Public sector data leaks jump 65% to 178 cases last year, but none severe

All of the incidents were assessed to be of "medium" or "low" severity, according to the report released on July 28, 2022.

SINGAPORE - Public officers reported 178 cases of data leaks by the Singapore Government in the year that ended on March 31, a sharp 65 per cent increase from 108 cases in the preceding year.

All of the incidents were assessed to be of "medium" or "low" severity, according to the third annual report on the Government's personal data protection efforts released on Thursday (July 28).

Without disclosing details, its author, the Smart Nation and Digital Government Office (SNDGO), defined medium severity to mean that a government agency had suffered difficult or undesirable consequences, with minor inconvenience to individuals or businesses.

There were no severe incidents reported in the 12 months to March this year. These are incidents that damage national security or the public's confidence, or those resulting in death or serious physical, financial or sustained emotional injury to an individual.

To date, only two such severe incidents have been reported. Both took place in 2018.

The first was the unauthorised disclosure of the confidential data of 14,200 patients from the Ministry of Health's HIV registry. The second was the unauthorised access of 223 case files due to a vulnerability in the State Courts' online system.

Of the 178 cases last year, 14 were reported by members of the public through the Government Data Security Contact Centre portal, launched in April 2020. Details of these cases have not been released.

SNDGO said the rise in public sector data incidents mirrors trends in the private sector here and globally, as the exchange and use of data continue to grow.

"The pace of digital adoption has accelerated as the Covid-19 pandemic entered its second year in 2021," said SNDGO, noting that more people and business activities went online. "As more data is created and exchanged, the risk of data being exposed or misused increases correspondingly."

Last year, local residents filed 6,700 complaints against private organisations about potential personal data breaches, said SNDGO. This is up from 6,100 complaints made to privacy watchdog the Personal Data Protection Commission in 2020, and 4,500 complaints in 2019.

The public sector has started rolling out 24 major improvements to its security workflow, as part of its $1 billion investment to better safeguard citizens’ personal data.

These measures were recommended by the Public Sector Data Security Review Committee (PSDSRC), formed in March 2019 after a spate of cyber-security breaches, including Singapore’s worst data breach involving 1.5 million SingHealth patients’ data in June 2018.

Three of these improvement projects are ongoing but will be completed by the end of 2023. These include systems to automatically disable inactive user accounts, and detect and stop risky user behaviour such as copying sensitive files from laptops.

Another work in progress is a system to segregate data sets based on their sensitivity and automatically encrypt data in storage.

The PSDSRC framework will gradually replace current practices at public agencies, many of which have devised their own protocols. 

Unlike the private sector, public agencies are not subject to the Personal Data Protection Act, which has been fully implemented since 2014 to safeguard consumers against the wrongful collection, use and disclosure of personal data.

Third parties handling government data come under the PDPA, after an amendment came into effect in February last year. Previously, third parties were subject to only the obligations in their contracts with public agencies and, where applicable, laws such as the Official Secrets Act.

Public agencies come under the Public Sector (Governance) Act, where unauthorised disclosure and improper use is punishable with a fine of up to $5,000, imprisonment of up to two years, or both. 

Ms Charmian Aw, a technology and data lawyer at Reed Smith, said that the Public Sector (Governance) Act is more prescriptive - and the criminal penalties it carries are arguably harsher - than the PDPA.

“This is probably because of the egregiousness of disclosing what is likely very sensitive data held by public bodies,” she said. “But the right of private action against businesses under the PDPA could sting too as there is technically no cap to the amount of monetary damages a court could award in cases of serious data breaches.”
