• Degree thesis

A Study of the Personal Data Protection Audit Mechanism for Educational Institutions: A National University as an Example

A Study of the Personal Information Protection Auditing Procedure for Educational Institutions - A National University as an Example

Advisor: 張碩毅


The Legislative Yuan completed the long-delayed revision of the Personal Data Protection Act in 2010, and the new Act took effect in 2012. The new Personal Data Protection Act broadens its scope to cover "the collection, processing and use of personal data". Universities and colleges have all invested actively in protecting personal data, whether through the Information Security Management Systems (ISMS) that schools have introduced in recent years or through the Personal Information Management Systems (PIMS) now being established. Yet even though a domestic university had introduced a personal data protection mechanism and obtained BS 10012 certification, a personal data leak still occurred in its library (呂瑞麟, 2014): a librarian inadvertently disclosed vendor data, leaking personal information. Evidently, merely introducing a protection system is not sufficient; one must also examine or evaluate whether the personal data protection system an educational institution has introduced is actually implemented and whether it suits the institution. This study builds the structure of its audit procedure on the International Professional Practices Framework for internal auditing (IPPF 2013); the detailed provisions follow the Executive Yuan's "Points to Note for Internal Audit" and "Principles for Self-Assessment of Internal Control Systems by Government Agencies", and where these are insufficient the study draws on the "Regulations Governing Establishment of Internal Control Systems by Public Companies" to strengthen the overall process. Through a literature review, the study derived 69 check items, classified them by the COSO dimensions set out in the self-assessment principles to obtain an initial prototype, and then used a Delphi expert questionnaire, conducted over two rounds, to further revise and confirm the personal data protection check items. The scoring method of the self-assessment principles, supplemented by the CMMI measurement mechanism, serves as the method for assessing the state of an educational institution's personal data protection capability. Finally, a case study was conducted: the mechanism was revised according to interviewees' suggestions, and an actual unit self-assessment was carried out to confirm the mechanism's practical feasibility. The mechanism described above helps agencies quickly and effectively identify the state of an educational institution's personal data protection capability and carry out subsequent control and improvement, reducing the litigation, fines and reputational damage that result when improper handling of personal data leads to leaks or violations of the Personal Data Protection Act.


The Legislative Yuan completed the long-delayed revision of the Personal Information Protection Act in 2010, and the new Act was formally implemented in 2012. The new Personal Data Protection Act expands its scope to cover the "collection, processing and use of personal data". Educational institutions are actively involved in protecting personal data, whether through the information security management systems (ISMS) that schools have introduced in recent years or through the personal information management systems (PIMS) now being established. Even though one university in Taiwan had adopted protection mechanisms and received BS 10012 certification, an information leak took place in its library (Lu Rui-Lin, 2014): librarians accidentally gave away vendor information, resulting in the leakage of personal data. Adopting protection mechanisms alone is therefore not enough; developing a mechanism to examine or evaluate the appropriateness of the protection mechanisms that educational institutions have introduced is also critical. This study adopts the international internal audit practice guidelines (IPPF 2013) as the framework of the audit procedure, with the Executive Yuan's Points to Note for Internal Audit, the Principles for Self-Assessment of Internal Control Systems, and the Guidelines for Companies Establishing Internal Control Systems providing the detailed specification. Through a literature review, this study developed 69 check items; classifying them by COSO principles produced the initial prototype, and two rounds of Delphi questionnaires were then conducted to further amend and confirm the check items. The scoring method follows the internal control self-assessment principles, supported by CMMI assessment methods. Finally, through a case study, the auditing mechanism was modified according to interviewees' recommendations to ensure its feasibility.
With the above mechanism, rapid and effective identification of the state of personal data protection in each educational institution is possible, reducing improper handling of personal data and avoiding breaches of the Personal Data Protection Act that result in fines and damage to the institution's image.




