Mr Speaker,
I support the Public Sector (Governance) (Amendment) Bill, but I would like to place some significant concerns on the record.
(A Lesson in Trust)
Let me begin with a story this House knows well.
In January 2021, Singaporeans learned that police had access to TraceTogether data under the Criminal Procedure Code. This contradicted earlier assurances that the data was (quote) "purely for contact tracing, period." (end quote) The then-Minister in charge of Smart Nation acknowledged he had been "blindsided"—he had not considered existing law when making those assurances.
The backlash was significant. Not because Singaporeans oppose law enforcement, but because they felt misled about how their data would be used. The backlash led to the expedited passage in February 2021 of the COVID-19 (Temporary Measures) (Amendment) Bill, restricting access to 7 serious offence categories.
The lesson is that trust must be built through demonstrably robust processes. Once faith in a data-sharing framework is broken, it is expensive to rebuild.
I raise this because the Bill before us creates a new framework for sharing citizen data—this time, with private entities. The question is whether we have learned from the TraceTogether episode.
(What the Bill Does)
The original PSGA, passed in 2018, allowed government agencies to share data with one another under Ministerial direction.
This Amendment expands that framework significantly: data can now flow to private companies, contractors, and vendors. And it introduces a power to re-identify anonymised information.
(The Core Question)
Mr Speaker, of course data sharing creates value. Examples abound - like the Social Service Net -when MSF shares client data with Family Service Centres and VWOs, we see coordinated assistance and faster assessments.
But this Bill creates a fundamental asymmetry.
The Government gains the capability to share any data with any private entity. Private entities gain access to government-held data. What do citizens gain?
Under this Bill, a citizen has no right to know when their data is shared with a private company. No mechanism to find out which companies hold their data. And no way to ensure they benefit from the value that data creates.
TraceTogether failed on transparency—citizens did not know police could access their data. Why risk the same failure mode again with this Bill on a larger scale, with more actors including those outside government, and less visibility?
If this Bill expands what the Government can do with citizen data, should it not also expand what citizens can do—to track, to benefit from, and to govern that sharing?
(Three Asks)
Mr Speaker, I ask for three commitments that would complete this framework.
One: A Public Register.
All data sharing directions issued to private entities should be published—the categories of data shared, the recipient, the purpose, the duration.
This is not a per-transaction notification. It is the disclosure of Ministerial directions, made in small numbers. Australia's Data Availability and Transparency Act 2022 includes such a register. It creates accountability without undue operational burden.
TraceTogether's problem was that citizens could not know how their data was used. A register solves this.
Question 1: Will the Government commit to publishing a register of all data sharing directions issued to private entities?
Two: Citizen Benefit
When data flows from government to the private sector, it creates value for those two players. Agencies gain efficiency. Private entities gain data access and improve their services. Where is the mechanism ensuring citizens share in that value?
I mean concrete improvements: service quality guarantees, cost reductions passed to users, transparency about outcomes, and also something I believe in, which is benefit-sharing from any future monetisation of their data.
Question 2: What benefits will Singaporeans see from this framework? How will these be tracked and reported? WIll there be any part of the government that advocates directly for citizens gaining a share of these data benefits?
Three: Public Review
The original PSGA allowed sharing between government agencies. This Amendment opens the door to the private sector—powers of a different order.
Australia's framework includes a review that quote “must start by, and be completed within, 12 months (or a longer period agreed by the Minister) of the third anniversary of the commencement of the Act.”. This is a sound legislative principle: The grant of novel powers should have built-in moments for reassessment.
The backlash to TraceTogether led to emergency legislation limiting police access. Would it not be better to commit to a review now than to legislate in a possible crisis of confidence later?
So, Question 3: Will the Minister commit to a formal public review within five years—including the directions issued, the data shared, and whether safeguards have been adequate.
(Two Further Concerns)
Mr Speaker, beyond these three asks, I wish to flag two concerns about organisational accountability.
First, a data governance gap.
The public consultation promised "robust safeguards" through "data governance requirements" on external partners—I quote: requirements "similar to what public sector agencies have to meet."
What does the Bill deliver? Individual criminal liability for employees who misuse data.
What does the Bill not deliver? Any organisational requirements. No security certification. No audit trails. No breach notification duties.
So, Question 4: Where are the data governance requirements promised in the consultation? If they are to come by regulation or procurement contract terms, will the Minister commit to that today?
Second, a liability gap for non-personal data.
Under PDPA, for data breaches involving personal data, organisations face financial penalties of up to 10% of annual turnover. . Individuals also face liability.
Under this Bill, for non-personal data shared with private entities, only individual employees can be prosecuted. If an organisation systematically exploits non-personal government data beyond its authorised purpose, the entity that designed the business model and profited faces no direct liability.
Accountability must reach the benefiting entity. If organisations can profit from misuse while only individuals bear risk, the incentive structure is incorrect.
Question 5: Will the Government commit to organisational accountability mechanisms, especially for non-personal data which is not covered by PDPA? Why has it not chosen to hold organisations accountable here?
Mr Speaker, I am on the whole supportive of the bill’s enabling of data sharing with private sector actors. In any case, deeper public-private collaboration is inevitable. Data will flow to where it creates value.
But we should learn the lessons of TraceTogether.
TraceTogether taught us that non-transparency about data-sharing has costs. This Bill should learn that lesson. Transparency is what makes data sharing sustainable in the long-term.
So I’ve asked for three commitments: a public register, a mechanism to track and report citizen benefit, and a formal review within five years.
And I’ve flagged two gaps in organisational accountability that should be addressed.
I trust the points collectively raised today will spare us a future 'blindsiding'.
Thank you, Mr Speaker.
Sources for factual claims:
- Social Service Net: MSF
- PDPA 10% penalty: Allen & Gledhill
- MDDI consultation quote: REACH
- Australia DAT Act: Holding Redlich
- TraceTogether backlash: MIT Technology Review
