These regulations are established in accordance with Article 27, Paragraph 3 of the Personal Data Protection Act (hereinafter referred to as the Act).
As used in these regulations, the competent authority shall refer to the Ministry of Education at the central level; the municipal government in special municipalities; and the county (city) government at the county (city) level.
The terms used in these regulations are defined as follows:
- 1. Responsible Personnel: Refers to personnel appointed or designated by the head of the private children's after-school care center (hereinafter referred to as the care center) who are responsible for supervising the establishment and execution of the security maintenance plan.
- 2. Auditors: Refers to personnel designated by the head of the care center responsible for evaluating the implementation and effectiveness of the security maintenance plan.
- 3. Affiliated Personnel: Refers to personnel who must access personal data during the execution of the care center’s business, including both regular and irregular contracted personnel and assigned staff.
The responsible personnel and auditors shall not be the same individual.
The care center shall establish a security maintenance plan according to these regulations to ensure the safety and management of personal data files, preventing data theft, tampering, damage, loss, or leakage.
When establishing the security maintenance plan, the care center shall consider its scale, characteristics, the nature and quantity of personal data retained, and other relevant matters to formulate appropriate safety maintenance measures.
The plan shall include methods for handling personal data after business termination and other related personal data management matters.
The care center shall complete the establishment of the security maintenance plan within six months after the implementation of these regulations.
The care center shall keep the established security maintenance plan on file for inspection; the competent authority at the municipal or county (city) level may dispatch personnel for inspection.
The care center shall designate responsible personnel to plan, establish, revise, and execute the security maintenance plan, to handle personal data after business termination and other related matters, and to report regularly to the head.
The care center shall confirm the specific purposes for collecting personal data and, based on the necessity of these purposes, define the categories or scope of personal data collected, processed, and used, and shall regularly check the status of retained personal data.
If, upon regular review, the care center finds personal data that falls outside the scope necessary for the specific purposes, or finds that the specific purpose no longer exists or the retention period has expired and there is no further need to retain the data, it shall delete or destroy the data, or take other appropriate action to stop collecting, processing, or using it.
When collecting personal data, the care center shall review whether it conforms to the categories and scope defined in the previous article.
When transmitting personal data, the care center shall take necessary protective measures to avoid leakage.
The care center shall analyze and evaluate potential risks based on the defined scope of personal data and the processes for collection, processing, and use, and establish appropriate control measures.
When collecting personal data, the care center shall comply with the notification obligations stipulated in Articles 8 and 9 of the Act and distinguish between direct and indirect collection of personal data, establishing separate notification methods, content, and precautions, requiring affiliated personnel to implement them properly.
When using personal data for publicity, promotion, or marketing under Article 20, Paragraph 1 of the Act, the care center shall clearly inform the parties concerned of the registered name of the care center and the source of the personal data.
When using personal data for publicity, promotion, or marketing for the first time, the care center shall provide the party or their legal representative with a means of refusing such publicity, promotion, or marketing, and shall bear the costs involved; if the party or their legal representative expresses a refusal, the care center shall immediately stop using their personal data for publicity, promotion, or marketing, and shall inform its personnel accordingly.
If the care center entrusts others to collect, process, or use all or part of the personal data, it shall supervise the entrusted party appropriately in accordance with Article 8 of the Enforcement Rules of the Act and explicitly agree on related supervisory matters and methods.
When a party or their legal representative exercises the rights stipulated in Article 3 of the Act, the care center may process as follows:
- 1. Provide a contact window and contact information.
- 2. Confirm whether the request is made by the data subject or their legal representative, or by someone authorized by them.
- 3. Where there are grounds under Article 10, Item 1, or Article 11, Item 2 or Item 3 of the Act to refuse the request of the party or their legal representative, notify the party or their legal representative of the refusal and its reasons.
- 4. Inform whether any necessary cost fees will be charged and the basis for charging, while complying with the processing deadline stipulated in Article 13 of the Act.
The care center shall establish a response mechanism to handle incidents of personal data theft, leakage, tampering, or other infringements swiftly to protect the rights of the parties involved.
The response mechanism shall include the following:
- 1. Taking appropriate measures to control the damage caused by the incident to the parties involved.
- 2. Investigating the cause of the incident and the extent of the damage, notifying the parties involved or their legal representatives in an appropriate manner, and reporting to the competent authority of the municipality or county (city).
- 3. Considering improvement measures to prevent the incident from recurring.
The notification procedures and document formats for subparagraph 2 of the preceding paragraph shall be determined by the competent authority of the municipality or county (city).
The care center shall report an incident described in the preceding paragraph to the competent authority within three days of its occurrence, and shall, within one month after the handling of the incident has concluded, report the handling methods and results for the record.
The care center shall implement necessary security equipment and protective measures for the personal data files it holds.
These security measures or protective measures shall include:
- 1. Security protection facilities and management procedures for paper data files.
- 2. Computers or automated machines where electronic data files are stored, equipped with security protection systems or encryption mechanisms.
- 3. Establishing procedures for the destruction of paper data; when computers, automated machines, or other storage media need to be scrapped or repurposed, appropriate measures shall be taken to prevent leakage of personal data.
To effectively protect the security of personal data, the care center shall take the following measures for its affiliated personnel:
- 1. Establish management mechanisms based on operational needs, setting different permissions for affiliated personnel to control their access to personal data, and regularly confirming the appropriateness and necessity of permission contents.
- 2. Review the nature of related operations, regulating the responsibilities of personnel for collecting, processing, utilizing personal data, and other related processes.
- 3. Require affiliated personnel to properly safeguard the storage media of personal data and agree to custodial and confidentiality obligations.
- 4. Upon leaving, revoke the identifiers of departing personnel and require them to hand over any personal data (including paper and storage media) held for business execution, which must not be taken away for use, and have them sign a confidentiality agreement.
The care center shall establish a mechanism for auditing the safety maintenance of personal data files, regularly or irregularly checking the implementation of the security maintenance plan and reporting the results to the head.
The care center shall adopt appropriate measures to retain records of the use of personal data, the activity logs (trail data) of automated equipment, and other relevant evidence, so that it can demonstrate the implementation of the established security maintenance plan when necessary.
The care center shall comply with the provisions of Articles 19 and 20 of the Act regarding the collection, processing, and use of personal data, and shall provide regular or irregular training or awareness-raising to its affiliated personnel, ensuring they understand the relevant legal regulations on personal data protection, scope of responsibilities, operational procedures, and related measures to be complied with.
After the termination of its business, the care center shall handle the personal data it retains in one of the following ways and shall record the following particulars:
- 1. Destruction: Methods, time, place, and proof of destruction.
- 2. Transfer: Reasons, recipients, methods, time, place, and legal basis for the recipients to retain the personal data.
- 3. Other deletion, stopping processing, or using personal data: Methods, time, or place of deletion or stopping processing or use.
The records mentioned in the preceding paragraph shall be retained for at least five years.
The care center shall review the appropriateness of the established security maintenance plan based on the execution status, technological developments, and legislative amendments, and shall revise it as necessary.
These regulations shall take effect from the date of publication.