Oral Answer · 2019-04-01 · 13th Parliament

Investigative Functions in Personal Data Protection

Role of Personal Data Protection Commission in Investigating Blood Donors' Data Leak

Tags: AI governance and regulation · AI economy and industry · AI and healthcare · AI and national security · Controversy level 3 · Substantive debate

Members questioned the investigative role of the Personal Data Protection Commission (PDPC) in the blood donors' data leak and whether public agencies should be subject to the Personal Data Protection Act (PDPA). The Government replied that the PDPC is investigating the private IT vendor involved, that public agencies are governed by other legislation, and that their data protection standards are no lower than the PDPA's. The core dispute is whether public agencies should be exempt from PDPA oversight and how they are held accountable.

Key points

  • The PDPC is investigating the private vendor
  • Public agencies are governed by separate legislation
  • Public agencies are held to high data protection standards

Government position

Public agencies are governed by dedicated legislation, not the PDPA

Questioners' position

Questions whether exempting public agencies from the PDPA is justified

Policy signal

Strengthen data protection oversight of public agencies

"Public sector agencies have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act."

Participants (8)

English original

SPRS Hansard original record · Retrieved: 2026-05-02

13 Ms Sylvia Lim asked the Minister for Communications and Information regarding the recent data leak of more than 800,000 blood donors' personal information from the database of HSA (a) what is the role of the Personal Data Protection Commission in investigating this incident; and (b) whether any review is being done to ascertain whether HSA has acted reasonably in protecting the personal data including whether the contractual obligations between HSA and its IT vendor reasonably safeguarded the personal information entrusted to these parties.

14 Ms Irene Quay Siew Ching asked the Minister for Communications and Information in view of data breaches across public IT systems (a) whether it is justifiable for public agencies to be exempted from Personal Data Protection Act; (b) what recourse do citizens have, other than to complain to agencies or seek civil action; and (c) whether there should be a tangible penalty meted out to these public agencies for public accountability.

The Minister for Communications and Information (Mr S Iswaran): Mr Speaker, may I have your permission to take Question Nos 13 and 14 together, please?

Mr Speaker: Yes, please.

Mr S Iswaran: Mr Speaker, with regard to the incident involving HSA, the Personal Data Protection Commission (PDPC) is investigating Secur Solutions Group Pte Ltd, which is a private company and vendor of IT services to HSA. If found to be in breach of the Personal Data Protection Act (PDPA), PDPC will take the appropriate enforcement actions against the company, such as issuing directions and imposing financial penalties.

The Senior Minister of State for Health has earlier outlined the review of HSA’s data security policies and practices that is being undertaken. As HSA is a Government agency, the Smart Nation and Digital Government Group is also conducting an investigation into the incident.

Ms Quay has asked if it is justifiable that public agencies are exempted from the PDPA. Implicit in the Member’s question is the presumption that public sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them. That is wrong and simply not the case. Public sector agencies are subject to a different piece of legislation and other regulations. In particular, public sector agencies have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, they have comparable if not higher standards of data protection compared to the PDPA, and similar investigations and enforcement actions are taken against data security breaches.

I have previously explained in Parliament why we have adopted this approach. To reiterate, the PDPA does not apply to public agencies because there are fundamental differences in how the public sector operates, which requires a different approach to personal data protection when compared to the private sector. In order to enable a whole-of-Government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations.

Citizens have the same recourse for a data breach in the public sector as with the PDPA. Where citizens suspect that their data has been mishandled by a private sector organisation, they can lodge a complaint with PDPC; or with GovTech, if a public sector agency is involved. In practice, there are no wrong doors and the complaint will be directed to the relevant agencies for follow-up. Affected individuals can also seek mediation or take civil action against the organisation or agency which mishandled the data.

The Member has asked whether tangible penalties should be imposed on public agencies for public accountability. Public officers who flout the Government’s data security rules, and are found to have misused or disclosed data in an unauthorised manner, could be held criminally liable under the PSGA. The penalties include fines of up to $5,000 or a jail term of up to two years, or both. It is not meaningful to impose financial penalties on public sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse.

