Singapore has assembled a committee to review data security practices in the public sector, following a spate of breaches involving government entities, but it remains firm on its decision to exclude such organisations from the country's Personal Data Protection Act (PDPA). The new committee has been tasked to assess measures and processes, amongst others, related to the collection and protection of citizens' personal data by government agencies as well as vendors appointed to handle personal data for the government.
Led by Deputy Prime Minister and Coordinating Minister for National Security Teo Chee Hean, the committee would include representatives from the private sector specialised in data security and technology and ministers involved in Singapore's smart nation initiatives. Teo also oversees public sector data governance.
The committee also would review the role of vendors and authorised third-parties engaged by the government and recommend technical measures, processes, and capabilities to improve the government's protection of citizens' data and response to security incidents.
In a statement issued by the Prime Minster's Office, the Singapore government acknowledged that recent data security incidents had underscored "the urgency to strengthen" data security policies and practices in the public sector. "While individual agencies are investigating and taking action on the specific incidents, this committee will undertake a comprehensive review and incorporate industry and global best practices to strengthen data security across the public sector," it said.
The government noted that, over the years, it had implemented several measures to boost security in its sector, including separating systems from the internet in 2016, disabling USB ports to prevent access by unauthorised devices in 2017, and increasing the number of internet IT audits to monitor agencies' data access and protection.
The review committee now would help ensure government agencies had "the highest standards of data governance", the Prime Minister's Office said. "This is essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data. The work of this committee will complement our efforts to achieve our smart nation vision," it said, adding that the team would submit its findings and recommendations to the prime minister by November 30 this year.
Meanwhile, however, the Singapore government remains unwavering in its decision to exempt public-sector entities from the country's data protection regulations.
Government exclusion needed to ensure data flow
Nominated Member of Parliament Irene Quay Siew Ching questioned during a parliament sitting on Monday if, in view of a series of data breaches involving public IT systems, it was "justifiable" for government agencies to be excluded from the PDPA.
In the past year, these breaches had resulted in the personal information of 808,201 blood donors and 14,200 individuals with HIV being compromised. Personal data of another 1.5 million SingHealth patients also was compromised last July in what was described as Singapore's most serious data security breach.
Quay, who is president of the Pharmaceutical Society of Singapore, also asked about recourse citizens had, other than to complain to agencies or seek civil action, in the aftermath of such security incidents and whether there should be a tangible penalty meted out to these public agencies for public accountability.
In response, the Ministry of Communications and Information reiterated the government's stance that the PDPA should not apply to public agencies because of "fundamental differences" in how these organisations operated, which required "a different approach" to personal data protection compared to the private sector.
"In order to enable a whole-of-government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations," the ministry said.
It noted that while government agencies were exempted from the PDPA, they still were accountable for the protection of public data and were subject to different legislation and regulations regarding data security. Specifically, public sector agencies must comply with the Government Instruction Manuals and the Public Sector Governance Act (PSGA). Passed last year, the act introduced standardised key corporate policies and data sharing across government agencies.
The ministry added that Singapore citizens had the same recourse for a data breach in the public sector as they would with the PDPA and could lodge a complaint with the Personal Data Protection Commission (PDPC), which oversees the act, or GovTech, which is responsible for the public sector's ICT deployments.
It added that public officers who flouted the government's data security rules, and misused or disclosed data in an unauthorised manner, could be held criminally liable under the PSGA. Penalties included fines of up to S$5,000 or a jail term of up to two years, or both.
Member of Parliament and chairperson of opposition party Workers' Party, Sylvia Lim, also queried the handling of the security breach that compromised personal data of 800,000 blood donors, asking whether contractual obligations between the Health Sciences Authority (HSA) and IT vendor. which was identified as the cause of the security leak, reasonably protected personal information.
The ministry said the PDPC was investigating the IT vendor, Secur Solutions Group, and if found to be in breach of the PDPA, would face "appropriate enforcement actions" such as financial penalties. In addition, the HSA's data security policies and practices currently were under review and the Smart Nation and Digital Government Group also was conducting an investigation into the incident.
Following a spate of data breaches affecting healthcare patients in Singapore, another lapse has occurred. A server containing personal information of 808,201 blood donors was not properly secured by a third-party vendor, potentially exposing data such as blood type and national identification number.
Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Hackers that compromised the data of 1.5 million healthcare patients have been identified as a group that launched attacks against several organisations based in Singapore, including multinational firms with operations in the country, and is likely part of a larger operation targeting other countries and regions.
Monetary Authority of Singapore is looking to introduce changes to existing technology risk and business continuity management guidelines that will require financial organisations to implement more measures, including cyber surveillance, to boost operational resilience.
Government unveils plans to include a framework, as part of a review of the country's Personal Data Protection Act, that aims to ease data flow between service providers while giving consumers "greater control" over their own data.