High-level committee finds shortfalls in public sector's data security practices

The Public Sector Data Security Review Committee found that public-sector agencies have insufficient policies governing third parties handling data and there are inconsistent practices in managing data access.
The Public Sector Data Security Review Committee found that public-sector agencies have insufficient policies governing third parties handling data and there are inconsistent practices in managing data access.PHOTO: REUTERS

SINGAPORE - Public-sector agencies have insufficient policies governing third parties handling data and there are inconsistent practices in managing data access, a high-level committee currently reviewing and strengthening data security practices across the entire public service has found.

The Public Sector Data Security Review Committee, which was convened by Prime Minister Lee Hsien Loong and is chaired by Senior Minister Teo Chee Hean, has conducted a six-week-long government-wide stocktake of data management practices after it was announced in April.

The committee, which includes four ministers and experts from the private sector, has till Nov 30 to submit its findings and recommendations to PM Lee.

In a briefing on Monday (July 15), the Smart Nation and Digital Government Office (SNDGO) said the committee also found that in the public sector, there are currently varying levels of training in data protection, and that many data incidents have previously been the result of human error where well-meaning staff had inadvertently compromised data.

An analysis of emerging trends by the committee also found that the increasing prevalence of data sharing and the growing availability of complex analytics tools heighten the chances of a data breach.

Said the SNDGO in a statement: "There is a need to strengthen our data security regime for the future. This is in view of the increasing complexity of our systems, the greater demand for the use of data to provide convenient digital services to the public and the need to use data for better policymaking."

Besides the stocktake, SNDGO said the committee is also carrying out in-depth inspections of key government agencies' information technology systems. It is doing this in waves, and has looked at the systems in some of the organisations in the finance and healthcare sectors in the first wave.

 
 

These agencies are: the Inland Revenue Authority of Singapore, the Central Provident Fund Board, the Ministry of Health, the Health Promotion Board and the Health Sciences Authority.

The committee has so far carried out two meetings since it was announced in April: one on April 18 and another on July 1.

It was previously announced that the committee comprises 10 people, and that its members were chosen for their experience and expertise in how technology and data security are applied in their respective fields.

The committee is also supported by a separate expert group consisting of seven international experts and industry professionals.

In addition to this expert group, the committee is supported by an inter-agency task force formed by public officers across the Government.

The formation of the committee follows a spate of cyber and data security breaches and incidents over the past year. The latest data breach involved the personal information of more than 800,000 blood donors being improperly put online for more than two months.

Singapore's worst cyber attack was in June last year when hackers got into the database of public healthcare cluster SingHealth, and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including PM Lee.