The Ministry of the Interior Prescribed Regulations Governing the Security Maintenance of Personal Data by Nine Designated Categories (such as Construction) of Non-government Agencies. The Obligation to Report Major Incidents Within 72 Hours and Enhanced Information Security Measures are Specifically Prescribed

January 2022

Sally Yang

In view of frequent personal data leakage incidents in recent years and to carry out personal data protection and prevent the rights and interests of the people from being impaired by the leakage or theft of personal data, the Ministry of the Interior prescribed the regulations governing the security maintenance of personal data files by nine designated categories of non-government agencies (hereinafter, the “Personal Data Maintenance Regulations” or the “Regulations”) on November 29, 2021 pursuant to the authorization under the Personal Data Protection Act.  Except for the Personal Data Maintenance Regulations for non-government agencies related to police administration, which were promulgated on November 3, 2021, the remainder of the Personal Data Maintenance Regulations were all promulgated on November 30, 2021.

I. The Regulations prescribed by the Ministry of the Interior this time cover nine designated categories of non-government agencies, such as construction, land administration, and police administration.

There are nine categories of non-government agencies designated by the Ministry of the Interior for the Regulations this time, including “police administration,” “construction,” “land administration,” “immigration service agencies,” “cooperatives and civil associations,” “religious organizations,” “political parties and national foundations of civil affairs,” “ritual organizations,” and “funeral services.”

Since the Regulations have clearly stipulated the specific scope of all kinds of non-government agencies, the definitions of the “police administration,” “construction,” “land administration” and “religious organization” categories are summarized below:

| No. | Category of Non-government Agency | Definition of Non-government Agency |
| --- | --- | --- |
| 1 | Construction | 1. Construction business; 2. Real estate development business (note: this refers to the business of real estate investment and construction involving land, buildings, etc.); 3. Architectural firms; 4. Apartment and condominium management and maintenance companies; 5. Foundations engaging in the urban renewal business; 6. Other business announced and designated by the central competent authority |
| 2 | Land administration | 1. Real estate brokerage business; 2. Rental housing service business; 3. Real estate appraiser firms; 4. Land administration agent office; 5. Other business announced and designated by the central competent authority |
| 3 | Police administration | 1. Security business; 2. Pawnshop business; 3. Guns, ammunition, and knives business; 4. Other business announced and designated by the central competent authority |
| 4 | Religious organization | Temples or religious foundations that have completed temple registration |

II. The Regulations apply to non-government agencies that “had been established” before the Regulations were promulgated, and the recordation application shall be filed within six months.

The Personal Data Maintenance Regulations prescribed by the Ministry of the Interior this time specifically provide that non-government agencies established or licensed to operate before the promulgation of the Regulations shall prepare their security maintenance plan for personal data files and the method for processing personal data after their business is terminated within six months upon the promulgation date of the Regulations and submit the same to the competent authority for recordation.

In the case of a newly established non-government agency, its obligation to file its related plan for recordation shall be fulfilled within six months upon establishment or approval of its operation.

III. A report shall be filed with the competent authority within 72 hours upon occurrence of a material personal data incident involving a minimum of a specific number of entries.

Under the Personal Data Maintenance Regulations prescribed by the Ministry of the Interior this time, each personal data incident involving a minimum of a specific number of entries that a non-government agency encounters shall be reported to the competent authority in local municipalities under the direct jurisdiction of the Executive Yuan, counties, or cities within “72” hours upon discovery in the format required under the Personal Data Incident Report and Record Form with a copy to the central competent authority.

The thresholds for reporting personal data incidents by a non-government agency based on different categories can be summarized below:

| Reporting Threshold for Personal Data Incidents | Category |
| --- | --- |
| Over 150 entries | Immigration service agencies |
| Over 500 entries | Ritual organizations |
| Over 1,000 entries | Construction, land administration, funeral services, political parties and national foundations of civil affairs, and cooperatives and civil associations |
| Over 5,000 entries | Police administration and religious groups |

IV. Information security measures additionally required for databases holding personal data above a certain amount

The Personal Data Maintenance Regulations formulated by the Ministry of the Interior also require non-government agencies that use information and communications systems to collect, process, or use personal data above a certain amount to adopt the following information security measures (the measures set forth in Subparagraphs 5 and 6 should be regularly practiced and reviewed for improvement):

1. User identity confirmation and protection mechanisms

2. Code injection concerning the display of personal data

3. A security mechanism for network transmission

4. Access control and protection monitoring measures for personal data files and databases

5. Countermeasures for external network intrusion

6. Monitoring and coping mechanisms for illegal or abnormal use

The thresholds for the mandatory information security measures, based on the amount of personal data held, are summarized below for the different categories:

| Threshold for Required Information Security Measures Based on the Amount of Personal Data in the Database | Category |
| --- | --- |
| Over 1,000 entries | Immigration service agencies |
| Over 3,000 entries | Ritual organizations |
| Over 5,000 entries | Police administration, construction, cooperatives and civil associations |
| Over 10,000 entries | Land administration, religious groups, funeral services, and political parties and national foundations of civil affairs |

V. Obligation to retain records concerning the inspection and audit of personal data security maintenance and the status of personal data usage

Pursuant to the Regulations, a non-government agency shall establish an audit mechanism for the security maintenance of personal data and designate appropriate personnel to inspect the implementation status of the plan and its processing method, and the results of the inspection shall be reported to the responsible person with relevant records retained for at least five years.

In addition, for all kinds of personal data protection mechanisms, procedures, and measures established by a non-government agency in implementing the plan and its processing method, the usage status of the personal data shall be recorded with audit trails or relevant evidence retained. Except as otherwise stipulated under laws and regulations or otherwise agreed under a contract, the audit trails and relevant records shall be retained for a minimum of five years.

VI. Penalties

If a non-government agency fails to prepare a security maintenance plan for personal data files or the method for processing personal data after the termination of its business, the central competent authority for specified business or the government of a municipality under the direct jurisdiction of the Executive Yuan or of a county or city will demand rectification within a specified period in accordance with Article 48, Subparagraph 4 of the Personal Data Protection Act, and if the rectification is not made within the period, a penalty of NT$20,000 to NT$200,000 will be imposed each time.