These Regulations are promulgated in accordance with Article 27 Paragraph 3 of the Personal Information Protection Act (hereinafter “the Act”).
A tourist amusement enterprise that keeps personal information files shall adopt proper security measures to prevent personal information from being stolen, altered, damaged, destroyed or disclosed, and shall set up a plan for protecting the security of personal information files (hereinafter “Protection Plan”).
A tourist amusement enterprise shall complete the setting up of the aforementioned Protection Plan before it obtains a tourist amusement enterprise operating license. If it has already obtained an operating license prior to these Regulations becoming effective, it shall set up the Protection Plan within six months of that date.
A tourist amusement enterprise that keeps personal information files may refer to Articles 4 to 20 in setting up proper security protection measures.
A Protection Plan set up by a tourist amusement enterprise shall include the following items, which may be combined when necessary:
1. Designating management personnel and allocating appropriate resources.
2. Defining the scope of personal information and stipulating periodic checks.
3. A personal information risk assessment and management mechanism.
4. An accident prevention, notification and response mechanism.
5. An internal management procedure for personal information collection, processing and use.
6. Measures for the management of equipment security, information security, and personnel.
7. A mechanism for checking information security.
8. Keeping records, tracking data and evidence of use.
9. Conducting guidance and training related to personal information.
10. Comprehensive ongoing improvement of personal information security protection.
11. Method of disposal of personal information after termination of business.
A tourist amusement enterprise shall clearly identify the specific purpose of the collection of personal information, and in accordance with the necessity of the specific purpose, define the type or scope of the personal information collection, processing and use, and periodically check the status of the personal information in its keeping.
Where the aforementioned check reveals any of the following situations, the tourist amusement enterprise shall, on its own initiative or at the request of the person concerned, delete or discontinue the collection, processing or use of the relevant personal information:
1. Personal information that is not within the necessary scope of the specific purpose;
2. The specific purpose no longer exists or the time limit has expired, and the proviso in Article 11 Paragraph 3 of the Act does not apply.
In order to meet the notification requirements as set out in Articles 8 and 9 of the Act, a tourist amusement enterprise shall adopt the following approach:
1. Examine the specific purpose of the collection, processing and use of personal information;
2. Examine whether the collection and processing of personal information matches one of the reasons for exemption from notification; and if not, adopt an appropriate method of notification in accordance with the situation of the information collection.
A tourist amusement enterprise shall examine whether its collection and processing of personal information complies with the provisions of Article 19 of the Act, having a specific purpose and meeting a need prescribed by law; and shall also examine whether its use of personal information complies with the provisions of Article 20 Paragraph 1 of the Act as necessary use within the scope of the specific purpose of collection. Where the use of personal information is outside the scope of the specific purpose, the tourist amusement enterprise shall examine whether it meets the conditions for use outside the specific purpose as prescribed by law.
When a tourist amusement enterprise makes first-time use of personal information for marketing purposes, it shall provide the person concerned with a free-of-charge means of expressing refusal to accept such marketing. Once the person concerned has expressed refusal to the marketing, the tourist amusement enterprise shall immediately cease using such personal information for marketing, and make all members of its staff aware thereof.
In order to maintain the accuracy of all personal information in its keeping, a tourist amusement enterprise shall adopt the following methods:
1. Check whether personal information is accurate in the course of collecting, processing and using it.
2. When personal information is discovered to be inaccurate, make timely correction or supplementation.
3. Where there is a dispute regarding the accuracy of personal information, it must be dealt with in accordance with the provisions of Article 11 Paragraph 2 of the Act.
Where personal information has not been corrected or supplemented for reasons attributable to the tourist amusement enterprise, the tourist amusement enterprise shall, after correction or supplementation, notify all parties to whom the personal information has been provided for use.
Where a tourist amusement enterprise commissions another party to conduct the collection, processing or use of personal information in whole or in part, it shall properly supervise the commissioned party in accordance with the provisions of Article 8 of the Enforcement Rules of the Act, and shall clearly stipulate the relevant items and methods of supervision.
Before a tourist amusement enterprise transmits personal information internationally, it shall examine whether or not the Ministry of Transportation and Communications has issued an order or sanction limiting international transmission in accordance with the provisions of Article 21 of the Act, and shall act in compliance therewith.
In order to enable a person providing personal information to exercise the rights prescribed by Article 3 of the Act, a tourist amusement enterprise shall adopt the following methods:
1. Verify whether the person making the request is the subject of the personal information or is acting under the authority of the subject.
2. Provide the subject with means of exercising his or her rights, and abide by the provisions concerning time limits as set out in Article 13 of the Act.
3. Inform the person concerned whether or not a fee is charged to cover necessary costs.
4. Where there is a reason for refusing the exercise of rights by the person concerned as prescribed in the provisos to Article 10 or Article 11 Paragraphs 2 or 3 of the Act, the tourist amusement enterprise shall notify the person concerned of the reason therefor.
