Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/125031
|
Title: | 大數據經濟發展下企業利用個資方式所面臨的個資法規範分析—以金控公司建立客戶信用分數的剖析模型(Profiling)專案為例 Personal Data Protection in the Era of Big Data — Case Study of a Taiwanese Financial Holding Company’s Customer Profiling Practice |
Authors: | 鄭依明 Cheng, Yi-Ming |
Contributors: | 鄭菀瓊 Cheng, Wan-Chiung 鄭依明 Cheng, Yi-Ming |
Keywords: | 人工智慧 數據分析 個資法 個資管理 隱私衝擊評估 個案研究 剖析模型 大數據經濟 AI(artificial intelligence) Data analysis Personal data protection Personal data management Privacy risk assessment Case study Profiling model Big data |
Date: | 2019 |
Issue Date: | 2019-08-07 17:05:05 (UTC+8) |
Abstract: | 隨著全球大數據經濟不斷的發展,企業利用手邊數據進行新商業機會開發的行為,逐漸成為受到普遍重視的新商業模式發展策略。尤其是對於面臨著產業轉型需求與傳統產業升級壓力的台灣企業來說,這些企業正嘗試跟隨這波浪潮,不斷的投入公司資源進行數據的利用與研究,以優化舊有服務與打造新服務為目的,盡可能尋找各種能為公司創造價值的數據利用模式。其中,利用大量的個人資料建立客戶剖析模型以創造新商業價值的模式,更是許多企業在近年來成功利用於消費者分析、精準行銷與客製化服務設計等領域之典範,而被視為擁有極大發展潛力的個人資料利用方式。
但企業所追求極大化個人資料價值的利用目的,與個資法中資料隱私權給予資料擁有者控制個人資料的保護目的,兩者是相互矛盾的。針對企業應該如何平衡該矛盾的議題探討,雖然目前相關討論的文獻漸多,但大多數僅以理論面的探討為主,而少有企業內部實際運作的討論,因而難以得知企業實際面對此議題所產生的情境為何。
因此,本文提供了一實際企業進行剖析模型開發案例的介紹,並整理個資法關於個資保護範圍、個資管理模式的現有規範,嘗試分析出企業在個資法的規範下所面臨的問題與困難,並給予未來要利用個人資料進行剖析模型建立的企業一個完整的參考依據。而本研究將藉由與台灣知名金控公司的大數據團隊管理者進行深度訪談,獲取剖析模型建立的實際資料處理情境,並同時進行關於個資保護範圍、企業個資管理模式的文獻探討,最後也會包含結合理論面與實務面綜合分析。
本研究結果發現,由於建立剖析模型的資料處理情境十分複雜且擁有高流程變動性,同時加上有人工智慧特性的演算法參與使得資料處理結果難以預期,造成了企業高昂的管理成本與在資料管理上的限制。而這樣的情形將導致企業在剖析模型建立的過程中容易忽略了對於個人資料的保護,產生許多潛在的隱私侵害來源。因此,企業應在過程中進行隱私衝擊評估,並密切關注隱私衝擊來源的轉換,建立有效率的隱私風險管理模式,以平衡在大數據時代下利用個資行為與個資法保護目的之矛盾。 With the continuous growth in global big data market, it becomes more and more essential for companies to develop their own strategy so as to find new business opportunities by exploiting data. Especially for companies in Taiwan which face the desperate need of transformation in conventional industries and industries upgrading, they are trying to follow up the overwhelming trend of big data by constantly investing resources in exploiting data and related research.
Recently, the method of using lots of personal data to build customer profiling models has been considered as one of the most promising ways to exploit personal data. However, it may somehow cause conflicts between the goal that companies pursue to maximize the value of personal data and the core value that personal data protection law provides people the right to control their own personal data. In spite of the fact that there are more and more researches about the issue of how to resolve the contradiction, most of them were mainly focus on theoretical discussion and yet lack of providing practical cases inside the company. Therefore, the real impact for company in dealing with this issue is still not unveiled.
