[Asia Economy Reporter Kim Heung-soon] The Personal Information Protection Commission announced on the 2nd that it has prepared the "Pseudonymized Information Processing Guidelines - Pseudonymization Edition" as a follow-up measure to the enforcement of the revised "Personal Information Protection Act."
The guidelines present standards for how personal information processors should pseudonymize personal information and the procedures to ensure that pseudonymized information is used safely. Pseudonymized information is personal information that has been pseudonymized by deleting or substituting parts of the personal information so that individuals cannot be identified without additional information. This concept was newly introduced by the revision of the Personal Information Protection Act. Since it is a type of personal information, equivalent safety measures must be taken.
The guidelines require personal information processors to carry out the entire process within the scope of complying with the basic principles of personal information processing when performing pseudonymization. Information with a high possibility of personal identification must be deleted or processed so that it cannot be restored to the original information, and in environments with low security levels, it should be processed closer to anonymous information to reduce identifiability.
Additionally, the guidelines require personal information processors to process only the minimum necessary information for the purpose of pseudonymized information processing and to verify whether there is a possibility of re-identification during the pseudonymization process. For information with a low possibility of personal identification, personal information processors may select appropriate pseudonymization methods such as deletion, encryption, generalization, aggregation, or randomization, considering the processing purpose and environment.
The pseudonymization procedure is presented as a four-step process: preparation, pseudonymization, adequacy review and additional pseudonymization, and post-management. Furthermore, when processing pseudonymized information, compliance with the "Safety Assurance Measures Standards" notice is required, and re-identification prevention measures such as separately storing additional information necessary to restore pseudonymized information to its original state must be implemented.
The Personal Information Protection Commission plans to release guidelines on pseudonymized information combination and export later this month, following this pseudonymization edition. Park Sang-hee, Secretary General of the Personal Information Protection Commission, stated, "Once the integrated guidelines combining the pseudonymization edition and the combination/export edition are completed, the legal and institutional foundation for the enforcement of the Three Data Laws will be fully established, and data utilization such as pseudonymized information combination will be actively promoted."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
