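Written Answer · 2019-05-06 · 13th Parliament

Public Agencies' Exemption from Data Protection Law

AI Governance and Regulation · AI Safety and Ethics · AI and National Security · AI and the Public Sector · Controversy level 3 · Substantive debate

A Member asked whether public agencies are exempt from the Personal Data Protection Act and what accountability they bear for data breaches. The Government replied that public agencies are bound by legislation and rules such as the Public Sector (Governance) Act and Instruction Manual 8, which provide for criminal penalties and internal disciplinary action, and that technical and administrative measures are in place to guard against data breaches. The core point of contention is the legal basis for public agencies' data protection accountability and how strongly it is enforced.

Key points

  • Public agencies are bound by multiple laws and regulations
  • Criminal penalties and disciplinary action apply in parallel
  • Strict technical and administrative measures

Government position

Public agencies bear strict responsibility for data protection

Questioner's position

Questions the exemption of public agencies and their accountability

Policy signal

Strengthening data security management in the public sector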

“The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data.”

Participants (2)

Original English text

SPRS Hansard · Fetched: 2026-05-02

1 Ms Irene Quay Siew Ching asked the Prime Minister with regard to public agencies' exemption from the Personal Data Protection Act (a) whether he can list out the specific clauses in the current laws and instruction manuals that provide for public agencies' accountability on data breaches (not misuse of data) in public IT systems; and (b) whether he can explain how these clauses in the laws collectively impose a high standard of responsibility on all public agencies.

Mr Teo Chee Hean (for the Prime Minister): Public agencies and their officers are subject to data protection provisions set out in the Public Sector (Governance) Act (PSGA) and the Instruction Manual 8 (IM8), as well as in other related legislation. The PSGA criminalises the acts of unauthorised disclosure of data, misuse of data and the re-identification of individuals from anonymised data. Public officers found guilty of these offences can be fined up to $5,000 and/or face a jail term of up to two years. Besides the PSGA, other legislation also criminalise the act of unauthorised disclosure of data, such as the Official Secrets Act, the Banking Act, the Income Tax Act, and the Statistics Act. These provisions serve to deter public service officers from and punish them for the irresponsible use and handling of data. Please refer to Annex A for a list of the relevant clauses in the aforementioned Acts.

Apart from criminal proceedings, public officers found to be negligent in protecting data under their control can face internal disciplinary actions, as provided for in the Public Service (Disciplinary Proceedings) Regulations 1999.

Apart from such legislative sanctions, the government has a number of measures to prevent or minimize the chances of a data security breach and to minimise the consequences of a data breach. All public agencies are required to comply with the provisions of the IM8. The IM8 complements the broad data provisions in the PSGA by setting out the rules and requirements that agencies have to adhere to in order to manage and protect government data under their control. The IM8 prescribes specific measures to protect government data. For example, the IM8 mandates Internet surfing separation, the disabling of USB ports from being accessed by unauthorised devices, and the use of passwords to protect files that contain personal data. The IM8 also prescribes certain data protection processes, such as the prompt removal of access rights, the detection of inactive users and the regular review of system access rights.

Agencies are regularly audited for their compliance with the IM8 requirements, as well as the effectiveness of the measures implemented. The objective of audits is to enable agencies to uncover process and system gaps that should be addressed before a data incident occurs. Where such gaps are identified, agencies are required to draw up plans to close these gaps within a specific timeframe, and the progress of these plans are monitored until the gaps are fully closed. Besides regular IM8 audits, agencies' data management practices may also be audited by the Auditor-General. The outcomes of these audits are reported in Parliament and publicly available; agencies' actions to close the gaps are tracked until completion. Serious irregularities can be brought to the attention of the Ministry of Finance for internal action, as part of the audit process.

The deterrent measures in the PSGA and other legislation, the prescriptive measures in the IM8, as well as the regular IM8 compliance audits, collectively impose upon public agencies and public officers a high level of responsibility for data protection. Data security is essential to upholding public confidence in the Government's ability to deliver a high quality of public service to our citizens through the use of data. The Public Sector Data Security Review Committee, commissioned by the Prime Minister and chaired by Senior Minister Teo Chee Hean, will recommend ways to enhance the policies and practices the public sector already has, to keep pace with advances in technology. This includes keeping accountability measures up-to-date to ensure that data security remains a priority among public service leaders, and to ensure that policies and practices are continually improved to maintain a robust data security regime. The Committee will present its findings and recommendations to the Prime Minister in November 2019.