SINGAPORE – The formation of the Public Sector Data Security Review Committee is a forward-thinking step in beefing up data security and shoring up public confidence, said industry experts, even as they identified challenges.

Mr Andrew Duck, chief executive of cyber security company Aversafe, told The Straits Times: “Individual committees established after a breach are reactive in nature and focused to a specific breach.

“The establishment of this committee to recommend improvements to the protection of citizens’ data is proactive and dedicates the resources necessary to improving capabilities across the entire public service.”

Associate Professor Hannah Yeefen Lim, a data protection law expert from Nanyang Technological University’s Nanyang Business School, said there is “absolutely” a need for the new committee to be created.

“It will affect the public trust if we don’t have something like this, especially after the spate of incidents recently,” she said, describing it as a positive step in Singapore’s move towards becoming a Smart Nation.

The Prime Minister’s Office, in announcing the new committee on Sunday (March 31), said it will be chaired by Deputy Prime Minister Teo Chee Hean, who is also the Coordinating Minister for National Security and Minister-in-charge of Public Sector Data Governance.

The committee will also include four ministers involved in Singapore’s Smart Nation efforts, as well as private-sector representatives with expertise in data security and technology.

Mr Cedric Foo, head of the Government Parliamentary Committee (GPC) for Communication and Information, said that having a senior minister in DPM Teo at the helm of the committee who can look across all ministries gives it a good base to work from.

Mr Foo added: “Each ministry is slightly different from the other and may have different priorities on what should be the base level of data security, but this committee will fulfil the role to determine the base level that can cut across all ministries.”

Mr Teo Ser Luck, MP for Pasir Ris-Punggol GRC, and also a member of the GPC, described the new committee – which will submit its findings and recommendations to Prime Minister Lee Hsien Loong by Nov 30 – as a “good start”.

Moving forward, he said forming a working group in the long term to constantly review the data security processes would help to provide assurance to the public and instil confidence in Singapore’s system following recent data leaks involving public agencies.

“What’s more critical are the people handling and managing the data. They are more critical to data security than the system itself,” said Mr Teo.

The recent incidents included the personal information of more than 800,000 blood donors – which was put online improperly for over two months – being accessed illegally and possibly stolen, according to a Health Sciences Authority vendor responsible for the mistake on Saturday.

Experts also identified challenges facing the committee that need to be addressed for it to be effective.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the government will have to get the mix of the committee right for it to be effective, as an over-representation on the side of the private sector could result in companies pushing their own commercial interests.

“I hope to see a very independent committee made up of people across different industries, based on their expertise,” he said.

He said the committee will also have to reconcile the diverse needs and goals of different government agencies, which could pose a challenge for the committee.

In such cases, Mr Cheang suggested that the financial and healthcare sectors should be prioritised due to the need to address personal data in these two areas.

Co-founder of cyber security start-up 689 Cloud Hiro Kataoka said the committee will also need to strike a balance between the security and effective use of data, and not tilt the balance towards security so much that it negates the benefits of using data.

“Wherever possible, security must not be an impediment to the effective use of data,” he added.

Source: Read Full Article