These Regulations are prescribed pursuant to the provisions of Article 27 Paragraph 3 of the Personal Information Protection Act (hereinafter referred to as “the Act”).
This Regulation is applicable to national and foreign civil air transport enterprises operating scheduled air transport service (hereinafter referred to as “the enterprise”).
The enterprise shall draw up plans for maintaining the security of personal information files (hereafter referred to as “the Plans”), for the purpose of ensuring the secure maintenance and management of personal information files, to prevent the theft, alteration, damage, destruction or disclosure of personal information.
The content of the Plans shall include the relevant organization and procedures prescribed in Articles 3 to 22, and the Plans shall be periodically reviewed and brought into conformity with related laws and regulations as newly prescribed or amended.
The enterprise may appoint designated personnel or establish a dedicated organization to enforce personal information security with the allocation of appropriate resources.
The responsibility of the designated personnel or dedicated organization as referred to in the preceding paragraph shall be as follows:
1. Planning, prescribing, amending and executing matters concerning plans for maintaining the security of personal information files, and methods of handling personal information after termination of business.
2. Stipulating policies for the protection and management of personal information, as the basis and specific purposes for the collection, processing and use of personal information, and other matters concerning protection, and announcing these to ensure that they are clearly understood by all members of staff.
3. Periodically conducting basic knowledge guidance or specialist education and training for staff members, to ensure that they clearly understand the provisions of laws and regulations relating to personal information protection, the scope of staff members’ responsibilities relating to personal information protection, and the various methods or management measures for protecting personal information.
The enterprise shall check all personal information in its custody, define which personal information is included in the scope of the Plans and establish the archives thereof, and periodically confirm any changes.
The enterprise shall, in accordance with the scope of personal information as defined in the previous article and the related procedures, analyze the risks that may arise, and set appropriate control measures based on the results of the risk analysis.
The enterprise shall adopt the following matters for responding to the theft, alteration, damage, destruction or disclosure of personal information in its custody:
1. Adopt appropriate responsive measures to control consequential harm to the parties concerned, and notify the Civil Aeronautics Administration of the MOTC.
2. Ascertain the current situation of the incident, and use appropriate means to notify the parties concerned. The notification shall include the facts of the incident affecting the personal data, the measures the enterprise has taken, and the advisory service line provided.
3. Formulate preventive mechanisms to avoid the recurrence of such incidents.
The enterprise shall establish the following management procedures respectively for ordinary personal information:
1. Examining and confirming whether the collection, processing and use of personal information includes personal information and the specific purposes thereof prescribed in Article 6 of the Act.
2. Confirming whether the collection, processing and use of personal information as prescribed in Article 6 of the Act is in compliance with the requirements of applicable laws and regulations.
3. Where personal information does not fall within the ambit of Article 6 of the Act, but is considered to need special management, it may still be managed similarly or by the setting of a special management procedure.
The enterprise shall adopt the following steps for compliance with the provisions of Articles 8 and 9 of the Act concerning the obligation to notify:
1. Examine whether the specific purposes of the collection and processing of personal information match the reasons for exemption from notification.
2. Adopt appropriate means of notification in accordance with the circumstances of the information collection.
The enterprise shall examine whether its collection and processing of personal information has a specific purpose and legal imperative in compliance with the provisions of Article 19 of the Act.
Examination of the use of personal information shall determine whether it is in compliance with the provisions of Article 20 Paragraph 1 of the Act, and is within the scope of the specific purpose of use; when personal information is used outside the scope of the specific purpose, examination shall determine whether there is a legally prescribed condition for use outside the specific purpose.
When the enterprise commissions another to collect, process or use personal information, in whole or in part, it shall conduct proper supervision of the commissioned party as prescribed in Article 8 of the Enforcement Rules of the Act, and set clear contractual requirements concerning the matters and methods of supervision.
When the enterprise uses personal information for marketing for the first time, it shall provide the parties concerned with a free-of-charge means of expressing refusal to accept the marketing, and after an expression of refusal by a party concerned, shall immediately cease to use that party’s personal information for marketing, and announce this to all of its staff.