Accordingly, this paper provides an actual profiling model building scenario to discuss this problem. In addition, it sorts out the regulations of the personal data protection law, trying to figure out what kind of the data should be protected and how should the company manage them, providing comprehensive suggestions for companies which are going to build profiling model with personal data in the future.
To sum up, the process of building profiling model is so sophisticated and fluctuated as well as the implementation of AI Algorithm which makes output even more unpredictable, the company are now facing heavy managerial cost and the limitation of data management. That leads to the ignorance and reluctance of personal data protection for company; meanwhile, it may also cause lots of potential privacy violations. Therefore, the company should keep an eye on the possible sources of the privacy risks from time to time and establish the adapting risk control system effectively. |
Reference: | ㄧ、中文參考文獻
1. 宋皇志。(2018)。巨量資料交易之法律風險與管理意涵-以個人資料再識別化為中心。 管理評論, 37(4),37-51。 2. 林鴻文。(2013)。個人資料保護法。台北市:書泉出版社。 3. 法務部。(2010)。電腦處理個人資料保護法修正條文對照表。 取自:https://www.moj.gov.tw/dl-19613-da3da130e2ed464fbaf534929cfc9fb0.html 4. 法務部。(2011)。電腦處理個人資料保護法施行細則修正草案條文對照表。取自:http://www.moj.gov.tw/public/Attachment/1102710165577.pdf 5. 法務部。(2016)。公務機關利用去識別化資料之合理風險控制及法律責任。取自:http://ws.ndc.gov.tw/Download.ashx?u=LzAwMS9hZG1pbmlzdHJhdG9yLzEwL2NrZmlsZS9jMzRiN2YzNy03ZjgwLTRiMmQtOTliYS02NWZjNTcyNzczNmQucGRm&n=KDEp6Kqy56iL5ZCN56ixLeWAi%2BS6uuizh%2BaWmeWOu%2BitmOWIpeWMluS5i%2BWIpOaWt%2Baomea6luWPiuebuOmXnOazleW%2Bi%2BiyrOS7u%2BaOouioji5wZGY%3D 6. 范姜真媺。(2013)。個人資料保護法關於「個人資料」保護範圍之檢討。東海大學法學研究(41),91-123。 7. 徐仕瑋。(2015)。從「電信業者別」看我國個資法之適用。人權會訊(115),37-38。 8. 財政部財政資訊中心。(2016)。個人資料去識別化過程驗證案例報告。取自:https://ws.ndc.gov.tw/Download.ashx?u=LzAwMS9hZG1pbmlzdHJhdG9yLzEwL2NrZmlsZS83YzI2YzEwMy0yNzU4LTQ0YTMtODg0Mi03N2ZmNTBkMzNhMWIucGRm&n=KDQp6Kqy56iL5ZCN56ixLeWAi%2BS6uuizh%2BaWmeWOu%2BitmOWIpeWMlumBjueoi%2Bmpl%2BitieahiOS%2Bi%2BWgseWRii5wZGY%3D 9. 張陳弘。(2016)。個人資料之認定-個人資料保護法適用之啟動閥。法令月刊,67(5),67-101。 10. 張陳弘。(2018)。新興科技下的資訊隱私保護:[告知後同意原則] 的侷限性與修正方法之提出。臺大法學論叢,47(1),201-297。 11. 陳佑寰。(2016)。鬆綁部份告知同意規定-個資法修正有利網路產業。取自:網管人 https://www.netadmin.com.tw/article_content.aspx?sn=1601110017 12. 彭金隆、陳俞沛與孫群。(2017)。巨量資料應用在台灣個資法架構下的法律風險。臺大管理論叢,27(2S),93-118。 13. 黃彥棻。(2012)。個資法細則送審,新版草案取消軌跡資料。ithome。取自:https://www.ithome.com.tw/node/74891 14. 經濟部。(2018a)。個資流程衝擊分析表、填寫說明及填寫範例。 取自:https://www.moea.gov.tw/MNS/COLR/content/wHandMenuFile.ashx?file_id=17630 15. 經濟部。(2018b)。經濟部個人資料保護作業手冊107年3月版。取自:https://www.moea.gov.tw/MNS/COLR/content/wHandMenuFile.ashx?file_id=17629 16. 經濟部標準檢驗局。(2016)。「個人資料去識別化」驗證標準規範研訂及推廣。取自:https://www.slideshare.net/vtaiwan/ss-58562437 17. 經濟部標準檢驗局。(2018)。專題報導-資訊大爆炸時代,標準保障使用者的資訊安全。取自:標準資料電子報 http://fsms.bsmi.gov.tw/cat/epaper/0706.html 18. 葉志良。(2016)。大數據應用下個人資料定義的檢討:以我國法院判決為例。[The Adjustment of the Definition of Personal Information in the Age of Big Data: From a Perspective of Court case]。資訊社會研究(31),1-33。 19. 葉志良。(2017)。大數據應用下個人資料的法律保護。人文與社會科學簡訊,19(1),6。 20. 廖緯民。(1996)。論資訊時代的隱私權保護-以「資訊隱私權」為中心。資訊法務透析,8(11),20-27。doi:10.7062/INFOLAW.199611.0013 21. 樊國楨、蔡昀臻。(2016)。個人資料去識別之標準化的進程初探:根基於ISO/IEC 2nd WD 20889:2016-05-30。標準與檢驗雙月刊,196,24。 22. 蔡昀臻。(2016)。巨量資料發布系統之個人資料去識別化要求事項初論。(碩士),國立交通大學,新竹市。取自:https://hdl.handle.net/11296/uk35xw 23. 鍾孝宇。(2016)。巨量資料與隱私權─個人資料保護機制的再思考。(碩士),國立政治大學,台北市。取自:https://hdl.handle.net/11296/hc3kkv
