The Public Sector Data Security Review Committee provided five key recommendations in 2019 to improve the government’s data security regime.
They include enhancing technology and processes to effectively protect data and strengthening processes to detect and respond to incidents.
To meet these five recommendations, 24 initiatives were put together. As of Mar 31, all 24 have been implemented, said MDDI.
In the last financial year, the government completed two recommendations: Minimising data collection, retention, access and downloads, as well as protecting data directly when it is stored and distributed to make sure it is unusable even when extracted.
The government has also progressively put in place several measures, said MDDI.
In the last year, it expanded a central privacy toolkit called Cloak. This allows public officers to apply “privacy-enhancing technologies” to datasets while preserving the data’s value for sharing and use.
For example, one feature has been used to anonymise 20 million documents.
Since its launch in March 2023, the toolkit has been used by 1,400 public officers from 90 agencies.
Another tool is the Central Accounts Management (CAM) system, which is used to automatically remove user accounts that are no longer needed.
This mitigates the risk of unauthorised access by officers who have left their roles and the exploitation of dormant accounts by malicious actors, said MDDI.
Enhancements have also been made to the government’s Data Loss Protection tool that mitigates the accidental loss of classified or sensitive data from government networks, systems, and devices.
For example, people can no longer see the email addresses of other external recipients if there are more than 30 recipients.
“The government acknowledges that the endeavour to enhance data protection measures is a continuous process,” said MDDI.
“As technology progresses, data security risks and opportunities for mitigation will also evolve. The government remains committed that our policies and initiatives will undergo continuous review to ensure a robust data security regime.”