Professor Tim Clark, Provost, SMU
Associate Professor Goh Yihan, Dean, SMU
Mr Philip Jeyaratnam, SC, Global Vice-Chair and ASEAN CEO, Dentons Rodyk,
Ladies and Gentlemen,
Good afternoon. Thank you for inviting me to attend the annual Dentons Rodyk Dialogue. I was asked to speak about cybersecurity, privacy, data breaches and social media. I thought what I might do is to lay out the thinking around the policy approaches to these areas, how we see them as separate and where they overlap.
2 The issue of data collection, in particular the reasons why data is being collected, is well known. A lot of data is being collected on a regular basis, via our interactions with our phones, our interactions with corporate entities and our interactions online. Data is largely being collected to deliver personalised services—which is the benefit we get as consumers—where data is used to inform product development and improvement cycles, as well as the innovation around the development of new products and services.
3 As the number of products, services and transactions increases, the risks associated with the data collected are also increasing. As more data from an individual is being aggregated and as more individuals have data that can be cross-correlated, the types of risk are increasing qualitatively. As more transactions occur and as more individuals engage in these transactions, the number of individuals that can be affected also increases quantitatively. The risks are multiplied and, as technology improves, we will see some potential increase in both the surface area of these threats as well as the impact of the breaches.
4 When you think of this space, it is useful to be clear and to split up the thinking in three areas—data privacy, data security and cybersecurity. The three are interrelated, but often confused, conflated and bound together as one concept that can be solved by one government agency or one policy idea. That is not the case and I would like to explain why that is so, as well as our approach in dealing with these three areas.
5 Data privacy largely concerns the issues around personal data. The space where this is really a concern is in the private sector, as they need to collect data to develop personalised products and services. But the private sector has an incentive to monetize private data in their transactions with other private sector organisations, and we see this playing out whether it is in advertising, whether it is about layering multiple products together, or targeting a particular consumer demographic.
6 Data security is not exactly the same as data privacy. In data security, it is not just about personal data but data as a whole, especially as it impacts security issues. It may not be your address, your telephone number, NRIC. It may be a slightly wider number of data related issues—for example, the car you drive, the public transport you take, the locations you go to on a frequent basis. When you aggregate the data on a national level—where are the areas of high traffic or high density—this becomes a security related issue without necessarily being personally identifiable.
7 In general, for data security issues—as far as we are concerned from the perspective of legislation—we worry about those that involve the state, or public sector because firstly, it tends to be where the most sensitive security related data rests. Secondly, for the private sector, the incentive is now in the completely opposite direction because the private sector has every incentive to not share data that is security related to their functions. They have every incentive to protect their business processes and intellectual property, to protect their operational risks that concern where their operations fail, where their customers have complained. So in a way it is the opposite for their incentives around data that we would consider an issue for data privacy.
8 Cybersecurity layers across all of these. Cybersecurity is not just about data, but you need cybersecurity in order to protect the data. A breach of cybersecurity is not automatically a data breach. Let me explain why. Cybersecurity is about how you have access to computing, information resources, information technology. It is about how you misuse the information for unauthorised purposes—some of which may include the exfiltration of data (removal of data), data infiltration (the insertion of false data)—but it also includes other things which do not have anything to do with data. For instance, distributed denial of service attacks, where a large number of computing resources are mobilised to take down the provision of a service without either the infiltration or exfiltration of data. Beyond that, there are far more malicious things. For instance, penetrating systems and taking control of those systems to subvert an action or cause harm. Cybersecurity is larger than just data, but it is a necessary pre-condition in order to protect data. What then is our response from a State perspective?
9 We have three pieces of legislation that cover the space: (1) the Personal Data Protection Act (PDPA), (2) the Cybersecurity Act, and (3) the Public Sector Governance Act (PSGA). Why do we have three different pieces of legislation, and three different approaches? I hope to first establish that it is not one space.
10 For the PDPA, our policy intent is to impose a compliance burden on each individual private sector entity in terms of sharing data between them. There needs to be care, and a cost associated with that care, when sharing the data, in order to work against the incentive of profit that exists in the private sector. We do not want to prevent the private sector from sharing your personal data, but we want to make sure that they appreciate the correct cost of sharing the data—both in terms of the safety and security around it, as well as how much you might be liable if the data is inappropriately shared. We want to provide an incentive in the opposite direction to the profit they extract from the sharing of your data.
11 At the same time, our policy trade-off is that if we were too stringent, there would be no new innovative models and services for consumers to enjoy. That is the trade-off that we have to deal with in respect of the PDPA and that personal privacy space. And so, our approach is largely around consent and information about the behaviour and processes of the people that handle the data. It is not so much a technical response, and instead a people and behavioural response predicated on the issue of consent.
