On April 27, 2010, the Legislative Yuan passed the Personal Data Protection Act on its third reading, which drew public attention to the issue of personal data protection. In the future, enterprises and organizations, regardless of their size or the amount of personal data they hold, will be subject to the Act. The Act affects how enterprises collect customer data, process employee data, and conduct marketing; together with its heavier criminal penalties and fines for offending enterprises, with compensation claims of up to NT$200 million, it will undoubtedly have an impact on enterprises and organizations. Actively planning and implementing information security protection for personal data is therefore an important subject of study for enterprises at this stage. BS 10012 is an international standard for information security management systems and is currently a widely recognized enterprise security certification in Taiwan. Through the PDCA management cycle, it standardizes information security control processes and defines the necessary control items and standards in order to improve the confidentiality (Confidentiality), integrity (Integrity), and availability (Availability) of enterprise information security. This study proposes a self-assessment form for the degree of privacy policy disclosure in compliance with the Personal Data Protection Act; by first combining BS 10012 with the domestic Personal Data Protection Act, it derives a framework comprising four control domains and thirteen control objectives. Through the results of this study, we hope to provide a management system for personal data protection that enterprises and organizations, whether or not they have already introduced a Personal Data Protection Act solution, can use as a reference and guide, helping them achieve legal compliance, reduce the risk of fines and litigation, and fulfill their responsibilities for protecting and managing personal data.
The Legislative Yuan passed the Personal Data Protection Act on April 27, 2010, bringing personal data protection issues to the public's attention. In the future, organizations, regardless of their size or the amount of personal data they hold, will be subject to the Personal Data Protection Act. The Act affects how data are collected and processed and how marketing is practised, and it also increases criminal penalties and compensation, which may reach $200 million when an enterprise violates the law. Therefore, enterprises should promptly engage in planning and implementing information security protection for personal data at this stage. BS 10012 is an international standard for information security management systems, and it is also accepted by Taiwanese enterprises as a security certification. Following the PDCA management cycle, it standardizes information security control flows; the control standards and policies to be set up must then be decided so as to conform to the BS 10012 standard and achieve the information security goals of confidentiality, integrity, and availability. This study applies a self-assessment form for privacy disclosure and, through a literature review of BS 10012 and the Personal Data Protection Act, sorts out 4 control domains and 13 control objectives that form the Enterprise Privacy Protection Management Mechanism. The research outcome, the Enterprise Privacy Protection Management Mechanism, provides organizations with a reference for compliance purposes, helping them obey the law, reduce the risk of litigation, and fulfill their responsibilities to protect personal data.