Public Institutions with Data Breaches to Face Up to 20-Point Deductions in Government Evaluation

Penalties Strengthened, Including Up to 5-Point Deductions for Inadequate Follow-Up

New Indicator for "Prevention and Response Efforts" Introduced... Assessment Covers 1,464 Institutions

The government will double the maximum penalty for public institutions in the personal information protection level assessment and subdivide the internal evaluation grades into three levels to enhance differentiation.


Song Kyunghee, Chairperson of the Personal Information Protection Commission, is speaking at the 5th plenary session held at the Government Seoul Office in Jongno-gu, Seoul on March 25, 2026. Photo by Jo Yongjun



The Personal Information Protection Commission announced on April 8 that it finalized the "2026 Plan for Assessing the Personal Information Protection Level of Public Institutions" at the plenary session.


This assessment is a system that evaluates public institutions' overall efforts to protect personal information, including whether they fulfill their statutory obligations under the Personal Information Protection Act. It has been implemented since 2024.


This year, the Commission will strengthen penalties for data breaches and inadequate responses by public institutions. The maximum penalty for incidents will be increased from 10 points to 20 points, and up to 5 points will be deducted for insufficient follow-up actions.


In addition, a new indicator, "efforts to prevent and respond to personal information breaches," will be introduced, and the results of vulnerability checks, including simulated hacking, will be reflected in the assessment. To prevent insider breaches in advance, "insider security" has been selected as this year's theme indicator for focused inspection. The indicator evaluating the efforts of the institution’s head has also been given a higher score weight.


For affiliated organizations and education offices conducting their own assessments, the grading system will be changed to three levels: "Adequate" (90 points or higher), "Partially Inadequate" (80-90 points), and "Inadequate" (below 80 points). The list of "Inadequate" institutions will be made public. Institutions rated as "Partially Inadequate" or "Inadequate" must submit corrective action reports. In addition, the proportion of in-depth evaluations (qualitative indicators) involving experts will be increased to 50%, and points will be deducted if the criteria for selecting the evaluation system are not met.


This year's assessment will cover a total of 1,464 institutions. It will be conducted from September this year to March next year through document reviews and on-site verification. The final results will be announced in April next year after verification by an expert evaluation panel.


The Commission plans to increase awards for institutions and staff with excellent results and will notify the relevant ministries and agencies of outstanding personnel to encourage internal recognition as well. For institutions rated as "Inadequate," improvement recommendations and follow-up checks will be conducted. Additionally, regional briefing sessions will be held from June to September, and the assessment handbook will be distributed both online and offline. For institutions with inadequate results or those requesting assistance, customized one-on-one on-site consultations will also be provided.


Yang Cheongsam, Secretary General of the Personal Information Protection Commission, stated, "As data breaches continue to occur in public institutions, it is necessary to strengthen the safety management system in the public sector. We will raise safety management standards by providing systematic support such as briefing sessions and consulting, so that institutions can voluntarily address deficiencies discovered during the assessment process."

© The Asia Business Daily (www.asiae.co.kr). All rights reserved.