MCI's response to PQ on public agencies' exemption from PDPA
Parliament Sitting on 12 February 2019
QUESTION FOR ORAL ANSWER
*12. Ms Sylvia Lim: To ask the Minister for Communications and Information given the gravity of data protection breaches in the public sector, whether the Personal Data Protection Act should be amended to remove the exemptions for public agencies.
Answer:
The Personal Data Protection Act (PDPA) came into force in 2012. With the gathering pace of digitalisation, we recognised the need to strengthen data protection in the private sector. The PDPA establishes a baseline standard for data protection in the private sector, balanced against its need to use personal data for reasonable purposes.
On its part, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector, and we continue to strengthen our data governance policies. Since 2001, the Government Instruction Manuals already include measures to govern the use, retention, sharing and security of personal data among public agencies. In 2018, the Public Sector (Governance) Act (PSGA) was introduced and it provided for additional safeguards for personal data in the public sector, including criminalising the misuse of data by public servants. The data protection standards in the PSGA are also aligned with the PDPA.
In addition, data collected by the public sector is also protected by specific legislation such as the Official Secrets Act, the Income Tax Act, the Infectious Diseases Act and the Statistics Act. Collectively, these laws impose a high standard of responsibility on all public agencies, with additional requirements for the protection of sensitive or confidential data. Also, regular, mandatory audits are conducted to ensure that public agencies comply with the standards for data protection and the security of ICT systems.
The PSGA allows personal data to be managed as a common resource within the public sector for better public policy making and more responsive public services. For example, when a Singaporean applies for financial assistance at a Social Service Office, the front-line officers are able to quickly evaluate his or her eligibility for financial assistance because they have access to data from other relevant agencies. In this way, we minimise the documents that need to be submitted by the applicant and improve the delivery of public services. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similar integrated delivery of services across different commercial organisations.
Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and private sectors. That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector. We will regularly review the PDPA, the PSGA and other legislation to ensure that they remain relevant and effective in safeguarding personal data in both the public and private sectors.