Singapore's public sector systems to be redesigned in 2021 to better protect citizens' personal data

A new Data Loss Prevention programme will be rolled out across the public sector. ST PHOTO: GAVIN FOO

SINGAPORE - A significant redesign of Singapore's public sector IT systems will take place next year (2021) as part of new measures to safeguard citizens' personal data.

For instance, inactive user accounts will be automatically removed when public servants have resigned and left. It is currently a manual process.

Such automation across the public sector is among 24 key recommendations by the Public Sector Data Security Review Committee (PSDSRC) being rolled out after a spate of breaches over the last two years.

In the SingHealth cyber attack disclosed in 2018, the attackers targeted inactive administrator accounts, one of which had an easily cracked password.

Another new data security measure will involve the use of technical and process controls to detect and stop risky user behaviour, such as copying sensitive files from laptops.

Users will be prompted to reconsider before clicking to proceed, in order to prevent unintended data leaks.

This will plug gaps in similar ways to how an already installed e-mail control had detected and stopped an attachment containing the contact details and examination results of 6,541 individuals from being accidentally sent by an officer from the Singapore Accountancy Commission to unintended recipients last year (2019).

In its inaugural annual report on the Government's personal data protection efforts yesterday, the Smart Nation and Digital Government Office (SNDGO) said it is on track to roll out all 24 measures by the end of 2023 as part of its $1 billion investment in data security. It has rolled out 18 measures to date.

Explaining why some of the measures can only be implemented next year, the SNDGO said: "These are larger and more complex programmes which require significant rearchitecting of the technical systems and would therefore require a longer lead-time for implementation."

For instance, the automation of the removal or granting of user access rights to public sector IT systems can only be fully implemented across all 2,000 IT systems by end-2024.

In the interim, a technical system will be used to alert agencies to staff movements and role changes so agencies can manually and promptly remove inactive user accounts.

The PSDSRC framework will replace current practices at public agencies, many of which have devised their own protocols.

The committee was convened by Prime Minister Lee Hsien Loong in March last year following a spate of cyber-security breaches, including the SingHealth incident in June 2018.

Hackers then stole the data of 1.5 million patients and the outpatient prescription information of 160,000 people.

Also starting March next year, all public agencies must carry out cyber and data security incident drills annually to ensure they are prepared when breaches occur.

This complements another measure that was launched on the SNDGO website in April to allow members of the public to report data breaches involving public agencies.

In its annual report, the SNDGO also highlighted plans to provide new guidelines by the end of this year aimed at helping public agencies use biometric data responsibly.

"Biometric data is increasingly being used as a convenient and secure form of identity verification for access to digital services and secure premises," it said.

An example of that is SingPass Face Verification, which was launched in September. It allows people to scan their faces remotely on their mobile phones to verify who they are without having to upload pictures of their NRIC or show up in person to perform actions such as opening a bank account.

"Biometric data has unique characteristics that set it apart from other types of personal data," said the SNDGO in its report. "For example, biometric data is often immutable, that is, it cannot be easily replaced once compromised."

Join ST's Telegram channel and get the latest breaking news delivered to you.