Throwing the gauntlet?
I think we can accept the Minister for Health’s explanation that his ministry made an honest “judgement call” not to inform the affected patients of the data breach back in 2016, and that it was not unreasonable for them to assess then that putting out the information would have caused more harm than good.
Note that the minister himself did not cite national security as the ministry’s reason to withhold disclosure of the breach. Low’s suggestion, with the implication that it is entirely appropriate for the Ministry of Health to apply a purely political calculus to manage a crisis where it should instead have applied healthcare (as its domain of regulation and expertise) or data governance principles (as the situation fell under), is either pure stupidity or administrative arrogance.
How should the Ministry of Health have acted then?
We note that Singapore’s HIV registry is a name-based registry which includes confidential information like “addresses, HIV status and other medical information” of PLHIV resident in Singapore, whether they are Singapore citizens, PRs, or guest workers.
The NHS in the UK has this to say in its 2007 guidance on data governance: holders and controllers of confidential patient information have a common law duty of confidentiality to these patients. They have a duty of care to facilitate and maintain the confidentiality of patient records. Applying the common law duty of confidentiality, the NHS and the Department of Health and Social Care advise that “if information is inappropriately disclosed, the individual can take legal action for breach against the public body concerned.” On a design level, the Information Commissioner’s Office (a far stronger version of Singapore’s PDPC) is to be notified by the organisation’s IT head or equivalent whenever confidential records are processed, and it must be notified when breaches have occurred, and it is the arbiter of whether a public authority has properly dealt with a breach.
The Information Commissioner’s Office advises that in the event of a data breach:
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible. Example: A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
And here we have it. A reasonable, respectable, and reputable institution on the level of Singapore’s Ministry of Health would have made the entirely opposite decision that Mr Gan Kim Yong defended and rationalised in parliament as a good judgement call.
But was there a real, high risk to the rights and freedoms of the PLHIV when Brochez helped himself to Singapore’s HIV registry? Instead of calling in the information and privacy watchdog and experts on this matter, the police were involved. Their lack of expertise in this matter (and inappropriateness as an investigation authority in this matter) is evident, when they judged that because the data was wiped from Brochez and Ler’s devices, there was no real risk of the confidential information getting leaked into the wild.
Yet cybersecurity experts advise, consistently across the board, that if data is breached, even if you cannot tell if it has been published elsewhere, . It is believed the hackers were after the medical data of Singapore’s prime minister and cabinet colleagues. There was an inquiry and the local privacy watchdog, the Personal Data Protection Commission (PDPC) fined the hospital and its technology vendor a total of S$1 million.
How can things be set right?
If the 2018 hack of SingHealth records didn’t illustrate the need clearly enough: Singapore’s healthcare industry and its own healthcare regulator both lack a competent data governance model, even though Singapore may have competently carried out its national campaign to digitise healthcare records.
It appears that the PDPC was not designed to be an integral part of active data governance, nor part of crisis and breach management.
As the HIV registry contains not just the details of Singapore citizens but foreign nationals who were resident in Singapore, the fallout cannot be easily contained. Foreign governments, especially European states under the extraterritorial scope of the GDPR regime, have a whip hand against the Singapore government especially if the Ministry of Health is seen to be excused from accountability, responsibility, and even the requirement of competence in this matter. Such an egregious series of lapses require real and overreaching remedies.
We at Illusio therefore recommend a redesign of the structure of data governance, as well as for the PDPC to be beefed up and empowered as a fully fledged information commission. Further, we recommend parliament pass legislation mandating mandatory disclosure for data breaches, along the lines of the Australian model.