Laws and Regulations Database of the Central Bank of the Republic of China-Article Content

Title: Regulations Governing the Clearinghouse’s Plan of Security Measures for Personal Information files

Announced Date: Promulgated on November 30, 2012

Date: December 23, 2021


Chapter II.  General Procedures

Article 5
The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following actions:
1. Complying with domestic laws and regulations on personal information protection;
2. Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3. Protecting the collected, processed and used personal information files with technology at the level of security that could be reasonably expected;
4. Setting up a contact window for the principal parties of personal information (hereinafter “the Parties”) to exercise relevant rights concerning personal information or to file complaint or seek consultation;
5. Mapping out contingency plan for handling personal information stolen, tampered, damaged, destroyed, leaked, or other incidents;
6. If the collection, processing and use of personal information are outsourced, properly monitoring outsourced service providers; and
7. Continuing to fulfill the obligation of maintaining the Plan to ensure security of personal information files.

Article 6
The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.

Article 7
The clearinghouse shall, in accordance with laws on personal information protection, check all personal information under its possession, define the scope of personal information that should be included in the Plan and create a list and check the change of list content regularly.

Article 8
The clearinghouse shall, in accordance with the scope of personal information defined according to the preceding article and its relevant business processes, analyze potential risks, and set up proper control measures based on the results of risk analysis.

Article 9
The clearinghouse shall, in coping with personal information under its possession stolen, tampered, damaged, destroyed, leaked, or other incidents, establish relevant procedures for the following actions:
1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.
2. Investigating the incident clearly and notifying the Parties in a timely manner. Content of the notification shall include the facts about incidents, measures to resolve incidents, and contact information for the consulting service.
3. Avoiding recurrence of such a similar incident.
When the clearinghouse has an incident described in the preceding paragraph, the 
clearinghouse shall immediately notify personnel of the Central Bank of the Republic 
of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting 
reporting by phone, and within 72 hours, send a form to the Bank via electronic mail 
according to the format of the attached form; in addition, within 7 business days 
starting from the next day following the day of notification, the clearinghouse shall 
report to the Bank in writing the facts of the incident, whether the breached personal 
information has been illegally utilized, how the interests of the principal have been 
damaged, and response measures taken.
After receiving the notification of the clearinghouse, the Bank may, by the 
authority vested under Articles 22 ~ 25 of the Act, take appropriate supervisory 
and administrative measures.