Personal Data Information Lapse Incidents Reported and Disclosed to Public
Prime Minister's Office
Summary
This question concerns Assoc Prof Walter Theseira’s inquiry regarding government personal data security incidents from 2014 to 2018, including reporting frequencies, disclosure rates, and notification timelines. Senior Minister Teo Chee Hean stated that 41 police reports were made over three years for suspected foul play or missing assets, with 80% filed on the day of discovery. Out of these, individuals were notified in 11 cases—four of which were also disclosed to the public—following an average three-week period for assessment and evidence recovery. Senior Minister Teo Chee Hean clarified that the Personal Data Protection Commission does not investigate government incidents and that 30 reports involved encrypted assets where no individual data was compromised. For internal data mishandling, agencies directly notify and apologise to affected individuals while implementing staff training and disciplinary measures to prevent future occurrences.
Transcript
2 Assoc Prof Walter Theseira asked the Prime Minister for each year from 2014 to 2018 inclusive (a) what is the number of Government personal data information security incidents reported to the police or the Personal Data Protection Commission (PDPC); (b) what proportion of cases have been disclosed to the public; (c) what proportion of cases have been disclosed to the affected individuals; and (d) what is the average duration that had elapsed between the incident date, internal confirmation of the incident, incident reporting to the police or PDPC, and disclosure to the public, respectively.
Mr Teo Chee Hean (for the Prime Minister): Loss of personal data by Government agencies is reported to the police when there is suspected foul play, or when a physical asset such as a laptop is missing. Over the past three years, the Government made 41 such reports to the police. These reports have been made in a timely manner, with 80% submitted on the same day as the discovery of the incident. These incidents are not reported to the PDPC, as it is not their function to investigate such Government-related incidents.
In seven of these 41 incidents, the individuals affected were notified. In another four of these incidents, both the individuals affected and the general public were informed. Among these 11 cases, it took an average of three weeks from the police report to notify the individual. This was the time taken to identify the exact individuals affected, and assess the extent of loss, to give an accurate report of the situation to the affected individuals, and to recover or safeguard evidence for potential future prosecution. The time required varies from case to case depending on the complexity of the incident.
The remaining 30 police reports concern loss of physical assets such as laptops. No specific individual's data was compromised. Government laptops are protected by encryption and laptops that are reported lost will be immediately blocked from the Government network. Nevertheless, a lost laptop remains a serious concern and the agency affected will work with the Police to make a best effort to recover it.
From time to time, there are also incidents of data mishandling that are reported internally but not to the police. Such incidents typically involve the accidental mailing of letters containing personal information to the wrong recipient; or mass emails in which officers mistakenly included all recipients' email addresses in the cc field rather than the bcc field. The affected agency will inform and apologise to the affected individuals, and follow up with the necessary staff education and discipline to avoid a future occurrence. Police assistance or intervention is not required.