These Regulations are promulgated in accordance with Article 27 Paragraph 3 of the Personal Information Protection Act (hereinafter “the Act”).
A travel agency that keeps personal information files shall adopt proper security measures to prevent them being stolen, altered, damaged, destroyed or disclosed. A consolidated travel agency and a Class-A travel agency shall also set up a plan for protecting the security of personal information files (hereinafter “Protection Plan”).
A consolidated travel agency and a Class-A travel agency shall complete the setting up of the aforementioned Protection Plan before obtaining a travel agency operating license. A travel agency that obtained an operating license prior to these Regulations becoming effective shall complete the Protection Plan within six months of the date of these Regulations becoming effective.
A travel agency that keeps personal information files may refer to Articles 4 to 20 in setting up proper security protection measures.
A Protection Plan set up by a consolidated travel agency or a Class-A travel agency shall include the following items, which may be combined when necessary:
1. Designating management personnel and appropriate information sources.
2. Defining the scope of personal information and stipulating periodic checks.
3. A personal information risk assessment and management mechanism.
4. An accident prevention, notification and response mechanism.
5. An internal management procedure for personal information collection, processing and use.
6. Equipment security management, information security management, and personnel management measures.
7. A mechanism for checking information security.
8. Keeping records, tracking data and evidence of use.
9. Conducting guidance and training related to personal information.
10. Comprehensive ongoing improvement of personal information security protection.
11. Method of disposal of personal information after termination of business.
A travel agency shall clearly identify the specific purpose of the collection of personal information, and in accordance with the necessity of the specific purpose, define the type or scope of the personal information collection, processing and use, and periodically check the status of the personal information in its keeping.
Where the aforementioned check reveals any of the following situations, the travel agency shall, on its own initiative or at the request of the person concerned, delete or discontinue the collection, processing or use of the relevant personal information:
1. Personal information that is not within the necessary scope of the specific purpose;
2. The specific purpose no longer exists or the time period has expired, and the proviso in Article 11 Paragraph 3 of the Act does not apply.
In order to meet the notification requirements as set out in Articles 8 and 9 of the Act, a travel agency shall adopt the following approach:
1. Examine the specific purpose of the collection, processing and use of personal information;
2. Examine whether the collection and processing of personal information matches one of the reasons for exemption from notification; and if not, adopt an appropriate method of notification in accordance with the situation of the information collection.
A travel agency shall examine whether its collection and processing of personal information complies with the provisions of Article 19 of the Act, having a specific purpose and meeting a need prescribed by law; and shall also examine whether its use of personal information complies with the provisions of Article 20 Paragraph 1 of the Act as necessary use within the scope of the specific purpose of collection. Where the use of personal information is outside the scope of the specific purpose, the travel agency shall examine whether it meets the conditions for use outside the specific purpose as prescribed by law.
When a travel agency makes first-time use of personal information for marketing purposes, it shall provide the person concerned with a free-of-charge means of expressing refusal to accept such marketing. Once the person concerned has expressed refusal to the marketing, the travel agency shall immediately cease using such personal information for marketing, and make all of its employees aware thereof.
In order to maintain the correctness of all personal information in its keeping, a travel agency shall adopt the following methods:
1. Check whether personal information is accurate in the course of collecting, processing and using it.
2. When personal information is discovered to be inaccurate, make timely correction or supplementation.
3. Where there is a dispute regarding the accuracy of personal information, it should be dealt with in accordance with the provisions of Article 11 Paragraph 2 of the Act.
Where personal information has not been corrected or supplemented for reasons attributable to the travel agency, the travel agency shall, after correction or supplementation, notify all parties to whom the personal information has been provided for use.
Where a travel agency commissions another party to conduct the collection, processing or use of personal information in whole or in part, it shall properly supervise the commissioned party in accordance with the provisions of Article 8 of the Enforcement Rules of the Act, and shall clearly stipulate the relevant items and methods of supervision.
Before a travel agency transmits personal information internationally, it shall examine whether or not the Ministry of Transportation and Communications has issued an order or sanction limiting international transmission in accordance with the provisions of Article 21 of the Act, and shall act in compliance therewith.
In order to enable a person providing personal information to exercise the rights prescribed by Article 3 of the Act, a travel agency shall adopt the following methods:
1. Identify whether the provider is the subject of the personal information or is acting under the authority of the subject.
2. Provide the subject with means of exercising his rights, and abide by the provisions concerning time limits as set out in Article 13 of the Act.
