SINGAPORE - The Public Sector Data Security Review Committee has made recommendations in five key areas for entities that handle public sector data to adopt, following a comprehensive inspection of 336 systems in 94 agencies.
The Prime Minister's Office said in a statement on Wednesday (Nov 27) that the Government accepts these recommendations. They will be rolled out in 80 per cent of its systems by the end of 2021, with a deadline of end-2023 for full implementation.
The five key recommendations are:
1) Protecting data and preventing it from being compromised
- Government agencies to collect data only when necessary and limit their retention period.
- Minimise devices which hold data by allowing file access only on secured platforms. Use data only for tasks that require it, and give selective access.
- Enhance how data use is monitored through digital watermarking and checking how data moves through the network.
- Detect suspicious activity, through e-mail data protection tools and data loss protection tools.
- Protect stored data by making it unusable and unreadable even if stolen.
- Protect data when it is being distributed, through password protection and encryption as well as distribution through secure channels.
2) Detecting and responding to data incidents
- Establish a central contact point for the public to report government data incidents.
- Set up the Government Data Office to monitor and analyse security incidents.
- Designate the Government IT management committee as the central body to respond to large-scale incidents that involve multiple agencies.
- Install a framework for all public agencies to notify individuals affected by data incidents promptly.
- Have a standard process for post-incident inquiry for data incidents and share takeaways across all agencies.
3) Raising competencies and improving the culture of data security
- Specify roles for groups of officers involved in the management of data security.
- Ensure all public officers are regularly updated on data security considerations through an annual training programme.
- Inculcate a culture of excellence around sharing and using data, and cultivate an environment conducive to open reporting of data incidents.
4) Accountability for data protection
- Install organisational key performance indicators for data security.
- Hold top leadership of all public sector organisations accountable for installing strong organisational data security practices.
- Ensure accountability of third parties handling government data by amending the Personal Data Protection Act to cover Government vendors and non-public officers who mishandle personal data.
- Publish government policies and standards relating to data protection and update them annually.
- Appoint the Digital Government Executive Committee to oversee public data security.
- Set up the Government Data Security unit to drive data security efforts in the public sector.
- Deepen the Government's expertise in data protection technologies.