Public service to roll out 13 measures to protect citizens' personal data following data breaches

SINGAPORE - The entire public service will have to conform to a common framework to safeguard citizens' personal data, beginning with 13 new measures developed after a spate of breaches in the past year.

These digital measures, some of which are being put in place, aim to make databases unusable if information has been wrongfully extracted from them, detect unusual data transmissions and limit users' access rights.

For instance, sensitive files have to be encrypted and highly sensitive attributes of individuals, such as one's HIV status, are to be hidden away in a separate system with tighter controls. The personal information of ministers and other very important people will also be kept in separate systems with more stringent protection.

The technical measures announced on Monday (July 15) are the first of more to come from a new Public Sector Data Security Review Committee, which was convened by Prime Minister Lee Hsien Loong in April this year.

They were issued after a government-wide stocktake of how data was managed at five key agencies here handling medical and financial data of citizens.

The 13 measures conform to a common definition of sensitive information, as outlined in the new Information Sensitivity Framework, and will replace the current practices of public agencies, many of which devised those practices themselves.

More measures, including ways to better manage third-party vendors and train public servants on data security practices to prepare Singapore for a safer digital future, will be revealed later and will be included in the committee's final report due in November this year.

"These include measures to better ensure high data protection standards by third parties that handle government data," said a spokesman from the Smart Nation and Digital Government Office.

The committee was formed after a spate of cyber-security breaches over the past year, with the latest involving the personal data of more than 800,000 blood donors accessed illegally and uploaded on an unauthorised server for more than two months. A Health Sciences Authority technology vendor, Secur Solutions Group, was responsible for the incident.

In January, the Ministry of Health (MOH) revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by an American who had lived in Singapore. He had gained access to the data through his partner, Ler Teck Siang, a Singaporean doctor who once headed MOH's National Public Health Unit.

And in February, MOH said a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards in September and October last year.

Singapore's worst cyber-attack happened in June last year and involved the database of Singapore's largest public healthcare cluster SingHealth. Hackers made away with the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including PM Lee.

All 13 measures will eventually be deployed to accord the highest level of protection for the most sensitive information. For instance, the database of patients with infectious diseases and individuals who were bankrupt will have the highest form of protection involving most, if not all, of the 13 measures.

They will supplement current practices including Internet Surfing Separation, rolled out in 2016, and the blocking of unauthorised devices from accessing USB ports, implemented in 2017.