Bill on sharing of citizen data passed in Parliament amid calls for safeguards, transparency
Source: Straits Times
Article Date: 13 Jan 2026
Author: Lee Li Ying
The Public Sector (Governance) Act (Amendment) Bill spells out data sharing requirements with social service agencies, community partners and self-help groups, among others.
A Bill that allows government agencies to share citizens’ data with partners outside the public sector was passed in Parliament on Jan 12, paving the way for more effective delivery of community services.
The Public Sector (Governance) Act (Amendment) Bill spells out data sharing requirements with social service agencies, community partners and self-help groups, among others, as these external partners are not covered by the current Public Sector (Governance) Act (PSGA).
PSGA, introduced in 2018, sets out data protection and sharing requirements only for public agencies.
So for years, social service agencies, community partners and self-help groups have had to rely on individual consent, common law public interest grounds or sector-specific legislation to obtain citizens’ data.
During a debate on the Bill in Parliament on Jan 12, Minister of State for Digital Development and Information Jasmin Lau said: “These avenues are not ideal in many real-world situations.”
For example, external partners cannot identify who to help if the Government cannot share that information with them. Getting consent from recipients before their data is shared is also a challenge because contact details may be outdated. In urgent or large-scale situations, the Government cannot afford delays caused by seeking consent case by case, she added.
It is also difficult to establish public interest, said Ms Lau.
She cited the example of the Ministry of Social and Family Development’s (MSF) partnership with disability support organisation SG Enable and other social service agencies to correctly identify people who need help in areas such as employment and training opportunities.
But MSF found it challenging to establish the legal basis for sharing their data. As a result, social service agencies could receive only the addresses of people with disabilities, and no other information about disability conditions, needs or demographics.
Without such information, “our partners end up spending extra time and effort re-establishing details during visits to our persons with disabilities and their families”, said Ms Lau, adding that the Bill addresses such a gap by providing a clear legal basis.
The amendments also provide more clarity that public agencies are allowed to use the data they have. The lack of clarity had led to the Ministry of Education wasting a month checking if it could use parents’ contact information from student data collected during school admission for a 2023 survey.
Eight MPs asked for safeguards to ensure that data shared with external parties is protected, and ways to ensure external parties are equipped to handle the data.
Ms Lau said that under the amended PSGA, public agencies can share data with external parties only under seven specific public purposes.
These include securing efficiencies for the public sector, ensuring business continuity and managing risks to the financial position of the Government.
Additionally, each data sharing arrangement must be authorised by a minister or the minister’s delegate. The authorisation must clearly specify what data can be shared, which organisation receives it and what purposes it will be used for.
“The public agency must assess the organisation’s ability to fulfil its role and handle data responsibly with proper security protections. Where the partner is unable to meet the required safeguards, the sharing will not proceed,” said Ms Lau.
External partners are also bound by clear contractual terms, including the use of anti-malware software with up-to-date signatures and regularly performing vulnerability assessments.
Mr Sharael Taha (Pasir Ris-Changi GRC), who chairs the PAP’s Government Parliamentary Committee for Digital Development and Information, asked how long data can be retained for and if the ministries would be responsible for wiping the data.
Ms Lau said the terms of use will specify data retention periods and requirements to purge data. External partners will also have to provide yearly declarations of compliance with the terms of use. Periodic audits at higher frequency will be done by public agencies or appointed third parties for more sensitive data.
“Highly sensitive data will also require reviewing of privileged accounts monthly for access rights before any data sharing is established,” said Ms Lau.
Mr Kenneth Tiong (Aljunied GRC) and Mr Yip Hon Weng (Yio Chu Kang) called for more transparency and suggested the creation of a public register of external parties under the PSGA. Mr Tiong also called for a five-year review period for the Bill.
In response, Ms Lau said: “It could be challenging to share in detail a list of external partners or to notify citizens for every use, given the dynamic nature of these partnerships.”
She added that the Government will review what is feasible when it has more experience with the Bill.
Responding to Mr Tiong’s suggestion that the TraceTogether incident in 2021 had broken public trust, she said that the Government explained its position in Parliament and passed the Covid-19 Act to restrict the use of TraceTogether data to serious offences.
The Government had apologised for not informing the public that data from the contact tracing application deployed during the Covid-19 pandemic could be used for criminal investigations.
“That is accountability. We did not hide from scrutiny. We addressed it openly in this House,” Ms Lau said.
She also provided a preview of the Health Information Bill (HIB), which was debated on the same day. The HIB covers healthcare information on the National Electronic Health Record (NEHR) and complements the PSGA.
While HIB governs public agencies’ access to the NEHR for healthcare purposes – such as medical consultations or laboratory tests – the PSGA governs the use of anonymous healthcare data for policy analysis.
Exceptions include the use of health data of staff from the Ministry of Home Affairs (MHA) to assess if regular uniformed officers could bear arms or take on demanding deployments. MHA will have to seek consent from personnel and conduct personal data protection impact assessments before accessing the NEHR data.
Under the amended PSGA, external parties that misuse shared data may be subject to the same level of penalties as public officers. Public officers found guilty of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data can be fined up to $5,000 and jailed for up to two years.
In addition, Personal Data Protection Act obligations and penalties – which primarily apply to private sector organisations – will continue to apply to these external partners.
Source: The Straits Times © SPH Media Limited. Permission required for reproduction.