Taiwan's Personal Information Protection Act was amended in 2010. Although the amendment was drafted with reference to international standards, Taiwan's regulations still differ from those standards, so an enterprise cannot claim that having passed an international standard means it also complies with Taiwan's Act. Furthermore, the Act requires "proper security measures" and authorizes the competent government authorities to interpret that term further, but to date the authorities have issued interpretations for only five industry sectors; most other enterprises still do not know how to comply with the "proper security measures" requirement.
This thesis therefore examines practical cases so that enterprises can meet the regulatory requirement for proper security measures. In addition, it recommends that enterprises determine their risk level and the corresponding protective measures. An enterprise should follow industry standards and apply risk-based security controls, adopting personal-data protection measures appropriate to the nature and volume of the personal data it collects, the harm that improper use or leakage could cause, and its own size, business model and industry environment.
This thesis studies issues in the standardization of information protection and security. Although Taiwan's Personal Information Protection Act was revised in 2010 and the revision was based on international standards, the present law in Taiwan still does not fully conform to those standards. Moreover, the Act requires "proper security measures" and gives the government authorities the power to explain the term; however, the authorities have issued explanations for only five types of industries, so most industries in Taiwan remain unaware of how to comply with the proper security measures requirement.
Therefore, this thesis studies proper security measures through practical cases. Besides, the thesis provides protection methods for separate risk levels and recommends that industries adopt proper security measures based on an analysis of the personal information held, business models, the risk of inappropriate use, the scope of the industry and the industrial environment, so that they can avoid the risk of adopting improper measures.