Public Sector (Governance) (Amendment) Bill

Order for Second Reading read.

1.40 pm

The Minister of State for Digital Development and Information (Ms Jasmin Lau) (for the Minister of State for Digital Development and Information): Mr Speaker, on behalf of the Minister for Digital Development and Information, I move, “That the Bill be now read a Second time.”

Sir, the Public Sector (Governance) Act (or PSGA) was introduced in 2018. It helped to enable, among other objectives, public agencies to share data safely and purposefully, so that we can serve Singaporeans better.

The vision was simple but powerful: a whole-of-Government approach, where agencies can work together using data responsibly, instead of asking citizens to provide the same information repeatedly or navigate multiple agencies on their own.

Many Members in this House today were present back when the PSGA Bill was discussed in 2018. Thank you to all Members who supported the Bill back then. With your support, today, we have more integrated delivery of public services. About 99% of Government transactions with citizens and businesses are now completed digitally from start to end, enabled by data.

Here are some examples.

Singaporean households automatically qualify for and receive support like U-Save rebates, our favourite Community Development Council (CDC) vouchers and Child LifeSG credits.

Lower-income workers automatically receive salary top-ups from the Workfare Income Supplement Scheme.

Children from lower-income families receive educational bursaries.

And for our seniors, the Majulah package supports their healthcare and retirement, and the Senior Employment Credit supports their employment at the workplace.

Data sharing was also critical during national crises such as COVID-19. When support had to be rolled out quickly and at scale, for example through the Jobs Growth Incentive, the Government could calculate and disburse assistance more efficiently, without placing additional burden on Singaporeans and businesses during this difficult period.

At the same time, the PSGA was never only about enabling data sharing. The data sharing framework included strong safeguards. When the PSGA was debated here in 2018, Members asked for clear rules on data use. These have been put in place. There are clear permitted purposes, controlled access on a need-to-know basis, additional protection for sensitive data and serious consequences for misuse.

We have used the PSGA for eight years. Effectively and safely. When the PSGA Bill was debated in Parliament in 2018, some Members of Parliament (MPs) saw the potential for PSGA to do more. They asked about data sharing with trusted partners, like our social service agencies (SSAs). Back then, we had promised to review this later. And now, we are ready for the next step.

Over time, our public agencies have increasingly partnered trusted organisations outside of the public sector to deliver programmes and reach Singaporeans effectively – especially vulnerable groups where last-mile engagement matters. These include SSAs, community partners and our self-help groups. They have deep networks, cultural understanding and operational presence on the ground. When we work together with them, support can be more targeted, timely and coordinated.

For example, the Ministry of Education (MOE) works with self-help groups, like the Chinese Development Assistance Council, MENDAKI, SINDA and the Eurasian Association. These self-help groups understand their communities well. With access to appropriate student data, they can identify and provide targeted support to specific students in their respective ethnic communities. The data will also help these partners to assess and improve their programmes.

Similarly, the Ministry of Social and Family Development (MSF) works with SG Enable and SSAs to provide an integrated ecosystem of support for persons with disabilities. But for our partnerships to work well, they need relevant data.

The current PSGA does not cover them. Today, public agencies rely on individual consent, common law public interest grounds, or sector-specific legislation. These avenues are not ideal in many real-world situations.

First, external partners cannot identify who to help if we cannot share that information with them. Getting consent means we must first find the people who need help and then ask them for permission. This does not work when external partners should be the first point of contact for hard-to-reach groups.

Second, contact details may be outdated and vulnerable individuals may not respond in time.

Third, in urgent or large-scale situations, we cannot afford delays caused by seeking consent case-by-case.

And lastly, when multiple datasets and partners are involved in coordinated support, the consent route becomes onerous and fragmented.

In all of these situations, relying on consent means that people in need may fall through the cracks and fail to receive timely support. Common law public interest grounds can also be difficult to apply consistently because boundaries are not clearly set out and each case needs extensive assessment.

Take MSF's partnership with SG Enable and SSAs in supporting persons with disabilities as an example. In order for SG Enable and SSAs to support persons with disabilities in areas like employment assistance, training opportunities and referrals to relevant services, they need the relevant data on persons with disabilities from MSF. But MSF found it challenging to establish the legal basis for sharing. So, they went through many rounds of discussions with multiple teams to see if common law public interest applied. To reduce legal uncertainty, these SSAs could only get the addresses of persons with disabilities. They received no other information about disability conditions, needs or demographics.

Without this other information, our partners end up spending extra time and effort re-establishing details during visits to our persons with disabilities and their families. Members in this House may have heard of these realities on the ground. Families in need end up having to repeat their stories and details to many parties who are actually trying to support them.

So, this Bill addresses that gap. It provides a clear legal basis with guardrails for data sharing with our trusted external partners, where it serves legitimate public purposes. Mr Speaker, let me emphasise what this Bill does.

Under the amended PSGA, public agencies are allowed to share data with trusted external partners only when three safeguards are met. These are: (a) having a legitimate purpose for sharing; (b) the arrangement is specifically authorised by a Minister or the Minister's delegate; and (c) the external partner is bound by clear contractual terms of use, including data protection and security requirements.

Let me also emphasise what this Bill does not do. This Bill does not create a free-for-all. It does not override other written law, legal privilege or existing contractual restrictions. It does not authorise data sharing for commercial exploitation, marketing or unrelated purposes. And it does not remove the option for public agencies to rely on consent or other legal avenues where these remain appropriate.

Let me now elaborate on the three safeguards for data sharing.

First, the Bill retains the existing discipline of the PSGA. Clause 3 ensures there is a legitimate purpose for sharing data. Public agencies can only share data for the same public purposes that govern inter-agency sharing today. If a use case does not serve these public objectives, public agencies cannot share the data with external partners under the PSGA. So, for the MSF example I mentioned earlier, the relevant purpose under the PSGA would be well aligned with MSF's mandate to provide support for persons with disabilities. The shared data would help disability SSAs to provide more efficient and targeted support.

Second, each data sharing arrangement with an external partner needs specific authorisation by a Minister or his or her delegate. This is the second safeguard under clause 3. The authorisation must clearly specify what data can be shared, which partner receives it and for what purpose it may be used. This ensures high-level oversight for each and every arrangement. It is not a broad, open-ended permission.

The public agency must assess the partner's ability to fulfil its role and handle data responsibly with proper security protections. Where the partner is unable to meet the required safeguards, the sharing will not proceed.

The third safeguard is ensuring that all external partners are bound by clear Terms of Use that set out how the data is protected and used.

I spoke earlier about the Government's existing internal rules for data protection and security. Currently, public agencies already need to make sure external partners whom they share data with are able to meet these requirements, and are contractually bound to do so.

While public agencies already hold external partners to such requirements, we will provide more specific guidance to ensure consistency across different partnerships. These will include data protection and security requirements, and they will be calibrated to risk.

In other words, this will not be a one-size-fits-all approach. The more sensitive or confidential the data, the higher the safeguards required. This will include tighter access controls and stronger encryption and logging. This ensures that all external partners understand and uphold their responsibility to protect the data and are contractually bound to maintain the necessary safeguards. Where partners, especially smaller organisations, need to strengthen capabilities to meet these requirements, we will work with them so that safeguards are consistently applied.

Mr Speaker, expanded data sharing will mean expanded accountability too. So, this Bill introduces criminal offences for individuals in external organisations.

Today, the Personal Data Protection Act (PDPA) already criminalises individuals' misuse of personal data held by private organisations or public agencies. The PDPA sets out offences for the unauthorised use and disclosure of personal data, and unauthorised re-identification of anonymised information. Clause 8 of this Bill introduces related amendments to the PDPA to ensure that these offences can apply to misuse of shared data by individuals from external partners.

For non-personal data, the Bill introduces new offences for the unauthorised use or disclosure of shared data by individuals within the external partners. Clauses 6 and 7 of the Bill provide for this. With these expanded PSGA offences, individuals in external organisations face the same level of penalties that public officers are currently subject to for misusing shared data.

Together, the PDPA and the PSGA will provide for complementary offences for stronger deterrence against abuse.

Beyond criminal offences, the Government also retains strong and practical levers, such as: (a) enforcement of contractual Terms of Use; (b) tightening of requirements if an incident reveals additional safeguards are necessary; and (c) where appropriate, revoking authorisation and ceasing the data sharing arrangement.

Mr Speaker, the Bill also makes an amendment to the PSGA to clarify and make clear that the current set of public sector purposes specified in the PSGA apply for both data sharing with other public agencies as well as for the public agency's own use. As the latter is not explicitly stated today, this amendment will clarify, to avoid any doubt, that public agencies are permitted to use their own data to work more effectively. This removes unnecessary uncertainty and administrative delay, while maintaining the same discipline. For example, in 2023, MOE had planned a new survey called Parents' Voices. This was to understand parents' views on education policies. MOE already had parents' contact information from student data collected during school admission. As the PSGA was not explicit that the data MOE had could be used for other purposes, MOE spent an extra month checking if this new use met the threshold for public interest or consent exclusions. This was counterintuitive since MOE could already share such data with other public agencies under PSGA purposes.

