Chapter IV Personal Information Administration Measures
Article 18
The human resources recruitment industry shall adopt the following measures for staff administration:
1.Confirm the persons responsible for all relevant procedures for the collection, processing and use of personal information.
2.Establish an administration mechanism as required by the procedure and assign different authorities to the relevant staff. Regularly verify whether such authorities are proper and necessary.
3.Agree on confidentiality obligations with the affiliated staff.
4.Cancel the identification code of affiliated staff after their departure and take back the access badge (card) and relevant authorizations.
5.If relevant staff possesses personal information, upon departure of the staff, the staff must return the media on which personal information is stored and destroy or delete personal information stored.
Article 19
The human resources recruitment industry shall adopt the following measures with regard to information security administration in the collection, processing or use of personal information:
1. Establish procedure guidelines.
2. In using computerized equipment, establish regulations regarding the use of mobile devices or storage media.
3. If personal information is maintained and must be encrypted or shielding, adopt proper encryption or shielding mechanism.
4. In transmitting personal information, if encryption is required under different transmission methods, adopt a proper encryption mechanism and ensure the correctness of the recipient of information.
5. Evaluate the necessity of backup based on the importance of information maintained and create backups and encryption thereon in the same manner as the originals. Maintain the media in which backup information is stored in a proper manner and regularly perform reverse testing to confirm effectiveness.
6. When the media in which personal information is stored is to be disposed of or used for another purpose, duly destroy or delete the information stored in the media in a physical or other manner.
7. Properly maintain the passcodes used in the administration mechanism and encryption mechanism.
Article 20
The human resources recruitment industry shall adopt the following measures with regard to equipment security administration:
1.Implement necessary access control methods depending on the procedure.
2.Property maintains the media in which personal information is stored.
3.Reinforce protection against natural disaster and other accidents in accordance with different work environments and establish necessary disaster prevention equipment.
Article 21
The human resources recruitment industry shall adopt the following measures in relation to technology administration:
1.Configure a certification mechanism on computers, automatic processing equipment or systems and perform identification and control of authorized staff with access to personal information.
2.The account name and password used under the certification mechanism must have a certain degree of complexity and passwords must be changed regularly.
3.Configure an alarm and relevant response mechanism on computers, automatic processing equipment or systems to react and handle anomalous access properly.
4.The quantity and scope of authority to access personal information shall be determined as required for the procedure. Access authority cannot be shared.
5.Use firewalls or intrusion detection equipment to avoid unauthorized access to the system that stores personal information.
6.In using application programs that access personal information, ensure that the user has authorization to use them.
7.Regularly test the effectiveness of the authority certification mechanism.
8.Regularly inspect configuration of authority to access personal information.
9.Install anti-virus, anti-hacking software in the computer system that processes personal information and regularly update virus codes.
10.Regularly install patches for loopholes in the computer processing system and relevant application programs.
11.File sharing software shall not be installed in any computer or automatic processing equipment with access authority.
12.In testing information systems that process personal information, do not use real personal information. If real personal information is used, specify a procedure of use.
13.In case of any change to the information system that processes personal information, ensure that the level of security is not lowered.
14.Regularly inspect the use status of personal information system and the access to personal information.