Parliament: Laws exist to hold public agencies accountable for data breaches

Besides the Public Sector (Governance) Act, other legislation also criminalises unauthorised disclosure of data, including the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act. PHOTO: ST FILE

SINGAPORE - Laws are in place that hold public agencies and their officers accountable in the event of a data breach, while the Government also has a number of measures to prevent such a scenario from taking place, said Senior Minister Teo Chee Hean on Monday (May 6).

He was responding to Nominated MP Irene Quay, who had asked what laws provide for public agencies' accountability in the case of a data breach in public IT systems, as public agencies are exempted from the Personal Data Protection Act.

Mr Teo pointed to provisions set out in the Public Sector (Governance) Act (PSGA) and the Instruction Manual 8 (IM8) among other related legislation.

"Data security is essential to upholding public confidence in the Government's ability to deliver a high quality of public service to our citizens through the use of data," he said in a written reply.

"(These provisions) collectively impose upon public agencies and public officers a high level of responsibility for data protection."

The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data. Public officers found guilty of these offences can be fined up to $5,000 and could face a jail term of up to two years.

Besides the PSGA, other legislation also criminalises unauthorised disclosure of data, including the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act.

Public agencies must also comply with rules and requirements in the IM8 that prescribe specific measures to protect and manage government data under their control.

For example, the IM8 mandates disabling USB ports so that they cannot be accessed by unauthorised devices, and the use of passwords to protect files that contain personal data.

Agencies are regularly audited for compliance with the IM8 requirements. The audits are meant to identify system gaps and irregularities before a data breach occurs.

Where such gaps are identified, agencies are required to draw up plans to close these gaps within a specific time frame. The outcomes of these audits are reported in Parliament and are publicly available.

Mr Teo, who is the Minister-in-charge of Public Sector Data Governance, chairs the 10-man Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong in the wake of a spate of cyber and data security breaches and incidents over the past year.

Singapore's worst cyber attack was in June last year when hackers got into the database of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including PM Lee.

The committee is reviewing data security practices across the entire public service and is expected to present its findings in November.