Public sector data leaks up 65% to 178 cases, but none severe

Rise mirrors trends in private sector, as more people and business activities go online: Report

Public officers reported 178 cases of data leaks by the Government in the year that ended on March 31, a sharp 65 per cent increase from 108 cases in the preceding year.
All of the incidents were assessed to be of "medium" or "low" severity, according to the third annual report on the Government's personal data protection efforts released yesterday.
Without disclosing details, its author - the Smart Nation and Digital Government Office (SNDGO) - defined medium severity to mean that a government agency had suffered difficult or undesirable consequences, with minor inconvenience to individuals or businesses.
There were no severe incidents reported in the 12 months to March this year. These are incidents that damage national security or the public's confidence, or those resulting in death or serious physical, financial or sustained emotional injury to an individual.
To date, only two severe incidents have been reported - both in 2018. The first was the unauthorised disclosure of the confidential data of 14,200 patients from the Ministry of Health's HIV registry. The second was the unauthorised access of 223 case files due to a vulnerability in the State Courts' online system.
SNDGO said the rise in public sector data incidents mirrors trends in the private sector.
"The pace of digital adoption has accelerated as the Covid-19 pandemic entered its second year in 2021," said SNDGO, noting that more people and business activities went online. "As more data is created and exchanged, the risk of data being exposed or misused increases correspondingly."
Last year, local residents filed 6,700 complaints against private organisations over potential personal data breaches, said SNDGO. This was up from 6,100 complaints in 2020, and 4,500 in 2019.
The public sector has started rolling out 24 major improvements to its security workflow as part of its $1 billion investment to better safeguard citizens' personal data.
These measures were recommended by the Public Sector Data Security Review Committee (PSDSRC), formed in March 2019 after a spate of cyber-security breaches, including Singapore's worst data breach involving 1.5 million SingHealth patients' data in June 2018.
Three of these improvement projects are ongoing but will be completed by the end of next year. These include systems to automatically disable inactive user accounts and detect risky user behaviour such as copying sensitive files from laptops.
The PSDSRC framework will gradually replace current practices at public agencies, many of which have devised their own protocols.
Unlike the private sector, public agencies are not subject to the Personal Data Protection Act (PDPA), which safeguards consumers against the wrongful collection, use and disclosure of personal data. Third parties handling government data also come under the PDPA.
Public agencies come under the Public Sector (Governance) Act, where unauthorised disclosure and improper use are punishable with a fine of up to $5,000, imprisonment of up to two years, or both.
The criminal penalties this law carries are arguably harsher than the PDPA's, said Ms Charmian Aw, a technology and data lawyer at Reed Smith.
"This is probably because of the egregiousness of disclosing what is likely very sensitive data held by public bodies," she said. "But the right of private action against businesses under the PDPA could sting too, as there is technically no cap on the amount of monetary damages a court could award in cases of serious data breaches."