Taiwan's Personal Information Protection Act passed its third reading in the Legislative Yuan on May 26, 2010 (ROC year 99), making personal data protection an important issue. In the future, every organization, regardless of its size or the volume of personal data it holds, will be subject to the Act. Many domestic organizations have already adopted the ISO 27001 information security management standard and therefore have a sound information security foundation, but in terms of personal data protection the depth and breadth of their safeguards remain insufficient. To give organizations that have adopted ISO 27001 a method for self-assessing the current state of their personal data management, this study draws on the spirit of BS 10012:2009, the British personal information management standard, compares the differences between the clauses of ISO 27001 and BS 10012, and builds a self-assessment checklist that is based on ISO 27001 and conforms to BS 10012 across eight dimensions: personal data policy, management organization, personnel training, operating procedures, technical measures, records management, contract management and management review. After a prototype checklist had been produced by synthesis, expert interviews were held with specialists in the managerial, technical and legal fields, each of whom provided revision suggestions; the revised checklist contains 244 assessment items in total. To ensure the usability of the checklist, it was finally validated with a case organization: representatives from the organization's information, legal and audit departments were invited to complete the checklist according to their own understanding, in order to learn how personal data protection was being promoted within the organization. This study also offers improvement suggestions for the assessment items the case organization had not yet implemented, as a reference direction for the organization to strengthen its personal data protection. It is hoped that the results of this study provide a self-assessment reference mechanism that organizations can use whether or not they have adopted ISO 27001, helping them meet the requirements of personal data protection legislation, fulfill their responsibilities for personal data protection and management, and reduce litigation risk.
The Taiwan Legislative Yuan approved the Personal Information Protection Act on April 27, 2010, which has drawn public attention to personal information protection issues. In the future, all organizations, regardless of their scale or the amount of personal data they hold, will be subject to the Personal Information Protection Act. Many organizations that have implemented ISO 27001 have shown good performance in information security; however, from the viewpoint of personal information protection, their security measures are still insufficient in scope and depth. In order to provide a self-evaluation model for analyzing the status of personal information protection in organizations, this study assessed personal information protection systems on the basis of BS 10012. It compared and analyzed the differences between ISO 27001 and BS 10012, and constructed self-evaluation items across eight dimensions: personal information protection policy, management organization, job training, operating processes, technical protection, records management, contract management and management system review. After building a prototype of the self-evaluation model and integrating the opinions of professionals gathered in managerial, technical and legal interviews, the study revised the self-evaluation items, resulting in 244 items. To assure the usability of the self-evaluation model, a case study was conducted to test and verify the mechanism. The study invited staff from the MIS, legal affairs and auditing divisions of the organization to complete the questionnaires according to their own understanding, so as to learn how personal information protection was being promoted. It also offers suggestions for improvement on the items the organization had not yet completed.
The research aimed to provide organizations with a reference mechanism for self-evaluating the maturity level of their personal information protection, whether or not they have implemented ISO 27001, as well as to help organizations comply with the law, fulfill their responsibilities for personal information protection and reduce the risk of litigation.