Ensuring Third Party Contractors in Government Projects Adopt High Cybersecurity Standards

38 Mr Desmond Choo asked the Prime Minister in light of the recent personal data breach involving the Ministry of Defence, how is the Ministry working with Government agencies to ensure that their third party contractors adopt high standards of cybersecurity and that cybersecurity competency is an essential criterion for awarding of Government contracts.

Mr Teo Chee Hean (for the Prime Minister): Third party contractors of Government agencies handling personal data are required to implement cybersecurity and data protection measures. Penalties may be imposed where there are contractual breaches or acts contravening the Personal Data Protection Act (PDPA).

The Government has accepted the recommendations of the Public Sector Data Security Review Committee (PSDSRC). These include measures to strengthen the management of third party contractors that handle data on behalf of the Government, such as incorporating data security and governance requirements into the contract with the third party, and regular audits to ensure compliance. These could have helped to prevent or mitigate similar data incidents. The high standards of data protection that the Government places on itself must also extend to these third parties.

Investigations regarding the recent personal data incidents involving third-party vendors contracted by MINDEF are still underway. GovTech will work with MINDEF to identify any gaps and address them across the public service and its third party vendors.