Closing Speech By MOS Jasmin Lau, For Second Reading Of Public Sector (Governance) (Amendment) Bill On 12 January 2026
12 January 2026
Mr Speaker, I thank the Members for their support and questions. Several Members raised questions on the scope and safeguards for data sharing with external partners.
Expanding PSGA is like building more bridges to help more people cross safely and access support earlier.
Every bridge must be built for a clear public purpose. Not for curiosity, not for convenience, not for commercial gains, but to connect people to something essential. Likewise, data will only be shared when there is a clear public service objective.
Access to the bridges must be properly authorised. Not everyone can direct traffic across the bridge, or change its structure. Likewise, data access will be tightly governed, with clear and defined approval processes, roles and responsibilities.
As the usage of the bridges grows, we must ensure that those who operate and maintain the bridges are capable and ready. This means that we will assess and uplift both the public sector and our trusted partners’ capabilities so that they can be trusted custodians of the data they receive.
Trust is sustained through accountability and transparency – through regular inspections, monitoring, and audits. And when something goes wrong, a responsible system responds decisively. We close, we fix, we make the bridge safe again. That is why we have clear incident management processes. We do not give up on building the bridges altogether.
This is how we help more people while strengthening trust. Because trust is not meant to be a brake that holds us back. Trust is what makes progress possible.
I will now address specific points that Members raised.
How the Bill will improve outcomes
Mr Henry Kwek asked for concrete examples of how the Bill will improve outcomes – particularly for those around us who need social and financial assistance, especially for our seniors and children.
I shared a few examples in my opening speech on how the PSGA framework has enabled more integrated delivery of support within Government. With this Bill, we can extend this approach to partnerships with Social Service Agencies, community partners, and Self-Help Groups – organisations with deep networks, cultural understanding and presence on the ground.
Mr Cai Yinzhou mentioned many social service providers that support his Toa Payoh Central residents – Care Corner, TOUCH, Dementia Singapore, NTUC Health and others. These partners can benefit from data sharing with public agencies serving the same community needs. Seniors can receive more coordinated care. Families in difficulty need not repeat their circumstances to multiple parties. And the staff working in these social service providers can focus their time and effort on providing tangible help, rather than collect duplicative information again.
The Framework for Sharing with External Parties – Three Safeguards for Data Sharing
Mr Kwek, Ms Jessica Tan and Mr Yip Hon Weng asked how the public can be assured that their data would be used appropriately.
Central to all of this is our focus on building and safeguarding trust, as noted by Mr Sharael Taha.
Let me explain the three safeguards that must be met before data is shared with external partners.
First, there must be a valid purpose. Data sharing must serve public purposes as provided for under the PSGA. To borrow Ms Tan’s words, data is not shared just because it is convenient or efficient for public agencies, but it must clearly support a real public need. The two main categories where Government will share and use data for remain unchanged: that this data will be used for better delivery of services to the individual and for policy analysis and formulation.
Ms He Ting Ru claimed that we are shifting from a rule-based framework to executive discretion in data sharing. Let me be clear that there is no such shift. Again, there is no such shift. The existing PSGA stipulates seven purposes, under which a Ministerial direction may be made for data sharing. These clear purposes, as well as all existing data governance rules, remain fully in place.
These purposes make it clear that citizens must benefit before data can be shared. Mr Kenneth Tiong may have misunderstood, but there will be no situation where we share data with partners for their commercial benefit.
What we are adding is a second layer of checks, referred to as the “further authorisation” in the Bill, for cases of sharing with external partners. This authorisation by the Minister is not a replacement for rules, but an additional safeguard.
Second, there must be proper authorisation. Before data is shared with external partners, it must go through careful deliberation within the public service, culminating in a sign-off by the Minister or his/her delegate. Each authorisation must clearly state the purpose for sharing, the scope of data to be shared, and the specific external parties receiving the data.
To Mr Yip’s question on the delegation of Minister’s authorisation, delegation, if done, will only be to the senior leadership level of the public service. Any delegation will be made public as provided for under the Interpretation Act.
The third safeguard is that our partners must comply with Terms of Use. Even if there is a valid purpose and proper authorisation, public agencies must assess the external partner’s ability to meet the requirements in the Terms of Use and impose these terms on them. Let me elaborate on these requirements, which Members have asked about.
