Regulations for the Security and the Maintenance of Personal Information Files in Wholesaling and Retailing Medical Devices

2022-01-21
Article 1
These Regulations are stipulated in accordance with Subparagraph 3, Article 27 of the Personal Data Protection Act (hereinafter referred to as “the Act”).
Article 2
For purposes of this Act, the term “competent authority” shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
Article 3
The terms used herein are defined as follows:
I. Medical devices wholesalers or retailers: A medical devices dealer that is approved for registration in accordance with Article 13 of the Medical Devices Act, has a capital of more than NT$30 million, and recruits members or obtains personal information of trading counterparts.
II. Responsible person: Personnel designated by medical devices wholesalers or retailers to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as “Security and Maintenance Plans”).
III. Subordinate: Personnel of medical devices wholesalers or retailers that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by medical devices wholesalers or retailers to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Article 4
Medical devices wholesalers or retailers shall establish the Security and Maintenance Plans specifying the following matters in accordance with these Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files and relevant evidence.
VIII. The measures for processing personal information after termination of any business relationship.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Article 5
Medical devices wholesalers or retailers shall make reasonable distribution of operational resources by planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business, and include these measures in the Security and Maintenance Plans for ensuring the security maintenance and management of personal information and preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
Article 6
Medical devices wholesalers or retailers shall establish Security and Maintenance Plans within six months after these Regulations take effect.
Medical devices wholesalers or retailers shall retain said Security and Maintenance Plans in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plans.
Article 7
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plans, the measures for processing personal information after termination of any business relationship and related matters. The responsible person shall periodically submit a report to medical devices wholesalers or retailers.
Article 8
Medical devices wholesalers or retailers shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in accordance with Subparagraph 1 of Article 4 as well as the scope and items of personal information in Subparagraph 2.
If medical devices wholesalers or retailers find personal information that is not within the necessary scope for the specific purpose, for which the specific purpose no longer exists, or that no longer needs to be retained because the retention period has expired, the said information shall be deleted or destroyed, its collection, processing or use shall be discontinued, or it shall be handled by other appropriate measures.
Article 9
The collection of personal information by medical devices wholesalers or retailers shall comply with the category or scope prescribed in Subparagraph 1 of the preceding Article.
Medical devices wholesalers or retailers shall take necessary protection measures to prevent information leakage while transferring personal information.
Article 10
Medical devices wholesalers or retailers shall comply with the obligation of notification specified in Articles 8 and 9 of the Act when collecting personal information; they shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require subordinates to comply.
Article 11
Before transferring personal information internationally, medical devices wholesalers or retailers shall verify whether such transfer is restricted by the central competent authority and inform the information owner of the country or region to which the personal information will be transferred.
Article 12
Medical devices wholesalers or retailers shall inform the information owner of the medical devices wholesaler or retailer's registered name and the source of the personal information when using personal information for publicity, promotion or marketing in accordance with Paragraph 1, Article 20 of the Act.
Medical devices wholesalers or retailers shall provide the information owners or their statutory agents with methods of expressing refusal to accept such publicity, promotion or marketing, and shall pay necessary expenses, while using personal information for publicity, promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive publicity, promotion or marketing, medical devices wholesalers or retailers shall stop using the owner's personal information immediately and inform subordinates.
Article 13
Medical devices wholesalers or retailers shall conduct proper supervision of the commissioned party in accordance with Article 8 of the Enforcement Rules of the Act, and shall set clear contractual requirements in the contract or related documents, when commissioning a third party to collect, process, or use all or part of the personal information.
Article 14
Medical devices wholesalers or retailers may take the following measures when the information owners or their statutory agents exercise their rights as stipulated in Article 3 of the Act:
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisions prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
Article 15
The management measures of information security and personnel established by medical devices wholesalers or retailers in accordance with Subparagraph 3 of Article 4 shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after termination of employment. Subordinates are required to hand over the documents and data obtained in the course of their work and may not take or use such documents and data after termination of employment.
Article 16
Medical devices wholesalers or retailers shall take the following data protection measures if they provide services on an e-commerce platform:
I. Mechanisms for user verification and protection.
II. Masking mechanisms for displaying personal data.
III. Security encryption mechanisms for Internet transmission.
IV. Access control and protection monitoring measures of personal data files and databases.
V. Countermeasures against external network intrusion.
VI. Monitoring and responding mechanisms against unlawful or abnormal usage.
E-commerce as referred to in the preceding paragraph means advertisements, promotions, supply, ordering, delivery or other commercial activities carried out via the Internet.
The measures prescribed in Subparagraphs 5 and 6 in the preceding paragraph shall be periodically exercised and reviewed for improvement.
Article 17
The incident prevention, reporting, and response mechanisms established by medical devices wholesalers or retailers in accordance with Subparagraph 4 of Article 4 shall include the following matters:
I. Take appropriate measures to control the damages to the information owner due to the incident and report to the municipal and county (city) competent authorities and the central competent authority within 72 hours after discovering the incident.
II. Investigate the cause of the incident and damages, notify the information owners or statutory agents, and report the incident to the competent authority.
III. Examine deficiencies and formulate preventive and improvement measures to prevent such incidents from recurring.
When personal information theft, leakage, tampering, or other incidents occur, medical devices wholesalers or retailers shall rapidly handle the incident according to the prevention, reporting, and response mechanisms in the preceding paragraph to protect the rights and interests of the personal information owners.
When an incident mentioned in the preceding paragraph occurs at a medical devices wholesaler or retailer, the competent authority may conduct inspections by having its staff enter the premises, order relevant personnel to provide necessary explanations, cooperate in adopting relevant measures, or provide supporting documents in accordance with Paragraph 1 of Article 22 of the Act, and may take further action depending on the inspection result.
Please see the attachment for the report form referred to in Subparagraph 1 of Paragraph 1.
  • Attachment Reporting of personal information breach incident.pdf
Article 18
The management measures of facility security established by medical devices wholesalers or retailers in Subparagraph 5 of Article 4 shall include the following matters:
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Establish procedures for destroying paper and electronic documents. Suitable measures for preventing personal information leakage must be taken when computers, automated machines, or other storage media are to be discarded, replaced, or used for other purposes.
Article 19
Auditors shall regularly or irregularly audit the implementation status and results of Security and Maintenance Plans in accordance with Subparagraph 6 of Article 4 and report audit results to medical devices wholesalers or retailers.
Article 20
The preservation measures of use records, log files, and relevant evidence established by medical devices wholesalers or retailers in accordance with Subparagraph 7 of Article 4 shall include the following matters:
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
Article 21
The disposal measures for personal information after termination of business established by medical devices wholesalers or retailers in accordance with Subparagraph 8 of Article 4 shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Deletion, or discontinuation of processing or use: Method, time, or place.
The measures in the preceding paragraph shall be documented, and the records retained for at least five years.
Article 22
Medical devices wholesalers or retailers shall take into account the implementation status of their Security and Maintenance Plans, technological developments, amendments of laws, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Subparagraph 9 of Article 4. Medical devices wholesalers or retailers shall examine the appropriateness of Security and Maintenance Plans regularly and revise the plans when necessary.
Article 23
These Regulations are implemented from their date of promulgation.