SINGAPORE: Senior Minister Teo Chee Hean has made it clear that imposing financial penalties on public agencies for the December 2024 data breach involving the Accounting and Corporate Regulatory Authority (ACRA) will not be effective or meaningful because the cost will ultimately have to be borne by the taxpayers. Instead, disciplinary action will be taken against the officers responsible and the senior management overseeing them, he said in a recent ministerial statement reported by The Business Times.

He pointed out that the Prime Minister will take the incident into account when evaluating the performance of the ministers overseeing ACRA and the Smart Nation initiative—Second Minister for Finance Indranee Rajah and Minister for Digital Development and Information Josephine Teo.

The data breach, which saw the full National Registration Identity Card (NRIC) numbers of individuals displayed on ACRA’s Bizfile portal from Dec 9 to 13, violated government guidelines and sparked public concern about data privacy.

Financial penalties not feasible for public agencies

The incident occurred when ACRA’s Bizfile portal unintentionally exposed full NRIC numbers, breaching guidelines set out in the government’s Instruction Manual for Infocomm Technology and Smart Systems Management. While private sector entities face financial penalties for violating personal data protection laws under the Personal Data Protection Act (PDPA), public agencies are governed differently. According to the Public Sector (Governance) Act (PSGA), no such penalties exist for public sector data breaches.

Mr Teo explained that imposing financial penalties on public agencies would not be appropriate, as the costs would ultimately be borne by taxpayers. “The cost of any financial penalties would ultimately have to be borne by the public purse,” he remarked, stressing that such penalties would not address the root causes of the issue.

Disciplinary measures for responsible officers

Mr Teo emphasised that appropriate disciplinary actions would be taken against the officers directly responsible for the data breach, as well as senior management overseeing them. Under the PSGA, public agencies have internal accountability frameworks, including counselling, retraining, and reductions in performance grades. These actions can also impact performance-based payments, serving as a deterrent for negligence.

While the review panel’s report analysed the breach, Mr Teo clarified that it was not part of a disciplinary process. Any further disciplinary actions against individuals involved would follow established procedures within the relevant agencies.

Citizen reactions

The statement about disciplinary action to be taken against the officers involved has sparked mixed reactions among citizens, with some appreciating the emphasis on accountability. One commented, “Even in (a) company, penalty in the form of warning or dismissal of person in charge is also a method for taking responsibilities. So I agree that officers being held accountable is fine. No point fining agencies.”

“(Who’s) talking about fining the agency? Since the issue has already been pinpointed, then take it on the personnel involved,” said another.

Another commented, “Spare the foot soldiers, go after the general,” suggesting that senior management should be held accountable instead of the officers.