以PMBOK®方法論探討BS 10012個資管理制度專案規劃

Abstract

在國際保護隱私權的潮流及國內個資法立法之背景下，過去的研究多偏重法令、國際標準、專案管理等單一領域的探討；甚少跨法令、標準及專案管理等領域，探討組織進行個資保護管理變革所需的專案規劃方法及相關工具、技術之建議，自行導入或由委外顧問輔導之決策考量因素，以及對組織內、外部各利害關係者，在管理上的意涵。本研究以PMBOK®方法論，探討BS 10012個資管理制度專案規劃；運用系統方法及深入訪談，分析及歸納出188個組織個資保護管理專案規劃之方法及相關工具、技術使用上的建議事項。此外，依據不同組織的現況，以組織是否具備ISO 27001導入及通過認證的經驗，將個資保護制度執行模式權衡因素，綜合於企業環境因素及組織流程資產對專案執行之成熟度與整備度內，歸納出四種導入模式。最後，針對組織制度相關之內、外部利害關係者：高階管理者、專案經理、各部門參與專案人員，以及個資當事人(消費者)，其欲達成之價值、目標、目的和績效輸出，闡述對應的利益、期望、需求和效用，提供專案規劃相關參考。

The purpose of this research is to explore project planning for personal information protection management by proposing relevant methods, tools, and technologies. It also took into consideration the differences in change management of personal information protection project performance mode among various organizations, along with their relevant stakeholders' managerial implications. In the past, most researches placed more focus around domestic laws, international standards, and project management. Under the environment of increasingly attentiveness around international privacy protection, and domestic law legislation, it is uncommon for researches to emphasize on an organization's change in management of personal data protection planning methods, relevant tools, evolving technologies, and then provide appropriate recommendations. There are also fewer studies found that considered decision making of implementation models for various organization and relevant meaning of management. This research uses the PMBOK® methodologies to explore the BS 10012 personal information management system project planning. With a systematic approach and in-depth interviews, it concluded 188 relevant recommendations about methods, tools, technologies of personal data protection management project planning. In addition, four unique project implementation models were introduced to accommodate each organization’s ISO 27001 certification status and to consider the decision factors of personal information uniform implementation models. Moreover, enterprise environment factors and organization process assets embedded in the maturity and preparation of project implementation were also considered in these models. Finally, within the boundary of each organizational system and its relevant stakeholders’ interests, expectations, needs, and effectiveness, correlated references and recommendations were made. These proposals are established for internal stakeholders (i.e. senior management, project managers, and team members) and external stakeholders (i.e. customers), to support their expected values, goals, aspirations, and performance output on the planning of personal information protection management project.