The Smart Nation and Digital Government Office (SNDGO) has published the second update on the Government’s personal data protection efforts. This annual update is a key recommendation made by the Public Sector Data Security Review Committee (PSDSRC) in November 2019, to enhance transparency on how the Government uses and secures citizen data.
This update focuses on the initiatives carried out between 1 October 2020 and 31 March 2021, while the inaugural update covered the period from November 2019 to 30 September 2020. The coverage of future updates will henceforth be aligned to the financial year.
Trends in Number of Government Data Incidents Reported
The number of government data incidents rose from 75 in FY2019 to 108 in FY2020. While the number of data incidents reported has increased by 44 per cent, there has been a downward trend in their severity – none of these incidents were assessed to be of high severity, and all incidents were addressed within 48 hours. The increase in data incidents reported correlates with trends seen in the private sector and globally, as the exchange and usage of data grows. The increase also reflects increased awareness and improved understanding among public officers to report all data incidents, regardless of scale or impact.
Out of the 108 government data incidents in FY2020, 6 were detected as a result of public reports made to the Government Data Security Contact Centre (GDSCC). The Centre was set up in April 2020 for members of the public to report data incidents involving government data or government agencies, and seeks to strengthen the Government’s capabilities to detect data incidents.
Public officers found to have made unauthorised use or disclosure of government data will be held accountable. In 2021, several individuals were charged under the Official Secrets Act (OSA) for the unauthorised disclosure of information related to Singapore’s response to COVID-19.
Three Newly-Implemented Initiatives since 1 October 2020
As of 31 March 2021, the Government has implemented 21 of the 24 initiatives arising from the five key recommendations by the PSDSRC. The 3 initiatives that have been implemented since 1 October 2020 are:
- The Data Privacy Protection Capability Centre (DPPCC): This centre was set up within GovTech in December 2020 to deepen the Government’s expertise in data privacy protection technologies. It will provide expert advice to agencies, monitor emerging data privacy protection risks, and recommend solutions to mitigate them.
- Advanced Data Protection Technical Measures: Since its inception, the DPPCC has begun studying and implementing advanced technical measures to protect data in Government systems. One example is de-identification modules, which protect sensitive personal data and maintain data privacy while still enabling the data to be used.
- Amendments to the Personal Data Protection Act (PDPA): The amendments came into effect on 1 February 2021. These amendments strengthen the data protection accountability of non-Government entities and non-public officers who handle Government data. Punitive measures were introduced to hold these individuals accountable for the reckless handling, or intentional mishandling, of personal data.
The remaining three of the 24 initiatives are technical measures, which require significant re-architecting of technical systems and more time to develop. The Government is on track to complete these initiatives as planned, by end-2023.
Technical and process measures to prevent data compromises
The Government has been implementing advanced technical solutions to further strengthen the public sector’s data security posture. In November 2020, the Government implemented the Government Commercial Cloud (GCC) Privileged Identity Management (PIM) solution. With more Government systems migrating to the Cloud as part of our “Cloud-First” strategy, the GCC-PIM solution will ensure that access by privileged users (i.e. those whose roles require wide access to data), such as system administrators, will be secured and monitored to prevent unauthorised use of data.
The Government has also started to develop Whole-of-Government (WOG) Data Loss Protection (DLP) services. The DLP services use technical and process controls to detect anomalous activities, such as unexpected downloads of large amounts of data to personal computers, that are indicators of possible malicious activity or data incidents.
The DLP services will prompt the user to confirm that the data transfer is intended before it proceeds and, in some cases, stop the anomalous data transfer altogether to prevent the loss of sensitive data from Government networks and user devices. The implementation of the WOG DLP services will commence by the end of 2021.
It is not possible to eliminate data incidents altogether and we will need to respond swiftly when they occur. To ensure that the public service is well-prepared to respond to data incidents at the WOG level, the Government will be conducting central ICT and Data Incident Management exercises in a multiple-agency effort.
Four ministries have been selected to participate in the inaugural central ICT and Data Incident Management Exercise to be held in September 2021. These come on top of annual agency-specific exercises to simulate data incidents and test the readiness of agencies to effectively contain and manage the impact of data incidents.
The Government has also implemented several initiatives to ensure that public officers are well-equipped to manage and safeguard data to mitigate security risks. In February 2021, the Data Security e-learning module was refreshed to include new content on how to work from home securely, and how to safeguard data when using the new Secure Internet Surfing technology implemented in November 2020.
In addition, the Government will be conducting a series of specialised workshops from July 2021 for Key Appointment Holders, as well as ICT and data teams, to equip them with the necessary skillsets to fulfil their roles.