Mr Speaker, over the years, the Government has progressively enhanced security measures to safeguard sensitive data. The Government has also increased the number and types of internal IT audits, to check on agencies’ data access and data protection measures. Nevertheless, recent data-related incidents have underscored the urgency to strengthen data security policies and practices in the public sector.

Therefore, the Prime Minister has convened a Public Sector Data Security Review Committee to conduct a comprehensive review of data security practices across the entire Public Service. This includes measures and processes related to the collection and protection of citizens’ personal data by public sector agencies, as well as vendors who handle personal data on behalf of the Government. While individual agencies are investigating and taking action on the specific incidents, this Committee will undertake a comprehensive review across the public sector, and incorporate industry and global best practices to strengthen data security.

This review will help to ensure that all public sector agencies maintain the highest standards of data governance. This is essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data. The work of this Committee will complement our efforts to achieve our Smart Nation vision. The Public Sector Data Security Review Committee will submit its findings and recommendations to the Prime Minister by 30 November 2019.

Mr Speaker: We will take the supplementary questions for the earlier Parliamentary Questions as well as for these two. Miss Cheng Li Hui.

Miss Cheng Li Hui (Tampines): I have two supplementary questions. It was reported that the server was also accessed by several other IP addresses. What do we know about this access? Is it by foreigners or locals, and will we be pursuing any actions on them? Do they have the information on the blood donors as well? For those who failed to donate their blood due to illnesses, can this sensitive information be accessed?

The Senior Minister of State for Health (Mr Edwin Tong Chun Fai): On Miss Cheng's latter question, that information was not on the server that was compromised. Only registration-related information was on that server. And if I can just cite for Miss Cheng this relevant portion from the vendor's statement. It says that the information that was on that server was NRIC, gender, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight.

As for the first point, the unauthorised access is from various locations. That is still being looked into and when we have a fuller position on this and have more clarity, we will provide those answers.

Ms Sylvia Lim (Aljunied): Mr Speaker, I have three supplementary questions for Minister Iswaran. The first is, I am glad to hear that he confirmed that the private sector vendor Secur Solutions Group is actually governed by the PDPA and that PDPC is looking into their conduct. My first question will be, is the PDPC going to wait for the outcome of the HSA investigation and then follow on from there, or is it concurrent?

The second question is, it was mentioned that the Prime Minister has now convened a cross-Government committee chaired by Deputy Prime Minister Teo to look into standards of Government IT security. Does this confirm that the Government is actually not satisfied and that the standards so far have been wanting in the public sector?

Finally, the third question, which is an interesting one, is Minister's answer to Nominated Member Quay's question about financial penalties on organisations. He mentioned that it was not meaningful to fine public agencies because the fine would in the end come from the public purse. But can the central Government not operate on the premise that no additional money is going to be provided to public agencies to pay fines, and therefore, the agencies would just have to cope with cuts somewhere else to pay these fines, whether it is from bonuses of Senior Management or whatever it is? Because there is still an important signalling effect that the Government is prepared, as an organisation, to abide by the same standards it expects of small businesses.

Mr S Iswaran: Mr Speaker, I thank the Member for her questions. Firstly, on whether the PDPC's investigations would be concurrent, the answer is yes. But clearly, we would have to be informed by what is happening also in some of the other activities because they have some inter-related factors. But the answer is, the investigations will proceed concurrently.

The second question is, what does the establishment of the Public Sector Data Security Review Committee mean. I think the Member is trying to score a political point here and I want to make it categorically clear. The Government has been working, that is why I said so in my answer, consistently working and improving data security standards. There is a list of things that we have been doing over the years and I think this has been explained in the House many times in response to the Member's questions and that of many other Members as well.

