Unauthorised Possession and Disclosure of Information from HIV Registry

The Minister for Health (Mr Gan Kim Yong): Mr Speaker, Sir, thank you for allowing me to make a Statement on the Unauthorised Possession and Disclosure of Information from HIV Registry, and to respond to the various Parliamentary Questions (PQs) asked earlier. Senior Minister of State Janil Puthucheary will speak after me on matters regarding governance on data in general.

Sir, on 22 January 2019, MOH was alerted to a case of unauthorised possession and wrongful online disclosure of information from the HIV Registry by one Mikhy K Farrera Brochez, affecting 14,200 individuals diagnosed with HIV, and 2,400 of their contacts.

The incident has caused anxiety and distress to the affected persons. This matter is especially delicate as it involves persons living with HIV. Our priority is their well-being.

Members have asked several questions regarding the incident. So, let me first give a brief account on what happened, the actions we took, and why.

Some have asked whether MOH had known about Brochez's possible access to HIV Registry information in 2012, when he first made a complaint to MOH. Let me clarify that the issue then was not about Brochez's access to HIV Registry information, but a different one.

Brochez was then a partner of Dr Ler Teck Siang who was the Head of the National Public Health Unit, and they had lived together. In November 2012, Brochez alleged that Ler had disclosed information about Brochez to others. He later also claimed that Ler had shared screenshots of his HIV status with others.

Despite multiple attempts by MOH to engage him, Brochez did not provide any evidence to support his allegation. He was uncooperative and evasive, and rejected or postponed meetings with MOH on several occasions. At one point, he even informed MOH officers that he was leaving Singapore and did not want to continue with the investigation into his allegation. Due to his uncooperative attitude, the investigation could not make much headway. Nevertheless, we re-assigned Ler to another role in May 2013, and kept up the investigation. Ler's access to the live HIV Registry was terminated after his re-assignment.

In the course of our investigation, MOH discovered in December 2013 that Brochez may have submitted fake HIV blood tests to MOM in order to retain his employment pass. We informed MOM and also made a Police report. Ler resigned the following month.

MOH's investigations in 2012 and 2013 were on Brochez's allegation that Ler had revealed Brochez's HIV status to others. At no point in 2012 or 2013 did MOH have basis to suspect that Brochez had access to, or was in possession of, the data in the HIV Registry.

Between 2014 and 2016, Police and MOH investigated whether Brochez had submitted fake blood tests, and whether Ler had abetted this process and provided false information to investigators. These investigations were difficult as Brochez continued to be uncooperative and initially refused to provide a statement to the Police.

The Police eventually recorded a statement from Brochez in May 2014, after he was stopped trying to leave Singapore. When interviewed, Brochez lied to the Police that it was his blood that was tested during a HIV test conducted in November 2013.

MOH then ordered Brochez to undergo a fresh blood test for HIV to verify his claim but Brochez refused to cooperate.

In late April 2016, Brochez was arrested for repeatedly refusing to comply with MOH's order to take a blood test. He then provided the Police and the Government authorities 75 names and particulars from the HIV Registry.

This was the first time MOH had evidence that Brochez may have access to HIV related data. We made a Police Report on 16 May 2016.

The Police raided Ler's and Brochez's premises simultaneously, and seized and secured all relevant materials. These included their computers and electronic storage devices containing files with confidential information from the HIV Registry, files related to hospital services and to other infectious diseases, as well as other information likely used by Ler for his work such as emails, HIV studies and reports.

The Police searched through Brochez's email account and found that Brochez had sent the same screenshot that he had sent to Government authorities, as well as a PDF file of a further 46 records from the HIV Registry, to his mother. The Police then contacted Brochez's mother, who agreed to let the Police access her email account and deleted those records.

At this point, the Police had seized everything they found in Ler's and Brochez's possession, and had done their best to ensure that no further confidential information remained with Ler and Brochez, including in their known online accounts. It was always recognised that there was a risk that Brochez could have hidden away some more information. Unfortunately, as recent events showed, Brochez did manage to retain at least the data which he has recently disclosed, and we cannot rule out the possibility that he has more.

Ler and Brochez were both charged in Court in June 2016. Ler was charged both under the Penal Code and OSA. Ler's charge sheet, which was public information, stated that he had had access to the HIV Registry as part of his position as the Head of NPHU in MOH, and that he had failed to take reasonable care of the information in the HIV Registry by failing to retain possession of a thumb drive on which he had saved the HIV Registry.

Brochez was charged for offences under the Misuse of Drugs Act, Penal Code and Infectious Diseases Act (IDA). AGC decides on the charges. AGC decided not to charge him under the OSA because they assessed that he would likely be sentenced to a fine only, or at most a few weeks in jail. This was because there had been no wide dissemination of the information at that stage, and he had primarily used the information to complain to Government agencies, and he was already facing numerous fraud and drug-related charges, which carried far heavier penalties. AGC also assessed that any jail term under the OSA was likely to be concurrent with jail terms that he would serve under other offences.

Brochez was therefore issued with a stern warning for the OSA offence.

Brochez was subsequently convicted in March 2017 and sentenced to 28 months' imprisonment. In its judgment, the Court found that Brochez had "deliberat[ly] flout[ed] the law for personal benefit", and that there was "not a single-word of regret."

Mr Speaker Sir, let me now address questions as to whether MOH should have informed the public earlier. In 2016, MOH had to decide whether to inform the affected persons and whether to make a public announcement about the incident.

