REACH (Telegram) 64 - How do you think government agencies can better collaborate with each other to prevent lapses?
(SK)
04 Mar 2025 (10am - 7pm)
REACH (Telegram)
REACH Singapore, [4/3/2025 9:57 AM]
Dear contributors,
Welcome back! π
⏰ We will be opening the chat from 10am to 7pm today. ⏰
House Rules (short version of our Terms of Use) to keep in mind:
1. Be kind and respectful. We all want to be in a safe space to share our views.
2. Any and all threatening, abusive, vulgar or racially, religiously and ethnically objectionable content is prohibited.
3. Consider the quiet ones among us and give them a chance to comment.
4. No need to repeat your comment or in differnet forms (including caps) - we heard you loud and clear the first time.
5. Let's protect each other's privacy and keep contact details in this group what it should always be - confidential.
Full set of Terms of Use: https://www.reach.gov.sg/Participate/reach-telegram-group/REACH-Telegram-Group-Chat-Terms-of-Use/
We will strive to uphold these rules to ensure this is a safe space for all.
Please be assured that the points made by participants during the chat are aggregated and shared with relevant agencies.
The topic will be posted shortly.
Thank you.
Megan π
REACH Singapore, [4/3/2025 10:00 AM]
π’ Topic π’
A review panel investigating the disclosure of full NRIC numbers last December on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile portal published its findings on March 3.
The probe found no deliberate wrongdoing by the Ministry of Digital Development and Information (MDDI) or ACRA, but flagged shortcomings that led to the mass disclosure of NRIC numbers of key business representatives and others on Bizfile’s database.
π¬ How do you think government agencies can better collaborate with each other to prevent lapses?
π Need for clearer communication
The report found that MDDI was not clear enough in its policy communications issued in July 2024 in a circular to various Government agencies on plans to end the use of NRIC numbers for authentication and cease any new masked NRIC usage by Nov 1, 2024.
The panel noted that this was a complex policy, MDDI should have been more precise and provided more context in the circular. Although MDDI made an effort to ensure the circular was understood by agencies, having engaged with nearly 50 agencies, including ACRA, on their use of NRIC numbers. ACRA and MDDI had exchanged multiple e-mails on the topic without addressing the crux of the misunderstandings.
π Insufficient sharing of information within ACRA
Two officers from ACRA who attended MDDI’s July 16 briefing and received meeting materials on the new policy did not disseminate the information within ACRA, especially to those who needed to act on the circular.
The panel recommended that ACRA review its processes to ensure there is sufficient dissemination of information within the organisation and to those who would require it to make informed decisions.
π MDDI should have paid more attention to complex uses
MDDI should have given more guidance to more complex new applications – such as public registries – to help agencies understand how to stop the use of partial NRIC numbers and decide if full NRIC numbers were necessary.
Although Bizfile’s People Search function was an existing-use case – rather than a new application, as ACRA had thought – it was a more complex use of NRIC numbers that warranted closer guidance by MDDI.
π Poor risk assessment by ACRA
The panel found that ACRA misjudged the need for corporate checks through Bizfile at the expense of privacy, making personal data too easily accessible.
The panel said ACRA should have explored alternative People Search designs such as by requiring extra search parameters like a Unique Entity Number.
π Security features on Bizfile lacking
Some cyber-security features that would have prevented users from collecting data from the Bizfile portal en masse were not adequately set up when the portal was launched on Dec 9, the panel found.
The report noted that ACRA was not able to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function.
π Poor communication with the public
It took ACRA and MDDI some time to figure out the misunderstanding of MDDI’s instructions and whether there were alternatives to halting the People Search function.
The Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, nor was it the Government’s intention to disclose full NRIC numbers on a large scale.
