Govt agencies to adopt measures to protect public’s personal details

SINGAPORE — Government agencies will soon have to ensure that the public’s personal information such as income details are adequately protected, through means such as encryption, and undertake measures to mitigate data loss in the event of a breach.

Highly sensitive information — such as a person’s medical history of infectious diseases and bankruptcy information — will also have to be segregated from collective databases, to prevent it from being stolen in the event of a malicious attack.

These are among 13 technical recommendations a high-level committee that was convened to review data security practices across the public service has come up with as a broad common framework for data security, it announced on Monday (July 15).

These recommendations have been accepted by the Government, but there is no set timeline for government agencies to implement them.

Instead, they will be implemented in phases and on a risk-based approach, so that agencies deploy measures that adequately protect the type of data they handle.

In addition, the committee will also work towards protecting sensitive information as defined in the Information Sensitivity Framework established in November last year. The framework attempts to standardise the data protection measures based on the severity of harm in the event of a data breach.

Currently, agencies have varying practices and devise measures on their own.

The committee, convened by Prime Minister Lee Hsien Loong, is chaired by Senior Minister and Coordinating Minister for National Security Teo Chee Hean and includes private sector industry experts.

It will submit a full report to the Government by Nov 30 this year, when it will also detail how the data security culture can be strengthened in the public service, and third parties that handle Government data — like private sector firms — can be better managed.

WHY IT MATTERS

The measures recommended by the committee are intended to tighten the IT systems in the public sector and shore up public trust in the Government’s data security regime.

The committee was set up after a spate of data leaks — including the massive SingHealth cyberattack last year and a HIV registry leak in January this year. In March, the personal information of more than 800,000 blood donors were accessed illegally and possibly stolen, after being put online for more than two months.

While most of the technical recommendations were drawn up to deal with external threats who attempt to steal or leak data, some are aimed at tightening data-sharing processes between users.

KEY TECHNICAL RECOMMENDATIONS

Masking attributes, field-level encryption

How it works: Certain information details are masked, or encrypted. For example, one might only be shown the last four digits of an NRIC number.

Why it is useful: It reduces the risk of identification as it does not reveal the full data of the information obtained.

Dataset partitioning

How it works: Highly sensitive information is separated from general data sets.

Why it is useful: Currently, highly sensitive data — like one’s HIV status or bankruptcy information — could be part of a larger dataset. During a database attack, all information would be leaked. With dataset partitioning, information that is deemed highly sensitive will be separated and hence will not be leaked during an attack.

Password protection and encrypting files

How it works: The receiver of a file must use a password to access its contents.

Why it is useful: It mitigates the damage when a wrong file or dataset is sent to the wrong recipient.

Improving email data protection

How it works: If an email contains potentially-sensitive data such as NRIC numbers and is intended for a large number of recipients, the mailing tool will send out an additional alert to the sender before the message is sent.

Why it is useful: It is an additional prompt to remind senders to double-check the contents of their email and their intended recipients.

Volume- and time-limited data access

How it works: Sets limits on how much data can be extracted at any one time, and how long access is allowed.

Why it is useful: It mitigates the damage a malicious actor could potentially cause. For example, if a staff working in a government agency loses his or her laptop and login details, the malicious actor would not be able to access volumes of data above the limit set.

MORE ON THE COMMITTEE

The 10-member committee includes four other ministers involved in Singapore's Smart Nation efforts.

They are Foreign Minister and Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan, Communications and Information Minister and Minister-in-charge of Cyber Security S Iswaran, Trade and Industry Minister and Minister-in-charge of the Public Service Chan Chun Sing, and Senior Minister of State for Communications and Information and Transport Janil Puthucheary, who is also in charge of the Government Technology Agency.

The work of the committee builds on previous efforts by the Government to improve data security. Previous measures include rolling out Internet surfing separation in 2016, in which confidential data systems are separated from the Internet. In 2017, a policy was introduced to disable USB ports from being accessed by unauthorised devices.