The Recommendations of Public Sector Data Security Review Committee - A Data Protection Perspective
Updated: Jan 24, 2020
by Andrew Leong Wai Chong, Head DPEX Centre & Market Research
In the wake of major breaches, the Public Sector Data Security Review Committee was convened in March 2019 to examine how the Singapore public sector handles citizen data. The high-powered committee, chaired by Deputy Prime Minister Teo Chee Hean and consisting of three other cabinet ministers and several prominent industry leaders, submitted its recommendations to the Prime Minister of Singapore on 27 November 2019. Unlike many other government committees of enquiry, its terms of reference clearly direct it to be pre-emptive rather than to find fault (i.e. to minimise the risk of future incidents in the operational processes of data protection):
Review how the Government is securing and protecting citizens’ data end-to end, including the role of vendors and other authorised non-Government Entities;
Recommend technical measures, processes and capabilities to improve the Government’s protection of citizens’ data, and response to incidents; and
Develop an action plan of immediate steps and longer-term measures to implement the recommendations.
It is almost a lesson lifted, with the benefit of hindsight, from Data Protection by Design and the requirements behind a data protection management programme (DPMP). Based on learnings from mistakes made, risks and common causes of data breaches in some 336 systems in 94 agencies, the report reviewed policies and benchmarked them against the requirements for sector organisations. It also evaluated whether the proposed recommendations would have prevented, or significantly mitigated the impact of, the public sector data incidents in 2018-19. The key conclusions include data protection design principles such as requiring organisations to be proactive rather than reactive, as well as the need to ensure that measures incorporate end-to-end data protection.
The desired outcomes listed for (public sector) organisations parallel what data protection practitioners find familiar in a data protection management programme (DPMP):
Enhance technology and processes to effectively protect data against security threats and prevent data compromises.
Strengthen processes to detect and respond to data incidents swiftly and effectively.
Improve culture of excellence around sharing and using data securely, and raise public officers’ competencies in safeguarding data.
Enhance frameworks and processes to improve the accountability and transparency of the public sector data security regime.
Introduce and strengthen organisational and governance structures to drive a resilient public sector data security regime that can meet future needs.
No DPMP is 100% watertight or “one size fits all”. Yet that should not deter the resolve to be responsible and accountable for the personal data of the people (both internal and external customers) who entrust their data to the organisation:
“As the custodian of a vast amount of data, the Government takes this responsibility very seriously. We must do our utmost to minimise the risk of data breaches. At the same time, when such breaches do occur, as unfortunately they occasionally will, it is essential that we detect them quickly, and respond effectively to limit the breach and minimise the harm done.”
- Lee Hsien Loong, Prime Minister of Singapore
in accepting the report from Public Sector Data Security Review Committee
Clearly, data protection needs to cover management and operational processes, organisational culture, training and competency development, and response readiness, beyond the technical focus of cyber security. The above-listed recommendations made in the Public Sector Data Security Review Committee Report can generally be served by the privacy operations life-cycle of G-APSR (Governance, Assess, Protect, Sustain and Respond), which all certified data protection practitioners carry out:
Governance: Create an appropriate governance structure with management buy-in
Once an organisation makes a resolute decision to protect the personal data under its care, it has to commit resources and people to the effort. With management buy-in, there should be an appointed data protection officer supported by a governance committee, assessing, protecting, sustaining and responding to any identified gaps through a DPMP.
With oversight of its known risks, the organisation makes informed decisions about the required practical outcomes and the reasonableness of the resources committed to them. This is, in effect, how to “Introduce and strengthen organisational and governance structures to drive a resilient data security regime that can meet future needs”.
The goal is also to demonstrate accountability. Under the PDPA, this means undertaking and demonstrating ownership of and responsibility for the personal data in the organisation’s control. A systematic framework for this undertaking produces strong evidence of such accountability. It includes oversight of the organisation’s personal data repositories, data flows and identified risks. Finally, the structure is only as strong as the commitment of its people: governance starts at the management level, with staff at all levels involved.
Assess: Identify vulnerabilities and assess the risks across the entire organisation’s operations wherever data is collected, used, stored/disposed of and disclosed/transferred; this is a key component of a DPMP. These risks should be prioritised according to impact and likelihood. Only then can the organisation effectively “Strengthen processes to detect and respond to data incidents swiftly and effectively.” It is important that the organisation takes a practical approach to identifying risks against guidelines, such as conducting a data protection impact assessment (DPIA). Otherwise, any compliance with data protection guidelines is merely a paper check-off exercise.
As such, a risk-based approach goes beyond data security; it is clearly not just a matter of implementing security solutions and fix-it patches within “systems”. Vulnerabilities need to be addressed holistically in data protection, covering “people” and “processes” as well.
Protect: The logical next step is for the organisation to develop and implement a data protection management programme that addresses all identified risks and aligns with the data protection governance structure. This goes beyond policies and must include SOPs (standard operating procedures) that cover administrative, physical and technical controls. In fact, all risks should be documented and addressed in a risk register, prioritised according to probability and impact. In addition, data protection by design should be incorporated in all key processes, projects and products as part of the measures. Only then can the organisation effectively carry out the recommendation to “Enhance technology and processes to effectively protect data against security threats and prevent data compromises”.
Sustain the Data Protection Management Programme: The organisation must not stop at a one-off effort to enhance its data protection system. To “Improve culture of excellence around sharing and using data securely, and raise (public) officers’ competencies in safeguarding data”, the organisation has to continually keep up with the latest developments in data protection: from changes in legislation and guidelines, to technologies, to possible gaps arising from changes in operational processes. Hence the organisation has to continually:
Conduct relevant training for all levels – Management, Managers and Staff, from on-boarding to continual awareness
Have constant reminders to maintain vigilance
Monitor and keep abreast of the latest developments externally and changes internally
Audit policies and standard operation procedures (SOPs)
Respond to any data protection incident
The Report calls for public organisations to “Strengthen processes to detect and respond to data incidents swiftly and effectively.” This means drafting and reviewing an Incident Response Plan, complete with table-top exercises, to handle any data incidents or breaches. Again, these need to be aligned with the risks identified in the risk register.
The recommendations in the Public Sector Data Security Review Committee Report can be served by the principles of the G-APSR framework to mitigate the risks or prevent data incidents. In changing organisational culture and behaviour, the responsibility rests with the whole organisation and not just one person or department. However, the Data Protection Officer (DPO) has a key role in helping the organisation lead and manage a data protection management programme, including facilitation and co-ordination. This expertise is backed by knowledge, skills and best practices gleaned from experts, from the experience of other organisations and from experience gained over time. In Singapore (and selected countries in the ASEAN region), such a framework can be learnt from the DPEX (Data Protection Excellence) Centre, which organises courses and seminars on data protection. The centre presents best practices from introductory to advanced levels and international practices (IAPP), and, more importantly, DPEX is a platform for data protection professionals to network and exchange ideas and practices.