Public Sector to implement 23 new data security measures
Measures will be fully implemented in public sector systems by 2023
A set of recommendations targeting data security was accepted by the Prime Minister's Office yesterday.
Broadly sorted into five categories, the recommendations include measures to ensure that the Government collects and retains an individual's data only when it is necessary and ensures the data is properly protected and encrypted.
There will also be a single contact point for the public to report government data incidents and breaches, and a central body that will ensure the Government's response to such breaches is consistent.
The measures come in the wake of a series of data breaches and leaks in 2018 and 2019, including incidents where the personal data of 1.5 million SingHealth patients and the personal details of thousands of HIV-positive people on Singapore's registry were leaked.
The measures were announced by the Public Sector Data Security Review Committee at a press conference yesterday.
Chaired by Senior Minister Teo Chee Hean, the committee was convened in March to conduct a comprehensive review of data security practices across the public service.
The recommendations, which were accepted by Prime Minister Lee Hsien Loong, will be rolled out in 80 per cent of public sector systems by end-2021.
The rest will be implemented by the end of 2023.
In his letter to Mr Teo, PM Lee said: "As custodian of a vast amount of data, the Government takes this responsibility very seriously.
"The Government accepts the Committee's recommendations in full. Your proposals are practical, and we will implement them expeditiously and thoughtfully."
The measures, which will target different aspects of data security, include technical, process-based, people and organisational changes.
In the report, the committee broke down how the four major breaches in 2018 and 2019 occurred, and detailed ways in which the recommendations could have helped address the points of failure.
The four archetypes identified were "malicious actors", "negligent insider", "careless employee" and "third-party mishandling".
In the case of the SingHealth cyber attack in 2018, the Committee said a skilled attacker gained entry to the IT network after overcoming a series of security measures.
Security staff had spotted signs of potential intrusions in the IT network but did not recognise that they were indicators of a sophisticated attack.
Recommendations that could have mitigated the attack include technical measures that monitor authorised access and privileged access, an increased training focus for IT security staff, and the Enhanced Data Incident Management Framework, which will help ensure prompt and clear incident reporting.
In the case of the HIV registry leak, a medical officer who was an authorised user is believed to have copied the data onto a thumb drive, which is then believed to have been copied by an unauthorised party.
Among other things, the new measures restricting access to sensitive files to secured platforms would have prevented the medical officer from downloading the data.
Associate Professor Lawrence Loh of the National University of Singapore Business School said that while such structural and policy-based measures can help, data security boils down to the people who make up the agencies, organisations and the public.
"It remains up to individual habits - we cannot expect the computer's defences to be foolproof, because as in many past cases, it comes down to human error," he said.
"It will take time, training and awareness to ensure that data is well protected."
Five key measures to handle public sector data
The Public Sector Data Security Review Committee's recommendations in five key areas for entities handling public sector data.
Enhancing data protection and preventing compromise
- Agencies to collect only necessary data and limit its retention period, with restricted access and download rights.
- Enhance logging and monitoring to detect high-risk or suspicious activity, including digital watermarking.
- Protect stored data directly by making it unusable and unreadable if it is stolen.
- Enhance the third-party framework to ensure third parties handle data with appropriate care.
Strengthening detection of and response to incidents
- Central contact point for public to report data incidents.
- Set up Government Data Office to monitor and analyse data incidents.
- Government IT management committee to serve as the central body to respond to large-scale or multi-agency incidents.
- Institute a notification framework to ensure individuals are promptly notified.
Building competencies of public officers and a culture of secure data usage
- Specify responsibilities for those involved in management of data security.
- Ensure all public officers are equipped with the necessary skills, and are regularly updated through an annual training programme.
- Cultivate an environment conducive to open reporting of data incidents.
Accountability for data protection
- Institute organisational key performance indicators for data security to signal data security as an organisational priority.
- Hold top leadership of all public sector organisations accountable for putting a strong security regime in place.
- Stress the impact and consequences of breaches to public officers.
- Ensure accountability of third parties handling government data by amending the Personal Data Protection Act.
- Publish the Government's policies and standards relating to personal data protection and update information yearly.
Ensure sustained efforts
- Appoint the Digital Government Executive Committee to oversee public sector data security and drive the implementation of the Committee's recommendations.
- Set up the Government Data Security Unit in the Government Data Office to drive data security efforts in the Government.
- Deepen the Government's expertise in data privacy protection technologies through GovTech's Capability Centres.
- CHEOW SUE-ANN