FAQs on Reporting Data Incidents
Got a question or need more help on reporting a government data incident? Check out our FAQs below.
- What is government data?
- What is a government data incident?
- I think I have detected a government data incident. What should I do?
- I need help with reporting a government data incident.
- How soon should I report a government data incident after I have detected it?
- What should I do if I am unsure whether an incident constitutes a government data incident?
- Do I need to submit evidence when reporting a government data incident?
- What should I do if I am unsure of which agency is affected by the incident?
- I have reported a government data incident. What should I do next?
- What should I do with the evidence after submitting it with the report?
- Will I need to provide a police statement after reporting a government data incident?
- Will I receive any follow-up reply after reporting a government data incident?
- What is the difference between this government data incident reporting platform and the reporting platform by the Personal Data Protection Commission (PDPC)?
- Can I report an incident that involves other types of data?
- Where can I report a cybersecurity incident?
Q1. What is government data?
“Government data” refers to data that is in the possession or custody of the Government. Such data is important for the Government to discharge its functions, and could be collected and used by public agencies, or collected and used by their contracted third-party vendors. It includes:
- Personal data (e.g. income data for the purposes of calculating income tax)
- Business data (e.g. financial statements), and
- Classified data (e.g. policy documents).
Q2. What is a government data incident?
A “government data incident” happens when there is a compromise of government data. This includes unauthorised access to, collection of, use of, disclosure of, copying of, modification to, or disposal of, the government data.
Some examples of a government data incident are:
- The sending of data via email to unintended recipients
- The unintentional disclosure of data on a website due to a system error, and
- The unauthorised movement (including copying, transfer and retrieval) of data by a hacker.
Q3. What should I do when I have detected a government data incident?
You should act responsibly and promptly report any suspected data incidents to safeguard data from unauthorised use or loss. Please be mindful to conduct yourself in accordance with applicable laws and regulations, and do not make a false report.
When making a report, please provide as many details as possible, for example when and where the incident occurred, how you detected the incident, and the steps you took after you detected it. These details would help us in our investigation, and allow us to swiftly respond to the data incident and take the necessary remedial steps.
Q4. How do I report a government data incident?
There are three ways in which you can report a government data incident:
- Complete the ‘Government Data Incident Reporting Form’ located on the Ministry of Digital Development and Information (MDDI) website
- Email Report_Data_Incident@tech.gov.sg with details of the suspected data incident
- Call the Government Data Security Contact Centre hotline at +65 63830117.
Operating Hours for Hotline:
8.30am – 6.00pm SGT (Mondays to Thursdays)
8.30am – 5.30pm SGT (Fridays)
Closed on Weekends and Public Holidays
Q5. How soon should I report a government data incident after I have detected it?
You should report any detected incident as soon as practically possible. This would allow us to promptly take action to prevent any further compromise to the data.
Q6. What should I do if I am unsure whether an incident constitutes a government data incident?
As long as you suspect there is a government data incident, you should call the Government Data Security Contact Centre hotline for advice and clarifications.
Q7. Do I need to submit evidence when reporting a government data incident?
The submission of evidence will be useful for the Ministry of Digital Development and Information (MDDI) to investigate the data incident. For example, details of the affected system and screenshots of the system error will allow us to quickly identify the affected agency and pinpoint the error that requires fixing to prevent any further compromise to the data.
If your supporting document is in hardcopy, you may take a photo of it and attach it when submitting the incident reporting form.
Q8. What should I do if I am unsure of which agency is affected by the incident?
You should still report the incident, and MDDI will carry out the investigations to identify the affected agency. To help us identify the affected agency, please provide as many details as possible on the data incident.
Q9. What should I do after reporting a government data incident?
You should immediately dispose of all evidence and data appropriately after submitting them to MDDI. Thereafter, MDDI will carry out an investigation and no further action is required on your part.
Q10. What should I do with the evidence after submitting it with the report?
Upon submitting the evidence to MDDI, please immediately dispose of all evidence in an appropriate manner. These are some common disposal methods:
- For digital data that you have received unintentionally via email, please delete all copies of the email and any attachment that came with the email
- For any screenshots of a system error, please delete them after submission
- For hardcopy data that you received unintentionally via mail, MDDI will advise you on the appropriate way of disposal
If you are unsure about how to dispose of the evidence, please call us at +65 63830117.
Q11. Will I need to provide a police statement after reporting a government data incident?
No, you will not be required to provide a police statement after reporting a government data incident. However, MDDI may contact you via email or phone if we require any clarifications on the information you provided.
Q12. Will I receive any follow-up reply after reporting a government data incident?
Yes, you should receive an acknowledgement email within 1 working day of reporting a government data incident using the online form or via email. We will conduct our investigation and provide you with a status update within 15 working days of the receipt of your report.
Q13. What is the difference between this government data reporting platform and the reporting platform by the Personal Data Protection Commission (PDPC)?
This government data incident reporting platform is meant for the reporting of data incidents which involve government data or Government agencies. PDPC’s reporting platform is meant for the reporting of data incidents which involve non-government entities.
Q14. Can I report an incident that involves other types of data (e.g. classified data or business-related data)?
Yes, please report any incident that involves any type of data that is in the possession or control of the Government. Such data include:
- Personal data (e.g. income data for the purposes of calculating income tax)
- Business data (e.g. financial statements), and
- Classified data (e.g. policy documents).
Please refer to Q1 above for the detailed definition of “government data”.
Q15. Where can I report a cybersecurity incident?
A cybersecurity incident is different from a data security incident. Cybersecurity incidents refer to attacks on IT systems or websites that affect the confidentiality, integrity and availability of systems or websites. Data security incidents, or government data incidents, refer to the unauthorised access to, collection of, use of, disclosure of, copying of, modification to, or disposal of, government data.
You may report a cybersecurity incident under the Government Technology Agency’s Vulnerability Disclosure Programme (VDP). VDP encourages responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes that may affect Government internet-accessible applications.
Click on the link to find out more about the Vulnerability Disclosure Programme and report suspected vulnerabilities.