Oral Answer · 2019-02-12 · Parliament 13

Review of Public Agencies Exemption Provisions in Personal Data Protection Act

Tags: AI Governance & Regulation · AI & National Security · AI in Public Sector · AI Strategy · Controversy 3 · Substantive debate

MPs asked whether the PDPA should be amended to remove the exemption for public agencies in light of data-leak risks. The government replied that the public sector already has multiple legal and policy safeguards, stressing that public-sector data management differs from the private sector, adopts a different legal regime, and the rules will be kept under review. The core debate: whether public-agency data protection should be brought under unified PDPA oversight.

Key Points

  • Public-sector data has multiple legal safeguards
  • Public-sector data management differs from private sector
  • Will continue reviewing the regulations

Government Position

Public-sector data is protected by multiple regulations; existing exemption maintained.

Opposition Position

Recommends removing the public-agency data-protection exemption.

Policy Signal

Continue to strengthen public-sector data governance.

"Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors."

Participants (3)

Original Text (English)

SPRS Hansard · Fetched: 2026-05-02

12 Ms Sylvia Lim asked the Minister for Communications and Information given the gravity of data protection breaches in the public sector, whether the Personal Data Protection Act should be amended to remove the exemptions for public agencies.

The Minister for Communications and Information (Mr S Iswaran): Mr Speaker, the Personal Data Protection Act (PDPA) came into force in 2012. With the gathering pace of digitalisation, we recognised the need to strengthen data protection in the private sector. PDPA establishes a baseline standard for data protection in the private sector, balanced against its need to use personal data for reasonable purposes.

On its part, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector and we continue to strengthen our data governance policies. Since 2001, the Government Instruction Manuals (IMs) already include measures to govern the use, retention, sharing and security of personal data among public agencies.

In 2018, the Public Sector (Governance) Act (PSGA) was introduced and it provided for additional safeguards for personal data in the public sector, including criminalising the misuse of data by public servants. The data protection standards in PSGA are also aligned with the PDPA. In addition, data collected by the public sector is also protected by specific legislation, such as the Official Secrets Act, the Income Tax Act, the Infectious Diseases Act and the Statistics Act. Collectively, these laws impose a high standard of responsibility on all public agencies, with additional requirements for the protection of sensitive or confidential data. Also, regular mandatory audits are conducted to ensure that public agencies comply with the standards for data protection and the security of information and communications technology systems.

PSGA allows personal data to be managed as a common resource within the public sector for better policymaking and also for more responsive public services. For example, when a Singaporean applies for financial assistance at a Social Service Office, the frontline officers are able to quickly evaluate his or her eligibility for financial assistance because they have access to data from other relevant agencies. In this way, we minimise the documents that need to be submitted by the applicant and improve the delivery of public services. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similar integrated delivery of services across different commercial organisations.

Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors. That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector. We will regularly review the PDPA, PSGA and other legislation to ensure that they remain relevant and effective in safeguarding personal data in both the public and private sectors.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim (Aljunied): I have four supplementary questions for the Minister. The first question is, I acknowledge that the various statutes and the IMs, as the Minister mentioned, do set out standards for the Public Service to comply with. Does the Minister agree, however, that these instruments, legislation or IMs are usually silent or weak on the recourse that citizens may have if there is a data breach? They may be strong on penalties for errant officers but, generally, we get silences on the rights of citizens.

Secondly, does the Minister also agree that for the PDPA itself, I suppose one of the advantages or assets of the PDPA is its approach to try to balance the need of organisations to collect data and, at the same time, if we look at section 3, it also recognises that personal data belongs to individuals, and individuals have a right to protect that data?

The third question is, we talked recently about the SingHealth incident. Does the Minister agree, because SingHealth is a body that comes within the purview of PDPA, it is not a Public Agency as defined in the Act, and the SingHealth cyberattack case has shown that the Personal Data Protection Commission (PDPC) can actually play a very useful role as far as the public is concerned? The PDPC's judgement in the cyberattack case mentioned that members of the public complained to it that their data had not been adequately protected by SingHealth. PDPC actually made some findings which will likely lead to improvements on the part of SingHealth and the Integrated Healthcare Information Systems (IHiS) as well.

Perhaps the last question for now is that one of the things that the PDPA does provide is a complaints procedure which I would like the Minister to confirm that this is something that is very useful to the citizens, which does not force the citizens to commence a lawsuit against a Government agency should one suffer damage and so on. So, these are very real advantages of the PDPA which I believe citizens can benefit from.

Mr S Iswaran: Mr Speaker, I thank the Member for her comments. I am not sure all of them were questions because some of them were observations. But let me interpret them.

Let me start by making a more general point. I think the key conclusion we have to draw is this. When we say exempt – and that is the language that the Member has used in her question – that the public sector is exempt from the PDPA, that does not mean that the public sector is somehow subject to a different or lower standard, as might be implied, in terms of data security and safety. In fact, and that was the thrust of my reply that, one, the public sector and the PSGA, in particular, takes reference, and it is in broad alignment with PDPA. But having said that, there is a clear recognition that the mode of operation and the expectation of how data is used in order to provide an effective and efficient Public Service, implies that we do need a different methodology in the way we govern public sector data governance. That is why we have this differentiated approach. In addition to the PSGA, as I had said, we do have other legislations in place.

Just for Members' information, we are by no means alone in this approach. The Canadians, for example, at the federal level, also have different laws in terms of its application to the private sector and its application to the public sector. So, it is not about differing standards or somehow having a different threshold when it comes to the public sector. In fact, we subject the public sector to the same kind of standards, if not higher standards, precisely because we know that the data that is being entrusted to the public sector is done with the confidence that it would be dealt with in a secure manner.

