Public Sector (Governance) (Amendment) Bill - Cai Yinzhou
Reposted from Source: MDDI Singapore (12 January 2026 - 2:58 PM)
Full Transcript
Mr Cai Yinzhou (Bishan-Toa Payoh): Mr Speaker, Sir, I rise in support for the amendments to the Public Sector (Governance) (Amendment) Bill.
As Minister of State Jasmin Lau shared, I note that in tandem with the HIB, the Public Service (Governance) Bill complements and allows the Government to deliver better social services to Singaporeans nationwide, by permitting public agencies to share and use data across agencies, as well as with non-public sector partners. With the appropriate safeguards to prevent misuse, this amendment Bill will enable targeted and effective delivery of social services to those who need it the most.
My Toa Payoh Central residents, with a significant elderly population, are supported by various social service providers, such as Care Corner, TOUCH, Dementia Singapore, NTUC Health, People’s Association, as well as many other local community healthcare services and organisations. Non-public social service providers would benefit from greater collaboration and information-sharing with the public sector agencies serving the same community needs.
Similar to how schemes like the Housing and Development Board Flat Eligibility process and ComCare financial assistance require pulling of data from various sources, I agree that the enhancements will allow for timely access in delivering support and ensuring that no one is left behind.
In order to better enable the delivery of social services to our communities, I have two points of clarification for the Minister’s consideration.
First, I would like to ask the Minister to clarify what safeguards will be put in place to ensure that data shared with non-public sector organisations is safe from malicious third-party cyberattacks and data breaches.
We live in a day and age where no organisation is safe from cyberattacks, including our social service providers and charitable organisations. For example, in May 2019, more than 4,000 individuals had their personal information leaked after part of the reputable blood donation organisation’s website was hacked. Personal names, contact numbers, email addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations were compromised.
According to the Singapore Cybersecurity Health Report in 2023, which surveyed more than 2,000 small, medium and large organisations in Singapore, over eight in 10 organisations encountered a cybersecurity incident that year.
As hackers use sophisticated techniques to evade detection, they lurk in networks to spy over the long term, to steal sensitive information or disrupt essential services, among other objectives. Therefore, my question is, how will external partners be expected to keep up and maintain safeguards, before they can receive shared data from public agencies?
Whether in the form of encryption standards or increased incident response capabilities, how regularly would these safeguards be reviewed? Risk profiles and ownership may change over time as organisations change systems, employees or subcontractors. Regular audits and reviews of the cybersecurity capabilities of external partners would ensure a safe and secure transfer of data between the public and non-public sectors. And I am sure what many SSAs will also want to know is the details of the terms of funding, which will be allocated specifically for beefing up of their IT infrastructure.
Secondly, I would like to ask whether the Ministry will consider introducing financial penalties against non-public sector organisations which have misused data shared under this Act. The amendment currently states that it is an offence for organisations to carry out improper disclosure or use of data/information by individual employees or officers of non-public sector organisations.
Individual accountability is important, especially in cases where a single individual or a small group of individuals may be directly responsible for the misuse of shared data. However, in other data incidents, responsibility is unable to be traced back to one single employee. The failure may be organisational, for example, due to weak internal controls, poor access governance or inadequate training.
In those cases, it is especially important for a strong framework of organisational liability to exist, to ensure that liability can be correctly attributed to a wider variety of situations. For example, under the PDPA, the Personal Data Protection Commission can impose financial penalties against an organisation for intentional or negligent contraventions of PDPA.
I would like to clarify whether the Ministry intends to look into imposing similar financial penalties on organisations who have contravened data sharing and use directions issued under PSGA. This may be necessary considering the sensitivity of the information shared by the Government with non-public entities.
Mr Speaker, Sir, in conclusion, I strongly support this amendment's efforts in further facilitating information sharing in a protected manner, ensuring that our Government's efforts will be better able to support Singaporeans nationwide. These additional measures will ensure that the public continues entrusting personal data to the Government and, by extension, its external partners, upholding its commitment to data security. Notwithstanding these clarifications, I support this amendment Bill.
Ms Jasmin Lau (Minister of State) (Excerpt): Mr Cai Yinzhou mentioned many social service providers that support his Toa Payoh Central residents – Care Corner, TOUCH, Dementia Singapore, NTUC Health and others. These partners can benefit from data sharing with public agencies, serving the same community needs. Our seniors can receive more coordinated care. Families in difficulty need not repeat their circumstances to multiple parties. And the staff working in these social service providers can focus their time and their energies on providing tangible help, rather than collecting duplicative information again.
Ms Jasmin Lau (Excerpt): Mr Cai and Mr Kwek asked about cybersecurity expectations for our external partners. And Mr Cai also rightly noted that no organisation is immune to cyberattacks. As I shared, our approach is to set standards proportionate to risk. We have baseline standards that all partners must meet, with more stringent requirements when sensitive data is involved. When the data security space evolves and new requirements are needed, public agencies will also update the Terms of Use so that our external partners are well-positioned to protect data.
Mr Kwek and Mr Yip asked about smaller partners who may lack resources. And Mr Cai similarly asked about how external partners would be expected to maintain safeguards against sophisticated attacks. While well-intentioned, tiering cybersecurity requirements so that smaller entities face less stringent standards is not advisable. A smaller entity may handle data sets that are as sensitive as larger partners and hence lowering the requirements simply due to them being smaller entities will not be proportional to the level of data risk.
Instead, our public agencies will work with our external partners to build the capabilities where necessary for the proper and responsible management of data shared with them. This was a point raised by Mr Sharael. As Ms Tan had suggested, this may involve ensuring robust systems, strong training and proper controls. Mr Kwek also suggested for MDDI and the Government Technology Agency of Singapore to provide common tools or shared platforms to help smaller organisations and partners meet the requirements. We will consider this.
Mr Cai asked whether the Ministry will consider financial penalties against organisations that misuse data. Mr Tiong also asked about organisational accountability. This is an important question. And Mr Cai is right that not all data incidents can be traced to a single employee. Failures may be organisational in nature, arising from weak internal controls, poor access governance or inadequate training. And in such cases, organisational liability matters.
Let me assure Members that such a framework already exists. First, organisational liability under the PDPA. External partners must comply with the obligations under the PDPA, such as maintaining reasonable security requirements preventing unauthorised access. The Personal Data Protection Commission (PDPC) can impose financial penalties on organisations for intentional or negligent contraventions. This also applies to personal data shared under the PSGA framework. So, the organisational penalties that Mr Cai asked about are already available under existing law.
Link to Hansard: Official Reports - Parliamentary Debates (HANSARD)