Third update on the Government’s personal data protection efforts

28 JUL 2022

Third update on the Government’s personal data protection efforts

28 Jul 2022

The Smart Nation and Digital Government Office (SNDGO) has published the third update on the Government’s personal data protection efforts. It details the Government’s efforts to strengthen the public sector data security regime between 1 April 2021 and 31 March 2022 (i.e. FY2021). This annual update is a key recommendation made by the Public Sector Data Security Review Committee (PSDSRC)¹ in November 2019, to enhance transparency on how the Government uses and secures citizen data.

Trends in Number of Government Data Incidents Reported

No Serious Data Incidents Over Last Two Years

The number of government data incidents rose from 108 in FY2020 to 178 in FY2021. While the number of data incidents reported has increased, none of these incidents were assessed to be of high severity or posed any significant impact on the agency or affected individuals. The overall increase in data incidents reported mirrors the trends seen in the private sector and globally, as the exchange and use of data continue to grow. The increase also reflects the improved awareness among public officers of the need to safeguard data, and to report every incident regardless of the severity.

Out of the 178 government data incidents in FY2021, 14 were detected as a result of public reports made to the Government Data Security Contact Centre (GDSCC). The Centre was set up in April 2020 for members of the public to report data incidents involving government data or government agencies and seeks to strengthen the Government’s capabilities to detect data incidents.

Government’s Initiatives to Strengthen Data Security

Progressive Roll-out of Three Remaining Technical Measures to Prevent Data Compromises

The Government had reported in its second annual update in July 2021 that it has implemented 21 of the 24 initiatives arising from the five key recommendations by the PSDSRC. Since then, the Government has been progressively deploying technical measures for the remaining three initiatives to protect data against security threats and is on track to complete all 24 initiatives as planned by end-2023.

Central Account Management (CAM) Solution

In August 2021, the Government started the development of the CAM solution to improve the user account management process. The CAM solution automates the process of removing and disabling user accounts that are no longer needed due to staff movement. Since its commissioning in April 2022, 32% of eligible Government IT systems have been configured for onboarding to the CAM solution. These include central systems used by all public officers, such as the Whole-of-Government collaboration and productivity platform, and key systems used by officers handling Government’s transactions with third-party vendors. The remaining systems are expected to be onboarded by end-2023.

Whole-Of-Government (WOG) Data Loss Protection (DLP) Suite

The Government also launched the Whole-Of-Government (WOG) Data Loss Protection (DLP) Suite in May 2022. The WOG DLP Suite prevents the accidental loss of sensitive data from government networks, systems and devices. The WOG DLP tools use technical and process controls to detect risky user activities. When such activities are detected, the DLP tools will prompt the user to take certain actions, such as confirming that the data was intended to be transferred, before proceeding to do so. Otherwise, it will stop the anomalous data transfer altogether to prevent any loss of data. As of 31 March 2022, the WOG DLP tools have been deployed to the WOG email service and secured internet surfing gateway. The tools will be deployed to WOG laptops in August 2022.

Data Privacy Protection Capability Centre (DPPCC)

Since its establishment in December 2020, the DPPCC has been developing data privacy protection toolkits which agencies can adopt to promote the protection of data without restricting its use. In addition, DPPCC has been working with agencies to co-create solutions to strengthen data privacy and protection for key systems.
These solutions include dataset segregation and stringent standards of encryption to reduce the risk of data exposure.

Enhancing Competencies in Public Service

The Government recognises that it is not possible to eliminate data incidents entirely, but we should have the expertise and ability to respond swiftly when they occur. To ensure that the public service is equipped to respond to data incidents at the WOG level, the Government conducted the inaugural central ICT and Data Incident Management exercises in September 2021. The exercises involved 33 agencies across five Ministries. The exercise scenarios included prevalent threats such as supply chain attacks and ransomware incidents leading to disruption of services. These exercises prepare the Government to provide a coordinated response and test the capabilities of agencies to respond effectively. Agencies that did not participate in the central exercises carried out their own exercises to test their officers’ readiness in effectively containing and managing the impact of data incidents.

Developing the public service’s capabilities and instincts in managing and securing data is an ongoing endeavour. Since May 2021, the Government has launched a series of engagement campaigns and workshops targeted at all public officers. These campaigns and workshops aim to raise officers’ awareness of using data securely, and educate them on how they can do so in their daily work. In addition, the Government conducted workshops for Key Appointment Holders, as well as ICT and data teams, to equip them with the necessary skills to fulfil their roles. In early 2022, the Data Security e-learning module, which all public officers are required to complete annually, was refreshed to include new content on how to work remotely in a safe and secure manner.

Overall, the Government’s initiatives have helped to improve the public sector’s data security posture. The Government will continue to enhance our protection efforts to safeguard the data of both citizens and businesses. The third update on the Government’s personal data protection efforts can be found on the “A Secure Smart Nation” microsite (go.gov.sg/public-sector-data-security-review).

Annexes

Annex A: Implementation Timeline of the Public Sector Data Security Review Committee (PSDSRC)

For media enquiries, please contact:

Cristiano Peswani (Mr)
Manager, Adoption and Engagement Directorate
Smart Nation and Digital Government Office, Prime Minister’s Office
Tel: 9674 5524
Email: cristiano_peswani@pmo.gov.sg

Goh Yu Chong (Mr)
Assistant Director, Public and International Communications
Smart Nation and Digital Government Office, Prime Minister’s Office
Tel: 9644 1674
Email: goh_yu_chong@pmo.gov.sg

The Public Sector Data Security Review Committee (PSDSRC) made five key recommendations in 2019 to improve the Government’s data security regime. The Government accepted the Committee’s recommendations in full and committed to implementing them in phases from 2020 to 2023. ↩