These were not straightforward decisions. On the one hand, there is the need to be transparent. On the other hand, we need to consider the impact of an announcement on the affected persons with HIV – would it serve their interest or would it harm them instead?

I discussed this with my medical colleagues in MOH. They emphasised the need to pay particular attention to the concerns and needs of HIV patients. A person's HIV status is a deeply emotional and personal matter. Some patients will experience high anxiety and distress from a disclosure or announcement. Some will feel compelled to reveal their HIV status to family members or friends. Relationships can be disrupted; lives can be changed. We had to exercise care and judgement in making our decision, and the wellbeing of the affected persons weighed heavily in our considerations.

One key factor was that there was then still no evidence that the confidential information had been disseminated to the public. Brochez had sent the information to Government authorities. The Police search was extensive and all relevant material found had been seized or deleted. While there could be no guarantee, MOH had good reason to believe that the information had been secured and the risk of future exposure significantly mitigated.

Ultimately, it was a judgement call – to be made based on the information we had, and the considerations for and against an announcement, and the assessed risk of future public exposure of the information. MOH judged that on balance, an announcement then would not serve the interests of the affected individuals, when weighed against the inevitable anxiety and distress they would experience.

Two years later, in April 2018, Brochez was deported from Singapore after serving his sentence and we had no basis to keep him here.

In May 2018, after his deportation, Brochez sent a screenshot containing 31 records from the HIV Registry to several Government authorities. All 31 records were not new. They were a sub-set of the 75 which Brochez had earlier revealed to authorities in May 2016. MOH lodged another Police report.

We considered again whether to inform the affected individuals and the public. The relevant factors were similar to those in 2016. But there was one difference. This time, we could not retrieve the screenshot of the 31 records in Brochez's possession because he was already out of Singapore.

MOH therefore decided to contact the affected individuals and alert them to the matter. We did not make a public announcement as there was still no specific evidence that Brochez had more information beyond these 31 records. Furthermore, as on previous occasions, Brochez had only shared it with Government authorities and not to any wider audience. A public announcement would create anxiety and distress not just among the 31 persons but also other HIV patients whose names were in the Registry.

In September 2018, Ler was convicted for abetting Brochez to commit cheating, and also of providing false information to the Police and the MOH. He was sentenced to 24 months' imprisonment. Ler has appealed and this is scheduled to be heard in March 2019.

Ler's charge under the OSA is currently "stood down". That means that the OSA charge has been put aside for the moment, but it remains before the Courts and will be dealt with after proceedings on his other charges have concluded. AGC decided to go to trial against Ler on the cheating and false information charges first, as they were more serious and carried stiffer penalties. The trial for his drug charges will be held next, as these also involve stiffer penalties, including mandatory caning. So that there is no doubt, let me say again that the OSA charge against Ler is still "live". AGC will decide on the OSA charge, after proceedings on his other charges have concluded. This is the usual course.

The most recent incident in January 2019 stood on a different footing from the earlier incidents. It showed that Brochez probably still possessed the entire HIV Registry, beyond just the 31 records. He had also put the information online and provided the link to a non-Government party.

This new situation meant that the likelihood of the identities of affected persons being made public by Brochez had increased significantly. MOH therefore decided to make a public announcement on 28 January, even though we remained deeply concerned about the impact this would have on the affected persons. We sought to quickly contact each of the affected individuals to inform them of the circumstances and also offer them assistance prior to the announcement. We worked with the Police and other relevant parties to disable access to the information as quickly as possible.

Mr Speaker, Sir, at this point, let me reiterate the basis of our decisions and actions, especially on the issue of disclosure and announcement. At each juncture – May 2016, May 2018 and January 2019 – MOH had to decide whether to inform the affected persons and make a public announcement.

In making those decisions, MOH had a responsibility to balance the opposing considerations and exercise judgement on what would best serve the interest of the affected persons and the public.

MOH made a judgement call, balancing the various considerations. It is arguable that MOH should have made a different call. But I reject any allegation that MOH sought to cover up the incident.

On all three occasions, MOH's primary concern was the wellbeing of the persons on the HIV registry.

Today, we still face the same dilemma as we did back in 2016 and 2018. We now know that Brochez retained some of the data after the Police seized all the files they could find in 2016. Quite possibly, he still has more files in his possession.

Should MOH now make known all that Brochez may, or may not, still have in his possession? Do we contact every person whose data may, or may not, be at risk? And in the process inflict more harm on people even though it may ultimately turn out that Brochez in fact does not have the information?

Again, we have to assess and make a judgement call. MOH has decided to continue to manage the situation in a way that reduces the possibility of further exposure. This is consistent with the decision taken in 2016 and again, in 2018. It is based on what we believe to be the interest of the potentially affected persons.

Mr Speaker, Sir, let me now turn to what else we are doing following the latest incident.

Brochez is currently under Police investigation for various offences. He is believed to be in the US. The Police are engaging their American counterparts and are seeking their assistance in the investigations against Brochez. The Police will spare no effort pursuing all avenues to bring Brochez to justice.

Following our public announcement, a few parties have come forward to inform us that Brochez had in fact attempted to make contact with them in 2018, and had given them links to confidential information he had uploaded online. We have quickly worked with the authorities to similarly disable access to the online content. The content that was uploaded is similar to what we had found in January, so no new individuals have been exposed.

We have also been working with relevant parties to scan the Internet for indications of further sharing of the information. There have thus far been no signs of further disclosure, but we will continue to monitor.

