PDPA: Public agencies differ from private sector

Public agencies are not governed by the Personal Data Protection Act (PDPA) because there are fundamental differences in how the public sector operates, compared with the private sector.

Minister for Communications and Information S. Iswaran in Parliament yesterday said public-sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act.

Collectively, these provide comparable, if not higher, standards of data protection, compared with the PDPA, and similar investigations and enforcement actions are taken against data breaches, he said.

He was responding to Nominated MP Irene Quay, on whether it is justifiable for public agencies to be exempted from the PDPA.

He said: "Implicit in the Member's question is the presumption that public-sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them. That is wrong and simply not the case."

Personal data is managed as a common resource within the public sector to enable a whole-of-government approach to deliver public services, he noted, unlike the private sector, where there is no such expectation of a holistic approach to the delivery of commercial services across organisations.

Citizens can lodge a complaint with the Government Technology Agency if they suspect their data has been mishandled by a public sector organisation, he said. Those affected can also seek mediation or take civil action against the agency that mishandled the data.


Public officers who flout the Government's data security rules, and are found to have misused or disclosed data in an unauthorised manner, could be fined up to $5,000, jailed for up to two years, or both.

Said Mr Iswaran: "It is not meaningful to impose financial penalties on public-sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse."

Workers' Party chairman Sylvia Lim (Aljunied GRC) asked if the public-sector data security review committee convened by Prime Minister Lee Hsien Loong confirms "that the Government is actually not satisfied", and that standards have been wanting in the public sector.

Mr Iswaran replied that Ms Lim was trying to "score a political point" and emphasised that it was in response to the recent data breaches - not inadequate measures - that PM Lee and the Government decided to take another look at the matter holistically.

He said: "What it does mean is we should ensure that we put total effort to ensure to leave no stone unturned in ensuring the highest standards are met in the public sector when it comes to data security."

Mr Iswaran also said penalties are focused on individuals to signal that the Government takes the issue seriously and holds the relevant people accountable.

The Government is prepared to look at all means to ensure there is clear accountability and ensure the highest standards of data security in the public sector, he added.

A version of this article appeared in the print edition of The Straits Times on April 02, 2019, with the headline 'PDPA: Public agencies differ from private sector'.