Chapter I General Provisions
These Regulations are prescribed pursuant to Paragraphs 2 and 3, Article 27 of the Personal Information Protection Act (hereinafter "the Act").
The clearinghouse shall set up a security measures plan (hereinafter "the Plan") for the personal information files under its possession, to carry out the security maintenance and management of those files and to prevent them from being stolen, tampered with, damaged, destroyed or leaked.
The Plan shall cover the organization and procedures stipulated in Articles 4 to 27 herein.
The terms used herein denote the following meanings:
1. Personal information management representative: a position held by the chairman of the clearinghouse, or by a person directly authorized by the chairman, who is responsible for supervising the design, formulation, execution and revision of the Plan and for the related decision-making.
2. Personal information internal assessor: a supervisor authorized by the chairman of the clearinghouse to evaluate the performance of the Plan.
3. Relevant staff: employees of the clearinghouse who need to access personal information in the course of their duties, including the fixed-term and non-fixed-term contract employees and dispatched workers of the clearinghouse.
The clearinghouse shall organize a task force for the security maintenance of personal information files and allocate appropriate resources to it; the task force is responsible for the design, formulation, execution and revision of the procedures under the Plan.
The task force for the security maintenance of personal information files shall include the personal information management representative and the personal information internal assessor.
When the personal information management representative is a person other than the chairman, the representative shall regularly submit to the chairman a written report on the work of the task force described above.
Chapter II General Procedures
The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following actions:
1. Complying with domestic laws and regulations on personal information protection;
2. Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3. Protecting the personal information files collected, processed and used with technology at a level of security that can reasonably be expected;
4. Setting up a contact window through which the principal parties of the personal information (hereinafter "the Parties") can exercise their rights concerning personal information, file complaints or seek consultation;
5. Mapping out a contingency plan for handling incidents in which personal information is stolen, tampered with, damaged, destroyed or leaked, and other incidents;
6. Properly monitoring outsourced service providers where the collection, processing or use of personal information is outsourced; and
7. Continuing to fulfill the obligation of maintaining the Plan to ensure the security of personal information files.
The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.
The clearinghouse shall, in accordance with the laws on personal information protection, inventory all personal information under its possession, define the scope of personal information to be covered by the Plan, create a list of it, and regularly review the list for changes.
The clearinghouse shall, on the basis of the scope of personal information defined under the preceding article and the related business processes, analyze the potential risks and set up appropriate control measures based on the results of the risk analysis.
The clearinghouse shall establish procedures for the following actions in response to incidents in which personal information under its possession is stolen, altered, damaged, destroyed or leaked, and other incidents:
1. Adopting appropriate contingency measures to reduce or control the damage caused to the Parties by the incident.
2. Investigating the incident and notifying the Parties in a timely manner; the notice shall state the facts of the personal information breach, the response measures taken and the customer service hotline.
3. Preventing the recurrence of similar incidents.
When an incident described in the preceding paragraph occurs, the clearinghouse shall, regardless of whether it occurs during business or non-business hours, notify by telephone the personnel of the Central Bank of the Republic of China (Taiwan) (referred to as "the Bank" hereunder) designated to receive such reports, and in addition report to the Bank in writing the facts of the incident, whether the breached personal information has been illegally used, how the interests of the Parties have been harmed, and the response measures taken.
Chapter III Regulatory Compliance Procedures
The clearinghouse shall establish relevant procedures for the following actions to ensure that the collection of personal information complies with the regulatory requirements for personal information protection:
1. Identifying the specific purposes of the personal information collection.
2. Ensuring that the specific conditions or other requirements that the law imposes on the collection of personal information are met.
The clearinghouse shall establish procedures for the following actions to fulfill its obligation under Articles 8 and 9 of the Act to notify the Parties when their personal information is collected:
1. Identifying the situations that are exempt from notification.
2. Except in the exempt situations, notifying the Parties in a manner appropriate to the circumstances of the collection.
The clearinghouse shall establish relevant procedures for the following actions to ensure that the use of personal information complies with regulatory requirements for personal information protection:
1. Ensuring that the use of personal information conforms to the specific purposes.
2. Identifying whether personal information may be used beyond the specific purposes and, if so, how such use is to be carried out.
The clearinghouse shall follow the procedures below when adding or changing its specific purposes:
1. Taking action in accordance with Article 11 herein.
2. Obtaining the written consent of the Parties, unless otherwise provided by law.
The clearinghouse shall establish procedures for the following actions for handling the specific categories of personal information under Article 6 of the Act:
1. Identifying whether the personal information it collects, processes and uses contains specific categories of personal information.
2. Ensuring that the collection, processing and use of specific categories of personal information comply with the regulatory requirements.
Prior to carrying out any international transmission of personal information, the clearinghouse shall check whether such transmission is restricted by the Central Bank of the Republic of China (Taiwan) and comply with the relevant rules.
The clearinghouse shall establish procedures for the following actions to enable the Parties to exercise their rights under Article 3 of the Act:
1. How the Parties may exercise their rights.
2. Verifying the identity of the Parties.
3. Confirming whether any situation under Article 10 or Article 11 of the Act exists under which the Parties' request to exercise their rights may be rejected.
4. Rejecting the request of the Parties in a timely manner.
The clearinghouse shall establish relevant procedures for the following actions to ensure the accuracy of personal information under its possession:
1. Ensuring that the accuracy of the information is not affected during processing.
2. Making timely corrections when the information is found to contain errors.
3. Checking the accuracy of the information regularly.
Where personal information was not corrected or supplemented due to the fault of the clearinghouse, the clearinghouse shall establish a procedure for notifying, after it has corrected or supplemented the information, the parties to whom that information was previously provided.
