Governments worldwide are under twin pressures – not only to use their data to inform policies, make better decisions, and deliver improved public services for less, but also to meet the public’s expectation that they maintain the highest standards of data privacy and protection.
Meeting both objectives is difficult, and both public and private organizations have suffered the consequences of data exposure or data losses that have eroded the trust of their citizens and customers by failing to safeguard private, personal information.
Singapore is taking action. Following two major data breaches in the last year, the government has announced measures to reform data-protection standards across the public sector.
The technical measures are the first from a new Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong. The committee was formed after a spate of cyber-security breaches over the past year, including one involving the personal data of more than 800,000 blood donors accessed illegally and uploaded on an unauthorized server for more than two months.
Singapore’s 13 technical measures rest on a common definition of sensitive information, set out in a new information sensitivity framework that will supplant the current practices of public agencies, many of which devised those practices themselves.
The 13 measures, which can be accessed in full here, are:
- Hashing with salt
- Field Level Encryption
- Dataset partitioning
- Data file integrity verification
- Password protecting and encrypting
- Digital Watermarking
- Email data protection tool
- Data loss protection tools
- Volume-limited and time-limited data access
- Automatic identity and access management (IAM) tools
- Enhanced logging and active monitoring of data access
Data security is necessary, but insufficient for uncompromised data privacy.
For sure, all organizations need strong password protection, access controls, and the many other security measures most organizations have in place today. But many breaches, like the database breach that Singapore suffered, come from insiders, who have authorized access that takes them past the traditional perimeter security controls.
Privacy controls are what protect individuals’ identities when their data is being accessed, whether or not the person accessing it is authorized to do so. So, if privacy controls are important, what are these controls, and what should governments and businesses be thinking about?
Ahead of the final report, the Singapore committee would do well to consider the following:
- Start with the principle of data minimization. Security has the principle of least privilege, whereby users should as a default be given the minimum systems privileges they need. Organizations should also adopt principles of data minimization and least identifiability, whereby users are given only the data they need, and in the least identifying form possible for their purposes. Singapore’s steps to adopt tokenization and masking are wise and should be supported by guidance on when and how to use them.
- Enterprise data de-identification requires a range of functionality. Different techniques are required for different types of data and different use cases. For example, de-identifying data for HR analytics requires a different technique than creating de-identified data for testing a new payments system. Organizations also need tools that help the user make informed decisions about which techniques to use and when. An enterprise-grade solution will need to work with a range of different technologies and deployment architectures.
- De-identification is crucial, but there’s more to privacy. It’s also about providing tools to enable effective data governance and management. It was encouraging to see the Singapore committee included data watermarking on their list of recommended measures. By inserting a pattern into the data itself, organizations can attach policies directly to the data, stating why a dataset was created, who it is to be used by and how, and when it should be deleted. If the data is then found outside of the parameters of that policy, the watermark can help the organization to identify that something has gone wrong and trace back to the person or group responsible. This helps ensure policies are being upheld, helps organizations respond faster to breaches, and acts as a deterrent for those using protected data.
- Effective data governance includes controlling linkability. This means controlling which datasets are linkable with others. This allows organizations to manage the risk associated with each group they provide with data. The Singapore committee’s recommendation to partition data so as to minimise risk is wise, but the next step is to be able to control linkability within and across those partitions.
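As an added illustration of the data-minimization and linkability points above (example code written for this article, not from Privitar or any Singapore agency), the following Python release function gives each purpose only the fields it needs, in the least identifying form, and uses a separate tokenization key per data partition so that tokens link within a partition but cannot be joined across partitions. The records, keys and purpose definitions are constructed assumptions.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample records; identifiers are made up, not real NRICs.
RECORDS = [
    {"nric": "S1234567A", "name": "Alice Tan", "dob": "1985-03-14",
     "postcode": "560123", "dept": "Finance", "salary": 5200},
    {"nric": "S7654321B", "name": "Bob Lim", "dob": "1990-11-02",
     "postcode": "560456", "dept": "Finance", "salary": 4100},
]
# Hypothetical per-partition keys: releases into one partition share a key
# (tokens link), separate partitions do not (tokens cannot be joined).
PARTITION_KEYS = {"hr": b"hr-partition-key", "payments": b"payments-partition-key"}

def tokenize(value: str, key: bytes) -> str:
    # Keyed HMAC rather than a plain salted hash: with a public salt the small
    # NRIC space can still be enumerated; with a secret key it cannot.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(dob_iso: str, today: date = date(2019, 9, 1)) -> str:
    y, m, d = map(int, dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    lo = age - age % 10
    return f"{lo}-{lo + 9}"

# Least identifiability: each purpose gets only the fields it needs, in the
# least identifying form that still serves it (constructed purposes).
PURPOSES = {
    # Workforce analytics needs department, pay and rough age, not identity.
    "hr_analytics": {"partition": "hr", "token": ["nric"],
                     "keep": ["dept", "salary"],
                     "derive": {"age_band": lambda r: age_band(r["dob"])}},
    # Payments testing needs a stable key and an area, not name, pay or age.
    "payments_test": {"partition": "payments", "token": ["nric"],
                      "keep": [], "mask": {"postcode": 2}},
}

def minimise(record: dict, purpose: str) -> dict:
    spec = PURPOSES[purpose]
    key = PARTITION_KEYS[spec["partition"]]
    out = {f + "_token": tokenize(record[f], key) for f in spec["token"]}
    for f in spec["keep"]:
        out[f] = record[f]
    for new, fn in spec.get("derive", {}).items():
        out[new] = fn(record)
    for f, keep in spec.get("mask", {}).items():   # keep a prefix, star the rest
        out[f] = record[f][:keep] + "*" * (len(record[f]) - keep)
    return out

def release(purpose: str) -> list:
    return [minimise(r, purpose) for r in RECORDS]
```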
One example of an organization that has implemented many of these measures is the UK’s NHS Digital. NHS Digital uses comprehensive de-identification capabilities, central policy management, data watermarking, and other advanced privacy enhancing technologies. A key feature of the solution is the ability to allow for datasets to be linked without revealing the raw identifiers. Using partially homomorphic encryption ensures that datasets from different providers can be joined together by the central organization, but if the data is exposed it cannot be linked by any other party.
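The data watermarking recommended above, and used by NHS Digital, can be shown in miniature with the following added Python example (written for this article; it is not NHS Digital's or Privitar's implementation). Each recipient's copy of a dataset carries a keyed, recipient-specific parity pattern in a non-significant digit, and a leaked copy can be traced back to the recipient it was issued to. The key, dataset and recipient names are constructed assumptions.

```python
import hmac
import hashlib

WATERMARK_KEY = b"hypothetical-watermark-key"   # held only by the data owner

# Constructed dataset: a row id plus an amount whose last digit is not
# significant for the recipients' purposes, so it can carry the mark.
DATASET = [{"id": i, "amount": 1000 + 37 * i} for i in range(1, 41)]

def _mac(recipient: str, row_id: int) -> int:
    msg = f"{recipient}:{row_id}".encode()
    return int.from_bytes(hmac.new(WATERMARK_KEY, msg, hashlib.sha256).digest()[:4], "big")

def watermark(rows: list, recipient: str, fraction: int = 2) -> list:
    """Copy of rows carrying a recipient-specific mark: on roughly 1/fraction
    of rows (chosen by keyed MAC) the parity of the amount's last digit is
    forced to a MAC-derived bit. Without the key nobody can tell which rows
    are marked, or forge a mark pointing at someone else."""
    out = []
    for r in rows:
        m = _mac(recipient, r["id"])
        amount = r["amount"]
        if m % fraction == 0:                  # this row carries a mark
            bit = (m >> 8) & 1
            if amount % 2 != bit:
                amount += 1
        out.append({**r, "amount": amount})
    return out

def trace(leaked: list, recipients: list, fraction: int = 2) -> tuple:
    """Score each candidate by the share of its marked rows that agree with the
    leaked copy; the source scores 1.0, an unrelated recipient about 0.5.
    Returns (best_recipient, agreement_ratio)."""
    best = (None, 0.0)
    for name in recipients:
        marked = hits = 0
        for r in leaked:
            m = _mac(name, r["id"])
            if m % fraction == 0:
                marked += 1
                hits += int(r["amount"] % 2 == ((m >> 8) & 1))
        ratio = hits / marked if marked else 0.0
        if ratio > best[1]:
            best = (name, ratio)
    return best
```

A real deployment would mark more rows than an adversary can afford to perturb and would tie the recipient identifier to the policy record (purpose, permitted users, deletion date) the article describes.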
Data privacy engineering is a rapidly evolving field, as it needs to be to deal with the rapidly evolving threats and the enormous opportunities of the data age. That’s why it's paramount to work with experts who understand what is possible today, and what will be coming tomorrow.
The approach the Singaporean Government is taking is correct, both with regard to the involvement of external experts in their committee and looking across the public sector to ensure consistency of standards.
Other countries will benefit by following Singapore’s lead before, rather than after, they suffer a major privacy incident.
Guy Cohen is a Strategy and Policy Lead at Privitar.