Laws and Regulations Database of the Central Bank of the Republic of China-Article Content

Title: Regulations Governing the Clearinghouse's Plan of Security Measures for Personal Information Files

Announced Date: Promulgated on November 30, 2012

Date: December 23, 2021


Chapter IV. Security Management Measures

Article 19
To prevent personal information from being stolen, tampered with, damaged, destroyed, leaked, or otherwise violated, the clearinghouse shall adopt the management measures under Articles 20 to 23 in accordance with the characteristics of its business, the workstations used to access personal information, the categories and quantity of personal information, and the tools and methods used for transmitting personal information.

Article 20
The clearinghouse shall adopt the following personnel management measures:
1. Designating employees to take charge of the processes for collecting, processing and using personal information respectively (hereinafter "respective operation").
2. Setting different levels of access authority for each respective operation and keeping them under control, managing access authority through a specific authentication mechanism, and regularly reviewing the appropriateness and necessity of the access authority levels that have been set.
3. Requiring all relevant staff to observe the related obligation of confidentiality.

Article 21
The clearinghouse shall adopt the following operation management measures:
1. Setting operating instructions for the respective operation.
2. Setting rules for the use of portable storage media when computers and related apparatuses are used to process personal information.
3. Determining whether encryption is necessary for the storage of personal information, and if so, adopting a proper encryption mechanism.
4. Determining whether encryption is necessary for the transmission of personal information, in light of the mode of transmission used, and if so, adopting a proper encryption mechanism and verifying the accuracy of the recipient's information.
5. Evaluating whether a backup copy of personal information is necessary in accordance with the importance of retaining the information, and if so, saving a backup copy; determining whether encryption is necessary for the backup, and if so, adopting a proper encryption mechanism; keeping proper care of the media storing the backup and conducting restore testing regularly to ensure the validity of the backup.
6. Ensuring that information stored on media is properly deleted, or that the media are physically destroyed, before media storing personal information are transferred to other people or disposed of.
7. Properly preserving the passwords used in authentication and encryption mechanisms, and taking proper precautions when it is necessary to hand such passwords to other people.

Article 22
The clearinghouse shall take the following management measures for its physical environment:
1. Implementing the necessary access control according to the differences among the respective operations.
2. Keeping proper care of the storage media used to safeguard personal information.
3. Installing the necessary disaster prevention equipment for the different environments of the respective operations.

Article 23
The clearinghouse shall adopt the following technical management measures when it uses computers or related apparatuses to collect, process or use personal information:
1. Setting up an authentication mechanism on computers, related apparatuses or systems, and identifying and controlling the staff authorized to access personal information.
2. When the authentication mechanism involves an account name and password, ensuring that the mechanism has a sufficient degree of security strength and that the password is changed regularly.
3. Setting up alerts and related response mechanisms on computers, related apparatuses or systems to properly react to and handle abnormal access activities.
4. Carrying out identity authentication on terminals that provide access to personal information, for identification and control purposes.
5. Setting the quantity and scope of access authority for personal information within the extent necessary for the respective operation; sharing access authority for the respective operation is not allowed in principle.
6. Using firewalls or routers to prevent unauthorized access to systems storing personal information.
7. Ensuring that users have access authority when using application programs that can access personal information.
8. Testing the effectiveness of the access authentication mechanism regularly.
9. Examining regularly whether the setting of personal information access authority is proper.
10. Installing anti-virus software on computer systems that process personal information and updating the virus definitions regularly.
11. Installing patches for vulnerabilities in computer operating systems and related programs regularly.
12. Assessing the threat of malware regularly and ensuring the stability of the computer systems after installing anti-virus software and patches.
13. Not installing file-sharing software on terminals with access authority.
14. Not using real personal information when testing the information system for processing personal information; if real personal information is used, stating the procedure for its use clearly.
15. Ensuring that the level of security does not decline when there is a change to the information system for processing personal information.
16. Checking the usage records of the information system for processing and accessing personal information regularly.