Answer ... (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Cybersecurity: The CSMA regulates matters with regard to cybersecurity, including government agencies and providers of critical infrastructure. Financial institutions and healthcare providers such as hospitals are likely to be designated as critical infrastructure providers and subject to the CSMA.
National security: The National Security Act regulates general matters with regard to the protection of Taiwan’s national security. There is no reference in this act to cybersecurity, personal data or cybercrime; but in general, it will apply to any national security matters in relation to cyberspace.
Financial services: The financial industry is subject to strict scrutiny by its primary regulator. There are many rules and guidelines on the information security measures that financial institutions must implement. Meanwhile, certain financial institutions are likely to be designated as critical infrastructure providers, in which case they will be subject to the security and reporting requirements under the CSMA.
Healthcare: The healthcare industry is also subject to strict scrutiny by its primary regulator. Hospitals are likely to be designated as critical infrastructure providers and be subject to the CSMA.
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: The protection of personal data is governed by the PDPA, including the protection of health-related personal information and financial-related personal information.
Health information: Certain medical records and health check information are classified as sensitive personal data, and the collection and use of such data are subject to strict restrictions under the PDPA. Meanwhile, pursuant to the relevant statutes governing healthcare professionals, patient information must be kept strictly confidential.
Financial information: Banking laws and other statutes governing the operation of financial institutions require such institutions to keep clients’ data strictly confidential.
Classified information: Under the Criminal Code of Taiwan, breach of confidentiality obligations with regard to certain business secrets as stipulated under the law or a contract may incur criminal liability. Disclosing or compromising secret information with regard to national defence may also be subject to criminal sanctions.