Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/61197
|
Title: | Purpose-Based PII Control Framework - A Banking Perspective |
Authors: | 鄭明璋 Cheng, Ming Chang |
Contributors: | 陳恭 Chen, Kung 鄭明璋 Cheng, Ming Chang |
Keywords: | Personal Data Protection Act; Privacy; Purpose |
Date: | 2012 |
Issue Date: | 2013-10-01 13:46:54 (UTC+8) |
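Abstract: | The new version of the "Personal Data Protection Act" was promulgated in May 2010 (ROC year 99) and formally took effect in October 2012 (ROC year 101). With the new law in force, both public agencies and private organizations have invested substantial resources to improve and ensure that their collection, processing and use of personal data meet the requirements of the "Personal Data Protection Act".
Owing to the nature of their business, banks must deal with the collection, processing and use of personal data every day. Although the earlier legislation, the "Computer-Processed Personal Data Protection Act" and the "Banking Act", already contained provisions on the handling of personal data, difficulties in auditing and in producing proof, together with overly light penalties, meant that banks did not truly take personal data protection seriously or fulfil their responsibility for it, so cases of personal data leaking from banks were heard of from time to time. Once the new "Personal Data Protection Act" formally took effect, the burden of proof shifted from the data subject to the enterprise: when a suspected personal data leak occurs, the enterprise must prove that its systems or mechanisms for controlling personal data satisfy the requirements of the "Personal Data Protection Act" and that it has fulfilled its duty of sound management. Banks therefore have no choice but to invest substantial resources in making their internal protection and audit mechanisms for personal data comprehensive, and in bringing the requirements of the new law within the scope of their system functions.
Along with the implementation of the "Personal Data Protection Act", the Ministry of Justice issued the rules "Specific Purposes and Categories of Personal Data under the Personal Data Protection Act" to define explicitly the categories of personal data and the purposes for which personal data may be accessed. Addressing this requirement, this study surveys and analyses current banking operations, takes the possible needs of future business development into account, and designs a flexible personal data access framework for managing personal data classifications and access purposes, thereby satisfying the requirements of the "Personal Data Protection Act".
The latest version of the "Personal Data Protection Act (PDPA)" was published in May 2010 and has been formally implemented since October 2012, so all public and private sector organizations need to put in significant resources to meet the strengthened legal requirements on personal data collection, processing and utilization. Banks are among the first to be affected, as personal data collection, usage and handling are essential to their daily operations. This thesis therefore investigates compliance with the PDPA from a banking perspective.
A distinguishing feature of the new "Personal Data Protection Act" is the inclusion of "purposes" in regulating access to personal data: an organization must get informed consent from its customer regarding how her personal data will be used, that is, her privacy preferences.
Currently, employing a proper access control mechanism to protect customers' data is a well-accepted discipline in bank information system (BIS) development. However, the design of such mechanisms hardly ever includes the requirement of supporting customers' preferences regarding the use of their personal data. It is therefore highly desirable to extend a BIS's access control to handle customers' privacy preferences.
This thesis investigates the common practices of bank operations and presents a purpose-based access control framework for future BIS development. Specifically, we derive a classification of bank customers' personal data and purpose categories for bank operations so that the proposed access control framework can ensure that all accesses to customers' personal data match their granted access purposes. As a result, the framework will lay a foundation for a bank's compliance with the PDPA. |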
Description: | Master's; National Chengchi University; Department of Computer Science; 95971007; 101 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0095971007 |
Data Type: | thesis |
Appears in Collections: | [Department of Computer Science] Theses |
All items in 政大典藏 are protected by copyright, with all rights reserved.
|