With the high-profile data breaches that have occurred in Singapore this year, you might expect citizens to be more aware of the risks involved in this digital age.
Yet, if you asked anyone here if they knew which government agency they had shared their data with, or what was done to protect that data, they would probably be stumped.
Just two days ago, news came of yet another possible data leak. This time, malware installed on the computers of a vendor of the Ministry of Defence and the Singapore Armed Forces might have caused the personal details of 2,400 personnel to be leaked.
Yet, what can citizens do in this case? There is little recourse for them, even though they probably had no choice but to submit the personal details, such as IC numbers and contact details, as part of their jobs.
Alright, perhaps the vendor might face fines, since it is part of the private sector and subject to a set of clearly defined data protection regulations. However, the victims probably submitted their data not to these private entities but to the government agencies that engaged them.
What happens when a data breach occurs at a government agency, either directly or through a contractor? Well, to many citizens, the answers aren’t always clear.
Consider a letter that the Singapore authorities recently sent to The Straits Times to clarify an earlier article on the topic.
In it, the director of the Government Data Office seeks to dispel the notion that there are double standards when it comes to the way the government handles citizen data.
Quek Su Lynn, the director, says that public officers are not given lower penalties for failing to meet data protection obligations than counterparts in the private sector, because the private sector rules don’t spell out these penalties for individuals.
But what about organisations? Clearly, private companies, from sushi joints to tuition agencies, have been penalised dearly for losing data.
Government agencies do not get fined, presumably because it’s somewhat illogical for one agency to fine another – the money goes nowhere.
What then can be done? The wide-ranging list of data security recommendations accepted by the government last month does make the top management of these agencies accountable for good data security practices.
What’s needed are more details. When something goes wrong, with whom does the buck stop? The manager of the IT system? The chief executive of a statutory board? The minister?
On the topic of data protection, the letter to The Straits Times states that there are no two standards across the public and private sectors.
What are these standards for the public sector, you wonder. Unfortunately, the director doesn’t say in the letter. Are citizens to take their cue from what is spelt out for the private sector, then?
The director also goes on to explain that there is a different set of rules for data management – not protection – because agencies use data as one government to better serve citizens.
That’s fair enough. Many of the smart nation advancements of late, say, not having to submit the same data separately to several agencies when buying a house, depend on these agencies being able to share that data.
Yes, sharing means more systems hold a copy of the data, which increases exposure and could in theory increase the risk of a breach too, but the convenience that comes with the sharing will clearly improve the digital experience.
That’s the kind of conversation we should be having more of. This understanding of the shared risks in the digital age is clearly something still lacking, even as digital services have become a way of life here.
Even with the best intentions, the government cannot simply say “trust us” when dealing with citizen data. Trust has to be earned.
The government has to be clearer in explaining how it manages and protects this data, as well as spelling out the penalties involved with those failing to do so.
Just as important is being seen to be independent. Just as the data security review was carried out with input from international and private sector experts, any review of a government data breach and how it was handled should involve non-government experts with no vested interests.
This may seem onerous at first, but ultimately, the added effort shows the care that the government will take with citizens’ data.
There may be instances where national security is at stake, so it may not be possible for details of a data breach to be divulged publicly, but these instances have to be narrowly defined.
Certainly, there should be no reason to hold back information with a case like the HIV database leak earlier this year, which deeply affected an already vulnerable group in society.
If, as the government says, data is the lifeblood of a digital economy and government, then there should be more efforts to better explain what goes on with a citizen’s data once it’s in the system.
Compare this to, say, Google. Sure, you give up a lot of information to use its maps and e-mail too, but there’s also an easy-to-access dashboard for you to check what data you have shared and to delete it.
This is giving back control to the owners of the data. But before that, they need to be aware of the shared risks of the digital age whenever they log on.
Here is where the Singapore government should take the first steps to raise awareness among citizens. After all, unlike Google, you can’t say no to sharing your data with the government.