Keeping track of the new Personal Data Protection Act

A. Obligation to Inform

In addition to the rules on “when a private Personal Data Controller may collect, process, or use the personal data,” private Personal Data Controllers (for example, non-governmental entities that collect personal data) now have the obligation to inform the individual whose personal data are collected, processed or used. Specifically, the private Personal Data Controller shall, prior to collecting the information, inform the individual of (a) the name of the Personal Data Controller; (b) the purposes for which the personal data are collected; (c) the category of the personal data; (d) the period and area for which and the way in which the personal data are to be used and the persons or organisations for whom personal data might be used; (e) the rights that the individual is entitled to exercise, including the right to request that the using, processing, supplementing, or correcting of the personal data cease; and (f) the impact, on the individual's interests, of refusing to provide his/her personal data if he/she chooses not to disclose his/her personal data.

Further, if the private Personal Data Controller collects data from a third party, the private Personal Data Controller shall inform the individual whose personal data are collected, before processing or use. Unless otherwise expressly exempted by the Act, the private Personal Data Controller shall inform the individual the source where his/her personal data is being obtained before processing or using the personal data along with items (a) to (e) above. In addition, with regard to personal data provided by a third party before the effectiveness of the Act, if the data are the types of data where notice is to be provided before the data may be processed or used, the private Personal Data Controller is required to notify the individuals whose personal data were collected of the matters set forth in (a) to (e) and the source of such information within one year from the effective date of the Act.

Under the Act, a private Personal Data Controller may be exempt from the notice obligation if there is an express exemption, such as (1) there are other statutes that explicitly exempt the private Personal Data Controller of the notice obligation; (2) the private Personal Data Controller collects personal data in relation to its performance of statutory obligations; (3) a third party's substantial interests will be infringed if the individual whose personal data are collected is notified; or (4) the individual has previously been advised of the contents of the notice.

B. Special provision governing personal data used for promotion

Personal data may only be collected for a specific permitted purpose. Although the list of specific purposes has not yet been enumerated, it is clear that the use of personal data for promotion purposes is used beyond the scope permitted by the Act. As stipulated in both the Act and the CPDPA, in order to use the personal data beyond the specific purpose of collection, the private Personal Data Controller must acquire the written consent from the individual whose personal data has been collected unless the Personal Data Controller is expressly exempted from doing so under the Act.

In addition to the above, the Act specifically provides that if a private Personal Data Controller uses the personal data for promotion purposes, the private Personal Data Controller should provide the individual the option to opt out of the collection of his/her data at no charge and upon such rejection, the private Personal Data Controller should immediately stop using the individual's personal data to conduct any promotion. Violation of such regulations will result in administrative fines from NTD20,000 to NTD200,000.

II. Archiving employee's personal data

A question frequently asked about archiving the data of employees is whether an employer may ask employees to provide their medical records. The answer depends on whether the information is sensitive personal data or non-sensitive personal data. The Act categorises personal data related to medical treatments, genes, sexual life, health examination and criminal record as “sensitive personal data” which should not be collected, processed, or used except where there is an express exemption, such as:

(1) the laws explicitly provide otherwise;

(2) the sensitive personal data is made known to the public by the individual or has been disclosed in accordance with laws; or

(3) the private Personal Data Controller who collects, processes, or uses the personal data does so out of necessity to perform statutory obligations, and the appropriate safeguard measures for protecting the personal data are carried out.

Merely obtaining the written consent of the individual will not permit a Personal Data Collector to collect such individual's information.

In comparison, employers may collect and process “non-sensitive personal data” (for example, all other personal data not categorised as sensitive personal data) as long as it is for a specific purpose and complies with the enumerated circumstances as specified in the Act.

Once the Act becomes effective, an employer, unless explicitly permitted by the law, is prohibited from collecting its employees' or job applicants' medical records, which are considered sensitive personal data. In addition to medical records, employers may also need to collect other data about their employees, regarding the employees' level of education, family members, emergency contacts, etc. As the Act sets out many detailed rules on how and when personal data can be collected, processed, and used and also imposes heavy civil, administrative, and even criminal liabilities on the individual Personal Data Collector, it is important for employers to handle employees' personal data with care and prudence. To minimise their chances of breaching the Act, employers should establish standardised procedures for data collection to comply with the Act.

Furthermore, the Act requires the private Personal Data Controller to protect personal data that is under its custody by taking appropriate safeguard measures against theft and unauthorised alteration, damage, destruction, or disclosure of personal data. To minimise such risk, it is therefore also important to strengthen the information security system.

III. Private exchanges of personal data

The Act specifically states that it does not apply to the following two circumstances: (1) Personal data that is collected, processed, or used for the purpose of personal or family activities, and (2) Personal media data that are collected, processed, or used from/on public places or public events and that are not linked to the individual's other personal data.

From legislative records, the second exception is intended to exclude ordinary social activities from being covered under the Act. A typical example would be friends sharing photos or videos on Facebook or their blogs. However, the degree of linkage required for personal media data to be deemed “linked to the individual's other personal data” is still unclear. One viewpoint is that the Act would apply where an individual Personal Data Controller intentionally collects a large amount of data of a person from various public platforms and combines the data together for distribution.

Even though the Act does not apply to the personal data collected, processed, or used from/on public places or public events, civil liability under the Civil Act still applies where the violation of privacy rights or personality rights occurs during these social activities.

It is foreseeable that after the Act becomes effective, many, if not all, companies will need to re-evaluate their policies and procedures on personal data collection.

Jaclyn Tsai and Elaine Lee, Lee Tsai & Partners, Taipei