The Personal Information Protection Commission Establishes 'Processing Guidelines' for Safe Use of Pseudonymized Information

Image source=Yonhap News

View original image

[Asia Economy Reporter Kim Heung-soon] The Personal Information Protection Commission announced on the 2nd that it has prepared the "Pseudonymized Information Processing Guidelines - Pseudonymization Edition" as a follow-up measure to the enforcement of the revised "Personal Information Protection Act."

The guidelines present standards for how personal information processors should pseudonymize personal information and the procedures to ensure that pseudonymized information is used safely. Pseudonymized information is personal information that has been pseudonymized by deleting or substituting parts of the personal information so that individuals cannot be identified without additional information. This concept was newly introduced by the revision of the Personal Information Protection Act. Since it is a type of personal information, equivalent safety measures must be taken.

The guidelines require personal information processors to carry out the entire process within the scope of complying with the basic principles of personal information processing when performing pseudonymization. Information with a high possibility of personal identification must be deleted or processed so that it cannot be restored to the original information, and in environments with low security levels, it should be processed closer to anonymous information to reduce identifiability.

View original image

Additionally, the guidelines require personal information processors to process only the minimum necessary information for the purpose of pseudonymized information processing and to verify whether there is a possibility of re-identification during the pseudonymization process. For information with a low possibility of personal identification, personal information processors may select appropriate pseudonymization methods such as deletion, encryption, generalization, aggregation, or randomization, considering the processing purpose and environment.

The pseudonymization procedure is presented as a four-step process: preparation, pseudonymization, adequacy review and additional pseudonymization, and post-management. Furthermore, when processing pseudonymized information, compliance with the "Safety Assurance Measures Standards" notice is required, and re-identification prevention measures such as separately storing additional information necessary to restore pseudonymized information to its original state must be implemented.

Hot Picks Today

"Rather Than Endure a 1.5 Million KRW Stipend, I'd Rather Earn 500 Million in the U.S." Top Talent from SNU and KAIST Are Leaving [Scientists Are Disappearing] ①

• "Not Jealous of Winning the Lottery"... Entire Village Stunned as 200 Million Won Jackpot of Wild Ginseng Cluster Discovered at Jirisan
• "I'll Stop by Starbucks Tomorrow": People Power Chungbuk Committee and Geoje Mayoral Candidate Face Criticism for Alleged 5·18 Demeaning Remarks
• Woman Experiences Eye Protrusion After 20 Years of Contraceptive Injections, Plans Lawsuit Against Major Pharmaceutical Company
• "How Did an Employee Who Loved Samsung End Up Like This?"... Past Video of Samsung Electronics Union Chairman Resurfaces

The Personal Information Protection Commission plans to release guidelines on pseudonymized information combination and export later this month, following this pseudonymization edition. Park Sang-hee, Secretary General of the Personal Information Protection Commission, stated, "Once the integrated guidelines combining the pseudonymization edition and the combination/export edition are completed, the legal and institutional foundation for the enforcement of the Three Data Laws will be fully established, and data utilization such as pseudonymized information combination will be actively promoted."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.