From now on, the protection obligations for public sector entities that possess or operate personal information processing systems will be further strengthened.
The Personal Information Protection Commission announced on the 12th that, following a one-year grace period after the amendment of the protection law, government ministries and affiliated public institutions that possess or operate major personal information processing systems must, starting from the 15th of this month, comply with additional safety measure obligations beyond the existing ones.
The targets for the additional safety measures are 63 government ministries and affiliated agencies operating 382 public systems that hold personal information of over one million individuals, have more than 200 personal information handlers, or process sensitive or unique identification information. The Commission explained that the majority of major public institutions fall under this category.
As a result of this measure, they will be subject to a total of 10 additional safety obligations across four major areas.
In the system management framework area, the obligations include establishing and operating consultative bodies, designating responsible persons for each system, and establishing and implementing safety measures plans for each system. In the area of strict granting and management of access rights, the obligations include automatic linkage of personnel information, granting minimum necessary permissions and updating access rights, and introducing procedures for issuing accounts to non-government employees. In the area of strengthening access log inspections, the obligations include inspecting access logs and detecting anomalies, and preparing pre- and post-procedures. Lastly, in the area of expanding dedicated personnel and systems, the obligations include expanding dedicated personnel and personal information protection education, and enhancing the personal information protection functions of systems.
According to the Personal Information Protection Commission, reports of personal information leaks in the public sector increased approximately 3.8 times from 16 cases in the first half of this year to 52 cases compared to the previous year. This is because last year’s protection law expanded the reporting obligation in the public sector: reporting was previously required for leaks involving over 1,000 cases, and is now required even if only one case involving sensitive information or illegal external access occurs.
The Commission plans to minimize blind spots in the application of the law through the expansion of reporting obligations and to continuously encourage public institutions to strengthen their leak prevention efforts.
Furthermore, to raise awareness, the Commission has increased the level of sanctions. In cases of personal information leaks due to violations of safety obligations, public sector entities were previously subject to fines but will now be subject to administrative penalties. While fines mainly serve as sanctions for simple order violations, administrative penalties have a stronger punitive purpose.
The Commission also made it possible to apply a one-strike-out policy: public officials who intentionally leak or misuse personal information and cause significant secondary damage to the public can be dismissed or removed immediately, even if it occurs only once, and criminal penalties are also applicable.
A representative of the Personal Information Protection Commission stated, "With the strengthening of safety obligations under the protection law for major public system operating institutions starting from the 15th of this month, special attention is required for the applicable public institutions and others," adding, "In the event of a leak incident at a public institution, we plan to actively encourage efforts to strengthen personal information protection in the public sector by conducting strict investigations and sanctions."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.


