SINGAPORE — The Singapore public service sector is implementing several technical measures with immediate effect in order to strengthen its data security regime, following a series of data breaches in the past year.
In a progress report released on Monday (15 July), the Public Sector Data Security Review Committee said that the immediate measures will result in:
data integrity being checked to ensure that there are no malicious modifications to data in transit;
the automated detection of sensitive data content within emails;
and enhanced encryption requirements for files.
“The current security regime has strong fundamentals. However, there is a need to strengthen our data security regime for the future,” the committee said in the report.
“This is in view of the increasing complexity of our systems, the greater demand for the use of data to provide convenient digital services to the public, and the need to use data for better policy making. The range of threats to data security has also increased.”
Committee convened by the Prime Minister
The committee was convened by Prime Minister Lee Hsien Loong to review how the government secures and protects citizens’ data. It was formed on 1 April, chaired by Senior Minister and Coordinating Minister for National Security Teo Chee Hean, and will submit its full report by 30 November.
The committee, as well as the industry experts whose views it sought on improving public sector data security, recognise that a holistic set of technical, process and people measures will be required.
While some of the technical measures can be implemented immediately, there will be further measures to address and strengthen access controls. Such medium-term measures will be detailed in the final report.
In terms of process measures – procedures to enable agencies to protect against data security threats – the committee will be recommending enhancements to rules and guidelines, including measures to better ensure high data protection standards by third parties handling government data.
The committee will also recommend methods to strengthen the government’s response to data incidents, to contain the breach and to minimise impact. It will also improve procedures to notify and assist members of the public who are affected by the incidents.
Finally, the committee will also develop measures to raise data security capabilities among public officers, so that they can be more competent and confident in using and safeguarding data, as well as maintaining public trust.
Spate of cyber-security breaches
PM Lee had convened the committee after a spate of cyber-security breaches over the past year.
In July last year, about 1.5 million SingHealth patients’ records – including those of PM Lee – were accessed and copied, in what is the most serious breach of personal data in Singapore’s history.
This was followed in January this year by the revelation that the HIV-positive status and personal information of 14,200 people from the Republic’s HIV registry had been leaked online by United States citizen Mikhy Farrera Brochez.
Then in March, the Health Sciences Authority revealed that the personal data of more than 800,000 blood donors were accessed illegally and uploaded on an unauthorised server for more than two months. A technology vendor, Secur Solutions Group, was responsible for the incident.
PDPC updates guide to accountability
Meanwhile, the Personal Data Protection Commission (PDPC) also released an update of its guide to accountability on Monday.
The updated guide covers accountability in three broad areas: within an organisation, within the industry and in enforcement. It includes examples and resources that organisations may use to translate accountability concepts into practical steps they can adopt.
“It is important that organisations shift from a compliance-based approach to an accountability-based approach in the management of personal data,” the PDPC said in a media release on the updated guide on Monday.
“This will provide consumers with greater assurance, enhance business competitiveness, and strengthen the public’s trust in their data protection practices.”