π [ST] https://www.straitstimes.com/singapore/6-missteps-that-led-to-acras-disclosure-of-full-nric-numbers-in-dec-2024
π [CNA] https://www.channelnewsasia.com/singapore/no-deliberate-wrongdoing-unmasking-nric-numbers-acra-mddi-4970921
----
365, [4/3/2025 10:08 AM]
All these boils down to unclear or ambiguous communication.
We should stop hiding behind the mentality of "you are expected to know what to do" and instead, be straightforward with clear cut instructions.
All circular should have an additional section called "actions". This section should clearly indicate what different agencies or different departments within agencies have to do.
Be as specific as possible, for example: "For all finance departments" or "For energy and maritime sectors". And then list down what actions or changes they have to make due to new policies being pushed out.
If there is no actions for anyone, be clear and state "no actions required".
Have a standard template for actions and non-actions alike. Staff within the agencies can familiarize with it and have clear understanding of the expectations.
I rather they give out foolproof instructions to reduce mishaps than to have an ego of "I hire you, you must know exactly what to do". Leave little to zero ambiguity in your intents.
REACH Singapore, [4/3/2025 11:07 AM]
[ Poll : 1. I agree with the report's findings that there was no deliberate wrongdoing by MDDI and ACRA in this mass disclosure of NRIC numbers on the BizFile portal. Share your reasons in the chat. ]
- Strongly Agree
- Agree
- Neutral
- Disagree
- Strongly Disagree
REACH Singapore, [4/3/2025 11:07 AM]
[ Poll : 2. The review panel's report reflects the Government’s commitment to public accountability. ]
- Strongly Agree
- Agree
- Neutral
- Disagree
- Strongly Disagree
REACH Singapore, [4/3/2025 11:08 AM]
Dear Contributors,
Please take a moment to participate in our polls and share your opinion. The poll questions are pinned for easy reference, and your vote is anonymous.
We look forward to hearing your thoughts on today’s topic!
Thank you.
Megan π
Caleb, [4/3/2025 11:09 AM]
Where to see the full report?
Joomua Tng, [4/3/2025 12:05 PM]
it is immediately displayed
Adam, [4/3/2025 12:18 PM]
Everyone agrees there is no 'deliberate' wrongdoing
Adam, [4/3/2025 12:18 PM]
If i kill a man because of incompetence in my job, its not like i deliberately did it
Adam, [4/3/2025 12:19 PM]
Yet mistakes have consequences
Adam, [4/3/2025 12:21 PM]
How can the gov be accountable to the public if they arent accountable for their own actions?
μ¬μμΉκ΅¬, 첫μ¬λ π, [4/3/2025 12:36 PM]
Findings aside it's very ironic that the ministry which was once called MCI has problems communicating like????
Khai Mun L., [4/3/2025 1:36 PM]
The consequences are being considered.
https://www.channelnewsasia.com/singapore/mddi-acra-nric-numbers-unmasking-financial-consequences-performance-review-staff-4972576
REACH Singapore, [4/3/2025 2:01 PM]
π’ Topic π’
Andy, [4/3/2025 2:07 PM]
Don't think ppl care too much about this topic
Adam, [4/3/2025 2:13 PM]
Nah, people should care. With nric, can get scammed much more easily among other stuff.
But one of the issue is that they tried to underplay the situation and pretend that nric was never private all along
G, [4/3/2025 2:24 PM]
Fully agree. NRIC number can never be changed, unlike your name.
And for a long time, and even up till now, your default singpass username is your NRIC number.
So for the ministers to downplay the importance of safeguarding your NRIC number appears to be reckless, especially in this day and age of identity theft, impersonation, and complex scam operations
365, [4/3/2025 2:26 PM]
Same sentiment, I get that they want to move away from nric being used for authentication, but until we have fully transited, and we are sure that the alternative solution is working well, safeguarding the secrecy of our nric should not change yet.
RY, [4/3/2025 2:41 PM]
Govt pass the data privacy bill few years ago, and hence our NRIC no/card no are now masked and only displaying the last 4 digits in most documents/labels/receipts and etc
How can the 2 ACRA staffs who attended the MDDI briefing ~
1 not aware of the data privacy law ?
