The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following actions:
1.Complying with domestic laws and regulations on personal information protection;
2.Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3.Protecting the collected, processed and used personal information files with technology at the level of security that could be reasonably expected;
4.Setting up a contact window for the principal parties of personal information ( hereinafter “ the Parties ” )to exercise relevant rights concerning personal information or to file complaint or seek consultation;
5.Mapping out contingency plan for handling personal information stolen, tampered, damaged, destroyed, leaked, or other incidents;
6.If the collection, processing and use of personal information are outsourced, properly monitoring outsourced service providers; and
7.Continuing to fulfill the obligation of maintaining the Plan to ensure security of personal information files.

The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.

The clearinghouse shall, in accordance with laws on personal information protection, check all personal information under its possession, define the scope of personal information that should be included in the Plan and create a list and check the change of list content regularly.

The clearinghouse shall, in accordance with the scope of personal information defined according to the preceding article and its relevant business processes, analyze potential risks, and set up proper control measures based on the results of risk analysis.

The clearinghouse shall, in dealing with personal information under its possession stolen, tampered, damaged, destroyed, leaked, or other incidents, establish relevant procedures for the following actions:
1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.
2. Investigating the incident and notifying the Parties in a timely manner. Content of the notification shall include the relevant facts about the incident, measures to resolve the incident, and contact information of the consulting service.
3. Avoiding recurrence of similar incidents.
When the clearinghouse has an incident similar to what is described in the preceding paragraph, the clearinghouse shall immediately notify the personnel of the Central Bank of the Republic of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting reporting by phone, and, within 36 hours, send a form to the Bank via electronic mail in the format of the attached form. However, in the event of any of the following situations, the clearinghouse shall immediately notify the Bank by phone and promptly send a form to the Bank via electronic mail in the format of the attached form:
1.The incident involves breach of personal data that is of concern to the Executive Yuan, Legislative Yuan or Control Yuan.
2.The incident involves breach of personal data that has been widely reported in the media. For example, it is reported in the national news section of print media, or it is a feature story discussed in electronic media.
The clearinghouse shall, within 7 business days from the next day following the phone notification under the preceding paragraph, report to the Bank in writing the facts of the incident, whether the breached data have been unlawfully utilized, any damage to the interests of the Parties, and response actions taken. However in case any situation under the proviso of the preceding paragraph exists, the clearinghouse shall submit such a report to the Bank in writing on the next business day following the phone notification.
After receiving the notification of the clearinghouse, the Bank may, by the authority vested under Articles 22-26 of the Act, take appropriate supervisory and administrative measures.

• Form：Personal Information Breach Incident Notification and Record Form.pdf

The clearinghouse should cooperate with the Bank in the following actions:
1.The administrative examination of personal data protection conducted by the Bank every year.
2.Administrative investigation and reinspection of the incidents specified in Paragraph 1 of the preceding article.
For improvement actions to be taken as advised in the administrative examination or administrative investigation and reinspection mentioned in the preceding paragraph, the clearinghouse shall propose concrete improvement measures and report subsequently actions taken to the Bank.