英文參考文獻
24. APEC privacy framework.(2005). Paper presented at the Asia Pacific Economic Cooperation Secretariat. http://publications.apec.org/-/media/APEC/Publications/2005/12/APEC-Privacy-Framework/05_ecsg_privacyframewk.pdf 25. Barbaro, M, & Zeller Jr., T.(2006). A Face Is Exposed for AOL Searcher No. 4417749. The New York Times Retrieved from https://www.nytimes.com/2006/08/09/technology/09aol.html 26. Bing, J. (1984). The Council of Europe Convention and OECD Guidelines on Data Protection. Mich. YBI Legal Stud., 5, 271. 27. Calo, R.(2013). Against notice skepticism in privacy(and elsewhere). Notre Dame Law Review, 87(3), 1027. 28. Cooley, T. M., & Lewis, J.(1907). A treatise on the law of torts, or the wrongs which arise independently of contract. Chicago: Callaghan & company. 29. Davis, W.(2013). AOL Settles Data Valdez Lawsuit For $5 Million. from Media Post https://www.mediapost.com/publications/article/193831/aol-settles-data-valdez-lawsuit-for-5-million.html 30. El Emam, K.(2011). Methods for the de-identification of electronic health records for genomic research. Genome Medicine, 3(4), 25. doi:10.1186/gm239 31. Garfinkel, S. L.(2015a). The Data Identifiability Spectrum. In De-identification of personal information (Ed.). 32. Garfinkel, S. L.(2015b). De-identification of personal information. Retrieved from https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf 33. Harford, T.(2014). Big data: A big mistake? Significance, 11(5), 14-19. 34. Information and privacy commissioner of Ontario(2016). De-identification Guidelines for Structured Data. 35. King, N. J., & Forder, J.(2016). Data analytics and consumer profiling: Finding appropriate privacy principles for discovered data. Computer Law & Security Review, 32(5), 696-714. doi:https://doi.org/10.1016/j.clsr.2016.05.002 36. Li, C. (2016). A Gentle introduction to gradient boosting. URL: http://www.ccs.neu. edu/home/vip/teach/MLcourse/4_ boosting/slides/gradient_boosting.pdf. 37. Longhurst, R.(2003). Semi-structured interviews and focus groups. Key methods in geography, 3, 143-156. 38. Malin, B.(2013). A De-identification Strategy Used for Sharing One Data Provider’s Oncology Trials Data through the Project Data Sphere® Repository. Project Data Sphere. 39. Mantelero, A.(2014). The future of consumer data protection in the EU Re-thinking the “notice and consent” paradigm in the new era of predictive analytics. Computer Law Security Review, 30(6), 643-660. 40. Mayer-Schönberger, V., & Cukier, K.