
Chapter II. General Procedures
Article 5
The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following actions:
1. Complying with domestic laws and regulations on personal information protection;
2. Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3. Protecting the collected, processed and used personal information files with technology at the level of security that could be reasonably expected;
4. Setting up a contact window for the principal parties of personal information (hereinafter “the Parties”) to exercise relevant rights concerning personal information, file complaints, or seek consultation;
5. Mapping out a contingency plan for handling the theft, tampering, damage, destruction or leakage of personal information, or other incidents;
6. If the collection, processing and use of personal information are outsourced, properly monitoring outsourced service providers; and
7. Continuing to fulfill the obligation of maintaining the Plan to ensure security of personal information files.
Article 6
The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.
Article 7
The clearinghouse shall, in accordance with laws on personal information protection, check all personal information in its possession, define the scope of personal information that should be included in the Plan, create a list, and regularly check changes to the list content.
Article 8
The clearinghouse shall, in accordance with the scope of personal information defined according to the preceding article and its relevant business processes, analyze potential risks, and set up proper control measures based on the results of risk analysis.
Article 9
The clearinghouse shall establish relevant procedures for the following actions in response to the theft, tampering, damage, destruction or leakage of personal information in its possession, or other incidents:
1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.
2. Investigating the incident clearly and notifying the Parties in a timely manner. Content of the notification shall include the facts about incidents, measures to resolve incidents, and contact information for the consulting service.
3. Avoiding recurrence of similar incidents.
When the clearinghouse has an incident described in the preceding paragraph, the clearinghouse shall immediately notify personnel of the Central Bank of the Republic of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting reports by phone, and within 72 hours, send a form to the Bank via electronic mail according to the format of the attached form; in addition, within 7 business days starting from the next day following the day of notification, the clearinghouse shall report to the Bank in writing the facts of the incident, whether the breached personal information has been illegally utilized, how the interests of the principal have been damaged, and response measures taken.
After receiving the notification from the clearinghouse, the Bank may, by the authority vested under Articles 22 to 25 of the Act, take appropriate supervisory and administrative measures.