So, this amendment we are making is aligned with the PSGA's original intent to enable the public sector to use data both across and within public agencies to fulfil their functions.

To be clear, this amendment does not apply to external partners. Each of our use cases with external partners must be specifically authorised by the relevant Minister.

Let me turn to health information specifically. The Government will also be introducing a Health Information Bill (HIB), which will set out a framework governing information contributed to and accessed from the National Electronic Health Record (NEHR). This is particularly for healthcare delivery purposes across the ecosystem of providers.

Both the PSGA and the HIB are complementary Bills. Where public agencies need NEHR data for healthcare purposes, the HIB governs this use. This applies when a public agency performs a healthcare service, such as medical consultations or laboratory tests.

The PSGA will continue to govern data in general, including health information for broader public purposes outside healthcare delivery – for example, de-identified data for policy analysis by other public agencies. The safeguards that I spoke about earlier will apply to such information shared under PSGA. Cybersecurity and data security safeguards matching those under the HIB will be required through the Terms of Use for external partners.

There is one exception relating to the Ministry of Home Affairs (MHA). MHA conducts job fitness and medical examinations to ensure that individuals are suitable for various deployments. Many of these examinations by MHA will access NEHR data under the HIB because they are statutory medical examinations. But some job fitness assessments fall outside the HIB's statutory framework. These include fitness assessments for regular uniformed officers to bear arms or take on more demanding deployments.

NEHR information for such assessments would be shared under the PSGA for public safety reasons. MHA will seek consent from personnel and conduct personal data protection impact assessments. Both requirements cannot be waived without consulting the Ministry of Health (MOH) first.

MOH will be going through the HIB in greater detail later.

Mr Speaker, in my maiden speech in Parliament, I emphasised that digital services must be efficient, inclusive and trusted. Technology must serve people, and not the other way around. The same principle applies to data. We share data because it enables us to serve Singaporeans better. And in doing so, we aim to strike the right balance – making data sharing not just more effective, but safer.

This Bill represents a careful evolution of the PSGA. It extends our data sharing and governance framework that has enabled better services within Government to trusted partnerships beyond Government, all while keeping clear what our purpose is, ensuring that there is high-level oversight, strong safeguards and strong accountability.

The enactment of PSGA in 2018 was a watershed moment. It enabled data across Government to serve citizens under strong governance. With the proposed amendments, we maintain our commitment to protect data, while addressing the reality that effective service delivery requires trusted partnerships beyond public agencies. These amendments will enable vulnerable Singaporeans to receive faster, targeted and more coordinated support, when they need it most. The amendments will create clearer legal pathways for responsible partnerships while maintaining rigorous oversight and accountability.

With Members' support to enhance our data sharing regime, this Bill ensures that data serves citizens more effectively and responsibly. And by working closely with our trusted partners for more responsive and integrated service delivery, we can further improve citizens' lives and uplift those who need help. Mr Speaker, I beg to move.

Question proposed.

Mr Speaker: Mr Sharael Taha.

2.02 pm

Mr Sharael Taha (Pasir Ris-Changi): Thank you, Mr Speaker, Sir. Mr Speaker, when the PSGA was debated in this House in 2018, Members raised thoughtful and legitimate concerns. Much of that debate centred on how to strike the right balance between central oversight and the operational autonomy of Statutory Boards; how to enable effective whole-of-Government coordination; how to provide a clear legal basis for data sharing across agencies; and how to apply governance standards consistently across public bodies.

Members also raised deeper questions that remain relevant today: where accountability sits in an increasingly digital state; how we build a data-driven, yet citizen-centric public service; how we break down agency silos; and how governance frameworks can enable, rather than constrain, our Smart Nation ambitions. At its core, the 2018 debate was about governance and boundaries: managing risk, clarifying authority and ensuring accountability as the public sector transformed.

Eight years on, we can see clearly how the PSGA has enabled many of the milestones set out in the Digital Government Blueprint. Whole-of-Government services, integrated digital platforms and the "once-only" principle are no longer abstract policy aspirations. They are lived realities for our residents and businesses.

We see this in the seamless sharing of information at the backend: whether in the delivery of the Goods and Services Tax Vouchers (GSTV) and Workfare Income Supplement, or in businesses applying for schemes such as the Enabling Employment Credit and Senior Employment Credit to support vulnerable workers, and many more examples shared by Minister of State earlier. These are not just efficiency gains; they translate directly into people receiving help more quickly and with less friction.

For those of us who regularly assist residents with appeals, we also see both how far we have come and where more can still be done. Even today, we sometimes wish for deeper integration, so that residents in need do not have to navigate multiple applications or repeatedly submit the same information. And we can no longer imagine a Public Service where backend systems are fragmented, because we know the administrative inefficiencies this would create and, more importantly, how easily people could fall through the cracks simply because the system was too complex or too burdensome to access.

Singaporeans intuitively understand the value of data sharing when it is used to meet real public needs, whether to deliver services more smoothly or to reduce administrative burden on businesses. But as we scale these capabilities, the central issue before us today is no longer just governance efficiency or administrative accountability. It is about trust.

Trust that data is used responsibly and only for its intended purpose. Trust that it is protected, not misused or manipulated to the disadvantage of individuals or businesses. And critically, trust that can be sustained as data sharing extends beyond direct Government agencies to external partners and ecosystems; introducing, inevitably, more points of vulnerability that must be carefully managed.

This debate marks an important evolution: from managing boundaries within Government, to how we build, safeguard and scale trust in a digital state that increasingly operates beyond its traditional reach.

Mr Speaker, the MPs of the Ministry of Digital Development and Information (MDDI) Government Parliamentary Committee (GPC) stand in support of this important Bill.

Singaporeans recognise the significant benefits that the PSGA has delivered within Government. This Bill seeks to extend those benefits by enabling trusted data sharing with external partners. As we do so, it is essential that we scale securely, protect the data of Singaporeans and hold external partners to the same high standards that Singaporeans rightly expect of the Government.

It is against this backdrop that the MDDI GPC and fellow People's Action Party (PAP) MPs seek clarifications across several key themes. These clarifications are not raised to slow progress, but to ensure that as we extend data sharing beyond direct government control and unlock further benefits for our people and businesses, we continue to uphold the trust that underpins public confidence in our digital systems.

Allow me to briefly outline these themes before elaborating on my own. Firstly, how does the Government determine what data may be shared, and under what circumstances, with external partners? What thresholds, what principles and public-interest considerations must be met before data move beyond the public sector? GPC and PAP MPs Ms Jessica Tan and Mr Henry Kwek will elaborate on this.

Second, the scope of data sharing, particularly in relation to healthcare data. This Bill is being debated ahead of the HIB, which focuses on safeguarding health data for healthcare delivery. The interaction between these two Bills raises important questions on scope, safeguards, accountability and how the amended PSGA interfaces with other legislation governing data use. My fellow GPC Member Ms Choo Pei Ling will address this.

Third, once data-sharing is deemed appropriate, how do we appoint and assess external partners? What capabilities must partners possess before data is entrusted to them and how do we ensure compliance is robust, yet not overly onerous?

In our deliberations, the GPC recognises that there are many types of data; ranging from anonymised and aggregated data, to business and economic, and sensitive data relating to personal data and critical infrastructure. How do we adopt a tiered, risk-based approach that balances control with efficiency? Mr Henry Kwek, Ms Jessica Tan and I will speak further on this.

At the core of this Bill is the objective of delivering public goods better and doing so safely. There could also be a group of partners who have demonstrated a strong track record of delivering positive public outcomes but may need assistance in strengthening their data infrastructure. The GPC will propose supporting such external partners to mature their digital system so that they can continue to serve residents better.

Fourth, governance and oversight. Who approves data sharing arrangements and what safeguards are in place? When data is shared with external partners, how do we ensure transparency on what is shared and the processes it goes through? Mr Yip Hon Weng will share views on this, including proposing possible oversight mechanisms such as reporting or periodic reviews.

Fifth, ongoing cybersecurity assurance once data exchange is operational and protection against cyberattacks. Mr Cai Yinzhou and I will touch on this.

Finally, accountability when things go wrong. As the cybersecurity community often reminds us, it is not a question of if a breach occurs, but when. How are external partners held accountable should a breach occur on their end, particularly in the context of PSGA and PDPA? Ms Jessica Tan and Mr Henry Kwek will address this. Mr Speaker, in Malay, please.

(In Malay): [Please refer to Vernacular Speech.] There have been many benefits brought by the Public Sector (Governance) Act in strengthening the Government's service delivery. This Bill seeks to extend those benefits through data sharing with external partners, namely organisations outside the public sector.

In this endeavour, it is important for us to enhance our capability to share data securely, protect the data of Singaporeans and ensure that the selected external partners comply with the same high standards that citizens expect from the Government.

In this regard, the MDDI Government Parliamentary Committee (GPC), together with the People's Action Party (PAP) Members of Parliament, seek several important clarifications. These clarifications are not intended to slow progress, but to ensure that when data sharing is extended beyond direct Government control, we continue to uphold public trust in our digital systems, while further enhancing its benefits to citizens and businesses.

The core of this discussion is not merely about data or systems, but about people's lives. It is about how data is used to facilitate transactions for Singaporeans, expedite assistance to those in need and ensure no one is left behind – while at the same time, allowing us to safeguard the security, privacy and trust that citizens have placed upon us.

