The Government has released its fifth annual update on efforts to enhance the public sector data security regime for the fiscal year 2023 (1 April 2023 – 31 March 2024). This report highlights the significant progress made, including the successful implementation of all 24 initiatives recommended by the Public Sector Data Security Review Committee (PSDSRC) in 2019.
In FY2023, the government reported 201 data incidents, an increase from 182 incidents in FY2022. This rise is attributed to the growing volume of digital government services, which has led to more data being handled and, consequently, more incidents being reported. The increase may also reflect improved awareness among public officers about the importance of reporting data incidents.
Despite this rise, the majority of reported incidents were of low severity. Notably, there were no incidents assessed as high severity for the fourth consecutive year. Additionally, medium severity incidents decreased from 46 in FY2022 to 29 in FY2023. These improvements are largely due to the progressive implementation of enhanced security processes, technical measures, and heightened public sector awareness regarding data security.
Several significant measures have been introduced to strengthen data security in FY2023:
Expansion of Central Privacy Toolkit (Cloak)
Launched in March 2023, the Central Privacy Toolkit, known as Cloak, has been enhanced with new features to support privacy-preserving technologies. It has been utilised by 1,400 public officers across 90 agencies. Notably, its free-text anonymisation feature has anonymised 20 million documents and supported over 20 generative AI use cases within the government.
Deployment of Automation Tools
By March 2024, all eligible government systems were equipped with the Central Accounts Management (CAM) tool. This tool automates the removal of unnecessary user accounts, reducing the risk of unauthorised access and exploitation of dormant accounts. Additionally, enhancements to the Government’s Data Loss Protection (DLP) tool have prevented accidental loss of sensitive data. Since September 2023, email recipients can no longer view the addresses of other external recipients when there are more than 30 recipients.
Enhancing Public Service Competencies
Recognising that eliminating data incidents entirely is challenging, the Government has focused on improving response capabilities. In August and September 2023, an annual central ICT and Data Incident Management exercise was conducted, involving 31 agencies across four Ministry Families. This exercise aimed to enhance coordinated and efficient incident response.
Additionally, gamified events and a refreshed Data Security e-learning module, introduced in February 2024, have been designed to engage public officers and educate them about data protection in the context of new technologies and trends like Large Language Models (LLMs) and phishing scams.
Ongoing Commitment to Data Security
The Government remains dedicated to maintaining a robust data security regime. All 24 PSDSRC initiatives have been implemented, reflecting the Government’s commitment to continually reviewing and enhancing data security measures. Future updates and new initiatives will be shared on the Ministry of Digital Development and Information (MDDI) website to ensure transparency and ongoing improvement in public sector data security.
Data management in the public sector is governed by the Public Sector (Governance) Act (PSGA) and the Government Instruction Manual on Infocomm Technology & Smart Systems Management (IM on ICT&SS Management). The PSGA and IM on ICT&SS Management outline the Government’s approach to managing and protecting data, including personal data, with a focus on integrated service delivery across agencies.
In contrast, the Personal Data Protection Act (PDPA) regulates data management in the private sector, where each organisation is individually accountable for its data, and there is no expectation of integrated service delivery across different private sector entities.
The PSGA, enacted in 2018, introduced criminal penalties for public officers who improperly disclose, misuse, or re-identify data. This complements the existing policies in the IM on ICT&SS Management, which has governed data security in the public sector since 2001.