CECC Announced the Guidelines on Contact-Information-Based Measures
In view of Taiwan’s slowing COVID-19 situation and low risk of community transmission, the Central Epidemic Command Center (“CECC”) announced on April 30, 2020 that it will gradually relax the previously announced epidemic prevention measures and issue some daily epidemic prevention guidelines for the public to follow. On May 28, 2020, the CECC announced the “Guidelines on Contact-Information-Based Measures” to ensure that people who had visited the same places during a certain period of time can be reached immediately when there is a need for an epidemic investigation.
Because government and non-government agencies need to collect at least people’s contact information when implementing the contact-information-based measures, the CECC, in order to enhance the transparency of information and the public’s trust, requires these agencies to designate personnel to be responsible for data protection matters. The personal data so collected shall not be retained for more than 28 days and shall be deleted or destroyed immediately when the aforesaid retention period expires. In addition, government and non-government agencies have to inform the data subject of the following at the time of collection in accordance with Paragraph 1, Article 8 of the Personal Data Protection Act: (1) the name of the data collector; (2) the purpose for which his/her personal data is collected (i.e., for epidemic prevention purposes); (3) the types of data to be collected (comply with the data minimization principle to avoid collecting data other than phone numbers); (4) how long the data will be used (i.e., within 28 days from the date of collection); (5) to whom and in what manner the data will be used (e.g., provide personal data to health authorities for an epidemic investigation); (6) what rights he/she may exercise in relation to his/her personal data and how he/she can exercise such rights; and (7) how his/her rights or interests would be affected if he/she chooses not to provide the data (e.g., inability to access a venue or participate in activities).
To lessen the burden on government and non-government agencies in performing the above-mentioned notification obligations, the CECC recommended that they adopt a “multi-step notification” approach by disclosing the material information in a conspicuous place and providing other details via a QR code or URL link. The CECC also required that if the contact-information-based measures will be implemented using information systems or mobile applications, an information security risk assessment should be conducted and appropriate security control measures should be taken to ensure information security.
Should you have any questions or require any assistance, please do not hesitate to contact any member of our Personal Data Protection Practice Group.