Regulations Governing Personal Information File Security Maintenance Plan and Processing Method for the Human Resources Recruitment Industry

2021-09-27
播放模式
手機睡眠
語音選擇
Chapter I General
Article 1
These regulations are established in accordance with Paragraph 3, Article 27 of the Personal Information Protection Act (hereinafter the "Act").
Article 2
These regulations are applicable to the human resources recruitment industry, meaning the following institutions:
1.Private employment services institutions with approval of establishment in accordance with Article 34 of the Employment Services Act.
2.Employment service agencies for people with disabilities with approval of establishment in accordance with Paragraph 3, Article 35 of the People with Disabilities Rights Protection Act.
Article 3
To implement the security maintenance and administration of personal information files and to protect personal information against theft, alteration, damage, loss or disclosure, the human resources recruitment industry should establish a personal information file security maintenance plan (hereinafter the "Plan").
The Plan shall include a processing method for personal information after termination of any business relationship.
The human resources recruitment industry should regularly review and amend the Plan in accordance with applicable legislation.
Chapter II Personal Information Protection Planning
Article 4
The human resources recruitment industry shall have dedicated staff or establish a dedicated organization to be responsible for personal information file security maintenance and administration and shall allocate commensurate resources.
The duties of the dedicated person or organization under the previous paragraph are as follows:
1.Establish personal information protection administration principles and make public announcements about the basis and specific purpose of its collection, processing and use of personal information and other protection related matters for the understanding of their staff.
2.Plan, establish, amend and execute the Plan.
3.Regularly provide basic knowledge promotion and professional educational training for their affiliated staff for them to understand the applicable legislations of personal information protection, the scope of responsibilities, administration measures and methods.
Article 5
Personal information protection administration principles established by the human resources recruitment industry shall include the following:
1.Compliance with personal information protection related legislation.
2.Reasonable and safe method for the collection, processing and use of personal information within the scope of specific purpose.
3.Techniques of reasonable security standards for the protection of personal information files that are collected, processed and used.
4.Contact the personnel for the exercise of personal information related rights by owners of information or for whom relevant complaints and consultations may be filed.
5.Emergency response procedure for handling events of theft, alteration, damage, loss or disclosure of personal information.
6.Mechanism for the supervision of subcontractors for the collection, processing and use of personal information.
7.Mechanism to ensure the security of personal information files and to maintain the operation of the Plan.
Article 6
The human resources recruitment industry shall verify personal information they hold in accordance with personal information protection related legislation, define the scope included in the Plan, establish files and regularly verify whether there are any changes.
Article 7
The human resources recruitment industry shall analyze the risks that may arise out of the collection, processing and use in accordance with the scope defined under the previous paragraph and establish proper control measures based on the results of such analysis.
Article 8
The human resources recruitment industry shall establish the following mechanisms in response to any event of theft, alteration, damage, loss or disclosure of personal information:
1. Adopt proper response measures to control the damage to the owners of the information created by the event.
2. Verity the situation of the event, inform the owner in a proper manner, including corresponding measures that have been adopted.
3. Review the prevention mechanism to prevent reoccurrence of a similar event.
When the incidents under the preceding paragraph occur, the human resources recruitment industry shall fill up the Notification Record sheet (as attached), and notify the municipal city government(s), or the county/city government(s) where the incident occurred and notify the Central Competent Authority. After the Central Competent Authority or the municipal city government(s), or the county/city government(s) received the notifications, with the power granted in Article 22 to Article 25 of this regulation, the mentioned authority is entitled to take appropriate supervisory and management measures.
  • Attached Form:Human ResourcesRecruitment Industry Notification Record Form.pdf
Chapter III Personal Information Administration Procedure
Article 9
The human resources recruitment industry shall ensure compliance with applicable legislation before the collection, processing and use of personal information provided under Paragraph 1, Article 6 of the Act.
Article 10
The human resources recruitment industry shall establish the following procedure with regard to the obligation of notification in accordance with Articles 8 and 9 of the Act:
1.Adopt a proper notification method based on the situation of information collection.
2.Confirm the reasons based on which the owner does not need to be notified.
Article 11
The human resources recruitment industry shall establish the following procedure with regard to the collection, processing or use of personal information other than the information provided under Paragraph 1, Article 6:
1.Confirm the specific purpose and legal conditions for the collection and processing of personal information.
2.Ensure that the use of personal information is within the necessary scope of the specific purpose. For any use of personal information outside the specific purpose, verify whether the conditions for use outside the legally defined specific purpose are met.
Article 12
The human resources recruitment industry shall establish the following supervisory procedure if the collection, processing or use of personal information is subcontracted in whole or in part:
1.Confirm the scope, type, specific purpose and period for the subcontracted collection, processing and use of personal information.
2.Ensure that the subcontractor adopts necessary security measures.
3.In case of further subcontracting, verify the identity of the second-level subcontractor.
4.If the subcontractor or its employee breaches any personal information protection legislation or the subcontracting agreement, require the subcontractor to inform the principal of the relevant measures and adopt remedy measures.
5.If the principal has any other instructions to the subcontractors, such instructions must be considered.
6.Upon termination or cancellation of the subcontracting relationship, must request the subcontractor to return the media in which personal information is stored and destroy or delete personal information stored and held by the subcontractor.
7.Ensure that the subcontractor performs the requirements under subparagraphs 1 to 6.
Article 13
The human resources recruitment industry shall establish the following procedure if personal information is used for marketing purposes:
1.Upon the initial marketing, the owners of information shall be provided with a method of refusing the marketing, with the necessary cost paid by the human resources recruitment industry.
2.When the owner refuses to receive marketing, immediately stop using the owner's personal information for marketing purposes and inform the relevant staff.
