Govt made 41 police reports in past three years over loss of personal data: DPM Teo
SINGAPORE — Over the past three years, the Government has made 41 police reports over the loss of personal data by its agencies, said Deputy Prime Minister Teo Chee Hean on Wednesday (Feb 13).
Mr Teo was responding to a question from Nominated Member of Parliament Walter Theseira in Parliament about the frequency of lapses involving personal data in government agencies.
Incidents of government data leaks have made the headlines of late, with the most recent case involving Singapore’s HIV Registry.
The data breach — announced by the Ministry of Health (MOH) on Jan 28 — was the work of American Mikhy K Farrera Brochez, whose partner Ler Teck Siang had access to the HIV Registry as head of the ministry’s National Public Health Unit from March 2012 to May 2013.
The leak affected 14,200 individuals diagnosed with the human immunodeficiency virus (HIV) and 2,400 of their contacts.
Associate Professor Theseira had asked Prime Minister Lee Hsien Loong how often security incidents involving Government personal data were reported to the police or the Personal Data Protection Commission (PDPC) each year from 2014 to 2018.
He also asked what proportion of the cases were disclosed to affected individuals, and how long it took to notify them.
Responding on behalf of the prime minister, Mr Teo said: “Loss of personal data by government agencies is reported to the police when there is suspected foul play, or when a physical asset such as a laptop is missing.”
He clarified that the incidents were not reported to the PDPC because it is “not (its) function to investigate Government-related incidents”.
In seven of the 41 incidents, affected individuals were notified. In another four, both the affected individuals and the general public were informed.
While Mr Teo did not specify in his response what these 11 incidents were, he said it took an “average of three weeks” from the police report to notify the individual.
“These reports have been made in a timely manner, with 80 per cent submitted on the same day as the discovery of the incident,” he said.
Elaborating on why it took three weeks, Mr Teo said that this was generally the time needed to “identify the exact individuals affected and assess the extent of loss, to give an accurate report of the situation to the affected individuals and to recover or safeguard evidence for potential future prosecution”.
The remaining 30 police reports concerned the loss of physical assets such as laptops, he said.
“No specific individual’s data was compromised. Government laptops are protected by encryption and laptops that are reported lost will be immediately blocked from the Government network.”
Regardless, he said the affected agency would work with the police to “make a best effort to recover it” as this remained a “serious concern”.
DATA MISHANDLING REPORTED INTERNALLY, NOT TO THE POLICE
Mr Teo said incidents of data mishandling are dealt with internally because police assistance or intervention is not required.
“(They) typically involve the accidental mailing of letters containing personal information to the wrong recipient; or mass emails in which officers mistakenly included all recipients’ email addresses in the ‘cc’ field rather than the ‘bcc’ field.”
In such cases, he said that the affected agencies will inform and apologise to the relevant individuals and follow up with necessary education and discipline to “avoid a future occurrence”.