Article 1
These Regulations are set in accordance with Paragraph 3, Article 27 of the Personal Information Protection Act (hereafter refers to as the Act).
Article 2
These Regulations are applicable to national and foreign vessel carriers (hereafter refers to as the Operators) operating liner service.
The Operators shall set up respective personal information security maintenance plan (hereafter refers to Maintenance Plan) with appropriate security measures to prevent personal information from being stolen, altered, damaged, destroyed or disclosed.
The Security Maintenance Plan shall include the relevant organization and procedures described from Article 3 to 21 and the provisions shall be reviewed regularly and amended when relevant laws are revised.
The Operators shall complete drafting of the Security Maintenance Plan described in the preceding paragraph before receiving the vessel carrier permit. Operators who have obtained the vessel carrier permit before enforcement of This Policy shall complete the Security Maintenance Plan within six months after official enforcement of These Regulations.
Article 3
The Operators may appoint delegated personnel or set up delegated organization for maintenance and management of personal information files and allocate equitable resources for the operations.
The above-described delegated personnel or organization shall carry the following missions:
1.Plan, set up, revise and implement the Security Maintenance Plan and Processing Procedures for personal information after termination of business dealings.
2.Set up personal information protection management policy and disclose the basis, purpose and other protection practices involving collection, processing and using of personal information to the relevant personnel.
3.Implement regular education and training to the relevant personnel to inform them of the laws and regulations, the scope of responsibilities and the methods and management policies relating to protection of personal information.
Article 4
The Operators shall confirm the specific purpose for collection of personal information and define the category or scope of such actions as collection, processing and using of personal information based on the necessity of the specified purpose and survey the conditions of the personal information in custody on regular basis.
When one of the following conditions are found during the above-mentioned survey, the Operators shall take the initiative or act upon request of the information owner to delete or stop collection, processing or using the personal information:
1.Personal information is not covered in the scope of the specified purpose.
2.The specified purpose no longer exists or time period has expired and conditions described in Paragraph 3, Article 11 of The Act does not exist.
Article 5
The Operators shall analyze the potential risks based on the scope and relevant operational procedures defined in the preceding article and set up appropriate control measures based on the risk analysis.
Article 6
In response to incidents such as theft, alteration, damage, loss, or leakage of personal information in custody, the Operators shall adopt the following mechanisms:
1. Take appropriate response measures to control and minimize the damages to the information owner.
2. Make full investigation on the incident, notify the information owner through appropriate means in accordance with Article 12 of The Act and inform the information owner of the response measures taken to handle the situation.
3. Review the issues and set up preventive mechanism to prevent similar incidents.
The Operators shall notify the Maritime and Port Bureau, MOTC, within 72 hours after discovering the incident mentioned in the preceding paragraph. If the notification is not made within the time limit, the reason for the delay shall be attached (the notification format is shown in the attached table).
After the incident in the preceding paragraph is reported, the competent authority may take appropriate supervision and management measures in accordance with the functions and powers conferred by Articles 22 to 26 of the Act.
Article 7
The Operators shall review and confirm whether the personal information collected, processed and used conforms to the specific purposes specified in Article 6 of The Act and whether the purposes satisfy the criteria of relevant laws and regulations.
Article 8
The Operators shall take the following actions in order to comply with the obligation to notify as described in Article 8 and 9 of The Act:
1.Review the specified purpose of collection and processing of personal information.
2.Review whether such actions as collection and processing of personal information satisfy the criteria for exemption of notification. Information owners shall be duly notified of the information collection status through appropriate means when such actions fail to satisfy the above-mentioned criteria.
Article 9
The Operators shall review whether such actions as collection and processing of personal information satisfy the specific purpose and statutory criteria as described in Article 19 of The Act and whether the use of personal information falls into the scope of necessity within the scope of the specified purpose as described in Paragraph 1, Article 20 of The Act. When using the personal information outside the scope of the specified purpose, the Operators shall review whether such actions satisfy the criteria of using the information outside the scope of the specified purpose.
Article 10
When using personal information of a certain individual for marketing for the first time, the Operator shall provide the individual feasible ways to express his/her rejection free of charge. If the individual rejects such marketing, the Operator shall stop using personal information of this individual for the specified marketing purpose immediately and notify the relevant personnel of the rejection.
Article 11
When an Operator commissions a third party to collect, process or use whole or part of the personal information of an individual, the Operator shall supervise the third-party in accordance with Article 8 of the Enforcement Rules of the Personal Information Protection Act and clearly lay out the scope and implementation methods of the supervision.
