Laws and Regulations Database of the Central Bank of the Republic of China-Article Content

Title: Regulations Governing the Clearinghouse's Plan of Security Measures for Personal Information Files

Announced Date: Promulgated on November 30, 2012

Date: December 23, 2021


Chapter I  General Provisions

Article 1 
These Regulations are prescribed pursuant to Paragraphs 2 and 3, Article 27 of the Personal Information Protection Act (hereinafter "the Act").

Article 2
The clearinghouse shall set up a security measures plan (hereinafter "the Plan") for the personal information files under its possession, in order to carry out security maintenance and management of those files and to prevent them from being stolen, tampered with, damaged, destroyed or leaked. The Plan shall cover the related organizations and procedures stipulated in Articles 4 to 27 herein.

Article 3
The terms used in these Regulations shall be defined as follows:
1. "Personal information management representative" shall mean the president of the clearinghouse or an officer directly authorized by the president, who takes charge of supervising the design, formulation, execution and revision of the Plan and the relevant decision making.
2. "Personal information internal assessor representative" shall mean an officer authorized by the president of the clearinghouse to take charge of supervising the internal assessors who evaluate the performance of the Plan.
3. "Relevant staff" shall mean employees of the clearinghouse who have to access personal information in the course of business execution, including the fixed-term and non-fixed-term contract employees and dispatched workers of the clearinghouse.

Article 4
The clearinghouse shall organize a task force for the security maintenance of personal information files and allocate appropriate resources to it, so that it can take responsibility for the design, formulation, execution and revision of the relevant procedures under the Plan. The staffing of the task force includes the personal information management representative and the internal assessor. When the personal information management representative is an officer other than the president, this representative shall regularly submit to the president a written report on the execution of the task force's duties.

Chapter II  General Procedures

Article 5
The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following:
1. Complying with domestic laws and regulations on personal information protection;
2. Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3. Protecting the collected, processed and used personal information files with technology at a level of security that can reasonably be expected;
4. Setting up a contact window for the principal parties of personal information (hereinafter "the Parties") to exercise their rights concerning personal information or to file complaints or seek consultation;
5. Mapping out a contingency plan for handling incidents in which personal information is stolen, tampered with, damaged, destroyed or leaked, and other incidents;
6. If the collection, processing and use of personal information are outsourced, properly monitoring the outsourced service providers; and
7. Continuing to fulfill the obligation of maintaining the Plan to ensure the security of personal information files.

Article 6
The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.

Article 7
The clearinghouse shall, in accordance with the laws on personal information protection, check all personal information under its possession, define the scope of personal information to be included in the Plan, create a list of it, and regularly check the list for changes.

Article 8
The clearinghouse shall, in accordance with the scope of personal information defined under the preceding article and its relevant business processes, analyze the potential risks and set up proper control measures based on the results of the risk analysis.

Article 9
The clearinghouse shall establish procedures for the following actions in responding to incidents in which personal information under its possession is stolen, tampered with, damaged, destroyed or leaked, and to other incidents:
1. Adopting proper contingency measures to reduce or control the damage caused to the Parties by the incident.
2. Investigating the incident thoroughly and notifying the Parties in a timely manner. The notification shall include the facts of the incident, the measures taken to resolve it, and contact information for consulting services.
3. Preventing the recurrence of similar incidents.
When an incident described in the preceding paragraph occurs, the clearinghouse shall immediately notify by phone the personnel of the Central Bank of the Republic of China (Taiwan) (hereinafter "the Bank") in charge of accepting such reports, and within 72 hours send the Bank a report by electronic mail in the format of the attached form; in addition, within 7 business days starting from the day following the notification, the clearinghouse shall report to the Bank in writing the facts of the incident, whether the breached personal information has been illegally used, how the interests of the Parties have been harmed, and the response measures taken.
After receiving the clearinghouse's notification, the Bank may, under the authority vested in it by Articles 22 to 25 of the Act, take appropriate supervisory and administrative measures.

