Safeguards to Ensure Citizen Data Is Not Disclosed to or Processed by Foreign-headquartered Vendors
Ministry of Digital Development and Information
Summary
This question concerns the processing of citizen data by foreign-headquartered vendors and the safeguards against foreign government disclosure demands. Mr Low Wu Yang Andre inquired about protections against extraterritorial laws, such as the US CLOUD Act, specifically regarding proprietary artificial intelligence platforms. Minister of State for Digital Development and Information Ms Jasmin Lau explained that the Government employs a risk-based approach involving technical safeguards like encryption, data non-retention, and identity management. She acknowledged that foreign legislation can override contractual obligations, which is why the Government also relies on governance frameworks to limit the categories of information processed by non-government tools. These measures, alongside data residency requirements and ongoing oversight, ensure that citizen data remains secure while utilizing global technological expertise.
Transcript
82 Mr Low Wu Yang Andre asked the Minister for Digital Development and Information (a) whether the whole-of-Government data architecture permits proprietary artificial intelligence (AI) or data analytics platforms from foreign-headquartered vendors to process citizen data; and (b) if so, what legal and technical safeguards ensure that such data cannot be compelled for disclosure by a foreign government under that government's domestic laws.
The Minister of State for Digital Development and Information (Ms Jasmin Lau) (for the Minister for Digital Development and Information): Mr Speaker, the Government uses best-in-class technology solutions, including those from international vendors, to deliver effective digital services for citizens and to support our public officers' work.
We have established comprehensive safeguards to protect citizen data when working with any vendor. Our risk-based approach ensures that data access is granted strictly on a "needs-basis" following the principle of least privilege. Vendors are expected to implement robust technical safeguards such as non-retention of data, encryption as well as access and identity management. Data residency may also be required, depending on the sensitivity of the data. This is coupled with proper governance frameworks and contractual agreements on how the data can be accessed, used, stored and retained.
These help to prevent vendors from accessing, using or disclosing government data where they are not permitted to do so, including in response to demands from foreign governments.
Our approach combines global expertise, technical safeguards, legal protections and ongoing oversight to ensure that citizen data remains secure. We continuously monitor vendor compliance, conduct regular security assessments and update our frameworks to address emerging risks and maintain public trust.
Mr Speaker: Mr Low.
Mr Low Wu Yang Andre (Non-Constituency Member): I thank the Minister of State for the response. I would like to share that the primary reason for me to ask this Parliamentary Question was driven by concerns I have over a specific vendor, which is Palantir Technologies, which, over the last five years or so, has become the preeminent supplier to governments around the globe of artificial intelligence, data and security solutions.
I am not sure if the Minister of State is at liberty to disclose if we do have any ongoing contracts with Palantir, but I think even if the answer is no, the broader concern remains that overseas legislation like the United States' Clarifying Lawful Overseas Use of Data (CLOUD) Act compels these US-based companies to disclose data in their legal system from foreign countries. Even with data residency in mind, the Act still compels them to disclose this data.
What assurances can the Minister of State give that we will not be subject to such compulsions?
Ms Jasmin Lau: I thank the Member for the question. I understand that the Member may have filed a separate Parliamentary Question on Palantir for the Ministry of Finance (MOF), which I will leave for MOF to answer.
I would like to add that he is right. Legal and contractual agreements aside, the reality is that no matter what legal provisions the contracts may contain, some jurisdictions like, as he mentioned, the US, may have legislation or regulations, including with extraterritorial reach, that empower government agencies to require companies or entities within their jurisdictions to provide certain information. This could include Singapore Government data.
Such legislation or regulations can override contractual obligations. This is why the Government's approach is to rely not solely on contractual provisions, but also on other risk mitigation measures, which I have mentioned, such as technical controls and safeguards as well as governance frameworks, which limit what use cases and categories of information may be used with non-government provided tools and platforms.