Law passed allowing public sector data to be shared with ‘trusted external partners’

LaksaNews

SINGAPORE: Public sector agencies will be able to share data with "trusted external partners" whom they work with for legitimate public interest purposes after parliament passed legal amendments on Monday (Jan 12).

Currently, the Public Sector (Governance) Act (PSGA) allows government agencies to share data with one another. When the PSGA amendments come into force, the government will be able to share data with private organisations, such as social service agencies, community partners and self-help groups.

Examples of these organisations that currently work with ministries include SG Enable, the Chinese Development Assistance Council, Mendaki, Sinda and the Eurasian Association.

Under the amended Act, agencies are allowed to share data with external partners only when three "safeguards" are met.

This means that the data can only be shared if there is a legitimate purpose, if a minister or the minister's delegate has authorised it, and if these organisations are held to the same data protection standards that public sector agencies already adopt.

Speaking in parliament, Minister of State for Digital Development and Information Jasmin Lau said that the changes represented a "careful evolution" of the PSGA.

"It extends our data sharing and governance framework that has enabled better services within government, to trusted partnerships beyond government, all while keeping clear what our purpose is, ensuring that there is high-level oversight, strong safeguards and strong accountability," she said.

ADDRESSING A GAP


Introduced in 2018, the PSGA allows public sector agencies to share data with one another for seven purposes, all of which support the public interest.

"Since then, the PSGA has enabled public sector agencies to work together to better serve Singaporeans through data, resulting in more data-driven policies and schemes, faster implementation, and more citizen-centric support and services," said the Ministry of Digital Development and Information (MDDI) in a press release.

The ministry added that data sharing between agencies has enabled "automatic qualification and disbursement" for various support schemes, such as the Community Development Council (CDC) vouchers scheme and the Majulah Package.

Data sharing across public sector agencies for seven purposes

  1. To uphold and promote the values of the Singapore public sector
  2. To secure economies or efficiencies for the Singapore public sector
  3. To improve (directly or indirectly) the efficiency or effectiveness of policies, programme management or service planning and delivery by Singapore public sector agencies
  4. To ensure business continuity
  5. To ensure accountable and prudent stewardship of Singapore public sector finances and resources
  6. To manage risks to the financial position of the government
  7. To support a whole-of-government approach in the discharge of the Singapore public sector agencies’ functions

"When the PSGA bill was debated in parliament in 2018, some Members of Parliament saw the potential for PSGA to do more. They asked about data sharing with trusted partners, like our social service agencies," said Ms Lau.

"Back then, we had promised to review this later. And now we are ready for the next step."

The PSGA did not cover external partners outside the public sector. To share data with them, public agencies relied on individual consent, common law public interest grounds, or sector-specific legislation, said Ms Lau.

But these avenues are "not ideal" in many "real-world situations", such as when contact details become outdated, when vulnerable individuals may not respond in time, or when the consent route becomes onerous because multiple datasets and partners are involved, she added.

"In all of these situations, relying on consent means people in need may fall through the cracks and fail to receive timely support," said Ms Lau.

"Common law public interest grounds can also be difficult to apply consistently, because boundaries are not clearly set out and each case needs extensive assessment."

The amendments address the "gap", she added.

"It provides a clear legal basis with clear guardrails for data sharing with our trusted external partners, where it serves legitimate public purposes."

"HIGH-LEVEL" OVERSIGHT INVOLVED


As for the three safeguards under the PSGA, Ms Lau reiterated the need for these conditions to be met to ensure accountability and that the data is handled in a secure manner.

On the first safeguard, public agencies can only share data for the same seven public purposes that govern inter-agency sharing today.

In addition, each data sharing arrangement with an external partner needs “specific” authorisation by a minister, or the minister's delegate.

The authorisation must clearly specify what data can be shared, which organisation receives it, and for what purpose it may be used, said Ms Lau.

"This ensures high-level oversight for each and every arrangement. It is not a broad, open-ended permission."

The public agency must evaluate the organisation's ability to fulfil its role and handle data responsibly with proper security protection, she added. Where the partner is unable to meet the required safeguards, the sharing will not proceed.

