公務機關之間傳輸個人資料保護規範之研究-以我國、美國及英國法為中心 / A Comparative Study of Regulations for the Protection of Personal Data Transmitted between Government Agencies in Taiwan, the U.S. and the U.K.
林美婉, Lin, Mei Wan. Unknown Date
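The personal information that governments hold by virtue of their public authority is all-encompassing: names, dates of birth, national ID numbers, family, education, occupation and more. Advances in technology and the spread of the Internet allow data that was once scattered across many places to be linked, copied, processed and used quickly. To increase administrative efficiency and reduce costs, agencies provide public services over the network ever more frequently, and transmitting and sharing personal data has gradually become the norm. These changes bring benefits to the government and the public, but they also come with many challenges. In particular, when several agencies must share information, managing risk becomes more complex and difficult. If the process is not properly controlled and data is stolen, altered, lost or leaked, not only is the privacy of the data subject harmed, but the government's credibility is also seriously damaged. Therefore, every government agency that holds personal data must establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of the data and to avoid any threat or opportunity that could endanger its integrity and thereby infringe on the individual's personality and fairness.
With the interconnection of the global economy and the spread of the Internet, personal data protection is now an international matter, a trend visible in the growing number of national laws and transnational provisions such as the rules of international organizations like the OECD, the EU and APEC. Among advanced countries, the United States and the United Kingdom have developed their information privacy legal systems against different historical backgrounds. At present, the main rules that U.S. federal agencies must follow when holding and using personal data are the Privacy Act, the Computer Matching and Privacy Protection Act, the E-Government Act, the Federal Information Security Management Act, and the related guidance issued by the Office of Management and Budget. The U.K. government must comply with the Human Rights Act and the Data Protection Act enacted under the framework of the EU Directive, and is subject to supervision and audit by an independent Information Commissioner. In addition, to increase efficiency, reduce error and fraud, and lower the cost of maintaining separate systems, the flow of personal data held by public agencies or by different levels of government is necessary, so both countries also have special provisions or operating rules for data transmission in practice. By comparison, Taiwan's Personal Information Protection Act, which only came into force on 1 October 2012, has no specific provisions on the transmission of personal data between public-sector bodies, and internal and external oversight mechanisms for agencies are likewise absent, which raises the risk of improper use and disclosure of personal data.
To safeguard the right to personal information privacy while allowing the transmission and use of personal information between public agencies to improve public services without violating the rights and interests of data subjects, this study recommends that legislators or policymakers draw on the legal experience of the United States and the United Kingdom and expressly provide that the Ministry of Justice is responsible for drafting detailed implementing rules and procedures for agencies to follow when transmitting personal data, reducing the current lack of consistency in how agencies share information. To ensure that personal information is properly protected, in addition to obtaining the data subject's prior consent, data sharing should be reviewed by a professional panel before agencies carry it out. Other important measures to consider are: (1) build a Personal Information Management System (PIMS) composed of policies, procedures, personnel and equipment resources, and make it part of the overall information management infrastructure; (2) appoint senior officials responsible for implementing and maintaining security controls; (3) educate and train personnel to raise risk awareness and shape a good organizational culture; (4) consult stakeholders and define the scope, purpose and legal basis of the shared data; (5) carry out a privacy impact assessment (PIA) that identifies potential threats to individual privacy and analyzes risk mitigation alternatives; (6) sign a formal written agreement detailing the relevant rights and obligations; (7) conduct internal and external audits to monitor regulatory compliance and improve the transparency, integrity and accountability of agency decisions.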
Keywords: personal data protection, right to privacy, information privacy, data transmission, data sharing
Governments have the power to hold a variety of personal information about individuals, such as name, date of birth, ID card number, family, education, and occupation. Due to advanced technology and the use of the Internet, personal data stored in different places can be connected, copied, processed, and used immediately. It is relatively common for government agencies to provide people with services online as well as to transmit or share individual information to improve efficiency and reduce bureaucratic costs. These changes clearly deliver great benefits for governments and for the public, but they also bring new challenges. Specifically, managing risks around sharing information can become complicated and difficult when more than one agency is involved. If a government agency that keeps personal information cannot prevent it from being stolen, altered, damaged, destroyed or disclosed, the failure can seriously erode personal privacy and people's trust in the government. Therefore, each agency that maintains personal data should establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the data and to protect against any anticipated threats or hazards to its integrity that could result in substantial harm to the personality of, or fairness to, any individual.
As the global economy has become more interconnected and the Internet ubiquitous, personal data protection is by now a truly international matter. The trend is fully demonstrated by the growing number of national laws, supranational provisions, and international regulations, such as the OECD, EU and APEC rules. Among developed countries, the U.S. and the U.K. each have their own historical context for developing a legal framework for information privacy. U.S. federal agency use of personal information is governed primarily by the Privacy Act of 1974, the Computer Matching and Privacy Protection Act of 1988, the E-Government Act of 2002, the Federal Information Security Management Act of 2002, and related guidance periodically issued by OMB. The U.K. government has to comply with the Human Rights Act and the Data Protection Act of 1998, which implemented Directive 95/46/EC. Its use of individual data is overseen and audited by the independent Information Commissioner. Further, because interagency data sharing is necessary to make government more efficient by reducing the error, fraud, and costs associated with maintaining segregated systems, both countries have made specific rules or codes of practice for handling the transmission of information among different agencies and levels of government. By contrast, Taiwan's Personal Information Protection Act of 2010, which finally came into force on 1 October 2012, contains no detailed and clear provisions for data transmitted between government agencies. Moreover, there is no internal or external oversight of data sharing practices in the public sector. These problems will increase the risk of inappropriate use and disclosure of personal data.
To protect individual information privacy rights and ensure that government agencies can enhance public services through data sharing without unreasonably impinging on data subjects' interests, I recommend that lawmakers draw on the legal experience of the U.S. and the U.K. and specify that the Ministry of Justice has a statutory duty to prescribe detailed regulations and procedures for interagency data transmission. This could remove the confusion about the circumstances in which personal information may be shared. Also, besides obtaining the prior consent of the data subject and having a professional task force conduct an audit before an interagency data sharing program is implemented, the following important measures should be taken: (1) Establish a Personal Information Management System composed of policies, procedures, and human and machine resources, and make it part of the overall information management infrastructure; (2) Appoint accountable senior officials to undertake and maintain the implementation of security controls; (3) Educate and train personnel to raise risk awareness and create a good organizational culture; (4) Consult interested parties and define the scope, objective, and legal basis for data sharing; (5) Conduct privacy impact assessments to identify potential threats to individual privacy and analyze risk mitigation alternatives; (6) Establish a formal written agreement to clarify mutual rights and obligations; (7) Enforce internal as well as external auditing to monitor compliance with data protection regulations and promote the transparency, integrity and accountability of agency decisions.
Key Words: personal data protection, privacy rights, information privacy, data transmission, data sharing