On June 30, 2016, government authorities responsible for
enforcing data protection and privacy laws and regulations,
including the Ministry of the Interior, the Korea Communications
Commission, the Financial Services Commission, the Ministry of
Science, ICT and Future Planning, the Ministry of Health and
Welfare, and the Office for Government Policy Coordination, jointly
announced the "Guidelines on Personal Information
De-identification Measures" (the
"Guidelines") and the
"Comprehensive Guide to Data Protection and Privacy Laws and
Regulations" (the "Comprehensive
By specifying (i) the criteria, procedures, and methods of de-identification measures necessary for utilizing big data, and (ii) the criteria for determining what qualifies as personal information, the Guidelines and the Comprehensive Guide seek to reduce much of the existing ambiguity associated with the concepts of "personal information" and "de-identification," and are laying the foundation for utilizing big data and promoting the security of personal information in Korea. Hence, companies with an interest in big data-related businesses should find the Guidelines and the Comprehensive Guide of interest. In addition, with the increased clarity provided by the Comprehensive Guide with respect to the previously-ambiguous concept of 'personal information', business entities involved in the handling of personal information now have a need to double check if the information they are handling indeed constitutes "personal information" under Korean law, and, if so, whether they are implementing necessary measures accordingly.
1. Key Provisions of the Guidelines
(1) Consolidation of the criteria and procedures for de-identification measures
To ensure their practical effectiveness, the Guidelines will apply uniformly across the board to various entities that are subject to Korea's data protection and privacy laws such as the Personal Information Protection Act ("PIPA"), the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Network Act"), the Utilization and Protection of Credit Information Act ("Credit Information Act"), and the Medical Service Act. Any prior government-sponsored publications on personal information de-identification measures such as manuals, guidebooks, and guidelines were all repealed on June 30, 2016 and were replaced by the Guidelines on July 1, 2016.
(2) Establishment of clear criteria for personal information de-identification measures
The Guidelines classify personal information de-identification measures into four stages -- e.g., "'pre-evaluation," "de-identification measures," "adequacy assessment," and "ex post facto management" -- and provide detailed guidance on the recommended measures and considerations to be made for each stage.
1st Stage: Pre-evaluation
This stage determines whether the subject data can be classified as personal information. If it is clear that the subject data is not personal information, then the information may be used without having to take any additional measures.
2nd Stage: De-identification Measures
Once the subject data is determined to constitute personal information, certain measures that delete or substitute all or parts of the personally identifiable elements within the personal information must be implemented, so that the specific individual is no longer identifiable from the de-identified information. The Guidelines provide detailed explanations regarding the processing methods for identifiers/attribute values, the five (5) types of de-identification methods (pseudonymization, aggregation, data reduction, data suppression, data masking), and the seventeen (17) specific techniques for implementing the five (5) de-identification methods in practice.
3rd Stage: Adequacy Assessment
In this stage, an assessment is made as to whether the subject data which has passed through the first two stages can still be easily combined with other information to identify a specific individual. The Guidelines prescribe detailed rules on the persons to perform the assessment, and the methods and standards for the assessment, and the highlights of these rules and standards are as follows:
- The adequacy assessment must be performed by a "Task Force to Assess the Adequacy of De-Identification Measures" (the "Assessment TF"). The Assessment TF will be comprised of at least three members with the relevant expertise (the majority of whom must be from outside the entity that handles the personal information ("Data Handler")), and will be recommended and appointed by the privacy officer of the Data Handler.
- The Assessment TF will assess the adequacy of the de-identification measures by examining various information provided by the Data Handler, such as a description of the subject data, the implementation status of de-identification measures, and the management proficiency of the Data Handler. Among all the privacy protection models, k-anonymity will be applied with priority as the assessment standard.
4th Stage: Ex Post Facto Management
The Guidelines prescribe detailed ex post facto management measures designed to ensure that the de-identified information does not become re-identifiable during the course of follow-on data processing. Such measures include (i) the implementation of technical and managerial safeguards for the secure management of the de-identified information, (ii) regular monitoring that can detect changes in the possibility of re-identification due to changes in internal factors and the external environment, (iii) inclusion of provisions addressing issues regarding the re-identification risk management and the suspension of processing and destruction of the information in the event that the information becomes re-identifiable when entering into agreements with a third party for the provision of the de-identified information or outsourcing of the processing of the de-identified information.
(3) Regulations on the Handling of De-Identified Information
Though any de-identified information which has passed the Adequacy Assessment stage (3rd stage of de-identification measures) is presumed not to be personal information any more, and any information that is presumed not to be personal information may be used and provided to third parties without obtaining the data subject's further consent, the Data Handler must still implement certain safeguards in order to prevent re-identification. The foregoing presumption implies that, while such de-identified information will not initially be considered personal information, it will be viewed as personal information if any evidence is discovered to the contrary.
(4) Operation of Specialized Agencies to Support Personal Information De-identification Measures (such agencies to be established by August 2016)
Personal Information De-identification Support Center (Korea Internet & Security Agency, "KISA"): The Personal Information De-identification Support Center will be responsible for establishing guidelines for the operation of specialized agencies for each sector and monitoring compliance therewith, managing and training the pool of Assessment TF candidates for each sector, and updating and supporting the implementation of the Guidelines.
Specialized agencies for each sector (each relevant government agency): Each relevant government agency will designate, announce, and operate one or more of the following organizations as a specialized agency for the sector(s) the agency is responsible for: KISA, Korea Credit Information Services, Financial Security Institute, Social Security Information Service, and National Information Society Agency. Specialized agencies are expected to support the combination of databases from different Data Handlers in the respective sectors through the use of temporary surrogate keys.
(5) Sanctions for Re-identifying De-identified Information
The Guidelines explicitly state that the re-identification of previously de-identified information and its further use/provision to third parties will be deemed as the use/provision of personal information for a purpose other than for which consent was granted ("Data Use/Provision Beyond Consented Purposes"), and that the failure to immediately destroy re-identified information is punishable as the collection of personal information without obtaining the data subject's proper consent.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.