MCI - Ministry of Communication and Information of the Republic of Singapore

07/30/2024 | Press release | Distributed by Public on 07/29/2024 19:51

Fifth Update on the Government's Personal Data Protection Efforts

The Government has published key efforts undertaken to strengthen the public sector data security regime between 1 April 2023 and 31 March 2024 (i.e. FY2023). This is the fifth annual update. All 24 initiatives recommended by the Public Sector Data Security Review Committee (PSDSRC) [1] in 2019 have been implemented. (Please refer to Annex A for the full list of PSDSRC initiatives.)

No Serious Data Incidents over Last Four Years

There were 201 government data incidents reported in FY2023 as compared to 182 incidents reported in FY2022. The increase in the number of incidents is due to the higher volume of data usage as more government services are digitalised to provide convenience to citizens and businesses. In addition, improved awareness among public officers on the need to report incidents may have also contributed to the increase.

The vast majority of incidents were of low severity. This is the fourth consecutive year with no incidents assessed to be of high severity and above. Incidents of medium severity also decreased from 46 in FY2022 to 29 in FY2023. This is partly the result of progressive implementation of security processes and technical measures and increased public sector awareness on data security.

Government's Initiatives to Strengthen Data Security in FY2023

The Government has progressively put in place various measures since 2019 to enhance the public sector data security regime. The following are key highlights of government initiatives introduced in FY2023.

Central Privacy Toolkit (Cloak) Expanded to Include New Features

Cloak allows public officers to apply privacy-enhancing technologies to datasets while preserving the data's value for sharing and use, thus mitigating the risk of data leaks. Since its launch in March 2023, the toolkit has expanded its offerings and has been used by 1,400 public officers from 90 agencies. For instance, its free-text anonymisation feature has anonymised 20 million documents and served more than 20 generative AI use cases in government.

Deployment of Automation Tools to Prevent Data Compromises

As of end-March 2024, all eligible systems in the government used the Central Accounts Management (CAM) tool to automatically remove user accounts that were no longer needed. This has mitigated the risk of unauthorised access by officers who have left their roles and the exploitation of dormant accounts by malicious actors.

Enhancements have also been made to the Government's Data Loss Protection (DLP) tool, which mitigates the accidental loss of classified and/or sensitive data from government networks, systems, and devices. For instance, since September 2023, email recipients can no longer see the email addresses of other external recipients if there are more than 30 recipients.

Enhancing Competencies in Public Service

The Government recognises that it is not possible to eliminate data incidents entirely and remains committed to responding swiftly to data incidents. From August to September 2023, the Government conducted the annual central ICT and Data Incident Management exercise involving 31 agencies across four Ministry Families. This enhanced the Government's ability to provide a coordinated and efficient response when required.

Enhancing public officers' instincts and instilling a culture of excellence in using data securely is an ongoing effort. In FY2023, the Government introduced gamified events to help public officers learn about data protection in an engaging way. In February 2024, the mandatory Data Security e-learning module was also refreshed to include content related to new technologies and prevalent trends, such as Large Language Models (LLMs) and phishing scams.

Implementation of All 24 Recommended PSDSRC Initiatives

All 24 PSDSRC initiatives have been implemented. The Government remains committed to ensuring a robust data security regime. We will continue to review the effectiveness of our existing measures regularly, introducing enhancements or new measures when necessary. New initiatives aimed at strengthening the Government's data security will be shared on the Ministry of Digital Development and Information (MDDI) website.

The full FY2023 report can be found at go.gov.sg/public-sector-data-security-review.

[1] The Public Sector Data Security Review Committee (PSDSRC) made five key recommendations in 2019 to improve the Government's data security regime. The Government accepted the Committee's recommendations in full and committed to implementing them in phases from FY2020 to FY2023.

