個人隱私權之保護已為世界之共識，隨著資訊科技之發展，個人資料之蒐集與使用疑慮再再反映於人們之生活上，如何保護個人對其自身資訊的掌控成為各國所關注。而我國在此潮流下，承襲了美國資訊隱私權以及德國資訊自主權之概念，從大法官釋字中對於個人掌握其資訊流向之權利演進以及個人資料保護法之制定與修正，都可看出我國對於資訊隱私權，或稱資訊自主權之重視，釋字第603號及個資法皆認為任何個人資料之蒐集使用都必須符合一定之原則，且這些原則在他國之法制中亦可見其蹤跡，如告知義務、蒐集目的限制、比例原則、目的內使用、當事人權利行使等之限制。
然資訊隱私權之行使，在面臨與學術研究上之利益衝突時，各國個資法皆有相對應之研究例外條款予以衡平，本文比較分析了歐盟之個人資料保護指令與一般個人資料保護規則、英國之資料保護法、美國之隱私權法與健康保險可攜式及責任法之隱私權規則後，發現我國於學術研究例外條款保障上之不足，相較於他國之規範，我國除並無因應資料使用各階段之不同而為不同考量外，標準之設立本身亦較不具有彈性，而僅得以去識別化之方式為之，雖我國亦另有規範個資持有者之資料保護義務，惟對於例外之規定仍應視特定例外情形而有相對應之處理保護手段，我國選擇以去識別化為保護方式，就保障程度而言，尚有改善空間。
因此，參考他國之規範方式與我國之需求後，本文認為在個資之告知階段上，為保障知之權利，應以告知為原則，除實際上運行不可時而為例外，且需有一定之保護措施要求，再者，當資料係直接源自於主體時，應以事後告知為佳。
而在個資之蒐集上，似乎仍應以當事人同意為主，除取得同意為不可能或困難時，在設有保護措施之情形下，應得為研究例外蒐集。
對於個資之處理與目的外利用開放，本文認為處理與利用二者行為應無區分之必要，因資料經蒐集後原則上皆應符合資料使用之基本原則要求；而就目的外利用之保障要求而言，本人認為應將一般個人資料與特種資料作區分，前者可參考歐盟之保護措施要求方式，後者可參考美國或歐盟對於特種資料較高程度之保護規定，以獨立機關審查或是有限資料組之呈現方式為標準。
至於特種資料之蒐集允許，限制特定領域始得蒐集可能對於排除在外之研究過於嚴苛，應可斟酌採以歐盟以利益權衡之方式，並以當事人同意為主，若難以取得當事人同意時，應經第三方之審查，若有審查難以執行之情形時，則至少應先以保護措施為之。
最後，在當事人的權利行使上，接近權之限制應不單純以利益衡平為準，尚應有其他保護手段之要求；而更正權之行使我國雖未有例外規範，惟考量實際情形，在更正為實際不可能，且設有保障措施之情形下，應得為例外規定；至於刪除權以及限制使用權之例外禁止行使，同樣為能保障資料主體之權利，仍應設置相關之保護措施。

Protection of individual privacy has been the consensus of the world. With the development of information technology, the worries about personal information collection and usage arise once and again in our lives, which also causes the world to pay more attention onto the protection of individual control over ones’ own information. Following this trend and inherited from the concept of “information privacy” called in America and “right to informational self-determination” claimed in German, concerns about information privacy also take root in our legal system, including in the interpretation of Taiwan’s constitutional court and the legislative act. Both Interpretation No. 603 of Taiwan’s Constitutional Court and Personal Information Protection Act in Taiwan reveal several basic principles for any collection and use of personal information, which are almost the same as other countries have indicated.
However, most countries set some exemptions against the claim of information privacy when faced with the interest conflict with academic research. After detail comparative analysis of the Data Protection Directive 95/46/EC and General Data Protection Regulation of E.U., Data Protection Act of UK, and Privacy Act and HIPAA Privacy Rule of U.S.A., deficit in personal information protection was found in Taiwan’s academic research exemption. The academic research exemption standard do not vary according to different using stages of personal information; furthermore, the standard itself is a little less flexible since de-identification is the only way to meet the requirement. Although there are some legal data protection obligations upon the data holders, some tailored requirements are needed for specific exemption circumstances. With regard to protection extent, only choosing de-identification process as a way to protect personal information is not sufficent.
Considering the other countries legislation, for the stage of information-providing obligation, in order to protect the right to know, keeping data subject knowing and understanding the relevant information should be the principle, except for the situations when notice is pratically impossible and already with some protection measures. Moreover, when personal information is directly from the data subject, notice afterward is needed.
For the personal information collection stage, data subject’s consent is the primary consideration. Only when getting consent is impossble or quite difficult, and protection measures are taken can researchers collect personal information on the basis of academic research exemption.
For the process and use stage, there is no need to separate process and use into different categories because every behavior on the data should be acted in compliance with the basic principles. For any usage beyond the original colletive aim, general personal data and spcial category data should be distinguished. Protection measures required as in E.U. are needed for general personal data, and a higher-leveled protection standard, such as independent board review or limited data set designed in U.S.A., would be better for special category data.
As for the collection permission of special category data, defining some researches inside the lawful collection range and excludeing others research would be too strict. Interests balance as used in E.U. could be considered an alternative way. Besides, individual consent is primary required; unless when consent is impossble or quite difficult, and reviewed by an independent board can researchers collect special category data. If there is any difficulty for the review processs, protection measures are demanded at least.
Finally, for the individual rights, right to access shouldn’t be rejected simply for interests balance. Protection measures ought to be considered and taken. Although there is no right to rectification specified in Taiwan’s law, taking the practical situations into account, reject of right to rectification should be allowed when correct is practically impossible and protection measures are adopted. With regard to the right to erasure and right to restriction of process, refusal is permited only if related protection measures are carried out during the research.

