Singapore to establish Data Security Unit after hackings
Oleh Yun Xuan Poon
A review of public sector security has set out new policies required after multiple hacks by foreign actors.
The unit will oversee how agencies are using public sector data and will design new systems and strategies to keep it safe, the committee’s report said.
The government convened the Public Sector Data Security Review Committee on 31 March to review how the public sector secures citizen’s data. This came in the wake of a major SingHealth healthcare data breach last year, where 1.5 million patients’ data was leaked, and a further succession of breaches in the public service.
The committee recommended the new unit after an inspection of all 94 public sector agencies found that three out of four agencies were not keeping up with existing data security legislation in at least one area.
The report also called for more accountability and responsibility within agencies on how data is handled. It recommended that the government “mandate that the top leadership of all public sector organisations be accountable for putting in place a strong organisational data security regime”.
It recommended “developing a culture of open reporting of all types of data incidents” to ensure responses can be managed better. It also called for all civil servants to be trained on data security, and to make cultural changes within agencies on how data is used and shared. “It is imperative that public officers move from a compliance-based system to one that aims to achieve excellence,” it said.
The committee said that agencies should collect data only when necessary, and should not collect data that has already been collected by other agencies that have been identified as “single sources of truth”.
Government agencies must set a “retention period” of data when it is gathered, committing to delete data after that date. These limits are up to individual agencies to mandate.
It also called for a better data incident management system, where there is a standardised post-incident inquiry process carried out by a separate organisation. This is so the process of identifying the root of the data breach can be reliably investigated.
The enquiry publicised its report this week and the findings were accepted by Singapore Prime Minister, Lee Hsien Loong.