Regulations for the Security and the Maintenance of Personal Information Files in Social Welfare Organizations
2022-06-09
Article 1
The Regulations are enacted in accordance with Paragraph 3, Article 27 of the Personal Data Protection Act (hereinafter referred to as the “Act”).
Article 2
For purposes of the Regulations, the term “competent authority” shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
Article 3
The terms used herein are defined as follows:
I. The social welfare organizations refer to the following organizations:
(1) Organizations established pursuant to the Regulations for the Establishment and Permission of Private Children and Youth Welfare Institutes, equipped with more than 95 authorized beds.
(2) Organizations established pursuant to the Regulations for the Permit and Management Regulations for the Establishment of Private Senior Citizens’ Welfare Institutions, equipped with more than 200 authorized beds.
(3) Organizations established pursuant to the Regulations for the Permit and Management Regulations for the Establishment of Private Mental and Physical Disabilities Welfare Organizations, equipped with more than 200 authorized beds.
II. Responsible Person: Personnel designated by the social welfare organizations to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as the “Security and Maintenance Plan”).
III. Subordinate: Personnel of the social welfare organizations that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by the social welfare organizations to be responsible for auditing the implementation and results of the Security and Maintenance Plan.
The responsible person referred to in Subparagraph 2 and the auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Article 4
The social welfare organizations shall establish the Security and Maintenance Plan specifying the following matters in accordance with the Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. Management of facility security.
VI. The audit mechanisms of data security.
VII. Preservation of access records, log files, and relevant evidence.
VIII. Measures for processing personal information upon termination of the business.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Article 5
The social welfare organizations shall make reasonable distribution of operational resources for planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business and include these measures in the Security and Maintenance Plan to ensure the security maintenance and management of personal information and prevent personal information from being stolen, altered, damaged, destroyed, or disclosed.
Article 6
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plan, the measures for processing personal information upon termination of the business and related matters. The responsible person shall periodically submit a report to the social welfare organizations.
Article 7
The social welfare organizations shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in Article 4, Subparagraph 1, as well as the scope and items of personal information in Subparagraph 2.
If the social welfare organizations find personal information that is not within the necessary scope for the specific purpose or the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then said information shall be deleted or destroyed, or collection, processing or use thereof should be discontinued, or the information shall be handled in any other manner.
Article 8
The social welfare organizations shall comply with the category and scope specified in Paragraph 1 of the preceding article while collecting personal information.
The social welfare organizations shall take necessary protection measures to prevent information leakage while transferring personal information.
Article 9
The social welfare organizations shall comply with the obligation of notification specified in Articles 8 and 9 herein when collecting personal information, and shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require their subordinates to comply with the same.
Article 10
Before transferring the personal information internationally, the social welfare organizations shall check whether it is restricted by the central authority, and inform the subject of the country or region to which the information is intended to be transferred:
I. The planned scope, category, specific purpose, time period, territory, recipient, and method for processing or use of personal information.
II. Matters related to the concerned party's exercise of the rights set forth in Article 3 herein.
Article 11
The management measures of information security and personnel established by the social welfare organizations in Article 4, Subparagraph 3 herein shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates upon termination of employment; require subordinates to hand over documents and information obtained from performance of job duty and prohibit them from taking away or using the documents and data upon termination of employment; and also require them to sign the non-disclosure agreement.
Article 12
The social welfare organizations shall establish a mechanism for prevention, notification, and response to incidents in accordance with Article 4, Subparagraph 4, which shall include the following matters:
I. Take appropriate measures to control the damage caused by the incident, and notify the municipal or county (city) competent authority and the central competent authority within 72 hours from the time the incident is discovered.
II. Identify the cause of the incident and the damage, and notify the parties involved or their legal representatives.
III. Formulate improvement measures to prevent recurrence of the incident.
In the event of theft, disclosure, tampering, or other infringement of personal information, the social welfare organizations shall follow the mechanism for prevention, notification, and response to incidents referred to in the preceding paragraph to promptly address the situation and protect the rights and interests of the parties involved.
In the event of the incident referred to in the preceding paragraph, the competent authorities shall, in accordance with the provisions of Article 22, Paragraph 1 herein, enter the organizations for inspection, order the relevant personnel to provide the necessary explanation, ask for cooperation or provision of relevant evidence, and take further actions depending on the inspection result.
The format of the notification in Paragraph 1, Subparagraph 1 is attached hereto.
Article 13
The management measures of equipment security established by the social welfare organizations in Article 4, Subparagraph 5 herein shall include the following matters:
I. Security protection facilities and management procedures for hard copies of data files.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Establish procedures for destroying hard copies of documents.
IV. Suitable measures for preventing personal information from being disclosed must be taken when computers, automated machines, or other storage media are to be discarded, replaced, or used for other purposes.
Article 14
Auditors shall conduct regular or ad hoc audits of the implementation status and results of the Security and Maintenance Plan in accordance with Article 4, Subparagraph 6, and report the audit results to the social welfare organizations where necessary.
Article 15
The preservation measures of access records, log files, and relevant evidence established by the social welfare organizations in Article 4, Subparagraph 7 herein shall include the following matters:
I. Retention of personal information access records.
II. Retention of log files of automated machines or other relevant evidence.
III. Measures for preservation of the logs and evidence referred to in the preceding two subparagraphs.
Article 16
The measures for processing personal information upon termination of the business established by the social welfare organizations in Article 4, Subparagraph 8 herein shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the transferee to retain the personal information.
III. Deletion or Discontinuation of Processing or Use: Method, time, or place.
The measures in the preceding paragraph shall be documented, and retained for at least five years, unless otherwise provided by laws.
Article 17
The social welfare organizations shall take into account the implementation status of the Security and Maintenance Plan, technological developments, amendments to laws and regulations, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Article 4, Subparagraph 9. The social welfare organizations shall examine the appropriateness of the Security and Maintenance Plan regularly and revise it when necessary.
Article 18
The social welfare organizations which use any cyber security service system to collect, process, and use personal information shall adopt the following information security measures:
I. User identity confirmation and protection mechanism.
II. Data masking mechanism for personal information display.
III. Security encryption mechanism for Internet data transmission.
IV. Access control and protection monitoring measures for personal information files and databases.
V. Prevention mechanism of external network intrusion.
VI. The monitoring and response mechanism against illegal or abnormal access to the system.
The countermeasures and mechanism referred to in Paragraph 1, Subparagraphs 5 and 6 shall be regularly practiced and reviewed for improvement.
Article 19
The social welfare organizations shall complete the establishment and implementation of the Security and Maintenance Plan within one year of the promulgation and implementation of the Regulations. The competent authorities may send their personnel to conduct inspections periodically.
Article 20
The Regulations shall be enforced as of the date of promulgation.