Government's personal data protection laws and policies
Learn how the Government safeguards sensitive information.

Data management in the Public Sector
Data management in the public sector is governed by the Public Sector (Governance) Act (“PSGA”) and the Government Instruction Manual on Infocomm Technology & Smart Systems Management (“IM on ICT&SS Management”). The Personal Data Protection Act (“PDPA”) applies to the private sector. Two different legal frameworks governing data management in the public and private sectors are needed because the public has different expectations of the services provided by the Government and the private sector. The Government is expected to deliver services in an integrated manner across agencies. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similarly integrated delivery of services across different private sector organisations.
Since 2001, the Government’s data security policies have been set out in the IM on ICT&SS Management. The IM on ICT&SS Management sets out how the Government manages and protects data (including personal data) in its possession or control. In 2018, the PSGA was enacted to further strengthen public sector data governance. The PSGA imposes criminal penalties on public officers who (a) knowingly or recklessly disclose data without authorisation; (b) misuse data that results in personal gain for the public officer or another person, or harm or loss to another person; and (c) knowingly or recklessly re-identify anonymised information without authorisation.
Policies for safeguarding data and personal information
Data management by Third Parties of Public Agencies
The Government recognises that Agencies work extensively with Third Parties to deliver services to citizens, carry out operational functions, and plan and analyse policies. When doing so, these Third Parties may handle large volumes of data from the Government. Hence, the high standards of data protection that the Government places on itself must also extend to these Third Parties.
With this in mind, the Government has introduced policies to guide Agencies in ensuring that Third Parties adequately safeguard data. These policies are organised based on the lifecycle of the relationship between the Agency and the Third Party, namely: Evaluation and Selection, Contracting and On-boarding, Service Management, and Transition Out (as shown in the diagram below). When working with Third Parties, Agencies will define the data security requirements that each Third Party has to comply with based on the Government’s data security policies.

Definition of a Third Party
A Third Party is defined as a party (other than a data subject or an Agency) which
(Data subject refers to the individual or entity to which the data relates. Agency refers to Organs of State, Ministries, Departments and Statutory Boards.)
Key policies of the Government's Third-Party Management Framework
Public Sector Data Security Review
In 2019, a review committee recommended additional measures to enhance data security.