Korea Hydro & Nuclear Power, Ministry of Health and Welfare Among 54 Institutions Receiving Top Rating

Personal Information Protection Commission to Inspect and Advise Underperforming Institutions

The Personal Information Protection Commission announced the results of its assessment of personal information security levels among public institutions handling citizens' personal data on April 27. The Ministry of Health and Welfare and Korea Hydro & Nuclear Power received the highest ratings, while the National Fire Agency, the Korea Aerospace Administration (KASA), and some basic local governments ranked at the bottom.


Song Kyunghee, Chairperson of the Personal Information Protection Commission, is speaking at the 5th plenary meeting held at the Government Seoul Office in Jongno-gu, Seoul on March 25, 2026. Photo by Jo Yongjun



This assessment covered a total of 1,442 public institutions, including central government ministries, local governments, and public enterprises. The Commission reviewed whether legal obligations were being met through each institution's self-assessment, and conducted a comprehensive evaluation of personal information protection efforts and performance via in-depth reviews by panels of experts. Final scores were calculated by applying additional points for safe use of personal data and deductions for incidents such as data breaches.


The average total score was 76.5 out of 100. A total of 54 institutions, or 6.6% of the total, received the highest rating, while 342 institutions (41.8%) received a B grade, making this the most common result. By institution type, public enterprises and quasi-governmental agencies had the best personal information protection scores (average 87.5 points), while basic local governments scored the lowest (73.2 points).


The self-assessment scored institutions based on 40 quantitative indicators regarding compliance with legal obligations. The average compliance rate across all institutions was found to be 90%. Compliance was high for indicators such as safety measures when handling pseudonymized information, installation and operation of security programs, and program updates. However, compliance was low for indicators such as the maintenance and management of personal video information records and the notification and clarification of key information when obtaining consent.


During the in-depth assessment, panels of personal information experts examined each institution’s achievements and level of effort. As a result, the average score for the “efforts to ensure safety” indicator was the lowest, at 2.26 out of 5 points. The main reasons cited were the lack of management governance, such as missing approval from the head of the institution when establishing internal management plans and the perfunctory operation of compliance checks.


The additional/deduction point assessment examined factors such as “cases of safe use of personal information in new technology environments” (bonus points) and “whether there were data breaches, legal dispositions, or submission of false information” (deductions). Institutions that received bonus points for new technology also tended to have high base evaluation scores. According to the Commission, this shows that institutions with well-established personal information management systems also make strong efforts for the safe use of personal data in new technology environments. Conversely, institutions that received deductions for breaches or legal dispositions tended to have lower evaluation scores, indicating a correlation between the level of personal information protection and the likelihood of incidents.



The Commission will link these assessment results with government work evaluations. Institutions and staff that perform well will receive commendations and awards on Personal Information Protection Day, and a collection of best practices will be published. For underperforming institutions, the Commission will issue recommendations for improvement and conduct follow-up checks to ensure compliance.


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
