Chapter I General Provisions
Article 1
These Regulations are prescribed pursuant to Paragraphs 2 and 3, Article 27 of the Personal Information Protection Act.(hereinafter “the Act”)
Article 2
The clearinghouse shall set up a security measures plan (hereinafter “ the Plan ” )for personal information files under its possession to carry out security maintenance and management of personal information files in order to prevent them from being stolen, tampered, damaged, destroyed or leaked.
The Plan shall cover related organizations and procedures stipulated in Articles 4 to 27 herein.
Article 3
The terms used in the Regulations shall be defined as follows:
1."Personal information management representative" shall mean the president of the clearinghouse or an officer directly authorized by the president, who takes charge of supervising the design, formulation, execution, and revision of the Plan and its relevant decision making.
2."Personal information internal assessor representative" shall mean an officer authorized by the president of the clearinghouse to take charge of supervising internal assessors evaluating the performance of the Plan.
3."Relevant staff" shall mean employees of the clearinghouse who have to access personal information in the process of business execution, including the fixed-term and non-fixed-term contract employees and dispatched workers of the clearinghouse.
Article 4
The clearinghouse shall organize a task force for security maintenance of personal information files and allocate appropriate resources so as to be responsible for the design, formulation, execution, and revision of relevant procedures under the Plan.
The staffing of the task force for security maintenance of personal information files includes the personal information management representative and the internal assessor.
When the personal information management representative is served by an officer other than the president, this representative shall submit a written report about the task execution of the task force mentioned above to the president regularly.
Chapter II. General Procedures
Article 5
The clearinghouse shall set up its management policy for personal information protection in accordance with the characteristics of its organization and business, submit it to the board of directors for approval, and then make it public so that all relevant staff understand it clearly and comply with it.
The management policy in the preceding paragraph shall include the following actions:
1.Complying with domestic laws and regulations on personal information protection;
2.Collecting, processing and using personal information for specific purposes in a reasonable and secure manner;
3.Protecting the collected, processed and used personal information files with technology at the level of security that could be reasonably expected;
4.Setting up a contact window for the principal parties of personal information ( hereinafter “ the Parties ” )to exercise relevant rights concerning personal information or to file complaint or seek consultation;
5.Mapping out contingency plan for handling personal information stolen, tampered, damaged, destroyed, leaked, or other incidents;
6.If the collection, processing and use of personal information are outsourced, properly monitoring outsourced service providers; and
7.Continuing to fulfill the obligation of maintaining the Plan to ensure security of personal information files.
Article 6
The clearinghouse shall regularly examine laws on personal information protection that it should comply with, and formulate or revise the Plan accordingly.
Article 7
The clearinghouse shall, in accordance with laws on personal information protection, check all personal information under its possession, define the scope of personal information that should be included in the Plan and create a list and check the change of list content regularly.
Article 8
The clearinghouse shall, in accordance with the scope of personal information defined according to the preceding article and its relevant business processes, analyze potential risks, and set up proper control measures based on the results of risk analysis.
Article 9
The clearinghouse shall, in dealing with personal information under its possession stolen, tampered, damaged, destroyed, leaked, or other incidents, establish relevant procedures for the following actions:
1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.
2. Investigating the incident and notifying the Parties in a timely manner. Content of the notification shall include the relevant facts about the incident, measures to resolve the incident, and contact information of the consulting service.
3. Avoiding recurrence of similar incidents.
When the clearinghouse has an incident similar to what is described in the preceding paragraph, the clearinghouse shall immediately notify the personnel of the Central Bank of the Republic of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting reporting by phone, and, within 36 hours, send a form to the Bank via electronic mail in the format of the attached form. However, in the event of any of the following situations, the clearinghouse shall immediately notify the Bank by phone and promptly send a form to the Bank via electronic mail in the format of the attached form:
1.The incident involves breach of personal data that is of concern to the Executive Yuan, Legislative Yuan or Control Yuan.
2.The incident involves breach of personal data that has been widely reported in the media. For example, it is reported in the national news section of print media, or it is a feature story discussed in electronic media.
The clearinghouse shall, within 7 business days from the next day following the phone notification under the preceding paragraph, report to the Bank in writing the facts of the incident, whether the breached data have been unlawfully utilized, any damage to the interests of the Parties, and response actions taken. However in case any situation under the proviso of the preceding paragraph exists, the clearinghouse shall submit such a report to the Bank in writing on the next business day following the phone notification.
