National Chengchi University Institutional Repository (NCCUR): Item 140.119/61197
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/61197


    Title: 基於存取目的之個資控管框架-以銀行業為例
    Purpose-Based PII Control Framework - A Banking Perspective.
    Authors: 鄭明璋
    Cheng, Ming Chang
    Contributors: 陳恭
    Chen, Kung
    鄭明璋
    Cheng, Ming Chang
    Keywords: Personal Data Protection Act
    Privacy
    Purpose
    Date: 2012
    Issue Date: 2013-10-01 13:46:54 (UTC+8)
    Abstract: The new Personal Data Protection Act was promulgated in May 2010 (ROC year 99) and formally took effect in October 2012 (ROC year 101). With the new act in force, both public-sector and private organizations have invested substantial resources to improve their collection, processing and use of personal data and to ensure that these practices comply with the act's requirements.
    Given the nature of their business, the collection, processing and use of personal data is a daily issue for banks. Although the earlier personal-data laws, the Computer-Processed Personal Data Protection Act and the Banking Act, already contained provisions on the handling of personal data, banks did not take data protection seriously or fully discharge their protection duties, because auditing and proving violations was difficult and penalties were light; as a result, cases of personal data leakage at banks were not uncommon. After the new act took effect, the burden of proof shifted from the data subject to the enterprise: when a suspected data leak occurs, the enterprise must prove that its systems or mechanisms for controlling personal data already satisfy the act's requirements and that it has fulfilled its duty of proper management. Banks therefore have no choice but to invest substantial resources in their internal personal-data protection and auditing mechanisms and to bring the provisions of the new regulations into the scope of their system functions.
    Alongside the act's implementation, the Ministry of Justice issued the Specific Purposes and Categories of Personal Data under the Personal Data Protection Act, which explicitly define the categories of personal data and the purposes for which it may be accessed. Addressing this requirement, this study analyzes current banking operations, takes into account the likely needs of future business development, and designs a flexible personal-data access framework for managing data classification and access purposes, so as to satisfy the act's requirements.
    As the latest version of the "Personal Data Protection Act (PDPA)" was published in May 2010 and formally implemented in October 2012, all public and private sector organizations need to put in significant resources to meet its strengthened legal requirements on personal data collection, processing and utilization. Banks are among the first to be affected, as personal data collection, usage and handling are essential to their daily operations. This thesis therefore investigates compliance with the PDPA from a banking perspective.
    A distinguishing feature of the new PDPA is the inclusion of "purposes" in regulating access to personal data: an organization must obtain informed consent from its customers regarding how their personal data will be used, that is, their privacy preferences.
    Currently, employing a proper access control mechanism to protect customer data is a well-accepted discipline in bank information system (BIS) development. However, the design of such mechanisms rarely includes support for customers' preferences regarding the use of their personal data. It is therefore highly desirable to extend a BIS's access control to handle customers' privacy preferences.
    This thesis investigates the common practices of bank operations and presents a purpose-based access control framework for future BIS development. Specifically, we derive a classification of bank customers' personal data and purpose categories for bank operations, so that the proposed access control framework can ensure that every access to customers' personal data matches the access purposes they have granted. As a result, the framework lays a foundation for a bank's compliance with the PDPA.
    Description: Master's thesis
    National Chengchi University
    Department of Computer Science
    95971007
    101
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0095971007
    Data Type: thesis
    Appears in Collections: [Department of Computer Science] Theses

