No. They are not.
In the wake of recent failures to protect against hacking and breaches of data privacy at public health institutions, there has been a growing perception that government agencies are treated with undue leniency when it comes to data protection breaches.
This is different for non-government organisations. It is well known that the Personal Data Protection Act 2012 (PDPA), enforced by the Personal Data Protection Commission (PDPC), applies only to the conduct of private organisations and not to public agencies.
Today in Parliament, Mr S Iswaran, Minister for Communications and Information, responded to a question from MP Irene Quay as to whether it is justifiable for public agencies to be exempted from the PDPA.
That the question was asked at all suggests that this misconception exists.
The Minister clarified that public agencies are held to account under the Government Instruction Manuals (specifically Instruction Manual No. 8) and the Public Sector (Governance) Act 2018.
This is true in respect of the Act. The Act is publicly available.
We have been unable to locate the Instruction Manual, and it may not be a public document. However, it would appear that the enforcement powers and penalties available to the government are equal to, if not greater than, those of the PDPC.
We extract the relevant portion of the Minister’s response today as follows:-
“Miss Quay has asked if it is justifiable that public agencies are exempted from the PDPA. Implicit in the Member’s question is the presumption that public sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them. That is wrong, and simply not the case. Public sector agencies are subject to a different piece of legislation and other regulations. In particular, public sector agencies have to comply with the Government Instruction Manuals and the Public Sector Governance Act. Collectively, they have comparable if not higher standards of data protection compared to the PDPA, and similar investigations and enforcement actions are taken against data security breaches.

I have previously explained in Parliament why we adopted this approach. To reiterate, the PDPA does not apply to public agencies because there are fundamental differences in how the public sector operates which require a different approach to personal data protection when compared to the private sector. In order to allow a WOG [whole-of-government] approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations.

Citizens have the same recourse for a data breach in the public sector as with the PDPA. Where citizens suspect their data has been mishandled by a private sector organisation, they can lodge a complaint with the PDPC, or with GovTech if a public sector agency is involved. In practice there are no wrong doors, and the complaint will be directed to the relevant agencies for follow-up. Affected individuals can also seek mediation or take civil action against the organisation and agency which mishandled the data.

The Member has asked whether tangible penalties should be imposed on public agencies for public accountability. Public officers who flout the government’s data security rules and are found to have misused or disclosed data in an unauthorised manner could be held criminally liable under the PSGA. The penalties include fines of up to S$5,000 or a jail term of up to 2 years, or both. It is not meaningful to impose financial penalties on public sector agencies, because the cost of such penalties would ultimately have to be borne by the same public purse.”