Public sector IT systems to be redesigned next year

Move is part of new measures to protect citizens' personal data

A significant redesign of Singapore's public sector IT systems will take place next year as part of new measures to safeguard citizens' personal data.

For instance, inactive user accounts will be automatically removed when public servants resign and leave. It is currently a manual process.

Such automation across the public sector is among 24 key recommended measures by the Public Sector Data Security Review Committee (PSDSRC) that are being rolled out after a spate of breaches over the last two years.

In the SingHealth cyber attack disclosed in 2018, the attackers targeted inactive administrator accounts, one of which had an easily cracked password.

Another new data security measure will involve the use of technical and process controls to detect and stop risky user behaviour, such as copying sensitive files from laptops.

Users will be prompted to reconsider before clicking to proceed, in order to prevent unintended data leaks.

This will plug gaps in much the same way that an e-mail control already in place did last year, when it detected and stopped an attachment from being accidentally sent by an officer from the Singapore Accountancy Commission to unintended recipients. The attachment contained the contact details and examination results of 6,541 individuals.

In its inaugural annual report on the Government's personal data protection efforts yesterday, the Smart Nation and Digital Government Office (SNDGO) said it is on track to roll out all 24 measures by the end of 2023 as part of its $1 billion investment in data security. It has rolled out 18 measures to date.

On why some measures can be implemented only next year, the SNDGO said: "These are larger and more complex programmes which require significant re-architecting of the technical systems and would therefore require a longer lead time for implementation."

The automation of the removal or granting of user access rights to public sector IT systems can be fully implemented across all 2,000 IT systems only by end-2024. In the interim, a technical system will be used to alert agencies to staff movements and role changes so agencies can manually and promptly remove inactive user accounts.

The PSDSRC framework will replace current practices at public agencies, many of which have devised their own protocols.

The committee was convened by Prime Minister Lee Hsien Loong in March last year following a spate of cyber security breaches, including the SingHealth incident in June 2018.

In its report, the SNDGO highlighted plans to provide new guidelines by the end of this year aimed at helping public agencies use biometric data responsibly.