For managing protection of the security of personal information files, a tourist amusement enterprise shall designate a person or set up an organization to be specially responsible for this purpose, allocate appropriate resources, and require periodic reporting to the person in charge of the tourist amusement enterprise.
The tasks of the aforementioned specially responsible person or organization shall be as follows:
1. Planning, setting, revising and implementing the Protection Plan and such matters as those concerning the method of dealing with personal information after cessation of business, and periodically reporting to the person in charge of the tourist amusement enterprise.
2. Setting policy for managing the protection of personal information, and ensuring that all members of staff are informed about and clearly understand the basis for, specific purpose of, and other protection-related matters concerning the collection, processing and use of personal information.
3. Periodically conducting basic awareness guidance or specialized instruction and training for all members of staff, to ensure that they clearly understand the provisions of law and regulation and the scope of each staff member's responsibility regarding the protection of personal information, and the methods or management measures for all kinds of matters concerning the protection of personal information.
A tourist amusement enterprise shall adopt the following personnel management measures:
1. According to the needs of each particular task of the collection, processing and use of personal information, appropriately set varying limits on the authority of each member of staff and control their access to personal information.
2. Review the responsible personnel of each relevant work process involving the collection, processing and use of personal information.
3. Require each member of staff to assume a duty of confidentiality.
4. All members of staff shall, upon leaving employment or completing assigned work, return personal information taken into possession for the performance of work duties, and may not privately retain copies of, or continue to use, such personal information.
A tourist amusement enterprise shall adopt the following information security management measures:
1. When computers or related automated equipment are used to collect, process or use personal information, rules should be set for the use of portable devices or storage media.
2. If there is a need for heightened confidentiality in respect of the content of personal information held in keeping, an appropriate encryption mechanism should be adopted when collecting, processing or using such information.
3. When a business process requires the backing up of personal information, the backup should be accorded the same protection as the original information in accordance with the provisions of the Act.
4. When paper, magnetic disc, magnetic tape, compact disc, microfilm, integrated circuit, or any other medium used for keeping personal information is scrapped or transferred to other use, proper precautionary measures must be taken to prevent the disclosure of personal information; when another party is commissioned to perform this, Article 9 of these Regulations applies mutatis mutandis.
A tourist amusement enterprise shall adopt the following measures for managing the environment of paper, magnetic disc, magnetic tape, compact disc, microfilm, integrated circuit, computer or automated equipment, or any other medium used for keeping personal information:
1. Implement entry and exit controls by appropriate means in accordance with the different components of business operation.
2. Require all members of staff to take proper measures to safeguard media containing personal information.
3. Appropriately install air-conditioning, fire prevention, rodent proofing, insect control, and other protective equipment and technologies for the different environments in which media are kept.
A tourist amusement enterprise shall adopt the following mechanisms for responding to theft, alteration, damage, destruction, disclosure or any other such accident affecting personal information in its keeping:
1. Adopt proper emergency measures to control and reduce harm from the accident to the person concerned, and notify the Tourism Bureau of the Ministry of Transportation and Communications and the local government at the special municipality, county or city level.
2. Investigate the circumstances of the accident and notify the person concerned by appropriate means in accordance with the provisions of Article 12 of the Act. The content of such notification shall include the facts of the personal information disclosure, the responsive measures already taken, and a telephone service line for inquiries.
3. Examine deficiencies and formulate preventive mechanisms to avoid the recurrence of such an accident.
A tourist amusement enterprise shall notify the Tourism Bureau of the Ministry of Transportation and Communications and the local government at the special municipality, county or city level within three days of the occurrence of an accident as referred to in the preceding paragraph; and shall submit a report on its method of dealing with the accident and the outcome thereof to the Tourism Bureau of the Ministry of Transportation and Communications and the local government at the special municipality, county or city level, for reference filing, within one month of completing its response to the accident.
A tourist amusement enterprise shall set up a mechanism for checking the security of personal information, and at regular or irregular intervals check whether the person designated or organization set up under Article 12 has fully and properly implemented all relevant plans and tasks, and include this in the staff appraisal of the staff members concerned.
A tourist amusement enterprise shall implement proper measures, adopting mechanisms for recording or keeping automated machine or equipment tracking data or other relevant proof of the use of personal information, so as to provide whenever necessary a clear account of the implementation status of its Protection Plan; the related records shall be retained for at least five years.
A tourist amusement enterprise shall review the suitability of its Protection Plan, giving due consideration to the current status of its business operation, public sentiment, technological development, changes in law and regulation, and other pertinent factors, and revise it when necessary.
Upon termination of its business operation, a tourist amusement enterprise shall dispose of personal information in its keeping, and record the same, as per the following; and such record must be retained for at least five years:
1. Where it is destroyed, record the method, time, location and proof of destruction.
2. Where it is transferred, record the reason, the transferee, the method, the time, the location, and the legal basis for allowing the transferee to take possession of this personal information.
3. For other deletion or cessation of processing or use of personal information, record the method, time and location.
These Regulations are effective from the date of promulgation.