Annex A: Implementation Progress of the PSDSRC Initiatives

All 24 initiatives recommended by the PSDSRC have been implemented as of 31 March 2024.

| No. | PSDSRC Initiatives | Timeline | Status as of 31 Mar 2024 |
|---|---|---|---|
| | Key Recommendation 1: Enhance technology and processes to effectively protect data against security threats and prevent data compromises. | | |
| 1.1 | Reduce the surface area of attack by minimising data collection, data retention, data access and data downloads | By 31 Mar 2024 (By end FY2023) | Implemented |
| 1.2 | Enhance the logging and monitoring of data transactions to detect high-risk or suspicious activity | By 31 Mar 2023 | Implemented |
| 1.3 | Protect the data directly when it is stored and distributed to render the data unusable even if extracted | By 31 Mar 2024 (By end FY2023) | Implemented |
| 1.4 | Develop and maintain expertise in advanced technical measures | Continual effort beyond FY2023 | Implemented |
| 1.5 | Enhance the data security audit framework to detect gaps in practices and policies before they manifest into incidents | By 30 Apr 2020 | Implemented |
| 1.6 | Enhance the third-party management framework to ensure that third parties handle Government data with the appropriate protection | By 30 Apr 2020 | Implemented |
| | Key Recommendation 2: Strengthen processes to detect and respond to data incidents swiftly and effectively. | | |
| 2.1 | Establish a central contact point in the Government Data Office for the public to report Government data incidents | By 30 Apr 2020 | Implemented |
| 2.2 | Designate the Government Data Office to monitor and analyse data incidents that pose significant harm to individuals | By 30 Apr 2020 | Implemented |
| 2.3 | Designate the Government IT Incident Management Committee as the central body to respond to incidents with Severe impact | By 30 Apr 2020 | Implemented |
| 2.4 | Institute a framework for all public agencies to promptly notify individuals affected by data incidents with significant impact to the individual | By 30 Apr 2020 | Implemented |
| 2.5 | Establish a standard process for post-incident inquiry for all data incidents | By 30 Apr 2020 | Implemented |
| 2.6 | Distil and share learning points with all agencies to improve their data protection policies/measures and response to incidents | By 30 Apr 2020 | Implemented |
| | Key Recommendation 3: Improve culture of excellence around sharing and using data securely and raise public officers' competencies in safeguarding data. | | |
| 3.1 | Clarify and specify the roles and responsibilities of key groups of public officers involved in the management of data security | By 30 Apr 2020 | Implemented |
| 3.2 | Equip these key groups with the requisite competencies and capabilities to perform their roles effectively | Continual effort beyond FY2023 | Implemented |
| 3.3 | Inculcate a culture of excellence around sharing and using data securely | Continual effort beyond FY2023 | Implemented |
| | Key Recommendation 4: Enhance frameworks and processes to improve accountability and transparency of the public sector data security regime | | |
| 4.1 | Institute organisational Key Performance Indicators (KPIs) for data security | By 30 Apr 2020 | Implemented |
| 4.2 | Mandate that the top leadership be accountable for putting in place a strong organisational data security regime | By 30 Apr 2020 | Implemented |
| 4.3 | Make the impact and consequences of data security breaches salient to public officers | By 30 Apr 2020 | Implemented |
| 4.4 | Ensure accountability of third parties handling Government data by amending the PDPA | By 31 Oct 2020 | Implemented |
| 4.5 | Publish the Government's policies and standards on personal data protection | By 31 Oct 2020 | Implemented |
| 4.6 | Publish an annual update on the Government's personal data protection efforts | By 31 Oct 2020 | Implemented |
| | Key Recommendation 5: Introduce and strengthen organisational and governance structures to drive a resilient public sector data security regime that can meet future needs | | |
| 5.1 | Appoint the Digital Government Executive Committee to oversee public sector data security | By 31 Oct 2020 | Implemented |
| 5.2 | Set up a Government Data Security Unit to drive data security efforts across the Government | By 31 Oct 2020 | Implemented |
| 5.3 | Deepen the Government's expertise in data privacy protection technologies through GovTech's Capability Centres | By 31 Oct 2020 | Implemented |