The key point here is that, because there has been a series of these incidents in recent times, the Prime Minister and the Government have assessed that we need to take a holistic look again. That does not mean that what we have is inadequate or lacking, but what it does mean is we should ensure that we put in total effort to ensure that we leave no stones unturned in ensuring the highest standards are met in the public sector when it comes to data security. If there is something that is to be learnt, whether it is from best practices in the private sector or from global companies, that is something we will be very happy to learn from and incorporate in the Government's practices.

Finally, on the point on financial penalties, and the Member makes the point about signalling effect. I would say that, first of all, in fact I think the term "ownself check ownself" was coined by a Member of her party. So, if you fine yourself, you do ask the question, what is the signalling effect there. It is far more important that the signalling effect is that you are taking this issue seriously and holding relevant people accountable. So, that is why, in the way we go about this, the penalties are focused on the individuals, officers, who have made decisions or taken actions which were deemed to be not compliant, and therefore there are the consequences that I spelled out.

Having said that, I think, when you take action against an organisation in the public sector, the reputational impact on that organisation and leadership is significant. I think the Member will concede that, that in itself is also a major signalling point, because no organisation, public or private, wants to have its reputation tarnished. Having said that, we are prepared to look at all means, to ensure there is clear accountability and ensure that in the public sector we have the highest standards of data security. That is why, this committee has been set up and we will be open to suggestions. If the Member has interesting ideas on this, we would be happy to hear from her.

Ms Irene Quay Siew Ching (Nominated Member): The Minister reassured the House that we have the various Acts to impose high standards of responsibility on public agencies. However, upon reviewing that, there seems to be a lack of clarity in this Act regarding accountability for data breaches. The focus seems to be on misuse of data. Can the Minister clarify?

My second supplementary question is, Minister informed the House that the public agencies have regular mandatory internal audits in place to ensure public agencies comply with these standards for data protection and security of ICT systems. In that case, why are these potential lapses not surfaced during previous internal audit checks?

Mr S Iswaran: May I just seek a clarification from the Member, Speaker?

Mr Speaker: Yes, please.

Mr S Iswaran: When you say the Act does not refer to data breaches, only data misuse, are you referring to the Public Sector (Governance) Act or are you referring to the PDPA?

Ms Irene Quay Siew Ching: I am referring to the Public Sector (Governance) Act, Official Secrets Act, Income Tax Act and Infectious Diseases Act.

Mr S Iswaran: Yes, and have you also looked at the Instructions Manual (IM) 8? Because I think when you look at them holistically, it will be clear that the issues with data, whether it is a breach or misuse, and I can argue that there is a kind of continuum here. But let me assure you, when you have a breach of data, you have to establish why it occurred. If it is because of misuse, there will be a certain set of actions. If it is because your systems were not in place, it has to result in a different set of actions to correct the systemic errors. If there were certain people accountable for that systemic error, then they have to be held to account as well. So, I think there is a flow in the way this will proceed, in terms of action against Government organisations.

The second point on regular IT audits, why did they not throw up such issues in the past. I think that is an age-old question. You can have audits, I think it is not just in IT, you have it in financial audits, you have got quality audits, but you still have incidents. This is because it is human beings running the system and from time to time, it can happen. I think what is important is that when they occur, we learn from these incidents and set them right, and be transparent about what we are doing and how we are going about it.

Mr Speaker: Mr Dennis Tan.

Mr Dennis Tan Lip Fong (Non-Constituency Member): A question for Senior Minister of State Edwin Tong. Is the Senior Minister of State able to answer any aspect of my questions?

Mr Edwin Tong Chun Fai: Can the Member elaborate on what other aspects have not been answered?

Mr Dennis Tan Lip Fong: No, on my question. Not sure my question has been answered.

Mr Edwin Tong Chun Fai: Mr Dennis Tan's questions relate to the circumstances in which the information was placed on the server, how it is that access was gained to the data, and whether there was a breach of any law. Those are all matters that are covered by the investigations that are currently on-going, and to the extent possible, when this has been ascertained, we will provide that information.