Strong data governance, protection framework in Singapore’s public sector

By Jimmy Kwang, Regional Vice President (Sales), Asia, Talend

While Singapore is known to be the more advanced nation in digitisation among countries in Asia Pacific, it has been said that its security hygiene still needs improvement. In the Cybersecurity Public Awareness (CSA) Survey 2019 released August 2020, about a quarter, or 28 per cent of respondents, had experienced at least one cyber incident in the past 12 months.

The nation’s strong vision for a digital economy remains in peril if its data infrastructure continues to be threatened. Protecting government, organisational and personal data is imperative. Primarily, public agencies need to pay attention to information practices and concepts that underlie data governance and protection frameworks. A strong data governance programme is a pivotal part of the landscape for data protection and privacy compliance.

Singapore’s data governance and compliance

In Singapore, the Personal Data Protection regulations come into effect in 2014. The act was created to aid in the governance of the collection, use, and disclosure of personal data by private organisations as well as to establish a Do Not Call Registry. The act, while providing governance, also recognises individuals’ rights to protect their personal data, and private organisations’ needs to collect, use, and disclose personal data for appropriate practices. It specifies some of the stiffest penalties for data protection offenses in the Asia-Pacific region, with fines of up to S$1 million.

Conversely, the public sector in Singapore adheres to different data regulatory frameworks:

Namely the 2018 Public Sector (Governance) Act (PSGA) and the 2011 Government Instruction Manual (IM) on IT Management. The separate frameworks for the private and public sectors provide for the differences in expectations for the latter — namely integrated services delivery across public agencies for citizens. The PSGA enables criminal penalties to be imposed on public officers who breach data protection regulations.

In addition to regulations, the government had taken steps to implement a set of architectural practices, known as the Government Data Architecture (GDA), based on a single common data governance framework within the public sector. GDA’s implementation of the data governance and protection framework for the public sector touches on information practices and concepts including collection limitation, data quality, security safeguards, and accountability. These principles and their corresponding implementation need to be addressed through a combination of technology, people, and processes in order to derive maximum organisational effectiveness.

The latest data governance policies and implementation guidelines come from the Public Sector Data Security Review Committee Report (PSDSRCR; 2019). Recommendations and details are set out following the committee’s review of government systems and data management practices, after a series of serious data breaches in 2018 and 2019. The government’s target is that by the end of 2021, these recommended measures should be implemented on 80% of government systems, whilst the remaining 20% should be implemented by the end of 2023.

The PSGA enables criminal penalties to be imposed on public officers who breach data protection regulations.

 The need for strong governance

While data governance plays a key role in enterprise data security, it also enables a critical role in ensuring the public sector’s data security. As such, public agencies require a data governance council that can determine how and where data may be shared to comply with privacy regulations.

Data governance enforces a policy guide across an enterprise for developing a strategy around cyber security and information risk management. Specifically, for emerging digital analytics programmes, organisations may have challenges dealing with external unstructured data sources, including data lakes. An appropriate tool can help manage data security across the entire data analytics stack.

Ultimately, for any data governance and protection framework to be successful, data owners and users must be held accountable for their actions. In the public sector in Singapore, the PSGA prescribes penalties for public officers who violate data security with fines of up to $5,000, and/or up to two years imprisonment and disciplinary actions. These punishments are applicable not just to public officers, but also to third-parties that provide services to public agencies.

Ultimately, for any data governance and protection framework to be successful, data owners and users must be held accountable for their actions.

Accountability thus requires having a data management platform that provides auditable evidence of negligent acts and intentional data breaches. Functionalities such as data lineage enable public agencies to monitor and trace users’ operations on the data over time. Data lineage lets organisations trace data across the landscape of applications and systems they use and track the sources and types of modifications performed on the data.

In conclusion, reasonable security safeguards must be available to protect personal data against risks such as loss and unauthorised access, destruction, use, modification, or disclosure. Public agencies are encouraged to minimise their own data management by leveraging the GDA as much as possible to reduce vulnerabilities.