PIPC Revises 'Biometric Information Protection Guidelines'

[Asia Economy Reporter Eunmo Koo] On the 8th, the Personal Information Protection Commission revised and released the ‘Biometric Information Protection Guidelines’ to protect and safely utilize biometric information such as fingerprints, facial features, veins, and irises.

The Biometric Information Protection Guidelines are a complete overhaul of the previous ‘Bioinformation Protection Guidelines,’ serving as a manual that specifically presents basic principles for protecting biometric information, protection measures at each stage of biometric information processing, and case examples. The Personal Information Protection Commission prepared the guidelines by identifying usage practices of institutions, companies, and manufacturers utilizing biometric information and collecting opinions from stakeholders and experts in various fields.

Looking at the main revisions of the guidelines, first, terminology and concepts were clarified. To clearly define the concept of the existing term ‘bioinformation,’ it was changed to the Korean expression ‘saengchejeongbo’ (biometric information), and the name of the guidelines was also changed to ‘Biometric Information Protection Guidelines.’ Information defined as subject to encryption under personal information protection laws was defined as ‘biometric recognition information,’ clarifying the scope of encryption.

Relationship Among Personal Information, Biometric Information, and Biometric Recognition Information

Additionally, the previous guidelines, which were centered on protection principles, were reorganized into a system that guides a total of 15 protection measures required at each of the five stages where biometric recognition information is processed, enhancing understanding.

Legal amendments were also reflected. The scope of application was expanded from the previous ‘information and communication service providers, etc.’ to ‘personal information processors (including information and communication service providers, etc.),’ and it was also indicated that separate consent is required when collecting and using biometric recognition characteristic information classified as sensitive information according to the amendment of the Enforcement Decree of the Personal Information Protection Act.

Furthermore, manufacturer and user sections and a self-checklist were added to increase usability. In the manufacturer section, since protection measures for the safe management of biometric recognition information greatly affect system development and function settings of manufacturers, the role of manufacturers necessary for creating a safe usage environment was added. In the user section, pre-check items before using services and precautions during service use were provided to help users easily understand and safely utilize biometric recognition information services in daily life. Additionally, a self-checklist summarizing the contents was newly established in the appendix so that personal information processors, manufacturers, and users can easily and conveniently check compliance with the guidelines during the biometric recognition information utilization process.

Finally, various biometric information utilization cases confirmed through on-site inspections were specifically reflected to enhance overall understanding of the guidelines.

Yoon Jong-in, Chairperson of the Personal Information Protection Commission, said, “Biometric information is unique personal information that is conveniently used for authentication and identification services, but unlike passwords that can be changed, it is irreversible when leaked, making damage recovery difficult, thus emphasizing the need for its protection. We hope that these guidelines will be the starting point for biometric information protection in which all citizens participate together.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.