Oral Answer · 2019-02-12 · 13th Parliament

Review of Public Agencies Exemption Provisions in Personal Data Protection Act

Tags: AI Governance and Regulation · AI and National Security · AI and Public Sector · AI Strategy · Contentiousness: 3 · Substantive debate

The Member asked whether the Personal Data Protection Act should be amended to remove the exemption for public agencies in view of the risk of data breaches. The Government replied that the public sector already has multiple legal and policy safeguards for data security, emphasised that public sector data management differs from the private sector's and is governed by a different legal framework, and said it will continue to review the relevant legislation. The core dispute is whether the data protection obligations of public agencies should be brought under the unified regulation of the Personal Data Protection Act.

Key points

  • Public sector data is protected by multiple laws
  • Public sector data management differs from the private sector's
  • The relevant laws and regulations will be reviewed on an ongoing basis

Government position

Public sector data is safeguarded by multiple laws; the current exemption is maintained

Questioner's position

Proposes removing the data protection exemption for public agencies

Policy signal

Continued strengthening of public sector data governance

"Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors."

Participants (3)


English original

SPRS Hansard original record · Retrieved: 2026-05-02

12 Ms Sylvia Lim asked the Minister for Communications and Information given the gravity of data protection breaches in the public sector, whether the Personal Data Protection Act should be amended to remove the exemptions for public agencies.

The Minister for Communications and Information (Mr S Iswaran): Mr Speaker, the Personal Data Protection Act (PDPA) came into force in 2012. With the gathering pace of digitalisation, we recognised the need to strengthen data protection in the private sector. PDPA establishes a baseline standard for data protection in the private sector, balanced against its need to use personal data for reasonable purposes.

On its part, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector and we continue to strengthen our data governance policies. Since 2001, the Government Instruction Manuals (IMs) already include measures to govern the use, retention, sharing and security of personal data among public agencies.

In 2018, the Public Sector (Governance) Act (PSGA) was introduced and it provided for additional safeguards for personal data in the public sector, including criminalising the misuse of data by public servants. The data protection standards in PSGA are also aligned with the PDPA. In addition, data collected by the public sector is also protected by specific legislation, such as the Official Secrets Act, the Income Tax Act, the Infectious Diseases Act and the Statistics Act. Collectively, these laws impose a high standard of responsibility on all public agencies, with additional requirements for the protection of sensitive or confidential data. Also, regular mandatory audits are conducted to ensure that public agencies comply with the standards for data protection and the security of information and communications technology systems.

PSGA allows personal data to be managed as a common resource within the public sector for better policymaking and also for more responsive public services. For example, when a Singaporean applies for financial assistance at a Social Service Office, the frontline officers are able to quickly evaluate his or her eligibility for financial assistance because they have access to data from other relevant agencies. In this way, we minimise the documents that need to be submitted by the applicant and improve the delivery of public services. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similar integrated delivery of services across different commercial organisations.

Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors. That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector. We will regularly review the PDPA, PSGA and other legislation to ensure that they remain relevant and effective in safeguarding personal data in both the public and private sectors.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim (Aljunied): I have four supplementary questions for the Minister. The first question is, I acknowledge that the various statutes and the IMs, as the Minister mentioned, do set out standards for the Public Service to comply with. Does the Minister agree, however, that these instruments, legislation or IMs are usually silent or weak on the recourse that citizens may have if there is a data breach? They may be strong on penalties for errant officers but, generally, we get silences on the rights of citizens.

Secondly, does the Minister also agree that for the PDPA itself, I suppose one of the advantages or assets of the PDPA is its approach to try to balance the need of organisations to collect data and, at the same time, if we look at section 3, it also recognises that personal data belongs to individuals, and individuals have a right to protect that data?

The third question is, we talked recently about the SingHealth incident. Does the Minister agree, because SingHealth is a body that comes within the purview of PDPA, it is not a Public Agency as defined in the Act, and the SingHealth cyberattack case has shown that the Personal Data Protection Commission (PDPC) can actually play a very useful role as far as the public is concerned? The PDPC's judgement in the cyberattack case mentioned that members of the public complained to it that their data had not been adequately protected by SingHealth. PDPC actually made some findings which will likely lead to improvements on the part of SingHealth and the Integrated Healthcare Information Systems (IHiS) as well.

Perhaps the last question for now is that one of the things that the PDPA does provide is a complaints procedure which I would like the Minister to confirm that this is something that is very useful to the citizens, which does not force the citizens to commence a lawsuit against a Government agency should one suffer damage and so on. So, these are very real advantages of the PDPA which I believe citizens can benefit from.

Mr S Iswaran: Mr Speaker, I thank the Member for her comments. I am not sure all of them were questions because some of them were observations. But let me interpret them.

Let me start by making a more general point. I think the key conclusion we have to draw is this. When we say exempt – and that is the language that the Member has used in her question – that the public sector is exempt from the PDPA, that does not mean that the public sector is somehow subject to a different or lower standard, as might be implied, in terms of data security and safety. In fact, and that was the thrust of my reply that, one, the public sector and the PSGA, in particular, takes reference, and it is in broad alignment with PDPA. But having said that, there is a clear recognition that the mode of operation and the expectation of how data is used in order to provide an effective and efficient Public Service, implies that we do need a different methodology in the way we govern public sector data governance. That is why we have this differentiated approach. In addition to the PSGA, as I had said, we do have other legislations in place.

Just for Members' information, we are by no means alone in this approach. The Canadians, for example, at the federal level, also have different laws in terms of its application to the private sector and its application to the public sector. So, it is not about differing standards or somehow having a different threshold when it comes to the public sector. In fact, we subject the public sector to the same kind of standards, if not higher standards, precisely because we know that the data that is being entrusted to the public sector is done with the confidence that it would be dealt with in a secure manner.

