Government's Personal Data Protection Laws And Policies
The Government has put in place strong personal data protection laws and policies to safeguard sensitive data.
Data Management in the Public Sector
Data management in the public sector is governed by the Public Sector (Governance) Act (“PSGA”) and the Government Instruction Manual on Infocomm Technology & Smart Systems Management (“IM on ICT&SS Management”). The Personal Data Protection Act (“PDPA”) applies to the private sector. Two different legal frameworks governing data management in the public and private sectors are needed because the public has different expectations of the services provided by the Government and the private sector. The Government is expected to deliver services in an integrated manner across agencies. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similarly integrated delivery of services across different private sector organisations.
Since 2001, the Government’s data security policies have been set out in the IM on ICT&SS Management. The IM on ICT&SS Management sets out how the Government manages and protects data (including personal data) in its possession or control. In 2018, the PSGA was enacted to further strengthen public sector data governance. The PSGA imposes criminal penalties on public officers who (a) knowingly or recklessly disclose data without authorisation; (b) misuse data that results in personal gain for the public officer or another person, or harm or loss to another person; and (c) knowingly or recklessly re-identify anonymised information without authorisation.
Find out more about the Government’s key data security policies and key personal data protection policies in the documents below:
Public Sector Data Security Review
In 2019, the Public Sector Data Security Review Committee (PSDSRC) recommended additional technical and process measures to protect data and prevent data compromise. It made five key recommendations to strengthen the Government’s data security regime.
In the 2020 Budget, the Government announced an investment of $1 billion over three years to enhance cybersecurity and data security in the public sector. It will also continually and proactively enhance its initiatives to ensure that its data security regime is resilient and able to respond to and address emerging threats and risks.
Find out more about the Public Sector Data Security Review through the links below:
Find out more about the annual updates on the Government’s personal data protection initiatives through the following documents:
Data Management by Third Parties of Public Agencies
The Government recognises that Agencies work extensively with Third Parties to deliver services to citizens, carry out operational functions, and plan and analyse policies. When doing so, these Third Parties may handle large volumes of data from the Government. Hence, the high standards of data protection that the Government places on itself must also extend to these Third Parties.
With this in mind, the Government has introduced policies to guide Agencies in ensuring that Third Parties adequately safeguard data. These policies are organised based on the lifecycle of the relationship between the Agency and the Third Party, namely: Evaluation and Selection, Contracting and On-boarding, Service Management, and Transition Out (as shown in the diagram below). When working with Third Parties, Agencies will define the data security requirements that each Third Party has to comply with based on the Government’s data security policies.
A Third Party is defined as a party (other than a data subject or an Agency) which:
- delivers, develops, implements, operates, provides or otherwise supplies ICT systems or services to an Agency, or
- collects, stores or otherwise processes data for an Agency.
(Data subject refers to the individual or entity to which the data relates. Agency refers to Organs of State, Ministries, Departments and Statutory Boards.)
Find out more about the key policies that govern how Agencies work with their Third Parties to safeguard data in the document below: