Return to search

基於存取目的之個資控管框架-以銀行業為例 / Purpose-Based PII Control Framework - A Banking Perspective.

新版「個人資料保護法」在民國99年5月公布,並正式實施於民國101年10月;隨著新法的實施,不管是公部門或民間組織,都投入大量資源以期改善並確保自己的組織對於個人資料之蒐集、處理與利用,能夠符合「個人資料保護法」的要求。
由於業務特性,個人資料的蒐集、處理與利用,乃是銀行業者日常必須面對的課題。雖然舊版個資相關法令「電腦處理個人資料保護法」與「銀行法」對於個人資料的處理都已有相關規定,但由於稽核與舉證困難、罰則過輕等原因,業者並未真正重視個資保護課題,善盡個資保護的責任,所以銀行發生個資外洩的案例時有所聞。新版「個人資料保護法」正式實施後,舉證責任歸屬由當事人變成企業,在疑似個資外洩事件發生時,企業須舉證其組織之系統或機制已對個人資料之控管機制已滿足「個人資料保護法」的要求,盡到完善管理之責任。因此業者不得不投入大量資源來周全組織內對於個人資料的保護與稽核機制,把新版法規的各項規定要求納入系統功能範疇。
伴隨「個人資料保護法」的實施,法務部頒布了「個人資料保護法之特定目的及個人資料之類別」細則來明確規範個人資料的類別範疇、以及存取個人資料之目的。本研究即針對此項要求,歸納分析銀行業的業務現況,並納入未來業務發展之可能需求,設計一具備彈性之個資存取框架以管理個資分類與存取目的,進而滿足「個人資料保護法」的要求。 / As the latest version of the "Personal Data Protection Act (PDPA)" published on May, 2010, and formally implemented since October, 2012, all public and private sector organizations need to put in significant resources to meet the strengthened legal requirements of personal data collection, processing and utilization. Yet banks are among the first to be affected by them, as personal data collection, usage and handling are essential to their daily operations. Therefore, this thesis investigates the compliance of PDPA from a banking perspective.
A distinguished feature of the new "Personal Data Protection Act" is the inclusion of "purposes" in regulating access to personal data, namelyan organization must get the informed consent from its customer regarding how her personal data will be used, namely privacy preferences.
Currently, employing a proper access control mechanism to protect customer's data is a well-accepted discipline in bank information system (BIS) development. However, the design of such mechanisms hardly includes the requirement of supporting customers’ preferences regarding the use of their personal data. It is therefore highly desirable to extend a BIS's access control to handle customers' privacy preferences.
This thesis investigates the common practices of bank operations and presents a purpose-based access control framework for future BIS development. Specifically, we derive a classification of bank customers' personal data and purpose categories for bank operations so that the proposedaccees control framework can ensure all accesses to customers' personal data match their granted access purposes. As a result, the framework will lay a foundation to the compliance of PDPA for a bank.

Identiferoai:union.ndltd.org:CHENGCHI/G0095971007
Creators鄭明璋, Cheng, Ming Chang
Publisher國立政治大學
Source SetsNational Chengchi University Libraries
Language中文
Detected LanguageEnglish
Typetext
RightsCopyright © nccu library on behalf of the copyright holders

Page generated in 0.002 seconds