Internally, we have formulated “Data Governance Policy” and relevant regulations regarding data governance to demonstrate the Company’s determination in achieving “zero tolerance” for privacy incidents. The Policy is applied to all CHT business groups, branch offices, subsidiaries, and suppliers.
Prior to any business promotion, risk assessment will be conducted to examine and ensure data access in compliance with the regulatory requirements and to check if data protection mechanisms are in place to avoid risks in data processing. To take it further in terms of “customer privacy protection,” we proactively introduced ISO 27701 system to assure the effectiveness and legal compliance in the lifecycle of data, which has been certified in 2023.
Regarding the collection, processing, use, and protection of personal information and privacy involved in the operation, aside from compliance with government’s relevant laws and regulations, personal information is used within the defined scope of regulatory requirements and will not be disclosed to a third-party via exchange, lease or otherwise at will. Also, relevant actions are implemented in accordance with the “Privacy Protection Policy” stipulated by the Company so as to uphold the security of customer information and privacy.
As a response to the potential innovation, advantage, and impacts arising from the development of AI technology, the 8 Guidelines in the “AI Technology R&D Guidelines” promulgated by the Ministry of Technology are also adopted as a reference for the Company in research, innovation, and development to ensure proper management measures in place in the use of AI technology, reducing the potential concerns from the public on AI technology as well as the risks thereof in order to develop under the premise of customer privacy protection. As such, we shall live up to the core values of “human-oriented,” “sustainable development,” and “diversity inclusion.”
Customer Privacy Protection Management Mechanisms
Data Governance Organs and Responsibilities
The data governance organs, structure, and responsibilities at Chunghwa Telecom:
- Data Governance Committee (Level-1 Organization)： President as the Convener and the final decision-making body for issues of data governance, responsible for the data governance development at Chunghwa Telecom
- Data Development Department (Level-2 Organization): Stipulation and promotion of corporate data governance regulations and systems; tracking of implementation results
- Data Governance Team (Level-3 Organization): Data governance implementer to ensure implementation of the data governance system in terms of data protection, data compliance, data quality, data access, data tools, and data maintenance throughout Chunghwa Telecom
Privacy Protection Risk Management
- Personal Data and Privacy Risk Management (Group-wide risk management)
Our performance of cybersecurity and privacy risk management has been incorporated into the monthly tracking by the Risk Management Committee for management. Any material risk issue will be submitted to the Audit Committee or directly reported to the Board of Directors.
- Performance Evaluation & Disciplinary Actions
In order to ensure the cybersecurity implementation by all employees, the performance of cybersecurity and personal data protection is incorporated as part of the performance evaluation of all employees, which has come into force upon approval by the President. The performance is reviewed regularly, and correction is required for any failure to meet the targets.
- Internal Audit of Privacy Protection
‐ Branches: self-audit conducted regularly each year
‐ Headquarters: annual personal data audit organized once a year
‐ Audit Department at Headquarters (directly under the Board of Directors): internal control audits organized each year
- External Audit of Privacy Protection
- Enhance Supplier Security
- Supervision and Management Approach：Depending on the nature of the commissioned business and the degree of risk, We employs corresponding supervision methods. These methods include daily inspections, supplier self-assessments, regular/irregular meetings, information system security measures, automating third-party risk management tool, on-site audits, requiring suppliers to obtain third-party certification, etc., as necessary.
- Inspect Items：Following the template of the "Personal Data Security Audit Checklist" published by the competent authority under the Personal Data Protection Act, the audit includes the following:
- establishing a mechanism of risk assessment and management of personal data
- establishing a mechanism of preventing, giving notice of, and responding to a data breach
- establishing an internal control procedure for the collection, processing, and use of personal data
- managing data security and personnel
- promoting awareness, education and training
- managing facility security
- establishing an audit mechanism of data security
- keeping records, log files and relevant evidence
- implementing integrated and persistent improvements on the security and maintenance of personal data
- Supervision Results：Suppliers who fail to meet the requirements must make improvements within a given deadline, and the overall supervision results will be included in the management review.
Internal System and Results
Procedures for Personal Data Incident Prevention, Report, and Response
A sound mechanism of reporting, emergency response, and follow-up correction for breaches of customer privacy as well as the “Procedures for Personal Data Incident Prevention, Report, and Response” has been established at Chunghwa Telecom. With rigorous protection measures in force, we prevent any unauthorized access, disclosure, use, or tampering of personal data. Exercises are conducted on a regular basis to raise awareness and knowledge of our employees in reporting and response processes.
Upon detection of potential privacy incident, it is required to complete reporting based on the reporting list of contact in the specified periods. Should a privacy incident be verified, emergency response procedures will be set in motion immediately in line with the existing incident handling procedures to complete the emergency handling in the specified timeframes as follows:
- Assess and respond in line with the scope and severity of impacts, where a major privacy incident is to be report to the Cyber Security Department and the CISO.
- The privacy data response team is established with emergency response mechanism in place for incident investigation and analysis to determine the root cause, define scope of damage, and preserve relevant evidence of an incent.
- Changes of public opinions and client grievance are monitored to learn about the personal data illegally collected, processed, used in the incident and prevent further damage.
- Individuals affected and the competent authorities are notified in line with the laws. Where the incident has led to damage to clients’ rights, we provide compensation or legal support to the individuals involved to assist and protect our clients’ rights to the best of our ability.
- Review and improvement are conducted in terms of the impacts, damages, and influences of an incident to prevent reoccurrence.。
There were 10 “alleged information breach cases” filed via the customer hotline of Chunghwa Telecom in 2022, of which 7 were notified by the National Communications Commission (NCC) and 3 submitted via the customer service hotline (accounting for 0.00001% of the customer hotline service provided of the year). All the cases were investigated and verified that there had not been any fact of privacy breach.
Specific Data Management Mechanisms
In alignment with the major areas of Data Management Knowledge (DMBOK) of Data Management Association (DAMA), Chunghwa Telecom constructed its data governance structure of three-level organization and respective responsibilities. Also, the data use system throughout the Company has been constructed in terms of data quality, data protection, data access/sharing, data tools, data compliance, and data maintenance, so that data can be regulated, authorized, tracked, and protected. As such, it warrants an effective data governance at the Company and the subordinate entities to achieve consistency, availability, security, and compliance in data asset management that meets international standards.
- Data Quality: Assurance of definition and monitoring of data with Chunghwa Telecom as well as maintenance of data integrity to elevate data quality
- Data Protection: Construction of data protection process with the Company to protect data in transmission and in storage; stipulation of data asset access authorization in line with data classes, and assurance in purposes of privacy protection, confidentiality, and proper access
- Data Access/Sharing: Assurance of proper access permission granted by Chunghwa Telecom at the right time to access of right data so as to ensure the availability, integrity, and confidentiality of data
- Data Tools: Assurance that data governance tools used are monitored and updated, reviewed, and approved following the stipulated procedures
- Data Maintenance: Assurance of proper maintenance of databases and data assets of various businesses and logs for data maintenance operation kept
- Data Compliance: Assurance in compliance with laws and regulations at the Company and of governments to protect the data security and privacy of itself and customers