(In English): Mr Speaker, allow me to elaborate on my own clarifications. First, on assessing the readiness and capability of external partners entrusted with public data.

Within Government, agencies are required to meet established standards such as Instruction Manual 8 (IM8) compliance, secure hosting environments, robust incident-response capabilities and many others and these are regularly audited. As we extend data sharing to external partners, what equivalent standards will be required of them?

In particular, I seek clarification on the standards that will be imposed; the audit rights Government will retain and the intended audit regime or frequency; whether partners will be assessed through self-declaration, pre-project assessments, or ongoing assurance; on how risks arising from subcontractors engaged by these partners will be managed; and how liability and breach accountability will be clearly structured in contractual terms.

Which brings me to my second point: data classification and proportionality. Information technology (IT) practitioners will recognise that the safest way to manage risk in this scenario is, in theory, not to allow data sharing at all. But the clear benefits of responsible data sharing; seen in schemes such as GSTV, Workfare and employment credits, and all the examples cited by Minister of State Jasmin Lau earlier, show that this is not a tenable position today.

Avoiding risk entirely comes at a real cost to citizens. Our residents have asked for greater integration across Government services, and our lived experience in assisting with appeals shows both how far we have come and how much more we can still do to make lives better for our people and businesses.

That said, not all data carries the same level of risk. Some data may be aggregated or anonymised; some may involve businesses or economic information; and other data may involve personal information or touch on critical infrastructure. Can there be differentiated standards based on the classification and sensitivity of data shared?

A risk-based, tiered approach; matching partner requirements to the nature of the data, could reduce unnecessary burden on partners while maintaining strong safeguards, and allow our data sharing ecosystem to remain nimble and responsive. At the same time, while standards, audits and controls are necessary when data is shared with external partners, they must be implemented in a way that is administratively efficient and not overly onerous, while still meeting the intent of safeguarding data. And most importantly, this framework must be operationally resourced. Assurance cannot rest solely on self-declaration, especially when dealing with sensitive data. It must be supported by credible, enforceable oversight that keeps pace with the scale and the sensitivity of data sharing.

Third, on partners that deliver strong public outcomes but may lack the digital maturity. We must not lose sight that the ultimate objective of this Bill is to deliver strong public outcomes. Some social service organisations, for example, are exceptionally effective at engaging vulnerable seniors or families in need; yet, may not have the resource or technical capability to immediately meet stringent digital standards. Their digital limitations should not diminish their ability to deliver public good, nor risk unintentionally excluding those who need help most.

In this regard, I seek clarification on whether the Government would consider providing support through targeted funding or capability-building programmes to help such partners strengthen their digital resilience. As we approach the Budget period, this may be a timely area for consideration, ensuring that trust and inclusion advance together.

Fourth, on data retention and disposal. I seek clarification on how long external partners may retain this data shared, how proper care, retention and eventual secure deletion of data would be enforced, whether responsibility for ensuring data wiping rests with the individual Ministries or centrally and whether Ministries are adequately resourced to manage these audit trails over time.

Mr Speaker, in the context of extending data sharing beyond direct government control, the key policy question is not whether standards exist. They clearly do. The question before us is how equivalence is assured, how compliance is enforced and how accountability is maintained when trust is delegated. These clarifications are intended to ensure that we scale data sharing not just efficiently, but responsibly – delivering the best public good while safeguarding the data, privacy and trust of Singaporeans. Mr Speaker, Sir, I stand in support of the Bill.

Mr Speaker: Ms He Ting Ru.

2.17 pm

Ms He Ting Ru (Sengkang): Mr Speaker, today, public services are delivered by community partners, SSAs and even private contractors. And we agree that it is important that data is available, where needed, to ensure that public services are allowed to reach as wide an audience as possible and to enable agencies to get assistance to vulnerable groups.

Ultimately, data empowers policy-making that is more responsive to the needs of a diverse population. Thus, we do agree that data must be accessible to entities and partners in order to achieve this, and that data be used to enable better delivery of public services.

However, the question before us today is not simply whether data should be shared or used. It is also about how power over the sharing and use of data is governed and what guardrails are in place where such power is exercised. We also would benefit from having express channels of recourse known and accessible widely that would come into play, if and when mistakes occur from misuse or abuse of data.

The Bill before us today moves us from a framework that, on the whole, allowed data to be shared between public agencies and subject to rules and regulations about such sharing and use, to one which expands the sharing of data expressly authorising: one, the use of data; two, the sharing of data with non-public sector persons; and three, even the re-identification of previously anonymised information – all through Ministerial directions and further authorisations, that is, data sharing and use directions given by a Minister.

Such a shift from a more rule-based model of data governance to one that relies more heavily on executive decision and ultimately, discretion, should be founded in necessity. While we do not automatically disagree with this shift in principle, the public should understand why this change is being proposed and why now.

In this regard, I understand that there will be grounds and limited instances in which data will be shared. However, for a full understanding of the difficulties faced, could the Minister clarify, in the last five years, how many times have agencies run into difficulties in providing necessary services to the community? And from these examples, can the Minister articulate the common characteristics that would indicate when Ministerial discretion was warranted? And will these characterisations be codified as guidance for future authorisations?

Had the agencies previously attempted other approaches, such as, for example, for persons with disabilities and their families attempting to gain consent upfront from affected individuals to share the full suite of data to community partners, which are not public agencies, in order to better provide services?

As I said earlier, allowing sharing to be made subject to a Minister's discretion is not automatically wrong. In a complex system with many moving parts, it is probably often necessary. But as with all our governance institutions, executive discretion has to be bounded, reviewable and transparent, especially when it concerns citizens' data. This is even more so when that data is highly sensitive. I need not remind everyone that data is king, given that we live in a world of scams, impersonation, data theft and identity theft, now enhanced by generative and exponentially improving artificial intelligence.

Under the proposed amendments to this Bill, Ministers will be able to issue data sharing and use directions, and be allowed to further authorise sharing of data with non-public sector persons. While it is provided for in the Bill that directions must not be inconsistent with written law or to impede independently statutory functions, it is not clear to me how these limits will operate in practice under the expanded scope proposed by the Bill. It is not about ascribing nefarious intentions to current officeholders. It is about the institutional design and guardrails that need to be built around such powers to be granted.

Could the Minister thus clarify, what would be the oversight mechanisms to be applied in ensuring that a direction is not overly broad nor made erroneously? What recourse exists if a decision is later found to be erroneous or disproportionate? It is also foreseeable that the proposed amendments could have implications beyond personal data. Any number of businesses now exist that attempt to commercialise personal data that is collected before attempting to monetise these data, whether through outright sale of such datasets, targeted advertising or using it to craft more commercially competitive strategies.

Additionally, public or agencies also often hold commercially sensitive information, proprietary business data or intellectual property belonging to firms that engage with the public sector. It is not inconceivable that personal data, especially when aggregated is, by its nature, valuable, especially when dealing in instances, such as the people sector.

While the Bill criminalises unauthorised disclosure or misuse of disclosed data by employees of external parties, this does not fully address the risk of legitimate but unintended commercial or anti-competitive effects. This could take the form of an external contractor gaining access to sensitive data about a competitor when data is shared legitimately under a broad authorisation to do so.

Could the Minister thus clarify about whether and how the proposed data sharing and use directions will explicitly require consideration and evaluation of data that could be commercially sensitive? Would there be clear expectations to exclude, anonymise or otherwise protect such information by default? Could the Minister also clarify when issuing a data sharing direction, what specific factors must be evaluated? For instance, must the Minister assess the sensitivity classification of the data, the proportionality between privacy, intrusion and public benefit, whether less intrusive alternatives exist and the data recipients' security posture, and are these factors documented in writing for each authorisation?

For example, Saudi Arabia recently issued rules for secondary use of data, which establishes a framework for sharing data beyond its original collection for public interest, research and innovation. Those rules explicitly state, for instance, that the data sharing entity reserves the right to incorporate provisions concerning intellectual property rights and commercial confidentiality within the usage licence.

I would like to turn to the provisions giving express power to re-identify anonymise information. While the Bill emphasises that PDPA obligations continue to apply and that criminal penalties extend to non-public sector recipients, citizens may wonder what are the explicit safeguards or channels of recourse they have to protect their privacy. This is especially in the instance where the data is highly sensitive, such as personal or family medical records. Can the Minister thus clarify: one, what instances would lead to re-identification; two, what avenues exists to raise concerns; three, how will breaches by non-public sector persons be communicated, particularly to affected citizens; and four, how can individuals seek redress in this system that has an increasing number of third-party partners or contractors?

Redress should not only be about fines or punishment. Clear, accessible pathways for recourse are essential to maintaining public trust as data flows become more complex. Once sensitive personal data is leaked, it could potentially compromise a person's financial situation, access to key services and those of their family as well. It could affect the financial, commercial and competitive position of a firm. Should serious data breaches occur and recourse be difficult, that could undermine that very public trust that the Bill rests upon and which the Singapore system has painstakingly built up over decades.