2 shouldnt they have "doubts" if the Ministry allow them to display the full NRIC details ?
3 English is the main stream of language used in most govt docs, why is there still a mis-interpretation/mis-communication between the Authorities ? Different standard of english for those working in the Ministry & Authority ?
RY, [4/3/2025 2:47 PM]
Seems that ACRA BizFile system has many "loopholes", and not comprehensive, as they unable to track many things eg individual queries for people search and etc
ACRA will probaby need to upgrade to better system maybe using AI technology ?
RY, [4/3/2025 2:51 PM]
This "drama" reflects many system and communication that have to be further improved between the govt and the different authorities
And such incidents/mistakes can be avoided .....
And b4 ACRA implement any new/improvised system, IT should have a "trial run" b4 releasing to the public to use, as part of the IT SOP
RY, [4/3/2025 3:03 PM]
It is gd to have investigation and review when some issues happen ....
And also Report to discuss/conclude what are the steps to be improved further, and steps taken to avoid such scenario from happening again
And there must also be some accountability by the staffs working in the Govt/Authority, as they are paid to do the job and the responsibility should be there
It is okay to make "mistakes" as nobody/Authorities are perfect. Admit the mistakes, apologise to public, and do the nec remedy to solve the problems and ensuring it may not happen again in future
Bec this is the Trust that have been built up over the years, between the Govt and people
G, [4/3/2025 3:07 PM]
Yes.. When mistakes happen, own up to it, take responsibility and take timely remedial actions, instead of gaslighting, guilt tripping and then attempting to "educate" Singaporeans on NRIC usage with a holier-than-thou attitude
LCL (Danny εΏ), [4/3/2025 3:45 PM]
1. It is unfortunate such miscomm and mis-step has taken place and result in NRIC being displayed.
2. But fortunately, this is not a deliberate wrongdoing.
3. As milk has already been spilled, no point crying over it, remedial actions need to be activated to rectify and mitigate any damages that would have happen due to the slippage.
4. Probably, 3 action items will be necessary as identified by the Government, and is good to reiterate to keep them in focus:-
a. Looking at how best to coordinate and communicate among the different Ministries and Government bodies - to prevent future miscomm and mis-coordination.
- One way is for agencies to check back with the source of Ministry that initiate the changes - when implementing new system and not take "briefing" at face value. Because wording, memo, or brief can subject to different interpretation.
- By inviting the person in charge or its representative from the source Ministry to a project meeting to hear their views or infuse them as a project committee member (if the project is very complex that needs constant input) - will be the sure way the intent of the changes or information will not go wrong (because source Ministry representative and its higher boss need to sign off documents from the project as endorsement - to ensure the intent of the change is accurately captured and correctly represented in the project).
This ensure it won't go wrong.
The only minus point for this approach is that - if there are a few Ministries or Government agencies are replacing a new system, the source Ministry that initiate the change will run out of manpower to attend such project meetings and will be very busy multi-tasking to be involved in a few simultaneous meetings with different Ministries and Government Bodies.
b. Identify which NRIC number that have been exposed and take remedial actions to "ring-fence" and communicate to "service providers" to put them in watchlist any financial transactions coming from these exposed NRIC number - with double efforts to verify that they will not be scammed.
Owners of these exposed NRIC numbers should also be pre-warned and advise what steps to take in dealing with "likely scammers" and "Service providers" - in any financial transactions to ensure their future transactoins are legitimate and not scam transactions.
c. Those at fault need to undergo mentoring, training to ensure in future to be more conscientious and careful in handling public information.
Penalty as recommended by Government should be measured and appropriate - not too lax or too onerous.
No people or system make no mistakes - and most important own up to it, improve and do better in future.
This is a hallmark of accountability and responsibillity.
