  • Thesis


A Study of Sensitive Personal Data Protection

Advisor: 湯德宗


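In 2011, our country passed the newly amended Personal Information Protection Act. Article 6, Paragraph 1 provides that personal data concerning medical treatment, genetics, health examinations, sex life and criminal records are sensitive personal data, also called special categories of data. Whether personal data are sensitive personal data should be determined by considering the nature of the data, and the categories should be defined by enumeration in law. Of the categories currently enumerated in the Personal Information Protection Act, four are health-related, and medical records are omitted, so the categories need to be reorganized. Although fingerprints are biometric information and have the characteristics of sensitive personal data, national legislation still lacks consensus at present, so for the time being they need not be listed as sensitive personal data. Because of their special nature, improper collection, processing or use of sensitive personal data readily infringes individual information privacy. Countries therefore prohibit their collection, processing or use in principle and permit it only by exception. The Personal Information Protection Act provides four exceptional circumstances in which sensitive personal data may be collected, processed or used. The current provisions of each subparagraph lack clarity, and the four circumstances are fewer than in the legislation of other countries. In the future, exception clauses for "the data subject's written informed consent", "on the basis of medical acts" or "necessary for a major public interest" could be added. The protection that the Personal Information Protection Act gives to sensitive personal data is still insufficient. In particular, doubts remain in application as to whether government agencies or non-government agencies must fulfil a notification obligation, and as to use outside the specific purpose. The Act should be amended and strengthened.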


Sensitive data, or sensitive information, is a subset of personal information and is given a higher level of protection under Art. 6(1) of the Personal Information Protection Act (PIPA). The definition of sensitive data (special categories of data) in the PIPA refers to information about an individual's medical treatment, genetic information, sexual life, health examination and criminal record. Any information can be considered sensitive, depending on its nature. The better approach to defining sensitive data is to enumerate the special categories of sensitive data specifically by law. Almost all sensitive data enumerated in the current PIPA is medical information, yet the list lacks medical records; the list should therefore be consolidated and amended. Fingerprints are biometric information that can be considered sensitive, but there is no legislation in other countries, so they need not be added to the list for the time being. The PIPA prohibits government agencies and non-government agencies from collecting, processing and using sensitive data unless at least one of the conditions (exemptions) set out in Art. 6(1) is fulfilled. However, the definition of the exemptions is vague and ambiguous. The types of exemption defined in the PIPA are also fewer than in the legislation of other countries. This thesis therefore suggests that the PIPA should be amended and that other conditions should be added, such as a "data subject's informed consent" exemption, a "for medical purposes" exemption, a "for public interest" exemption and an "in order to protect the vital interests of another person" exemption. Although the PIPA gives a higher level of protection to sensitive data, it does not specifically state whether a government agency or non-government agency should notify the data subject before collecting sensitive data, or whether sensitive data can be used for a secondary purpose. It should be amended immediately, before the date of enforcement of the Act.