Mr Speaker, to conclude, I am not arguing against using data to govern better nor against using data to strengthen partnerships with the community or private sector. However, I hope that as we expand the executive's discretion about the use of our data out of necessity, we strengthen rather than dilute the governance framework around these increased powers.

Thus, could the Minister consider, first, how Parliament can be kept updated and meaningfully informed about the use of these powers. Second, how Singaporeans can have clearer avenues for recourse. And finally, how can commercial and personal sensitive information be more explicitly safeguarded, even if the use and sharing of such data is subject to Ministerial discretion. This could take the form of including data sharing, breaches, remedies and vulnerabilities, and efforts to strengthen procedures.

We must also have clearer rules and principles that must be applied when Ministerial directions are made for the sharing of data with information about the avenues available to the public to seek redress should their sensitive personal data be misused or even leaked. While we improve our data systems to better communicate and implement policies to better serve Singaporeans, let us ensure that we continue to have measures in place to protect and safeguard sensitive data in order for them to have trust in the institutions that are ultimately meant to be there to serve and support them.

Mr Speaker: Ms Jessica Tan.

2.27 pm

Ms Jessica Tan Soon Neo (East Coast): Mr Speaker, I rise in support of the Public Sector Governance (Amendment) Bill. Since its introduction in 2018, the PSGA has strengthened the way Government agencies work together, especially in how they share and use data. This makes a real and meaningful difference to Singaporeans. When agencies can exchange information safely and responsibly, families in need can receive help more quickly, agencies can plan interventions and reduce duplications, eligibility checks for support schemes do not require applications, for example, the GSTV, healthcare subsidies and the Silver Support Scheme, and businesses experience smoother, more coordinated support. The Act also makes clear that data is shared only for genuine public interest purposes and always with strong safeguards.

The Public Sector Governance (Amendment) Bill we are debating today seeks to update PSGA so that the Government agencies can share data with trusted external partners, with the right safeguards in place. This will help deliver services to the public more effectively and seamlessly.

But as we discuss the Public Sector Governance (Amendment) Bill, I want to focus on a set of practical questions that matter to Singaporeans: how will the Government agency decide when data can be shared with external partners? What documentation is required? How will approvals be managed? And how do we ensure that every external partner entrusted with public sector data is truly capable of protecting it?

These questions are at the core of public trust. Singaporeans expect that when their information is shared across agencies or with external partners who help deliver public services, that it is done with care, transparently and only when it genuinely serves the public interest.

So, how will the Government agency decide when data can be shared with external partners?

Under the amendment Bill, any sharing of data with external partners must still be tied to the same seven public interest purposes set out in PSGA. What this means is that data cannot be shared just because it is convenient or efficient for agencies. It must clearly support a real public need – whether that is helping residents receive services more smoothly, ensuring essential functions continue during disruptions or strengthening the stewardship of public funds, or enabling agencies to work together to solve complex problems.

At its heart, the principle is simple: data should only be shared when it genuinely benefits people, is appropriate for the situation and is backed by a strong public interest reason.

But purpose alone is not enough. We also need strong documentation because every decision to share data ultimately affects real people.

Under the amendment Bill, any sharing with external partners must be backed by a Ministerial direction. If the partner is outside the public sector, an additional layer of authorisation is required. This two-tier structure ensures that agencies spell out clearly why the data is needed, what exactly will be shared, what safeguards must be in place and who is accountable.

This is important and I am glad that the Bill specifies this because it creates a transparent audit trail that shows not just what is to be shared but why, with whom and under what conditions? Most importantly, it ensures that these decisions are not made quietly or casually at an operational level. They are reviewed and approved at the right level of leadership, with clear responsibility for protecting the trust Singaporeans have placed with the Government.

Finally, we must ask a simple but important question – how do we know that an external partner can be trusted to handle public sector data with the same care and responsibility that Singaporeans expect from Government agencies?

The public sector operates under stricter rules for managing government data while external partners are governed by the PDPA. The amendment Bill addresses the gap without adding unnecessary compliance burdens for partners, requiring external partners who receive public sector data to be held to the same criminal penalties as public officers if they misuse it, whether through unauthorised disclosure, improper use or re-identifying anonymised information without approval.

These offences carry the same penalties already set out in the PSGA, which are fines of up to $5,000, imprisonment of up to two years, or both. This ensures that anyone who is entrusted with public data is held to the same legal standard of responsibility and protection.

But I must stress that penalties alone do not remove risks. We need assurance that partners have the right systems, training and safeguards in place before any data is shared. As more public services are delivered through digital platforms, vendor systems and community partners, one thing has become very clear – data protection cannot rely on the good intentions of individuals alone. Most incidents do not just happen because someone acted maliciously. They can happen because a system was not designed well, a process was unclear or an organisation did not invest in the right safeguards. In other words, the risks today are increasingly systemic, not just personal.

So, the question for every agency that intends to share data is – how is an external partner assessed beyond just checking for compliance on paper?

I am glad to hear the Minister of State say in her speech that before sharing data, agencies are responsible for assessing whether each partner has the systems, processes and competencies to handle Government data securely. I would suggest and would like to ask if the agencies are also required to conduct regular audits to confirm that the obligations in the Ministerial directions are being met in practice throughout the partnership.

It means understanding their partners' technical safeguards, their governance structure, their staff training, their incident response processes and their ability to meet the conditions set out in the Ministerial direction. It means ensuring that they can protect data not just in theory, but in practice, day to day, across their systems and across their teams. Ultimately, this is about protecting the trust that Singaporeans place in our public institutions.

This is not about duplicating the PDPA, which already governs private sector data practice. What I am suggesting is not imposing additional burdens. But I suggest that perhaps we consider not imposing a one‑size‑fits‑all data security burden – I believe the Minister of State did touch on this point – but perhaps that agencies could adopt a risk‑based approach that looks at higher‑risk data flows, undergoing deeper technical assessments, and at lower‑risk or time‑limited projects with a lighter touch.

What matters is that every partner can show that their system works in practice, not just on paper. Where appropriate, agencies can also recognise independent certifications or existing audits rather than duplicating effort. I want to stress again that the intent is not to add burden to our partners because we want their services to be delivered. But we have to find that balance of how to ensure that this is done securely.

At the end of the day, the intent of the PSGA is not to prevent the use of data but how to use it securely. With all these measures, I think we can also recognise that it is not going to take risk away completely. What it is, is to look at how we can minimise or prevent data breaches. Because once a data breach happens, the damage is already done.

We must remember that at the heart of the Bill is a simple promise – that when Singaporeans share their information, that their trust will be honoured. To make this real, public agencies and partners must treat data as a shared, ongoing responsibility. This means building a culture where leaders set clear expectations, staff are trained and supported, and systems are regularly tested and improved. It means learning from incidents, not hiding them. It means working closely with partners to close gaps early rather than waiting for problems to surface.

When agencies and external organisations take that proactive approach and put the safeguards in place, the safeguards in the PSGA then become safeguards in practice rather than just on paper, serving Singaporeans effectively and giving Singaporeans confidence that their information is protected every day. Mr Speaker, I support the Bill.

Mr Speaker: Mr Kenneth Tiong.

2.38 pm

Mr Kenneth Tiong Boon Kiat (Aljunied): Mr Speaker, I support the PSGA. But I would like to place some significant concerns on the record.

Let me begin with a story this House knows well. In January 2021, Singaporeans learned that Police had access to TraceTogether data under the Criminal Procedure Code. This contradicted earlier assurances that the data was "purely for contact tracing, period".

The then-Minister in-charge of the Smart Nation acknowledged he had been blindsided. He had not considered existing laws when making those assurances.

The backlash was significant not because Singaporeans opposed law enforcement but because they felt misled about how their data would be used. The backlash led to the expedited passage in February 2021 of the COVID-19 (Temporary Measures) (Amendment) Bill restricting access to seven serious offence categories.

The lesson is that trust must be built through demonstrably robust processes. Once faith in a data sharing framework is broken, it is expensive to rebuild.

I raise this because the Bill before us creates a new framework for sharing citizen data, this time, with private entities. The question is whether we have learnt from the TraceTogether episode.

The original PSGA passed in 2018 allowed Government agencies to share data with one another under Ministerial direction. This amendment expands that framework significantly. Data can now flow to private companies, contractors and vendors, and introduces a power to re-identify anonymised information.

Mr Speaker, of course, data sharing creates value. Examples abound, like the Social Service Net. When MSF shares client data with family service centres and voluntary welfare organisations (VWOs), we see coordinated assistance and faster assessments.

But this Bill creates a fundamental asymmetry. The Government gains the capability to share any data with any private entity. Private entities gain access to Government health data. And what do citizens gain?

Under this Bill, a citizen has no right to know when their data is shared with a private company, no mechanism to find out which companies hold their data and no way to ensure they benefit from the value that data creates.

TraceTogether failed on transparency. Citizens did not know Police could access their data. Why risk the same failure mode again with this Bill on a larger scale, with more actors, including those outside the Government, and less visibility?

If this Bill expands what the Government can do with citizen data, should it not also expand what citizens can do to track, to benefit from and to govern that sharing?

Mr Speaker, I ask for three commitments that would complete this framework.

