Written Answer · 2019-05-06 · 13th Parliament
Public Agencies’ Exemption from Personal Data Protection Act
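A Member asked whether public agencies are exempt from the Personal Data Protection Act and what accountability they bear for data breaches. The Government responded that public agencies are bound by the Public Sector (Governance) Act, Instruction Manual 8 and other legislation, that criminal penalties and internal disciplinary action both apply, and that technical and administrative measures are in place to prevent data breaches. The core issue is the legal basis for public agencies' data protection responsibility and how strongly it is enforced.
Key points
- Public agencies are bound by multiple laws and regulations
- Criminal penalties and disciplinary action apply in parallel
- Strict technical and administrative measures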
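Public agencies bear strict responsibility for data protection
Questions public agencies' exemption provisions and accountability
Strengthening public-sector data security management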
"The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data."
Participants (2)
English original
SPRS Hansard original record · Retrieved: 2026-05-02
1 Ms Irene Quay Siew Ching asked the Prime Minister with regard to public agencies' exemption from the Personal Data Protection Act (a) whether he can list out the specific clauses in the current laws and instruction manuals that provide for public agencies' accountability on data breaches (not misuse of data) in public IT systems; and (b) whether he can explain how these clauses in the laws collectively impose a high standard of responsibility on all public agencies.
Mr Teo Chee Hean (for the Prime Minister): Public agencies and their officers are subject to data protection provisions set out in the Public Sector (Governance) Act (PSGA) and the Instruction Manual 8 (IM8), as well as in other related legislation. The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data. Public officers found guilty of these offences can be fined up to $5,000 and/or face a jail term of up to two years. Besides the PSGA, other legislation also criminalises the act of unauthorised disclosure of data, such as the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act. These provisions serve to deter public service officers from and punish them for the irresponsible use and handling of data. Please refer to Annex A for a list of the relevant clauses in the aforementioned Acts.
Apart from criminal proceedings, public officers found to be negligent in protecting data under their control can face internal disciplinary actions, as provided for in the Public Service (Disciplinary Proceedings) Regulations 1999.
Apart from such legislative sanctions, the government has a number of measures to prevent or minimise the chances of a data security breach and to minimise the consequences of a data breach. All public agencies are required to comply with the provisions of the IM8. The IM8 complements the broad data provisions in the PSGA by setting out the rules and requirements that agencies have to adhere to in order to manage and protect government data under their control. The IM8 prescribes specific measures to protect government data. For example, the IM8 mandates Internet surfing separation, the disabling of USB ports from being accessed by unauthorised devices, and the use of passwords to protect files that contain personal data. The IM8 also prescribes certain data protection processes, such as the prompt removal of access rights, the detection of inactive users and the regular review of system access rights.
Agencies are regularly audited for their compliance with the IM8 requirements, as well as the effectiveness of the measures implemented. The objective of audits is to enable agencies to uncover process and system gaps that should be addressed before a data incident occurs. Where such gaps are identified, agencies are required to draw up plans to close these gaps within a specific timeframe, and the progress of these plans is monitored until the gaps are fully closed. Besides regular IM8 audits, agencies' data management practices may also be audited by the Auditor-General. The outcomes of these audits are reported in Parliament and publicly available; agencies' actions to close the gaps are tracked until completion. Serious irregularities can be brought to the attention of the Ministry of Finance for internal action, as part of the audit process.
The deterrent measures in the PSGA and other legislation, the prescriptive measures in the IM8, as well as the regular IM8 compliance audits, collectively impose upon public agencies and public officers a high level of responsibility for data protection. Data security is essential to upholding public confidence in the Government's ability to deliver a high quality of public service to our citizens through the use of data. The Public Sector Data Security Review Committee, commissioned by the Prime Minister and chaired by Senior Minister Teo Chee Hean, will recommend ways to enhance the policies and practices the public sector already has, to keep pace with advances in technology. This includes keeping accountability measures up-to-date to ensure that data security remains a priority among public service leaders, and to ensure that policies and practices are continually improved to maintain a robust data security regime. The Committee will present its findings and recommendations to the Prime Minister in November 2019.