(Delivered on 4 Mar 2019)
Personal Data Protection Regime – Sylvia Lim
The Personal Data Protection Commission (PDPC) was set up in 2013, as the implementing agency for the PDP Act. According to the PDPC website, the number of enquiries and complaints received by the PDPC in the last four years ranged from between 2,200 to 3,300 annually. I have a few enquiries about this. First, were the major classes of complaints related to the Do Not Call Registry, or were they complaints about organisations not exercising reasonable care to protect personal data from unauthorised disclosure? Secondly, what is the resource and staffing level of the PDPC, to enable it to look into the kinds of cases it is facing? The Minister recently pointed out that in the Singhealth data breach, the PDPC leveraged on the findings of the Committee of Inquiry called by the government. If another major breach were to occur and a COI is not formed, does PDPC have the resources to investigate a major case on its own?
Next, I would like to ask about outcomes achieved for complainants. The PDPC has usefully published its decisions online. Where the PDPC found that organisations were in breach of their obligations to safeguard personal data, it was usual that the PDPC would impose financial penalties and also give directions on how the organisation should improve its data security arrangements. Has the PDPC ever assisted a victim of a data breach to obtain redress e.g. by mediating a financial settlement with the organisation?
Finally, the coverage of the PDP Act still excludes what is defined as “public agencies”. This exclusion seems artificial, when data is collected by entities under PDPA obligations and then transmitted to the government. While I accept that government agencies have many laws and regulations governing its data obligations, is there a convincing reason to exclude it from the PDPA?
Cybersecurity for Businesses – Daniel Goh
Chairman, Budget 2019 has focused our attention on cybersecurity by adding the Digital Defence pillar to our Total Defence strategy. This is appropriate coming after the SingHealth cyberattack and the HIV registry leak.
There is one critical vulnerability that now needs addressing. In Singapore, the extensive interface between the private and public sectors means cybersecurity for businesses is a critical vulnerability. MINDEF has also been relying on private companies to drive technological innovation and adaptations.
Will the government thus consider implementing targeted initiatives to bolster the cybersecurity capabilities of businesses, especially our local SMEs, urgently? It has been suggested that the government should provide grants for SMEs to train employees and improve cyber-defenses. It has also been suggested that a government hotline be established for businesses to obtain advice and report cybersecurity breaches without adversarial treatment from government.
Cyber Security Agency – Low Thia Khiang
Chairman Sir, the Committee of Inquiry investigating the SingHealth cyber attack recommended to significantly improve the competency of cyber security personnel.
Manpower planning and talent development strategy is critical in the national strategy to strengthen cyber security. In 2012, EDB reported that there were 1,200 cyber security specialists although there are 140,000 IT professionals. After seven years, where do we stand today in terms of the number and percentage of cyber security specialists among IT professionals? How many more is needed and being targeted?
One of the key thrusts of the National Cyber Security Masterplan 2018 is to grow Singapore’s expertise in cyber security. IDA has been working with Institutes of Higher Learning to expand cyber security programmes. Polytechnics and industry have collaborated to establish cyber security centres. IDA is also collaborating with FireEye to upskill cyber security professionals. EDB and NEC Corporation are collaborating to develop capabilities in strategic areas through overseas attachment. ST Engineering established the DigiSAFE Cyber Security Centre to reskill those interested in a mid-career switch.
With the establishment of the Home Team Science & Technology Agency and MINDEF’s Defence Cyber Organisation, and also the public sector Cybersecurity Professional Scheme and MINDEF’s Cyber NSF Vocation, we now have a varied landscape for manpower and talent development in cyber security.
Are these different efforts being coordinated by the CSA and IDA in accordance to the national strategy? Are these efforts competing with each other for a small pool of talents or complementing each other for synergies?
Government Public Opinion Surveys – Leon Perera
Mr Chairman, before I begin, I declare my interest as the CEO of a research consultancy that undertakes surveys.
Sir, many Singaporeans nowadays have the experience of being interviewed by opinion polling agencies conducting surveys on behalf of the government.
In a reply to my previous PQ, then Minister Yaacob Ibrahim responded that “The Government does not compile statistics on the surveys conducted by various agencies, or which among them are published.”
The results of opinion surveys, if published, would be valuable to many stake-holders in society.
For example, charities could design better fund-raising programs to help their beneficiaries by understanding the climate of public opinion around the issues and beneficiaries they are addressing. Academics could mine such surveys for research purposes. Civil society groups could use survey data to develop better programs to raise awareness around their focused issues. Citizens could use that knowledge to better shape and calibrate their actions as citizens, for example in writing letters to the media, expressing views on social media and making representations to consultative committees.
Sir, I understand that the results of some surveys are published, for example by Reach. I would like to call for the adoption of a rule that all Ministries and government agencies conducting opinion surveys publish the reports arising from those surveys for the use and benefit of society at large where they do not impinge on national security or sensitive matters.
I would like to ask if there are currently mechanisms to enable all government agencies or Ministries to access data from non-published surveys conducted by other agencies or Ministries. If not, publication of survey data could even improve governmental efficiency and spending by reducing overlaps in surveying.
Government surveys are conducted using public funds. The results of those surveys should be available for all to use, not only the government and government leaders.