Oral Answer · 2019-04-01 · 13th Parliament
Personal data protection investigative function
Members asked about the Personal Data Protection Commission's (PDPC) investigative role in the blood donor data leak and whether public agencies should be bound by the Personal Data Protection Act (PDPA). The Government replied that the PDPC is investigating the private IT vendor involved, that public agencies are governed by other legislation, and that their data protection standards are no lower than the PDPA's. The core dispute is whether public agencies should be exempt from PDPA oversight and how they are held accountable.
Key points
- PDPC investigates the private vendor
- Public agencies are governed by separate legislation
- Public agencies are held to high data protection standards
Public agencies are governed by dedicated legislation, not the PDPA
Questions the justification for exempting public agencies from the PDPA
Strengthen oversight of public agencies' data protection
“Public sector agencies have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act.”
Participants (8)
- Dennis Tan Lip Fong
- Edwin Tong Chun Fai
- Irene Quay Siew Ching
- Minister for Communications and Information
- Cheng Li Hui
- S Iswaran
- Senior Minister of State for Health
- Sylvia Lim
English original
SPRS Hansard · Fetched: 2026-05-02
13 Ms Sylvia Lim asked the Minister for Communications and Information regarding the recent data leak of more than 800,000 blood donors' personal information from the database of HSA (a) what is the role of the Personal Data Protection Commission in investigating this incident; and (b) whether any review is being done to ascertain whether HSA has acted reasonably in protecting the personal data including whether the contractual obligations between HSA and its IT vendor reasonably safeguarded the personal information entrusted to these parties.
14 Ms Irene Quay Siew Ching asked the Minister for Communications and Information in view of data breaches across public IT systems (a) whether it is justifiable for public agencies to be exempted from Personal Data Protection Act; (b) what recourse do citizens have, other than to complain to agencies or seek civil action; and (c) whether there should be a tangible penalty meted out to these public agencies for public accountability.
The Minister for Communications and Information (Mr S Iswaran) : Mr Speaker, may I have your permission to take Question Nos 13 and 14 together, please?
Mr Speaker : Yes, please.
Mr S Iswaran : Mr Speaker, with regard to the incident involving HSA, the Personal Data Protection Commission (PDPC) is investigating Secur Solutions Group Pte Ltd, which is a private company and vendor of IT services to HSA. If found to be in breach of the Personal Data Protection Act (PDPA), PDPC will take the appropriate enforcement actions against the company, such as issuing directions and imposing financial penalties.
The Senior Minister of State for Health has earlier outlined the review of HSA’s data security policies and practices that is being undertaken. As HSA is a Government agency, the Smart Nation and Digital Government Group is also conducting an investigation into the incident.
Ms Quay has asked if it is justifiable that public agencies are exempted from the PDPA. Implicit in the Member’s question is the presumption that public sector agencies are not accountable for their data protection practices or not held to a high standard because the PDPA does not apply to them. That is wrong and simply not the case. Public sector agencies are subject to a different piece of legislation and other regulations. In particular, public sector agencies have to comply with the Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, they have comparable if not higher standards of data protection compared to the PDPA, and similar investigations and enforcement actions are taken against data security breaches.
I have previously explained in Parliament why we have adopted this approach. To reiterate, the PDPA does not apply to public agencies because there are fundamental differences in how the public sector operates, which requires a different approach to personal data protection when compared to the private sector. In order to enable a whole-of-Government approach to the delivery of public services, personal data has to be managed as a common resource within the public sector. The considerations are different in the private sector, as there is no such expectation of a holistic approach to the delivery of commercial services across private organisations.
Citizens have the same recourse for a data breach in the public sector as with the PDPA. Where citizens suspect that their data has been mishandled by a private sector organisation, they can lodge a complaint with PDPC; or with GovTech, if a public sector agency is involved. In practice, there are no wrong doors and the complaint will be directed to the relevant agencies for follow-up. Affected individuals can also seek mediation or take civil action against the organisation or agency which mishandled the data.
