Taiwan Focus: How to comply with the Personal Information Protection Act
Many companies remain unaware of their obligations under Taiwan's Personal Information Protection Act to protect employees' personal information, and of how to establish their own personal information management system
Two years after its promulgation, the Personal Information Protection Act (PIPA) finally came into force on October 1 2012. Many companies, however, have still not grasped the relevant provisions of the Act, and there are several key requirements they are failing to meet.
Personal information
Personal information encompasses name, birth date, ID number, passport number, personal characteristics, fingerprints, marital status, family background, educational background, occupation, medical information, medical history, DNA, sexual activity, health examination, criminal record, contact information, financial status, social activities and any other information capable of being used, directly or indirectly, to identify a person. Information such as medical history, DNA, sexual activity, health examination and criminal record is treated as specific (sensitive) personal information. In principle, unless an exception is provided by law, companies are prohibited from collecting, processing and using specific personal information at all.
For general personal information, collection, processing and use are permitted only if three criteria are satisfied: a specific purpose, compliance with the statutory requirements, and compliance with the notice obligation.
Personal information requirements
For companies, the most important task is to plan and design internal and external operating processes that satisfy these criteria, so that they can legally collect, process and use general personal information.
To understand the scope of a specific purpose, companies may refer to the categories of specific purposes and types of personal information subject to the PIPA, as announced by the Ministry of Justice on October 1 2012. Purposes should be selected carefully; in particular, companies should pay extra attention when choosing the following broad categories: 002 Human Resources Management; 069 Contract, Quasi-Contract or Other Legal Matter; and 181 Engaging in Other Business Activities Complying with the Company Registration or Articles of Incorporation.
As to the statutory requirements, companies should review the personal information they collected and processed in the past and ask, for each collection, whether at least one of the following applied: Was the collection explicitly provided for by law? Did the company have a contractual or quasi-contractual relationship with the concerned person? Had the personal information been disclosed by the concerned person or otherwise legally disclosed? Was the information collected and processed by an academic or research institution, in the public interest, for statistics or academic research, and processed by the provider or collector in such a way that the concerned person cannot be identified? Did the company obtain the written consent of the concerned person? Was the collection related to the public interest? Was the information obtained from a publicly accessible source, and, if so, did the concerned person have no greater interest worth protecting that would preclude its processing and use?
Consequently, when designing and planning personal information management policies, companies need to build these statutory requirements into the process, so that collection, processing and use comply with the law. Companies should also consider whether the personal information collected is used only within the stated specific purposes and, where it becomes necessary to use it outside those purposes, how the proper determinations are made and what measures must be taken accordingly.
Finally, with respect to the notice obligation, the Enforcement Rules of the PIPA allow companies to give notice orally or in writing, by telephone, text message, email, facsimile, electronic document or any other method by which the concerned person knows or should have known of the notice. Companies should choose a method that neither causes undue annoyance to the concerned person nor unduly increases the cost of operation. Whichever method is adopted, the notice must inform the concerned person of the name of the entity, the purpose of collection, the type of personal information collected, the period, area, subject and method of use, the rights of the concerned person, and the impact on the concerned person's rights of not providing his or her personal information.
Establishing internal processes
When implementing personal information management processes, companies should first conduct an overall inventory of the personal information they hold, covering both internal personnel and external clients. The inventory lets a company understand what personal information it actually retains, assess whether each item is general or specific personal information, and record whether it was collected directly or indirectly. This inventory serves as the basis for establishing the personal information management process.
In practice, companies quite often over-collect, and so retain a great deal of personal information that has never been used. Companies should discard personal information that serves no purpose: every item that is not retained reduces both the burden of subsequent management and the exposure in the event of a leak.
For internal management, companies should identify the key steps in their internal operating processes and use those steps as the framework for personal information management. For example: (i) guidelines for personal information management; (ii) guidelines for the collection, processing and use of personal information; (iii) guidelines for handling personal information inquiries; (iv) a procedure governing personal information leakage; and (v) guidelines on maintaining personal information protection for employees to follow.
Implementing measures
When companies seek to implement a personal information management scheme, they are often unsure where to begin. A practical first step is to establish an executive group drawn from the business, human resources, information and legal departments to carry out preliminary planning for the implementation.
Next, with the assistance of information security consultants and legal professionals, the company should conduct the overall inventory of personal information described above. This gives a clear picture of how personal information is actually collected, processed and used within the company, defines the individual processes, and establishes the basis for planning the management process. Where resources are limited, a company can apply the Pareto principle and concentrate roughly 80% of its resources on the handful of processes that present the highest personal information risk.
Furthermore, companies can start by conducting small-scale information security assessments, legal assessments and impact analyses on individual departments. This provides an opportunity to train the employees who will run personal information management within the company and to understand the risks the company may face. When the time is right, the company can then extend the implementation to a large or full scale based on actual circumstances.
Lastly, companies may also consider obtaining third-party certification of the personal information management process described above. Commonly seen examples are ISO 27001 (information security management) and BS 10012 (personal information management). Such a certification can help a company demonstrate, in the event of a future dispute, that it acted neither intentionally nor negligently; it is evidence of a functioning management system rather than a guarantee against liability. Obtaining certification increases costs, and the decision will depend on the company's available budget.
Terry T Y Chih
Partner
Formosan Brothers
Terry T Y Chih obtained his bachelor's degree from National Taiwan University and his LLM degree from the University of London. He is admitted to practice law in Taiwan and has worked at Formosan Brothers since 2000. Mr. Chih was retained as an advocate in a number of significant white-collar criminal cases, such as manipulations of stock price, false financial statements, insider trading, misappropriation of company assets, breach of fiduciary duty, extraordinary lending by banks, commissions of property insurances, corrupting practices in construction and false statements of construction costs, which drew much public attention. Mr. Chih also teaches at Ming Chuan University School of Law and at the Taiwan Construction Research Institute, as well as at Chinese Land Professional Training Centre, concerning criminal procedure. He has recently been invited by many companies to deliver speeches on the Personal Information Protection Act.