Regulations for the Security and the Maintenance of Personal Information Files in Wholesaling and Retailing Western Pharmaceuticals
2022-01-21
手機睡眠
語音選擇
Article 1
These Regulations are promulgated in accordance with Article 27, Paragraph 3 the Personal Information Protection Act (hereinafter “the Act”).
Article 2
For purposes of these Regulations, the term "competent authority" shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
Article 3
The terms used herein are defined as follows:
I. Western pharmaceutical wholesalers or retailers: A pharmaceutical firm approved for registration in accordance with Article 27, Paragraph 1 of the Pharmaceutical Affairs Act, whose equity capital exceeding NT$30 million, and whose recruitment of members or obtains personal information of trading counterparts.
II. Responsible person: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as "Security and Maintenance Plan(s)").
III. Subordinate: Personnel of western pharmaceutical wholesalers or retailers that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
I. Western pharmaceutical wholesalers or retailers: A pharmaceutical firm approved for registration in accordance with Article 27, Paragraph 1 of the Pharmaceutical Affairs Act, whose equity capital exceeding NT$30 million, and whose recruitment of members or obtains personal information of trading counterparts.
II. Responsible person: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as "Security and Maintenance Plan(s)").
III. Subordinate: Personnel of western pharmaceutical wholesalers or retailers that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Article 4
Western pharmaceutical wholesalers or retailers shall establish the Security and Maintenance Plans specifying the following matters in accordance with the Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files and relevant evidence.
VIII. The measures for processing personal information after termination of any business relationship.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files and relevant evidence.
VIII. The measures for processing personal information after termination of any business relationship.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Article 5
Western pharmaceutical wholesalers or retailers shall make reasonable distribution of operational resources by planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business, and include these measures in the Security and Maintenance Plans for ensuring the security maintenance and management of personal information and preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
Article 6
Western pharmaceutical wholesalers or retailers shall establish a Security and Maintenance Plan within six months after these Regulations take effect.
Western pharmaceutical wholesalers or retailers shall retain the Security and Maintenance Plan in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plan.
Western pharmaceutical wholesalers or retailers shall retain the Security and Maintenance Plan in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plan.
Article 7
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plan, the measures for processing personal information after termination of any business relationship and related matters. The responsible person shall periodically submit a report to western pharmaceutical wholesalers or retailers.
Article 8
Western pharmaceutical wholesalers or retailers shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in Article 4, Subparagraph 1, as well as the scope and items of personal information in Subparagraph 2.
If western pharmaceutical wholesalers or retailers find personal information that is not within the necessary scope for the specific purpose or the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then the said information shall be deleted, destroyed, discontinued to collect, process or use, or handled by other appropriate measures.
If western pharmaceutical wholesalers or retailers find personal information that is not within the necessary scope for the specific purpose or the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then the said information shall be deleted, destroyed, discontinued to collect, process or use, or handled by other appropriate measures.
Article 9
Western pharmaceutical wholesalers or retailers shall comply with the category and scope specified in Paragraph 1 of the preceding article while collecting personal information.
Western pharmaceutical wholesalers or retailers shall take necessary protection measures to prevent information leakage while transferring personal information.
Western pharmaceutical wholesalers or retailers shall take necessary protection measures to prevent information leakage while transferring personal information.
Article 10
Western pharmaceutical wholesalers or retailers shall comply with the obligation of notification specified in Articles 8 and 9 of the Act when collecting personal information; they shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require subordinates to comply.
Article 10-1
Western pharmaceutical wholesalers or retailers shall survey whether they are restricted by the central competent authority prior to transferring any personal data internationally, and shall inform the information owner of the country or region they intend to transfer the data to.
Article 11
Western pharmaceutical wholesalers or retailers shall inform the information owner of the western pharmaceutical wholesaler or retailer's registered name and the source of personal information, while using personal information for promotion or marketing in accordance with Article 20, Paragraph 1 of the Act.
Western pharmaceutical wholesalers or retailers shall provide the information owners or their statutory agents with methods of expressing refusal to accept such promotion or marketing, and shall pay necessary expenses, while using personal information for promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive promotion or marketing, western pharmaceutical wholesalers or retailers shall stop using the owner's personal information immediately and inform subordinates.
Western pharmaceutical wholesalers or retailers shall provide the information owners or their statutory agents with methods of expressing refusal to accept such promotion or marketing, and shall pay necessary expenses, while using personal information for promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive promotion or marketing, western pharmaceutical wholesalers or retailers shall stop using the owner's personal information immediately and inform subordinates.
Article 12
Western pharmaceutical wholesalers or retailers shall conduct proper supervision on the commissioned party in accordance with Article 8 of the Enforcement Rules of the Act, and shall set clear contractual requirements in the contract or related documents, while commissioning a third party to collect, process, or use all or a part of personal information.
Article 13
Western pharmaceutical wholesalers or retailers shall adopt the following actions to provide the information owners or their statutory agents with the means to exercise the rights prescribed in Article 3 of the Act:
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
Article 14
The mechanisms of preventing, reporting, and responding established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 4 shall include the following matters:
I. Take appropriate measures to control the damage to the parties concerned due to the incident , and report to the municipal or county/city competent authorities and the central competent authority within 72 hours from the discovery of the incident.
