Government accepts 5 measures to improve data security, to set up single contact for public to report breaches
SINGAPORE: The public will soon have a single contact point to report Government data incidents like unauthorised copying or disclosures.
This will ensure “greater consistency” in the handling of data incidents across agencies, the Public Sector Data Security Review Committee said on Wednesday (Nov 27).
“The central contact point will minimise confusion on where the public may lodge complaints on Government data incidents, and assure the public that an authoritative independent party would follow up on the complaint,” the committee wrote in its report.
The contact point is targeted to be ready in the next few months, and will comprise a website and an email to the Government Data Office (GDO), which currently receives reports from Government agencies on data incidents.
This follows the Government’s acceptance of the committee’s five wide-ranging recommendations to better protect citizens’ data. The committee is chaired by Senior Minister Teo Chee Hean, who is also Minister-in-charge of Public Sector Data Governance.
The five recommendations are:
- Improve data protection and prevent data compromise through measures like protecting data directly when stored to ensure it is unusable even if extracted;
- Improve detection and response to data incidents through measures like designating the GDO to monitor and analyse data incidents that pose significant harm;
- Raise competencies and instil a culture of excellence through measures such as having all public officers attend improved data security training every year;
- Account for data protection at every level through measures like amending the Personal Data Protection Act to cover third-party vendors handling Government data;
- Ensure a continuous approach to improving data security through measures like improving the Government’s expertise in data security technology.
The Government targets to implement the measures in 80 per cent of Government systems by end-2021. The timeline for the remaining 20 per cent, which involve systems that are complex or require significant redesign, is end-2023. In the interim, agencies will put in place appropriate measures to manage the relevant data risks.
“The committee is confident that these measures will significantly enhance data security,” Mr Teo said on Wednesday.
“And we will do our utmost to implement them thoroughly, expeditiously but thoughtfully. As you know … the threats are always rapidly evolving. So we will do our best to keep up with the threats to try and stay ahead of them.
“But there's no 100 per cent guarantee that things will not happen. But if they do, we will also have a regime in place to respond to them expeditiously and effectively to minimise the damage.”
Mr Teo said the Digital Government Executive Committee, chaired by the Permanent Secretary of the Smart Nation and Digital Government Office, will oversee public sector data security and drive implementation of the committee’s recommendations.
The Government Technology Agency will also build capabilities in data protection and privacy preservation to deepen the Government’s expertise in these areas and keep up with the latest developments, he added.
In making the recommendations, the committee reviewed 336 out of a total of 2,840 Government systems and data management practices across all 94 public agencies to identify risk areas and common causes of incidents.
The committee discovered that three in four agencies had at least one finding of non-compliance with the policies and standards of an internal Government manual on data management.
The most common findings were in the areas of management and monitoring of privileged user accounts, user access reviews, encryption of emails with highly-sensitive data and extraction of production data.
Of these non-compliant agencies, 64 per cent were rated “low-risk”, 23 per cent were rated “medium-risk” and the remaining 13 per cent were rated “high-risk”.
These agencies will rectify the inspection findings with validation from GovTech, the committee said.
The committee studied global and industry best practices and found areas for improvement in policies and practices:
- Smaller agencies, in particular, could be better supported in implementing intended policies because they do not have as many resources;
- The roles and responsibilities of staff in data security could be better articulated;
- The Government could more widely adopt technical, process and organisational best practices to improve data security;
- The Government’s high standards of data protection needed to be extended to vendors and other non-Government entities when they handle public sector data;
- Management of data-related incidents could be further tightened.
The committee also compared the Government’s data protection standards with those of the private sector, and assessed the robustness of its recommendations by testing them against past data incidents.
“The committee then checked and satisfied itself that the recommended measures would have prevented or minimised the impact of the past data incidents in the public and public healthcare sector,” Mr Teo said.
RECENT DATA BREACHES
The Prime Minister’s Office announced on Mar 31 that it was forming the committee following several public data breaches.
In July 2018, 1.5 million SingHealth patients’ records – including those of Prime Minister Lee Hsien Loong – were accessed and copied, in what was the most serious breach of personal data in Singapore’s history.
This was followed by the online leak in January of the HIV-positive status and personal information of 14,200 people from Singapore’s HIV registry.
And in March, the Health Sciences Authority revealed that the personal information of 808,201 blood donors was left exposed online for nine weeks after the data was mishandled by one of its IT vendors.
In his letter to Mr Teo thanking the committee for its work, the Prime Minister said the Government takes its responsibility as a custodian of a vast amount of data “seriously”.
“We need to use and share data as fully as possible to provide better public services. In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation,” Mr Lee wrote.
“This is especially so in healthcare, but it is true of every other field of Government too.”
Mr Teo said he does not expect the implementation of the measures to delay any Smart Nation initiatives, highlighting that the latter must go “hand in hand” with data security to gain the confidence of citizens and business users.
“The (Smart Nation) projects that we are rolling out now, we go in clear-eyed that these would be targets, that we have to bake (data) security into the design,” said Minister-in-charge of the Smart Nation initiative Vivian Balakrishnan, who also sits on the committee.
“If and when we detect that there are any critical threats, then clearly we will take a pause and we will review the situation before we move forward.”
In July, the committee had also recommended that the Government immediately deploy three readily available measures to improve data security.
These include having a data file integrity verification system, strengthening password and encryption requirements across more types of data files, and introducing prompts before public officers send out emails with sensitive data.
Mr Teo said these measures were implemented in October, reiterating that the remaining measures will follow expeditiously so “Singaporeans can be confident that the Government takes data security seriously and will do the utmost to protect citizens’ data”.