Information Safety Statement of Fisheries Agency, Council of Agriculture, Executive Yuan

This statement is made to achieve the following operational and management goals of the Fisheries Agency, Council of Agriculture, Executive Yuan and its affiliated departments.

1. Uninterrupted operation of digitalizing the information system for core business will be promoted to maintain the effectiveness of internal systematic administration thus maximizing the quality of information service to the public.
2. All data collected, processed, and utilized will treated in the manner of confidentiality, completeness, and accuracy.
3. The collection, processing, and utilization of personal data will be conducted in accordance with the requirements of the Personal Data Protection Law.

I. Scope of Applications

1. Management System

This policy is applicable to the data security system and personal data information system.

2. Organizations:

(1) Information Security Management System

Applicable to all personnel in different departments and affiliates of FA, business counterparts, contractors, outsourcing business counterparts, visitors, and all users of FA’s information services.

(2) Personal Data Management System

Applicable to all personnel in charge of FA business in various departments, departments of business contacts, and outsourcing businesses commissioned by FA to collect, process, or utilize personal data.

II. Policy Requirements

1. FA will consolidate the enforcement of the relevant laws and regulations, including the Intellectual Property Rights Protection Law, the Personal Data Protection Law, the Regulations Governing Information Security Management of the Executive Yuan and Agencies under the Executive Yuan, and any agreements and contracts with outside businesses.

2. FA will endeavor to promote the exercise, auditing, communication and coordination of plans and projects relating to the management system and conducts educational training and propagation relating information and personal data protection to ensure all personnel has the knowledge of the duties of maintaining security in their work.

3. It is a principle that information properties possessed by staff in their work should be treated as public if they are publicly owned. All data are classified in accordance with their need as planned and business required risk evaluation will be taken to achieve effective management and control. Digitalization of information system will be operated and managed in accordance with actual business requirements to ensure the applicability of digitalized operation.

4. Access to the office areas and computers installation rooms will be properly controlled and monitored to ensure their security.

5. Technological protection and management are enhanced to ensure maximum security of the computer hardware and the information system. Minimum accessibility need is adopted in accordance with the duty assignments of the personnel and their access authority to prevent system sabotage resulting from improper access, modification, damage, or net attack.

6. In order to prevent computer viruses and malicious system operation, only authorized systems and software are permitted to be used. All other unauthorized software is prohibited.

7.Protection of all personal information should meet the following requirements:

(1) The collection, processing and utilization of personal information will be operated within the scope of business so required to ensure the legality, accuracy and appropriateness of the data access, with prior authorization for such access.

(2)For the commission of third parties to collect, process, and utilize personal data, proper administration and review need to be developed.

(3) Channels are provided to the parties of direct concern for inquiring, copying, modifying, supplementing, deleting, and terminating the usage of personal data, as well as procedures for complaints and reporting, and automatic reporting to the related parties in case of incidents involving the security of personal data.

III. Responsibilities

1. The management level personnel should actively participate in and support the management system, and implement this policy through appropriate standard and procedures.

2. All FA personnel, outsourcing businesses, and visitors should comply with this policy.

3. All FA personnel and outsourcing businesses have the responsibility of reporting any information security incidents and faults through the appropriate reporting mechanism.

4. Any infringement of information security or personal data protection should be liable to administrative, civil or criminal actions in accordance with the applicable law, based on its severity, or accountable for administrative actions in accordance with the relevant rules and regulations of FA.