In the past two years, the impact of the COVID-19 epidemic and the continuing development of 5G have accelerated digital transformation across industries. With the addition of the emerging metaverse concept, topics related to privacy and personal data protection have again become the focus of attent
By Chiu-Hua Chen & Jeffrey K.S. Hung, Managing Partner & Partner of Formosan Brothers, Attorneys-at-Law
Paragraph 1 of Article 27 of the Personal Data Protection Act (hereinafter the “Act”) provides that companies and organizations of all industries in possession of personal data files shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed. And with respect to industries that are in possession of an enormous amount of important personal data files, e.g., banking, telecommunication, medical care, and insurance, the competent authority has long since required them to establish security and maintenance plans for the protection of personal data files and guidelines on disposing personal data following a business termination.
In the past two years, the impact of the COVID-19 epidemic and the continuing development of 5G have accelerated digital transformation across industries. With the addition of the emerging metaverse concept, topics related to privacy and personal data protection have again become the focus of attention. In order to implement personal data protection and avoid leakage or theft of personal data, on December 1, 2021, the Ministry of the Interior announced regulations for the security and maintenance of personal data files specific to various organizations and industry groups, which include designated political parties and national civil affairs foundations, religious organizations, ancestor worship organizations, funeral services, land administration industry, cooperative and civil associations, nongovernmental police-related industry, construction related industry, and immigration business agencies. Among them, the “construction related industry” includes: the construction industry, the real estate development industry (referring to the industry engaged in the investment and construction of real estate such as land and buildings for the purpose of sales), architect firms, condominium buildings management and maintenance companies, urban renewal business corporation, etc. The "land administration industry" includes: the real estate brokerage industry, rental housing services, real estate appraisal offices, land administration agency offices, etc. The "nongovernmental police-related industry" includes private security service, pawnshops, controlling guns, ammunition and knives business, etc. The regulations cover a wide range of industries and organizations.
The Ministry of the Interior announced the regulations for the security and maintenance of personal data files specific to the nine major industries and mainly required those businesses to take the following appropriate measures, according to the scale and characteristics of business, nature and quantity of the personal data collected, etc., to secure and manage personal data files: 1. allocating management personnel and reasonable resources; 2. defining the scope of collection, processing, and use of personal data; 3. establishing a mechanism of risk assessment and management of personal data; 4. establishing a mechanism of preventing, giving notice of, and responding to a data breach; 5. establishing an internal control procedure for the collection, processing, and use of personal data; 6. establishing measures for equipment security management, data security management, and personnel management; 7. promoting awareness, education, and training; 8. establishing an audit mechanism for personal data security and maintenance; 9. keeping records, log files, and relevant evidence; 10. implementing integrated and persistent improvements on the security and maintenance of personal data; and 11. setting a guideline on disposing personal data following a business termination. In addition, for major personal data breach incidents, businesses shall notify the competent authority in writing within 72 hours following the discovery of the breach, which shall include the information of the agency of notification, the time of occurrence, the type of breach, the cause and summary of breach, the condition of damage, the possible consequences of personal data infringements, the responding measure to be adopted, when and how the data subject will be notified, and whether the incident was reported immediately after the discovery of personal data breach. This obligation to notify the competent authority in writing is not included in the existing Personal Data Protection Act.
Moreover, for businesses that hold the personal data up to a certain amount, the related regulations also require them to strengthen their personal data protection operations, including: 1. mechanisms for user identity verification and protection; 2. masking function for the displaying of personal data; 3. security encryption mechanisms for transmission over the Internet; 4. access control, protective and surveillance measures for personal data files and database; 5. countermeasures against external network intrusion; and 6. monitoring and responding mechanisms against unlawful or abnormal usage. Wherein, the measures prescribed in subparagraphs 5 and 6 shall be periodically exercised and reviewed for improvement.
In addition, the regulations also provide that a non-government agency established before the implementation of the regulations shall establish “a security and maintenance plan for the protection of personal data files and a guideline on disposing personal data following a business termination” within six months of the implementation of the regulations and file such plans with the competent authority for future reference. A new established non-government agency shall also complete such plans and file them with the competent authority for future reference. As such, the designated industries should complete their security and maintenance plans for the protection of personal data files as soon as possible before May 31, 2022 to avoid a fine between NT$20,000 and NT$200,000 provided in Article 48 of the Personal Data Protection Act imposed by the competent authority.
(This article was published in the Expert’s Commentary Column of the Commercial Times:https://view.ctee.com.tw/tax/35204.html)