[Reporter’s Notebook] Public Institutions Fail to Set Example in Information Security

by Roh Kyungjo

Published 28 Apr.2026 10:00(KST)

Report Card on Personal Data Protection in Public Institutions

In 2025, a year marked by a series of hacking incidents targeting private companies such as the three major telecom operators, Coupang, and Lotte Card, public institutions also received failing grades for their personal data protection performance. According to the results of the '2025 Public Institution Personal Data Protection Level Assessment' released by the Personal Information Protection Commission, only 54 out of 1,442 institutions surveyed (6.6%) achieved the highest S grade, an increase of nine from the previous year. At first glance, this figure may seem commendable. However, it is noteworthy that the number of institutions with an A grade dropped by as many as 60.

Pixabay

The commission explained that in this evaluation, the overall score for 'efforts to ensure safety measures' in public institutions was just 2.26 out of 5, a notably low figure. The main causes cited included missing decision-making procedures such as obtaining approval from the head of the institution when establishing internal management plans, as well as performing only formal compliance checks.

Particularly striking is the fact that the Ministry of Science and ICT—the main authority for technological and user protection—and the Korea Communications Commission each received a B grade and C grade, respectively. Both agencies dropped one grade compared to the previous year. This means that, despite emphasizing guidelines to private companies, they failed to adhere to them themselves. Given the symbolic role of the Ministry of Science and ICT as the chief agency for national information security policy and the leader in security technology research and development (R&D), this result is disappointing. The failure to achieve a high grade for its own protection level invites criticism that it "failed to set an example." The same applies to the Korea Communications Commission. Receiving a C grade, despite being responsible for protecting the rights of telecom service users and regulating personal data breaches, undermines the credibility of its policies.

The chronic issue of failing grades among basic local governments remains unresolved. The National Fire Agency, the Korea Aerospace Administration (KASA), some basic local governments, and other public institutions received the lowest grades. The average score for basic local governments was 73.2 points, down from 74.8 points a year ago. The gap with public enterprises and quasi-governmental organizations (which averaged 87.5 points) reached as much as 14.3 points, highlighting a severe disparity in protection capabilities. Despite handling vast amounts of personal data closely tied to daily life, these bodies have not been able to strengthen their management systems due to budget and personnel shortages.

The threat of hacking is intensifying with the development of artificial intelligence (AI) technology. The sophistication and speed of attacks have reached levels that are virtually impossible for humans to defend against, and AI models themselves are now being targeted. Security has moved beyond merely setting up 'firewalls' to an era where 'AI must be countered with AI.' Reflecting this trend, the total government budget for information security in 2026 was set at 401.2 billion won, an increase of approximately 7.7% compared to the previous year (372.4 billion won). This amount will be used to raise the overall security level of the country and to help grow the private sector. While such efforts are important, it is also crucial for each public institution to strive to set an example in the field of security to give real momentum to policy.

Hot Picks Today

"Pay for the Postpartum Care Center with My Car...

The Personal Information Protection Commission plans to link this evaluation’s results with government work assessments and will provide improvement recommendations and follow-up checks to underperforming institutions. The commission also plans to enhance the protection level of public institutions through customized consulting. In addition to the annual guidance efforts, there is a need to consider practical measures such as securing specialized personnel and strengthening penalties to reinforce accountability.

한글 기사 보기

This content was produced with the assistance of AI translation services.