This Policy is established in order to ensure the confidentiality, integrity and availability of the information assets held by the Taiwan Research-based Biopharmaceutical Manufacturers Association (hereafter the Association) and to comply with the requirements of the "Cyber Security Management Act" and its sub-laws, as well as other relevant laws and regulations, so as to protect the information from internal or external attacks, either intentional or accidental, and to fully protect and manage personal information in accordance with the "Personal Data Protection Act".
II. The Scope
This Policy applies to the systems and the personal information processing procedures concerning all staff, outsourced service providers, data users (including data custodians), visitors, etc. of the Association.
The scope of the information security management covers 14 areas, with the aim of preventing information from being improperly used, leaked, tampered with or damaged due to factors such as human negligence, intentional acts or natural disasters, and thereby exposing the Association to various possible risks.
III. The Targets
With a view to protecting the confidentiality, integrity and availability of the Association’s information assets, the Association aims to achieve the following targets through the implementation of this Policy:
To create a safe and reliable information operating environment so as to ensure the safety of the Association’s data, systems, equipment and network and to ensure the sustainability of the Association’s operations.
To protect the safety of the Association’s services by allowing only authorized personnel to access or retrieve the information so as to maintain the confidentiality of the information.
To protect the safety of the Association’s services by prohibiting unauthorized modifications so as to maintain the accuracy and integrity of the information.
To formulate a sustainable business plan in order to facilitate the Association’s sustainable information services.
To ensure that all of the Association’s services are in compliance with the "Cyber Security Management Act" and its sub-laws, as well as relevant laws and regulations.
To protect the safety of the personal information associated with the Association’s services by taking preventive measures against the theft, tampering, damage, loss or leakage of the information as a result of external threats or the mismanagement/misuse by internal personnel.
To improve the protection and management of personal information, to reduce the operational risk and to create a reliable environment for the protection of personal information and privacy.
To regularly assess the risks to the personal information processing procedures, and to identify the risk tolerance levels.
IV. The Liability
The Association should establish an information security body to coordinate the tasks of promoting information security.
The management should actively participate in and support the information security management system, and should implement the Policy through establishing appropriate standards and procedures.
The Policy should be observed by all staff, outsourced service providers, data users (including data custodians), visitors, etc. of the Association.
All staff, outsourced service providers, data users (including data custodians), visitors, etc. of the Association are obliged to report any information security events or flaws through the appropriate notification mechanism.
Any conduct that threatens information security will be subject to civil or criminal investigation based on the seriousness of the circumstances, or be dealt with according to the relevant regulations of the Association.
V. The Management Index
A plan for achieving the information security targets should be formulated in order to ensure the achievement of the information security management targets and to evaluate performance, as well as to ensure conformity with the objectives of the Policy and the full implementation of the information security management system.
VI. The Protection of Personal Information
The Association has already established a personal information protection body and has clearly defined the responsibilities and obligations of relevant personnel.
The Association has already established the Personal Information Management System (PIMS) to ensure the implementation of this Policy. All staff and outsourced service providers of the Association must comply with the regulations and requirements of the PIMS.
All personal information is protected by the Association with strict measures and policies. Training on personal information protection, privacy protection and information security is compulsory for, including but not limited to, all staff of the Association. When the Association outsources services or engages in collaborative work, the Association must sign a confidentiality agreement with the contractors or collaborators so that the other parties are fully aware of the importance of personal information protection and of their legal responsibility for personal information breaches. Any violation of the confidentiality agreement will be subject to strict internal discipline, claims for damages for breach of contract, and the investigation of civil and criminal liability.
The personal information, including but not limited to a person's name, date of birth, ID Card number (passport number), features, fingerprints, marital status, family information, education background, occupation, etc., which is obtained or collected by the Association for its business purposes should be processed in an appropriate, fair and legal manner and in compliance with the "Personal Data Protection Act" and other relevant laws and regulations. Pursuant to Article 5 of the "Personal Data Protection Act", the collection, processing and use of personal information shall be carried out in a manner that respects the data subject's rights and interests and in an honest and good-faith manner. It should be sufficiently relevant to the purposes of the data collection without going beyond the necessary scope of the specific purposes.
All personal information collected or processed by the Association is subject to the regulations of the "Personal Data Protection Act" and the Association’s Personal Information Management System. Furthermore, the staff of the Association may access personal information only when such access is necessary for carrying out the Association’s operations or services.
In situations where cross-border transmission of the personal information held by the Association is required, it must be done in strict compliance with Article 21 of the "Personal Data Protection Act" and other relevant laws and regulations. Such data transmission must neither affect any major national interest, nor be indirectly diverted to a third country, nor be used to circumvent the provisions of the "Personal Data Protection Act". If the data subjects’ rights could be breached by a special regulation in a national treaty or agreement or by the lack of proper regulations on the protection of personal information in the receiving country, the Association will not carry out the cross-border transmission of the personal information for security reasons.
When the Association receives a request to access or change personal information, the processing of the personal data of the party concerned should follow a procedure that is in accordance with the "Personal Data Protection Act" and within the legal scope.
VII. The Management Review
The Policy should be subject to a management review at least once a year to take into account the latest developments in government laws, technologies and business requirements, so as to ensure that the Association can operate sustainably. Feedback from stakeholders such as the information security bodies, the competent authorities (or laws and regulations), experts and scholars should be included in the discussion agenda of the management review meeting.
VIII. The Implementation
The Policy will be implemented after being developed and approved by the Information Security Management Body. The same procedure also applies to its revision.