Fifth Update on the Government's Personal Data Protection Efforts
The Government has published key efforts undertaken to strengthen the public sector data security regime between 1 April 2023 and 31 March 2024 (i.e. FY2023). This is the fifth annual update. All 24 initiatives recommended by the Public Sector Data Security Review Committee (PSDSRC)[1] in 2019 have been implemented. (Please refer to Annex A for the full list of PSDSRC initiatives.)
No Serious Data Incidents over Last Four Years
There were 201 government data incidents reported in FY2023 as compared to 182 incidents reported in FY2022. The increase in the number of incidents is due to the higher volume of data usage as more government services are digitalised to provide convenience to citizens and businesses. In addition, improved awareness among public officers on the need to report incidents may have also contributed to the increase.
The vast majority of incidents were of low severity. This is the fourth consecutive year with no incidents assessed to be of high severity and above. Incidents of medium severity also decreased from 46 in FY2022 to 29 in FY2023. This is partly the result of progressive implementation of security processes and technical measures and increased public sector awareness on data security.
Government’s Initiatives to Strengthen Data Security in FY2023
The Government has progressively put in place various measures since 2019 to enhance the public sector data security regime. The following are key highlights of government initiatives introduced in FY2023.
Central Privacy Toolkit (Cloak) Expanded to Include New Features
Cloak allows public officers to apply privacy-enhancing technologies to datasets while preserving the data’s value for sharing and use, thus mitigating the risk of data leaks. Since its launch in March 2023, the toolkit has expanded its offerings and has been used by 1,400 public officers from 90 agencies. For instance, its free-text anonymisation feature has anonymised 20 million documents and served more than 20 generative AI use cases in government.
Deployment of Automation Tools to Prevent Data Compromises
As of end-March 2024, all eligible systems in the government used the Central Accounts Management (CAM) tool to automatically remove user accounts that were no longer needed. This has mitigated the risk of unauthorised access by officers who have left their roles and the exploitation of dormant accounts by malicious actors.
Enhancements have also been made to the Government’s Data Loss Protection (DLP) tool, which mitigates the accidental loss of classified and/or sensitive data from government networks, systems, and devices. For instance, since September 2023, email recipients can no longer see the email addresses of other external recipients if there are more than 30 recipients.
Enhancing Competencies in Public Service
The Government recognises that it is not possible to eliminate data incidents entirely and remains committed to responding swiftly to data incidents. From August to September 2023, the Government conducted the annual central ICT and Data Incident Management exercise involving 31 agencies across four Ministry Families. This enhanced the Government’s ability to provide a coordinated and efficient response when required.
Enhancing public officers’ instincts and instilling a culture of excellence in using data securely is an ongoing effort. In FY2023, the Government introduced gamified events to help public officers learn about data protection in an engaging way. In February 2024, the mandatory Data Security e-learning module was also refreshed to include content related to new technologies and prevalent trends, such as Large Language Models (LLMs) and phishing scams.
Implementation of All 24 Recommended PSDSRC Initiatives
All 24 PSDSRC initiatives have been implemented. The Government remains committed to ensuring a robust data security regime. We will continue to review the effectiveness of our existing measures regularly, introducing enhancements or new measures when necessary. New initiatives aimed at strengthening the Government’s data security will be shared on the Ministry of Digital Development and Information (MDDI) website.
The full FY2023 report can be found at go.gov.sg/public-sector-data-security-review.
[1] The Public Sector Data Security Review Committee (PSDSRC) made five key recommendations in 2019 to improve the Government’s data security regime. The Government accepted the Committee’s recommendations in full and committed to implementing them in phases from FY2020 to FY2023.
Annex A: Implementation Progress of the PSDSRC Initiatives
All 24 initiatives recommended by the PSDSRC have been implemented as of 31 March 2024.
No. | PSDSRC Initiatives | Timeline | Status as of 31 Mar 2024 |
---|---|---|---|
 | Key Recommendation 1: Enhance technology and processes to effectively protect data against security threats and prevent data compromises. | | |
1.1 | Reduce the surface area of attack by minimising data collection, data retention, data access and data downloads | By 31 Mar 2024 (By end FY2023) | Implemented |
1.2 | Enhance the logging and monitoring of data transactions to detect high-risk or suspicious activity | By 31 Mar 2023 | Implemented |
1.3 | Protect the data directly when it is stored and distributed to render the data unusable even if extracted | By 31 Mar 2024 (By end FY2023) | Implemented |
1.4 | Develop and maintain expertise in advanced technical measures | Continual effort beyond FY2023 | Implemented |
1.5 | Enhance the data security audit framework to detect gaps in practices and policies before they manifest into incidents | By 30 Apr 2020 | Implemented |
1.6 | Enhance the third-party management framework to ensure that third parties handle Government data with the appropriate protection | By 30 Apr 2020 | Implemented |
 | Key Recommendation 2: Strengthen processes to detect and respond to data incidents swiftly and effectively. | | |
2.1 | Establish a central contact point in the Government Data Office for the public to report Government data incidents | By 30 Apr 2020 | Implemented |
2.2 | Designate the Government Data Office to monitor and analyse data incidents that pose significant harm to individuals | By 30 Apr 2020 | Implemented |
2.3 | Designate the Government IT Incident Management Committee as the central body to respond to incidents with Severe impact | By 30 Apr 2020 | Implemented |
2.4 | Institute a framework for all public agencies to promptly notify individuals affected by data incidents with significant impact to the individual | By 30 Apr 2020 | Implemented |
2.5 | Establish a standard process for post-incident inquiry for all data incidents | By 30 Apr 2020 | Implemented |
2.6 | Distil and share learning points with all agencies to improve their data protection policies/measures and response to incidents | By 30 Apr 2020 | Implemented |
 | Key Recommendation 3: Improve culture of excellence around sharing and using data securely and raise public officers’ competencies in safeguarding data. | | |
3.1 | Clarify and specify the roles and responsibilities of key groups of public officers involved in the management of data security | By 30 Apr 2020 | Implemented |
3.2 | Equip these key groups with the requisite competencies and capabilities to perform their roles effectively. | Continual effort beyond FY2023 | Implemented |
3.3 | Inculcate a culture of excellence around sharing and using data securely | Continual effort beyond FY2023 | Implemented |
 | Key Recommendation 4: Enhance frameworks and processes to improve accountability and transparency of the public sector data security regime | | |
4.1 | Institute organisational Key Performance Indicators (KPIs) for data security | By 30 Apr 2020 | Implemented |
4.2 | Mandate that the top leadership be accountable for putting in place a strong organisational data security regime | By 30 Apr 2020 | Implemented |
4.3 | Make the impact and consequences of data security breaches salient to public officers | By 30 Apr 2020 | Implemented |
4.4 | Ensure accountability of third parties handling Government data by amending the PDPA | By 31 Oct 2020 | Implemented |
4.5 | Publish the Government’s policies and standards on personal data protection | By 31 Oct 2020 | Implemented |
4.6 | Publish an annual update on the Government’s personal data protection efforts | By 31 Oct 2020 | Implemented |
 | Key Recommendation 5: Introduce and strengthen organisational and governance structures to drive a resilient public sector data security regime that can meet future needs | | |
5.1 | Appoint the Digital Government Executive Committee to oversee public sector data security | By 31 Oct 2020 | Implemented |
5.2 | Set up a Government Data Security Unit to drive data security efforts across the Government | By 31 Oct 2020 | Implemented |
5.3 | Deepen the Government’s expertise in data privacy protection technologies through GovTech’s Capability Centres | By 31 Oct 2020 | Implemented |