Should we detect any disclosure or online publication of the information, MOH will work with the relevant authorities and parties to take down the content and disable access to the data.

Here, I would like to remind everyone that the Police will not hesitate to take stern action, including prosecution, against anyone who possesses, communicates or uses any of the confidential data that has been disclosed. The Police will also not tolerate any harassment or intimidation, of any form, towards any person, arising from this leak. Stern action will be taken against perpetrators.

MOH has prioritised informing and supporting the affected individuals. We have completed attempts to contact all the affected individuals. But we are unable to reach all of them, as many had dated contact information, given that the Registry went back to 1985. Many of the foreigners were work pass applicants who never worked in Singapore, or who previously worked here but are no longer in Singapore.

Amongst the affected Singaporeans diagnosed with HIV and are still living, we have reached 2,400 out of 3,500. Individuals who worry that they may be affected or who have concerns, can contact our hotline at 6325 9220. I repeat: 63259220. We seek their understanding that to maintain confidentiality of the information, we have to verify the identity of the caller. Officers manning our hotline will then provide information on the incident and direct callers to available avenues for support.

Ms Anthea Ong, Assoc Prof Walter Theseira and Assoc Prof Daniel Goh asked about the measures taken to protect the psychological welfare of the affected individuals. We know that the affected persons may have concerns and may be worried about unfair treatment arising from this incident.

Prior to calling patients, our medical social workers have helped to first identify those likely to require more support, so that designated officers can exercise extra care and provide additional support when calling them. If callers request to speak to our counsellors, are in distress, or require more advice and support, counsellors are on standby to speak with them.

Some affected individuals may prefer to discuss their concerns with those they are more familiar with, such as the medical social workers, nurses and doctors who have been supporting their on-going care and treatment. We have arranged with the relevant public hospitals to have medical social workers and doctors onsite to attend to them.

Agencies such as the Life Insurance Association (LIA), MOM and TAFEP have provided public assurances on common concerns. MOM shared that Singapore has employment laws to protect employees from wrongful dismissals, including on the grounds of HIV. LIA has in turn assured policyholders that insurers that receive information related to this incident will not use such information. They will inform the relevant authorities immediately.

Understandably, despite these efforts, some will continue to be concerned. Some may decline to return to care because of the fear of future disclosure. Some felt we should have just informed the affected individuals. A few wished they had not been called at all. The anxiety and concerns which some individuals felt have also been carried in various online, broadcast and print articles in recent weeks.

Our medical social workers were themselves distressed by the news they had to break and felt the anguish that the patients experienced when they were told. They had to conduct the calls carefully and gently and be alert to signs of distress so that they could help the patients appropriately. At times, our medical social workers became the target of anger and blamed themselves. Nevertheless, they do their best to support the affected persons.

These reactions are not unexpected and they were the reasons we made a judgement call in 2016 not to make a public announcement, and in 2018, to inform only the affected patients.

Mr Speaker, Sir, Members have asked about the purpose and safeguards of the HIV Registry.

MOH’s national HIV Registry contains information of persons diagnosed with HIV in Singapore. We are not unique in having such a registry. Countries such as the United States and Canada also maintain HIV registries containing identifiable information.

We need the Registry to monitor the HIV infection situation, conduct contact tracing, and assess disease prevention and management measures. The data needs to be identifiable for purposes such as contact tracing to protect those who are contacts of HIV patients.

The security safeguards for the HIV Registry in 2012/2013 were in accordance with the prevailing Government policies on classified information and IT security. Staff were briefed on the policies, systems and processes, and regularly reminded of the sensitivity of the information, which they should access on a need-to-know basis. All of them signed an undertaking to observe confidentiality obligations under the OSA.

Prior to 2012, the HIV Registry was placed in a secured network drive. The file could only be accessed and downloaded from Government issued computers, and was password protected. NPHU staff would need to download the HIV Registry in order to carry out routine data entry, contact tracing and analysis. Staff were allowed to use personal thumb drives at that time, subject to adherence to data protection guidelines and policies.

As the Head of NPHU, Ler had authority to access information in the HIV Registry as required for his work. He is believed to have downloaded the HIV Registry into a thumb drive and failed to retain possession of it. Ler has been charged for mishandling the information.

Mr Seah Kian Peng asked about the additional measures undertaken to ensure data security.

In 2012, prior to the complaint from Brochez, the Registry database was migrated to a network-based system. NPHU staff no longer had to download a database file stored on a network drive to do their work. Instead, staff would call up records they require from the network-based system. With the implementation of a network-based Registry, the audit trail was also enhanced. In 2014, alerts of multiple failed login attempts were incorporated into the system.

MOH continues to follow the security policies from the Singapore Government Instruction Manual for the Security of Classified Information. In tandem with the Government guidelines, we implemented several controls to tighten our systems.

Specifically for NPHU, MOH’s Chief Data Officer also conducted a data security review in 2016. Following the review, enhancements were made to further strengthen the NPHU systems. These include the following:

(a) Elevating the approval authority for downloading and decrypting Registry data to the level of the Director of our Communicable Diseases Division (CDD) or higher.

(b) Implementing a two-person approval process to download and decrypt Registry data, to ensure that data could not be accessed by a single person.

(c) Designating a specific workstation for processing of sensitive data from the HIV Registry. This workstation is configured and locked down to prevent unauthorised removal of data.

