Personal Data Protection Policy
I. Purpose
To comply with the Personal Data Protection Act (the "PDPA"), and to ensure that personal data is collected, processed, and used reasonably in all activities within National Tsing Hua University (NTHU), NTHU hereby sets forth the Personal Data Protection Policy (the "Policy").
II. Legal Grounds
- The PDPA
- The Enforcement Rules of the PDPA
- The specific purpose and the classification of personal information of the PDPA
- The Guidelines for NTHU's Personal Data Protection Management
III. Applicable Scope
Activities relating to personal data in connection with NTHU's daily operations and business execution.
The "personal data" prescribed under the Policy refers to a natural person's name, date of birth, national ID card number, passport number, appearance, fingerprints, marital status, family background, educational background, occupation, medical records, healthcare data, genetic data, sex life, health examination, criminal records, contact, financial conditions, social activities and any other information that may be used to directly or indirectly identify a natural person.
IV. Enforcement Directions
- Each security management guideline shall be aligned with the relevant governmental regulations.
- Prior to the collection, processing and use of personal data, the Policy or the right to privacy shall be publicly announced, and the relevant approvals and amendments shall be recorded. Please refer to the "Privacy Policy Statement" for the details of the announcement of privacy rights.
- To ensure the implementation of the Policy and the allocation of adequate resources, the Information Security and Personal Data Management Committee (the "Committee") shall be set up to be in charge of the establishment and management of the personal data protection system. To ensure the overall continuous improvement of personal data security maintenance, the Committee shall in principle meet once every academic year, and a special meeting may be held when necessary.
- The level of personal data security protection required of internal and external interested parties, and of the organizations to which these interested parties belong, shall be identified, as shall the duties and responsibilities of the staff.
- A list of processed personal data (e.g., a file list of the personal data) shall be maintained, and a personal data risk assessment and management mechanism shall be established.
- Regulations on the management of information security and personnel, and on the prevention, notification and response mechanisms of personal data breaches shall be established.
- A data security audit and a storage mechanism for necessary usage records, log files and evidence shall be established in order to subsequently prove that the fiduciary duty has been performed.
- Personal data security awareness shall be regularly promoted to the school personnel, and proper education training shall be provided to the personal data management coordinator in each unit of NTHU for the purpose of disseminating the Policy and relevant regulations.
- An internal personal data audit plan shall be formulated regularly in order to examine NTHU's personal data protection situation. In addition, rectification measures shall be formulated and implemented in accordance with the internal audit report.
- Personal data shall be processed impartially and legitimately within the necessary scope to achieve legitimate purposes, conduct statutory duties and perform statutory obligations.
- Minimum and necessary personal data shall be collected for legitimate purposes, and the processing of relevant and appropriate personal data shall not exceed the purpose of collection.
- The correctness and security of personal data shall be maintained, and personal data shall be corrected or supplemented on NTHU's own initiative or at the request of the data subjects.
- Subject to the exemptions from the notification obligations under Article 8 or 9 of the PDPA, at the time of collection of personal data (direct collection) or prior to the use of personal data for the first time (indirect collection), NTHU shall explicitly inform the data subjects of how NTHU will process or use their personal data, and shall respect the relevant rights of the data subjects over their personal data, including their right to access their personal data.
- The personal data retained by NTHU shall only be used in the territory of Taiwan, Penghu, Kinmen and Matsu. Should the transfer of personal data out of said territory be necessary, prior consent from the data subjects shall be obtained, if required, and the transfer shall be conducted under proper and adequate protection.
- When NTHU engages an agency for the collection, processing and use of personal data, NTHU shall properly supervise the agency, set forth the agency's responsibilities for personal data security protection and confidentiality, and incorporate such responsibilities and regulations into the agreement in order to require the agency to abide by them and to enable periodic checks.
V. Announcement and Implementation
The Policy shall be reviewed at least once a year, and records shall be kept of any changes in business, technology development, and risk assessment. In addition, the effectiveness and adequacy of the Policy shall be continuously improved to comply with laws and regulations, technology development, and NTHU's operational requirements. The measures suggested based on the evaluation and review of the Policy shall be implemented after being approved by the Committee.
VI. Attachment
Privacy Policy Statement