Oral Answer · 2019-02-12 · 13th Parliament
Review of the Data Protection Exemption for Public Agencies
The Member asked whether the Personal Data Protection Act should be amended to remove the exemption for public agencies in view of the risk of data breaches. The Government replied that the public sector already has multiple legal and policy safeguards for data security, stressed that public-sector data management differs from that of the private sector and is governed by a different legal regime, and said it will continue to review the relevant legislation. The core dispute is whether data protection in public agencies should be brought under the unified supervision of the Personal Data Protection Act.
Key points
- Public-sector data is protected by multiple laws
- Public-sector data management differs from the private sector's
- The relevant legislation will be kept under review
Public-sector data is safeguarded by several statutes; the current exemption is retained
Proposal to remove the data-protection exemption for public agencies
Continued strengthening of public-sector data governance
“Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors.”
Participants (3)
- Minister for Communications and Information
- S Iswaran
- Sylvia Lim
English original
SPRS Hansard · Fetched: 2026-05-02
12 Ms Sylvia Lim asked the Minister for Communications and Information given the gravity of data protection breaches in the public sector, whether the Personal Data Protection Act should be amended to remove the exemptions for public agencies.
The Minister for Communications and Information (Mr S Iswaran): Mr Speaker, the Personal Data Protection Act (PDPA) came into force in 2012. With the gathering pace of digitalisation, we recognised the need to strengthen data protection in the private sector. PDPA establishes a baseline standard for data protection in the private sector, balanced against its need to use personal data for reasonable purposes.
On its part, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector and we continue to strengthen our data governance policies. Since 2001, the Government Instruction Manuals (IMs) already include measures to govern the use, retention, sharing and security of personal data among public agencies.
In 2018, the Public Sector (Governance) Act (PSGA) was introduced and it provided for additional safeguards for personal data in the public sector, including criminalising the misuse of data by public servants. The data protection standards in PSGA are also aligned with the PDPA. In addition, data collected by the public sector is also protected by specific legislation, such as the Official Secrets Act, the Income Tax Act, the Infectious Diseases Act and the Statistics Act. Collectively, these laws impose a high standard of responsibility on all public agencies, with additional requirements for the protection of sensitive or confidential data. Also, regular mandatory audits are conducted to ensure that public agencies comply with the standards for data protection and the security of information and communications technology systems.
PSGA allows personal data to be managed as a common resource within the public sector for better policymaking and also for more responsive public services. For example, when a Singaporean applies for financial assistance at a Social Service Office, the frontline officers are able to quickly evaluate his or her eligibility for financial assistance because they have access to data from other relevant agencies. In this way, we minimise the documents that need to be submitted by the applicant and improve the delivery of public services. In contrast, each private sector organisation is expected to be individually accountable for the personal data in its possession, and there is no expectation of a similar integrated delivery of services across different commercial organisations.
Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and in the private sectors. That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector. We will regularly review the PDPA, PSGA and other legislation to ensure that they remain relevant and effective in safeguarding personal data in both the public and private sectors.
Mr Speaker: Ms Sylvia Lim.
Ms Sylvia Lim (Aljunied): I have four supplementary questions for the Minister. The first question is, I acknowledge that the various statutes and the IMs, as the Minister mentioned, do set out standards for the Public Service to comply with. Does the Minister agree, however, that these instruments, legislation or IMs are usually silent or weak on the recourse that citizens may have if there is a data breach? They may be strong on penalties for errant officers but, generally, we get silences on the rights of citizens.
Secondly, does the Minister also agree that for the PDPA itself, I suppose one of the advantages or assets of the PDPA is its approach to try to balance the need of organisations to collect data and, at the same time, if we look at section 3, it also recognises that personal data belongs to individuals, and individuals have a right to protect that data?
The third question is, we talked recently about the SingHealth incident. Does the Minister agree, because SingHealth is a body that comes within the purview of PDPA, it is not a Public Agency as defined in the Act, and the SingHealth cyberattack case has shown that the Personal Data Protection Commission (PDPC) can actually play a very useful role as far as the public is concerned? The PDPC's judgement in the cyberattack case mentioned that members of the public complained to it that their data had not been adequately protected by SingHealth. PDPC actually made some findings which will likely lead to improvements on the part of SingHealth and the Integrated Healthcare Information Systems (IHiS) as well.
Perhaps the last question for now is that one of the things that the PDPA does provide is a complaints procedure which I would like the Minister to confirm that this is something that is very useful to the citizens, which does not force the citizens to commence a lawsuit against a Government agency should one suffer damage and so on. So, these are very real advantages of the PDPA which I believe citizens can benefit from.
Mr S Iswaran: Mr Speaker, I thank the Member for her comments. I am not sure all of them were questions because some of them were observations. But let me interpret them.
Let me start by making a more general point. I think the key conclusion we have to draw is this. When we say exempt – and that is the language that the Member has used in her question – that the public sector is exempt from the PDPA, that does not mean that the public sector is somehow subject to a different or lower standard, as might be implied, in terms of data security and safety. In fact, and that was the thrust of my reply that, one, the public sector and the PSGA, in particular, takes reference, and it is in broad alignment with PDPA. But having said that, there is a clear recognition that the mode of operation and the expectation of how data is used in order to provide an effective and efficient Public Service, implies that we do need a different methodology in the way we govern public sector data governance. That is why we have this differentiated approach. In addition to the PSGA, as I had said, we do have other legislation in place.
Just for Members' information, we are by no means alone in this approach. The Canadians, for example, at the federal level, also have different laws in terms of its application to the private sector and its application to the public sector. So, it is not about differing standards or somehow having a different threshold when it comes to the public sector. In fact, we subject the public sector to the same kind of standards, if not higher standards, precisely because we know that the data that is being entrusted to the public sector is done with the confidence that it would be dealt with in a secure manner.
