Government Legislation

  • (Personal Information Protection Committee) Partial Amendment to the Standards on Measures to Ensure the Security of Personal Information
    • Competent Ministry : Personal Information Protection Commission
    • Advance Publication of Legislation : 2023-07-07
    • Opinion Submission Deadline : 2023-07-26

1. Reasons for Amendment

The special case regulations for information and communications services in the Enforcement Decree of the Personal Information Protection Act (Article 48-2) have been integrated into the standard regulations (Article 30). Accordingly, this Amendment combines the Standards on Measures to Ensure the Security of Personal Information with the Standards on Technical and Managerial Safeguards for Personal Information and reflects changes in the personal information processing environment to make technologically neutral improvements.

2. Major Provisions

A. Organize provisions by combining the standard regulations of the Standards on Measures to Ensure the Security of Personal Information with special case regulations in the Standards on Technical and Managerial Safeguards for Personal Information (Articles 4 through 9, Article 11)

Make personal information controllers the single addressee and delete “[Table] Standards on Safeguards According to Personal Information Controller Type and Volume of Personal Information Held”

B. Formulation, implementation, and inspection of internal management plans (Article 4)

Combine and organize matters to be included in internal management plans pursuant to the standard regulations and special case regulations, and newly insert provisions on the training of personal information handlers, etc.

C. Management of access permissions (Article 5)

Amend provisions towards technological neutrality by modifying password rules to instead prescribe the secure application and management of a means of authentication and thereby allowing non-password means of authentication.

D. Encryption of personal information (Article 7)

When a personal information controller sends or receives personal information via the internet through an information and communications network, it shall be encrypted using a safe encryption algorithm. However, when personally identifiable information or biometric information is sent or received through an information and communications network, it shall be encrypted using a safe encryption algorithm.

E. Retention and inspection of access records (Article 8)

Personal information controllers shall create access records on persons who access personal information processing systems and shall retain and manage the records for at least three months.

F. Prevention of malicious programs, etc. (Article 9)

Allow daily updates of security programs and immediate installation of security updates to application programs to be delayed when justified.

G. Security measures for printing and photocopying (Article 13)

Combine security measures for printing and photocopying in the special case regulations with the Standards on Measures to Ensure the Security of Personal Information.

Prescribe that when a public institution manages sensitive information or personally identifiable information by including it in personal information files, or when it processes sensitive information on 50,000 or more data subjects, it shall take the necessary measures to ensure the secure management of paper printouts.

H. Destruction of personal information (Article 14)

When there is substantial difficulty in permanently deleting information due to its technical nature, it shall be treated as information falling under Article 58-2 of the Act and measures shall be taken to make restoration impossible [amended Article 16 of the Enforcement Decree (July 19, 2022)].

I. Apply standards on security measures for public system operating agencies (Article 15)

Prescribe designation criteria for personal information processing systems that correspond to public systems.

J. Formulation and implementation of internal management plans by public system operating agencies (Article 16)

Public system operating agencies shall formulate internal management plans including the designation of a person in charge of management for each public system and matters concerning the roles and responsibilities of persons in charge of management.

K. Management of access permissions by public system operating agencies (Article 17)

Public system operating agencies shall ensure that the granting, modification, or termination of access permissions to a public system is coordinated with personnel information.

Public system operating agencies shall administer training on personal information protection and obtain a security agreement when issuing an account under Article 5 (4).

Public system operating agencies shall conduct an inspection of details on the granting, modification, and termination of access permissions at least once every six months.

L. Retention and inspection of access records by public system operating agencies (Article 18)

Access records of persons who have accessed a public system shall be analyzed using automated methods to detect attempts to unlawfully leak, misuse, or abuse personal information and determine the reasons therefor.

Public system operating agencies shall provide a feature allowing any institution using the public system to directly examine the access records of personal information handlers under its management.

Regulatory effect assessment
  • (개인정보보호위원회) 개인정보의 안전성 확보조치 기준(규제영향분석서)_20230705.hwp
Legislative proposal (draft)
  • (행정예고안)개인정보의 안전성 확보조치 기준 개정안.hwp