Personal Information Protection Commission Approves Revision of Disclosure Guidelines
Sanction Results Must Be Posted for 10 to 12 Days Upon Disclosure Order
On June 25, the Personal Information Protection Commission revised its guidelines in a plenary session to strengthen measures against public institutions that violate the Personal Information Protection Act. The revised guidelines will take effect starting July 1.
At the session, the Commission approved a partial amendment to the "Guidelines on Disclosure and Disclosure Orders for Violations of the Personal Information Protection Act." The disclosure system is a policy of announcing to the general public when an institution is sanctioned by the Commission for violating regulations.
The Commission operates a system that either discloses the details of such sanctions on its official website for one year or orders the representative website of the relevant personal information handler to make the disclosure.
Recently, as incidents of personal information leaks have continued to occur at public institutions, the Commission has introduced a "full disclosure of sanction results" system to encourage greater accountability and efforts to enhance the level of personal information protection.
Previously, the Commission disclosed sanctions only in limited cases, such as criminal complaints, orders for corrective action within three years, or when an institution received two or more penalties such as fines or administrative surcharges. From now on, however, the Commission will post the results of all sanctions against public institutions that violate protection regulations on its website.
Additionally, until now, the Commission only ordered disclosure in limited cases, such as when an institution received a fine or administrative surcharge for leaking unique identification or sensitive information of 1,000 or more individuals. Going forward, any institution operating a public system that is sanctioned by the Commission will be ordered to make such a disclosure.
Accordingly, public institutions that receive a disclosure order must post the sanction results on their main website, at their workplace, or in newspapers for a period of at least 10 days and no more than 12 days.
In the future, the Commission plans to raise awareness of personal information protection in the public sector by conducting pilot post-incident inspections of institutions involved in major incidents and by supporting the inclusion of such matters in management evaluations.
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