One, a public register. All data sharing directions issued to private entities should be published – the categories of data shared, the recipient, the purpose, the duration. This is not a per transaction notification. It is the disclosure of Ministerial directions made in small numbers.

Australia's Data Availability and Transparency Act 2022 includes such a register. It creates accountability without undue operational burden.

TraceTogether's problem was that citizens could not know how their data was used – and a register solves this. So, question one: would the Government commit to publishing a register of all data sharing directions issued to private entities?

Secondly, citizen benefits. When data flows from the Government to the private sector, it creates value for those two players. Agencies gain efficiency. Private entities gain data access and improve their services.

What is the mechanism ensuring citizens share in that value? I mean concrete improvements: service quality guarantees, cost reductions passed to users, transparency about outcomes and also something I believe in, which is benefit sharing from any future possible monetisation of their data. So, question two: what benefits will Singaporean citizens see from this framework? How would these be tracked and reported? And will there be any part of the Government that advocates directly for citizens gaining a share of these data benefits?

Thirdly, public review. The original PSGA allowed sharing between Government agencies. This amendment opens the door to the private sector powers of a different order.

Australia's framework includes a review that "must start by and be completed within 12 months or a longer period agreed by the Minister of the third anniversary of the commencement of this Act". This is a sound legislative principle. The grant of novel powers should have built-in moments for reassessment.

The backlash to TraceTogether led to emergency legislation limiting Police access. Would it not be better to commit to a review now, than to legislate in the possible crisis of confidence later? So, question three: would the Minister commit to a formal public review within five years, including the directions issued, the data shared and whether the safeguards have been adequate?

Mr Speaker, beyond these three asks, I wish to flag two concerns about organisational accountability.

Firstly, a data governance gap. The public consultation promised robust safeguards through data governance requirements on external partners – I quote, "requirements similar to what public sector agencies have to meet".

What does the Bill deliver? Individual criminal liability for employees who misuse data.

What does the Bill not deliver? Any organisational requirements. No security certification, no audit trails, no breach notification duties.

So, question four: where are the data governance requirements promised in the consultation? And if they are to come by regulation or procurement contract terms, will the Ministry commit to that today?

Secondly, a liability gap for non-personal data. Under PDPA, for data breaches involving personal data, organisations face financial penalties of up to 10% of their annual turnover. Individuals also face liability.

Under this Bill, for non-personal data shared with private entities, only individual employees can be prosecuted. If an organisation systematically exploits non-personal Government data beyond its authorised purpose, the entity that designed the business model and profited, faces no direct liability.

Accountability must reach the benefiting entity. If organisations can profit from misuse while only individuals bear risk, the incentive structure is incorrect. So, question five: will the Government commit to organisational accountability mechanisms, especially for non-personal data which is not covered by PDPA? And why has it not chosen to hold organisations accountable here?

Mr Speaker, I am on the whole supportive of the Bills enabling data sharing with private sector actors. In any case, deeper public-private collaboration is inevitable. Data will flow to where it creates value.

But we should learn the lessons of TraceTogether. TraceTogether taught us that non-transparency about data sharing has costs. This Bill should learn that lesson. Transparency is what makes data sharing sustainable in the long term. So, we will continue to ask for three commitments: a public register, a mechanism to track and report citizen benefit, and a formal review within five years. And I have flagged two gaps in organisational accountability that should be addressed. I trust that the points collectively raised today will spare us a future blindsiding. Thank you, Mr Speaker.

Mr Speaker: Dr Choo Pei Ling.

2.46 pm

Dr Choo Pei Ling (Chua Chu Kang): Mr Speaker, I rise to speak on the Public Sector (Governance) (Amendment) Bill, with particular focus on its interaction with the forthcoming HIB, and the implications of health data being used by public sector agencies and external partners for non-health purposes.

The PSGA establishes the overarching framework for data governance across public agencies, including provisions for sharing health data beyond clinical care – for policy planning, service delivery and community outreach. In contrast, the HIB is designed to safeguard health data primarily for healthcare delivery. The intersection of these two regimes raises important questions about scope, safeguards and accountability.

The foremost concern among Singaporeans is the extent to which sensitive health data will be shared under the PSGA and whether safeguards are sufficiently robust to prevent misuse. Residents want assurance that their most personal information – medical histories, disabilities, mental health records – will not be casually accessed or repurposed.

The Government has rightly identified legitimate scenarios. For instance MSF may share health risk indicators and demographic data with SG Enable and SSAs to proactively reach out to people with disabilities for job-matching and to our seniors for caregiver support. Such proactive outreach is commendable – it improves lives, strengthens preventive care and ensures that vulnerable groups are not left behind.

Yet, these examples also underscore the sensitivity of health data being used for social policy, community outreach and service coordination. The line between beneficial use and overreach must be carefully guarded.

The Bill provides three layers of safeguards for data sharing with external partners – Ministerial authorisation, terms of use which impose data protection requirements and criminal penalties for misuse. The general concern is execution – how usage and safeguards are implemented on the ground. Safeguards on paper must translate into practice. Are agencies sufficiently resourced with trained personnel, secure infrastructure and modern cybersecurity tools to enforce these safeguards? We seek the Government’s assurance that appropriate funding and resources are allocated for talent, hardware and software.

A particularly sensitive area involves requests for health information by public sector agencies for employment or insurance purposes. It is comforting to know that when public sector agencies request health information from MOH for employment or insurance purposes under PSGA, they must first seek consent from individuals and conduct a Personal Data Protection Impact Assessment. These requirements cannot be waived without consulting MOH. This is essential.

The HIB prohibits NEHR access for employment or insurance purposes to prevent discrimination. It would undermine public trust if agencies could bypass this by requesting the same information under PSGA.

I note that the Bill requires individual consent and a Personal Data Protection Impact Assessment for such requests, with MOH oversight. These are critical backstops. But I urge the Government to go further – commit that such requests will be rare and exceptional, subject them to close scrutiny and independent review, and publish annual reports detailing the number and nature of such requests to ensure transparency and accountability.

To further enhance trust, I propose that the Government jointly maintain a public register of all use cases where health data has been shared under PSGA for non-health purposes. The register should specify the authorising Minister, the external partner, the general purpose and the categories of data shared, without disclosing sensitive operational details. Such a register, updated regularly, would reassure Singaporeans that health data sharing beyond healthcare delivery is tightly controlled, exceptional and subject to public oversight.

On future-proofing safeguards, could Singapore explore privacy-preserving technologies, such as anonymisation, differential privacy or federated learning, to enable data-driven insights without exposing raw health records? These technologies are increasingly adopted worldwide to balance innovation with privacy.

The PSGA amendments empower the Government to partner effectively with community organisations for public benefit. With robust safeguards – Ministerial authorisation, cybersecurity requirements, criminal penalties and mandatory consent for sensitive uses – health data can, indeed, be shared responsibly where genuine public interest exists. But transparency, accountability and public trust must remain at the heart of this framework. I support this Bill.

Mr Speaker: Mr Henry Kwek.

2.52 pm

Mr Kwek Hian Chuan Henry (Kebun Baru): Mr Speaker, Sir, I rise in support of this amendment Bill. At its core, this Bill strengthens the Government’s ability to deliver help that is effective, timely and dignified. In practice, the Government does not serve Singaporeans alone. It works with social service agencies and community partners to deliver care with empathy. It also works with the private sector to deliver services efficiently and at scale. And to do this well, it often needs to pull together the right facts from different sources, so that those who need help most can receive the right support quickly and in a coordinated way.

But we also know the challenge. Information does not always flow smoothly sometimes across agencies and often between Government and trusted partners.

Many of us in Parliament see the consequences when we help our residents in their appeals. Some residents must submit the same documents multiple times. Some must repeat the same details again. Some must recount painful parts of their story more than once before support can be put together. Not everybody can navigate the system with ease. And some do fall through the cracks, not because officers or partners do not care, but because the right information needs time to gather for the right persons to act. And that is why I support this Bill and its direction.

It is a practical step forward from the status quo and it aims to strike a better balance between service delivery, privacy and security. And it recognises a simple truth – data sharing must not be driven by convenience. It must be controlled, accountable and safe, especially when we share data with external partners.

Because this Bill will has wide impact, I have three questions.

First, can the Minister of State share a range of concrete examples across the Government of how this Bill will improve outcomes for Singaporeans beyond what she has shared earlier? Examples that show better support for those who need social and financial assistance, better coordination across services and stronger outreach, especially for seniors, preventive care and active ageing. Some examples may be immediate, others longer-term, but it will help us understand and have a clearer sense of the early priorities and aspirations and how the Government fully intends to tap this Bill to better our people’s lives.

Second, the Government works with many partners of different sizes and capabilities. What are the key principles for deciding what to share, with whom and how much? How will the Government ensure purpose limitation and data minimisation is done, so that we share what is needed and not more than what is needed, and not longer than what is needed? And where strategic partners need this information to serve residents well but lack capability, how will the Government help level them up?

Therefore, I call for the Government to provide common frameworks, grants, training, shared platforms and secure ways for partners to plug in, so that all partners, even the smaller ones, can meet the requirements without being overwhelmed.

