
Personal vs Sensitive Data Under the PDPA of Taiwan


Taiwan’s Personal Data Protection Act, or PDPA, is a landmark piece of legislation that comprehensively regulates how private entities and government agencies handle personal data. Article 1 of the PDPA’s General Provisions states that the act is “enacted to regulate the collection, processing and use of personal data to prevent harm on personality rights and facilitate the proper use of personal data.”

Entities found in violation of the PDPA face both civil and criminal liability. Directive 95/46/EC, the OECD privacy guidelines, and the APEC Privacy Framework were all referenced while drafting the PDPA. No single government agency has been designated as the dedicated authority over PDPA matters, and no official sector-wide regulations or guidelines have been issued. Instead, each industry is encouraged to draft and follow its own set of personal data guidelines. 

Official channels have published two handbooks on PDPA guidelines. Industries, organizations, and agencies are encouraged to create their own data protection policies using these documents as a guide. These policies govern how entities gather, process, and use personal information. 

Taiwan’s PDPA divides data into two categories: personal data and sensitive data. Sensitive data is subject to special protections and procedures under the act. Understanding which information falls into each category is essential to remaining compliant with the PDPA.

Personal Data

Taiwan’s Personal Data Protection Act defines “personal data” as any information that can be used, directly or indirectly, to identify a living natural person. Of the two categories, ordinary personal data is the less regulated and is subject to fewer limitations. Its use is permissible under the PDPA provided specific requirements are followed. 

Personal data includes: 

  • name
  • birthdate
  • ID card number
  • passport number
  • characteristics 
  • fingerprints
  • marital status 
  • family 
  • education 
  • occupation 
  • medical records 
  • medical treatment 
  • genetic information 
  • sexual life 
  • health examinations 
  • criminal records 
  • contact information
  • financial situation 
  • social activities

How to Legally Obtain and Use Personal Data in Taiwan

The government of Taiwan may prohibit the collection, processing, use, or retention of data if those activities are found to violate the PDPA. The consequences of a violation can include orders to delete the data, fines, and criminal penalties. Avoiding these violations begins with obtaining data lawfully.

Understanding how to obtain and use data lawfully is the surest way to avoid violations. Entities must take three steps to collect, process, and use personal data while remaining PDPA compliant: 

  • Notify the subject of the intent to collect, process, and use their data. The notice should state the purpose of the collection, its scope, and how the data will be used. Failure to give proper notice violates the subject’s data privacy rights under the Personal Data Protection Act. 
  • Obtain consent, except in certain circumstances. No consent is needed if the data has been lawfully published or if the subject has voluntarily disclosed it publicly. Consent does not need to be in written form, but the entity must be able to prove that consent was given. 
  • Stay within the stated purpose and scope. Data collected with consent for one purpose requires fresh authorization before it is used for a different purpose. 

Sensitive Data

Article 6 of the PDPA singles out a subset of personal data, commonly called sensitive data: personal data concerning medical records, medical treatment, genetic information, sexual life, health examinations, and criminal records. The collection, processing, and use of sensitive data are prohibited under the PDPA except in the following circumstances:

  • Where it is expressly provided for by law.
  • Where the subject has voluntarily disclosed the data publicly, or the data has been lawfully published.
  • Where it is necessary for academic research or statistical purposes. A government agency or academic institution may collect the data for purposes of medical treatment, public health, or crime prevention, provided that the data, as disclosed by the collector or after processing, cannot identify a specific subject.
  • Where it is necessary for a government agency to perform its legal duties or for a non-government agency to fulfill its legal obligations, and proper security measures have been adopted before or after the collection, processing, or use.
  • Where the subject has given written consent. Written consent does not authorize collection, processing, or use that exceeds the scope necessary for the specific purpose, or that another statute prohibits, and it must be given of the subject’s own free will.

Sensitive Data vs Personal Data

The difference between personal and sensitive data is clear. Personal data is information about who a person is, whereas sensitive data is information about the most private aspects of their life. Under the PDPA, a natural person’s basic identifying details carry less weight than information about their health, genetics, sexual life, and criminal history. 

The PDPA gives these life details heightened protection because their exposure can cause harm, embarrassment, prejudicial treatment, reputational damage, retribution, exclusion, loss of opportunity, and other detriments. A thorough understanding of this legislation is the first step toward compliance.