II. Investigate the cause of the incident and damages, and notify the information owners or statutory agents.
III. Review the deficiency and establish the prevention and improvement measures to prevent the incident from occurring again.
When personal information is stolen, disclosed, altered, or otherwise infringed occur, western pharmaceutical wholesalers or retailers shall rapidly handle the incident according to the mechanisms of preventing, reporting, and responding in the preceding paragraph to protect the rights and interests of the personal information owners.
In the event of any incident specified in the preceding paragraph, the competent authority may conduct any other routine inspections on western pharmaceutical wholesalers or retailers in accordance with the provisions in Article 22, Paragraph 1 of the Act, ordering relevant personnel to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents, and perform any follow-up actions depending on the inspection results.
The format of the reporting form stipulated in Paragraph 1, Subparagraph 1 is shown in the Attached Schedule.
I. Take appropriate measures to control the damage to the parties concerned due to the incident , and report to the municipal or county/city competent authorities and the central competent authority within 72 hours from the discovery of the incident.
II. Investigate the cause of the incident and damages, and notify the information owners or statutory agents.
III. Review the deficiency and establish the prevention and improvement measures to prevent the incident from occurring again.
When personal information is stolen, disclosed, altered, or otherwise infringed occur, western pharmaceutical wholesalers or retailers shall rapidly handle the incident according to the mechanisms of preventing, reporting, and responding in the preceding paragraph to protect the rights and interests of the personal information owners.
In the event of any incident specified in the preceding paragraph, the competent authority may conduct any other routine inspections on western pharmaceutical wholesalers or retailers in accordance with the provisions in Article 22, Paragraph 1 of the Act, ordering relevant personnel to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents, and perform any follow-up actions depending on the inspection results.
The format of the reporting form stipulated in Paragraph 1, Subparagraph 1 is shown in the Attached Schedule.
- Attached Schedule Record Form for Incident Infringing Personal Information.pdf
- Attached Schedule Record Form for Incident Infringing Personal Information.doc
Article 15
The management measures of facility security established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 5 shall include the following matters:
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Procedures for destroying paper documents and electronic files. Suitable measures for preventing personal information disclosed shall be adopted when computers, automated machines, or other storage media is to be discarded, replaced, or used for other purposes.
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Procedures for destroying paper documents and electronic files. Suitable measures for preventing personal information disclosed shall be adopted when computers, automated machines, or other storage media is to be discarded, replaced, or used for other purposes.
Article 16
The management measures of information security and personnel established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 3 shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after the termination of employment. The subordinates are required to hand over the personal information documents and data obtained from work, and they may not take or use them after termination of employment.
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after the termination of employment. The subordinates are required to hand over the personal information documents and data obtained from work, and they may not take or use them after termination of employment.
Article 16-1
The e-commerce service systems provided by western pharmaceutical wholesalers or retailers shall adopt the following information security measures:
I. User identity verification and protection mechanism.
II. The hidden code mechanism for the display of personal data.
III. Security encryption mechanism for Internet transmission.
IV. Access control and protection monitoring measures for personal data files and databases.
V. Preventive measures against external network intrusion.
VI. Monitoring and response mechanisms for illegal or unusual use of the system.
The term “e-commerce” stipulated in the preceding paragraph refers to the advertising, marketing, supply, purchasing, delivery or other commercial transaction activities of goods or services via the internet.
The measures stipulated in Subparagraph 5 and the mechanism specified in Subparagraph 6 of Paragraph 1 shall have regular drills and reviewed for improvement.
The provisions of the preceding three Subparagraphs shall come into force three months after the revision and promulgation of these Regulations on January 21, 2022.
I. User identity verification and protection mechanism.
II. The hidden code mechanism for the display of personal data.
III. Security encryption mechanism for Internet transmission.
IV. Access control and protection monitoring measures for personal data files and databases.
V. Preventive measures against external network intrusion.
VI. Monitoring and response mechanisms for illegal or unusual use of the system.
The term “e-commerce” stipulated in the preceding paragraph refers to the advertising, marketing, supply, purchasing, delivery or other commercial transaction activities of goods or services via the internet.
The measures stipulated in Subparagraph 5 and the mechanism specified in Subparagraph 6 of Paragraph 1 shall have regular drills and reviewed for improvement.
The provisions of the preceding three Subparagraphs shall come into force three months after the revision and promulgation of these Regulations on January 21, 2022.
Article 17
Auditors shall regularly or irregularly audit the implementation status and results of the Security and Maintenance Plan in accordance with Article 4, Subparagraph 6, and report audit results to western pharmaceutical wholesalers or retailers.
Article 18
The preservation measures of use records, log files, and relevant evidence established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 7 shall include the following matters:
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
Article 19
The disposal measures for personal information after termination of business established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 8 shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Delete or discontinue to process or use: Method, time, or place.
The measure in the preceding paragraph shall be documented, and retained for at least five years.
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Delete or discontinue to process or use: Method, time, or place.
The measure in the preceding paragraph shall be documented, and retained for at least five years.
Article 20
Western pharmaceuticals wholesalers or retailers shall take into account the implementation status of Security and Maintenance Plans, technological developments, amendments of laws, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Article 4, Subparagraph 9. Western pharmaceuticals wholesalers or retailers shall examine the appropriateness of Security and Maintenance Plans regularly and revise the plans when necessary.
Article 21
Unless otherwise specified, these Regulations shall come into force as from the date of promulgation.