Inaugural Update On Government Personal Data Protection And Implementation Of PSDSRC Recommendations

Inaugural Update On Government Personal Data Protection And Implementation Of PSDRC Recommendations

11 Nov 2020

The Smart Nation and Digital Government Office (SNDGO) has published the inaugural annual update on the Government’s personal data protection efforts. The update contains the measures undertaken to date to strengthen the public sector data security regime to safeguard citizen data. The annual update will also serve to enhance transparency on how the Government uses and secures citizen data, which is among the key recommendations made by the Public Sector Data Security Review Committee (PSDSRC).

In November 2019, the PSDSRC submitted its recommendations to improve the Government’s data security regime and enhance public confidence. The Government accepted the Committee’s recommendations in full and committed to implementing them in phases from 2020 to 2023. In April 2020, SNDGO provided an update on the first tranche of the implementation of the PSDSRC recommendations. The second tranche of implementation was completed in October 2020.

Overview of Government’s Data Security Initiatives in the Update

Within a year from the completion of the review, we have implemented 18 of the 24 key initiatives recommended by the PSDSRC. The improvements to the public sector data security regime include: * Improving audit and third-party management frameworks * Enhancing processes to respond to data incidents in a timely manner * Strengthening data security accountability at every level * Instituting a structured approach to build a data security-conscious culture within the Public Service * Strengthening organisational structures to manage data security * Improving transparency of the public sector data security regime

The Government has made progress in implementing technical and process measures to strengthen public sector data security. In October 2019, 4 baseline technical and process measures were implemented service wide. We are on track to implement the remaining technical measures as planned - 80% of the systems will be covered by the end of 2021 and all systems by the end of 2023. These measures include tools that (a) prevent the loss of sensitive data across all government systems and devices; and (b) automate user account management to ensure regular and timely reviews of access to IT systems containing sensitive data. These are larger and more complex programmes which require significant re-architecting of the technical systems and would therefore require a longer lead-time for implementation. While we are implementing the remaining measures, interim measures, such as timely alerts to remove user accounts when there is staff movement, are in place to mitigate potential data security risks.

New processes have been implemented to ensure a more coordinated and effective response to data incidents across the Government. Starting from March 2021, all public agencies are required to carry out cyber and data security incident exercises annually, to ensure that they are well-prepared to detect and respond to cyber and data incidents. The Government Data Security Contact Centre (GDSCC) was set up in April 2020 for members of the public to report data incidents involving public agencies. This augments the Government’s ability to detect and respond to data incidents so that remediation efforts can be swiftly taken.

Technical and process safeguards are important, but not sufficient. Beyond that, every public officer must actively play his or her role in safeguarding the data used. To this end, we have embarked on a campaign to build a culture of excellence in “Using Data Securely” within the public service and move beyond mere compliance with baseline requirements to proactively identifying and managing data security risks. In addition, we have identified data security competencies and training programmes required for public officers to use data securely and perform their roles well.

Strengthening organisational structures, transparency, and accountability

The Government has introduced and strengthened organisational structures to drive a sustainable and resilient public sector data security regime that can keep up with emerging threats and new technologies. The Digital Government Executive Committee for Cyber and Data, chaired by the Permanent Secretary of Smart Nation & Digital Government, has been established as the high-level body to oversee public sector data security. The Government Data Security Unit was also set up to drive and coordinate data security efforts across the public sector.

Besides public officers, third parties such as vendors and contractors often handle Government data on behalf of the Government. The Government has developed a Third Party Management Framework to ensure that the high standards of data protection that the Government places on itself is extended to them as well. The Government’s policies on personal data protection and third-party management have been published on the Smart Nation website since April 2020.

Amendments to the Personal Data Protection Act (PDPA) were passed in Parliament on 2 November 2020, to hold third parties and non-public officers accountable for recklessly or intentionally mishandling personal data regardless of whether the data is from the public sector. This will align the PDPA to the Public Sector Governance Act (PSGA) in terms of individual accountability and penalties for the egregious mishandling of personal data.

Data Incidents in the Public Sector

There has been an increase in the number of data incidents reported within Government – from 51 in FY 2018 to 75 in FY 2019. This is in tandem with the trends seen in the private sector and globally, where there has been a general increase in data incidents. The increase in the number of data incidents reported can be partly attributed to greater awareness, vigilance and an improved understanding among public officers of what constitutes a data incident. Public officers are regularly engaged on data security measures to build a culture of learning and heightened awareness.

The majority of incidents reported were due to human error, such as, inadvertently emailing sensitive data to the wrong recipients and misplacing IT equipment containing sensitive data. Most of the incidents were assessed to not have significant impact on the agency or individuals affected as protection measures had been put in place to mitigate the risk of data breach. For example, the misplaced IT equipment were encrypted; the sensitive data contained therein would not be usable to unauthorised users who attempt to extract data from these devices.

Use of Data to Fight COVID-19

The foundation laid by the PSDSRC’s recommendations has provided the Government with a strong footing to implement digital tools swiftly and use data securely to support our response to the COVID-19 pandemic. Digital contact tracing tools such as SafeEntry and TraceTogether were designed from the onset to ensure that only necessary data is collected, and that individuals’ personal data collected is well-protected according to the Government’s data protection principles and relevant PSDSRC data security measures. These data protection measures helped to bolster public trust and adoption of these digital tools, which in turn have helped to enhance our national contact tracing efforts and strengthen our fight against COVID-19.

The COVID-19 pandemic has accelerated the pace of digitalisation. The Government will continue its journey to become digital to the core and drive Singapore to become a Smart Nation. The Government is committed to protecting personal data that is entrusted to it by the citizens, and will continue our efforts to ensure that our data security regime remains resilient against emerging threats. As we can never completely eliminate data incidents, we will continue to improve our processes so that we can respond effectively and rapidly to minimise the impact on our citizens.

The full annual update on the Government’s personal data protection efforts for 2020 can be found on the “A Secure Smart Nation” microsite. Going forward, the Government will continue to publish the annual updates every July.

---

• Annex A: Infographic on Annual Update (pdf - 205kb)

• Annex B: Implementation Timeline of the Public Sector Data Security Review Committee Recommendations (pdf - 305kb)

---

For media queries, please contact:

Goh Yu Chong
Senior Manager, Adoption and Engagement Directorate
Smart Nation and Digital Government Office, Prime Minister’s Office, Singapore
Tel: 9644 1674
Email: goh_yu_chong@pmo.gov.sg

Amanda Foo
Manager, Adoption and Engagement Directorate
Smart Nation and Digital Government Office, Prime Minister’s Office, Singapore
Mobile: +65 9841 8628
Email: amanda_foo@pmo.gov.sg