個人資料管理系統驗證要求事項標準化實作初論：根基於ISO/IEC JTC 1/SC 27在2017-01公布的框架

個人資料保護法施行細則第17條闡明：「……所稱無從識別當事人，指個人資料以代碼、匿名、隱藏部分資料或其他方式，無從辨識該特定個人者」亦即通稱「去識別化(De-identification)」之議題，自2014年11月17日法務部法律字第10303513040號函的函釋：「去識別化之個人資料依其呈現方式已無從直接或間接識別該特定個人者即非屬個人資料」起，其「驗證(Certification)」成為我國標準化工作項目的優先項目。根基於此，本文探討包含前述「去識別化」之歐盟「一般資料保護條例」規範的「個人資料管理系統」驗證，其遵循之國際標準化組織(International Organization for Standardization, ISO)於此議題的標準化作業之脈絡及前景，並在最後提出本文的觀察與建議代為結論。

關鍵字

驗證；個人可識別資訊；個人資料管理系統；資訊安全管理系統；標準化

並列摘要

Enforcement Rules of the Personal Information Protection Act Article 17 states that ＂the Act shall mean the personal information processed by ways of code, anonymity, hiding parts of information or other manners so as to fail to identify such a specific person.＂, so as call the ＂De-identification＂ issue. Since 2014, Nov 17th the Ministry of Justice has explained that ＂De-identified personal information cannot identify directly or in-directly a specified individual.＂ certification has become our standardization primary issue. Thus, we discuss EU's ＂General Data Protection Regulation＂ including ＂De-identification＂ mention before in ＂Personal information management system＂ certification, whose implementation follows International Organization for Standardization (ISO) standardization. The article is going to conclude with observation and suggestion to the status quo of protecting personal data in Taiwan subject to learning experience from the ISO standardization in striving for protecting personal data.