Accidentally violating Taiwan's Personal Data Protection Act: how can companies prevent leaks of customer personal data?

Xiaomei, a bank teller, was serving an entertainer who came in to open an account. Finding it exciting to meet a celebrity, she secretly photographed the customer's name, phone number, address and other details and posted the story on social media. The customer was highly displeased and complained to the Financial Supervisory Commission, which investigated and found that Xiaomei had leaked customer personal data in serious breach of the Personal Data Protection Act and the bank's internal control rules. The bank faces a fine of up to NT$15 million, and Xiaomei faces up to five years' imprisonment.

A moment's carelessness can breach the Personal Data Protection Act, so companies must strengthen their staff's understanding of personal data protection.

Xiaomei's case is not unusual. Even where companies repeatedly promote personal data protection, employees often assume it is "not that serious" and leak data anyway. It is therefore best to use everyday business scenarios, such as data transfers, as examples so that employees apply the principles in their actual work. For instance, handing data from one department to another can put customer personal data in the hands of staff who have no business need for it, creating an information security risk.

For example, when a human resources department ran training for new employees, it wanted to show real operating conditions and mistakenly handed complete records (customer names, phone numbers, addresses, purchase histories and so on) to the trainees as examples. Those trainees had no business need for the data. Not only might the data be misused, the company is also exposed to information security and legal risk. Such cases show employees that secure internal data transfer and access-rights management must be maintained in every part of their work.

On the regulatory side, the Personal Data Protection Act (referred to below as the PDPA) requires enterprises to adopt appropriate personal data protection measures. For digital-economy sectors such as finance, digital industries and retail, the "Personal Data File Security Maintenance and Management Measures" have also been issued. They stipulate that companies with capital of more than NT$10 million, or that hold more than 5,000 personal data records, must formulate a security maintenance plan and then implement and review it for improvements every 12 months, which shows how seriously the government takes this.

The PDPA also lays down clear principles, such as "specification of the purpose of collection" and "use for the specific purpose". In other words, once a company obtains someone's personal data, it may use it only within the scope of the stated purpose. For example, when a consumer buys goods on an e-commerce platform, the platform may ask for the name, phone number and address needed to complete delivery, but it may not collect unnecessary data such as medical records. Nor may the platform use the consumer's address and other personal data for advertising, let alone authorise their transfer to third parties.

Employee security awareness is not enough: firewalls and other equipment must actually be effective

We keep urging companies to take personal data protection seriously because the courts have seen many such cases. In one, a well-known passenger transport company failed to manage its information security properly. A consumer's personal data was leaked after he booked a ticket online; he received a scam call, was defrauded of more than NT$80,000, and sought damages from the company. The court held that by running an outdated firewall and failing to update its security equipment, the company had not fulfilled its personal data protection obligations. This constituted negligence, and the court ordered the company to pay NT$57,593 in compensation.

This shows that it is not enough for enterprises to run security training and put basic infrastructure such as firewalls in place. They must make sure the protective measures are effective and update them regularly to avoid legal risk. Under the PDPA, an enterprise that fails to adopt personal data protection measures or a personal data file security maintenance plan as required can be fined from NT$20,000 up to NT$2 million, and one that fails to correct the deficiency within the prescribed period can be fined NT$150,000 to NT$15 million per case. Beyond that, a fine is the least of it: once information security fails, the loss of customer and consumer trust and the damage to the company's image are a far greater harm.

In short, once information security is treated as a basic function of the enterprise, it is best to carefully review every step of the work process and take a comprehensive inventory of the customer personal data that products and services actually require, confirming the necessary scope of collection and avoiding inappropriate or excessive collection. Use of customer personal data within business processes must also stay within the purpose of collection, and personal data should be classified and given protection appropriate to each class.

By clearly defining the scope within which employees may access and use customer personal data, in line with the PDPA's core principles (collection limitation, use limitation, security safeguards, retention periods, data-subject participation and accountability), employees come to understand fully how seriously the company takes data protection and legal compliance. Only by regularly updating and reviewing the relevant information equipment and network security measures can a company strengthen its security capabilities.
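The purpose-specification principle from the e-commerce example above, the inventory and classification of data fields, and the masking of records for staff training all reduce to one mechanism: every access to customer personal data is checked against the purpose the data was collected for and trimmed to the fields that purpose needs. The following is an added example of such a policy layer, written for this page and not taken from the article or any particular company's system. The purposes ("delivery", "customer_service", "marketing"), the field names, the "special" classification of `medical_records`, the masking rules and the sample customer are all constructed assumptions for illustration.

```python
# Added example (not from the original article): a small purpose-binding
# policy layer for customer personal data. Purposes, field names, the
# sensitivity classification and the sample customer are constructed.
from dataclasses import dataclass


class CollectionViolation(Exception):
    """A field was requested that the stated purpose does not need."""


class PurposeViolation(Exception):
    """Data was used for a purpose it was not collected for."""


# Fields in the "special" class (medical records and the like) are refused at
# collection time regardless of purpose. (Constructed classification.)
SPECIAL_FIELDS = {"medical_records"}

# Purpose -> the minimum field set that purpose needs, i.e. the "necessary
# scope of collection" for that purpose. (Constructed policy.)
PURPOSE_SCOPE = {
    "delivery": {"name", "phone", "address"},
    "customer_service": {"name", "phone", "purchase_history"},
    "marketing": {"name", "purchase_history"},
}


@dataclass
class CustomerRecord:
    fields: dict
    purposes: frozenset  # purposes stated when the data was collected


AUDIT_LOG = []  # one line per access decision, kept for later review


def collect(raw: dict, purpose: str) -> CustomerRecord:
    """Accept data only within the stated purpose's scope (collection limitation)."""
    if purpose not in PURPOSE_SCOPE:
        raise PurposeViolation(f"unknown purpose {purpose!r}")
    special = set(raw) & SPECIAL_FIELDS
    if special:
        raise CollectionViolation(f"special-class fields refused: {sorted(special)}")
    excess = set(raw) - PURPOSE_SCOPE[purpose]
    if excess:
        raise CollectionViolation(f"purpose {purpose!r} does not require {sorted(excess)}")
    return CustomerRecord(fields=dict(raw), purposes=frozenset({purpose}))


def consent_to(record: CustomerRecord, purpose: str) -> CustomerRecord:
    """Extend the permitted purposes only on the data subject's explicit consent."""
    if purpose not in PURPOSE_SCOPE:
        raise PurposeViolation(f"unknown purpose {purpose!r}")
    return CustomerRecord(fields=record.fields, purposes=record.purposes | {purpose})


def use(record: CustomerRecord, purpose: str, actor: str) -> dict:
    """Return only the fields the purpose needs, and only if that purpose was
    stated at collection or consented to later (use limitation)."""
    if purpose not in record.purposes:
        AUDIT_LOG.append(f"DENY  actor={actor} purpose={purpose}")
        raise PurposeViolation(
            f"{purpose!r} is outside the stated purposes {sorted(record.purposes)}")
    view = {k: v for k, v in record.fields.items() if k in PURPOSE_SCOPE[purpose]}
    AUDIT_LOG.append(f"ALLOW actor={actor} purpose={purpose} fields={sorted(view)}")
    return view


def training_sample(record: CustomerRecord) -> dict:
    """Masked copy for staff training: keeps the shape of a real record but
    strips direct identifiers, so trainees never handle actual customer data."""
    masked = {}
    for key, value in record.fields.items():
        if key == "name":
            masked[key] = value[0] + "*" * (len(value) - 1)
        elif key == "phone":
            masked[key] = "*" * (len(value) - 3) + value[-3:]
        elif key == "address":
            masked[key] = "[redacted]"
        else:
            masked[key] = value  # e.g. purchase history, not a direct identifier here
    return masked


if __name__ == "__main__":
    # Constructed sample customer, collected for delivery only.
    rec = collect({"name": "Amy Lin", "phone": "0912345678",
                   "address": "No. 1, Example Rd, Taipei"}, "delivery")
    print(use(rec, "delivery", "courier"))        # name, phone, address
    try:
        use(rec, "marketing", "ad_team")          # refused: not collected for this
    except PurposeViolation as err:
        print("refused:", err)
    print(training_sample(rec))                   # masked copy for HR training
    print("\n".join(AUDIT_LOG))
```

The two points worth noting are that a record carries its own purposes, so the marketing team cannot reach the delivery address even after the customer consents to marketing (the view is trimmed to the marketing scope), and that every decision, denied or allowed, lands in an audit log, which is what a security operations team later reviews when a complaint like the one in the opening story arrives.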