Third, on cybersecurity. Singaporeans expect data to be safeguarded well and we also expect strong consequences for misuse. At the same time, threats are becoming more sophisticated and even well-run organisations can be targeted by persistent attacks or malware.

While we must keep the bar high and always learn from past mistakes, we must also avoid swinging to the other extreme, setting requirements or consequences so onerous that capable partners hesitate to work with the Government. We must also guard against the Public Service getting excessively risk averse that they do not even want to share even with this expanded framework and therefore, lose the chance to serve our people better.

With that in mind, I would like to ask the Minister of State the Government’s approach to setting cybersecurity expectations that are robust but also clear and workable across different partners? For example, what is the baseline standard for all partners and what higher standards must apply for more sensitive data and what support will be given to help partners meet these standards?

And the next point, and an important point, if a serious incident happens despite reasonable safeguards by these partners, given how widespread cybersecurity breaches are globally, how will the Government assess responsibility in a way that is fair, firm and predictable so that our partners have clarity and confidence to work with us?

Mr Speaker, Sir, this Bill reduces friction for our residents, strengthens trust and helps our ecosystem of partners serve Singaporeans more seamlessly, while keeping safeguards. I also hope the Government will take this chance to engage partners closely as implementation begins, so that the safeguards are not just strong on paper but also workable in practice. With that, I support the Bill.

Mr Speaker: Mr Cai Yinzhou.

2.58 pm

Mr Cai Yinzhou (Bishan-Toa Payoh): Mr Speaker, Sir, I rise in support for the amendments to the Public Sector (Governance) (Amendment) Bill.

As Minister of State Jasmin Lau shared, I note that in tandem with the HIB, the Public Service (Governance) Bill complements and allows the Government to deliver better social services to Singaporeans nationwide, by permitting public agencies to share and use data across agencies, as well as with non-public sector partners. With the appropriate safeguards to prevent misuse, this amendment Bill will enable targeted and effective delivery of social services to those who need it the most.

My Toa Payoh Central residents, with a significant elderly population, is supported by various social service providers, such as Care Corner, TOUCH, Dementia Singapore, NTUC Health, People’s Association, as well as many other local community healthcare services and organisations. Non-public social service providers would benefit from greater collaboration and information-sharing with the public sector agencies serving the same community needs.

Similar to how schemes like the Housing and Development Board Flat Eligibility process and ComCare financial assistance require pulling of data from various sources, I agree that the enhancements will allow for timely access in delivering support and ensuring that no one is left behind.

In order to better enable the delivery of social services to our communities, I have two points of clarifications for the Minister’s consideration.

First, I would like to ask the Minister to clarify what safeguards will be put in place to ensure that data shared with non-public sector organisations is safe from malicious third-party cyberattacks and data breaches.

We live in a day and age where no organisation is safe from cyberattacks, including our social service providers and charitable organisations. For example, in May 2019, more than 4,000 individuals had their personal information leaked after part of the reputable blood donation organisation’s website was hacked. Personal names, contact numbers, email addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations were compromised.

According to the Singapore Cybersecurity Health Report in 2023, which surveyed more than 2,000 small, medium and large organisations in Singapore, over eight in 10 organisations encountered a cybersecurity incident that year.

As hackers use sophisticated techniques to evade detection, they lurk in networks to spy over the long term, to steal sensitive information or disrupt essential services, among other objectives. Therefore, my question is, how will external partners be expected to keep up and maintain safeguards, before they can receive shared data from public agencies?

Whether in the form of encryption standards or increased incident response capabilities, how regularly would these safeguards be reviewed? Risk profiles and ownership may change over time as organisations change systems, employees or subcontractors. Regular audits and reviews of the cybersecurity capabilities of external partners would ensure a safe and secure transfer of data between the public and non-public sectors. And I am sure what many SSAs will also want to know is the details of the terms of funding, which will be allocated specifically for beefing up of their IT infrastructure.

Secondly, I would like to ask whether the Ministry will consider introducing financial penalties against non-public sector organisations which have misused data shared under this Act. The amendment currently states that it is an offence for organisations to carry out improper disclosure or use of data/information by individual employees or officers of non-public sector organisations.

Individual accountability is important, especially in cases where a single individual or a small group of individuals may be directly responsible for the misuse of shared data. However, in other data incidents, responsibility is unable to be traced back to one single employee. The failure may be organisational, for example, due to weak internal controls, poor access governance or inadequate training.

In those cases, it is especially important for a strong framework of organisational liability to exist, to ensure that liability can be correctly attributed to a wider variety of situations. For example, under the PDPA, the Personal Data Protection Commission can impose financial penalties against an organisation for intentional or negligent contraventions of PDPA.

I would like to clarify whether the Ministry intends to look into imposing similar financial penalties on organisations who have contravened data sharing and use directions issued under PSGA. This may be necessary considering the sensitivity of the information shared by the Government with non-public entities.

Mr Speaker, Sir, in conclusion, I strongly support this amendment's efforts in further facilitating information sharing in a protected manner, ensuring that our Government's efforts will be better able to support Singaporeans nationwide. These additional measures will ensure that the public continues entrusting personal data to the Government and, by extension, its external partners, upholding its commitment to data security. Notwithstanding these clarifications, I support this amendment Bill.

Mr Speaker: Mr Yip Hon Weng.

3.04 pm

Mr Yip Hon Weng (Yio Chu Kang): Mr Speaker, Sir, data is often described as the new oil. Today, I want to frame it differently. I want to speak of data as eyesight, the visibility that allows the Government to see what is happening in people's lives, especially at the margins.

When the Government holds data but cannot share it effectively with trusted partners on the ground, it becomes partially blind. When the system cannot see clearly, it is not policy that fails first. It is people, especially the vulnerable, who fall through the cracks. This Bill seeks to address that blind spot by enabling responsible data sharing beyond the public sector. While I support this move, it raises fundamental questions about agency, accountability, safeguards, transparency and trust. I have several clarifications.

Mr Speaker, Sir, my first concern is individual agency, viewed from the lived experience of a resident.

Under the amended sections 4(5) to 4(8), a public agency may share information with non-public sector persons only with further authorisation from the Minister. Even after sharing, the public agency remains the controller under PDPA. These are sound legal constructs. But for residents, these are invisible. Legal control does not always translate into felt control.

I acknowledge that consent is often not practicable, especially when data is needed urgently to identify those in need. However, urgency is not a licence for opacity. While agencies may not know every future downstream collaborator, the Bill rightly requires them to specify the external partners, purpose and scope. If an agency does not know who it is sharing with, it should not share at all.

From a resident's perspective, consent is not merely a checkbox. It is a signal of dignity. When consent cannot be the default, what replaces it as a reassurance? When a resident walks into a Family Service Centre, they experience the system as one whole. They do not distinguish between a Ministry, a charity or a contractor. Yet under this Bill, their data may flow across all these actors.

Will residents be told clearly, plainly and at the right time, that their information is being shared? When something goes wrong, will they know whom to turn to first, instead of being bounced between agencies? Furthermore, not all data sharing is life critical, some are for administrative convenience. In such cases, will residents have a practical way to express discomfort? The Bill provides no opt-out, so reassurance must come from transparency and restraint, not silence. Efficiency matters, but it must never eclipse agency.

Mr Speaker, Sir, my second concern is the explicit authorisation to re-identify anonymised data under amended sections 4(5)(d) and 6(1)(d).

For many residents, "anonymisation" is understood as a permanent promise. The idea that it can be reversed, even lawfully, feels unsettling. Re-identification is a powerful tool. Used well, it can help agencies identify unmet needs. Used poorly, it erodes trust.

I ask four questions. First, on communication. How will the Government explain that anonymisation is not an absolute state, but one that may be reversed under tightly authorised circumstances? Residents must understand this is not casual.

Second, on ethical boundaries. Will there be clearly articulated "no-go zones"? Can the Minister assure us that re-identified data will never be used for predictive scoring affecting access to housing, insurance, loans or employment?

Third, on oversight. Ministerial approval is a high bar, but for large cohorts or sensitive data, should there be independent ethical review, similar to health research purposes? Fourth, on purpose limitation. Re-identification must exist to help people, to connect dots for protection, never to label or stigmatise.

I also note that data should be retained only for as long as needed. Purpose completion should trigger deletion, not secondary utility. Why should anonymised datasets continue to be held by external partners once the authorised purpose is complete?

Mr Speaker, Sir, my third concern is accountability. Under the Bill, sharing with non-public sector persons requires Ministerial authorisation, which may be delegated. This use case specific model supports agility, but delegation raises a simple question: where does the buck stop?

First, who may be a delegate? How many layers of delegation are envisaged? Transparency matters because delegation should not dilute responsibility. Second, would it be more robust to have high-risk or large-scale decisions reviewed by a small standing board rather than a single official? Third, could the Government consider maintaining an auditable register of future authorisations, with anonymised statistics published annually? Trust grows when systems can be verified, not merely asserted.

Mr Speaker, Sir, my fourth concern regards to safeguards as data flows beyond the public sector.

The Bill introduces offences for unauthorised disclosure of non-personal data by employees of external partners, with penalties of up to $5,000 or two years' imprisonment. Personal data misuse remains governed by PDPA.

