|May 15, 2012|
The Personal Data Protection ACT (the “PDPA”) was promulgated by the President on May 26, 2010. Since the PDPA is the first basic law for personal data protection for all persons (including natural persons) and has deep and profound impact, the PDPA stipulates that its effective date shall be separately prescribed by the Executive Yuan in order to provide sufficient time for enterprises to get ready and prepared.
The Ministry of Justice announced on October 27, 2011 the draft Amendment to the Enforcement Rules of the Personal Data Protection law (hereinafter, the “Draft Enforcement Rules”), public opinions of which are still being gathered. The ways by which the Draft Enforcement Rules will have material impact on personal data management by enterprises are summarized below.
I. Definitional provisions for personal data and personal data files
The PDPA provides that all data that may directly or indirectly identify individuals are personal data. In this regard, Article 3 of the Draft Enforcement Rules contains definitional provisions and provides that the so-called “data which may indirectly identify such individuals” refers to the data which can identify individuals only when compared, combined or linked with other data. The proviso of this article also provides that data which can identify individuals only after excessively difficult, costly or time-consuming inquiries shall be excluded.
The proviso of Article 3 of the Draft Enforcement Rules seeks to balance personal data protection with the reasonable use of data in order to prevent the scope of personal data from unlimited expansion. Since several uncertain legal constructs are involved, if enterprises still have doubts as to whether the data collected or used by them are personal data, it is advisable to take prudent action and seek professional legal advice to avoid haphazard violations of laws and regulations.
Article 5 of the Draft Enforcement Rules also stipulates that personal data files shall include archived files and trace data. According the amendment reasons, archived files and trace data are included in the scope of personal data files in order to fulfill and further the legislative objectives of personal data protection and of the fair use of personal data. The “trace data” refers to the log files which do not form part of the personal data previously collected but which are created when personal data are collected, processed or used, including (but not limited to) the codes of the individuals accessing the data, access time, code of the equipment used, IP addresses, Internet paths routed, etc., which can be used to compare and verify the appropriateness of data access.
II. The supervisory obligation of a party entrusting the management of personal data to another party
Under the PDPA, if an enterprise entrusts the management of personal data to another juristic person, organization or natural person, the entrusting party shall still be the responsible entity and shall be liable for the behavior of such entrusted party in managing personal data. Therefore, Article 7 of the Draft Enforcement Rules specifically stipulates as follows: A party seeking to exercise relevant rights under the PDPA shall do so vis-a-vis the entrusting party. Article 8 also stipulates the supervisory obligation of the entrusting party and provides that an enterprise which entrusts the management of personal data to another party shall exercise appropriate supervision over the entrusted party. The matters of supervision shall at least include the following:
1. The scope, category, specific objectives and duration of expected collection, processing or use of personal data.
2. Necessary measures which shall be adopted by the entrusted party to ensure the personal data security.
3. The entrusted party contracted in case of duplicated entrustment.
4. The matters which shall be notified to the entrusting party and the remedial measures which should be taken if the entrusted party or its employees violate personal data protection laws and regulations or provisions of entrustment contract.
5. Matters instructed to the entrusted party by the entrusting party.
6. The return of personal data carriers and the deletion of the stored personal data in the possession of the entrusted party when the entrustment relations are terminated or rescinded.
III. Contents of information security maintenance measures
Pursuant to the requirements under the PDPA, an enterprise shall take appropriate security measures to prevent the personal data files in its possession from theft, alteration, destruction, extinguishment or leakage. The regulations to be prescribed by the central competent authority for specified business for different sectors in the future will also require specific sectors to formulate their security maintenance plans for personal data files or the rules for handling personal data after business termination pursuant to the standards stipulated under such regulations.
To this end, Article 9 of the Draft Enforcement Rules further provides that the “appropriate security maintenance measures” mentioned above refer to the necessary technical and organizational measures adopted to prevent the theft, alteration, destruction, extinguishment or leakage of personal data. In addition, such necessary measures should at least including the following:
1. Establishment of a management organization to which certain resources are allocated.
2. Definition of the scope of personal data.
3. Risk assessment and management mechanisms for personal data.
4. Accident prevention, reporting and response mechanisms.
5. Internal management procedures for the collection, processing and use of personal data.
6. Data security management and personnel management.
7. Promotions, education and training to enhance awareness.
8. Equipment security management.
9. Data security audit mechanisms.
10. Preservation of necessary usage records, trace data and evidence.
11. Continued overall improvements in maintaining personal data security.
After the Draft Enforcement Rules are adopted in the future, when the competent authority for each specified business prescribes laws or regulations for personal data security maintenance plans, the necessary measures mentioned above will serve as the basis for prescribing the regulations for different sectors. Enterprises are advised to be prepared and adopt relevant measures as soon as possible to accommodate the implementation of the PDPA.
Although the Personal Data Protection Act has not yet come into force, still the provisions of its parent law have been finalized (with the exception of relevant regulations for special data, which are still controversial and for which the Ministry of Justice and the Executive Yuan may proposed amendments), enterprises, whether or not enterprises regulated under the current Computerized Processing of Personal Data Protection Law, should make appropriate preparations based on the PDPA and are also advised to pay close attention to the status of subsequent enforcement rules and ancillary laws to be prescribed by the Ministry of Justice and the central competent authority for specified business to ensure compliance with the PDPA and secure a solid legal foundation for business operation.