The clearinghouse shall regularly check whether the specific purpose for retaining particular personal information has ceased to exist or the retention period has expired. When the specific purpose has ceased to exist or the retention period has expired, the clearinghouse shall proceed in accordance with Paragraph 3, Article 11 of the Act.
Chapter IV Security Management Measures
To prevent personal information from being stolen, tampered with, damaged, destroyed, leaked or otherwise violated, the clearinghouse shall adopt the management measures under Articles 20 to 23 in light of the characteristics of its business, the workstations used to access personal information, the categories and quantity of personal information, and the tools and methods used to transmit personal information.
The clearinghouse shall adopt the following personnel management measures:
1. Designating employees to take charge of the processes for collecting, processing and using personal information respectively (hereinafter "the respective operations").
2. Setting different levels of access authority for the respective operations and keeping them under control, managing access authority through a specific authentication mechanism, and regularly reviewing the appropriateness and necessity of the access levels set.
3. Requiring all relevant staff to observe the related obligation of confidentiality.
The clearinghouse shall adopt the following operation management measures:
1. Setting operating instructions for the respective operations.
2. Setting rules for the use of portable storage media when computers and related apparatus are used to process personal information.
3. Determining whether encryption is necessary for the storage of personal information and, if so, adopting an appropriate encryption mechanism.
4. Determining whether encryption is necessary for the transmission of personal information in light of the mode of transmission used and, if so, adopting an appropriate encryption mechanism and verifying the accuracy of the recipient's information.
5. Evaluating whether a backup copy of personal information is necessary in light of the importance of retaining the information and, if so, keeping a backup copy; determining whether encryption is necessary for the backup and, if so, adopting an appropriate encryption mechanism; taking proper care of the media on which backups are stored and conducting restore tests regularly to ensure that the backups are valid.
6. Ensuring that the information stored on media is properly deleted, or that the media are physically destroyed, before media that store personal information are transferred to others or disposed of.
7. Properly safeguarding the passwords used in the authentication and encryption mechanisms, and taking appropriate precautions when such passwords must be handed over to others.
The clearinghouse shall adopt the following management measures for its physical environment:
1. Implementing the access controls required by the differences between the respective operations.
2. Taking proper care of the storage media used to safeguard personal information.
3. Installing the disaster prevention equipment required by the different environments of the respective operations.
The clearinghouse shall adopt the following technical management measures when it uses computers or related apparatus to collect, process or use personal information:
1. Setting up an authentication mechanism on the computers, related apparatus or systems, and identifying and controlling the staff authorized to access personal information.
2. Where the authentication mechanism uses account names and passwords, ensuring that the mechanism has an adequate degree of security complexity and that passwords are changed regularly.
3. Setting up alerts and response mechanisms on the computers, related apparatus or systems so that abnormal access activity can be properly reacted to and handled.
4. Carrying out identity authentication on the terminals that provide access to personal information, for identification and control purposes.
5. Limiting the number and scope of access authorizations for personal information to what is necessary for the respective operations; sharing of access authority between the respective operations is in principle not allowed.
6. Using firewalls or routers to prevent unauthorized access to the systems on which personal information is stored.
7. Ensuring that users hold the required access authority before they use application programs that can access personal information.
8. Testing the effectiveness of the access authentication mechanism regularly.
9. Examining regularly whether the access authority settings for personal information are appropriate.
10. Installing anti-virus software on the computer systems that process personal information and updating the virus definitions regularly.
11. Installing patches for vulnerabilities in computer operating systems and related programs regularly.
12. Assessing the threat of malware regularly and ensuring that the computer systems remain stable after anti-virus software and patches are installed.
13. Not installing file-sharing software on terminals that hold access authority.
14. Not using real personal information when testing information systems that process personal information; where real personal information must be used, clearly stating the procedure for its use.
15. Ensuring that the level of security does not decline when an information system that processes personal information is changed.
16. Regularly checking the usage records of the information systems that process or access personal information.
Chapter V Awareness Education and Training
The clearinghouse shall conduct awareness education and provide training to its relevant staff to ensure that they understand the requirements prescribed in relevant laws on personal information protection, their respective responsibilities, and relevant operating procedures.
Chapter VI Procedures for Audit and Improvement of the Plan
The clearinghouse shall regularly examine the implementation of the Plan to ensure its continuing effectiveness.
The clearinghouse shall establish the following procedures for the continuing improvement of the Plan:
1. A remediation procedure for poor implementation of the Plan.
2. A procedure for changes to the Plan.
Chapter VII Preservation of Records
The clearinghouse shall preserve at least the following records when carrying out the procedures for implementing the Plan:
1. Records of the delivery and transmission of personal information.
2. Records of the verification of the accuracy of personal information and of corrections made.
3. Records of the exercise of rights by the Parties.
4. Records of the deletion and disposal of personal information.
5. Records of access to the personal information systems.
6. Records of backups and restore tests.
7. Records of the addition, alteration and deletion of the access authority of relevant staff.
8. Records of access violations by relevant staff.
9. Records of the actions taken in response to incidents.
10. Records of the periodic checks of the information systems that process personal information.
11. Records of education and training.
12. Records of audits of the Plan and of the implementation of the improvement procedures.
Chapter VIII Effective Date
These Regulations shall become effective on the date of promulgation.