3. Inform the person concerned whether or not a fee is charged to cover necessary costs.
4. Where there is reason for refusing the exercise of rights by the person concerned as prescribed in the provisos to Article 10 or Article 11 Paragraphs 2 or 3, the travel agency shall notify the person concerned of the reason therefor.
For managing protection of the security of personal information files, a travel agency shall designate a person or set up an organization to be specially responsible for this purpose, and shall designate appropriate sources of information.
The tasks of the aforementioned specially responsible person or organization shall be as follows:
1. Planning, setting, revising and implementing the Protection Plan and matters concerning the method of dealing with personal information after cessation of business, and periodically reporting to the person in charge of the travel agency.
2. Setting policy for managing the protection of personal information, and ensuring that all members of staff are informed about and clearly understand the basis for, specific purpose of, and other protection-related matters concerning the collection, processing and use of personal information.
3. Periodically conducting basic awareness guidance or specialized instruction and training for all members of staff, to ensure that they clearly understand the provisions of law and regulation and the scope of each staff member’s responsibility regarding the protection of personal information, and the methods or management measures for all kinds of matters concerning the protection of personal information.
A travel agency shall adopt the following personnel management measures:
1. According to the needs of each particular task of the collection, processing and use of personal information, appropriately set varying limits on the authority of each member of staff and control their contact with personal information.
2. Review the responsible personnel of each relevant work process involving the collection, processing and use of personal information.
3. Require each member of staff to assume a duty of confidentiality.
4. All members of staff shall, upon leaving employment or completing assigned work, return personal information taken into possession for the performance of work duties, and may not privately retain copies of and continue to use such personal information.
A travel agency shall adopt the following information security management measures:
1. When computer or automated machine related equipment is used to collect, process or use personal information, rules should be set for the use of portable devices or storage media.
2. If there is a need for heightened confidentiality in respect of the content of personal information held in keeping, an appropriate mechanism for encryption should be adopted when collecting, processing or using such information.
3. When a business process requires the backing up of personal information, the backup should be accorded the same protection as the original information in accordance with the provisions of the Act.
4. When paper, magnetic disc, magnetic tape, compact disc, microfilm, integrated circuit, or any other medium used for keeping personal information is scrapped or transferred to other use, proper precautionary measures must be taken to prevent the disclosure of personal information; when another party is commissioned to perform this, Article 9 of these Regulations applies mutatis mutandis.
A travel agency shall adopt the following measures for managing the environment of paper, magnetic disc, magnetic tape, compact disc, microfilm, integrated circuit, computer or automatic machine, or any other medium used for keeping personal information:
1. Implement entry and exit controls by appropriate means in accordance with the different components of business operation.
2. Require all members of staff to take proper measures to safeguard media containing personal information.
3. Appropriately install air-conditioning, fire prevention, rodent proofing, insect control, and other protective equipment and technologies for the different environments in which media are kept.
A travel agency shall adopt the following mechanisms for response to theft, alteration, damage, destruction, disclosure or other such accident happening to personal information in its keeping:
1. Adopt proper emergency measures to control and reduce harm from the accident to the person concerned, and notify the Tourism Bureau of the Ministry of Transportation and Communications.
2. Investigate the circumstances of the accident and notify the person concerned by appropriate means in accordance with the provisions of Article 12 of the Act, and also inform such person of the responsive measures already taken.
3. Examine deficiencies and formulate preventive mechanisms to avoid the recurrence of such an accident.
A travel agency shall set up a mechanism for checking the security of personal information, and at regular or irregular intervals check whether the person designated or organization set up under Article 12 has fully and properly implemented all relevant plans and tasks, and include this in the staff appraisal of the staff members concerned.
A travel agency shall implement proper measures, adopting mechanisms for recording or keeping automated machine or equipment tracking data or other relevant proof of the use of personal information, to provide whenever necessary a clear account of the implementation status of its Protection Plan; and the allotted time for the retention of related records shall be at least five years.
A travel agency shall review the suitability of its Protection Plan, giving due consideration to the current status of its business operation, public sentiment, technological development, changes in law and regulation, and other pertinent factors, and revise it when necessary.
Upon termination of its business operation, a travel agency shall dispose of personal information in its keeping, and record the same, as per the following; and such record must be retained for at least five years:
1. Where it is destroyed, record the method, time, location and proof of destruction.
2. Where it is transferred, record the reason, the transferee, the method, the time, the location, and the legal basis for allowing the transferee to take possession of this personal information.
3. For other deletion or cessation of processing or use of personal information, record the method, time and location.
The date on which these Regulations come into effect shall be decided by the Ministry of Transportation and Communications.