中文文獻（依筆劃數遞增）

書籍
Friedhelm Hufen（著），翁曉玲（譯）（2010）。〈人格保護與資訊自決權〉，收於：《德國聯邦憲法法院第五十週年紀念論文集下冊》，頁113-133。台北：聯經。
Viktor Mayer Schonberger、Kenneth Cukier（著），林俊宏（譯）（2013）。《大數據》。台北：天下文化。
王建（2015）。《資訊法研究》。台北市：元華文創。
李震山（2004）。〈基因資訊利用與資訊隱私權之保障〉，收於：法治斌教授紀念論文集編輯委員會（編），《法治與現代行政法學—法治斌教授紀念論文集》，頁83-110。台北市：元照。
林子儀（2003）。〈資訊與基因隱私權—從保障隱私權的觀點論基因資訊的利用與法的規制〉，收於：林子儀、蔡明誠（編），《基因技術挑戰與法律回應—基因科技與法律研討會論文集》，頁239-295。台北市：學林文化。
林鴻文（2013）。《個人資料保護法》。台北市：書泉。
法務部法律事務司（2016）。《個人資料保護法規及參考資料彙編》。二版。台北市：法務部。
孫森焱（2006）。《民法債編總論(上) 》。台北：自刊。
翁逸泓、廖福特（2014）。《私生活之權利—探索歐洲，反思臺灣》。台北市：新學林。
許文義（2001）。《個人資料保護法論》。台北市：三民書局。
黃昭元（2005）。〈無指紋則無身分證？〉，收於：國際刑法學會臺灣分會（編），《民主、人權、國家—蘇俊雄教授七秩華祝壽論文集》，頁461-507。台北：元照。

