Regulation Concerning De-identification of Personal Data and Verification Standard (Taiwan)

Debby Yu

To cope with the open data and big data development of the government and in view of the concern about violation of personal privacy (Note 1) due to the fact that the data for big data analysis which the government intends to deregulate or conduct involve personal data, “de-identification” has become one of the solutions for mitigating the violation pursuant to the Personal Information Protection Act and the opinions reflected in the Fa-Lu-Zi-10303513040 Circular of November 7, 2014 from the Ministry of Justice (Note 2).  Currently, there are established national standards which serve as the standards and regulations for the verification of de-identification.

There are citizens who raised their opposition about the use of National Health Insurance data in 2012 out of the belief that the National Health Insurance Administration under the Ministry of Health and Welfare (hereinafter, the “NHIA”) had inappropriately provided the data in the database about all citizens which was set up by the NHIA to the National Health Research Institute for the creation of the National Health Insurance Research Database, for the creation of the Health and Wealth Data Science Center by the Ministry of Health and Wealth, and for use by other branch centers.  After the citizens issued legal attest letters to the NHIA to indicate their objection to the provision of the personal data collected by the NHIA to other agencies for use but were rejected by the NHIA, this matter had gone through administrative action until a final decision was rendered by the Supreme Administrative Court in January 2017.  The court held that macro data such as the physical, health, illness and medical treatment of all citizens in Taiwan are very important to the formulation of health policies and disease prevention and treatment.  Therefore, the processing of such data involves “major public interest purposes.”  With respect to the conflict between the privacy involved in personal data and the public interest for creating databases, the most efficient way to resolve such “conflict between public and private interests” is to “de-identify” personal data (Note 3).  This shows that court practices affirm that de-identification is an appropriate way to protect persona data.

However, whether the so-called “de-identification” should completely exclude the personal data of specific individuals to the extent that they cannot be identified simply for the privacy of personal data, the author believes that the samples obtained as a result of sampling should accurately represent the population in order to be valid.  If the means of de-identification is too drastic, the fulfillment of public interest may still be undermined.

In Germany, privacy verification mechanisms consist of third-party verification as well as internal audit by entities, supplemented by supervision of public agency.  With respect to the third-party verification mechanism, the inspection process requires joint evaluation by legal experts to ensure compliance with relevant laws and regulations.  In addition, if there are more than 10 people in an entity or organization who are in charge of or exposed to personal data, dedicated personnel should be set up to protect personal data pursuant to law.  However, if the main business of such entity is the circulation of personal data, dedicated personnel for personal data protection shall still be set up regardless of the number of people.  The dedicated personnel are responsible to supervise the correct usage of computers and computer programs to ensure that people with access to personal data can only process personal data within the purposes of use and to ensure that the owners of the data have the right to inquire about their data and to request their modification, blockage or deletion.  Meanwhile, such dedicated personnel are also responsible to cultivate data protection awareness of the employees.  Such mechanisms can also serve as an aspect of corporate governance to be fulfilled.  In addition, government authority supervision and audit have to be accommodated under certain circumstances, and those who pass the evaluation will be granted an inspection certificate (Note 4).

To align with international trends for protecting the privacy of personal data, the CNS29100 national standard known as “Information Technology – Security Technologies – Privacy Framework” and CNS29291 as”Information Technology – Security Technologies –Requirements for partially anonymous and partially unlinkable authentication”, which were respectively released in June 2014 and June 2015, serve as the current verification standards for de-identifying personal data.  The former applies to scenarios involving government open data and big data, including the following scenarios: provision of personally identifiable information (or “PII”, such as open data or big data which involve personal data) by government agencies to third parties (where the government agencies play the role of “PII controllers”) and the provision of personally identifiable information to third parties by government agencies or entities entrusted by government (where the government agencies play the role of “PII providers”).  The latter provides a framework for evaluating partial anonymity and partial unlinkability and sets up the requirements.  Currently, government agencies are taking the lead in piloting these standards with the Fiscal Information Agency, Ministry of Finance as the first agency to use the above standards in accommodation with the Electronics Testing Center of Taiwan pursuant to Personal Data De-identification Procedure Verification Requirements and Control Measures, which require an entity to formulate de-identification steps that meet specific requirements, including (1) privacy policy, (2) PII privacy risk control procedure, (3) PII privacy principles, (4) PII de-identification procedure, and (5) PII re-identification requirements.  The Fiscal Information Agency, Ministry of Finance obtained a verification certificate in November 2015.  It is expected that this will be promoted and applied to industries such as the finance industry and technology industry, which hold massive personal data from the people.