The Member has asked whether tangible penalties should be imposed on public agencies for public accountability. Public officers who flout the Government’s data security rules, and are found to have misused or disclosed data in an unauthorised manner, could be held criminally liable under the PSGA. The penalties include fines of up to $5,000 or a jail term of up to two years, or both. It is not meaningful to impose financial penalties on public sector agencies because the cost of such penalties would ultimately have to be borne by the same public purse.
Mr Speaker, over the years, the Government has progressively enhanced security measures to safeguard sensitive data. The Government has also increased the number and types of internal IT audits, to check on agencies’ data access and data protection measures. Nevertheless, recent data-related incidents have underscored the urgency to strengthen data security policies and practices in the public sector.
Therefore, the Prime Minister has convened a Public Sector Data Security Review Committee to conduct a comprehensive review of data security practices across the entire Public Service. This includes measures and processes related to the collection and protection of citizens’ personal data by public sector agencies, as well as vendors who handle personal data on behalf of the Government. While individual agencies are investigating and taking action on the specific incidents, this Committee will undertake a comprehensive review across the public sector, and incorporate industry and global best practices to strengthen data security.
This review will help to ensure that all public sector agencies maintain the highest standards of data governance. This is essential to uphold public confidence and deliver a high quality of public service to our citizens through the use of data. The work of this Committee will complement our efforts to achieve our Smart Nation vision. The Public Sector Data Security Review Committee will submit its findings and recommendations to the Prime Minister by 30 November 2019.
Mr Speaker: We will take the supplementary questions for the earlier Parliamentary Questions as well as for these two. Miss Cheng Li Hui.
Miss Cheng Li Hui (Tampines) : I have two supplementary questions. It was reported that the server was also accessed by several other IP addresses. What do we know about this access? Is it by foreigners or locals and will we be pursuing any actions on them? Do they have the information on the blood donors as well? For those who failed to donate their blood due to illnesses, can this sensitive information be accessed?
The Senior Minister of State for Health (Mr Edwin Tong Chun Fai) : On Miss Cheng's latter question, that information was not on the server that was compromised. Only registration related information was on that server. And if I can just cite for Miss Cheng this relevant portion from the vendor's statement. It says that the information that was on that server were NRIC, gender, number of blood donations, dates of the last three blood donations and in some cases, blood type, height and weight.
As for the first point, the unauthorised access is from various locations. That is still being looked into and when we have a fuller position on this and have more clarity, we will provide those answers.
Ms Sylvia Lim (Aljunied) : Mr Speaker, I have three supplementary questions for Minister Iswaran. The first is, I am glad to hear that he confirmed that the private sector vendor Secured Solutions Group is actually governed by the PDPA and that PDPC is looking into their conduct. My first question will be, is the PDPC going to wait for the outcome of the HSA investigation and then, follow on from there or is it concurrent?
The second question is, it was mentioned that the Prime Minister has now convened a cross-Government committee chaired by Deputy Prime Minister Teo to look into standards of Government IT security. Does this confirm that the Government is actually not satisfied and that the standards so far have been wanting in the public sector?
Finally, the third question, which is an interesting one, is Minister's answer to Nominated Member Quay's question about financial penalties on organisations. He mentioned that it was not meaningful to fine public agencies because the fine would in the end come from the public purse. But can the central Government not operate on the premise that no additional money is going to be provided to public agencies to pay fines, and therefore, the agencies would just have to cope with cuts somewhere else to pay these fines, whether it is from bonuses of Senior Management or whatever it is? Because there is still an important signalling effect that the Government is prepared, as an organisation, to abide by the same standards it expects of small businesses.
Mr S Iswaran : Mr Speaker, I thank the Member for her questions. Firstly, on whether the PDPC's investigations would be concurrent, the answer is yes. But clearly, we would have to be informed by what is happening also in some of the other activities because they have some inter-related factors. But the answer is, the investigations will proceed concurrently.
The second question is, what does the establishment of the Public Sector Data Security Review Committee mean. I think the Member is trying to score a political point here and I want to make it categorically clear. The Government has been working, that is why I said so in my answer, consistently working and improving data security standards. There is a list of things that we have been doing over the years and I think this has been explained in the House many times in response to the Member's questions and that of many other Members as well.