Before the enterprise conducts the international transmission of personal information, it shall examine whether the Ministry of Transportation and Communications has issued an applicable order or injunction limiting international transmission under the provisions of Article 21 of the Act, and shall comply therewith.
The enterprise shall adopt the following methods to provide the parties concerned with the means to exercise the rights prescribed in Article 3 of the Act:
1. Confirming that the parties concerned are the subject of the personal information or are duly authorized to act on their behalf.
2. Providing the parties concerned with means of exercising their rights, and complying with the relevant time limits prescribed in Article 13 of the Act.
3. Informing the parties concerned whether necessary costs and expenses will be charged.
4. If it is determined that there is a reason why the exercise of their rights by a party concerned may be refused under Articles 10 and 11 of the Act, the reason shall be given in notification to the party concerned.
The enterprise shall adopt the following methods to maintain the accuracy of all personal information in its custody:
1. Examining whether the procedure of collecting, processing and using personal information is correct.
2. When incorrect personal information is discovered, promptly correcting or supplementing it, and informing all parties to whom it has previously been provided for use.
3. Where there is a dispute as to the correctness of personal information, the matter shall be handled as prescribed in Article 11 Paragraph 2 of the Act.
The enterprise shall periodically review the personal information in its custody to confirm that the specific purpose for keeping the information still exists and has not expired; if not, the information shall be handled in accordance with Paragraph 3 of Article 11 of the Act.
The enterprise may adopt the following personnel management measures:
1. Setting appropriate limits on the authority of staff members in accordance with operational needs, and controlling their access to personal information.
2. Reviewing the personnel with responsibility for all relevant work procedures involving the collection, processing and use of personal information.
3. Setting confidentiality obligations in contracts with all staff members.
The enterprise may adopt the following information security management measures:
1. When using computer or automatic machine related equipment to collect, process and use personal information, appropriately set rules for use of portable devices or storage media.
2. If the content of personal information under custody has a need for encryption, adopt appropriate encryption mechanisms when collecting, processing or storing the information.
3. When a work process entails a need for backing up personal information, it shall be accorded the same protection as original documents in accordance with the provisions of the Act.
4. Where personal information is recorded on or in paper, magnetic disk, magnetic tape, compact disk, microfiche, IC chip, or other medium, appropriate preventive measures must be adopted to prevent the disclosure of such personal information when the medium is scrapped or transferred to another purpose.
The enterprise must adopt the following environmental management measures in respect of the environment of paper, magnetic disks, magnetic tapes, compact disks, microfiches, IC chips, computers, automatic machines or devices, or other media on or in which personal information is kept:
1. Implementing appropriate methods of input and output control in accordance with differences of business content.
2. Requiring all staff members to keep secure custody of storage media containing personal information.
3. Giving consideration to the establishment of suitable protective equipment or technology for each different media environment.
After the enterprise terminates business, it may consider taking the following measures in respect of personal information, and keep relevant records as prescribed:
1. Destruction: Record the method, time and location of destruction, and keep proof of method of destruction.
2. Transfer: Record the reason for transfer, the transferee, method, time and location of transfer, and the legal basis for the transferee being permitted to take custody of the personal information.
3. Other deletion or termination of processing or use of personal information: Record the method, time and location of the deletion or termination of processing or use.
The enterprise shall establish a mechanism for the audit of personal information security, and conduct routine or special inspections to ensure that the Plans, or the means for handling personal information after the termination of business, are duly executed.
The enterprise may take appropriate measures, by adopting mechanisms for keeping records of the use of personal information, retaining tracking data in automatic machines or devices, or keeping other relevant proof, so that it can, when necessary, demonstrate the status of the execution of its Plan.
The enterprise shall give appropriate consideration to the current situation of business execution, public opinion, technological development, changes in law and regulations, and other pertinent factors, in examining whether the Plan it has made is appropriate, and shall amend the Plan when necessary.
This Regulation shall come into full force as of January 1 2015.
This Regulation shall become effective on the date of promulgation.