期刊論文
Christian Starck（著），陳愛娥（譯）（2008）。〈研究自由與其界線〉，《台大法學論叢》，37卷4期，頁391-406。
王澤鑑（2007）。〈人格權保護的課題與展望（三）—人格權的具體化與保護範圍（6）—隱私權（上）〉，《台灣本土法學雜誌》，96期，頁21-44。
王澤鑑（2007）。〈人格權保護的課題與展望（三）—人格權的具體化與保護範圍（6）—隱私權（下-1）〉，《台灣本土法學雜誌》，99 期，頁47-66。
王澤鑑（2007）。〈人格權保護的課題與展望（三）—人格權的具體化與保護範圍（6）—隱私權（中）〉，《台灣本土法學雜誌》，97期，頁27-50。
江耀國、李振瑋（2010）。〈英國資料保護法中資料所有人權利之研究—兼論我國個資法之相關規範及案例〉，《中原財經法學》，24期，頁29-84。
吳芝儀（2011）。〈以人為主體之社會科學研究倫理議題〉，《人文社會科學研究》，5卷4期，頁19-39。
李崇僖（2008）。〈基因隱私與科學研究之調和—基本原則與特殊利益考量〉，《台灣科技法律與政策論叢》，5卷1期，頁47-85。
李惠宗（2013）。〈個資法上的帝王條款—目的拘束原則〉，《法令月刊》，64卷1期，頁37-61。
李寧修（2015）。〈公務機關合理利用特種個人資料之法定要件—最高行103判600判決〉，《台灣法學雜誌》，269期，頁153-156。
李震山（1992）。〈人性尊嚴之憲法意義〉，《律師通訊》，150期，頁34-45。
李震山（2005）。〈來者猶可追，正視個人資料保護問題¬—司法院大法官釋字第六〇三號解釋評析〉，《台灣本土法學雜誌》，76期，頁222-234。
林世宗（2001）。〈隱私權〉，《全國律師》，5卷4期，頁33-51。
陳起行（2000）。〈資訊隱私權法理探討—以美國法為中心〉，《政大法學評論》，64期，第297-341。
楊智傑（2014）。〈美國醫療資訊保護法規之初探—以HIPAA/HITECH之隱私規則與資安規則為中心〉，《軍法專刊》，60卷5期，頁79-116。
劉靜怡（2006）。〈隱私權的哲學基礎、憲法保證及其相關辯論—現在、過去與未來〉，《月旦法學教室》，46期，頁40-50。
劉靜怡（2010）。〈不算進步的立法：「個人資料保護法」初步評析〉，《月旦法學雜誌》，183期，頁147-164。
蕭奕弘（2012）。〈論個人資料保護法的法制性問題〉，《成大法學雜誌》，23期，頁141-191。
戴正德、李明濱（2011）。〈社會行為科學研究之倫理及其審查機制〉，《醫學教育》，15卷2期，頁165-181。
謝祥揚（2007）。〈論資訊隱私權〉，《東吳法研論集》，3卷，頁123-156。
謝碩駿（2014）。〈全民健康保險研究資料庫：一個不可想像其不存在的網羅？〉，《台灣法學雜誌》，260期，頁209-217
顏厥安（2006）。〈戶籍法第八條與全民指紋建檔合憲性問題之鑑定意見〉，《台灣本土法學》，79期，頁145-177。
蘇柏毓（2016）。〈104年之個人資料保護法修正簡評〉，《科技法律透析》，28卷4期，頁13-17。

學位論文
施佩岑（2014）。《敏感性個人資料保護之比較研究—以歐盟與英國為例》，中原大學財經法律研究所碩士論文，桃園。
陳雅婷（2016）。《論我國個資法對蒐集目的外研究利用之規範—兼論歐盟個資立法之趨勢》。中原大學財經法律研究所碩士論文，桃園。
楊震宇（2015）。《論資訊隱私權及其相關保障—以個人資料保護法為中心》，國立國防大學法律學系碩士論文，台北。
詹文凱（1998）。《隱私權之研究》，國立台灣大學法律學研究所博士論文，台北。

其他
林梅鳳（2015）。《音樂介入對心理困擾-睡眠-倦怠感的影響：增進乳癌婦女在化療期間的調適與生活品質》，科技部補助專題研究計畫成果報告（執行編號：MOST-102-2410-H-006-013-）。
林麗惠（2015）。《高齡教育社會效果之調查及國際比較》，科技部補助專題研究計畫成果報告（執行編號：MOST-102-2410-H-194-110-SSS）。
范姜真微、劉定基、李寧修（2016）。《歐盟及日本個人資料保護立法最新發展之分析報告》，法務部委託研究案成果報告（執行編號：W1050224）。
廖洲棚（2014）。《運用巨量資料實踐良善治理：網路民意導入政府決策分析之可行性研究》，行政院研究發展考核委員會委託計畫結案報告（執行編號：RDEC-MIS-102-003）。
蔣維倫（2016）。《台灣流感疫情也可以問問Google大神！》。載於：pansci.asia/archives/96812（最後瀏覽日：05/28/2017）。

