Biometrics such as fingerprint, iris, and face that are used as authentication purpose will be included as sensitive information. As a result, there is a way now for non-profit corporations will be designated as organizations that combine data entrusted by financial companies.
Ministry of the Interior and Safety (MOIS), Korea Communications Commission (KCC), and Financial Services Commission (FSC) prepared an enforcement ordinance of amendments to three major data privacy laws (the Personal Information Protection Act, the Act on the Promotion of Information and Communications Network Utilization and Information Protection, and the Act on the Use and Protection of Credit Information) that include such information and is going to implement pre-announcement of legislation at the same time on the 31st.
The main points of the three major data privacy laws are vitalization of data use through pseudonym, unification of personal information protection systems, introduction of new data industries to the financial field, and combination of data through specialized organizations passed through the National Assembly on January 9th and proclaimed on February 4th. MOIS, KCC, and FSC amended specific enforcement ordinances per act.
By amending enforcement ordinance of the Personal Information Protection Act, biometrics and information on ethnicity and race have been included as sensitive information. Current range of sensitive information includes ideology and belief, membership and withdrawal of union and party, opinion on politics, and health and sex life. The South Korean Government has included information created through constant technical means to check a particular individual by using biometrics and information that can cause unfair discrimination depending on situations using information on race or ethnicity.
Biometrics had been classified as personal information in the past. When a company or an organization collected information on biometrics, it needed to receive an approval to collect sensitive information. “In order to protect personal information according to international environment and social and technology environment that are changing, we have decided to define biometrics as sensitive information.” said a representative for MOIS. “Companies that have been collecting information on biometrics can now go through separate approval procedure from government agencies.”
By amending enforcement ordinance of the Act on the Use and Protection of Credit Information, non-profit corporations and profit-making corporations with certain requirements can now be designated as data-specializing organizations that combine pseudonymous data.
In order to be designated as a specialized organization, corporations need to establish risk management systems such as separating employees who specialize in data from those who perform other tasks.
“We are going to first designate Korea Credit Information Services and Financial Security Institute and designate private companies after we gain trusts from the society in the future.” said a representative for FSC. “We are planning to have discussions regarding the range and the timing on designating private companies in the future.”
Credit information provided includes information on federal and state tax payments in addition to information on financial transactions and insurance payments. As a result, National Tax Service can provide information on tax payments to MyData companies. “From MyData companies’ point of view, information on tax payments indicates obtaining information on income and debt.” said a representative for FSC. “This information will be very important information for financial businesses.”
Besides these changes, procedure of combining pseudonymous data, measure for securing safety of pseudonymous data, introduction of right to request transmission of personal credit information, and restructuring of level of approval for the credit information industry have been newly established or modified. The South Korean Government is going to explain about use of pseudonymous data for industrial research and method of appropriate processing of pseudonym through key examples and reasons after gathering opinions from relevant industries through a legislation guidebook when the law will be enforced on August 5th.
“Considering the fact that the public has high level of interest towards three major data privacy laws, we are going to hold a joint public hearing for relevant departments during the pre-announcement of legislation period and collect opinions from various industries and apply them to enforcement ordinances and official announcements.” said Vice-Minister Yoon Jong-in of MOIS. “Specifics such as procedure related to combination of pseudonymous data and requirements for designating a specialized organization that are not included into enforcement ordinance of the Personal Information Protection Act will be pre-announced sometime in May.”
Staff Reporter Kim, Jiseon | firstname.lastname@example.org & Staff Reporter Kim, Jihye | email@example.com & Staff Reporter Park, Jongjin | firstname.lastname@example.org