Government's Personal Data Protection Laws And Policies
Government’s Personal Data Protection Laws And Policies
The Government has put in place strong personal data protection laws and policies to safeguard sensitive data.
- Data Management in the Public Sector
- Data Management by Third Parties of Public Agencies
- Data Protection Trustmark Certification
Data Management in the Public Sector
Data management in the public sector is governed by the Public Sector (Governance) Act (“PSGA”) and the Government Instruction Manual on Infocomm Technology & Smart Systems Management (“IM on ICT&SS Management”). The Personal Data Protection Act (“PDPA”) applies to the private sector. Two different legal frameworks governing data management in the public and private sectors are needed because the public has different expectations of the services provided by the Government and the private sector. The Government is expected to deliver services in an integrated manner across agencies. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similarly integrated delivery of services across different private sector organisations.
Since 2001, the Government’s data security policies have been set out in the IM on ICT&SS Management. The IM on ICT&SS Management sets out how the Government manages and protects data (including personal data) in its possession or control. In 2018, the PSGA was enacted to further strengthen public sector data governance. The PSGA imposes criminal penalties on public officers who (a) knowingly or recklessly disclose data without authorisation; (b) misuse data that results in personal gain for the public officer or another person, or harm or loss to another person; and (c) knowingly or recklessly re-identify anonymised information without authorisation.
In 2019, the Public Sector Data Security Review Committee (PSDSRC) recommended additional technical and process measures to protect data and prevent data compromise. The recommended measures have since been incorporated into the IM on ICT&SS Management and sets out how data security is managed by agencies. The data security policies prescribe data security requirements, including technical and process controls, to safeguard data against security threats.
As part of the PSDSRC recommendation to provide the public with more information about the Government’s approach to personal data protection, the Government started publishing its policies and standards on personal data protection on this microsite in 2020.
Find out more about the Government’s key personal data protection policies in the document below:
Find out more about the Government’s key data security policies in the document below:
Click on the link to find out more about the data-related provisions in Sections 6 to 8 of the Public Sector (Governance) Act.
Data Management by Third Parties of Public Agencies
The Government recognises that Agencies work extensively with Third Parties to deliver services to citizens, carry out operational functions, and plan and analyse policies. When doing so, these Third Parties may handle large volumes of data from the Government. Hence, the high standards of data protection that the Government places on itself must also extend to these Third Parties.
With this in mind, the Government has introduced policies to guide Agencies in ensuring that Third Parties adequately safeguard data. These policies are organised based on the lifecycle of the relationship between the Agency and the Third Party, namely: Evaluation and Selection, Contracting and On-boarding, Service Management and Transition Out (as shown in Diagram below). When working with Third Parties, Agencies will define the data security requirements that each Third Party has to comply with based on the Government’s data security policies.

A Third Party is defined as a party (other than a data subject1 or an Agency2) which
-
delivers, develops, implements, operates, provides or otherwise supplies ICT systems or services to an Agency, or
-
collects, stores or otherwise processes data for an Agency.
Find out more about the key policies that govern how agencies work with its third parties to safeguard data in the document below:
Data Protection Trustmark Certification
The Data Protection Trustmark (DPTM) certification is a voluntary, enterprise-wide certification that validates an organisation’s data protection practices.

Jointly developed by the Personal Data Protection Commission (PDPC) and the Infocomm Media Development Authority (IMDA), the DPTM certifies third parties providing services to the Government who have robust data protection practices to ensure our citizens’ personal data are adequately safeguarded. The DPTM also allows organisations to demonstrate that they are in compliance with the Personal Data Protection Act (PDPA) and IM8 Personal Data Protection Policies & Standards.
Click on the link to find out more about IMDA’s Data Protection Trustmark certification.