Privacy Protection
Protection Policy of Personal Information
Taishin has a personal information protection policy in place to ensure legitimate collection and use of customers' and employees' personal data. This policy is constantly reviewed and revised in line with changes in regulation. In addition to conducting regular inspections on the security of personal information, Taishin also assesses possible personal information risks and uses the findings to establish proper management practices, responses, reporting channels and preventions for incidents such as theft, alteration, destruction, loss or leakage of personal information, and thereby enforce the personal information protection system of the organization.
Taishin continues to execute training programs that are aimed at raising employees' awareness and respect towards personal information and promoting thorough understanding of relevant legal requirements, responsibilities, systems, procedures and measures the organization has in place for the protection of personal information.
Training for Protection of Personal Information in 2020
-
New recruits (to complete training within six months after coming onboard)
-
- Online course on personal information protection
- Classroom/online courses on information security
- Compliance and behavior guidelines
-
100
-
100
-
General employees
-
- Personal information protection reminder publications
- Online course on information security and personal information protection (Note: The coverage rate equals the completion rate for this online course.)
- Classroom course on personal information protection
-
100
-
100
-
Personal information management contacts of various units
-
- Personal information infringement response drills
-
100
-
100
Personal Information Protection Measures
With regards to the handling of personal information incidents and employees' crisis awareness, Taishin has implemented "Management Regulations on Personal Information Misuse Incidents" to facilitate effective emergency response should an incident arise. If a personal information incident occurs, employees are required to report immediately to the line manager and complete risk assessment and incident classification within the given timeframe. Depending on the severity of the incident, an emergency response team may be assembled to execute response, coordination, communication and investigation in relation to the incident. In 2020, Taishin received no penalty from the authority for violation of personal information.
Furthermore, out of respect for customers' personal information and their rights, Taishin has implemented "Operation Regulations on the Exercise of a Party's Rights" to facilitate proper handling of customers' rights to inquire, review, make duplicate copy of, supplement, correct and delete their personal information maintained with Taishin, as well as their rights to stop Taishin from further gathering, processing and use of information.
The Handling of Each Level of Incident and the Reporting Level
-
Level 2 Incident
Must be reported within 4 hours; the Emergency Response Team must be convened within 24 hours; the response plan must be established within 48 hours.
-
- the incident involves more than 100 records of personal information that have been disclosed, or used without the Party's authorization, or improperly processed, used, or disclosed; or the collection of personal information without going through legal and proper channels;
- the incident appears to have been caused by the Bank's improper control of its information technology system and operating procedures;
- the incident was notified by law enforcement agencies or the central competent authorities, and that has been determined as a major incident; involving highly-sensitive information (ex: public figures etc.);
- incidents reported by the media.
-
Emergency Response Team
-
President
-
Level 1 Incident
Must be handled within 48 hours.
-
- the incident involves fewer than 100 records of personal information that have been disclosed, or used without the Party's authorization, or improperly processed, used, or disclosed; or the collection of personal information without going through legal and proper channels;
- the incident was notified by law enforcement agencies or the central competent authorities, and that has been determined as a Level 1 incident.
-
Personal Information Protection Implementation Department
-
Said department's supervisor
Taishin places great emphasis on the protection of personal information. To enhance security management practices, Taishin Bank engaged certified public accountants to perform a special audit on personal information protection in 2020 for which the CPAs issued a statement claiming that the design and implementation of the internal control system for personal information protection are effective.
Information Security Measures for e-Commerce Services
Includes: User Identification and Authentication, Personal Information and Sensitive Data Masking, Network Encryption, Secure Software Development Life Cycle, Access Control and Monitoring Management, Intrusion Prevention System Management, and Security Information Event Management.
We monitor the percentage of users whose customer data is used for secondary purposes
- Taishin has incorporated strict management approaches for 100% monitoring and protecting customer personal data which contains the use for primary and secondary purposes.
- In 2020, we conducted marketing contacts for secondary purposes with 5.51 million customers, which accounted for approximately 80.3% of our total customers. The scope of use is fully complied with the purposes agreed with customers (we only use the customer data that the customers agree for the purposes on the notification of the provided products and services, or agree with "Consent to Clients Data Cross-referencing"; and all the customers can go through a written "Declaration of not Accepting Marketing Information" to request discontinuing using their data at any time.)
Grievance Mechanism of Personal Information Protection
Taishin attaches great importance to the protection of personal information, and customers can raise questions or file complaints through different channels. If the results of an investigation confirm a violation of personal information, we will take disciplinary actions (e.g., downgrading of performance evaluation, withholding of bonuses, and internal penalties). We shall also propose specific system and process improvements to address the root cause of the complaint and avoid the recurrence of similar situations. The cases are compiled and submitted to the Fair Customer Treatment and Consumption Review Committee and the Board of Directors each quarter. The management department unit shall continue to monitor improvements to ensure implementation.
