SINGAPORE – Public officers reported 108 cases of data leaks by the Singapore Government last year, up 44 per cent from 75 cases in 2019.
All of the incidents were assessed to be of “medium” or “low” severity, according to the second annual report on the Government’s personal data protection efforts released on Tuesday (July 27).
Without disclosing details, its author, the Smart Nation and Digital Government Office (SNDGO), defined medium severity to mean that a government agency had suffered difficult or undesirable consequences, with minor inconvenience to individuals or businesses.
There were no severe incidents reported last year. These are incidents that damage national security or the public’s confidence, or those resulting in death or serious physical, financial or sustained emotional injury to an individual.
To date, only two such severe incidents have been reported. Both took place in 2018.
The first is the unauthorised disclosure of the confidential data of 14,200 patients from the Ministry of Health’s HIV registry. The second is the unauthorised access of 223 case files due to a vulnerability in the State Courts’ online system.
Of the 108 cases last year, six were reported by members of the public through the Government Data Security Contact Centre, an online portal launched in April last year. Details of these cases have not been released.
The rise in public sector data incidents mirrors trends in the private sector here.
Last year, local residents filed 6,100 complaints against private organisations about potential personal data breaches, said SNDGO. In 2019, 4,500 complaints were made to privacy watchdog the Personal Data Protection Commission.
“This could be due, in part, to the Covid-19 crisis accelerating the pace of digitalisation in the past year,” said SNDGO.
As more businesses conduct their activities online in the light of public health restrictions, more data is generated and exchanged. This increases the risk of data being exposed.
“Work-from-home arrangements and the use of unsecured home networks may also raise the risk of data incidents,” SNDGO said.
“These trends highlight the increased data security risks faced by the private and public sectors and… the urgency of implementing the necessary measures to safeguard personal data.”
On its part, the public sector has committed to roll out 24 key measures by the end of 2023 as part of its $1 billion investment to better safeguard citizens’ personal data.
These measures were recommended by the Public Sector Data Security Review Committee (PSDSRC), formed in March 2019 after a spate of cyber-security breaches, including Singapore’s worst data breach involving 1.5 million SingHealth patients’ data in June 2018.
The PSDSRC framework will gradually replace current practices at public agencies, many of which have devised their own protocols.
As at March 31 this year, 21 of the recommended measures are already in place. These include automating the removal of inactive user accounts to automating the detection of risky user behaviour, such as copying sensitive files from laptops.
One of the most recent changes is an amendment to the Personal Data Protection Act (PDPA), which does not apply to the public sector, to cover third parties handling government data.
The new law came into effect on Feb 1 to better hold third-party organisations accountable for any mismanagement of citizen data. Individuals in these organisations will also be held accountable for lapses that are directly or indirectly caused by egregious mishandling of personal data.
Previously, third parties were subject to only the obligations in their contracts with public agencies and, where applicable, laws such as the Official Secrets Act.