In 2017, the NPHU also complied with Government-wide policy to disable the use of unauthorised portable storage devices on official computers, and only allow the use of authorised and encrypted thumb drives.

To give greater attention to data usage and safeguards, we had also set up a Data Analytics Group in April 2018. Within the group, a Data Governance Division was set up to formulate policies, practices and guidelines for MOH and its agencies. The aim is to protect and secure access to health sector data, in accordance with data protection requirements in the Government Instruction Manuals and PDPA, and other MOH sectoral legislation.

In light of the recent incident, and the increased prevalence of data use across the healthcare sector, it is important to ensure that data security and governance policies are strictly adhered to on the ground. MOH will expand the role and resourcing of this unit. We will include within it a specific mandate and team to look into the compliance and audits of data access and use.

Several Members have called for de-stigmatisation of HIV, and asked how we can protect people living with HIV from discrimination. Stigmatisation is an issue that all of us are concerned with.

De-stigmatisation requires efforts across the society. Let me cite some of the efforts by MOH, together with the Government and non-Government agencies, advocacy groups as well as Voluntary Welfare Organisations.

Persons living with HIV require lifelong treatment. HIV therefore continues to be a serious infectious disease that the MOH closely monitors and actively manages for public health reasons. But clinically, HIV treatment has vastly improved over the years, and early treatment can delay disease progression and improve the quality of life.

Over the years, MOH has increased financial support and lowered the financial barriers for HIV treatment, through MediSave and MediFund. Since 2014, HIV anti-retroviral drugs can be supported under the Medication Assistance Fund. MAF provides means-tested subsidies for lower and middle income patients, covering up to 75% of the cost of anti-retroviral treatment.

In 2015, with the introduction of MediShield Life, persons living with HIV are now covered by our national health insurance scheme should they be hospitalised.

We have also made HIV testing and counselling services more widely available. For example, anonymous HIV testing is now available at 10 sites across the island. Special outreach efforts have also been made for specific groups. For instance, it is part of standard antenatal testing at our public hospitals.

Support from doctors, medical social workers and healthcare workers is also widely available in public hospitals. Generally, every HIV patient in public healthcare institutions is assigned to a medical social worker to provide assistance upon their diagnosis.

Sir, it is easy to stigmatise something that we do not understand. MOH has therefore been working with stakeholders to raise awareness of the disease and reduce stigma for the disease. In 2017, SNEF, TTSH and Health Promotion Board worked together to introduce "Guidelines on Managing HIV and AIDS in the Workplace" to help companies create enabling workplace environments for employees with HIV. More recently, the Tripartite Guidelines on Fair Employment Practices call for employers to treat employees fairly and based on merit. This include employees with HIV.

MOH will continue to work with partner organisations to step up efforts in public education, stigma reduction, prevention, testing, treatment and counselling support. But beyond this, how each of us as individuals relate to persons with HIV also matters, a lot.

Here, I would like to appeal to Singaporeans to stand in support of these affected individuals, and our efforts to fight the stigma against persons living with HIV. I would like to urge the public and media not to share illegally obtained information and inform Police/MOH immediately.

The welfare of the affected individuals in this incident would be something of deep concern for us. We would like to encourage those with concerns to contact us at our hotline at, again, 6325 9220. You may also call the SOS, TAFEP and Action for AIDS, or approach the healthcare institutions and professionals that have been providing you care and support.

Mr Speaker, Sir, this has been a regrettable incident caused by the irresponsible and deplorable actions of two individuals.

Ler is a Singaporean doctor and ex-MOH officer who had been entrusted with the care of our patients, but he had betrayed the trust of the Ministry and the medical profession. I am sorry that these irresponsible actions of one of our officers has resulted in such distress to the affected persons. Ler’s case is now before the Courts and he will be dealt with according to the law.

The other – Brochez – is an American citizen who had left a trail of lies and deceit, and now perpetrated a reprehensible act that has affected thousands of persons with HIV. He had already spent time behind bars here for his earlier offences, and we will spare no effort in bringing him to justice again for his latest crime.

As individuals and part of the larger Singaporean community, the best way for us to respond to this incident is with sensitivity, understanding and support for those affected. If we can say no to discrimination and reduce the stigma surrounding HIV, we can turn the harm and discord which the perpetrators seek to sow into a more inclusive and supportive environment for persons with HIV.

3.03 pm

The Senior Minister of State for Communications and Information (Dr Janil Puthucheary): Mr Speaker, Assoc Prof Walter Theseira had asked some questions about the standards for public disclosure of Government information incidents involving personal data.

Mr Speaker, in the event of a suspected data breach, the first priority is to limit the potential harm to affected individuals. The agency involved will assess the damage, prevent further losses and take precautionary measures to heighten safeguards. The Government Technology Agency (GovTech) will put other agencies across Government on alert and also take broader measures, if need be. A police report will be made if there is suspected foul play or loss of physical equipment, such as laptops.

As to the issue of broader public disclosure of the breach, this is taken as a considered decision, taking into account the possibility that such a disclosure may allow the attacker to create more damage, may help him cover his tracks or may cause unnecessary distress. Thus, there is no standard timing for public disclosure that automatically applies to all data breach cases.

Post-breach the agency affected will undertake a comprehensive review of the incident to understand what more could be done to prevent such an incident and what could be done better to manage such an incident. Such a review would include the approach taken to inform affected individuals and the public.

Mr Speaker: Assoc Prof Walter Theseira.

