Customer Care

Privacy Protection

Issue Date:2022/06/30

Privacy Policy

“Customer Privacy Protection” is emphasized at Chunghwa Telecom in compliance with “Personal Data Protection Act” and “Regulations Governing Non-governmental Personal Data Security Protection Designated by the National Communications Commission.” Privacy Policy has been stipulated, along with rigorous privacy security management and protection measures. Also, a data governance system has been constructed. Data standards and classification are set. Data access management and data owner review mechanisms are exercised to ensure access and sharing of data as well as the availability, integrity, and confidentiality thereof are properly managed and protected. The scope of application encompasses all groups, branch offices, subsidiaries, and suppliers of the Company.

Internally, we have formulated “Data Governance Policy” and relevant regulations regarding data governance to demonstrate the Company’s determination in achieving “zero tolerance” for privacy incidents. The Policy is applied to all CHT business groups, branch offices, subsidiaries, and suppliers.

Prior to any business promotion, risk assessment will be conducted to examine and ensure data access in compliance with the regulatory requirements and to check if data protection mechanisms are in place to avoid risks in data processing. To take it further in terms of “customer privacy protection,” we proactively introduced ISO 27701 system to assure the effectiveness and legal compliance in the lifecycle of data.

Regarding the collection, processing, use, and protection of personal information and privacy involved in the operation, aside from compliance with government’s relevant laws and regulations, personal information is used within the defined scope of regulatory requirements and will not be disclosed to a third-party via exchange, lease or otherwise at will. Also, relevant actions are implemented in accordance with the “Privacy Protection Policy” stipulated by the Company so as to uphold the security of customer information and privacy.

As a response to the potential innovation, advantage, and impacts arising from the development of AI technology, the 8 Guidelines in the “AI Technology R&D Guidelines” promulgated by the Ministry of Technology are also adopted as a reference for the Company in research, innovation, and development to ensure proper management measures in place in the use of AI technology, reducing the potential concerns from the public on AI technology as well as the risks thereof in order to develop under the premise of customer privacy protection. As such, we shall live up to the core values of “human-oriented,” “sustainable development,” and “diversity inclusion.”

Customer Privacy Protection Management Mechanisms

Data Governance Organs and Responsibilities

The three-level organization framework and responsibilities for data governance are as follows:

  1. Data Governance Committee (Level-1 Organization): President as the Convener and the final decision-making body for issues of data governance, responsible for the data governance development at Chunghwa Telecom
  2. Data Development Department (Level-2 Organization): Stipulation and promotion of corporate data governance regulations and systems; tracking of implementation results
  3. Data Governance Team (Level-3 Organization): Data governance implementer to ensure implementation of the data governance system in terms of data protection, data compliance, data quality, data access, data tools, and data maintenance throughout Chunghwa Telecom
Specific Data Management Mechanisms

In alignment with the major areas of Data Management Knowledge (DMBOK) of Data Management Association (DAMA), Chunghwa Telecom constructed its data governance structure of three-level organization and respective responsibilities. Also, the data use system throughout the Company has been constructed in terms of data quality, data protection, data access/sharing, data tools, data compliance, and data maintenance, so that data can be regulated, authorized, tracked, and protected. As such, it warrants an effective data governance at the Company and the subordinate entities to achieve consistency, availability, security, and compliance in data asset management that meets international standards.

  1. Data Quality: Assurance of definition and monitoring of data with Chunghwa Telecom as well as maintenance of data integrity to elevate data quality
  2. Data Protection: Construction of data protection process with the Company to protect data in transmission and in storage; stipulation of data asset access authorization in line with data classes, and assurance in purposes of privacy protection, confidentiality, and proper access
  3. Data Access/Sharing: Assurance of proper access permission granted by Chunghwa Telecom at the right time to access of right data so as to ensure the availability, integrity, and confidentiality of data
  4. Data Tools: Assurance that data governance tools used are monitored and updated, reviewed, and approved following the stipulated procedures
  5. Data Maintenance: Assurance of proper maintenance of databases and data assets of various businesses and logs for data maintenance operation kept
  6. Data Compliance: Assurance in compliance with laws and regulations at the Company and of governments to protect the data security and privacy of itself and customers
Privacy Protection Risk Management
  1. Personal Data and Privacy Risk Management
    The Company has established a sound group-wide risk management mechanism to identify critical business and privacy information in operation. It conducts privacy impact analysis, identifies internal/external threats and their impact levels and likelihood, prioritizes risks to be handled, and regularly convenes senior-level review meetings as vital references for privacy policy stipulation.
    Our performance of cybersecurity and privacy risk management has been incorporated into the monthly tracking by the Risk Management Committee for management. Any material risk issue will be submitted to the Audit Committee or directly reported to the Board of Directors.
  2. Performance Evaluation & Award/Discipline
    With “zero tolerance” as the highest guiding principle, our Privacy Policy incorporates cybersecurity and privacy protection performance in the employees’ appraisals, which come into force upon approval by the President. The results are reviewed regularly, while failures in target achievement demand improvement. In the event of any conduct that leads to loss from negligence or improper inquiry, access, use or intentional leak of customers’ personal data will render disciplinary actions from demerit to termination of labor contract.
  3. External Third-party Audits
    We ceaselessly strengthen the privacy protection procedures, ensure implementation of privacy protection security measures throughout the operation processes, organize trainings pertaining to privacy protection, elevate the overall privacy protection competency of the Company, and examine and evaluate effectiveness in privacy protection measures via regular tests and exercises. Externally, our Privacy Policy has obtained the third-party conformity verification. Also, we conduct internal/external audits and certifications each year (e.g. ISO 27001 / ISO 27011 / ISO 27017 / ISO 27018 / BS 10012 / CSA STAR Certification with ongoing validity) so as to offer consumers a better cybersecurity and privacy data protection.

Internal System and Results

Privacy Incidents

A sound mechanism of reporting, emergency response, and follow-up correction for breaches of customer privacy as well as the “Procedures for Personal Data Incident Prevention, Report, and Response” has been established at Chunghwa Telecom. With rigorous protection measures in force, we prevent any unauthorized access, disclosure, use, or tampering of personal data. Exercises are conducted on a regular basis to raise awareness and knowledge of our employees in reporting and response processes.

Upon detection of potential privacy incident, it is required to complete reporting based on the reporting list of contact in the specified periods. Should a privacy incident be verified, emergency response procedures will be set in motion immediately in line with the existing incident handling procedures to complete the emergency handling in the specified timeframes as follows:

  1. Assess and respond in line with the scope and severity of impacts, where a major privacy incident is to be report to the Cyber Security Department and the CISO.
  2. The privacy data response team is established with emergency response mechanism in place for incident investigation and analysis to determine the root cause, define scope of damage, and preserve relevant evidence of an incent.
  3. Changes of public opinions and client grievance are monitored to learn about the personal data illegally collected, processed, used in the incident and prevent further damage.
  4. Individuals affected and the competent authorities are notified in line with the laws. Where the incident has led to damage to clients’ rights, we provide compensation or legal support to the individuals involved to assist and protect our clients’ rights to the best of our ability.
  5. Review and improvement are conducted in terms of the impacts, damages, and influences of an incident to prevent reoccurrence.
Procedures for Personal Data Incident Prevention, Report, and Response

There were 8 “alleged information breach cases” filed via the customer hotline of Chunghwa Telecom in 2021, of which 6 were notified by the National Communications Commission (NCC) and 2 submitted via the customer service hotline (same number of cases compared with those in 2020, accounting for 0.000027% of the customer hotline service provided of the year). All the cases were investigated and verified that there had not been any fact of privacy breach.