Parliament Sitting on 12 February 2019


*12. Ms Sylvia Lim: To ask the Minister for Communications and Information given the gravity of data protection breaches in the public sector, whether the Personal Data Protection Act should be amended to remove the exemptions for public agencies. 


The Personal Data Protection Act (PDPA) came into force in 2012.  With the gathering pace of digitalisation, we recognised the need to strengthen data protection in the private sector.  The PDPA establishes a baseline standard for data protection in the private sector, balanced against its need to use personal data for reasonable purposes.    

2. On its part, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector, and we continue to strengthen our data governance policies.  Since 2001, the Government Instruction Manuals already include measures to govern the use, retention, sharing and security of personal data among public agencies.  In 2018, the Public Sector (Governance) Act (PSGA) was introduced and it provided for additional safeguards for personal data in the public sector, including criminalising the misuse of data by public servants.  The data protection standards in the PSGA are also aligned with the PDPA.

3. In addition, data collected by the public sector is also protected by specific legislation such as the Official Secrets Act, the Income Tax Act, the Infectious Diseases Act and the Statistics Act.  Collectively, these laws impose a high standard of responsibility on all public agencies, with additional requirements for the protection of sensitive or confidential data.  Also, regular, mandatory audits are conducted to ensure that public agencies comply with the standards for data protection and the security of ICT systems.

4. The PSGA allows personal data to be managed as a common resource within the public sector for better public policy making and more responsive public services.  For example, when a Singaporean applies for financial assistance at a Social Service Office, the front-line officers are able to quickly evaluate his or her eligibility for financial assistance because they have access to data from other relevant agencies.  In this way, we minimise the documents that need to be submitted by the applicant and improve the delivery of public services.  In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similar integrated delivery of services across different commercial organisations.  

5. Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and private sectors.  That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector.  We will regularly review the PDPA, the PSGA and other legislation to ensure that they remain relevant and effective in safeguarding personal data in both the public and private sectors.
MCI's response to PQ on regulation of CCTVs Parliament QAs Personal Data 01 Apr 19
MCI's response to PQ on data protection complaints referred for alternative dispute resolution Parliament QAs Personal Data 01 Apr 19
MCI’s response to PQs on HSA data leak and public sector data breaches Parliament QAs Personal Data 01 Apr 19
MCI's response to PQ on public agencies' exemption from PDPA Parliament QAs Personal Data 12 Feb 19
Statement by Mr S iswaran, Minister-in-Charge of Cybersecurity, on the Government’s response to the report of the Committee of Inquiry into the cyber attack on SingHealth, during Parliamentary Sitting on 15 January 2019 Parliament QAs, Speeches Cyber Security, Personal Data 15 Jan 19
MCI’s response to PQ on measures to protect personal data of Facebook users Parliament QAs Personal Data 14 Jan 19