Chapter III  Regulatory Compliance Procedures

Article 10
The clearinghouse shall establish procedures for the following actions to ensure that its collection of personal information complies with the regulatory requirements for personal information protection:
1. Identifying the specific purposes of the personal information collection.
2. Ensuring that the specific situations or other requirements for personal information collection required by law are met.

Article 11 
The clearinghouse shall establish procedures for the following actions to fulfill its obligation, under Articles 8 and 9 of the Act, to notify the Parties when their personal information is collected:
1. Identifying the situations that are exempted from notification.
2. Except in the exempted situations, notifying the Parties in a proper manner according to the circumstances of the collection.

Article 12 
The clearinghouse shall establish procedures for the following actions to ensure that its use of personal information complies with the regulatory requirements for personal information protection:
1. Ensuring that the use of personal information complies with the specific purposes.
2. Identifying whether the personal information may be used beyond the specific purposes and how such use is to be carried out.

Article 13 
The clearinghouse shall take the following actions when adding or changing its specific purposes:
1. Taking action in accordance with Article 11 herein.
2. Obtaining the written consent of the Parties, unless otherwise provided by law.

Article 14 
The clearinghouse shall establish procedures for the following actions in handling the specific categories of personal information under Article 6 of the Act:
1. Identifying whether the personal information it collects, processes and uses contains specific categories of personal information.
2. Ensuring that the collection, processing and use of specific categories of personal information comply with the regulatory requirements.

Article 15 
Prior to carrying out international transmission of personal information, the clearinghouse shall check whether such transmission is restricted by the Bank and comply with the relevant rules.

Article 16 
The clearinghouse shall establish procedures for the following actions to enable the Parties to exercise their rights under Article 3 of the Act:
1. How the Parties are enabled to exercise their rights.
2. Verifying the identity of the Parties.
3. Confirming whether any situation under Article 10 or Article 11 of the Act exists by which a request by the Parties to exercise their rights may be rejected.
4. Rejecting a request of the Parties in a timely manner.

Article 17 
The clearinghouse shall establish procedures for the following actions to ensure the accuracy of the personal information under its possession:
1. Ensuring that the accuracy of the information is not affected during processing.
2. Making timely corrections upon finding that the information contains an error.
3. Checking the accuracy of the information regularly.
For personal information that was not corrected or supplemented due to the fault of the clearinghouse, the clearinghouse shall establish a procedure for notifying the parties to whom such information was previously provided after it has corrected or supplemented the information.

Article 18 
The clearinghouse shall regularly check whether the specific purpose for retaining certain personal information no longer exists or whether its retention period has expired. When the specific purpose no longer exists or the retention period has expired, the clearinghouse shall follow the provisions of Paragraph 3, Article 11 of the Act.

Chapter IV  Security Management Measures

Article 19
To prevent personal information from being stolen, tampered with, damaged, destroyed, leaked or otherwise violated, the clearinghouse shall adopt the management measures under Articles 20 to 23 in accordance with the characteristics of its business, the workstations used to access personal information, the categories and quantity of personal information, and the tools and methods used for transmitting personal information.

Article 20 
The clearinghouse shall adopt the following personnel management measures:
1. Designating employees to take charge of the processes for collecting, processing and using personal information respectively (hereinafter "respective operation").
2. Setting different levels of access authority for each respective operation and keeping them under control, managing access authority through a specific authentication mechanism, and regularly reviewing the appropriateness and necessity of the access levels set.
3. Requiring all relevant staff to observe the related obligations of confidentiality.

