MCI’s response to PQs on HSA data leak and public sector data breaches
Parliament sitting on 1 April 2019
QUESTION FOR ORAL ANSWER
*2747. Ms Sylvia Lim: To ask the Minister for Communications and Information regarding the recent data leak of more than 800,000 blood donors’ personal information from the database of HSA (a) what is the role of the Personal Data Protection Commission in investigating this incident; (b) whether any review is being done to ascertain whether HSA has acted reasonably in protecting the personal data including whether the contractual obligations between HSA and its IT vendor reasonably safeguarded the personal information entrusted to these parties.
*2734. Ms Irene Quay Siew Ching: To ask the Minister for Communications and Information in view of data breaches across public IT systems (a) whether it is justifiable for public agencies to be exempted from Personal Data Protection Act; (b) what recourse do citizens have, other than to complain to agencies or seek civil action; and (c) whether there should be a tangible penalty meted out to these public agencies for public accountability.
Answer:
Mr Speaker, with regard to the incident involving HSA, the Personal Data Protection Commission (PDPC) is investigating Secur Solutions Group Pte Ltd, which is a private company and vendor of IT services to HSA. If found to be in breach of the Personal Data Protection Act (PDPA), PDPC will take the appropriate enforcement actions against the company, such as issuing directions and imposing financial penalties.
The Senior Minister of State for Health has earlier outlined the review of HSA’s data security policies and practices that is being undertaken. As HSA is a Government agency, the Smart Nation and Digital Government Group is also conducting an investigation into the incident.
Ms Quay has asked if it is justifiable that public agencies are exempted from the PDPA. Implicit in the Member’s question is the presumption that public sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them. That is wrong and simply not the case. Public sector agencies are subject to a different piece of legislation and other regulations. In particular, public sector agencies have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, they have comparable if not higher standards of data protection compared to the PDPA, and similar investigations and enforcement actions are taken against data security breaches.
I have previously explained in Parliament why we have adopted this approach. To reiterate, the PDPA does not apply to public agencies because there are fundamental differences in how the public sector operates, which requires a different approach to personal data protection compared to the private sector. In order to enable a whole-of-government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations.
Citizens have the same recourse for a data breach in the public sector as with the PDPA. Where citizens suspect that their data has been mishandled by a private sector organisation, they can lodge a complaint with the PDPC; or with GovTech, if a public sector agency is involved. In practice, there are no wrong doors and the complaint will be directed to the relevant agencies for follow-up. Affected individuals can also seek mediation or take civil action against the organisation or agency which mishandled the data.
The Member has asked whether tangible penalties should be imposed on public agencies for public accountability. Public officers who flout the Government’s data security rules, and are found to have misused or disclosed data in an unauthorised manner, could be held criminally liable under the PSGA. The penalties include fines of up to $5,000 or a jail term of up to two years, or both. It is not meaningful to impose financial penalties on public sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse.
Mr Speaker, over the years, the Government has progressively enhanced security measures to safeguard sensitive data. The Government has also increased the number and types of internal IT audits, to check on agencies’ data access and data protection measures. Nevertheless, recent data-related incidents have underscored the urgency to strengthen data security policies and practices in the public sector.
Therefore, the Prime Minister has convened a Public Sector Data Security Review Committee to conduct a comprehensive review of data security practices across the entire Public Service. This includes measures and processes related to the collection and protection of citizens’ personal data by public sector agencies, as well as by vendors who handle personal data on behalf of the Government. While individual agencies are investigating and taking action on the specific incidents, this Committee will undertake a comprehensive review across the public sector, and incorporate industry and global best practices to strengthen data security.
This review will help to ensure that all public sector agencies maintain the highest standards of data governance. This is essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data. The work of this Committee will complement our efforts to achieve our Smart Nation vision. The Public Sector Data Security Review Committee will submit its findings and recommendations to the Prime Minister by 30 November 2019.