First, on proportionality. Where large datasets are mishandled, will these penalties sufficiently deter negligence? Second, on coherence. To residents, a breach is a breach. Are we confident the PSGA and PDPA framework leaves no gaps where technical classification determines liability rather than real harm? Third, on prevention. Sanctions act after damage is done. I understand external partners will be subject to Terms of Use requiring strict security standards. How will compliance be validated? Will audits be regular, risk-based and independent? A breach at the weakest partner compromises the entire ecosystem. Smaller charities acting in good faith must be supported, while large vendors must be held to higher standards befitting their capabilities.

Mr Speaker, Sir, my final concern is the lived experience of this Bill. While data sharing directions are internal instruments, the stated aim is enhanced transparency. Will residents receive plain-language explanations of how and why their data is shared? Could MDDI commit to an annual public report summarising data sharing directions and authorisations? How will this information be accessible to seniors and those with limited English proficiency? Transparency cannot live only in legal texts. Finally, does the Government plan to measure public trust in this sharing ecosystem and course-correct if it erodes?

In conclusion, Mr Speaker, Sir, let me close by returning to where I began. Data is eyesight.

Four-year-old Megan Khung did not die because no one cared. She died because the signals that might have protected her never came together. A preschool saw injuries; a social worker identified risks; family members raised concerns. Each saw a part of the picture, but the system never saw clearly, early enough or as one.

No law can guarantee that such tragedies will never happen again. But Parliament has a responsibility to ask whether we can build systems that can see better, respond earlier and act together.

If data is eyesight, then sharing must help the system see, not blur its vision. If data is eyesight, then re-identification must protect the vulnerable, not label them. If data is eyesight, then accountability must be visible, not lost in layers of delegation. And if consent cannot always be practicable, then we owe residents something just as important in return: clarity about what is done with their data, dignity in how decisions are made and confidence that responsibility is clearly held.

Many PAP MPs today have rightly stressed that when data leaves the public sector, external partners must meet the same high standards as the Government. With clear public interest tests, stronger oversight and firm accountability, including how this Bill aligns with the HIB that is upcoming. This Bill gives us tools, but tools alone do not guarantee wisdom. What matters is how we choose to use them.

So, let us be clear about our commitment. We will use data to protect, not to stigmatise. We will share data to connect, not to surveil. We will govern data so the system can see clearly, so that people can live with dignity. That is the work before us, not to just to pass this Bill, but to exercise its powers with restraint, care and moral clarity; not just to enable data sharing, but to earn and keep the trust of the people we serve.

Mr Speaker, Sir, let us act with that responsibility firmly in mind. Let us ensure that when the system sees, it sees together and when it acts, it acts in time. I support the Bill.

Mr Speaker: Minister of State Jasmin Lau.

3.14 pm

Ms Jasmin Lau: Mr Speaker, I thank the Members for their support and their questions. Several Members raised questions on the scope and the safeguards for data sharing with external partners.

Expanding PSGA is like building more bridges to help more people cross safely and access support earlier. Every bridge must be built with a clear public purpose. Not for curiosity, not for convenience and not for commercial gains, but to connect our people to something essential. Likewise, data will only be shared when there is a clear public service objective.

Access to the bridges must also be properly authorised. Not everyone can direct traffic across the bridge or change its structure. And likewise, data access will be tightly governed, with clear and defined approval processes, roles and responsibilities.

As the usage of these bridges grow, we must ensure that those who operate and maintain the bridges are capable and ready. This means that we will assess and uplift both the public sector and our trusted partners' capabilities so that they can be trusted custodians of the data that they receive.

Trust is sustained through accountability and transparency – through regular inspections, monitoring and audits. And when something goes wrong, a responsible system responds decisively. We close, we fix, we make the bridge safe again. That is why we have clear incident management processes. We do not give up on building the bridges altogether.

This is how we help more people while strengthening trust. Because trust is not meant to be a brake that holds us back. Trust is what makes progress possible.

I will now address specific points that Members raised.

Mr Henry Kwek asked for concrete examples of how the Bill will improve outcomes – particularly for those around us who need social and financial assistance, especially for our seniors and our children. I shared a few examples in my opening speech on how the PSGA framework has enabled more integrated delivery of support within Government. With this Bill, we can extend this approach to partnerships with SSAs, community partners and self-help groups – organisations with deep networks, cultural understanding and presence on the ground.

Mr Cai Yinzhou mentioned many social service providers that support his Toa Payoh Central residents – Care Corner, TOUCH, Dementia Singapore, NTUC Health and others. These partners can benefit from data sharing with public agencies, serving the same community needs. Our seniors can receive more coordinated care. Families in difficulty need not repeat their circumstances to multiple parties. And the staff working in these social service providers can focus their time and their energies on providing tangible help, rather than collect duplicative information again.

Mr Kwek, Ms Jessica Tan and Mr Yip Hon Weng asked how the public can be assured that their data would be used appropriately. And central to all of this is our focus on building and safeguarding trust, as noted by Mr Sharael Taha. Let me explain the three safeguards that must be met before data is shared with external partners.

First, there must be a valid purpose. Data sharing must serve public purposes as provided for under the PSGA. To borrow Ms Tan's words, data is not shared just because it is convenient or efficient for public agencies, but it must clearly support a real public need. The two main categories where Government will share and use data for remain unchanged. That is, data will be used for better delivery of services to the individual and for policy analysis and formulation.

Ms He Ting Ru claimed that we are shifting from a rule-based framework to executive discretion in data sharing. Let me be clear, there is no such shift. Again, there is no such shift. The existing PSGA stipulates seven purposes under which a Ministerial direction may be made for data sharing these clear purposes, as well as all existing data governance rules remain fully in place. These purposes make it clear that citizens must benefit before data can be shared. So, Mr Kenneth Tiong may have misunderstood, but there will be no situation where we share data with partners for their commercial benefit.

What we are adding is a second layer of checks referred to as the "further authorisation" in the Bill for cases of sharing with external partners. This authorisation by the Minister is not a replacement for rules, but an additional safeguard.

There must be proper authorisation. Before data is shared with external partners, it must go through careful deliberation within the Public Service, culminating in a sign off by the Minister or his or her delegate. Each authorisation must clearly state the purpose for sharing the scope of data to be shared and the specific external parties receiving the data.

To Mr Yip's question on the delegation of Minister's authorisation, delegation if done, will only be to the senior leadership level of the Public Service. Any delegation will be made public as provided for under the Interpretation Act.

The third safeguard is that our partners must comply with Terms of Use. Even if there is a valid purpose and proper authorisation, public agencies must assess the external partner's ability to meet the requirements in the Terms of Use and impose these terms on them. Let me elaborate on these requirements, which Members have asked about.

These Terms of Use will include data security and protection safeguards, such as using anti-malware software with up-to-date signatures and performing regular vulnerability assessments. Retention periods for the data will be specified and requirements to purge data when the retention period has ended will be mandated. External partners will also have to provide yearly declarations of compliance with the Terms of Use. Non-compliance needs to be rectified. Failing which, data access may be revoked.

On top of these, there will also be higher requirements for more sensitive data. For instance, periodic audit checks at a higher frequency when more sensitive data is involved. These checks will be conducted by the agency or qualified third parties appointed by the agency. Highly sensitive data will also require reviewing of privileged accounts monthly for access rights.

Before any data sharing is established, such terms, of course, will be discussed with the external partner to ensure that they are able to comply. As our trusted external partners may face liability under the contractual terms, both the public agency and the external partner must be confident that the requirements can be complied with.

Dr Choo Pei Ling and Mr Yip asked about our principles for data protection and sharing. The starting point is this: where identifiable personal data is not needed, anonymised data will be provided to external partners instead. As Dr Choo noted, public agencies also use privacy-preserving technologies to limit unnecessary exposure of data.

Where personal data is concerned, public agencies must continue to exercise judgement even if the statutory requirements allow for sharing with external partners should this Bill be passed. In the instance of health information, which Dr Choo had asked about, for health information that is used for employment and insurance purposes in particular, there will be additional requirements under the Public Service's rules to seek consent and to conduct a personal data protection impact assessment under the PSGA. In cases like this where the data use is highly sensitive, an additional impact assessment may be made and consent sought, even though, it is not statutorily required. This is another example where more safeguards are put in place in proportion to the risk.

To Mr Yip and Ms He's questions about re-identification of anonymised data, this was already debated in 2018. Re-identification of anonymised data can be allowed only when it meets public sector objectives. For example, when certain datasets are corrupted or destroyed and re-identification is needed to continue delivering services to citizens. Unauthorised re-identification remains an offence.

Several Members also suggested providing a list of external partners authorised under the PSGA. We will consider what is practical. Today, public agencies work with many partners on diverse purposes, often on an ad hoc basis, and it could be challenging to share, in detail, a list of external partners or notify citizens for every use, given the dynamic nature of these partnerships. But we thank Members for the suggestion and we will review this at a later date once we have sufficient experience with the Bill.

Individuals with concerns about how their personal data is being used can approach the relevant public agencies or the external partner. They can also report suspected misuse of their personal data or report data incidents through the Government Data Incident Reporting Platform.

