Home >> News & Publications >> Newsletter

Newsletter

搜尋

  • 年度搜尋:
  • 專業領域:
  • 時間區間:
    ~
  • 關鍵字:

National Development Council Prescribed the Guidelines for Trial Operation of Data Interface on MyData Platform




To promote personalized digital services (MyData), the National Development Council (“NDC”) prescribed the Guidelines for Trial Operation of Data Interface on MyData Platform ("MyData Guidelines") on February 18, 2020, which took effect on the same date. According to the NDC official website and the MyData Guidelines, the purpose of this innovative service is to promote digital government incorporating the Executive Yuan's "Open Government Data" policy, which aims to deliver personalized precision services while protecting data security and privacy through establishment of the MyData Platform ("MyData Platform" or "Platform") with personal data authorized by the general public. The MyData Platform is intended to deliver personalized services that the general public need through measures that (i) enable the general public to download personal data by themselves based on their individual needs; or (ii) enable government authorities or the private sector to obtain the personal data of the general public through online authorization by the individuals. The trial operation of MyData Platform currently focuses on government agencies. Enterprises eligible to participate in the trial are limited to banks and state-owned enterprises.
 
Below is a summary of certain major points of the trial operation of MyData Platform:
 
1.     Entities qualified to apply to the NDC for acting as a “data provider” or “service provider”:
 
In addition to government authorities (e.g. Executive Yuan, municipal government, county or city government and relevant authorities) and universities (subject to approval from Ministry of Education), the following enterprises/non-governmental organizations are also eligible: banks, Joint Credit Information Center (“JCIC”) and state-owned enterprises (subject to approval from relevant central competent authorities). (Point 3 of MyData Guidelines)
 
2.     Interface testing and operation of MyData Platform (for banks and state-owned enterprises):
 
The above-mentioned banks and state-owned enterprises contemplating to apply for MyData Platform interface need to fill out relevant application forms and apply for approval from the industry competent authority. After such approval is obtained, the application should then be submitted to the NDC. (Point 4 of MyData Guidelines)
 
3.     Rules governing entities participating in the MyData Platform interface:
 
a)     For data providers:
                         i.       adopt appropriate level of identity verification in order to meet the personalized data security requirements; and
                       ii.       provide accurate personalized data.
 
b)     For service providers:
                         i.       follow the principle of minimum level of personal data collection, and use the data within the purpose of collection;
                       ii.       before obtaining the individual's consent to download personal data, inform the individual of the terms and conditions of the service to ensure acknowledgement and understanding by the individual; and
                     iii.       relevant rights under the personalized data obtained from the Platform should still be owned by the individual.
 
c)     In case the interface with the Platform needs to be suspended, except for emergencies, a thirty-day prior notice shall be published on the service platform of the entity or organization. The entity/organization should also notify the Platform via email or written notifications.
 
(Point 5 of MyData Guidelines)
 
4.     Data security control and verification:
 
a)     Data providers and service providers should produce data transmission records, which should be kept for at least one year. The records should include transmission time, recipient, identity of the individual and whether the transmission is successful as well as cooperate with the request for examination by the NDC.
 
b)     Service providers should implement annual internal audit on the process of personal data collection, processing and use and should produce an audit report which should be kept for at least two years, unless a longer period is otherwise prescribed by the service provider. The service provider should also cooperate with the request for examination by the NDC or the industry competent authority.
c)     The data providers should be solely responsible for personal data error or data security events, which should be handled in accordance with relevant laws and regulations. Additionally, the NDC may terminate its interface.
 
d)     The service providers should be solely responsible for misuse or leakage of personal data or data security events, which should be handled in accordance with relevant laws and regulations. Additionally, the NDC may terminate its interface.
 
(Point 6 of MyData Guidelines)
 
Open data and open banking are hot topics and surging trends that attract heated discussions recently. However, these new business and operating models may involve legal issues relating to Cyber Security Management Act, Personal Data Protection Act, Banking Act, Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, etc. If you wish to further understand the legal aspects and issues regarding MyData, open data, open banking and related business or operating models, please feel free to contact our banking practice group and personal data protection practice group for more details.


 
回上一頁