Personal Data Protection Act Article 27
Content
Enforcement Rules Article 12
"Proper security and maintenance measures", as referred to under subparagraphs 2 and 5 of the proviso to paragraph 1 of Article 6, "security and maintenance measures", as referred to under Article 18, and "proper security measures", as referred to under subparagraph 2, paragraph 1 of Article 19 and paragraph 1 of Article 27 of the PDPA, shall mean the technical or organizational measures taken by a government agency or non-government agency for the purpose of preventing personal data from being stolen, altered, damaged, destroyed or disclosed.
The measures prescribed in the preceding paragraph may include the following and shall be proportionate to the intended purposes of personal data protection:
1. allocating management personnel and reasonable resources;
2. defining the scope of personal data;
3. establishing a mechanism of risk assessment and management of personal data;
4. establishing a mechanism of preventing, giving notice of, and responding to a data breach;
5. establishing an internal control procedure for the collection, processing, and use of personal data;
6. managing data security and personnel;
7. promoting awareness, education and training;
8. managing facility security;
9. establishing an audit mechanism of data security;
10. keeping records, log files and relevant evidence; and
11. implementing integrated and persistent improvements on the security and maintenance of personal data.