Personal data protection in public sector set for overhaul; 3 in 4 agencies found non-compliant with Govt standards
SINGAPORE — Personal data protection systems across Singapore’s public sector are set for a significant overhaul after a high-level committee released a report on Wednesday (Nov 27) which found that about three in four agencies fell short of Government standards in at least one area.
The Public Sector Data Security Review Committee – set up in March after a string of data lapses, especially in the healthcare sector – inspected 336 systems across 94 public sector agencies as part of a major review aimed at better protecting Singaporeans’ personal data.
The committee said that about 75 per cent of the agencies had at least one finding of non-compliance with a set of policies that were written to protect and manage government data under their control.
Based on the findings, the committee led by Senior Minister Teo Chee Hean, the Coordinating Minister for National Security and the Minister-in-charge of Public Sector Data Governance, outlined five main recommendations and an action plan.
The Prime Minister’s Office issued a statement on Wednesday stating that Prime Minister Lee Hsien Loong has accepted the recommendations and the timetable for implementing them. The committee submitted its report on Tuesday.
The recommendations include enhancing data protection and preventing data compromise; improving the competencies of public officers to safeguard data securely; being accountable for data protection at every level and reducing the scope for attack by minimising data collection, retention, access and downloads.
MOST CHANGES TO BE IN EFFECT BY END-2021
Mr Teo said all the relevant recommended measures would be implemented across 80 per cent of government systems by the end of 2021. The other 20 per cent, involving more complex systems or those needing redesign, would be implemented by the end of 2023, he said.
Speaking at a press conference on Wednesday, Mr Teo said the measures will “significantly enhance safeguards and hold officers to account”, and that they are comparable to international and industry best practices.
The committee also included five international and private sector representatives with expertise in data security and technology, as well as four other ministers who are involved in Singapore’s Smart Nation efforts.
Mr Teo said that the committee was satisfied that the recommended measures “would have prevented or mitigated the impact of the past data incidents”.
In the past two years, several data-related incidents in the public sector have made the headlines, such as the SingHealth cyberattack in July 2018, and the disclosure in January this year that a deported American fraudster had leaked the confidential records of 14,200 HIV-positive individuals online.
In light of these high-profile incidents, the committee was formed on March 31 this year when PM Lee called for a comprehensive review of all of Singapore’s 94 public agencies’ systems and data management practices.
RECOMMENDATIONS
1) Enhance data protection and prevent data compromise
A total of 13 technical and 10 process safeguards were proposed for incorporation into information and communications technology and data systems in different combinations, depending on the security risks the agencies are expected to face.
Some of the goals of these safeguards are to reduce the surface areas of attack by minimising data collection, retention, access and downloads; to enhance logging and monitoring to detect high-risk or suspicious activity; and to protect data directly when it is stored and distributed to render it unusable even if extracted.
Beyond these measures, the committee has also recommended, among other things, improving an audit framework to detect gaps in practices and policies before they result in incidents.
2) Enhance detection and response to data incidents
The recommendations to detect and respond to data incidents swiftly and effectively are structured around the following five stages:
Detect: Creating a central contact point for the public to report Government data incidents
Analyse: Tasking the Government Data Office to monitor and analyse data security incidents that pose significant harm to individuals
Respond: Appointing the Government IT Management Committee as the central body to respond to large scale incidents
Remediate: Putting in place a framework for all public agencies to notify individuals who are significantly impacted by data security incidents
Post-incident follow-up: Creating a standard process for post-incident inquiry for all data incidents, and sharing the findings with all agencies
3) Raise competencies, instil culture of excellence
The report states that public officers need to be aware of data security risks when handling citizens’ data, and noted that the recommended safeguards are effective only if they are “well executed” by the officers.
All public officers, including top leadership, will undergo an annual training programme to keep them up to date on data security considerations.
These officers will be made aware of their exact roles and responsibilities when it comes to the management of data security.
The committee also recommended “cultivating an environment conducive to open reporting of data incidents whether major or minor”.
4) Accountability for data protection at every level
Six sub-recommendations in this category include mandating that top leadership be held accountable for their respective organisation’s data security regime, improving the accountability of third-party vendors and improving transparency.
Holding leadership accountable: While individual public officers who mishandle Government data are liable to a fine of up to S$5,000, a jail term of up to two years, or both, the committee noted that no financial penalties or sanctions are imposed on the agencies.
The report states that this is because the monies come from the same public purse.
The committee said a more effective measure would be to hold those in positions of responsibility accountable for their organisations’ effectiveness in maintaining data security. It also recommended taking action against individual officers who allowed data security to be compromised.
Third-party vendor accountability: Tightening the legislation governing the accountability of these vendors becomes more important as the Government works more closely with them to deliver services to the public, said the committee.
To do so, the committee has recommended that the Personal Data Protection Act cover agents of the Government.
This amendment would also include provisions to take non-public officers to task for “recklessly or intentionally” mishandling any personal data.
Improving transparency: To maintain public confidence in the Government’s management of data, the committee has recommended publishing its policies and standards relating to personal data.
The report says this will allow the public to understand the Government’s approach to personal data protection, and the measures in place.
It also recommends publishing an annual update on the Government’s efforts in safeguarding personal data.
5) Ensure sustainability and resilience
While improvements are underway to improve data security in the public sector, the committee said that Singapore should institutionalise such efforts so that “they are sustained and continue to evolve” to address new challenges.
It recommended the appointment of the Digital Government Executive Committee as a high-level Whole-of-Government body to oversee public sector data security.
Chaired by a permanent secretary, it will drive the implementation of the committee’s recommendations.
The committee also recommended setting up the Government Data Security unit in the Government Data office to drive security efforts.
FINDINGS
The inspection covered 336 systems across all 94 public agencies, except for the Pioneer Generation Office. It was renamed the Silver Generation Office and joined the non-Government entity Agency of Integrated Care in April 2018.
A key finding was that about 75 per cent of agencies had at least one finding of non-compliance with Instruction Manual 8 (IM8), which contains guidelines on data security.
The most common lapses, which informed the recommendations, were in the following areas:
Privileged user management and monitoring. This refers to the management of user accounts on critical devices and applications.
User access reviews
The encryption of emails with highly sensitive data
Management of production data extraction
The committee also found that 64 per cent of agencies were rated as low risk, while 23 per cent were rated as medium risk.
The remaining 13 per cent were rated as high risk. The committee’s report did not specify which agencies fall under this category.
The committee also found that smaller agencies tend to have smaller information technology teams and lack the resources to implement data security measures.
At the public officer level, the committee also found that not all officers have “internalised the potential impact of their actions” on individuals whose data have been compromised.
IMPLEMENTATION
Mr Teo said that three technical measures had already been implemented, in October.
These pertain to data file integrity verification, password protecting and encrypting of files, and an email data protection tool.
He added that the rest of the recommended measures will be implemented in 80 per cent of Government systems by the end of 2021.
In a letter to the committee, PM Lee said that the Government accepts all the recommendations.
“Data is the lifeblood of the digital economy and a digital government,” said Mr Lee.
“We need to use and share data as fully as possible to provide better public services. In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation.”
Although this applies to every field of government, he said that this is “especially so in healthcare”.
Mr Lee added that, as the custodian of vast amounts of data, the Government must take this responsibility seriously.
While the Government will do its utmost to minimise the risk of data breaches, he said that in the event one occurs, it is crucial to detect the breach quickly and respond effectively to contain it and minimise the harm done.