These Terms of Use will include data security and protection safeguards such as using anti-malware software with up-to-date signatures and performing regular vulnerability assessments. Retention periods for the data will be specified and requirements to purge data when the retention period has ended will be mandated. External partners will also have to provide yearly declarations of compliance with the Terms of Use. Non-compliance needs to be rectified. Failing which, data access may be revoked.
On top of these, there will be higher requirements for more sensitive data. For instance, periodic audit checks at a higher frequency when more sensitive data is involved. These checks must be conducted by the agency or qualified third parties. Highly sensitive data will also require reviewing of privileged accounts monthly for access rights.
Before any data sharing is established, such terms will be discussed with the external partner to ensure that they are able to comply. As our trusted external partner may face liability under the contractual Terms, both the public agency and the external partner must be confident that the requirements can be complied with.
Principles of Data Protection
Dr Choo Pei Ling and Mr Yip asked about our principles for data protection and sharing.
The starting point is this: where identifiable personal data is not needed, anonymised data will be provided to external partners instead. As Dr Choo noted, public agencies also use privacy-preserving technologies to limit unnecessary exposure of data.
Where personal data is concerned, public agencies must continue to exercise judgement even if the statutory requirements allow for sharing with external partners should this Bill be passed. In the instance of health information which Dr Choo had asked about, for health information that is used for employment and insurance purposes in particular, there will be additional requirements under the public service’s rules to seek consent and conduct a personal data protection impact assessment under the PSGA. In cases like this where the data use is highly sensitive, an additional impact assessment may be made, and consent sought, even though it is not statutorily required. This is another example where more safeguards are put in place in proportion to the risk.
To Mr Yip’s and Ms He’s question about re-identification of anonymised data, this was already debated in 2018. Re-identification of anonymised data can be allowed only when it meets public sector objectives. For example, when certain datasets are corrupted or destroyed, and re-identification is needed to continue delivering services to citizens. Unauthorised re-identification remains an offence.
Several Members also suggested providing a list of external partners authorised under the PSGA. We will consider what is practical. Today, public agencies work with many partners on diverse purposes, often on an ad-hoc basis, and it could be challenging to share in detail a list of external partners or notify citizens for each use given the dynamic nature of these partnerships. But we thank Members for the suggestions and we will review the suggestion at a later date once we have sufficient experience with the Bill.
Individuals with concerns about how their personal data is being used can approach the relevant public agencies or the external partner. They can also report suspected misuse of their personal data or report data incidents through the Government Data Incident Reporting Platform.
Cybersecurity Standards and Partner Support
Mr Cai and Mr Kwek asked about cybersecurity expectations for our external partners.
Mr Cai also rightly noted that no organisation is immune to cyberattacks.
As I shared, our approach is to set standards proportionate to risk. We have baseline standards that all partners must meet, with more stringent requirements when sensitive data is involved.
When the data security space evolves and new requirements are needed, public agencies will also update the Terms of Use so that our external partners are well-positioned to protect data.
Mr Kwek and Mr Yip asked about smaller partners who may lack resources. Mr Cai similarly asked about how external partners would be expected to maintain safeguards against sophisticated attacks.
While well-intentioned, tiering cybersecurity requirements so that smaller entities face less stringent standards is not advisable. A smaller entity may handle data sets that are as sensitive as larger partners, and hence lowering requirements simply due to them being smaller entities will not be proportional to the level of data risk.
Instead, our public agencies will work with our external partners to build the capabilities where necessary for the proper and responsible management of data shared with them. This was a point raised by Mr Sharael. As Ms Tan has suggested, this may involve ensuring robust systems, strong training, and proper controls. Mr Kwek also suggested for MDDI and GovTech to provide common tools or shared platforms to help smaller organisations and partners meet requirements. We will consider this.
Accountability of Individuals and Organisations
Mr Cai asked whether the Ministry will consider financial penalties against organisations that misuse data. Mr Tiong also asked about organisational accountability.
This is an important question. Mr Cai is right that not all data incidents can be traced to a single employee. Failures may be organisational in nature, arising from weak internal controls, poor access governance or inadequate training. And in such cases, organisational liability matters.
Let me assure Members that such a framework already exists.
First, organisational liability under the PDPA. External partners must comply with the obligations under the PDPA, such as maintaining reasonable security requirements preventing unauthorised access. The PDPC can impose financial penalties on organisations for intentional or negligent contraventions. This also applies to personal data shared under the PSGA framework. So the organisational penalties that Mr Cai asked about are already available under existing law.