3.04 pm

Assoc Prof Walter Theseira (Nominated Member): Mr Speaker, thank you. I will ask some questions of the Minister for Health first. At any of the decision junctures that you had to consider over the last few years regarding this case, did the Ministry ever consult any persons with HIV or HIV advocacy groups for their views on whether disclosure should happen and if so, what views were expressed by these groups or persons?

Second, in light of the move to de-stigmatise, the policy decision that HIV should be de-stigmatised in Singapore, and this should be reflected in employment and in other areas of life, would it be appropriate to review, for example, immigration and employment regulations of foreigners regarding HIV as well, at this juncture?

Mr Gan Kim Yong: On the consultation with other organisations, as the Member would appreciate, this is a very sensitive area. We had information about Brochez and Ler, and both were being charged in Court. Therefore, we did not consult outside parties. We were discussing within the Ministry, with people who had been dealing with persons with HIV. So, we were familiar with the concerns about the patients and it was borne out with the issues that arose as a result of this disclosure. We were therefore quite clear that the pressure, the distress and the anxiety were real.

With regard to de-stigmatisation of HIV persons and whether we would review the immigration policies, we do these reviews quite regularly. Every time, we would look at the practice here and around the world, and take into account the concerns and interests of Singaporeans and decide on these issues. We have made adjustments along the way as we have done so over the past few years. As I had explained, HIV remains a very serious infectious disease. Therefore, we need to be very cautious in approaching this issue. We want to make sure that we are able to manage the disease environment here and to protect Singaporeans where possible. Therefore, for persons with long-term residence in Singapore, we still have a restriction on their access to Singapore. For persons who are on short-term stay, the restriction has been lifted recently. We are also not alone in this. Australia and New Zealand also have restrictions on long-term stays for persons with HIV.

Assoc Prof Daniel Goh Pei Siong (Non-Constituency Member): I thank the Minister. I have two questions. The first is, for those who have been contacted by Brochez and do not report to MOH, and if there is any leakage of personal information, would the person be liable for prosecution? That means, if the person is contacted by Brochez, given links online to confidential information online, would the person liable for prosecution if that person did not report to MOH that correspondence, that contact?

The second question is, I am assuming that the National Public Health Unit also kept a list of people living with other infectious diseases like STDs and TB. Were any of these lists also compromised by Ler and Brochez?

Mr Gan Kim Yong: Let me answer the second question. The National Public Health Unit oversees public health issues which would include infectious diseases, such as MERS, Bird Flu, TB, STDs and HIV. The Unit will handle many of these infectious diseases and that is part of the information and data that officers would be handling. As to the data that has been exposed, it is limited to the HIV Registry, as I had mentioned.

The other question on whether a person receives information or a link that is provided by Brochez, whether it is illegal to retain them, I have to consult my colleague. But my suggestion is whether it is legal or illegal, please forward it to us or to the Police so that we can follow up to investigate the implications of that.

Mr Speaker: Minister Shanmugam, a response on the point of law.

The Minister for Law (Mr K Shanmugam): Technically, there could potentially be some offences under the Official Secrets Act, particularly if further action is taken upon receipt, to say, publicise it or send it to others. But as the Minister has said, if it is sent to MOH, I do not see AGC taking action in those circumstances.

Ms Anthea Ong (Nominated Member): I have two questions for the Minister of Health. The first is, we are all aware of the painstaking efforts we have taken over the decades to allow people who have or suspect that they may have HIV to come forward for testing. So, given this latest incident, what specific measures is the Ministry taking to make sure that this decades of efforts have not been negated?

The second question is, given the requirement for long-term residency and HIV being an issue, which obviously created that whole fraud on the part of Brochez and Ler, how many cases have we encountered so far where fake blood has been used in order to get access to our long-term residents' pass, or in the past, even short-term pass?

Mr Gan Kim Yong: I stand corrected but this is, in my memory, the first case that we have seen. I will check and provide the Member with the information.

On the issue of HIV testing, we do encourage persons who suspect they may have HIV or who are uncertain whether they have HIV to come forward to be tested. We do have anonymous test sites across Singapore. The identity of the person will be kept anonymous and MOH will only receive an aggregated number of people who have tested. We do not get the identity. So, we will continue to encourage you to come forward and be tested so that at least you will know your status. And we also encourage you to seek treatment. When you seek treatment, we will know who you are because we need to provide treatment to the patients. We will do our utmost to protect the data and the information as much as we can. Rest assured that we will do what we can to support you.

The Ministry will also continue to step up efforts on public education to reduce the stigma on HIV patients. At the same time, the effort is not just the Government's alone. The society as a whole should come together and show support for these persons living with HIV. By showing them support, it will encourage more of them to come forward for testing, and more importantly, for treatment as well.

Mr Christopher de Souza (Holland-Bukit Timah): I thank the Minister for his Statement. In the constituency I serve, there are persons with HIV. We work with them, we partner them, they are fellow Singaporeans. While I recognise that good work has already been done in this area by various organisations, such as Action for AIDS or Catholic AIDS Response Effort, will the Ministry consider formalising and bolstering this process, drawing from good initiatives in other countries. For example, Living Positive Victoria in Australia has a team of peer navigators who are themselves living with HIV, who work extensively with HIV patients and their families, one-on-one.

Sir, some contract HIV through no fault of their own. These include babies. So, arising from this data leak, will MOH consider a more formalised process of support for those living with HIV and their families?

