New steps by public agencies to safeguard personal data

As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme.
As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme.PHOTO: THE NEW PAPER

Govt accepts review panel's recommendations; single contact point for public to report incidents

Public agencies will collect and retain an individual's data only when it is strictly necessary. They will also make sure the data is properly safeguarded, adopting new measures that will be rolled out across the entire public service.

In case of a data incident involving ministries, statutory boards or other public agencies, anyone affected will have to be notified promptly.

A single contact point will also be established for the public to report data incidents.

An exercise that began eight months back following a spate of data breaches has culminated with a series of suggestions submitted to Prime Minister Lee Hsien Loong on improving data security.

The Government said yesterday it has accepted these recommendations from the Public Sector Data Security Review Committee (PSDSRC) and they will be rolled out in 80 per cent of its systems by end-2021.

The rest will follow by the end of 2023, as some systems will require significant redesign.

The committee was convened on March 31 and tasked with reviewing data security practices across the public sector and suggesting ways to improve it. It carried out detailed inspections of 336 systems in all 94 government agencies.

In a letter accepting the committee's recommendations, PM Lee said: "Data is the lifeblood of the digital economy and a digital government. We need to use and share data as fully as possible to provide better public services.

"In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation."

 
 
 
 

As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme.

Third-party vendors handling government data who misuse personal data will also come under the Personal Data Protection Act (PDPA), following changes to the Act which will likely be announced next year.

This means that these agents of government, who were previously exempt from the PDPA, will be liable to its financial penalties of up to $1 million.

These steps come under five broad measures: better protect data and stop it from being compromised; improve the detection of data incidents and the response to them; raise competencies in the public service with regard to data security; ensure accountability for data protection at every level of government; and make sure that data security is a sustained effort in the public service.

The PSDSRC was formed after a spate of cyber-security breaches.

In March, the personal data of 800,000 blood donors was uploaded on an unauthorised server.

And in June last year, hackers stole the data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including PM Lee.

 
 

PM Lee said in his letter that given the amount of data the Government gathers, it must do all it can to minimise the risk of data security incidents. "At the same time, when such breaches do occur, it is essential that we detect them quickly, and respond effectively to limit the breach and minimise the harm done," he said.

Senior Minister Teo Chee Hean, who chaired the panel, said that had these measures been in place earlier, the impact of the breaches would have been less severe.

"These measures will significantly enhance safeguards and hold officers to account. They are compatible to international and industry best practices," said SM Teo.

A version of this article appeared in the print edition of The Straits Times on November 28, 2019, with the headline 'New steps by public agencies to safeguard personal data'. Print Edition | Subscribe