Second, contractual liability. I earlier mentioned many times the Terms of Use that public agencies will impose on private sector partners. Organisations receiving Government’s data must comply with the data protection and security safeguards in the Terms of Use, and may face liability under these contractual Terms for breaches.
Third, individual criminal liability. The Bill amends the PDPA to make clear that offences relating to personal data under the PDPA will still apply so that individuals that intentionally carry out unauthorised actions can be taken to task.
Fourth, coverage of non-personal data. The new PSGA offences cover non-personal data. And this means all data shared by Government, be it personal or non-personal data, is covered either by PDPA or PSGA in terms of penalties for misuse.
Mr Yip also asked if the severity of offences is large enough to deter bad actors. The penalties are aligned with current PDPA offences for external partners and PSGA offences for public officials. The possibility of imprisonment for misusing data is a significant deterrent.
Data Incidents
Mr Kwek and Mr Yip have raised concerns about data incidents.
We take these very seriously. All data incidents reported to Government will be properly looked into. When significant data incidents occur, we have strict requirements for public agencies to be accountable to the public and to affected individuals.
When incidents are likely to result in significant harm or impact on individuals or entities, affected individuals will be notified, except where it would adversely impact public interest.
Public agencies will take remedial actions to limit the impact of an incident, investigate and address vulnerabilities, and also to recover equipment and data. The Government will also continue to report on data incidents. External partners are obligated to report to the public agency or to PDPC when significant data incidents occur.
Mr Kwek asked how Government will assess responsibility in a way that is firm, fair and predictable, if a serious incident happens despite reasonable safeguards. Liability is assessed in context: we look at all of the facts and the circumstances, and consider the nature of the incident, whether reasonable safeguards were in place, and the actions of the parties involved, including their response to the incident. Partners who act in good faith and made reasonable efforts to implement proper safeguards will be treated fairly. Those who are reckless or negligent will be held to account.
Mr Kenneth Tiong raised TraceTogether as a cautionary tale. Let me address this directly.
First, on the facts. When the issue arose, the Government came to Parliament, explained the position, and clarified the legal framework. That is accountability. We did not hide from scrutiny—we addressed it openly in this House. Parliament subsequently passed the COVID-19 (Temporary Measures) (Amendment) Act to restrict the use of TraceTogether data to serious offences. So the system worked as it should.
Second, TraceTogether did not undermine public trust in the way Mr Tiong suggests. Singaporeans continued to use TraceTogether. They understood the Government's explanation and the safeguards that were put in place. To characterise it as a fiasco that broke public trust is not borne out by how Singaporeans actually responded.
The lesson from TraceTogether is not that Government cannot be trusted with data. It is that when questions arise, the Government must be accountable and transparent—and we were.
Why Opt-out is not feasible
Mr Yip asked whether citizens can be permitted to opt out of data sharing with external partners.
This is not feasible. The data sharing serves broad public sector policy, planning, and service delivery objectives. Allowing individuals to opt-out would lead to incomplete data which will fundamentally undermine our ability to plan, formulate policies and deliver services.
Take planning for social services. If individuals opt out, the data that public agencies and external partners have will be incomplete. This could mean under-provisioning services for groups with specific needs simply because public agencies and external partners are unaware of those needs. Partners will find it more difficult to optimise their resources for more targeted outreach or service delivery.
Complete data is needed for more informed planning and decisions. This is why the Bill builds in oversight of each data sharing arrangement, restricts sharing to public sector objectives under the PSGA, and provides for criminal offences to ensure that external partners take their duty to protect the information seriously.
Conclusion
Mr Speaker, I thank Members for their thoughtful speeches. The concerns raised – about purpose, authorisation, partner readiness, accountability, and incident response – are precisely the questions we must ask when we expand data sharing.
This Bill enables public agencies to better use data to serve Singaporeans. This goes to the heart of the public sector’s core mandate, which, as Ms Tan has noted, has made real and meaningful differences to Singaporeans.
When more people rely on a bridge, we do not slow down progress. We build and we strengthen the foundations, we tighten controls, and we inspect the bridges more rigorously. That is the approach we are taking, with this Bill.
This is how we serve more Singaporeans while safeguarding trust. Progress that lasts is progress that is built on trust. Keeping data safe is an ongoing and shared responsibility. We are committed to this responsibility, as we strive to serve all Singaporeans better.
I beg to move.
