Parliament: Laws exist to hold public agencies accountable for data breaches

Besides the Public Sector (Governance) Act, other legislation also criminalises unauthorised disclosure of data, including the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act. PHOTO: ST FILE
Lester Wong
Updated
May 06, 2019, 11:40 PM
Published
May 06, 2019, 11:30 PM

SINGAPORE - Laws are in place that hold public agencies and their officers accountable in the event of a data breach, while the Government also has a number of measures to prevent such a scenario from taking place, said Senior Minister Teo Chee Hean on Monday (May 6).

He was responding to Nominated MP Irene Quay, who had asked what laws provide for public agencies' accountability in the case of a data breach in public IT systems, as public agencies are exempted from the Personal Data Protection Act.

Mr Teo pointed to provisions set out in the Public Sector (Governance) Act (PSGA) and the Instruction Manual 8 (IM8) among other related legislation.

"Data security is essential to upholding public confidence in the Government's ability to deliver a high quality of public service to our citizens through the use of data," he said in a written reply.

"(These provisions) collectively impose upon public agencies and public officers a high level of responsibility for data protection."

The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data. Public officers found guilty of these offences can be fined up to $5,000 and could face a jail term of up to two years.

Besides the PSGA, other legislation also criminalises unauthorised disclosure of data, including the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act.

More On This Topic
Public agencies not governed by PDPA because of fundamental differences in how they operate
Public sector held to high standards for data protection, says Iswaran
Government reviewing way it handles data following cases of mismanagement, breaches
All eyes on steps to protect personal data

Public agencies must also comply with rules and requirements in the IM8 that prescribe specific measures to protect and manage government data under their control.

For example, the IM8 mandates the disabling of USB ports from being accessed by unauthorised devices and the use of passwords to protect files that contain personal data.

Agencies are regularly audited for compliance with the IM8 requirements. The audits are meant to identify system gaps and irregularities before a data breach occurs.

Where such gaps are identified, agencies are required to draw up plans to close these gaps within a specific time frame. The outcomes of these audits are reported in Parliament and publicly available.

Mr Teo, who is the Minister-in-charge of Public Sector Data Governance, chairs the 10-man Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong in the wake of a spate of cyber and data security breaches and incidents over the past year.

Singapore's worst cyber attack was in June last year when hackers got into the database of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including PM Lee.

The committee is reviewing data security practices across the entire public service and is expected to present its findings in November.

Join ST's WhatsApp Channel and get the latest news and must-reads.

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top