Singapore will soon have a central contact point where the public can report data incidents, such as unauthorised copying or disclosures, to the Government.
It will act as a dedicated platform for lodging all such incidents, providing assurance to the public that their case will be monitored and handled by a figure of authority.
This contact point will exist as a website with an email address that goes directly to the Government Data Office (GDO). At present, the GDO receives such reports from the public via multiple Government agencies.
This contact point is to be made available in the coming months.
The decision to roll it out follows the adoption of the Public Sector Data Security Review Committee’s five recommendations for enhancing the security of citizens’ data:
- Improve data protection and prevent data compromise by protecting data directly when stored to ensure it is unusable even if extracted
- Improve detection and response to data incidents, for example by designating the GDO to monitor and analyse data incidents that pose significant harm
- Raise competencies and instill a culture of excellence, for example by having all public officers attend improved data security training every year
- Account for data protection at every level, for example by amending the Personal Data Protection Act to cover third-party vendors handling Government data
- Ensure a continuous approach to improving data security, for example by improving the Government’s expertise in data security technology
Senior Minister Teo Chee Hean is the Minister-in-charge of Public Sector Data Governance and also chairs this committee.
The Government aims to roll out the recommended measures in 80 percent of Government systems by the end of 2021.
The end of 2023 has been set as the target for rolling out to the remaining 20 percent of Government systems. These systems are more sophisticated and may need notable redesign.
Mr Teo said that while there are such measures in place, threats will continue to exist. He said that in the event of such situations, there will already be countermeasures in place to effectively deal with them.
The Digital Government Executive Committee, which is chaired by the Permanent Secretary of the Smart Nation and Digital Government Office, will oversee public sector data security and push for implementation of the committee’s recommendations.
The Government Technology Agency (GovTech) will develop capabilities in data protection and privacy preservation to strengthen the Government’s expertise in these areas and stay up to date with the latest developments.
The Public Sector Data Security Review Committee assessed 336 of the total 2,840 Government systems, as well as data management practices across all 94 public agencies, to identify risk areas and common causes of incidents.
Three in four agencies were found to be non-compliant with the policies and standards of an internal Government manual on data management.
These were mostly in the areas of management and monitoring of privileged user accounts, user access reviews, encryption of emails with highly sensitive data and extraction of production data.
GovTech will validate the measures taken by the agencies to fix these non-compliance issues.
The committee also analysed best practices globally and in the industry. The following policies and practices were found to require improvement:
- Better support for smaller agencies in implementing intended policies, as they do not have as many resources
- Better articulation of the roles and responsibilities of staff in data security
- Wider adoption of technical, process and organisational best practices by the Government to improve data security
- Extension of the Government’s high standards of data protection to vendors and other non-Government entities when they handle public sector data
- Further tightening of the management of data-related incidents
The Government’s data protection standards were also compared with those of the private sector. The robustness of the committee’s recommended measures was tested against past data incidents.
The results showed that the recommended measures, had they been implemented during the past data attacks in the public and public healthcare sectors, would have stopped them or reduced their impact.
“The committee is confident that these measures will significantly enhance data security,” said Mr Teo.