Mr Cai and Mr Kwek asked about cybersecurity expectations for our external partners. And Mr Cai also rightly noted that no organisation is immune to cyberattacks. As I shared, our approach is to set standards proportionate to risk. We have baseline standards that all partners must meet, with more stringent requirements when sensitive data is involved. When the data security space evolves and new requirements are needed, public agencies will also update the Terms of Use so that our external partners are well-positioned to protect data.

Mr Kwek and Mr Yip asked about smaller partners who may lack resources. And Mr Cai similarly asked about how external partners would be expected to maintain safeguards against sophisticated attacks. While well-intentioned, tiering cybersecurity requirements so that smaller entities face less stringent standards is not advisable. A smaller entity may handle data sets that are as sensitive as larger partners and hence lowering the requirements simply due to them being smaller entities will not be proportional to the level of data risk.

Instead, our public agencies will work with our external partners to build the capabilities where necessary for the proper and responsible management of data shared with them. This was a point raised by Mr Sharael. As Ms Tan had suggested, this may involve ensuring robust systems, strong training and proper controls. Mr Kwek also suggested for MDDI and the Government Technology Agency of Singapore, to provide common tools or shared platforms to help smaller organisations and partners meet the requirements. We will consider this.

Mr Cai asked whether the Ministry will consider financial penalties against organisations that misuse data. Mr Tiong also asked about organisational accountability. This is an important question. And Mr Cai is right that not all data incidents can be traced to a single employee. Failures may be organisational in nature, arising from weak internal controls, poor access governance or inadequate training. And in such cases, organisational liability matters.

Let me assure Members that such a framework already exists. First, organisational liability under the PDPA. External partners must comply with the obligations under the PDPA, such as maintaining reasonable security requirements preventing unauthorised access. The Personal Data Protection Commission (PDPC) can impose financial penalties on organisations for intentional or negligent contraventions. This also applies to personal data shared under the PSGA framework. So, the organisational penalties that Mr Cai asked about are already available under existing law.

Second, contractual liability. I earlier mentioned many times the Terms of Use that public agencies will impose on external partners. Organisations receiving Government's data must comply with the data protection and security safeguards in the Terms of Use and may face liability under these contractual terms for breaches.

Third, individual criminal liability. The Bill amends the PDPA to make clear that offences relating to personal data under the PDPA will still apply so that individuals that intentionally carry out unauthorised actions can be taken to task.

Fourth, coverage of non-personal data. The new PSGA offences cover non-personal data. And this means that all data shared by Government, be it personal or non-personal data, is covered either by PDPA or PSGA in terms of penalties for misuse.

Mr Yip also asked if the severity of offences is large enough to deter bad actors. The penalties are aligned with current PDPA offences for external partners and PSGA offences for public officials. The possibility of imprisonment for misusing data is a significant deterrent.

Mr Kwek and Mr Yip have raised concerns about data incidents. We take these very seriously. All data incidents reported to Government will be properly looked into. When significant data incidents occur, we have strict requirements for public agencies to be accountable to the public and to affected individuals. And when incidents are likely to result in significant harm or impact on individuals or entities, affected individuals will be notified, except where it would adversely impact public interest.

Public agencies will take remedial actions to limit the impact of an incident, investigate and address vulnerabilities, and also to recover equipment and data. The Government will also continue to report on data incidents. External partners are obligated to report to the public agency or to PDPC when significant data incidents occur.

Mr Kwek asked how Government will assess responsibility in a way that is firm, fair and predictable, if a serious incident happens despite reasonable safeguards. Liability is assessed in context: we look at all of the facts and the circumstances, and we consider the nature of the incident, whether reasonable safeguards were in place, and the actions of the parties involved, including their response to the incident. Partners who act in good faith and made reasonable efforts to implement proper safeguards will be treated fairly. Those who are reckless or negligent will be held to account.

Mr Tiong raised TraceTogether as a cautionary tale. Let me address this directly. First, on the facts. When the issue arose, the Government came to Parliament, explained the position and clarified the legal framework. That is accountability. We did not hide from scrutiny, we addressed it openly in this House. Parliament subsequently passed the COVID-19 (Temporary Measures) (Amendment) Bill to restrict the use of TraceTogether data to serious offences. So, the system worked as it should.

Second, TraceTogether did not undermine public trust in the way Mr Tiong suggests. Singaporeans continued to use TraceTogether. They understood the Government's explanation and the safeguards that were put in place. To characterise it as a fiasco that broke public trust is not borne out by how Singaporeans actually responded. The lesson from TraceTogether is not that Government cannot be trusted with data. It is that when questions arise, the Government must be accountable and transparent – and we were.

Mr Yip asked whether citizens can be permitted to opt out of data sharing with our external partners. This is not feasible. The data sharing serves broad public sector policy, planning and service delivery objectives. Allowing individuals to opt out would lead to incomplete data, which will fundamentally undermine our ability to plan, formulate policies and deliver services.

Take planning for social services as an example. If individuals opt out, the data that public agencies and external partners have will be incomplete. This could mean under-provisioning services for groups with specific needs simply because public agencies and partners are unaware of those needs. Partners will also find it more difficult to optimise their resources for more targeted outreach or service delivery.

Complete data is needed for more informed planning and decisions. And this is why the Bill builds in oversight of each data sharing arrangement. The Bill restricts sharing to public sector objectives under the PSGA and provides for criminal offences to ensure that external partners take their duty to protect the information seriously.

Mr Speaker, I thank Members for their thoughtful speeches. The concerns raised – about purpose, authorisation, partner readiness, accountability and incident response – are precisely the questions we must ask when we expand data sharing. This Bill enables public agencies to better use data to serve Singaporeans and this goes to the heart of the public sector's core mandate, which Ms Tan has noted, has made real and meaningful differences to Singaporeans.

When more people rely on a bridge, we do not slow down progress. We build and we strengthen the foundations, we tighten the controls and we inspect the bridges more rigorously. That is the approach we are taking, with this Bill. This is how we serve more Singaporeans while safeguarding trust. Progress that lasts is progress that is built on trust. Keeping data safe is an ongoing and shared responsibility. We are committed to this responsibility, as we strive to serve all Singaporeans better. I beg to move.

Mr Speaker: Clarifications for Minister of State Lau. Mr Kenneth Tiong.

3.37 pm

Mr Kenneth Tiong Boon Kiat: I thank the Minister of State for her clarifications and her response. I just want to clarify, because I think she may have misunderstood what was my fifth question. I was saying that there is no organisational statutory liability for those handling non-personal data, and I think she made some references to contractual obligations as well as something about personal — so, I just want to clarify that it is organisational statutory liability for non-personal data, does it exist or not?

Another thing I would like to bring up, which I do not think she has answered, is my request for a public register of all these Ministerial directions. Australia does it. I do not see why it would be very difficult to do it. It will certainly not be operationally difficult to, because it is just publicising the type of data that is going to be shared. As well, I think, the five-year review period – I do not see why not. Australia does it, and I think it is quite a sound legislative principle. so, these are my supplementary questions for now.

Ms Jasmin Lau: I thank Mr Tiong for his clarifications. I spent quite a bit of time just now explaining how organisations will be liable if they misuse data: there is an existing PDPA, as well as Terms of Use.

Mr Kenneth Tiong Boon Kiat: Is PDPA not for personal data?

Ms Jasmin Lau: So, in the same explanation in the speech, I went on to say that there are also contractual Terms of Use that public agencies must impose on external partners for the receiving and use of all data. Those Terms of Use will hold our external partners liable, should they misuse the data.

On the point about public register, I think I mentioned in my speech, that we will consider what is possible, what is feasible, as we get more experience with the Bill. The reason why I said that the Member may have misunderstood was that the point raised earlier was about whether our citizens will benefit from the data sharing. I needed to clarify that the PSGA only allows for data sharing for Public Service objectives. There is no sharing for commercial gains and therefore, there is no need for citizens to check whether or not private companies or organisations are gaining from this.

Mr Speaker: Any other clarifications for Minister of State Lau? Mr Tiong.

Mr Kenneth Tiong Boon Kiat: Sorry, not to belabour the point. Is it contractual liability or statutory liability? And second of all, could the Minister of State respond on my five-year review period point, please. Thank you.

Ms Jasmin Lau: On the first question, contractual liabilities. And I think on the second question, we have said that we will review what is feasible as we gain more experience with this Bill.

Mr Speaker: Any other clarifications for Minister of State Lau? No.

Question put, and agreed to.

Bill accordingly read a Second time and committed to a Committee of the whole House.

The House immediately resolved itself into a Committee on the Bill. – [Ms Jasmin Lau].

Bill considered in Committee.

[Mr Speaker in the Chair]

The Chairman: The Chairman: The citation year "2025" will be changed to "2026", as indicated in the Order Paper Supplement.

Clauses 1 to 13 inclusive ordered to stand part of the Bill.

Bill reported with amendment.

Question for Third Reading put, and agreed to.

Bill accordingly read a Third time and passed.

Mr Speaker: Order. I propose to take a break now. I suspend the Sitting and will take the Chair at 4.05 pm.

Sitting accordingly suspended

at 3.43 pm until 4.05 pm.

Sitting resumed at 4.05 pm.

[Deputy Speaker (Mr Xie Yao Quan) in the Chair]