These Regulations are prescribed pursuant to Paragraph 3 of Article 27 of the Personal Information Protection Act (hereinafter referred to as “the Act”).
These Regulations are applicable to professional engineering consulting firms (hereinafter referred to as “the consulting firm”) which are defined by the Act Governing the Administration of Professional Engineering Consulting Firms.
The consulting firm shall set up the security assurance plan for personal data (hereinafter referred to “the Assurance Plan”) and take appropriate security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.
The Assurance Plan shall include the relevant organizations and procedures prescribed in Articles 3 to 21, and it shall be reviewed regularly and amended in conformity with related laws and regulations.
An operator of the consulting firm shall set up the Assurance Plan as mentioned in paragraph 2 before obtaining the registration certificate for consulting firm. A consulting firm obtained the registration certificate prior to the effectiveness of these Regulations shall set up the Assurance Plan within six months since the effectiveness of these Regulations.
The consulting firm may appoint designated personnel or establish a dedicated organization to enforce personal data security management with the allocation of appropriate resources.
The responsibility of the designated personnel or dedicated organization as referred to in the preceding paragraph shall be as follows:
1. Planning, prescribing, amending and executing the Assurance Plan, and methods of processing personal information after termination of business.
2. Setting up personal information protection management policy and disclosing the related requirements, specific purposes and other related protection practices involving collection, processing and using personal information to the staff members.
3. Periodically conducting basic knowledge introduction or professional education and training for staff members, to ensure that they clearly understand the related provisions of laws and regulations, the scope of staff members’ responsibilities, and the various methods or management measures for protecting personal information.
The consulting firm shall clearly identify the specific purpose of the collection of personal information, and in accordance with the necessity of the specific purpose, define the type or scope of the personal information collection, processing and use, and periodically check the status of the personal information in its keeping.
Where the aforementioned check reveals any of the following situations, the consulting firm shall, on its own initiative or at the request of the information owner, delete or discontinue the collection, processing or use of the relevant personal information:
1. Personal information that is not within the necessary scope of the specific purpose;
2. The specific purpose no longer exists or the time period has expired, and conditions described in Paragraph 3, Article 11of the Act does not exist.
The consulting firm shall, in accordance with the scope of personal information as defined in the previous article and the related procedures, analyze the risks that may occur, and set appropriate control measures based on the results of risk analysis.
The consulting firm shall adopt the following mechanisms in the event of personal information being stolen, altered, damaged, destroyed or disclosed in custody:
1. Taking appropriate response measures to control and minimize the damages to the information owner and reporting the incident to the Public Construction Commission, Executive Yuan.
2. Making full investigation on the incident, and notifying the information owner through appropriate means. The content of the notification shall include the fact of the incident which occurred on personal data, the responsive measures taken by the consulting firm, and the advisory service line provided.
3. Reviewing the deficiency and formulating preventive mechanism, to prevent similar incident.
The consulting firm shall examine and confirm whether the personal information being collected, processed and used includes the personal information and the specific purposes as specified in Article 6 of the Act, and its conformity to the relevant laws and regulations.
The consulting firm shall adopt the following means for compliance with the provisions of Article 8 and Article 9 of the Act concerning obligation to notify:
1. Examining the specific purposes of the collection or processing of personal information.
2. Examining whether the collection or processing of personal information matches one of the reasons for exemption from notification; and if not, adopting appropriate means of notification in accordance with the situation of the information collection.
The consulting firm shall examine whether its collection or processing of personal information has a specific purpose and legal imperative, and is in compliance with the provisions of Article 19 of the Act. It shall also examine whether its use of personal information is within the scope of the specific purpose of use, and is in compliance with the provisions of Paragraph 1 of Article 20 of the Act. When personal information is used outside the scope of the specific purpose, examination shall determine whether there is a legally prescribed condition for use outside the specific purpose.
When the consulting firm uses personal information for marketing for the first time, it shall provide the information owner a free-of-charge means of expressing refusal to marketing. If the owner rejects such marketing, the consulting firm shall immediately stop using that owner’s personal information for marketing, and notify the relevant staff members.