Article 12
When transferring personal information internationally, an Operator or another person entrusted by the Operator shall check whether the Ministry of Transportation and Communications has imposed restrictions in accordance with Article 21 of the Act, and inform the information owner of the area to which his/her personal information is to be transferred internationally. Additionally, the information recipient should be supervised in the following areas:
1. The scope, category, specific purpose, period, region, subject, and method of the intended processing or use of personal information.
2. Matters related to the information owner’s exercise of the rights specified in Article 3 of the Act.
Article 13
When an Operator exercises the rights provided in Article 3 of The Act for the information owner, the following actions shall be taken:
1.Confirm whether the individual is the owner of the personal information or a representative of the information owner.
2.Offer ways for the information owner to exercise the rights and comply with the provisions relating to processing period described in Article 13 of The Act.
3.Inform the information owner whether a fee will be charged to cover the costs.
4.When the Operator intends to refuse the information owner on exercise of rights based on the provisos stated in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the Operator shall notify the information owner with the reason for the refusal.
Article 14
To maintain the accuracy of the personal information in custody, the Operators shall take the following actions:
1.Review whether the personal information is correct during the process of collection, processing or use.
2.Make timely correction or updated when inaccuracies are discovered in the personal information.
3.When the accuracy of the personal information is in dispute, the Operator shall handle the dispute in accordance with Paragraph 2, Article 11 of The Act.
In the cases where the operators should be attributed to of not correcting or supplementing personal information, persons to whom the personal information was provided should be notified after correction or supplement.
Article 15
The Operators may adopt the following personnel management measures:
1.Configure varied authorities to the personnel based on the needs of operations involving collection, processing and use of personal information and control the scope of personal information coming into contact with the personnel of different authorities.
2.Audit the personnel involved in the process of collecting, processing and using personal information.
3.Request the personnel to fulfill the obligation to confidentiality.
4.Personnel who have left the position or completed the assigned tasks shall hand over the personal information held for the operations and shall not held, duplicate or continue use the personal information for private purposes.
Article 16
The Operators shall take the following actions for information security management:
1.Set up regulations for using portable equipment or storage media when using computers or automated machinery for collection, processing and use of personal information.
2.When encryption is needed for the content of the personal information in custody, appropriate encryption mechanism shall be activated during the process of collection, processing and use of personal information.
3.When backup is needed for the personal information during operation, the backup copy shall be protected as the original copy in accordance with The Act.
4.When the media used to store personal information, such as paper copies, diskettes, tape, CD-ROM, microfiche or integrated circuit chips, are to be disposed or transferred for other use, the Operator shall take appropriate precautions to avoid leaking of personal information. If the tasks are commissioned to a third party, Article 11, mutatis mutandis, of These Regulations shall apply.
Article 16-1
The Operators operating fixed passenger routes shall take the following information security measures when collecting, processing, or utilizing personal information through an information and communications system:
1. Confirmation and protection mechanism for user identity.
2. Masking mechanism for the display of personal information.
3. Security encryption mechanism for Internet transmission.
4. Access control and protection monitoring measures for personal information files and databases.
5. Countermeasures to prevent external network intrusion
6. Monitoring and response mechanisms for illegal or abnormal use behaviors.
The measures Subparagraphs 5 and 6 of the preceding paragraph shall be regularly practiced and reviewed for improvement.
Article 17
The Operators shall take the following actions to manage the environment where the media carrying personal information, such as paper copies, diskettes, tape, CD-ROM, microfiche or integrated circuit chips, computers or automated machinery, are stored:
1.Implement access control according to the different contents of operations.
2.Demand the personnel to safeguard the media storing the personal information.
3.Set up appropriate protection facility or technology for the environment where the various storage media are placed.
Article 18
After the operations ended, the Operators shall process and document the personal information in custody according to the methods listed below and the documented records shall be preserved for at least five years:
1.For personal information to be destroyed, record the method, time, location and proof of destruction methods.
2.For personal information transferred for other uses, record the reason, subject, method, time, location and the legal basis, based on which the party receiving the transfer is entitled to own the personal information.
3.For personal information to be deleted or its processing and use to be stopped, record the method, time and location.
Article 19
The Operators shall set up a personal information security audit mechanism and implement regular or ad irregular inspection to see whether the maintenance plan or personal information processing procedures after termination of operations are duly implemented.
Article 20
The Operators shall take appropriate measures to derive the records of using personal information, track data of personal information processed in automated machinery or other proof of preservation mechanism for exhibition of the implementation status of the maintenance plan when necessary.
Article 21
The Operators shall review whether the maintenance plan is up-to-date based on the status of operations, public opinion, technology development and development of legal regulations and make appropriate revision when necessary.
Article 22
Enforcement date of These Regulations will be determined by the Ministry of Transportation and Communications.