Mr Gan Kim Yong: Sir, I thank the Member for his suggestion. Indeed, we will learn from other countries, their experiences and share their practices on how to better support persons living with HIV. We also work with advocacy groups and support groups, as well as NGOs and VWOs, to see how we can enable them, how we can support them in the work that they do.

As I have mentioned, many of these require collaborative efforts, not just from the Government. Some persons with HIV would feel more comfortable talking to people that they know, people they are more familiar with, and therefore, it is not just the Government doing it. We need to work with multiple agencies, whether it is Action for AIDS, SOS or other VWOs. We try to work with them and see how we can best reach out to these people who need support and provide the relevant and effective support.

We will also look at how we can formalise these arrangements in a more structured way so that they are more sustainable and also, there is a continuity in the efforts. So, we take the Member's point and will explore other possibilities.

Mr Leon Perera (Non-Constituency Member): I thank the Minister for his comprehensive Statement. Just three questions. Firstly, just to confirm, I believe the Minister said that although this was not the protocol previously at the time, but right now it is the protocol that where as far as sensitive data is concerned, like personal data and the HIV Registry, right now, when the public officer exports, extracts or downloads the data, there is an automatic alert that is triggered; and then someone will see that list of download attempts and they will be subject to some scrutiny. So, I just wanted to confirm that that is in place right now.

Secondly, I think the Minister explained that the individuals such as Dr Ler who had access to personalised information from the HIV Registry needed that information in order to do their work by contact tracing and so on and so forth. In hindsight, I just wanted to ask the Minister, does the Minister feel there could be more scope going forward to maybe reduce the number of people who have access to the personalised data to the absolute minimum and possibly even break up access for the entire database between different individuals, so that very few, or perhaps even no individual has access to all the personalised data, even though other individuals may have access to the aggregated data for the purpose of policy analysis? That is my second question.

My third and last question is, based on what I heard from the Minister's timeline and I will stand corrected if I misheard this, Minister mentioned that Brochez was convicted and sentenced to 28 months in jail in March 2017 and he was released in 2018. So, I just wanted to check if he did in fact serve the full sentence as per conviction or was the sentence reduced in length or was it because he had already served time when the conviction took place?

Mr Gan Kim Yong: I think on the last question I can confirm with my colleagues but I would imagine that it is subject to the normal prison terms where you have remission of a certain period and then he was deported thereafter. So, perhaps my colleagues can confirm.

The Member's question about access: in fact, access to the data has always been on a need-to-know and need-to-use basis, and the number of staff in the NPHU is actually very small; they are limited to a handful of people. Whenever they need the information, they would have to then access because they are all doing contact tracing, doing analysis, so all of them are actually working on the similar type of matters. At the same time, we also have to understand that Ler was the head of the unit. So, in his particular position, he needs to have oversight of all the work that the staff is working on, and therefore he would have access to all the information in any case. So, I think it probably does not relate to this particular incident.

The new system that we put in place has audit trail and this audit trail was not meant to watch everybody and what they do. There are certain alerts that are built into the system where if there are excessive access to the information, or where there is unusual kind of access to information, it will be flagged up. The audit trail will also allow us, when something does happen, to look back.

Therefore, let me just put in perspective, we have to take a multi-pronged approach to data security. The first level is to have a system in place to prevent abuse of data – things like encrypted thumb drives. So, those are important to allow us to prevent attempts to abuse the data or illegal access to data. The second level is for us to detect should something happen and there are some suspicious activities that are going on. These are the audit trails which are important, the documentation which is important. The third level, which is equally important, and that is deterrence. And that is why if we were to find someone who has made an illegal access or who has abused information or has been less than careful with the information that he is entrusted with, then we must take stern action and that is what happened to Ler and Brochez – that is why they were charged in Court.

Only when we do these three would we be able to have a robust system of protecting our information. So, if you bear in mind that Ler himself was the head of the unit, the safeguards that you put in place, even if it is effective, he had the right to access. Even if you have audit trails, most of the things that he did from our audit over the last few years, when we checked what he did, based on our investigation, they were legitimate work that he was doing with MOH. Whether or not he was careful in protecting the data that he was using is a separate issue. Many of these may not be able to stop Ler from doing what he did but the deterrence is an important part to make sure that those who want to try have to be mindful of the penalties that could be imposed on him if they were ever caught. Therefore, these three must work hand in hand to ensure we have a robust system of data security – protection, detection and deterrence.

Ms Tin Pei Ling (MacPherson): This is a very unfortunate incident. I have got two questions. One is, may I know what is the risk of potential suicide amongst the affected individuals and what MOH may be doing to provide more support to help them tide over this very difficult period?

Second, is that I think quite clearly from the whole sequence of events, these two individuals, Brochez and Ler, lacked conscience, they are recalcitrant, spiteful, committed very despicable act and as Minister have mentioned also, despite having systems and policies in place, it did not stop Ler from abusing his position and authority. It did not stop Brochez even with the different time milestones after being discovered, did not stop him from being willful and spiteful. So, I am wondering whether the current penalties are deemed to be deterrent enough and whether there is scope to enhance the penalties further to prevent such individuals from ever committing such crimes ever again?