Under the third safeguard, all external partners will also be bound by clear terms of use that set out how the data is protected and used.

"Currently, public agencies already need to make sure external partners whom they share data with are able to meet these requirements, and are contractually bound to do so," said Ms Lau.

"While public agencies already hold external partners to such requirements, we will provide more specific guidance to ensure consistency across different partnerships."

To deter misconduct when it comes to shared data, individuals from external partners will also be liable for criminal offences.

Those convicted of an offence will be subject to a fine of not more than S$5,000 (US$3,900), a jail term of not more than two years, or both, said MDDI. This is aligned with data-related offences that apply to public officers under the PSGA.

"Expanded data sharing will mean expanded accountability too," added Ms Lau.

Authorities can also revoke authorisation and cease data sharing arrangements with partners where appropriate.

"With the proposed amendments, we maintain our commitment to protect data, while addressing the reality that effective service delivery requires trusted partnerships beyond public agencies," said Ms Lau.

"These amendments will enable vulnerable Singaporeans to receive faster, targeted and more coordinated support, when they need it most."

ACCOUNTABILITY AND TRANSPARENCY


During the Bill’s debate, eight Members of Parliament raised their concerns about various aspects of the safeguards, especially those related to ensuring accountability.

MP Kenneth Tiong (WP-Aljunied) said he supported the PSGA but wanted to “place some significant concerns” on the record. He brought up the TraceTogether incident in 2021, in which the government clarified that the police can access TraceTogether data under the Criminal Procedure Code.

“I raise this because the Bill before us creates a new framework for sharing citizen data, this time with private entities,” said Mr Tiong.

In response, Ms Lau said that the incident did not “undermine” public trust. When the issue arose, the government explained its position in parliament and clarified the legal framework, she added.

“The lesson from TraceTogether is not that the government cannot be trusted with data. It is that when questions arise, the government must be accountable and transparent - and we were,” said Ms Lau.

Mr Tiong and Dr Choo Pei Ling (PAP-Chua Chu Kang) suggested that the authorities set up a public register detailing how these data requests are handled.

This would reassure Singaporeans that health data sharing beyond healthcare delivery is tightly controlled, exceptional, and subject to public oversight, said Dr Choo.

Mr Tiong added that the register would create “accountability without undue operational burden”.

To this, Ms Lau said that authorities will consider what is “feasible” as they get more “experience” with the amended law.

Ms Jessica Tan (MP-East Coast), who is also part of the Government Parliamentary Committee for Digital Development and Information, similarly called for strong documentation.

Ministerial direction and authorisation will ensure that agencies spell out why data is needed, what will be shared, the party accountable, and the safeguards in place, she said.

This creates a transparent audit trail ensuring that decisions are not made "quietly or casually" at operational levels, Ms Tan added.

ANONYMISED DATA AND RECOURSE


MPs from both sides of the House raised concerns about privacy, particularly the risk of individuals being re-identified from anonymous data.

Ms He Ting Ru (WP-Sengkang) asked when re-identification would be allowed and what recourse citizens would have, while Mr Yip Hon Weng (PAP-Yio Chu Kang) questioned whether residents would be informed when their data is shared and who they could approach if issues arise.

To this, Ms Lau said re-identification would be allowed only in limited cases to meet public sector objectives, such as when data is corrupted.

Unauthorised re-identification remains an offence, she said, adding that individuals can raise concerns with agencies, external partners or via the government’s data incident reporting platform.

Ms Lau also responded to another question by Mr Tiong, who pointed out that only individual employees can be prosecuted for breaches involving non-personal data shared with private entities, while the entity that profited faces no direct liability.

The new PSGA offences cover non-personal data, ensuring that all data - including personal data - shared by the government is subject to penalties for misuse under the PDPA or the PSGA, she said.

She added that public agencies will impose terms of use on external partners, requiring organisations that receive government data to comply with data protection and security safeguards.

These organisations may face liability through contractual terms if breaches occur, said Ms Lau.