(2014). Big Data: A Revolution That Will Transform How We Live, Work, and Think: Houghton Mifflin Harcourt. 41. McCallister, E.(2010). Guide to protecting the confidentiality of personally identifiable information: Diane Publishing. 42. Nissenbaum, H.(2011). A Contextual Approach to Privacy Online. Daedalus, 140(4), 32-48. doi:10.1162/DAED_a_00113 43. Palinkas, L. A., Horwitz, S. M., Green, C. A., Wisdom, J. P., Duan, N., & Hoagwood, K.(2015). Purposeful Sampling for Qualitative Data Collection and Analysis in Mixed Method Implementation Research. Administration and policy in mental health, 42(5), 533-544. doi:10.1007/s10488-013-0528-y 44. Article 29 Data Protection Working Party.(2007). Opinion 4/2007 on the concept of personal data. 45. Article 29 Data Protection Working Party.(2017). Guidelines on Data Protection Impact Assessment(DPIA)and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. 46. Executive Office of the President, Munoz, C., Director, D. P. C., Megan (US Chief Technology Officer Smith (Office of Science and Technology Policy)), & DJ (Deputy Chief Technology Officer for Data Policy and Chief Data Scientist Patil (Office of Science and Technology Policy)). (2016). Big data: A report on algorithmic systems, opportunity, and civil rights. Executive Office of the President. 47. Rustici, C.(2018). GDPR Profiling and Business Practice. In Computer Law Review International(Vol. 19, pp. 34). 48. Schermer, B. W.(2011). The limits of privacy in automated profiling and data mining. Computer Law & Security Review, 27(1), 45-52. doi:https://doi.org/10.1016/j.clsr.2010.11.009 49. Schwartz, P. M., & Solove, D. J.(2011). The PII problem: Privacy and a new concept of personally identifiable information. NYUL rev., 86, 1814. 50. President`s Council of Advisors on Science Technology.(2014). Report to the President, Big Data and Privacy: A Technology Perspective. Executive Office of the President, President`s Council of Advisors on Science and Technology 51. Sweeney, L.(2002). k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness Knowledge-Based Systems, 10(05), 557-570. 52. United States v. Knotts.(1983). In US Report(Vol. 460, pp. 276): United States Supreme Court 53. Voigt, P., & Von dem Bussche, A.(2017). The EU General Data Protection Regulation(GDPR)(Vol. 18): Springer. 54. Warren, S. D., & Brandeis, L. D.(1890). The Right to Privacy. Harvard Law Review, 4(5). doi:10.2307/1321160 55. Zuiderveen Borgesius, F. J.(2016). Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation. Computer Law & Security Review, 32(2), 256-271. doi:https://doi.org/10.1016/j.clsr.2015.12.013 |
Description: | 碩士 國立政治大學 科技管理與智慧財產研究所 105364210 |
Source URI: | http://thesis.lib.nccu.edu.tw/record/#G1053642101 |
Data Type: | thesis |
DOI: | 10.6814/NCCU201900050 |
Appears in Collections: | [科技管理與智慧財產研究所] 學位論文
|
Files in This Item:
File |
Size | Format | |
210101.pdf | 3083Kb | Adobe PDF2 | 107 | View/Open |
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|