New Personal Data Protection Act increases corporate responsibility for collecting and controlling personal data


By 蘇文彬 (Su Wen-bin), 2010-04-28, ITHome

The new act stipulates that whoever collects personal data, whether directly or indirectly, must fulfil a duty of notification and obtain the data subject's written consent. It also lays down detailed rules on the use of personal data that are stricter than the standards of the old act.

The Personal Data Protection Act has passed its third reading in the Legislative Yuan. The Science and Technology Law Center of the Institute for Information Industry (III) expects that, once the new act takes effect, its detailed rules on the collection and processing of personal data will add to the responsibilities of enterprises.

The biggest difference between the new Personal Data Protection Act and the current Computer-Processed Personal Data Protection Act is that the scope of regulation is extended from the original eight industries (medical care, telecommunications, mass media, finance and others) to all public and private organizations. Industries that were not covered by the Computer-Processed Personal Data Protection Act, such as online retail, as well as ordinary individuals and groups, are all brought under the act, greatly widening its reach.

The new act regulates personal data in more detail and more explicitly than the old one. For enterprises that routinely hold thousands or tens of thousands of customer records, the impact is greater than for ordinary individuals or groups, and they will have to adjust early how they collect, process and protect personal data.

邱映曦 (Chiu Ying-hsi), section chief of the second division of the III Science and Technology Law Center, said that under the new act whoever collects personal data, whether directly or indirectly, must fulfil a duty of notification: the data subject must be told in detail who is collecting the data, for what purpose and for what uses, and written consent must be obtained. By contrast, the Computer-Processed Personal Data Protection Act required notification only for direct collection and did not specify the content of the notice or require consent. Because the new act takes a stricter approach to collecting and processing personal data, enterprises will have to adjust their internal data control procedures and processing mechanisms accordingly.

The new act also strictly regulates the use of personal data: if a record is to be used for a purpose other than the one for which it was originally collected, the data subject must be notified again. Chiu said this is meant to protect data subjects, but it also means that when different subsidiaries within a corporate group later use the data for different purposes, the data subject has to be notified once more. To avoid this trouble, the possible future uses should be stated clearly when the data is first collected.

Besides setting detailed rules on how new data may be obtained, the new act also covers data collected before it takes effect: collectors must notify the data subjects within one year of the act coming into force, or they may no longer use the data. This forces enterprises to re-examine the data they already hold so that they do not end up with records they cannot use.

Another issue is that once the new act takes effect, the burden of proof falls on the enterprise. Chiu said that under the old act many industries were not covered, so when a personal-data leak occurred, a consumer suing the company under the Civil Code had to prove that the company had leaked the data, which was often difficult. The new act instead requires the enterprise to prove that the leak was not its own fault, so enterprises need strict internal data control and protection in order to prevent incidents in the first place or to produce favourable evidence afterwards.

On penalties, the new act adds civil, criminal and administrative sanctions, strengthening enforcement under the various provisions. It also introduces a class-action mechanism for groups of at least 20 people, allowing consumers whose data has been leaked to sue and seek compensation collectively. Compensation per record per individual ranges from NT$500 to NT$20,000, and the cap on group compensation is raised from NT$20 million under the old act to a maximum of NT$200 million.

Although the new Personal Data Protection Act has passed its third reading, it will take effect only on a date to be announced by the Executive Yuan. Until then, enterprises have a buffer period in which to adjust their internal data collection and control to the new act and avoid the legal risks it poses to their operations.


California health worker jailed for violating the HIPAA privacy law

Health worker is first HIPAA privacy violator to get jail time

Dan Kaplan, April 28, 2010, SC Magazine

A former UCLA Health System employee, apparently disgruntled over an impending firing, has been sentenced to four months in federal prison after pleading guilty in January to illegally snooping into patient records, mainly those belonging to celebrities.

Huping Zhou, 47, of Los Angeles, who was sentenced Tuesday, now has the dubious distinction of being the first person to ever receive prison time for violating the privacy stipulations under the Health Insurance Portability and Accountability Act (HIPAA), according to the U.S. Attorney's Office for the Central District of California.

Zhou, a licensed surgeon in China, was working as a researcher at the UCLA School of Medicine in 2003 when he began accessing medical records of his supervisor and co-workers after being notified that he soon would be fired for job performance issues, prosecutors said. Over the next three weeks, he extended his snooping to mostly celebrity records. In total, he accessed the patient records system 323 times.

As part of a plea agreement, Zhou admitted he "obtained and read" private medical records on four separate occasions and had no legitimate reason to do so, prosecutors said.

Zhou's attorney did not return a telephone call seeking comment.

"UCLA considers patient confidentiality a critical part of our mission of providing the highest level of teaching, research and patient care and fully supports the U.S. attorney's initiatives to protect patient privacy by vigorous enforcement of HIPAA," the health system said in a statement.

The prosecution of Zhou appears to be proof that attorneys general are increasingly willing to take HIPAA violators to court.

New York-based health care lawyer Sara Krauss told SCMagazineUS.com on Thursday that she expects to see increased prosecution of HIPAA offenders, partly because of the federal government's heightened focus on privacy.

"It's possible that the increased enforcement and penalties under HIPAA are reflective of what's going on in the rest of the privacy arena," Krauss said.

This is not the first time UCLA Medical Center has faced privacy intrusions. In 2008, it moved to fire 13 employees and suspended six others for unauthorized access to the confidential medical records of pop star Britney Spears.
