Personal vs Sensitive Data Under the PDPA of Taiwan

Taiwan’s Personal Data Protection Act, or PDPA, is a landmark piece of legislation that provides comprehensive protection regarding the use of personal data by private entities or governmental agencies. Article one of the PDPA’s General Provisions defines the act as “enacted to regulate the collection, processing and use of personal data to prevent harm to personality rights and facilitate the proper use of personal data.”

Entities found in violation of the PDPA face both civil and criminal liability. The provisions of Directive 95/46/EC, the OECD guidelines, and the APEC privacy framework were all referenced while drafting the PDPA. However, no government agency has been named the official authority over PDPA-related issues. Nor have any official regulations or guidelines been set forth. Instead, each industry is encouraged to draft and follow its data guidelines. 

Official channels have published two handbooks on PDPA guidelines. Industries, organizations, and agencies are encouraged to create data protection policies using these documents as a guide. These policies govern how entities gather, process, and use personal information. 

Taiwan’s PDPA categorizes data in two ways: personal and sensitive data. Special protections and procedures cover sensitive data under the Personal Data Protection Act. Therefore, understanding what information falls under each category is essential to remain compliant with the PDPA.

Personal Data

Taiwan’s Personal Data Protection Act defines “personal data” as any information used to indirectly or directly identify any individual natural person. This data is the least regulated of the two sets and is subject to a few limitations. Therefore, the use of personal data is permissible under the PDPA, following specific guidelines. 

Personal data includes: 

  • name
  •  birthdate
  •  ID card number
  •  passport number
  •  characteristics 
  •  fingerprints
  •  marital status 
  •  family 
  •  education 
  •  occupation 
  •  medical records 
  •  medical treatment 
  •  genetic information 
  •  sexual life 
  •  health examinations 
  •  criminal records 
  •  contact information
  •  financial situation 
  •  social activities

How to Legally Obtain and Use Personal Data in Taiwan

The government of Taiwan may prohibit the use, gathering, processing, or holding of data if said activities violate the PDPA. The consequences of PDPA violations can include data destruction, fines, or arrest. Therefore, avoiding these violations begins with obtaining data legally.

Adherence to the PDPA is critical. Understanding the process of obtaining and using data legally prevents breaches and violations. There are three steps entities must take to collect, process, and use personal data while remaining PDPA compliant: 

  • Provide the subject with disclosure of intent to gather, process, and utilize their data. This disclosure should include the scope of the matter and how the data will be used. Failure to give proper disclosure violates the subject’s rights to data privacy as outlined in the Personal Data Privacy Act. 
  •  Obtain consent, except in certain circumstances. No permission is needed if the data is legally published or the subject has made a willing public disclosure. Consent does not need to be in written form, but proof of consent is required. 
  •  Adhere to the scope and intent of the matter. Data that has been used in one case involves re-authorization for use in future issues. 

Sensitive Data

Article 6 of the PDPA defines sensitive data subset of personal data as any personal information concerning medical records, medical treatment, genetic information, sexual life health examinations, and criminal records. The collection, processing, and use of sensitive data are prohibited under the PDPA except under the following circumstances:

  • Where it is required by a government agency to meet a legal obligation, proper security measures must be adopted before or after collecting, processing, and using this data.
  •  The subject has made a voluntary public disclosure of the data or where the data has been legally published.
  •  Where it’s necessary to perform academic research or gather statistical information. An educational organization or government agency may collect personal data for public health, medical treatment, or public safety/crime prevention. The information must not lead to the identification of subjects either through disclosure by the collector or through processing.
  •  When a government agency must meet its legal duties or a non-government agency must meet its legal obligations: adequate safety measures must be taken.
  •  Where the subject has given written consent. Written consent does not authorize collecting, processing, or using personal data that falls outside the specific intent’s necessary scope. In addition, data restricted by any other statute is not authorized for use. Finally, written consent must be given under the subject’s free will.

Sensitive Data vs. Personal Data

The differences between personal and sensitive data are apparent. Personal data is information about your identity, whereas sensitive data is information about your life. Under the PDPA, a natural person’s identifying information carries less weight than insights into their family life, daily activities, and career. 

The PDPA protects an individual’s life details, which could cause harm, embarrassment, prejudicial treatment, reputational damage, retribution, exclusion, loss of opportunity, and other detriments. Therefore, thoroughly understanding this legislation is the first step toward compliance.