Mr Gan Kim Yong: Sir, two points. First, on the risk of suicidal tendencies. I get feedback from my medical social workers who are working on calling the patients and they do tell me that in their calls, there were patients who were suicidal and they have to manage the case very delicately. They have to sense the distress the patients are facing and they have to make a judgement how much to tell them, whether to stress them further, or to refer them for help. Often, when they come across a person who has a clear intention to do something drastic, they would refer them to the IMH for example who can manage them. Often, they would try to refer them to people whom they are familiar with, people who have been their support group so that they are able to continue to support them. But these are very delicate issues and I do not want to go into specific details for various reasons.

On the issue of – what is Member's second question?

Ms Tin Pei Ling: Whether the penalties are a deterrent.

Mr Gan Kim Yong: This is something probably for Ministry of Law to look into but I think we will press for whatever is allowable under the law. But because I think Ler's case is still being appealed, I would not want to go into the case's specific details. We will wait for the Court and the law to take its process.

Ms Sylvia Lim (Aljunied): I have got two clarifications actually for MCI so I am not sure whether Minister S Iswaran or Senior Minister of State Janil Puthucheary will take them. The first clarification is that, in this recent incident involving the NPHU, that the organisation concerned is actually within MOH and therefore I would like confirmation that it does not come under the auspices of the Personal Data Protection Act. That is the first clarification.

The second clarification is, I think earlier Senior Minister of State Janil Puthucheary went through the instruction manual or some policy about how the public sector safeguards personal data and if I heard him correctly, a lot of responsibility is placed on the department concerned to assess and come up with measures. My question is, in this recent incident involving the HIV leak, did any department outside MOH assess whether the arrangements that were in existence at the time when the breach occurred, whether the security arrangements were reasonable? Did anybody outside MOH come to any conclusion or inquire into the matter?

Dr Janil Puthucheary: Mr Speaker, for the first point Ms Sylvia Lim is correct – the PDPA does not apply. For the second point, the answer is yes, the arrangements that the MOH team and the officers who were involved in at the time were audited to be in compliance with the standards that were set. Those are not the same standards that are present today. The standards have changed, the training of officers has changed, and the deployment and use of technology has changed.

Mr Speaker: Mr Edwin Tong.

The Senior Minister of State for Health and Law (Mr Edwin Tong Chun Fai): Thank you, Mr Speaker. On Mr Leon Perera's point earlier on the sentence, just like to clarify that it was backdated to the time that he was first remanded, which was June 2016. And thereafter, he also had remission, as is usual, which accounted for the dates that the Member had in mind.

Mr Seah Kian Peng (Marine Parade): Just two supplementary questions for the Minister for Health. I am heartened by the additional measures that Minister has shared, one of which he mentioned was the setting up of the compliance team, I believe it was last year. I want to have a sensing of how big this compliance team is.

My second question is, on the one part we talk about deterrent measures, on the other part I wonder whether for positions within the Ministry which we consider as in possession of sensitive information, whether we could improve – prior to the appointment of people to these positions, whether we could subject them to additional tests on character, things which can allow us to sharpen the process of appointing these people to these positions. I recognise there are no foolproof systems but for these positions, I would request, perhaps it is already in existence, but I would request that perhaps these appointments be subjected to more tests prior to confirmation of their appointment.

Mr Gan Kim Yong: As I mentioned, we are now expanding the data governance division. We would need to look at the scope of the work and determine what is the size that we need. Currently, it is a very small unit and it is focusing on dealing with the policies, dealing with practices and reviewing MOH's governance practices on data security. But in order for them to do the audit function, to go down to the ground, to look at practices and to enforce practices, we would need to significantly enhance resources and these would include visiting and checking on the operations and practices on the ground to ensure compliance. Policies are as good as how much they are practised on the ground and therefore it is important for us to make sure that they practise what the policy requires. So, I think we will have to continue to enhance the size of the group.

On the recruitment for staff handling sensitive information, we will take a look, but there is no foolproof system because integrity of the person has to be tested over time. The Chinese says, "路遥知马力，日久见人心". So, sometimes you do the best you can in assessing a person's character, but you will never know until you have worked with him over a period of time. We also have to be careful with unnecessary discrimination when you deal with a character assessment. Some of these may not be objective. Therefore, in recruitment and selecting people, we would need to take quite a holistic approach and make a holistic assessment on the suitability of the person.

Mr Png Eng Huat (Hougang): I have two questions to ask the Minister. It was reported in the MOH website that Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV positive patients. So, the critical issue here is not really about failing to take reasonable care of the confidential information. The issue here is why did the MOH system at NPHU allow someone to download the entire database. You can access the database but why allow someone to download the entire database onto a thumb drive, to begin with. I seek confirmation from the Minister that there was actually no safeguard against such downloading of the entire database by authorised staff prior to 2016.

The second issue is, I also read from the MOH website that additional safeguards against mishandling of information by authorised staff were only put in place three to four years after MOH was first alerted to an allegation that Ler had misused the HIV Registry. I also understand earlier from Minister Iswaran that there are regular mandated IT audits done with regard to security of personal data at our public agencies. So, why did it take so long for MOH to implement the additional safeguards because authorised staff still can access and download the entire database like what Ler did, from 2013 to 2016 before the additional measures were put in?

Mr Gan Kim Yong: Let me first respond to Mr Seah's question on Data Analytics Group, we have about 50, but the number who is looking at the governance division, we have about six. So, we will need to expand the governance division.

On Mr Png's question, even in 2012, there were data security governance policies at that time stipulated by the Government through the Instruction Manuals (IMs) and so on. NPHU is compliant with the requirements stipulated in the Government's data governance policies. For example, even at that time, you were only allowed to download data onto Government-issued computers. Therefore, you were not allowed to download data into your own computers. You were allowed to have portable storage devices at that time, because the encrypted storage devices was only a requirement in 2017, as a Whole-of-Government policy, not MOH policy but Whole-of-Government.