Article 14
The human resources recruitment industry shall verify whether any restriction is imposed by the central industry competent authority in accordance with Article 21 of the Act before international transmission of personal information.
Article 15
The human resources recruitment industry shall establish the following procedure when the information owner exercises the rights with regard to its personal information under Article 3 of the Act:
1.Verify that the person is the owner of the personal information.
2.Provide the owner with a method to exercise its rights and proceed within the deadline required under Article 13 of the Act.
3.Verify whether there is any reason to refuse the owner's exercise of its rights under Articles 10 and 11 of the Act and inform the owner of such reason.
4.Inform the fees to be charged.
Article 16
The human resources recruitment industry shall establish the following procedure to maintain correct personal information:
1.Verify whether there is any mistake in the collection, processing or use of personal information.
2.Regularly review the information and make correction or supplement if any mistake discovered. If the correction or supplement is not made, inform the persons who have used the information after correction or supplement.
3.In case of any dispute, establish a relevant procedure for the processing and use of disputed information in accordance with Paragraph 2, Article 11 of the Act.
Article 17
The human resources recruitment industry shall regularly verify whether the specific purpose for the personal information it possesses has ceased to exist or whether the period has expired.
If the specific purpose for the personal information has ceased to exist or if the period has expired, Paragraph 3, Article 11 of the Act shall be applicable.
Chapter IV Personal Information Administration Measures
Article 18
The human resources recruitment industry shall adopt the following measures for staff administration:
1.Confirm the persons responsible for all relevant procedures for the collection, processing and use of personal information.
2.Establish an administration mechanism as required by the procedure and assign different authorities to the relevant staff. Regularly verify whether such authorities are proper and necessary.
3.Agree on confidentiality obligations with the affiliated staff.
4.Cancel the identification code of affiliated staff after their departure and take back the access badge (card) and relevant authorizations.
5.If relevant staff possesses personal information, upon departure of the staff, the staff must return the media on which personal information is stored and destroy or delete personal information stored.
Article 19
The human resources recruitment industry shall adopt the following measures with regard to information security administration in the collection, processing or use of personal information:
1. Establish procedure guidelines.
2. In using computerized equipment, establish regulations regarding the use of mobile devices or storage media.
3. If personal information is maintained and must be encrypted or shielding, adopt proper encryption or shielding mechanism.
4. In transmitting personal information, if encryption is required under different transmission methods, adopt a proper encryption mechanism and ensure the correctness of the recipient of information.
5. Evaluate the necessity of backup based on the importance of information maintained and create backups and encryption thereon in the same manner as the originals. Maintain the media in which backup information is stored in a proper manner and regularly perform reverse testing to confirm effectiveness.
6. When the media in which personal information is stored is to be disposed of or used for another purpose, duly destroy or delete the information stored in the media in a physical or other manner.
7. Properly maintain the passcodes used in the administration mechanism and encryption mechanism.
Article 20
The human resources recruitment industry shall adopt the following measures with regard to equipment security administration:
1.Implement necessary access control methods depending on the procedure.
2.Property maintains the media in which personal information is stored.
3.Reinforce protection against natural disaster and other accidents in accordance with different work environments and establish necessary disaster prevention equipment.
Article 21
The human resources recruitment industry shall adopt the following measures in relation to technology administration:
1.Configure a certification mechanism on computers, automatic processing equipment or systems and perform identification and control of authorized staff with access to personal information.
2.The account name and password used under the certification mechanism must have a certain degree of complexity and passwords must be changed regularly.
3.Configure an alarm and relevant response mechanism on computers, automatic processing equipment or systems to react and handle anomalous access properly.
4.The quantity and scope of authority to access personal information shall be determined as required for the procedure. Access authority cannot be shared.
5.Use firewalls or intrusion detection equipment to avoid unauthorized access to the system that stores personal information.
6.In using application programs that access personal information, ensure that the user has authorization to use them.
7.Regularly test the effectiveness of the authority certification mechanism.
8.Regularly inspect configuration of authority to access personal information.
9.Install anti-virus, anti-hacking software in the computer system that processes personal information and regularly update virus codes.
10.Regularly install patches for loopholes in the computer processing system and relevant application programs.
11.File sharing software shall not be installed in any computer or automatic processing equipment with access authority.
12.In testing information systems that process personal information, do not use real personal information. If real personal information is used, specify a procedure of use.
13.In case of any change to the information system that processes personal information, ensure that the level of security is not lowered.
14.Regularly inspect the use status of personal information system and the access to personal information.
Chapter V Personal Information Processing Method after Termination of Business
Article 22
The human resources recruitment industry shall adopt the following measures for the processing of personal information after termination of business:
1.Delete or destroy the information stored in the media in which personal information is stored, record and maintain the method, time, location of deletion or destruction and the method proving the deletion or destruction.
2.The assignee may legally maintain such personal information, record and maintain the reason, method, time and location of assignment.
Chapter VI Record Mechanism
Article 23
The human resources recruitment industry shall maintain the following records in executing the procedures and measures under the Plan:
1.Actions undertaken in response to the occurrence of the event.
2.Requirements of the principal that are executed by the subcontractor.
3.The rights that the information owners are allowed to exercise.
4.Maintenance and correction of personal information.
5.Change of authority of relevant staff.
6.Act of relevant staff in violation of authority.
7.Backup and testing of reversion.
8.Delivery and transmission of personal information.
9.Deletion, destruction or assignment of personal information.
10.System for storage of personal information.
11.Regular inspection on information system that processes personal information.
12.Educational training.
13.Execution of audit on the Plan and improvement measures.
Chapter VII Miscellaneous
Article 24
The human resources recruitment industry shall regularly inspect the execution status of the Plan and establish improvement measures for failure of due execution.
Article 25
These Regulations are implemented from their date of promulgation.