 
英文文獻（依字母排序）

Books
DANIEL J. SOLOVE & PAUL M. SCHWARTZ, INFORMATION PRIVACY LAW, New York: Wolters Kluwer Law & Business (4th ed. 2011).
DANIEL J. SOLOVE ET AL., PRIVACY, INFORMATION AND TECHNOLOGY, New York: Aspen Publishers (2006).
GRAEME LAURIE, GENETIC PRIVACY, United Kindom: Cambridge University Press (2002).
HEROLD REBECCA & KEVIN BEAVER, THE PRACTICAL GUIDE TO HIPAA PRIVACY AND SECURITY COMPLIANCE, Boca Raton: Auerbach Publications (2d ed. 2015).
IAN J. LOYD., INFORMATION TECHNOLOGY LAW, New York: Oxford University Press (6th ed. 2011).
JOHN W. CRESWELL, EDUCATIONAL RESEARCH: PLANNING, CONDUCTING, AND EVALUATING QUANTITATIVE AND QUALITATIVE RESEARCH, Boston: Pearson (5th ed. 2015).
KENNETH E. HIMMA & HERMAN T. TAVANI, THE HANDBOOK OF INFORMATION AND COMPUTER ETHICS, New Jersey: John Wiley & Sons (2008).
LEE A. BYGRAVE, DATA PRIVACY LAW, United Kindom: Oxford University Press (2014).
LEEDY, P. D. & ORMROD, J. E., PRACTICAL RESEARCH: PLANNING AND DESIGN, New Jersey: Prentice Hall (8th ed. 2005).
PETER CAREY, DATA PROTECTION: A PRACTICAL GUIDE TO UK AND EU LAW, United Kindom: Oxford University Press (4th ed. 2015).
PRIVACY, BIG DATA, AND THE PUBLIC GOOD: FRAMEWORKS FOR ENGAGEMENT, New York: Cambridge University Press (Julia Lane & Victoria Stodden eds., 2014).
RAYMOND WACKS, PRIVACY: A VERY SHORT INTRODUCTION, Oxford: Oxford University Press (2d ed. 2015).
RICHARD C. TURKINGTON & ANITA L. ALLEN, PRIVACY LAW: CASES AND MATERIALS, Minnesota: West Group (2002).
RICHARD M. GRINNELL & YVONNE A. UNRAU, SOCIAL WORK RESEARCH AND EVALUATION: QUANTITATIVE AND QUALITATIVE APPROACHES, New York: Oxford University Press (7th ed. 2005).

