針對衝擊及問題,在符合個資法及配合校方已實施資訊安全管理系統 (ISMS) 的條件下,採用 BS 10012 個人資料保護系統 (PIMS) 及PDCA管理循環的作法,本研究提出因應個資法衝擊之改善方案,並規劃個人資料保護系統的實施步驟,利用由上而下的改善方式,透過擴大校方原有的資訊安全制度,來完善個人資料保護的深度及廣度,降低校方誤觸個資法的風險,進而達到保障個人資料之目的。;The official announcement and implementation of the “Personal Information Protection Act” has propelled the privacy protection issue in Taiwan into a new era. Recently, frequent occurrence of information security leaks and data privacy violation events has awakened public awareness concerning this issue. Personal information leakage is likely to happen under circumstances without comprehensive information security protection mechanisms and personal information protection measures in place. Especially after the implementation of the “Personal Information Protection Act,” personal information leakage incidents will not only impact the image of the organization but also result in legal liabilities and severe damage compensation.
Having already acquired information security management ISO 27001 annual certification through a third party, University “S” is covered with a comprehensive information security protection base. However, the university is still faced with the impact of “Personal Information Protection Act” and the related requests from the Ministry of Education. It must further examine the existing information security system from the viewpoint of personal information protection to reduce the legal impact and strengthen security measures to protect personal information.
This study aims to provide a solution for the university facing such a problem. First, a review of relevant literature concerning the “Personal information Protection Act,” information security, and protection of personal information is conducted. Second, it seeks to understand the current status of the university through examining the information security measures and information assets. Third, it analyzes the legal impact and issues faced by the university in accordance with the “Personal Information Protection Act,” Personal Information Protection Act Enforcement Rules, and the use of personal information life cycle.
Finally, based on the Personal Information Protection Act and Information Security Management System (ISMS) implemented by the school, this study also adopts the BS 10012 Personal Information Management System (PIMS) and PDCA viewpoints, it proposes a set of actions in response to the impact of the Personal Information Protection Act. Detail implementation steps are also outlined. We adopt the top-down improvement method to improve personal information protection in depth and breadth, reduce the risk of violating Personal Information Protection Act, and achieve the purpose of protecting personal information by expanding the existing security system of the university.
