Public sector rolls out measures to ensure safety of personal data

13 new protocols to replace current practices, with more recommendations to come

The 13 technical measures announced yesterday are the first of many to come from a new Public Sector Data Security Review Committee.
The 13 technical measures announced yesterday are the first of many to come from a new Public Sector Data Security Review Committee.PHOTO: ST FILE

The entire public service will have to conform to a common framework to safeguard citizens' personal data, with new measures being rolled out after a spate of breaches in the past year.

The aim is to make databases unusable in case information has been wrongfully extracted from them. The measures, some of which are already in place, will also detect unusual data transmissions and limit users' access rights.

Sensitive files will now have to be encrypted. Highly sensitive information about individuals, such as their HIV status, will be hidden away in a separate system with tighter controls. The personal information of ministers and other important people will also be kept in separate systems with more stringent protection.

The 13 technical measures announced yesterday are the first of many to come from a new Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong in April.

They were issued after a stock-take of how data was managed at five key government agencies here - the Ministry of Health (MOH), Health Sciences Authority (HSA), Health Promotion Board, Central Provident Fund Board and the Inland Revenue Authority of Singapore - which handle medical and financial data of citizens.

The new measures will replace current practices being followed by public agencies, many of which devised the protocols themselves.

More measures, including ways to better manage third-party vendors and train public servants on data security practices, will be revealed later and included in the committee's final report due in November this year.

"These include measures to better ensure high data protection standards by third parties that handle government data," said a spokes-man for the Smart Nation and Digital Government Office yesterday.

The committee was formed after a spate of cyber security breaches over the past year, with the latest involving the personal data of more than 800,000 blood donors getting accessed illegally and uploaded on an unauthorised server for more than two months. An HSA technology vendor, Secur Solutions Group, was responsible for the incident.


In January, the MOH revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by an American citizen who had lived and worked in Singapore. He had gained access to the data through his partner, Ler Teck Siang, a Singaporean doctor who once headed MOH's National Public Health Unit.

And in February, MOH said a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards in September and October last year.

Singapore's worst cyber attack took place in June last year, when hackers made away with the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including PM Lee.

All 13 measures will eventually be deployed. For instance, the database of patients with infectious diseases and individuals who were declared bankrupt will have the highest form of protection involving the most, if not all, of the 13 measures.

The measures will supplement current practices, including Internet surfing separation - cutting Internet access from work computers, which was rolled out in 2016 - and the disabling of USB ports from being accessed by unauthorised devices, implemented in 2017.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the London-based think-tank Centre for Strategic Cyberspace + International Studies, is concerned, however, that placing the data of important people in a separate system "may only draw the attention of hackers to the high-value system".


A version of this article appeared in the print edition of The Straits Times on July 16, 2019, with the headline 'Public sector rolls out measures to ensure safety of personal data'. Subscribe