The key point here is that, because there has been a series of these incidents in recent times, the Prime Minister and the Government have assessed that we need to take a holistic look again. That does not mean that what we have is inadequate or lacking, but what it does mean is we should ensure that we put total effort to ensure that we leave no stones unturned in ensuring the highest standards are met in the public sector when it comes to data security. If there is something that is to be learnt, whether it is from best practices in the private sector or from global companies, that is something we will be very happy to learn from and incorporate in the Government's practices.
Finally, on the point on financial penalties, and the Member makes the point about signalling effect. I would say that, first of all, in fact I think the term "ownself check ownself" was coined by a Member of her party. So, if you fine yourself, you do ask the question, what is the signalling effect there. It is far more important that the signalling effect is that you are taking this issue seriously and holding relevant people accountable. So, that is why, in the way we go about this, the penalties are focused on the individuals, officers, who have made decisions or taken actions which were deemed to be not compliant, and therefore, there are the consequences that I spelled out.
Having said that, I think, when you take action against an organisation in the public sector, the reputational impact on that organisation and leadership is significant. I think the Member will concede that, that in itself is also a major signalling point, because no organisation, public or private, wants to have its reputation tarnished. Having said that, we are prepared to look at all means, to ensure there is clear accountability and ensure that in the public sector we have the highest standards of data security. That is why, this committee has been set up and we will be open to suggestions. If the Member has interesting ideas on this, we would be happy to hear from her.
Ms Irene Quay Siew Ching (Nominated Member): The Minister reassured the House that we have the various acts to impose high standards of responsibility on public agencies. However, upon reviewing that, there seems to be a lack of clarity in this Act regarding accountability for data breaches. The focus seems to be on misuse of data. Can Minister clarify?
My second supplementary question is, Minister informed the House that the public agencies have regular mandatory internal audits in place to ensure public agencies comply with these standards for data protection and security of ICT systems. In that case, why are these potential lapses not surfaced during previous internal audit checks?
Mr S Iswaran : May I just seek a clarification from the Member, Speaker?
Mr Speaker : Yes, please.
Mr S Iswaran: When you say the Act does not refer to data breaches, only data misuse, are you referring to the Public Sector (Governance) Act or are you referring to PDPA?
Ms Irene Quay Siew Ching : I am referring to the Public Sector (Governance) Act, Official Secrets Act, Income Tax Act and Infectious Diseases Acts.
Mr S Iswaran : Yes, and have you also looked at the Instructions Manual (IM) 8? Because I think when you look at them holistically, it will be clear, that the issues with data, whether it is a breach or misuse, and when can I argue that there is a kind of continuum here. But let me assure you, when you have a breach of data, you have to establish why it occurred. If it is because of misuse, there will be a certain set of actions. If it is because your systems were not in place, it has to result in a different set of actions to correct the systemic errors. If there were certain people accountable for that systemic error, then they have to be held to account as well. So, I think there is a flow in the way this will proceed, in terms of action against Government organisations.
The second point on regular IT audits, why did they not throw up such issues in the past. I think that is an age-old question. You can have audits, I think it is not just in IT, you have it in financial audits, you have got quality audits, but you still have incidents. This is because it is human beings running the system and from time to time, it can happen. I think what is important is that when they occur, we learn from these incidents and set them right, and be transparent about what we are doing and how we are going about it.
Mr Speaker : Mr Dennis Tan.
Mr Dennis Tan Lip Fong (Non-Constituency Member) : A question for Senior Minister of State Edwin Tong. Is the Senior Minister of State able to answer any aspect of my questions?
Mr Edwin Tong Chun Fai : Can the Member elaborate on what other aspects have not been answered?
Mr Dennis Tan Lip Fong : No, on my question. Not sure my question has been answered.
Mr Edwin Tong Chun Fai: Mr Dennis Tan's question relates to the circumstances in which the information is placed on the server, how it is that there was access that was gained to the data, and whether there was a breach of any law. Those are all matters that are covered by the investigations that are currently on-going, and to the extent possible, when this has been ascertained, we will provide that information.