So, many of the questions that the Member has raised pertain more to whether there are elements of the PDPA. For example, there is a complaints procedure where they can complain to the PDPC on, for example, the right to data. I think the Member made the point that the PDPA strikes the balance between the right to data of the individual versus the right to use the data of the enterprises. Indeed, that is the balance we are trying to strike, whether it is in the public domain or in the private domain. Because essentially, you can say the same sets of considerations apply in the public sector – that we want to ensure individual data is protected, accorded due safeguards, but, at the same time, it should be a common resource that public sector agencies can tap on in order to better serve citizens. Many of the services that we take quite for granted today actually rely on that backend sharing. So, when it comes to a complaints procedure today, there is nothing stopping an individual who feels aggrieved that their data has somehow been mishandled to launch a complaint. And they have different channels for doing so.

On the SingHealth piece, the Member made the point that PDPC came out with the recommendations and so on which were very useful and so on. But actually, if you look at the morphology of the entire incident, the key recommendations that came out of this was actually from the Committee of Inquiry (COI) which the Government established. That is the process through which we derived a whole set of very detailed recommendations. What the PDPC did, because it received the complaint early in the process, was to say that it will take reference from the COI's process in determining whether there was a breach by the relevant agencies, in this case SingHealth and IHiS, and, if so, what penalty should be meted out. But the substantial portion of the recommendations was actually made through the COI process which was, in fact, initiated by the Government, not mandated by any legislation but something that was because of the judgement that was exercised.

The point on recourse comes back to the same thing again. If a member of the public feels that, in some way, their data has been mishandled, then they have every opportunity to lodge a complaint with the Minister, the Ministry, the relevant department, and action will be taken. And you can also, if you think a crime has been committed, make a Police report, and that will also be investigated.

So, if I can summarise, we subject our public sector to the same, if not higher, rigorous standards of data governance. And we have to do that, because if we do not, then a lot of our other efforts, in terms of wanting to build a Smart Nation and delivering, harnessing the digital technologies and all these in order to deliver better public services will all be thwarted. So, that is exactly why we take this very seriously. By and large, the PSGA, in other words, the legislation that governs the public sector data governance, takes reference from the PDPA and we also have other legislation for specific sectoral matters which can also be implied in addition.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim: Two supplementary questions for the Minister. First, the Minister, in his answer earlier, mentioned that for members of the public who are aggrieved that their information has been mishandled by a public agency can always make a complaint. The question is: to whom? And the Minister mentioned that it could be to the Minister. Does the Minister not agree that the PDPC itself, which is focused on personal data protection, should have a role to receive such complaints because they are, after all, the domain expert on personal data protection?

The second supplementary question is: Minister mentioned the issue of public sector agencies being interconnected and, therefore, there needs to be a different approach. But I think the SingHealth incident also illustrates some artificiality in what is actually happening in the healthcare sector. If we look at the setup of SingHealth, for example, no doubt, it is not under the definition of public agency under the PDPA. But the fact is that it is very connected to the Ministry of Health (MOH). In fact, it is owned by MOH Holdings, and there is a frequent, I believe, exchange of data between such healthcare bodies and the parent Ministry. So, it would come to a stage, does Minister not agree that, if my data is given to a clinic, for example, under a cluster, I may be able to complain to the PDPC, but once that data goes to the Ministry and the breach happens there, I do not have recourse under the PDPC? So, there is some artificiality in the distinction as far as the healthcare sector is concerned.

Mr S Iswaran: Mr Speaker, because there will be a Ministerial Statement governing many of the matters pertaining to the public healthcare system, I will keep my comments in response to the Member's queries limited, and I think we can take up clarifications after the Ministerial Statement as well.

The key point I want to emphasise in my response to the Member is this: the term "recourse" for the public has been used several times in the course of this exchange. The fact of the matter is that you need recourse. It does not matter whether the recourse is under the PDPC or PDPA, the legislation or there are other established improved mechanisms. But the key point is you must have recourse.

And that is my point when I said that individuals, depending on where or what circumstances they find themselves in, they can make complaints. By the way, the PDPC does receive complaints sometimes pertaining to the public sector. So, as a recipient of such complaints from the public, it does not turn them away. Rather, the standing arrangement is that they look at it and, if the jurisdiction is such that it does not come under the PDPA, they then refer it to the Government agencies involved to then follow through. In the case of the Government, the Government Technology Agency (GovTech), for example, is overall in-charge of the security and safeguard systems for data. And GovTech is the agency that does many of the reviews and ensures that the Government agencies are in compliance with the IMs and other provisions and so on. Moreover, there is also the Auditor-General's review as well, which occurs from time to time, and it includes security.

My point is that members of the public should not at all be concerned that they do not have recourse. They do, and, in fact, they have a multiplicity of recourse. And I would add that, in the case of the public sector, they probably have more channels and more avenues of recourse in some ways, compared to what you see in the context of the private sector. Because essentially, for private sectors, you go to the PDPC, or you take out a specific legal action against the company on your own. Here, you have got more options because you can go through the PDPC. It would be referred to the relevant agencies. You can go to GovTech, you can go to the Ministry that oversees the relevant department, you can also make a Police report if you feel that it warrants such action.

So, there should be no doubt in Members' minds that we have the appropriate recourse mechanisms. There should also be no doubt in Members' minds that the public sector's data governance standards are in no way inferior to the standards that we impose on the private sector. And, if anything, we impose a higher set of standards. That is the expectation that we have.