The Government has put in place strong personal data protection laws and policies to safeguard sensitive data:


1. Data management by public agencies

Data management in the public sector is governed by the Public Sector (Governance) Act (“PSGA”) and the Government Instruction Manual on IT Management (“IM on IT Management”). The Personal Data Protection Act (“PDPA”) on the other hand, applies to the private sector. Two different legal frameworks governing data management in the public and private sectors are needed because there are different expectations of the services provided by the Government and the private sector. The Government is expected to deliver services in an integrated manner across agencies. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similarly integrated delivery of services across different private sector organisations.

Since 2001, our Government’s data security policies have been set out in the IM on IT Management. The IM on IT Management sets out how we manage and protect data (i.e. including personal data) in our ownership or control. In 2018, the PSGA was enacted to further strengthen public sector data governance. The PSGA imposes criminal penalties on public officers who recklessly or intentionally disclose data without authorisation, misuse data for a gain or re-identify anonymised data.


Find out more about the Government’s key personal data protection policies in the document below.

Government Personal Data Protection Policies


Find out more about the data-related provisions in Sections 6 to 8 of the PSGA in the link here


2. Data management by third parties of public agencies

The Government recognises that Agencies work extensively with Third Parties to deliver services to citizens, carry out operational functions, and plan and analyse policies. When doing so, these Third Parties may handle large volumes of data from the Government. Hence, the high standards of data protection that the Government places on itself must also extend to these Third Parties.

With this in mind, the Government has introduced policies to guide Agencies in ensuring that Third Parties adequately safeguard data. These policies are organised based on the lifecycle of the relationship between the Agency and the Third Party, namely: Evaluation and Selection, Contracting and On-boarding, Service Management and Transition Out (as shown in Diagram below). When working with Third Parties, Agencies will define the data security requirements that each Third Party has to comply with based on the Government’s data security policies.



Third Party is defined as a party (other than a data subjecta or an Agencyb) which

1. delivers, develops, implements, operates, provides or otherwise supplies ICT systems or services to an Agency, or

2. collects, stores or otherwise processes data for an Agency.

a   Data subject refers to the individual or entity to which the data relates.

b Agency refers to Organs of State, Ministries, Departments and Statutory Boards


Find out more about the key policies that govern how agencies work with its third parties to safeguard data in the document below:

TPM for public release-page-001

Last updated on 30 Apr 2020