Parliament: Reporting data breaches to affected people done on case-by-case basis in public sector

Senior Minister of State for Communications and Information and Transport Janil Puthucheary assured the House that the Government has increased the number and types of internal IT audits to check on agencies' data protection measures.
Senior Minister of State for Communications and Information and Transport Janil Puthucheary assured the House that the Government has increased the number and types of internal IT audits to check on agencies' data protection measures. PHOTO: GOV.SG

SINGAPORE - Public agencies in Singapore will approach citizen data breaches on a case-by-case basis, Dr Janil Puthucheary, Senior Minister of State for Communications and Information and Transport, said in Parliament on Thursday (Feb 28).

“There are guidelines about how public sector officials should handle the matter of a data breach involving citizens particulars...there is no absolute requirement,” he said in his reply to questions from MPs on the standards for disclosing public sector-related data breaches.

Dr Janil, who is in charge of the Government Technology Agency (GovTech), added: “We do need to look at every case, and we do need to look at the issue at hand as to what has been accessed, what are the circumstances and what the potential impact would be on the citizen to be involved in that process thereafter."

Workers’ Party chairman Sylvia Lim (Aljunied GRC), had asked whether affected citizens have the right to know, and in a timely manner, if their data is compromised while in the care of public agencies. Nominated MP Walter Theseira had also asked similar questions.

Even though there is no mandatory reporting requirement, there are guidelines on how citizens should be approached.

"The situation needs to be taken on a case-by-case basis and all the factors that are relevant need to be taken into account," he added during the debate on the budget of the Prime Minister's Office (PMO), which GovTech comes under.

Ms Lim cited the case of a police station inspector who in February 2016 illegally accessed the computer system at his workplace to check the telephone records of a man whom he suspected of having an affair with his wife. The case was made public in February this year.

 
 
 

Dr Janil assured the House that the Government has increased the number and types of internal IT audits to check on agencies' data protection measures. Among the implemented measures is the disabling of USB ports to keep out unauthorised devices.

"We will continually review our standards and measures, and will incorporate lessons learnt and industry's best practices," he said.

Should citizens suspect that their data have been misused or hacked, they can complain to GovTech or make a police report if a crime is suspected.

"Complaints will be thoroughly investigated and appropriate action taken," Dr Janil  said.