The assessment of impact on personal information protection shall include the following contents:
- whether the purposes and means of personal information handling are legitimate, justified and necessary;
- the impact on individuals’ rights and interests, and security risks; and
- whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.
The report of the impact assessment on personal information protection and the handling record shall be retained for at least three years.
- Conditions requiring an impact assessment
- Legal bases for handling personal information
- Technical and organizational security measures