Sound Personal Information Management System
Cathay FHC established a Personal Information Management Committee and a sound personal information management system to properly manage personal information. Facing rapidly changing new technologies and new types of cyber attacks, Cathay Life, CUB, and Cathay Century successively obtained the BSI 10012:2017 Personal Information Management System certification to actively protect customer rights. We are transitioning to new international standards in coordination with international privacy protection trends via international certification institutions, which allow us to comply with the EU's General Data Protection Regulation (GDPR). We are also incorporating the provisions of the new version into the personal information protection process, and continue to upgrade personal information protection mechanisms to provide customers with secure services and system environments.
Complete Personal Information Protection Education and Training
Cathay FHC organizes annual campaigns, education, and training to raise all employees' awareness of personal information protection, so that they understand the regulatory requirements, the scope of their responsibilities, and the various mechanisms, procedures, and measures related to the protection of personal information. The completion rate of personal information training of Cathay FHC and its subsidiaries was 100% in 2020.
Note: The completion rate above excludes employees who were excluded due to the characteristics of their duties or their leave plans (temporary dispatch, parental leave, maternity leave, etc.).
Infringement Incident Management
Cathay FHC and its subsidiaries collect, process, and use personal information in accordance with the Personal Data Protection Act and related laws and regulations. Customers are informed of the purpose for collecting personal information and who the information will be shared with, and the collection, processing, and use will not exceed the scope necessary for the specific purposes. Customers' rights to access, request to view, make a copy, correct, supplement, cease the collection, processing, and use, or request the deletion of personal information are explicitly stated. All third parties are required to comply with company policies relating to personal information protection. Cathay FHC has aligned its personal information management mechanism with international standards in response to the EU's GDPR, and monitors the optimization and implementation of protection measures, as well as emergency response procedures and drills. Cathay FHC is able to provide more considerate and complete services through these layers of protection for customer data and rights, so that customers and partners can rest assured when they provide their personal information. Cathay FHC and its subsidiaries were not fined for any infringements on personal information in 2020.
In addition to the Personal Information Protection and Administration System (PIPAS) established by CUB, Cathay Life established a private cloud "Personal File Administration Classified Section" in 2020, which improves personal information protection by limiting the personnel with access rights and the time that files can be accessed, thus lowering the risk of important personal information stored on personal computers being leaked. Furthermore, major subsidiaries maintain the effectiveness of their personal information certifications each year to keep our personal information management mechanisms up to date. Cathay Life (subsidiary) implemented PCI DSS in 2020 to enhance encryption and access mechanisms, and expects to obtain the certification of international credit card organizations in 2Q 2021 to ensure transaction security for policy holders.
Continually strengthen response measures to personal data incidents
Cathay FHC and its subsidiaries have all established emergency response procedures and periodic drill mechanisms for infringement incidents, as well as a cross-departmental emergency response team and regulations for reporting and handling. We enhance the response abilities of employees through periodic drills, preventing the impact of personal information breach incidents on the Company. Besides minimizing the harm caused to parties involved, we also verify the effectiveness of internal operating procedures to identify any deficiencies and continue to improve our personal information protection measures.
Cathay FHC and its subsidiaries attach great importance to the protection of customers' personal information, and were not involved in any customer personal information violations in 2020, which can be verified by the penalties announced by the FSC and material information announced on the MOPS. Still, we handled a total of 17 personal information cases (see the table below for details), either received from customers through complaint channels or found through investigations conducted by sales managers. After looking into the cases, we found that most cases were the result of sales agents neglecting to inform customers of third parties. We have obtained the customers' understanding and will continue to step up education, training, and promotion for service personnel. Cathay FHC will continue to strengthen and monitor the use of customers' personal information, and improve related protection measures to reduce personal information breach incidents.