Written Answer · 2019-05-06 · Parliament 13

Public Agencies’ Exemption from Personal Data Protection Act

AI Governance & Regulation · AI Safety & Ethics · AI & National Security · AI in Public Sector · Contention level 3 · Substantive debate

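The Member asked whether public agencies enjoy an exemption from the Personal Data Protection Act, and about their accountability for data breaches. The Government responded that public agencies are bound by laws and rules such as the Public Sector (Governance) Act and Instruction Manual 8, that criminal penalties and internal disciplinary actions are provided for, and that data breaches are prevented through technical and management measures. The core issue is the legal basis and enforceability of public agencies' data protection responsibilities.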

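Key points

  • Public agencies bound by multiple regulations
  • Criminal and disciplinary measures combined
  • Strict technical and management measures

Government position

Supports strengthening national defence and regional security cooperation

Questioner's position

Proposes a moderate adjustment of the defence budget

Policy signal

Strengthening national defence and regional counter-terrorism cooperation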

“The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data.”

Participants (2)

English original

SPRS Hansard · Fetched: 2026-05-02

1 Ms Irene Quay Siew Ching asked the Prime Minister with regard to public agencies' exemption from the Personal Data Protection Act (a) whether he can list out the specific clauses in the current laws and instruction manuals that provide for public agencies' accountability on data breaches (not misuse of data) in public IT systems; and (b) whether he can explain how these clauses in the laws collectively impose a high standard of responsibility on all public agencies.

Mr Teo Chee Hean (for the Prime Minister): Public agencies and their officers are subject to data protection provisions set out in the Public Sector (Governance) Act (PSGA) and the Instruction Manual 8 (IM8), as well as in other related legislation. The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data. Public officers found guilty of these offences can be fined up to $5,000 and/or face a jail term of up to two years. Besides the PSGA, other legislation also criminalises the act of unauthorised disclosure of data, such as the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act. These provisions serve to deter public service officers from and punish them for the irresponsible use and handling of data. Please refer to Annex A for a list of the relevant clauses in the aforementioned Acts.

Apart from criminal proceedings, public officers found to be negligent in protecting data under their control can face internal disciplinary actions, as provided for in the Public Service (Disciplinary Proceedings) Regulations 1999.

Apart from such legislative sanctions, the government has a number of measures to prevent or minimise the chances of a data security breach and to minimise the consequences of a data breach. All public agencies are required to comply with the provisions of the IM8. The IM8 complements the broad data provisions in the PSGA by setting out the rules and requirements that agencies have to adhere to in order to manage and protect government data under their control. The IM8 prescribes specific measures to protect government data. For example, the IM8 mandates Internet surfing separation, the disabling of USB ports from being accessed by unauthorised devices, and the use of passwords to protect files that contain personal data. The IM8 also prescribes certain data protection processes, such as the prompt removal of access rights, the detection of inactive users and the regular review of system access rights.

Agencies are regularly audited for their compliance with the IM8 requirements, as well as the effectiveness of the measures implemented. The objective of audits is to enable agencies to uncover process and system gaps that should be addressed before a data incident occurs. Where such gaps are identified, agencies are required to draw up plans to close these gaps within a specific timeframe, and the progress of these plans is monitored until the gaps are fully closed. Besides regular IM8 audits, agencies' data management practices may also be audited by the Auditor-General. The outcomes of these audits are reported in Parliament and publicly available; agencies' actions to close the gaps are tracked until completion. Serious irregularities can be brought to the attention of the Ministry of Finance for internal action, as part of the audit process.

The deterrent measures in the PSGA and other legislation, the prescriptive measures in the IM8, as well as the regular IM8 compliance audits, collectively impose upon public agencies and public officers a high level of responsibility for data protection. Data security is essential to upholding public confidence in the Government's ability to deliver a high quality of public service to our citizens through the use of data. The Public Sector Data Security Review Committee, commissioned by the Prime Minister and chaired by Senior Minister Teo Chee Hean, will recommend ways to enhance the policies and practices the public sector already has, to keep pace with advances in technology. This includes keeping accountability measures up-to-date to ensure that data security remains a priority among public service leaders, and to ensure that policies and practices are continually improved to maintain a robust data security regime. The Committee will present its findings and recommendations to the Prime Minister in November 2019.