12 In the public sector, however, there is no such incentive that we worry about. There is no need to work against a certain pressure to share data for profit. In fact, we have the opposite problem. We want to encourage data sharing in the public sector, because the public sector is made up of many entities—each with statutory boards, governance processes and policies, and each with an incentive to manage their own risks as an individual entity. But from the point of view of servicing our citizens, what we need to do is take a calibrated approach with regard to that risk management and share the data in order to link different pieces of information and provide appropriately calibrated services to citizens using data from across the public sector. We want the public sector to behave as one entity with respect to data sharing, around the citizen, even though there are hundreds of entities. Secondly, for the public sector, we have the issue of security because the public sector also manages a lot of data with a security issue that is not personal data. And so we have a slightly different approach to that.
13 The PDPA only covers personal data, takes a relatively light-touch technical approach and is predicated largely on information and consent provisions, with a whole bunch of guidance. We are reviewing it this year. The PSGA, however, covers all data within the public sector and not just personal data. It has very stringent controls at the periphery—the sharing of public sector data out to the private sector—and because you don’t have the ability for one part of government to fine another part of government, it criminalises certain actions. The PSGA has a series of controls elevating the status of offences because the risk is much higher. We need to operationalise two types of approaches for two different policy intents, and this is why we have two separate pieces of legislation and two separate ways of governing the space.
14 For cybersecurity, there is a single Cybersecurity Act that cuts right across the private sector as well as the public sector. But what is it that we are governing in the Cybersecurity Act? Firstly, we are only going after Critical Information Infrastructure (CII). We are not applying that legislative framework to the entire universe of data. We are choosing those areas where, even if you are in the private sector, the information infrastructure that you have is a national security issue. For instance, the banking sector, aviation, or our healthcare system. So is there a difference between the private and the public sector? The answer is yes.
15 But how then do you differentiate the cybersecurity approach for the State versus the cybersecurity approach for the private sector entities? And we do this one layer down through the Assistant Commissioners and the fact that each of our CII will have a different body governing cybersecurity. So for Government, it would be the Government Technology Agency of Singapore (GovTech). The government is a subset of a larger piece of cybersecurity governance.
16 These three pieces allow us to apply appropriate measures for each of these spaces. It is not necessarily neat, but we find that if we can develop these separate levers of control, then we are allowing within each space, the correct balance between innovation and preserving data privacy, and cybersecurity.
17 However, none of this matters if you are a victim of a cybersecurity breach. You are personally affected, your data is compromised and you want to know how this complex system is working on your behalf. This is not something we can solve once and for all. The technology and the adversarial threats that we are facing are evolving as fast as our thinking evolves. What we need is the regulatory agility and an updated approach going forward, as we examine each and every threat and risk to assess whether we have the right posture. Disaggregating the approach like this allows us to think of separate levers when we are faced with new threats. If we need to apply an intervention because of a threat that is specific to the State sector, and I think this is something other jurisdictions are facing, and yet it significantly constrains the private sector’s ability to innovate, then there is a very significant implication on how you are able to attract business investments into that space. That is why we hope our regime will allow businesses the flexibility to calibrate correctly.
18 We are quite aware that public trust is key to all of this. The issues around data breaches that we have had—whether locally or the ones that made the headlines internationally—the commonality is that human factors were involved. That is the most difficult thing to solve, especially for individuals who have the intention to exploit the data, which is an insider threat.
19 The solutions cannot be purely technical or technological. Nevertheless, there is a role for technical, technological, and policy processes to scrutinise the space as closely as possible. We convened the Public Sector Data Security Review Committee chaired by DPM Teo, which will surface recommendations as to how we can improve our governance processes. But the assumption is that we will need tighter processes, including technical solutions, as well as in how we manage the people factors, in order to reinforce public trust in this space moving forward. Without public trust in the private sector, you are not going to have the flourishing technology innovation which we have seen in the last few years. Without trust in the public sector, we are not going to deliver on our Smart Nation promises to transform Singapore using technology. Reassuring the public that we are taking this seriously and that we are able to intervene appropriately is going to be essential as we deal with data privacy, data security and cybersecurity.
20 I hope my explanation of these three buckets, legislative pieces and interventions has been clear. I will be happy to take questions and I look forward to the discussion.
21 Finally, I would like to thank SMU and Dentons Rodyk for hosting this dialogue. I think that the space is exciting as we go forward. The role of the legal sector in thinking how we need to update our conceptual frameworks as well as the tools that we have to intervene in this space is crucial and critical, but at the same time, it is also an opportunity for us in Singapore to differentiate ourselves and provide a competitive edge. Thank you.