Data Compliance and Data Governance are imperative for Singapore's public sectorBy Jimmy Kwang
For the past years, Singapore has witnessed a significant increase in cybersecurity challenges. The threats and attacks in public agencies and private institutions caused a tremendous impact on the country’s data and security landscape. The call for better regulations in data governance, compliance, and security guardrails has elevated further the pandemic. The virtualised environment translates to an open playing field for potential cybersecurity threats.
What must Singapore do, especially its public agencies, to avoid unfortunate situations such as the 2018 data breach of 1.5 million healthcare patients on the SingHealth’s database, or the 2019 leakage of personal data of 2,400 Ministry of Defence personnel? What practices and concepts should public agencies consider in order to implement a robust compliance and governance framework?
A strong data governance programme is a pivotal part of the landscape for data protection and privacy compliance. The traditional data governance disciplines of data ownership, metadata management, data cataloguing, data quality management, and model governance apply to protection and privacy. Singapore must implement data governance programmes that support data protection compliance which also support broader adherence to data sovereignty regulations.
The sections below focus mainly on the technology and process dimensions; the people and culture dimension is shaped by each public agency’s organisational culture and context.
First, limits must be set in data collection
According to a recent data trust report, the decrease of public trust in public agencies collecting data and in the technologies that rely upon this data has provoked a backlash that endangers society’s ability to access and use trusted data for the common good. There is an urgent need to explore new data governance models that give individuals a measure of control over their personal data. At the same time, industry and governments also have to work to define, protect, and advance digital rights concepts.
In Singapore, the Public Sector Data Security Review Committee Report or PSDSRCR; 2019 states that public agencies are to collect data of value only when it is not part of the Government Data Architecture Single Source of Truth (SSOT) dataset. In short, public agencies need to maintain clear retention policies pertaining to the purging of data when the data user no longer requires it. This ensures that there are limits to collecting personal data and that any such data is managed by lawful and fair means by the public sector.
From a technology perspective, the public agency’s data management platform should support the different phases of the data lifecycle: namely collect, transform, govern, and share. During the collection phase, agencies that collect data must, first, be able to validate that the required data is not already available in the SSOTs; and, second, have the ability to ingest across different data sources and formats, as the required information might come from an industry source or an application.
In addition, agencies should leverage technologies such as natural language processing for efficient extraction and tagging of personal data from mediums such as free-form text within a document, an application, or user-generated content within a web or mobile application.
Beyond collection limitation, during the transformation and governance phase of the data lifecycle, the agency should exercise control over data access or retention policies. For example, it should be able to set users’ access permissions and the types of activities they can perform on the data.
There is a need to control the volume of data users can download from government information systems and the time users access the data in the sharing phase.
In the context of public data collection, there is a clear need for an iterative process between communities, governments, and corporations, committed to co-evolving regulation and technology through a governance model that recognises a plurality of interests. This then shapes an enabling environment that does not sacrifice the public’s right to the technology or data it participates in creating.
Data quality is critical
Another essential element of a strong data governance framework is data quality. Accuracy, completeness, consistency, timeliness, uniqueness, and validity are the chief measures of data quality, and methods to ensure data quality should be built into the data management platform.
For example, data quality techniques such as profiling enable data users to explore, identify, and assess whether the data they are using is inaccurate, inconsistent, or incomplete. Techniques such as data deduplication and data matching enable agencies to create a 360-degree view of a citizen’s behavioural profile across datasets from the SSOTs or agency-specific databases.
Another data security technique is encryption, which protects data by transforming it into unreadable cipher text. Only users with the proper password and cryptographic file can decrypt the cipher text and read the original data. Encryption not only protects data from internal and external leakage, but also reduces the risk of sensitive data being exposed during transmission between systems.
There is a clear need to explore new models that provide the public agencies with control over data and the technologies that use them and advance the public good. Precise definitions of a new data governance programme, with the inclusion of the data quality techniques, enable governments, industry and society to pilot their applications and learn through experimentation and implementation.
Accountability is key
Data users and owners need to be accountable for their actions in order for any data governance and protection framework to work. For example, public officers in Singapore implements fines up to $5,000, and/or up to two years imprisonment and disciplinary actions under the 2018 Public Sector (Governance) Act. These punishments are applicable not just to public officers, but also to third parties involved that provide services to public agencies.
Thus, having an effective data management platform that provides auditable evidence of negligent acts and intentional data breaches is key for accountability. Functionalities such as data lineage enable agencies to monitor and trace users’ actions on the data over time. Data lineage also lets organisations trace data across a landscape of applications and systems as well as track the sources and types of modifications performed on the data. Ultimately, tracking lineage ensures that data modifications are properly documented and can potentially serve as evidence in the event that a public officer tampers with personal data.
Public agencies must take ownership of data stewardship which is crucial to data governance’s success, which is critical to data management success. Public agencies are the public’s data stewards that collect, document, and maintain both data and metadata, such as data definitions and business rules. Establishing an enhanced framework of accountability measures for public agencies provide the public with stronger protection against privacy violations and the unethical collection and use of their personal data.
Governments have too often taken a reactive approach to regulation and governance; first letting the market develop freely and then only setting in motion incremental change as threats and problems emerge, as reported by a recent data trust report. Whilst this may work in slower-moving fields, they are insufficient for the challenge of data governance in a nation such as Singapore, where new business models can scale very rapidly, reaching millions of consumers worldwide in only a short time.
Singapore’s public sector’s data governance and protection framework for touch on information practices and concepts, including collection limitation, data quality, security safeguards, and accountability. These principles and their corresponding implementation need to be addressed through technology like a data fabric platform, people, and processes to derive maximum organisational effectiveness.
The economic and health situation reminds us every day; expectations are high on the part of the population. According to Accenture’s Public Service for a New Era report, “meeting the needs of citizens, businesses, and public servants mean harnessing the power of transformative technologies and becoming a truly data-driven organisation that analyses, shares and acts on data insights to make a lasting difference in people’s lives.”
Singapore should stimulate data governance as a tool to increase access to quality data and promote a more equitable distribution of its value. By increasing the governance capabilities, public authorities will have the resources to explore ways to make the right to privacy means in the digital context, for instance, by making the agencies accountable and adjusting legislative frameworks to empower the public with the right to exercise revocability, portability, and erasure. A robust ecosystem of data governance framework is the catalyst for enabling the public to trust the public agencies that reflect their privacy preferences and support their values.