Reports of Government data incidents rise again, but with fewer severe incidents: SNDGO

SINGAPORE: A total of 108 data incidents were reported within Government in Financial Year (FY) 2020, up from 75 incidents in FY 2019, the Smart Nation and Digital Government Office (SNDGO) said on Tuesday (Jul 27).

None of the incidents in FY 2020 was assessed to be of "high" severity, compared to five "high" severity incidents in the previous financial year. 

SNDGO said the incidents were primarily caused by human error.

With work-from-home arrangements and more discussions taking place via emails and digitally, there were more incidents of officers sending information to the wrong email address, it said in a press release.

Some public officers also forgot to include external recipients in large mailing lists in the “bcc” instead of the “to” field to protect the privacy of recipients, while others forwarded information or documents to their private email accounts to work at home on their personal device.

"The officers found responsible for these data incidents had been counselled. Where required, officers have also been duly disciplined, with punitive measures ranging from formal reprimands to financial penalties," SNDGO said.

READ: Increase in number of data incidents reported within Government, majority due to human error: SNDGO

Nevertheless, SNDGO said the increase in data incidents reported correlates with trends seen in the private sector and globally, with a growing exchange and usage of data.

"The increase also reflects increased awareness and improved understanding among public officers to report all data incidents, regardless of scale or impact," it added.

SNDGO said the incidents were addressed within 48 hours, highlighting that technical and process measures implemented were effective in mitigating the impact of potential data compromises.

For example, the process measure of protecting files with passwords and sending the passwords via a separate channel prevented at least one data incident in FY2020 from escalating further, SNDGO said.

"In one incident, an email with files containing sensitive personal data was mistakenly sent to employees of a government agency who were not authorised to receive the files," it added.

"Fortunately, the files were password protected and the public officer who sent the erroneous email realised his mistake when preparing to send the password through a separate channel. Email recipients were unable to open the files without the password and no data was disclosed."

READ: Government agencies have fixed 80% of high-risk data security issues found in review: SNDGG

The figures on the data incidents are part of the second update on the Government’s personal data protection efforts.

The annual update is a key recommendation made by the Public Sector Data Security Review Committee in November 2019 to improve transparency on how the Government uses and secures citizen data.

The committee, which inspected 336 systems across 94 public sector agencies then, found that about three-quarters of agencies had at least one finding of non-compliance with a government manual on data policies and standards.

The committee also recommended improving audit and third-party management frameworks, enhancing processes to respond to data incidents in a timely manner, and strengthening data security accountability at every level.

MORE DATA PROTECTION MEASURES IMPLEMENTED

SNDGO said on Tuesday that as of Mar 31, the Government had implemented 21 of the 24 initiatives arising from five key recommendations by the committee, including three initiatives implemented since October 2020.

These included setting up the Data Privacy Protection Capability Centre to deepen expertise in the field and implement advanced technical measures to protect data in government systems.

"The remaining three of the 24 initiatives are technical measures, which require significant re-architecting of technical systems and more time to develop," SNDGO said, adding that the Government is on track to complete these initiatives as planned by end-2023.

READ: Backup plans in place for government websites, says Smart Nation group in wake of global Internet outage

To ensure that the public service is well-prepared to respond to data incidents, SNDGO said the Government will conduct central information and communications technology (ICT) and data incident management exercises in a multiple-agency effort.

Four ministries have been selected to participate in an inaugural exercise to be held in September, SNDGO said.

On an individual level, the Government has conducted specialised data security workshops from July for key appointment holders as well as ICT and data teams.

In February, it refreshed the data security e-learning module to include new content on how to work from home securely, and how to safeguard data when using the new secure internet surfing technology implemented last year.

"It is not possible to eliminate data incidents altogether and we will need to respond swiftly when they occur," SNDGO stated.