SINGAPORE: The Government reported 41 incidents involving the loss of personal data to the police over the past three years, Deputy Prime Minister Teo Chee Hean said on Wednesday (Feb 13).
Thirty cases involved missing laptops with no specific individuals' data compromised, while the other 11 cases affected specific individuals who were then notified, he said in a written answer to a parliamentary question by Nominated Member of Parliament Walter Theseira.
Associate Professor Theseira had asked how many Government personal data information security incidents were reported to the police or the Personal Data Protection Commission (PDPC) from 2014 to 2018.
In his response, Mr Teo said Government agencies lodge a police report if there is suspected foul play or when a physical asset like laptops go missing. These incidents are not reported to the PDPC as it is not their function to investigate them, he added.
Assoc Prof Theseira also asked about the proportion of incidents that were disclosed to the public, as well as the average duration between the police report and the notification of affected individuals.
Mr Teo said that among the 41 cases reported over the last three years, 80 per cent of the reports were submitted to the police on the same day as the discovery of the incident.
For the 11 cases that affected individuals, notification took place an average of three weeks from the police report. For four of the 11 cases, the general public were also informed.
The duration comprises the time needed to identify those affected, assess the extent of the data loss, give an accurate report of the situation to affected persons and to recover and preserve evidence for potential future prosecution, said Mr Teo.
For the remaining 30 reports concerning missing laptops, Mr Teo assured that no data was compromised as Government laptops are protected by encryption and will be cut off from the network if reported lost.
"Nevertheless, a lost laptop remains a serious concern and the agency affected will work with the Police to make a best effort to recover it," he said.
Mr Teo added there are also incidents of data mishandling that are reported internally but not to the police, such as the accidental emailing of personal information to the wrong recipient or mass emails in which officers mistakenly included all recipients' email addresses in the cc field rather than the bcc field.
In those cases, police assistance or intervention is not required, but the affected agency will inform and apologise to affected individuals, and follow up with the necessary staff education and discipline to avoid future occurrence.