Those familiar with the potential fines for non-compliant data handling in Taiwan understand the importance of following Personal Data Protection Act (PDPA) best practices. PDPA protocols protect the data privacy rights of individuals and hold organizations responsible. Specifically, organizations have responsibilities to individuals when collecting, sharing, storing, and using sensitive information.
One key consideration relevant to PDPA best practices is the distinction between personal data versus sensitive data. Some of an individual’s data may be common knowledge, such as a name, occupation, or marital status. Sensitive information, such as criminal records, financial data, or health information, could be embarrassing or damaging if subject to a data breach.
In Taiwan, proper data handling means protecting personal and sensitive information, especially sensitive data. Without diving into the entire text of the 2012 data privacy act from Taiwan, three of the most essential PDPA best practices involve proper disclosure of intent, proof of consent, and adherence to the scope and intent of the matter.
Data privacy leaders who consider all of those things can take actionable steps toward PDPA compliance. By respecting the rights of individuals, organizational leaders also limit their exposure to criminal, civil, and administrative retribution.
Proper Disclosure of Intent
The organization collecting information must be forthcoming with the individual about the intent to gather, process, and use personal and sensitive information. The organization must explicitly state which data will be collected and how it will be used.
In some cases the data collector need only express intent, and consent is not required. For example, when the individual willingly provides data, consent is implied, and only the disclosure of intent is required. When data is collected via other means, or more data is collected than is necessary for the function of the application, the collector must obtain express consent.
Proof of Consent
When the data has not been legally published, or when the data subject has not made a willful public disclosure, the data collector must receive express consent to collect, store, and use data. Acquiring consent is a core pillar of other data privacy regulations, including the GDPR and the APEC Privacy Framework.
Consent does not need to be in written form, but the data collector must obtain proof that the data subject gave express permission to collect sensitive information. The word “consent” appears more than a dozen times in this explanation of the PDPA. Requiring consent is one of the core pillars of data handling in Taiwan. It ensures the data subject’s free will governs data collection, storage, and utilization.
Adherence to the Scope and Intent of the Matter
Once the intent of data collection has been disclosed, and once the data subject has consented, when applicable, the scope of data utilization is defined. The organization or party collecting data may not share, store, or use the data in any way not explicitly outlined in the disclosure of intent. If the intent changes over time and the organization is to use the data in any other way, the organization must revisit the disclosure phase.
Specifically, the organization requires re-authorization. It must disclose the new intent to the individual and achieve consent when relevant. Any circumstance that would require consent upon initial disclosure will also require consent when the scope or purpose of data handling changes.
Whenever sensitive information is collected, its collection, storage, sharing, and consumption are limited to the specific disclosure of intent issued. Organizations might need to consider how their data utilization practices will change over time to provide accurate disclosure proactively. Such forethought regarding scope and purpose can prevent the need to make another disclosure.
Actionable Steps for Compliant Data Handling in Taiwan
Understanding the protocols for data handling in Taiwan is essential. Implementing practices to live by those protocols is equally crucial. Organizations may leverage all of the following to keep themselves in line with PDPA best practices:
- Forensics – Data forensics services can help organizations track and demonstrate compliance with data privacy. Advanced analysis tools expedite reviews and provide documentation related to compliant data handling.
- eDiscovery Managed Services – Whether self-service or full-service, managed services give organizations a helping hand when implementing PDPA best practices.
- Privacy Consulting – Many organizations lack the internal resources to ensure sufficient data handling in Taiwan. For those organizations, specialized consultants can make all the difference.
- Document Management – Managing documents and information diligently helps ensure all information stays within its intended use cases.
Offerings like these help organizations stay ahead of PDPA protocols and avoid compliance problems for data handling in Taiwan.