So, many of the questions that the Member has raised pertain more to whether there are elements of the PDPA. For example, there is a complaints procedure where they can complain to the PDPC on, for example, the right to data. I think the Member made the point that the PDPA strikes the balance between the right to data of the individual versus the right to use the data of the enterprises. Indeed, that is the balance we are trying to strike, whether it is in the public domain or in the private domain. Because essentially, you can say the same sets of considerations apply in the public sector – that we want to ensure individual data is protected, accorded due safeguards, but, at the same time, it should be a common resource that public sector agencies can tap on in order to better serve citizens. Many of the services that we take quite for granted today actually rely on that backend sharing. So, when it comes to a complaints procedure today, there is nothing stopping an individual who feels aggrieved that their data has somehow been mishandled to launch a complaint. And they have different channels for doing so.

On the SingHealth piece, the Member made the point that PDPC came out with the recommendations and so on which were very useful and so on. But actually, if you look at the morphology of the entire incident, the key recommendations that came out of this was actually from the Committee of Inquiry (COI) which the Government established. That is the process through which we derived a whole set of very detailed recommendations. What the PDPC did, because it received the complaint early in the process, was to say that it will take reference from the COI's process in determining whether there was a breach by the relevant agencies, in this case SingHealth and IHiS, and, if so, what penalty should be meted out. But the substantial portion of the recommendations was actually made through the COI process which was, in fact, initiated by the Government, not mandated by any legislation but something that was because of the judgement that was exercised.

The point on recourse comes back to the same thing again. If a member of the public feels that, in some way, their data has been mishandled, then they have every opportunity to lodge a complaint with the Minister, the Ministry, the relevant department, and action will be taken. And you can also, if you think a crime has been committed, make a Police report, and that will also be investigated.

So, if I can summarise, we subject our public sector to the same, if not higher, rigorous standards of data governance. And we have to do that, because if we do not, then a lot of our other efforts, in terms of wanting to build a Smart Nation and delivering, harnessing the digital technologies and all these in order to deliver better public services will all be thwarted. So, that is exactly why we take this very seriously. By and large, the PSGA, in other words, the legislation that governs the public sector data governance, takes reference from the PDPA and we also have other legislation for specific sectoral matters which can also be implied in addition.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim: Two supplementary questions for the Minister. First, the Minister, in his answer earlier, mentioned that for members of the public who are aggrieved that their information has been mishandled by a public agency can always make a complaint. The question is: to whom? And the Minister mentioned that it could be to the Minister. Does the Minister not agree that the PDPC itself, which is focused on personal data protection, should have a role to receive such complaints because they are, after all, the domain expert on personal data protection?

The second supplementary question is: Minister mentioned the issue of public sector agencies being interconnected and, therefore, there needs to be a different approach. But I think the SingHealth incident also illustrates some artificiality in what is actually happening in the healthcare sector. If we look at the setup of SingHealth, for example, no doubt, it is not under the definition of public agency under the PDPA. But the fact is that it is very connected to the Ministry of Health (MOH). In fact, it is owned by MOH Holdings, and there is a frequent, I believe, exchange of data between such healthcare bodies and the parent Ministry. So, it would come to a stage, does Minister not agree that, if my data is given to a clinic, for example, under a cluster, I may be able to complain to the PDPC, but once that data goes to the Ministry and the breach happens there, I do not have recourse under the PDPC? So, there is some artificiality in the distinction as far as the healthcare sector is concerned.

Mr S Iswaran: Mr Speaker, because there will be a Ministerial Statement governing many of the matters pertaining to the public healthcare system, I will keep my comments in response to the Member's queries limited, and I think we can take up clarifications after the Ministerial Statement as well.

The key point I want to emphasise in my response to the Member is this: the term "recourse" for the public has been used several times in the course of this exchange. The fact of the matter is that you need recourse. It does not matter whether the recourse is under the PDPC or PDPA, the legislation or there are other established improved mechanisms. But the key point is you must have recourse.

And that is my point when I said that individuals, depending on where or what circumstances they find themselves in, they can make complaints. By the way, the PDPC does receive complaints sometimes pertaining to the public sector. So, as a recipient of such complaints from the public, it does not turn them away. Rather, the standing arrangement is that they look at it and, if the jurisdiction is such that it does not come under the PDPA, they then refer it to the Government agencies involved to then follow through. In the case of the Government, the Government Technology Agency (GovTech), for example, is overall in-charge of the security and safeguard systems for data. And GovTech is the agency that does many of the reviews and ensures that the Government agencies are in compliance with the IMs and other provisions and so on. Moreover, there is also the Auditor-General's review as well, which occurs from time to time, and it includes security.

My point is that members of the public should not at all be concerned that they do not have recourse. They do, and, in fact, they have a multiplicity of recourse. And I would add that, in the case of the public sector, they probably have more channels and more avenues of recourse in some ways, compared to what you see in the context of the private sector. Because essentially, for private sectors, you go to the PDPC, or you take out a specific legal action against the company on your own. Here, you have got more options because you can go through the PDPC. It would be referred to the relevant agencies. You can go to GovTech, you can go to the Ministry that oversees the relevant department, you can also make a Police report if you feel that it warrants such action.

So, there should be no doubt in Members' minds that we have the appropriate recourse mechanisms. There should also be no doubt in Members' minds that the public sector's data governance standards are in no way inferior to the standards that we impose on the private sector. And, if anything, we impose a higher set of standards. That is the expectation that we have.