Government accepts all data security recommendations by review committee; to roll out 80% by end 2021

The government will be rolling out recommendations from the Public Sector Data Security Review Committee in 80% of its systems by the end of 2021, and the remaining 20% by end of 2030. In his reply to the committee's recommendation on 27 November, Prime Minister Lee Hsien Loong said, “Data is the lifeblood of the digital economy and a digital government. We need to use and share data as fully as possible to provide better public services. "In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation." Recommendations include public agencies collecting and retaining a person’s data only when it is strictly necessary and ensuring it is well safeguarded. In cases of data incidents involving government ministries, public agencies or statutory bodies, affected individuals are to be promptly notified. A single contact point will also be established to allow the public to report on data incidents. On top of that, all public sector officers will have to go through a yearly data security training programme in an effort to improve the culture of safeguarding data. Also, as the Personal Data Protection Act (PDPA), for which amendments are likely to be announced next year, will also include third-party government vendors handling government data. This means that those agents who we previously exempted from the PDPA will not be liable to financial penalties under the Act of up to S$1 million. These recommendations fall under five broad measures aimed at better data protection and mitigating data compromise; improving detection of and response to data incidents; raising competency on data security in the public service, ensuring accountability for data protection at all levels of the government, and ensuring that data security is a sustained effort in the public service. These are in tandem with the 13 technical measures that were announced by the committee in July which included strategies like encrypting sensitive files and hiding highly sensitive information in a separate system with strictly controls. To oversee the data security across the public sector, a Digital Government Executive Committee will be appointed by the government. The current review committee, on the other hand, will take lead in implementing the latest recommended measures. PM Lee says the government agrees that the recommendations should be implemented as soon as practicable, noting that three baseline technical measures have already been implemented in October 2019.

A string of security breaches in Singapore

These recommendations by the review committee come after an eight-month review which was commissioned following a series of data breaches in Singapore which have sparked questions of the country's image as a tech innovator. In March, Russian cybersecurity company Group-IB revealed its discovery of a massive data breach involving email log-in and passwords from several government organisations on the dark web since 2017 as well as over 19,000 compromised payment card details stolen and put up for sale by the hackers. In a statement, Group-ID revealed that the breach involved Singapore’s Government Technology Agency, Ministry of Education, Ministry of Health, the Singapore Police Force and the National University of Singapore. Also in March, insurance company AIA reported that one of its web portals containing the personal information of 200 people was found to be publicly accessible. In worse cases, the data of more than 800,000 blood donors were placed at risk over the internet due to unauthorised access by a Health Sciences Authority (HAS) vendor for over two months, also revealed in March. Earlier in January, the Ministry of Health was notified by the police that the confidential data of 14,2000 individuals in the national HIV Registry as well as 2,4000 contacts has been illegally disclosed online. Last year in October, 72 HealthHub accounts were illegally accessed. June 2018 saw the worse cyber attack in Singapore which resulted in the personal data breach of 1.5 million patients of healthcare cluster SingHealth, including the information of Prime Minister Lee Hsien Loong. According to data research, the number of leaked cards has increased by 56% in 2018 compared to 2017, following a string of breaches and cyber attacks in both the public and private sector.