LCL (Danny εΏ), [4/3/2025 3:57 PM]
1. Another way for better communication or coordinate among different Ministries when implementing new systems or replacing new systems is to have a Central Government IT Review Committee (make up of Central Government IT staff) - to scrutinise and review the new systems or upgrading systems coming from different Ministries/Statutory Boards/Government Agencies/Organs of States.
2. Basically this Central Government Review Committee will check and verify things such as :-
a. Purpose of the new systems or the features of the upgrading systems.
b. Conformance to existing procedures or new procedures or evolving procedures.
c. Look into cybersecurity and protection of the IT infrastructure/apps/db/AI etc, security, functions, features, integration to the Central infrastructure and to other Ministries/Stat Board/Organ of State, Government-Linked Organisation as well as other private organisations.
d. Plus other administrative, operation, integration, policies etc issues.
These will ensure all different Ministries, Statutory Board, Government Agencies - are properly coordinated, communicated, synch and integrated - prevent miscomm, mis-coordination and wrong understanding.
Jun Ming, [4/3/2025 3:58 PM]
I think the problem for this government is poor in cross agency communication
LCL (Danny εΏ), [4/3/2025 3:59 PM]
The above suggestions will solve the communication or coordination problem.
Jun Ming, [4/3/2025 4:00 PM]
Not only in acra but in those town council problems. Agency tends to kick the ball around
LCL (Danny εΏ), [4/3/2025 4:00 PM]
Town Council can also erect such central coordination committee - and hence will resolve coordination or communication problem.
LCL (Danny εΏ), [4/3/2025 4:02 PM]
But the problem is, estate management too many small small things unlike government system projects that are very big.
Jun Ming, [4/3/2025 4:02 PM]
Sometimes I feel maybe just the relevant agency find one time to have a meeting and get a central agreement can liao. Instead of keep throwing the ball to one and another
Jun Ming, [4/3/2025 4:03 PM]
For small issue
LCL (Danny εΏ), [4/3/2025 4:03 PM]
I think the above suggestions can be considered and I believe will be able to solve a lot of coordination problem.
LCL (Danny εΏ), [4/3/2025 4:12 PM]
In fact multiple layers of scrutiny can be implemented to make it foolproof - if not too onerous:-
1. Central Government IT review committee (at Specialist level).
2. COPS committee (Council of Permanent Secretary)
- at Administrative level.
3. Cabinet meeting - at Political level.
This 3 hierarchy of reviews will have cover all blind spots and prevent any loopholes - because they are inter-locked.
ζ»΄ζ°΄δΈζΌ。
LCL (Danny εΏ), [4/3/2025 4:15 PM]
But this will make our COPS and Cabinet very busy.
Because some changes could be minor but take up alot of the VIPs times.
Maybe small and minor system delegate downward to deputy to scrutinized and review....
REACH Singapore, [4/3/2025 6:03 PM]
π’ Topic π’
REACH Singapore, [4/3/2025 6:45 PM]
Dear Contributors,
⏰ We will be closing the chat in 15 minutes ⏰
Thank you very much for being part of our Telegram chat and participating actively.
Goodnight!
Megan π
RY, [4/3/2025 6:56 PM]
The 2 ACRA staffs whom attended the Ministry briefing, they are supposed to disseminate the briefing info to ACRA
Why these 2 staffs chosen not to share the briefing info ?
This may also show that ACRA may have not a gd de-briefing communication system
They represent ACRA to attend the Ministry briefing, but none was shared in ACRA
ACRA may have to further improve their communication within the Authority after this incident - I supposed
RY, [4/3/2025 6:57 PM]
Tks Megan and gd nite π
REACH Singapore, [4/3/2025 7:00 PM]
Dear Contributors
We will be closing the chat for today.
Thank you very much for being part of our Telegram chat and participating actively.
Goodnight!
Megan π
====
No comments:
Post a Comment