Five lessons from the Singapore Data Security Review

By Gareth Shercliff - December 02, 2019

Last Thursday saw the release of the Singapore Public Sector Data Security Review Committee (PSDSRC) report into data security practice. Commissioned as a response to “several data breaches” in the healthcare sector, it had a wide remit in making recommendations for change in data privacy practices across the central government of Singapore.

Although intended for central government, the themes of this report have broader significance to any organisation that makes use of personal data. 

The recommendations are disparate and complex, and implementing them is hard.  Finding and partnering with a data privacy vendor who is able to interpret and apply these to your own organisation, using best in class technology to support you on your journey is key.

1. Consistent, controlled and transparent application of privacy policy

It doesn't matter how good policies are if they aren't applied effectively and consistently. It only takes one pocket of non-compliance to put the whole organisation at risk. The report rightly recognises how privacy enhancing technologies (PETs) are a critical enabler, but they too need to be used properly and consistently to deliver on their promise.


Technologies selected by the organisation to enforce privacy policies must be able to operate at enterprise scale and interoperate with the IT and organisational structures which already exist and which will continue to evolve.  To deliver at the enterprise level, partners should have a proven track record integrating with key systems and processes.

2. Access controls are necessary, but not sufficient

Planning for the failure of access controls and a subsequent data breach is recognised as the new reality by the committee.  That means data needs to be tokenised as a minimum, with other obfuscation techniques potentially needed too.

Watermarking of data is also highlighted as a critical tool, which can be used to identify where, when, why and for whom any dataset was requested.   This improves data breach responses, and provides an additional incentive for data users to be careful with data.

3. End-to-end data privacy requires enterprise-grade data lineage and audit

A majority of the recommendations in the report raise the need for applications and tooling. If organisations are to protect and monitor data through its full lifecycle, then applications must also support key data governance processes, such as audit,data lineage, and (more broadly) metadata management.

Organisations must choose best in class tools.  Partner with a vendor that takes provenance of data and processes as seriously as you and the regulator do, and who can demonstrate how their tools directly support your wider data governance programmes.

4. Privacy protection should be based on who is going to be using the data, and for what purpose

The most encouraging theme is the recognition that one size does not fit all for data protection.  Asserting that data can be either “under or over-protected”, the committee see it as important to balance privacy risk against the value in using the data, and that adopting a principle to “access and use data for the task in hand” is appropriate.  

The implication is that organisations need to be able to create, protect, manage and eventually retire datasets, and do so based on the privacy risk inherent to the user’s context (who and where the users are) and what the user is doing (what the most valuable parts of the data are to them).

Provisioning datasets by use case with protections based on the specifics of that context allows for a better privacy/utility trade off.

5. Dealing with privacy is a continuous journey

Privacy requirements, compliance programmes, and best practices will continue to evolve.  Similarly, many promising PETs are still emerging. To respond to the “new risks [that] will continue to emerge as technology advances” the committee suggests that organisations “develop and maintain expertise in advanced technology”.

Building partnerships with vendors that are shaping the future of PETs is key. The stakes and potential returns for privacy are higher than for usual IT partnerships.  Regulators have powers to enforce major penalties on organisations that break the rules. Conversely, organisations that are able to unlock the most value from their sensitive data will see a transformative effect on their bottom line.  Organisations should therefore actively seek to form partnerships with innovative vendors who have a proven track record of commercialising privacy technologies.

Conclusion

When selecting a privacy vendor to partner with, organisations should ensure that vendor takes a view of privacy which is context- and risk-centric.  Data lineage, transparency, consistency and enterprise integration should be embedded at the core of the vendor’s technology and product roadmap. Finally, organisations should partner with a privacy vendor that can help them shape their own future.