From data processing regulation under Articles 6 and 16 of the Personal Information Protection Act, concerning “the impossibility to identify specific individuals based on the manner of disclosure after data are processed by the providers or collectors,” to opinions such as “if personal data kept by a public agency are de-identified by leveraging technologies so that the way they are presented are no longer possible to directly or indirectly identify specific individuals, such data are not so-called personal data” as reflected in circulars released by the Ministry of Justice, this shows that de-identified personal data will not be subject to the Personal Information Protection Act.  Since the personal data of the public can be thoroughly protected, the practices in Germany may be referenced in the future to require, by way of legislation, private enterprises to set up dedicated personnel for handling personal data, coupled with timely supervision by government agencies.  However, currently verification is performed via the Electronics Testing Center of Taiwan, and the effective period of the inspection certificate is 3 years. Regarding the legal basis and whether the verification could be treated as a disclaimer to be exempted from judicial inspection or not, such as due to the intentionally or negligently leakages of personal data by the civil servants of the government agencies even it was verified, are the issues worthy to be watched and be further discussed.Electronics Testing Center of Taiwan, and the term of a verification certificate is three years.  Whether the legal basis for the establishment center is clear and whether an entity which processes personal data through such de-identification verification procedure can directly claim immunity on such basis and thus completely exclude examination in judicial practices, e.g, leakage of personal data willfully or negligently by civil servants when personal data are used by government agencies even if such verification has been performed (Note 5), are issues that merit subsequent observations and in-depth discussions.


Note 1: Judicial Interpretation No. 603 (excerpt): “Protecting human dignity and respecting free development of personality are core values of free and democratic constitutional order.  Although privacy is not a right specifically enumerated in the Constitution, still to safeguard human dignity, individuality and the integrity of personality development and to protect private domain of an individual’s personal life from being intruded by others as well as the autonomous control of personal data, privacy is thus an indispensable baisic right protected under Article 22 of the Constitution (Judicial Interpretation No. 585 for reference).  In particular, the information privacy of individuals concerning their ability to control their personal data protects the right of the citizens to decide if they will disclose their personal data and to what extent, when, by what means and to whom the disclosure will be made and safeguard the right of the citizens to learn about and control the use of their personal data and to correct errors in records.   However, constitutional protection of privacy is not absolute.  The state may impose appropriate restrictions through clear legal requirements within the scope of Article 23 of the Constitution.  」

Note 2: Gist of the Fa-Lu-Zi-10303513040 Circular of November 7, 2014 from the Ministry of Justice: “In reference to Articles 1, 2, 16 and 20 of the Personal Information Protection Act, if the personal data maintained by a government agency are de-identified through technologies so that the way they are presented can longer directly or indirectly identify specifical indivduals, such data are not so-called personal data.  When a government agency voluntarily releases or passively accepts requests from the citizens to provide the above government information, it will be sufficient to decide if such information will be released or provided in accordance with Article 18 of the Archives Law or Article 18 of the Freedom of Government Information Law, respectively, in addition to the consideration if there is any special legal restriction.  In addition, personal data that can directly or indirectly identify personal data shall always be kept confidential or prohibited from use.  Although the use of personal data by a government agency or non-government entity is basically limited to the scope of necessity with respect to the specific purposes of collection, use beyond specific purposes may be accepted for statutory reasons such as compliance with specific legal provisions or furtherance of public interest.”

Note 3: The 106-Pan-Zi-54 Decision of the Supreme Administrative Court

Note 4: Yung-chi Teng, Introduction of Privacy and Personal Data Protection and Brief Account of Development Trends in Europe and the US, The Financial Information Quarterly, Issue 62, June 9, 2011 (, Date of Last Review: November 29, 2017)

Note 5: Article 28 of the Personal Information Protection Act provides: “A government agency should be liable for damages and compensation caused by illegal collection, processing and us of personal data, or other ways of infringement on the rights of the party due to violation of this Law, provided that this shall not apply to damages caused by any natural disaster, incident or other force majeure (Paragraph 1). A proper amount of monetary compensation may be requested for damage not to properties. A proper disposition may be requested for infringement upon reputation to restore reputation (Paragraph 2).  The total amount of compensation for the damages referred to in the two preceding paragraphs shall be no less than NT$500 but no more than NT$20,000 for each incident per person in the cases where the victims in the two preceding paragraphs may not or cannot provide evidence for actual damage amount (Paragraph 3).  With regard to damages suffered by multiple parties for the same cause and fact, the total amount of compensation should not exceed NT$200 million, provided that if the benefits involved in such cause or fact exceed the amount in the preceding sentence, the amount of such benefits should be set as the limit (Paragraph 4).”  Article 41 of the Personal Information Protection Act provides: “Any person who, with the intention to acquire illegal profits for himself/herself or a third party, or to impair another person’s interest, violates Paragraph 1 of Article 6, Articles 15, 16, 17, 19, and Paragraph 1 of Article 20, or an order or disposition rendered by the central competent authority for specified business to restrict international transmission in accordance with Article 21 to an extent sufficient to injure other people shall be subject to imprisonment of up to five years or, a fine of up to NT$1,000,000, or both.”