How to Protect Your Data as a Foreign Worker in Taiwan

In this day and age, where almost every transaction is done online, data security and protection is essential. Without it, people would be prone to scams of all kinds, including employment scams that affect Filipino job seekers and overseas workers.

To prevent crimes such as identity theft, hacking, and data breaches, Taiwan enacted the Personal Data Protection Act (PDPA). This legislation applies to government agencies as well as private entities, and to both Taiwanese and foreign nationals in the country.

OFW Guide to Protecting Personal Data in Taiwan

Matters of data security and protection in Taiwan are governed by the Personal Data Protection Act (PDPA). Previously, the regulatory body responsible for data protection was the National Development Council (NDC). Recently, this was replaced by the Personal Data Protection Commission (PDPC) as the country’s protection authority, although other bodies like the Ministry of Digital Affairs (MODA) remain active within their respective jurisdictions.

The PDPA contains information and policies regarding personal data, informed consent, data security measures, and other topics.

What is Personal Data?

According to the PDPA, “personal data” refers to a person’s: name, date of birth, identification card number, passport number, marital status, family, education, profession, financial condition, contact information, social activities, and other information by which the person may be identified, directly or indirectly.

Furthermore, the Act provides a definition for “sensitive personal data,” stating that this includes a person’s medical records, medical treatment, health examination, genetic information, fingerprints, sexual life (e.g. sexual orientation), and criminal records.

Giving Informed Consent

When it comes to personal data, the topic of consent is of primary importance. The PDPA states that a person (i.e. data subject) may give “informed consent” only if he/she is notified of the following:

  • Name or title of the data collector;
  • Purpose(s) for data collection;
  • Types of data to be collected;
  • Time frame, place, persons involved, and methods of using personal data;
  • Data subject’s rights; and
  • Impact on data subject’s rights and interests if he/she chooses not to provide his/her personal data.

The data subject may give his/her informed consent in verbal, written, or digital form, as long as the collecting entity is able to prove that the person has properly and explicitly given consent.

Data for Marketing Purposes

With regard to collecting data for marketing purposes, data collectors are required to give data subjects a “privacy notice.” If a data subject requests to “opt out,” the data collector should stop using the data subject’s personal data for marketing.

Data Security Measures

To ensure that private companies and entities in digital economic industries comply with the PDPA, the Personal Data Protection Commission (PDPC) and Ministry of Digital Affairs (MODA) have laid out rules, including the implementation of data security measures.

For Private Entities

Data security measures for private entities include:

  • Appointing data management personnel;
  • Appointing information security personnel;
  • Specifying the scope of personal data;
  • Adopting strategies to assess and manage risks;
  • Adopting internal procedures on data collection, processing, and usage;
  • Adopting internal rules for preventing data breach, reporting cases of data breach, and taking action;
  • Adopting mechanisms for ensuring the security of information services equipment;
  • Adopting plans for improving data protection practices;
  • Auditing information security;
  • Preserving records of data usage, tracking, and evidence; and
  • Offering training on data protection to employees.

For Entities in Digital Economic Industries

Meanwhile, data security measures for entities in the digital economic industries include:

  • Entering into “non-disclosure agreements” (NDAs) with employees;
  • Identifying employees who will handle matters of data collection, processing, and usage;
  • Determining each employee’s authority to access personal data and reviewing this authority regularly; and
  • Requesting departing employees to return devices that store personal data, and delete personal data that they had during the course of their employment.

In addition, entities are required to keep records on the following for at least five (5) years: records of data collection, processing, or usage; tracking information of automatic equipment; and evidence supporting compliance of the entity’s data security plan.

Data Breach Notifications

In case of data breach, private companies are required to notify data subjects about it. Specifically, they must tell affected persons about: the breach that occurred; measures that have been taken to address the breach; and the contact details of the data collector.

Transmission of Data Overseas

As for the transmission of data overseas or outside the territory of Taiwan, Taiwan authorities may restrict this if: (a) substantial national interest is at stake; (b) the receiving country does not provide proper protection of personal data; and (c) the transmission evades or circumvents the policies of the PDPA. This restriction applies to private entities, both local and foreign.

Data Protection in the Workplace

At this point, let us focus on data protection in the workplace, and how this relates to matters such as the monitoring of workers’ emails, social media usage, and social media conduct.

Monitoring of Workers’ Emails

Currently, there is no law that prohibits employers from monitoring their workers’ official emails. Nevertheless, in respect of privacy rights, employers are urged to inform their workers in advance about the company’s monitoring practices.

Social Media Usage

The Labor Standards Act (LSA) states that companies with 30 employees or more must establish rules and regulations. These may include restrictions on the use of social media in the workplace. It must be emphasized, however, that rules on social media usage, including any penalties, should be announced in advance.

Likewise, smaller companies may also include a “social media usage policy” clause in their employment contracts. In any case, the important thing is that employees must be informed and aware of the company’s rules, to avoid any problems or misunderstandings.

Social Media Conduct of Employees

In the event that an employee’s social media conduct is proven to be “harmful” to a company’s business and reputation, the employer may seek legal action. For example, if a worker has committed a data breach or revealed confidential information, the employer may terminate the worker’s job contract, in accordance with the LSA.

Nowadays, data security and protection is a big deal, for people as well as the companies they work for. By enforcing the Personal Data Protection Act (PDPA), Taiwan is able to help manage personal data and protect crucial information of companies and their employees.

Ultimately, data protection is part of a person’s overall safety, wherever he/she may be. Check out this article to learn more about safety and security while living and working in Taiwan.
