Data security review for public sector: 5 key recommendations

The recommendations will be rolled out in 80 per cent of its systems by the end of 2021, with a deadline of end-2023 for full implementation.

SINGAPORE - The Public Sector Data Security Review Committee has made recommendations in five key areas for entities that handle public sector data to adopt, following a comprehensive inspection of 336 systems in 94 agencies.

The Prime Minister's Office said in a statement on Wednesday (Nov 27) that the Government accepts these recommendations. They will be rolled out in 80 per cent of its systems by the end of 2021, with a deadline of end-2023 for full implementation.

The five key recommendations are:

1) Protecting data and preventing it from being compromised

- Government agencies to collect data only when necessary and limit its retention period.

- Minimise the number of devices that hold data by allowing file access only on secured platforms. Use data only for tasks that require it, and give selective access.

- Enhance how data use is monitored through digital watermarking and checking how data moves through the network.

- Detect suspicious activity through e-mail data protection tools and data loss protection tools.

- Protect stored data by making it unusable and unreadable even if stolen.

- Protect data when it is being distributed through password protection and encryption, as well as distribution through secure channels.

2) Detecting and responding to data incidents

- Establish a central contact point for the public to report government data incidents.

- Set up the Government Data Office to monitor and analyse security incidents.

- Designate the Government IT management committee as the central body to respond to large-scale incidents that involve multiple agencies.

- Install a framework for all public agencies to notify individuals affected by data incidents promptly.

- Have a standard process for post-incident inquiry for data incidents and share takeaways across all agencies.

3) Raising competencies and improving the culture of data security

- Specify roles for groups of officers involved in management of data security.

- Ensure all public officers are regularly updated on data security considerations through an annual training programme.

- Inculcate a culture of excellence around sharing and using data, and cultivate an environment conducive to open reporting of data incidents.

4) Accountability for data protection

- Install organisational key performance indicators for data security.

- Hold top leadership of all public sector organisations accountable for installing strong organisational data security practices.

- Ensure accountability of third parties handling government data by amending the Personal Data Protection Act to cover Government vendors and non-public officers who mishandle personal data.

- Publish government policies and standards relating to data protection and update these annually.

5) Sustainability

- Appoint the Digital Government Executive Committee to oversee public data security.

- Set up the Government Data Security unit to drive data security efforts in the public sector.

- Deepen the Government's expertise in data protection technologies.