We refer to Dr Lee Pheng Soon's letter, "Regular review needed on what personal data is collected and what needs to be purged" (Nov 3).

We would like to assure Dr Lee that the public sector takes its responsibility as a custodian of data very seriously. As a general principle, the Government only collects and uses personal data that is required to discharge its public functions.

Data management in the public sector is governed by the Public Sector (Governance) Act and the Government Instruction Manual on Infocomm Technology and Smart Systems Management.

This instruction manual sets out how the Government manages and protects data, including personal data, in its possession or control, while the Act imposes criminal penalties on public officers who misuse data, or knowingly or recklessly disclose or re-identify data without authorisation.

In addition, public officers who are found to be negligent in protecting data may face disciplinary actions.

The risk of data breaches must be taken seriously.

Organisations should collect only what will be used, notify individuals of the purposes for which the personal data is collected, and have clear policies to limit the retention of data once its purpose is fulfilled. Purging data regularly will reduce the scale and impact of data breaches.

Organisations, including those that engage vendors, are expected to comply with these obligations under the Personal Data Protection Act.

Organisations must also establish a level of cyber security appropriate for the types of data they have collected.

When national identifiers like NRIC numbers need to be collected, organisations must protect them well. For sensitive personal data like health or financial information, they should take extra care with higher security standards and clearer retention policies.

Organisations that retain personal data when it is no longer required/necessary are in breach of the Personal Data Protection Act.

The failure to purge sensitive personal data is an aggravating factor when the Personal Data Protection Commission investigates the data breach and determines the financial penalties.

The commission has taken tough enforcement action against organisations which do not fulfil their retention limitation obligation.

Individuals must also do their part. They can inquire with organisations on the purposes for which their personal data is collected, and withhold consent if they consider the request excessive.

Foo Wen Dee

Director, Communications and Marketing Division

Infocomm Media Development Authority