Where the consulting firm commissions a third party to collect, process or use personal information, in whole or in part, it shall conduct proper supervision on the commissioned party as prescribed in Article 8 of the Enforcement Rules of the Act, and set clear contractual requirements concerning the matters and methods of supervision.
Before the consulting firm conducts the international transmission of personal information, it shall examine whether the Public Construction Commission, Executive Yuan has issued an applicable order or injunction limiting international transmission under the provisions of Article 21 of the Act, and shall comply therewith.
The consulting firm shall adopt the following actions to provide the information owner with the means to exercise the rights prescribed in Article 3 of the Act:
1. Confirming whether the individual is the owner of the personal information or a duly authorized representative of the information owner.
2. Providing the information owner with means of exercising the rights, and complying with the relevant time limits prescribed in Article 13 of the Act.
3. Informing whether there is a charge for necessary costs and expenses.
4. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the consulting firm shall notify the information owner with the reason for the refusal.
The consulting firm shall adopt the following methods to maintain the accuracy of all personal information in its custody:
1. Examining whether the personal information is correct during the process of collection, processing and use.
2. Making timely correction or supplement when inaccuracies of personal information are discovered.
3. Where there is a dispute as to the correctness of personal information, the matter shall be handled as prescribed in Paragraph 2 of Article 11 of the Act. Where personal information has not been corrected or supplemented for reason attributable to the consulting firm, the consulting firm shall, after correction or supplementation, notify all parties to whom the personal information has been provided for use.
The consulting firm may adopt the following personnel management measures:
1. In accordance with operational needs of each particular task of the collection, processing and use of personal information, appropriately setting varying limits on the authority of each staff member and controlling their access to personal data.
2. Reviewing the personnel with responsibility for each relevant work procedures involving the collection, processing and use of personal information.
3. Requiring each staff member to assume the duty of confidentiality.
4. All staff members shall, upon leaving employment or completing assigned work, return personal information taken into possession for the performance of work duties, and may not privately retain copies of and continue to use such personal information.
The consulting firm shall adopt the following information security management measures:
1. When using computer or automatic machine related equipment to collect, process or use personal information, shall set up regulations for using portable devices or storage media.
2. If the content of personal information under custody has a need for encryption, shall adopt appropriate encryption mechanisms for collecting, processing or using the information.
3. When a work process entails a need for backing up personal information, it shall be accorded the same protection as original documents in accordance with the provisions of the Act.
4. Where personal information is recorded on or in paper, magnetic disk, magnetic tape, compact disk, microfiche, IC chip, or other medium, appropriate preventive measures must be adopted to prevent the disclosure of such personal information when the medium is scrapped or transferred to other purpose; when another party is commissioned to perform the above, Article 11 of these Regulations shall apply mutatis mutandis.
The consulting firm shall adopt the following environmental management measures in respect of the environment of paper, magnetic disks, magnetic tapes, compact disks, microfiches, IC chips, computers, automatic machines or devices, or other media on or in which personal information is kept:
1. Implementing appropriate entry and exit controls in accordance with differences of business operation.
2. Requiring all staff members to keep secure custody of storage media containing personal information.
3. Giving consideration to the establishment of suitable protective equipment or technology for each different media environment.
Upon termination of its business, the consulting firm shall process and record the personal information in custody according to the methods listed below, and the documented records shall be preserved for at least five years:
1. For personal information destroyed, record the method, time, location and the proof of destruction method.
2. For personal information transferred, record the reason for transfer, the transferee, method, time, location of transfer, and the legal basis for the transferee being permitted to take custody of the personal data.
3. For other deletion or termination of processing or use of personal information, record the method, time or location.
The consulting firm shall establish a personal information security audit mechanism, and inspect regularly or irregularly to see whether the Assurance Plan or the related personal information processing methods after termination of business.
The consulting firm shall take appropriate measures, to derive the records of using personal information, track the data of personal information processed in automated machinery or other relevant proof of preservation mechanism for exhibition of the implementation status of its Assurance Plan when necessary.
The consulting firm may give appropriate consideration to the current situation of business execution, public opinion, technological development, changes in law and regulations, and other pertinent factors, in examining whether the Assurance Plan is appropriate, and shall amend it when necessary.
These Regulations shall come into effect 6 months after promulgating.