SINGAPORE - Public agencies are not governed by the Personal Data Protection Act (PDPA) because there are fundamental differences in how the public sector operates compared to the private sector, said Minister for Communications and Information S. Iswaran in Parliament on Monday (April 1).
Mr Iswaran noted that public sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA).
Collectively, these provide comparable, if not higher, standards of data protection compared to the PDPA, he said, adding that similar investigations and enforcement actions are taken against data security breaches.
Mr Iswaran was responding to Nominated MP Irene Quay's question about whether it is justifiable for public agencies to be exempted from the PDPA.
The PDPA is a data protection law that governs the collection, use, disclosure and care of personal data.
"Implicit in the Member's question is the presumption that public sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them," he said. "That is wrong and simply not the case."
While personal data is managed as a common resource within the public sector to enable a whole-of-government approach to deliver public services, the considerations are different in the private sector, where there is no such expectation of a holistic approach to the delivery of commercial services across organisations, he added.
In response to Ms Quay's other question about what recourse citizens have besides complaining to public agencies or seeking civil action, Mr Iswaran said they can lodge a complaint with the Personal Data Protection Commission (PDPC) or the Government Technology Agency (GovTech), which maintains government systems, if they suspect that their data has been mishandled by a private sector organisation.
Affected individuals can also seek mediation or take civil action against the organisation or agency which mishandled the data, he added.
Public officers who flout the Government's data security rules, and are found to have misused or disclosed data in an unauthorised manner, could be held criminally liable under the PSGA.
The penalties include fines of up to $5,000 or a jail term of up to two years, or both.
"It is not meaningful to impose financial penalties on public sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse," said Mr Iswaran.
But Ms Sylvia Lim (Aljunied GRC) contested this point, arguing that the Government can operate on the premise that no additional money will be provided to public agencies to pay fines.
"Therefore the agency will just have to cope with cuts somewhere else to pay these fines, whether it is from bonuses from senior management or whatever it is, because there's still an important signalling effect that the Government is prepared to abide by the same standards it expects of small businesses," she said.
Ms Lim also asked if the Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong confirms "that the Government is actually not satisfied and that the standards so far have been wanting in the public sector".
Mr Iswaran replied that she was trying to "score a political point" and emphasised that it was in response to the recent data breaches - not inadequate measures - that PM Lee and the Government decided to take another look at the matter holistically.
"What it does mean is we should ensure that we put total effort to ensure to leave no stone unturned in ensuring the highest standards are met in the public sector when it comes to data security," he added.
On Ms Lim's question on financial penalties, Mr Iswaran also had a comeback.
"Well, I would say that first of all, in fact I think the term 'ownself check ownself' was coined by a member of her party, and so if you fine yourself, you do ask the question what is the signalling effect there," he said.
He was making a tongue-in-cheek reference to the term coined by Worker's Party's chief Pritam Singh during an election rally in the 2015 General Election.
He went on to explain that it is more important to ensure the signalling effect is that the Government takes the issue seriously and holds the relevant people accountable.
For this reason, the penalties are focused on the individuals.
Taking action against an organisation - the public sector - spells a significant impact on the reputation of the organisation and its leadership, which in itself is also a major signalling point.
"But having said that, we are prepared to look at all means to ensure there's clear accountability and ensure that in the public sector we have the highest standards of data security, and that is why this committee has been set up and we will be open to suggestions," said Mr Iswaran.