Dear privacy pros,
It has been a busy week with plenty of news for colleagues based in Singapore to digest.
In an unfortunate turn of events, it was discovered that earlier reports concerning a data breach in the public health care sector were wrong in assuming that the data was only accessed by the cybersecurity expert who discovered the vulnerability. It turns out that the server on which personal information of more than 800,000 blood donors was improperly uploaded by an independent vendor of the Health Sciences Authority had, in fact, been accessed under suspicious circumstances from a number of other IP addresses. This raises the possibility that sensitive information might have been exfiltrated by hackers.
This incident follows a number of other high-profile cases affecting public-sector organizations, including the SingHealth data breach and the HIV data registry leak. It appears this may be the proverbial straw that broke the camel’s back.
The Singapore government recently convened a committee to review data collection and protection practices of government agencies, vendors and other third parties. The committee is chaired by Deputy Prime Minister Teo Chee Hean and includes Foreign Minister Vivian Balakrishnan, Communications and Information Minister S. Iswaran, Minister of Industry and Trade Chan Chun Sing, and Senior Minister of State of Communications and Information and Transport Janil Puthucheary.
The constitution of the committee demonstrates the government is serious about tackling systemic weaknesses that led to the incidents above and shoring up public trust. However, it has also raised important questions, including whether the public sector should continue to be exempted from the Personal Data Protection Act. While it is true that government agencies are already required to comply with similar rules in the Public Sector (Governance) Act and Government Instruction Manuals and that it may not be meaningful to impose financial penalties on them (given that the fine would eventually be paid by the taxpayer), one cannot help but wonder whether the extension of the PDPC to public-sector organizations might be more effective in fostering circumspection and accountability than any recommendation that the committee might make.
Also top of mind recently is the responsibility big tech companies have in policing "fake news," hate speech and other nefarious content on the internet. In the aftermath of the Christchurch shooting, Facebook CEO Mark Zuckerberg has called for greater governmental oversight and more global rules in four specific areas: harmful content, election integrity, privacy and data portability.
Singapore has taken Facebook up on its offer almost immediately. A draft bill tabled in the Singapore Parliament Monday would impose criminal sanctions on individuals who spread online falsehoods with malicious intent, as well as penalties of up to S$1 million on firms that do not act swiftly to limit the spread of such falsehoods. Under the Protection from Online Falsehoods and Manipulation Bill, ministers are empowered to give a directive to internet platforms to remove or correct misinformation if there is a false statement of fact, and it is in the public interest for the government to take action. This allows the government to act quickly in curbing the spread of viral content, but the court will act as a checking mechanism as the minister’s decision may be subject to legal challenge.
A number of concerns have already been raised by industry players including Facebook. No doubt there will be lots of further discussions on the draft bill in the weeks to come.
As we would say in Singapore, “akan datang” (“coming soon” or “stay tuned”)!