Data protection compliance review urged

Out-Law News | 29 Nov 2019 | 9:41 am | 2 min. read

Organisations have been urged to commission a review of their compliance with data protection laws after a number of recommendations were outlined in Singapore to improve data security in the public sector.

The compliance review was advocated by technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, after the government in Singapore confirmed it will implement new security measures across all of Singapore's public sector systems by the end of 2023 in a bid to better protect data.

The government confirmed the plans as it announced it would accept the recommendations made by a committee it set up earlier this year to review data security in the country's public sector.

The recommendations include technical measures such as enhanced encryption requirements for files, automated detection of sensitive data content within emails, and stricter access controls. They also include process changes to ensure public sector bodies are able to respond swiftly and effectively to data incidents if and when they occur, and further changes aimed at improving the culture and accountability around data use and sharing within the sector.

One specific measure that has been recommended is to bring third party suppliers to the public sector in Singapore within the scope of the country's Personal Data Protection Act (PDPA) for the first time, according to the Business Times. Under the planned reforms, which are anticipated to be announced formally next year, the suppliers would face fines of up to SIN$1 million ($732,000) where they misuse personal data, the report said.

Tan said: "The measures are wide-ranging and would entail the government and its agencies ramping up their capability and capacity to better handle cybersecurity. This is likely to put a further squeeze on the already tight market for cybersecurity specialists."

"To address the forthcoming change to the data protection regime, third party government agency suppliers should begin to check their contracts and their processes to make sure they are compliant with the PDPA. A review of their cyber insurance positions would also be recommended," he said.

Singapore's government confirmed its intention to implement the bulk of the committee's recommendations over the next two years.

"Three of the technical measures recommended have already been implemented in October this year," it said. "By end 2021, we will implement all the relevant recommended measures in 80% of government systems. By end 2023 we will implement them in the remaining 20% of government systems. These systems are the ones which are most complex or will require significant redesign. In the meantime, we will have processes and measures to cover the risks."

The committee, which brought together representatives from government and industry, said: "We are confident that our recommendations, when implemented, will significantly improve the government’s data security regime and enhance the public’s confidence in the government’s data security regime. The recommendations will also make it clear that requirements and standards imposed on the public agencies are no less stringent than what the private sector has to comply with."

Prime minister Lee Hsien Loong commissioned the review on 31 March this year following high-profile incidents of data breaches.

In January, the Personal Data Protection Commission (PDPC) served fines totalling SIN$1 million ($739,000) on the body behind the operation of several hospitals and other health institutions in Singapore, and on the city-state's central national IT agency for the public healthcare sector, over data security failings that enabled a hacker to access the personal data of nearly 1.5m people.

Later that month, the Ministry of Health (MoH) confirmed that thousands of people diagnosed with HIV, as well as people linked to those individuals, had their details "illegally disclosed online" in a separate incident.

The committee said that, had the measures it has recommended for implementation been in place at the time of those incidents, they could have helped mitigate the impact of the incidents or even prevented them from happening at all.

As part of the review, the committee audited 336 systems across 94 public sector agencies. It also studied data security practices in the UK and Canada, as well as those within companies in the finance and security sectors. The committee also compared the data security obligations public sector organisations face under existing legislation and guidance in Singapore against those that organisations in the private sector face under the Personal Data Protection Act.