Therefore, we were in compliance. The nature of Ler's job requires him to constantly operate on the database and, therefore, he is allowed to download the registry into his computer. Unfortunately, he did not protect the data by using an unencrypted thumb drive. At that time, we did not have the encrypted thumb drive policy, so he used a normal thumb drive and he did not protect the thumb drive. If you are using the thumb drive, you need to transfer files from computer to another Government computer to work on it, you ought to protect the thumb drive. The policy stipulates that you must ensure that your access to the confidential official information must be with you all the time. You must ensure that you have possession of the information all the time. But he was believed to have failed to keep the thumb drive with him at all times and, had therefore, contravened the OSA, and that is why he is charged on that basis.

Ms Irene Quay Siew Ching (Nominated Member): Can I ask the Minister, with PDPA exemption for MOH, what will be the recourse that the victims can seek as a result of this exposure of sensitive information? This is to address public trust for better accountability.

Mr Gan Kim Yong: Patients can take civil action against MOH on breach of data or loss of data. But we encourage them to talk to us, and we will discuss with them what are the ways to help them and to support them in whichever way we can.

Mr Dennis Tan Lip Fong (Non-Constituency Member): My question relates to what I understand was the blood test that was done at the clinic where Dr Ler was a locum. Brochez did the blood test at the clinic where Dr Ler was a locum. So, I would like to ask the Minister what are the rules preventing doctors from carrying out test for people they know which may put them in a position of compromise or conflict of interest, or question of independence may be raised exactly in the situation like when Brochez went to take a blood test at the clinic where Dr Ler worked? And just to supplement, to this end, whether or not the Minister think that we need to strengthen the governance in this particular area.

Mr Gan Kim Yong: I would need to be careful in answering this because the appeal is still in progress, but I can answer, probably, generally.

Generally, doctors have to exercise discretion and they will have to exercise judgement too. Under the ethical codes of conduct and guidelines, they will have to assess whether they do have a conflict of interest. If they feel that they have a conflict, they ought to make it known to the patient and to then step away from whatever procedure or treatment that they may be offering to them. But we cannot have a rule to say that you are not allowed to see everybody you know. Then, you have a problem, because doctors know many people. Therefore, eventually, it is the judgement of the doctor himself to assess whether by treating you, I do have a conflict of interest.

But I must say that in this particular case, it is not the conflict of interest, it is more than that. Brochez has been charged for cheating for fraud for specific reasons, so it is not just a conflict of interest. In Brochez's case, and the case is over. It was fraud.

Dr Lim Wee Kiak (Sembawang): Out of the 2,500 that MOH has contacted, has any of them been contacted and blackmailed? Was there any demand made on them in the first place? The Minister mentioned that there were a few of them that was given the link. When they were given the link, what was the demand? Under what circumstances, why were they given the link?

Mr Gan Kim Yong: Part of this is part of the Police investigation that is on-going. Maybe I can just say that Brochez is not very consistent in his communication with all the relevant parties. So, it is very difficult to fathom what is his motive in sending these letters or demands. So far, we have not received any complaints or feedback on blackmails or threats from our patients or from any of our contacts. So, I think I probably should not go too much into the mechanism and the process because this is part of the Police investigation work that is on-going.

Assoc Prof Walter Theseira (Nominated Member): This is a question about Government disclosure policy. I agree that in this case, the Government had to make a very difficult decision to balance transparency with the interest of those affected, and I do not want to second-guess that decision. But I fear that without a general Government policy on the issue, the Government will find it difficult to effectively rebut claims or conspiracy theories about Government's lack of transparency. So, I would like to ask the Government if it would find elucidating, developing a general policy on disclosure useful to enhance transparency and public trust in the Government.

Mr Gan Kim Yong: These issues tend to vary from issue to issue, from case to case. As much as I would like to have a standard rule and say, "This is not my problem; I just follow the rules" —

Hon Members indicated Senior Minister of State Dr Janil Puthucheary would give the reply.

Mr Gan Kim Yong: Okay.

Dr Janil Puthucheary: Mr Speaker, I thank Assoc Prof Walter Theseira for the question. There are general guidelines for the handling of data, the training of officers, the protocols that should be in place across the public sector including what are the considerations that should be taken into account after an incident occurs, with respect to the affected individuals, the processes of the agency and the broader public. So, it is not that there are no guidelines; it is not a vacuum. There is quite a lot of thoughts, considerations and processes that are in place. But there is no single general rule, simply because of the complexities of the situations as we have described today.

And as you have heard from the difficulties in making the judgement call in this incident, you can imagine that it would be very, very difficult to come up with some general rule which will ultimately get the right balance between the privacy of the individual and the public interest, and we do want to strike that right balance.

The other aspect to consider is that within the public sector, there are a number of other entities, Smart Nation and Digital Government Group, GovTech and also the security services and the Police where these matters can be reported to, and external view given by people who were not directly involved in the incident.

Mr Speaker: Order. End of Ministerial Statement. I propose to take a break now. I suspend the Sitting and will take the Chair at 4.00 pm.

Sitting accordingly suspended

at 3.41 pm until 4.00 pm.

Sitting resumed at 4.00 pm.

[Mr Speaker in the Chair]