
Information Security Policy and Legal Accountability: A Discussion of the Information Security Management Framework in Taiwan's 2010 Personal Data Protection Act

Information Security Policy and Legal Accountability - On the Information Security Regulating Framework of the 2012 Personal Information Protection Act

Abstract

Taiwan's revised Personal Data Protection Act has drawn intense attention from the information security and industry communities over the past two years and more, because it establishes numerous legal liabilities. Private-sector discussions have mostly taken the practical meaning and substantive content of the new Act's legal wording for granted. This is not entirely correct. Taiwan's personal data law adopts a four-tier structure: the parent act, its enforcement rules, ministerial regulations, and court judgments. The concrete content of the parent act's provisions only becomes clear in the three subsequent tiers of regulation or procedure. Even the regulatory intent of the parent act itself remains unclear to date. The main legal sticking point is that although Article 27, Paragraph 2 is sufficient to develop an organization's information security policies and practices, it only provides that the central competent authority for the relevant industry "may", rather than "shall", designate non-government agencies to establish security maintenance plans. When the competent ministries neglect to designate industries or to issue regulations, a legal loophole arises. This article offers a comprehensive retrospective examination of this legal deficiency, in the hope that the information security and industry communities will gain a deeper understanding of how the national legal framework came about. It also proposes the concrete scope of "organizational information security" and an "administrative management regime", in the expectation that the competent ministries and relevant government decision-makers can first introduce information security norms for a narrowed set of regulated parties. The argument of the article is organized around the Accountability principle among the eight OECD (Organization for Economic Cooperation and Development) principles.

English Abstract

The Personal Information Protection Act of Taiwan was officially announced on 26 May 2010, but is not yet in effect. Much interpretation of its articles is heard; most of it is not legally binding. The abstractness of the wording and the little experience with the new Act result in such a dilemma, and the information security branches are especially confused by it. The author tries to find a solid legal ground for developing information security management of personal information. Article 27 of PIPA authorizes the ministries to publish specifications and standards for the industries to follow. Such an administrative framework is ideal for developing information security policies and practices to protect personal information. Organizational accountability is legally clearer, and thus more manageable, than individual accountability of the personal information officer.
