PIPC Presents Personal Data Protection Standards for Autonomous Checks in AI Development and Operation
[Asia Economy Reporter Eunmo Koo] A guidebook for developers and operators to prevent personal information infringement that may occur during the development and operation of artificial intelligence (AI) services has been announced.
The Personal Information Protection Commission finalized and released the ‘AI Personal Information Protection Self-Checklist’ on the 31st after gathering opinions from the industry and discussions with experts and the full committee.
The newly released self-checklist is a guide designed to allow step-by-step self-inspection of the major obligations and recommended items under the ‘Personal Information Protection Act’ that must be observed to safely handle personal information during the AI design, development, and operation processes. It presents six principles to be observed throughout the entire workflow?legality, safety, transparency, etc.?along with 16 key items and 54 verification points to be checked at each stage. These contents reflect the characteristics of AI’s personal information processing and incorporate the Personal Information Protection Act, AI ethical standards, and internationally accepted privacy-by-design principles.
Looking at the main inspection items by workflow stage, in the ‘Planning and Design’ phase, since unexpected personal information infringements may occur due to the nature of AI services, the guide applies the Privacy by Design (PbD) principle from the planning stage for prior inspection and prevention, and requires conducting a personal information impact assessment if infringement concerns arise. In the ‘Personal Information Collection’ phase, considering that large-scale personal information is collected and used during AI development and operation, it instructs checking lawful consent methods, grounds for collection other than consent, and precautions when collecting from sources other than the data subject such as publicly available information, and provides consent examples to prevent improper consent acquisition.
Additionally, in the ‘Use and Provision’ phase, personal information must be used and provided within the collection purpose, and any use beyond the purpose must verify lawful grounds. Furthermore, if pseudonymization is used without consent, it provides inspection items to check whether the purpose is permitted, such as scientific research or statistical compilation, and whether it meets related standards. It also guides precautions for pseudonymizing training data and restrictions on disclosing pseudonymized information. Finally, in the ‘Storage and Destruction’ phase, it inspects safety measures to prevent leakage, exposure, and hacking of personal information, and requires secure destruction when personal information is no longer needed.
Moreover, it clarifies personal information protection standards by presenting ongoing inspection items related to ‘AI Service Management and Supervision,’ ‘User Protection,’ ‘Voluntary Protection Activities,’ and ‘AI Ethics Inspection.’
While AI-related privacy issues discussed domestically and internationally have been at an abstract principle level, the Personal Information Protection Commission explained that this self-checklist concretely reflects AI service personal information infringement cases and industry concerns to be helpful in the field. The Commission expects the checklist to be greatly helpful in preventing personal information infringement factors in new technology fields, as it can be applied not only to AI but also to the development and operation of various ICT services. To promote widespread use of the checklist in the AI field, the Commission plans active promotion and will hold explanatory sessions for AI startups starting early next month, as well as actively utilize it in consulting and education for small and medium enterprises.
Yoon Jong-in, Chairperson of the Personal Information Protection Commission, said, “I hope AI developers and operators actively use this self-checklist to prevent personal information infringement caused by AI and help create a safer and more trustworthy AI service environment.” He added, “The Commission will continue to strive to ensure personal information is safely protected in the field by responding to changes in new technology environments such as bio-information, autonomous vehicles, and drones.”
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