After receiving the notification of the clearinghouse, the Bank may, by the authority vested under Articles 22-26 of the Act, take appropriate supervisory and administrative measures.
Article 9-1
The clearinghouse should cooperate with the Bank in the following actions:
1.The administrative examination of personal data protection conducted by the Bank every year.
2.Administrative investigation and reinspection of the incidents specified in Paragraph 1 of the preceding article.
For improvement actions to be taken as advised in the administrative examination or administrative investigation and reinspection mentioned in the preceding paragraph, the clearinghouse shall propose concrete improvement measures and report subsequently actions taken to the Bank.
Chapter III. Regulatory Compliance Procedures
Article 10
The clearinghouse shall establish relevant procedures for the following actions to ensure that the collection of personal information complies with the regulatory requirements for personal information protection:
1.Identifying the specific purposes of personal information collection.
2.Ensuring those specific situations or other requirements for personal information collection required by laws.
Article 11
The clearinghouse shall establish relevant procedures for the following actions to fulfill its obligation of notifying the Parties of personal information collected in complying with Article 8 and Article 9 of the Act:
1.Identifying situations which are exempted from the notification.
2.Except the exempted situations, notifying the Parties in a proper way according to the situations in collecting personal information
Article 12
The clearinghouse shall establish relevant procedures for the following actions to ensure that the use of personal information complies with regulatory requirements for personal information protection:
1.Ensuring that the use of personal information complies with specific purposes.
2.Identifying whether the personal information may be used beyond the specific purposes and how to carry it out.
Article 13
The clearinghouse shall take action according to following procedures in adding or changing its specific purposes:
1.Taking action in accordance with Article 11 herein.
2.Obtaining the written consent of the Parties, unless it is otherwise provided by laws.
Article 14
The clearinghouse shall establish relevant procedures for the following actions in coping with specific categories of personal information under Article 6 of the Act:
1.Identifying whether the personal information collected, processed and used by it contains specific categories of personal information.
2.Ensuring that the collection, processing and use of specific categories of personal information comply with regulatory requirements.
Article 15
Prior to carrying out international transmission of personal information, the clearinghouse shall check whether such transmission is restricted by the Bank and comply with the relevant rules.
Article 16
The clearinghouse shall establish relevant procedures for the following actions to enable the Parties to exercise its rights under Article 3 of the Act:
1.How to enable the Parties to exercise their rights.
2.Verifying the identity of the Parties.
3.Confirming whether there are situations under Article 10 or Article 11 of the Act by which the request for exercise of rights by the Parties may be rejected.
4.Rejecting the request of the Parties in a timely manner.
Article 17
The clearinghouse shall establish relevant procedures for the following actions to ensure the accuracy of personal information under its possession:
1.Ensuring that the accuracy of information is not affected during the course of processing.
2.Making timely correction while verifying that information contains any error.
3.Checking the accuracy of information regularly.
For personal information that are not corrected or supplemented due to the fault of the clearinghouse, the clearinghouse, after correcting or supplementing personal information, shall establish a procedure for notifying parties to whom such information was once provided.
Article 18
The clearinghouse shall check regularly whether the specific purpose for retaining certain personal information no longer exists or overdues. When the specific purpose disappears or the duration of retention has expired, the clearinghouse shall follow the provisions under Paragraph 3, Article 11 of the Act.
Chapter IV. Security Management Measures
Article 19
To prevent personal information from being stolen, tampered, damaged, destroyed, leaked, or otherwise violated, the clearinghouse shall adopt management measures under Articles 20 to 23 in accordance with the characteristics of business, workstation to access personal information, categories and quantity of personal information, and tools and methods used for transmitting personal information.
Article 20
The clearinghouse shall adopt the following personnel management measures:
1.Designating employees to take charge of the processes for collecting, processing and using personal information respectively (hereinafter “ respective operation ” ).
2.Setting different priorities of access authority for respective operation and putting it under control, managing access authority by using a specific authentication mechanism, and regularly reviewing the appropriateness and necessity of the access authority ’ s priorities set.
3.Requiring all relevant staff to observe related obligation of confidentiality.
Article 21
The clearinghouse shall adopt the following operation management measures:
1.Setting instructions for the respective operation.