Journals
B. Malin & L. Sweeney, How (not) to Protect Genomic Data Privacy in a Distributed Network: Using Trail Re-Identification to Evaluate and Design Anonymity Protection Systems, 37 JOURNAL OF BIOMEDICAL INFORMATICS 179-192 (2004)
Bob Brown, Research and the Hipaa Privacy Rule Use of Privacy Board Can Help Entities Meet Hipaa Requirements and Speed Up Research Approval Process, 8(4) J. HEALTH CARE COMPLIANCE 43-46 (2006)
Charles Fried, Privacy, 77 YALE LAW JOURNAL 475-493 (1968)
Chung-Lin Chen, In Search of A New Approach of Information Privacy Judicial Review: Interpretation No. 603 of Taiwan's Constitutional Court As A Guide, 20 INDIANA INTERNATIONAL AND COMPARATIVE LAW REVIEW 21-46 (2010)
D. J. Kaufman, J. Murphy-Bollinger, J Scott., K. L. Hudson, Public Opinion about the Importance of Privacy in Biobank Research, 85 AMERICAN JOURNAL OF HUMAN GENETICS 643-654 (2009)
Daniel Wartenberg & W. Douglas Thompson, Privacy Versus Public Health: The Impact of Current Confidentiality Rules, 100(3) AMERICAN JOURNAL OF PUBLIC HEALTH 407-412 (2010)
David Erdos, Freedom of Expression Turned on Its Head? Academic Social Research and Journalism in the European Privacy Framework, PUBLIC LAW 52-73 (2013)
David Lazer, Ryan Kennedy, Gary King & Alessandro Vespignani, The Parable of Google Flu: Traps in Big Data Analysis, 343 SCIENCE 1203-2015 (2014)
Elbert Lin, Prioritizing Privacy: A Constitutional Response to the Internet, 17 BERKELEY TECHNOLOGY LAW JOURNAL 1085-1154 (2002)
Francoise Gilbert, Proposed EU Data Protection Regulation: The Good, the Bad, and the Unknown, 15 JOURNAL OF INTERNET LAW 20-34 (2012)
Gabriele Piccoli. & Erica L. Wagner, The Value of Academic Research, 44(2) THE CORNELL HOTEL AND RESTAURANT ADMINISTRATION QUARTERLY 29-38 (2003)
Gerrit Hornung & Christoph Schnabel, Data Protection in Germany I: The Population Census Decision and the Right to Informational Self-Determination, 25 COMPUTER LAW AND SECURITY REVIEW 84-88 (2009)
Harold Gershinowitz, Industrial Research Programs And Academic Research, 46(1) AMERICAN SCIENTIST 24-32 (1958)
Julie E. Cohen, Examined Lives: Informational Privacy and the Subject As Object, 52 STANFORD LAW REVIEW 1373-1437 (2000)
L. Sweeney, K-anonymity: A Model for Protecting Privacy, 10 INTERNATIONAL JOURNAL ON UNCERTAINTY, FUZZINESS AND KNOWLEDGE-BASED SYSTEMS 557-570 (2002)
Lieutenant Colonel Evan M. Stone, The Invasion of Privacy Act: The Disclosure of My Information in Your Government File, 19 WIDENER LAW REVIEW 345-388 (2013)
Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 HARVARD JOURNAL OF LAW AND PUBLIC POLICY 605-52 (2013)
Marc Rotenberg & David Jacobs, Updating the Law of Information Privacy: The New Framework of the European Union, 36 HARVARD JOURNAL OF LAW AND PUBLIC POLICY 605-52 (2013)
Mary L. Durham, How Research Will Adapt to HIPAA: A View from Within the Healthcare Delivery System, 28 AMERICAN JOURNAL OF LAW AND MEDICINE 491-502 (2002)
Norman M. Bradburn, Medical Privacy and Research, 30 JOURNAL OF LEGAL STUDIES 687-701 (2001)
Patrick J. Murray, The Adequacy Standard Under Directive 95/46/EC: Does U.S. Data Protection Meet This Standard?, 21 FORDHAM INTERNATIONAL LAW JOURNAL 932-1018 (1998)
Peter A. Winn, Confidentiality in Cyberspace: The HIPAA Privacy Rules and the Common Law, 33 RUTGERS LAW JOURNAL 617-682 (2002)
Robyn Durie, An Overview of the Data Protection Act 1998, 6(4) COMPUTER TECHNOLOGY LAW REPORT 88-93 (2000)
Rothstein, M. A., Is Deidentification Sufficient to Protect Health Privacy in Research?, 10 THE AMERICAN JOURNAL OF BIOETHICS 3-11 (2010)
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4(5) HARVARD LAW REVIEW 193-220 (1890)
Sarah Fendrick, The Role of Privacy Law in Genetic Research, 4 I/S: A JOURNAL OF LAW AND POLICY FOR THE INFORMATION SOCIETY 798-815 (2009)
Stacey A. Tovino, The Use and Disclosure of Protected Health Information for Research Under the HIPAA Privacy Rule: Unrealized Patient Autonomy and Burdensome Government Regulation, 49 SOUTH DAKOTA LAW REVIEW 447-502 (2004)
Stéphan Vincent-Lancrin,, What is Changing in Academic Research? Trends and Futures Scenarios, 41(2) EUROPEAN JOURNAL OF EDUCATION 169-202 (2006)
Stephen A. Oxman, Exemptions to the European Union Personal Data Privacy Directive: Will They Swallow the Directive?, 24 BOSTON COLLEGE INTERNATIONAL AND COMPARATIVE LAW REVIEW 191-204 (2000)
Timothy J. Ellis & Yair Levy, Framework of Problem-Based Research: A Guide for Novice Researchers on the Development of a Research-Worthy Problem, 11 INFORMING SCIENCE: THE INTERNATIONAL JOURNAL OF AN EMERGING TRANSDISCIPLINE 17-33 (2008)
Todd Robert Coles, Does the Privacy Act of 1974 Protect Your Right to Privacy? An Examination of the Routine Use Exemption, 40 AMERICAN UNIVERSITY LAW REVIEW 957-1002 (1991)

Others
Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisa-tion Techniques, WP216, p.3 (2014), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf
Article 29 Data Protection Working Party, Opinion 4/2007 on the Concep-t of Personal Data, WP 136, 20-21 (2007), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
European Commission, Big Data, retrieved from: https://ec.europa.eu/digital-single-market/en/big-data (last visited on Mar 15, 2017)
Golle Pilippe, Revisiting the Uniqueness of Simple Demographics in the U.S. Population, Workshop on privacy in the electronic society, 77-80(2006), available at http://www.privacylives.com/wp-content/uploads/2010/01/golle-reidentification-deanonymization-2006.pdf
M. Beránková, R. Kvasnička & M. Houška, Towards the Definition of K-nowledge Interoperability, 2010 2nd International Conference on Software Technology and Engineering, 232-236 (2010), available at http://ieeexplore.ieee.org/document/5608843/?reload=true
Ron Davies, The Internet Of Things: Opportunities And Challenges, Euro-pean Parliamentary Research Service Blog, retrieved from: https://epthinktank.eu/2015/05/21/the-internet-of-things-opportunities-and-challenges/ (last visi-ted on Mar 15, 2017)