So, many of the questions that the Member has raised pertain more to whether there are elements of the PDPA. For example, there is a complaints procedure where they can complain to the PDPC on, for example, the right to data. I think the Member made the point that the PDPA strikes the balance between the right to data of the individual versus the right to use the data of the enterprises. Indeed, that is the balance we are trying to strike, whether it is in the public domain or in the private domain. Because essentially, you can say the same sets of considerations apply in the public sector – that we want to ensure individual data is protected, accorded due safeguards, but, at the same time, it should be a common resource that public sector agencies can tap on in order to better serve citizens. Many of the services that we take quite for granted today actually rely on that backend sharing. So, when it comes to a complaints procedure today, there is nothing stopping an individual who feels aggrieved that their data has somehow been mishandled to launch a complaint. And they have different channels for doing so.
On the SingHealth piece, the Member made the point that PDPC came out with the recommendations and so on which were very useful and so on. But actually, if you look at the morphology of the entire incident, the key recommendations that came out of this was actually from the Committee of Inquiry (COI) which the Government established. That is the process through which we derived a whole set of very detailed recommendations. What the PDPC did, because it received the complaint early in the process, was to say that it will take reference from the COI's process in determining whether there was a breach by the relevant agencies, in this case SingHealth and IHiS, and, if so, what penalty should be meted out. But the substantial portion of the recommendations was actually made through the COI process which was, in fact, initiated by the Government, not mandated by any legislation but something that was because of the judgement that was exercised.
The point on recourse comes back to the same thing again. If a member of the public feels that, in some way, their data has been mishandled, then they have every opportunity to lodge a complaint with the Minister, the Ministry, the relevant department, and action will be taken. And you can also, if you think a crime has been committed, make a Police report, and that will also be investigated.
So, if I can summarise, we subject our public sector to the same, if not higher, rigorous standards of data governance. And we have to do that, because if we do not, then a lot of our other efforts, in terms of wanting to build a Smart Nation and delivering, harnessing the digital technologies and all these in order to deliver better public services will all be thwarted. So, that is exactly why we take this very seriously. By and large, the PSGA, in other words, the legislation that governs the public sector data governance, takes reference from the PDPA and we also have other legislation for specific sectoral matters which can also be implied in addition.
Mr Speaker: Ms Sylvia Lim.
Ms Sylvia Lim: Two supplementary questions for the Minister. First, the Minister, in his answer earlier, mentioned that for members of the public who are aggrieved that their information has been mishandled by a public agency can always make a complaint. The question is: to whom? And the Minister mentioned that it could be to the Minister. Does the Minister not agree that the PDPC itself, which is focused on personal data protection, should have a role to receive such complaints because they are, after all, the domain expert on personal data protection?
The second supplementary question is: Minister mentioned the issue of public sector agencies being interconnected and, therefore, there needs to be a different approach. But I think the SingHealth incident also illustrates some artificiality in what is actually happening in the healthcare sector. If we look at the setup of SingHealth, for example, no doubt, it is not under the definition of public agency under the PDPA. But the fact is that it is very connected to the Ministry of Health (MOH). In fact, it is owned by MOH Holdings, and there is a frequent, I believe, exchange of data between such healthcare bodies and the parent Ministry. So, it would come to a stage, does Minister not agree that, if my data is given to a clinic, for example, under a cluster, I may be able to complain to the PDPC, but once that data goes to the Ministry and the breach happens there, I do not have recourse under the PDPC? So, there is some artificiality in the distinction as far as the healthcare sector is concerned.
Mr S Iswaran: Mr Speaker, because there will be a Ministerial Statement governing many of the matters pertaining to the public healthcare system, I will keep my comments in response to the Member's queries limited, and I think we can take up clarifications after the Ministerial Statement as well.
The key point I want to emphasise in my response to the Member is this: the term "recourse" for the public has been used several times in the course of this exchange. The fact of the matter is that you need recourse. It does not matter whether the recourse is under the PDPC or PDPA, the legislation or there are other established improved mechanisms. But the key point is you must have recourse.
And that is my point when I said that individuals, depending on where or what circumstances they find themselves in, they can make complaints. By the way, the PDPC does receive complaints sometimes pertaining to the public sector. So, as a recipient of such complaints from the public, it does not turn them away. Rather, the standing arrangement is that they look at it and, if the jurisdiction is such that it does not come under the PDPA, they then refer it to the Government agencies involved to then follow through. In the case of the Government, the Government Technology Agency (GovTech), for example, is overall in charge of the security and safeguard systems for data. And GovTech is the agency that does many of the reviews and ensures that the Government agencies are in compliance with the IMs and other provisions and so on. Moreover, there is also the Auditor-General's review as well, which occurs from time to time, and it includes security.
My point is that members of the public should not at all be concerned that they do not have recourse. They do, and, in fact, they have a multiplicity of recourse. And I would add that, in the case of the public sector, they probably have more channels and more avenues of recourse in some ways, compared to what you see in the context of the private sector. Because essentially, for private sectors, you go to the PDPC, or you take out a specific legal action against the company on your own. Here, you have got more options because you can go through the PDPC. It would be referred to the relevant agencies. You can go to GovTech, you can go to the Ministry that oversees the relevant department, you can also make a Police report if you feel that it warrants such action.
So, there should be no doubt in Members' minds that we have the appropriate recourse mechanisms. There should also be no doubt in Members' minds that the public sector's data governance standards are in no way inferior to the standards that we impose on the private sector. And, if anything, we impose a higher set of standards. That is the expectation that we have.