Effective from September 30, 2011, the Personal Information Protection Act (“PIP Act”) was newly enacted to provide the underlying principles and safeguards when processing personal information and to be consistent with international standards while covering both the public and private sectors. Its basic premise is to prevent the type of leakage, misuse and abuse of personal information recently seen in Korea.
Prior to the enactment of the PIP Act, only certain industries in the private sector were subject to the various privacy-related laws existing in Korea. The new PIP Act was enacted to provide the overarching protective measures irrespective of industry, manner of collection and type of personal information. The salient points of the PIP Act are as follows.
Scope of Application
Personal information refers to information pertaining to a living individual that identifies a specific person, such as a name, a resident registration number, or an image (including information that does not, by itself, identify a specific person but that readily does so when combined with other information). Accordingly, customer and employee information will be at issue for corporate entities.
All corporations, whether for-profit or non-profit, that process personal information by way of “Personal Information Files” when conducting business must comply with the protective measures prescribed under the PIP Act.
Requirements for Disclosure and Prior Consent
The “Personal Information Processor” must disclose certain items such as the purpose and period of collection and use of the personal information, when seeking consent from the “Principal” (owner of the personal information) to collect and use such personal information.
If the personal information is to be provided to a third party, the Personal Information Processor must notify the details of the transfer and acquire the Principal’s express consent.
M&A or Overseas Transfer of Personal Information
When transferring personal information to another person in the context of a merger or acquisition, the following must be notified prior to such transfer: (i) the fact that the personal information will be transferred, (ii) the identity of the person to whom the personal information is being transferred, and (iii) the methods or procedures to be implemented in case the transfer is objected to.
Further, a separate notice and prior consent (in a prescribed manner) must be obtained when transferring personal information overseas.
Establishment and Disclosure of Guidelines for the Processing of Personal Information and Appointment of the Chief Privacy Officer
The Personal Information Processor must establish and disclose guidelines for processing personal information (“Processing Policy”). This Processing Policy must include (i) the purpose for processing the personal information, (ii) the period of processing and retention of the personal information, (iii) the delegation or transfer of personal information to a third party (if any), and (iv) the rights and obligations of the Principal and the methods to pursue or satisfy such rights and obligations. Further, a Chief Privacy Officer must be appointed in the company.
Technical, Managerial, and Physical Protective Measures
The Personal Information Processor must implement technical, managerial, and physical measures necessary to prevent personal information from being lost, stolen, unlawfully leaked, altered or damaged. In this regard, we expect a certain level of regulatory guidance to be provided for the specific requirements thereof which may have an impact on IT systems and human resources.
Limits on Processing Sensitive Information and Unique Identification Information
Sensitive information (such as ideology/faith, political views and health) or unique identification information (i.e., information assigned by law to distinguish each individual as unique, such as the resident registration number) is in principle prohibited from being processed and requires a separate consent from the Principal.
Regulations on Installing and Operating a Visual Information Processing Device (“CCTV”)
Installing and operating a CCTV shall only be permitted for limited purposes such as for preventing and investigating crimes, facility safety and fire prevention.
Additional obligations are imposed on the CCTV operator, such as installing an identifying marker or sign, the prohibition from using recording functions and devices for purposes other than the purpose for which the CCTV was initially installed, and establishing internal guidelines for the operation of CCTVs.
Duty to Notify and Report Leakage of Personal Information
When personal information has been leaked, the Personal Information Processor shall promptly notify the Principal of the leakage, the specific items of personal information that were leaked, details of when and how the leakage occurred, and the methods to minimize damage.
If the extent of the leakage is extensive (as defined under the sub-regulations), the Personal Information Processor must without delay report such leakage and the results of the remedial measures employed to the Minister of Public Administration and Security.