Article 21 
The clearinghouse shall adopt the following operation management measures:
1. Setting instructions for each respective operation.
2. Setting rules for the use of portable storage media when computers and related apparatuses are used for processing personal information.
3. Determining whether encryption is necessary for the storage of personal information and, if it is, adopting a proper encryption mechanism.
4. Determining whether encryption is necessary for the transmission of personal information in view of the mode of transmission used and, if it is, adopting a proper encryption mechanism and verifying the accuracy of the recipient information.
5. Evaluating whether a backup copy of personal information is necessary in accordance with the importance of retaining the information and, if it is, keeping a backup copy; determining whether encryption is necessary for the backup and, if it is, adopting a proper encryption mechanism; taking proper care of the media storing the backup and conducting restore testing regularly to ensure the validity of the backup.
6. Ensuring that information stored on media is properly deleted, or that the media are physically destroyed, before media storing personal information are transferred to other people or disposed of.
7. Properly safeguarding the passwords used in the authentication and encryption mechanisms, and taking proper precautions when it is necessary to give such passwords to other people.

Article 22 
The clearinghouse shall take the following management measures for its physical environment:
1. Implementing the necessary access controls according to the differences between the respective operations.
2. Taking proper care of the storage media used for safeguarding personal information.
3. Installing the necessary disaster prevention equipment for the different environments of the respective operations.

Article 23  
The clearinghouse shall adopt the following technical management measures when it uses computers or related apparatuses for collecting, processing or using personal information:
1. Setting up an authentication mechanism on the computers, related apparatuses or systems, and carrying out identification and control of the staff authorized to access personal information.
2. When the authentication mechanism involves an account name and password, ensuring that the mechanism has a sufficient degree of security sophistication and that the password is changed regularly.
3. Setting up alerts and related response mechanisms on the computers, related apparatuses or systems to properly react to and handle abnormal access activities.
4. Carrying out identity authentication on terminals that provide access to personal information, for identification and control purposes.
5. Setting the quantity and scope of access authority for personal information within the extent necessary for the respective operation; sharing access authority among respective operations is not allowed in principle.
6. Using firewalls or routers to prevent unauthorized access to systems storing personal information.
7. Ensuring that users have the required access authority when using application programs that can access personal information.
8. Testing the effectiveness of the access authentication mechanism regularly.
9. Regularly examining whether the settings of personal information access authority are proper.
10. Installing anti-virus software on the computer systems that process personal information and updating the virus definitions regularly.
11. Installing patches for vulnerabilities in computer operating systems and related programs regularly.
12. Assessing the threat of malware regularly and ensuring the stability of the computer systems after installing anti-virus software and patches.
13. Not installing file-sharing software on terminals with access authority.
14. Not using real personal information when testing information systems that process personal information; where real personal information is used, clearly stating the procedure for its use.
15. Ensuring that the level of security does not decline when an information system that processes personal information is changed.
16. Regularly checking the usage records of information systems that process and access personal information.

Chapter V  Awareness Education and Training

Article 24 
The clearinghouse shall conduct awareness education and provide training to its relevant staff to ensure that they understand the requirements prescribed in relevant laws on personal information protection, their respective responsibilities, and relevant operating procedures.

Chapter VI  Procedures for Audit and Improvement of the Plan

Article 25 
Prior to carrying out international transmission of personal information, the clearinghouse shall check whether such transmission is restricted by the Bank and comply with the relevant rules.

Article 26 
The clearinghouse shall establish the following procedures for the continuing improvement of the Plan:
1. A remediation procedure for poor implementation of the Plan.
2. A procedure for changes to the Plan.

Chapter VII  Preservation of Records

Article 27 
The clearinghouse shall preserve at least the following records in carrying out the procedures for implementing the Plan:
1. Records of personal information delivery and transmission.
2. Records of verifying the accuracy of personal information and of corrections made.
3. Records of the exercise of rights by the Parties.
4. Records of the deletion and disposal of personal information.
5. Records of access to personal information systems.
6. Records of backups and restore testing.
7. Records of the addition, alteration and deletion of relevant staff's access authority.
8. Records of access violations by relevant staff.
9. Records of actions taken in response to incidents.
10. Records of the periodic checks of information systems that process personal information.
11. Records of educational training.
12. Records of the audit of the Plan and the implementation of the improvement procedures.

Chapter VIII  Effective Date

Article 28
These Regulations shall come into force on the date of promulgation.