Found this old article interesting. There were questions raised back in 2019 on why government agencies should be exempt from the PDPA. At that time, Iswaran (then Minister for Communication and Information) said that govt agencies, unlike private orgs, are expected to adopt a whole-of-govt approach in delivering public services and this is very different from the private sector.
But he also said that govt agencies need to comply with comparable, if not stricter, data protection standards.
“Mr Iswaran noted that public sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA).
Collectively, these provide comparable, if not higher, standards of data protection compared to the PDPA, he said, adding that similar investigations and enforcement actions are taken against data security breaches.”
So was ACRA’s disclosure of full NRIC numbers in compliance with the govt’s own data protection standards? If not, will investigation and enforcement actions be taken?
For private sector orgs, data breach incidents have to be notified to the PDPC and affected individuals, with remedial actions taken, in line with the timelines set out by the PDPC. See https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/other-guides/guide-on-managing-and-notifying-data-breaches-under-the-pdpa-15-mar-2021.pdf
Can we expect to see some similar accountability on ACRA’s part? Regardless of what the govt’s future policy intent may be, we live in the present and surely ACRA’s disclosure of NRIC data has to be evaluated based on the prevailing guidelines and status quo. Until the future policy intent has been fully operationalised, disclosure now compromises the data privacy and security of everyone whose full NRICs were exposed.
I think it is high time for ACRA to come forward and explain just how many people were affected, how they decided on whose NRIC numbers to disclose (was it only directors and shareholders or were others included too), why they decided it was necessary to publish this database, how they ended up running ahead of future policy intent, whether they can track who accessed the NRIC numbers or could have scraped the NRIC data they made available, and what remedial actions they are now going to take. “Sorry we ran ahead of policy intent” doesn’t cut it.
submitted by /u/likethatlaw
r/singapore Source: https://www.straitstimes.com/politics/parliament-public-agencies-not-governed-by-pdpa-because-of-fundamental-differences-in-how