Mr Speaker
Today, public services are delivered by community partners, social services agencies and even private contractors, and we agree that it is important that data is available where needed to ensure that public services are allowed to reach as wide an audience as possible, and to enable agencies to get assistance to vulnerable groups. Ultimately, data empowers policy making that is more responsive to the needs of a diverse population.
Thus we do agree that data must be accessible to entities and partners in order to achieve this, and that data be used to enable better delivery of public services.
However, the question before us today is not simply whether data should be shared or used. It is also about how power over the sharing and use of data is governed, and what guardrails are in place when such power is exercised. We also would benefit from having express channels of recourse known and accessible widely, that would come into play if and when mistakes occur from misuse or abuse of data.
The Bill before us today moves us from a framework that on the whole allowed data to be shared between public agencies – and subject to rules and regulations about such sharing and use – to one which expands the sharing of data, expressly authorising:
One, the use of data,
two, the sharing of data with non-public sector persons, and
three, even the re-identification of anonymised information,
All through ministerial directions and further authorisations, that is, “data sharing and use directions” given by a Minister.
Shift in regime: rule-based to ministerial directions
Such a significant shift from a more rule-based model of data governance to one that relies more heavily on executive decision and ultimately discretion should be founded in necessity. While we do not automatically disagree with this shift in principle, the public should understand why this change is being proposed, and why now. In this regard, I understand there will be safeguards and limited instances in which data will be shared. However, for our full understanding of the difficulties faced, could the Minister clarify: in the last 5 years, how many times have agencies run into difficulties in providing necessary services to the community?
And from these examples, can the Minister articulate the common characteristics that would indicate when ministerial discretion is warranted? And will these characteristics be codified as guidance for future authorisations? Had the agencies previously attempted other approaches such, as, for example, for PWDs and their families, attempting to gain consent upfront for affected individuals to share the full suite of data to community partners which are not public agencies in order to better provide services?
As I said earlier, allowing sharing to be made subject to a minister’s discretion is not automatically wrong. In a complex system with many moving parts, it is probably often necessary. But as with all our governance institutions, executive discretion has to be bounded, reviewable, and transparent, especially when it concerns citizens’ data. This is even more so when that data is highly sensitive. I need not remind everyone that data is king, given that we live in a world of scams, impersonation, data theft, and identity theft – now enhanced by generative and exponentially improving artificial intelligence.
Executive discretion and oversight
Under the proposed amendments to this Bill, Ministers will be able to issue data sharing and use directions, and be allowed to further authorise sharing of data with non-public sector persons.
While it is provided for in the Bill that directions must not be inconsistent with written law, or to impede independent statutory functions, it is not clear to me how these limits will operate in practice under the expanded scope proposed by this Bill. It is not about ascribing nefarious intentions to current office-holders. It is about the institutional design and guardrails that need to be built around such powers to be granted.
Could the Minister thus clarify what would be the oversight mechanisms to be applied in ensuring that a direction is not overly broad nor made erroneously? What recourse exists if a decision is later found to be erroneous or disproportionate?
Beyond personal data
It is also foreseeable that the proposed amendments could have implications beyond personal data. Any number of businesses now exist that attempt to commercialise personal data that is collected, before attempting to monetise these data, whether through outright sale of such data sets, targeted advertising, or using it to craft more commercially competitive strategies. Additionally, public agencies also often hold commercially sensitive information, proprietary business data, or intellectual property belonging to firms that engage with the public sector. It is not inconceivable that personal data – especially when aggregated – is by its nature valuable, especially when dealing in instances such as the people sector.
While the Bill criminalises unauthorised disclosure or misuse of disclosed data by employees of external parties, this does not fully address the risk of legitimate but unintended commercial or anticompetitive effects. This could take on the form of an external contractor gaining access to sensitive data about a competitor when data is shared legitimately under a broad authorisation to do so.
Could the Minister thus clarify about whether and how the proposed data sharing and use directions will explicitly require consideration and evaluation of data that could be commercially sensitive. Would there be clear expectations to exclude, anonymise or otherwise protect such information by default?
Could the Minister also clarify: when issuing a data sharing direction, what specific factors must be evaluated? For instance, must the Minister assess:
(a) the sensitivity classification of the data,
(b) the proportionality between privacy intrusion and public benefit,
(c) whether less intrusive alternatives exist, and
(d) the data recipient's security posture?
And are these factors documented in writing for each authorisation?
For example, Saudi Arabia recently issued Rules for Secondary Use of Data, which establishes a framework for sharing data beyond its original collection for public interest, research, and innovation. Those rules explicitly state, for instance, that the Data-Sharing Entity reserves the right to incorporate provisions concerning intellectual property rights and commercial confidentiality within the Usage License.
Re-identification of anonymised personal data
Now I would like to turn to the provisions giving express power to re-identify anonymised information. While the Bill emphasises that PDPA obligations continue to apply, and that criminal penalties extend to non-public sector recipients, citizens may wonder what are the explicit safeguard or channels of recourse they have to protect their privacy. This is especially in the instance where the data is highly sensitive, such as personal or family medical records.
Can the Minister thus clarify:
One, what instances would lead to re-identification.
Two, what avenues exist to raise concerns.
Three, how will breaches by non-public sector persons be communicated, particularly to affected citizens, and
Four, how can individuals seek redress in this system that has an increasing number of third party partners or contractors?
Redress should not only be about fines or punishment. Clear, accessible pathways for recourse are essential to maintaining public trust as data flows become more complex. Once sensitive personal data is leaked, it could potentially compromise a person’s financial situation, access to key services, and those of their family as well. It could affect the financial, commercial, and competitive position of a firm. Should serious data breaches occur and recourse be difficult, that could undermine that very public trust that the bill rests upon and which the Singapore system has painstakingly built up over decades.
Mr Speaker to conclude, I am not arguing against using data to govern better, nor using data to strengthen partnerships with the community or private sector. However, I hope that as we expand the executive’s discretion about the use of our data out of necessity, we strengthen, rather than dilute the governance framework around these increased powers.
Thus, could the Minister consider first, how Parliament can be kept updated and meaningfully informed about the use of these powers. Second, how Singaporeans can have clearer avenues for recourse, and finally, how can commercial and personal sensitive information be more explicitly safeguarded even if the use and sharing of such data is subject to Ministerial discretion.
This could take the form of including data sharing breaches, remedies and vulnerabilities, and efforts to strengthen procedures. We must also have clearer rules and principles that must be applied when ministerial directions are made for the sharing of data, with information about the avenues available to the public to seek redress should their sensitive personal data be misused or even leaked.
While we improve our data systems to better communicate and implement policies to better serve Singaporeans, let us ensure that we continue to have measures in place to protect and safeguard sensitive data, in order for them to have trust in the institutions that are ultimately meant to be there to serve and support them.
Thank you.
