Singapore government to review data security in public sector

The Singapore government is reviewing its data security practices across all public sector agencies, as well as that of suppliers that handle personal data on its behalf.

In a statement on 31 March 2019, it said it has formed a committee chaired by deputy prime minister and coordinating minister for national security Teo Chee Hean, who is also the minister-in-charge of public sector data governance.

The committee, supported by an inter-agency taskforce comprising officers from various government agencies, will also consult international experts and industry professionals in both private and public sectors.

Following the review, it will recommend technical measures, processes and capabilities to improve the government’s protection of citizens’ data and its response to incidents.

The government’s move to review its data security practices comes amid several high-profile cyber attacks and data breaches that have hit the public sector over the past year.

In July 2018, it was revealed that the non-medical personal details of about 1.5 million patients who had visited SingHealth’s specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 had been illegally accessed and copied in a deliberate, targeted and well-planned cyber attack.

Data taken included names, identity card numbers, addresses and birth dates of patients. Information on the outpatient dispensed medicines of about 160,000 patients was also exfiltrated through an initial breach on a front-end workstation.

In early 2019, the health ministry revealed that the personal information of 14,200 people in Singapore with HIV was leaked online.

Faced with growing cyber threats, the government has progressively enhanced security measures in recent years to safeguard sensitive data. These included the internet surfing separation policy in 2016 and the disabling of USB ports from being accessed by unauthorised devices in 2017. 

The number and types of internal IT audits have also been increased to check on agencies’ data access and data protection measures. In 2018, the government also introduced measures to detect and respond more quickly to cyber threats that target critical government databases.

Notwithstanding these measures, the government acknowledged that recent data-related incidents have underlined the urgency to strengthen data security policies and practices in the public sector.

“While individual agencies are investigating and taking action on the specific incidents, this committee will undertake a comprehensive review and incorporate industry and global best practices to strengthen data security across the public sector,” it said, adding that the review is necessary to uphold public confidence and deliver high quality public services to citizens through the use of data.

The committee, comprising four ministers – including S. Iswaran and Vivian Balakrishnan – who are driving Singapore’s smart nation efforts, as well as private sector experts in data security and technology, will submit its findings and recommendations to the prime minister by 30 November 2019.