2.Setting rules for the use of portable storage media when computer and relevant apparatuses are used for processing personal information.
3.Determining whether encryption is necessary for the storage of personal information, and if it is necessary, adopting proper encryption mechanism.
4.Determining whether encryption is necessary for the transmission of personal information in terms of the mode of transmission used, and if it is necessary, adopt- ing proper encryption mechanism and verifying the information accuracy of recipient.
5.Evaluating whether it is necessary to make a backup copy of personal information in accordance with the importance of information retention, and if it is necessary, saving a backup copy of such information; Determining whether encryption is necessary for the backup information, and if it is necessary, adopting proper encryption mechanism; keeping proper care of media for storing backup information and conducting restore testing regularly to ensure the validity of the backup information.
6.Ensuring to properly delete information stored in the media or destroy the media physically before the media storing personal information are transferred to other people or disposed.
7.Properly preserving the passwords used in authentication mechanism and encryption mechanism, and taking proper actions when it is necessary to give such passwords to other people.
Article 22
The clearinghouse shall take following management measures for its physical environment:
1.Implementing necessary access control in accordance with the difference of respective operation.
2.Keeping proper care of the storage media for safeguarding personal information.
3.Installing necessary disaster prevention equipment for different environment of the respective operation.
Article 23
The clearinghouse shall adopt following technical management measures when it uses computers or relevant apparatuses for collecting, processing or using personal information:
1.Setting up authentication mechanism on computers, or relevant apparatuses or systems, and conducting identification and control for the staff authorized to access personal information.
2.When the authentication mechanism involves account name and password, ensuring the mechanism has certain degree of sophistication in terms of security, and changing the password regularly.
3.Setting up alerts and relevant response mechanisms on the computers, or relevant apparatuses or systems to properly react to and handle abnormal access activities.
4.Carrying out identity authentication on terminals that provide access to personal information for identification and control purposes.
5.Setting the quantity and scope of access authority for personal information within the extent necessary for the respective operation; sharing access authority for the respective operation not allowed in principle.
6.Using firewalls or routers to prevent unauthorized access to systems stored with personal information
7.Ensuring the users to have access authority in using application programs that can access personal information.
8.Testing the effectiveness of access authentication mechanism regularly.
9.Examining regularly whether the setting of personal information access authority is proper.
10.Installing anti-virus software in the computer systems that process personal information and updating the virus code regularly.
11.Installing patches for loopholes in computer operating systems and related programs regularly.
12.Assessing the threat of malware regularly and ensuring the stability of the computer systems after installing anti-virus software and patch programs.
13.No file-sharing software installed on terminals with access authority.
14.No using real personal information in testing the information system for processing personal information; stating clearly the using procedure if real personal information is used.
15.Ensuring the level of security not to decline when there is change in the information system for processing personal information.
16.Checking the using records of information system for processing and accessing personal information regularly.
Chapter V Awareness Education and Training
Article 24
The clearinghouse shall conduct awareness education and provide training to its relevant staff to ensure that they understand the requirements prescribed in relevant laws on personal information protection, their respective responsibilities, and relevant operating procedures.
Chapter Ⅵ Procedures for Audit and Improvement of the Plan
Article 25
The clearinghouse shall regularly examine the implementation of the Plan to ensure its continuing effectiveness.
Article 26
The clearinghouse shall establish following procedures for continuing improvement of the Plan:
1.Remediation procedure for poor implementation of the Plan.
2.Procedure for change of the Plan.
Chapter Ⅶ Preservation of Records
Article 27
The clearinghouse shall preserve at least the following records in proceeding procedures for implementation of the Plan:
1.Records on personal information delivery and transmission.
2.Records on identifying the accuracy and correction of personal information.
3.Records on the exercise of rights by the Parties.
4.Records on deletion and disposal of personal information.
5.Records on accessing personal information system.
6.Records on the backup and restore testing.
7.Records on addition, alteration and deletion of access authority of relevant staff.
8.Records on access violation by relevant staff.
9.Records on actions taken in response to incidents.
10.Records on the periodic check of information system for processing personal information.
11.Records on educational training.
12.Records on the audit of the Plan and the implementation of improvement procedure.
Chapter Ⅷ Effective Date
Article 28
These Regulations shall come into force on the date of promulgation.