On April 28, 2022, Korea’s central data privacy regulator, the Personal Information Protection Commission (the “PIPC”), announced its amended Guidelines on Processing Pseudonymized Data (the “Amended Guidelines”). 

The concept of “pseudonymization” was first introduced through an amendment to the Personal Information Protection Act (the “PIPA”) in August 2020 as a result of the Korean government’s effort to promote the safer use of data.  Following the PIPA’s amendment, the PIPC published the Guidelines on Processing Pseudonymized Data in September 2020 to guide businesses in various industries on combining pseudonymized data.

The Amended Guidelines, which reflect the opinions of relevant legal and industry experts, have been prepared to iron out uncertainties that may arise while processing pseudonymized data and to encourage data controllers and processors to use pseudonymized data.

 

Summary of Key Aspects of the Amended Guidelines

Our discussion focuses on the chapters on (i) Pseudonymization, (ii) Combination/Transfer of Pseudonymized Data, and (iii) the Appendix, which provides various sample documents and forms.  Each chapter of the Amended Guidelines includes the following topics and relevant reference materials.

 

1. Pseudonymization

Pseudonymization means the processing of personal information by deleting a part of, or replacing all or a part of, personal information so that the personal information can no longer be attributed to a specific person without the use of additional information.  The Amended Guidelines provide details on how to pseudonymize data, determine the level of pseudonymization, and measure risk (for reidentification)—a preliminary procedure for processing pseudonymous data—through case examples and checklists.

Among others, the Amended Guidelines detail the re-assessment procedures to be applied if the “appropriateness review,” which is conducted after pseudonymization, renders inadequate results.  The following table illustrates such re-assessment procedures, specifically, what is reviewed in each stage of the appropriateness review and what measures are to be taken if a determination of inadequacy results from the review of a particular stage.

(i) Preparation Stage
Matters to Review: Whether the required documents have been prepared in line with the purpose of the laws and regulations
Measures to take if the result is inadequate: Revise and/or supplement the contents of the required documents
*Relevant Materials: Application for the Provision/Use of Pseudonymized Data, Certificate of Commitment for the Implementation of Safety Measures for Pseudonymized Data, etc.
(*Sample documents and forms of the Relevant Materials are provided in Appendix 1 and 2 of the Amended Guidelines)

(ii) Adequacy of the Purpose of Pseudonymization
Matters to Review: Whether the purpose of pseudonymization corresponds to the purposes stipulated by the PIPA (i.e., statistical, scientific research, or preservation of records for the public interest)
Measures to take if the result is inadequate: Specify and/or re-establish the purpose
Relevant Materials: *Evidentiary materials for pseudonymization and the purpose of the combination of pseudonymized data, etc.
(*Please refer to Appendix 1, Reference 5 of the Amended Guidelines)

(iii) Review of Risk Measurement
Matters to Review: Whether the risk measurement is performed based on the risk measurement checklist and the risk measurement report
Measures to take if the result is inadequate: Reassess the risk of identification and update the risk measurement report
Relevant Materials: Personal Information Classification Table, Report of Identification Risk Reassessment, etc.

(iv) Appropriateness of the Plan for Pseudonymizing Data by Items
Matters to Review: Whether the method and the level of the pseudonymization by items have been planned appropriately
Measures to take if the result is inadequate: Supplement the pseudonymization plan by items
Relevant Materials: Table for the Plan for Pseudonymizing Data by Items

(v) Appropriateness of the Result of Pseudonymization
Matters to Review: Whether the data has been appropriately pseudonymized pursuant to the plan for processing (pseudonymizing) data
Measures to take if the result is inadequate: Re-perform pseudonymization or perform additional pseudonymization for some items
Relevant Materials: Detailed List of Basic Materials for Processing Pseudonymized Data

(vi) Possibility of Achieving the Purpose
Matters to Review: Whether the pseudonymized data will achieve the intended purpose
Measures to take if the result is inadequate: Supplement the pseudonymization plan by items, perform additional pseudonymization, etc.
Relevant Materials: Evidentiary materials for pseudonymization and the purpose of the combination of pseudonymized data, etc.

 

2. Combination and Transfer of Pseudonymized Data

Article 28-2 of the PIPA provides that a personal information controller may process (i.e., use, provide, or combine) pseudonymized information without the consent of data subjects for statistical, scientific research, and archiving purposes.  The Amended Guidelines elaborate on which pseudonymized data may be transferred after being combined (e.g., through “inner join” or “outer join”) as follows:

Type of Combination: INNER JOIN
Data that may be combined and transferred: [diagram: shaded area]
Explanation (from the perspective of Combination Applicant A):
• The intersected (shaded) area represents data that may be transferred after being combined.
• Such data is data that is commonly owned by all the Combination Applicants (i.e., data for which the applicants have a combination key).

Type of Combination: OUTER JOIN
Data that may be combined and transferred: [diagram: shaded area]
Explanation (from the perspective of Combination Applicant A):
• Combination Applicant A’s data is combined with the data of Combination Applicant B (and Combination Applicant C).
• Applicant A may transfer the intersected data and Applicant A’s data that is not intersected with other Applicants’ data.

 

3. Appendix

As briefly mentioned above, the appendix of the Amended Guidelines provides reference materials (e.g., checklists for each stage of processing pseudonymized data), samples and forms of required documents, and hypothetical case examples.

The FAQ section of the Appendix answers frequently asked questions, such as whether sensitive information and particular identification data can be pseudonymized (yes, except for resident registration numbers, which can be pseudonymized only under limited circumstances prescribed by the relevant laws) and whether pseudonymized data may be sold for a fee (a conditional yes, since one may do so only for the purposes permitted by the PIPA, i.e., statistical, scientific research, and archival purposes).

 

Implications

In today’s data economy, the active use of data is essential for the development of the national economy and businesses.  Although the concept of pseudonymization was first introduced in August 2020 to create added value through data sharing and data combination, pseudonymization was not initially utilized much by businesses due to a lack of regulatory guidance and the complex steps involved in the pseudonymization process.  To address such infrequent use, the Presidential Committee on the Fourth Industrial Revolution, which oversees policies related to the Fourth Industrial Revolution including data, networks, and AI, analyzed the factors that were discouraging businesses from utilizing pseudonymized data and suggested improvements to encourage more active processing of pseudonymized data by announcing the “Measures to Promote the Use of Pseudonymized Data” in July 2021.  Given the foregoing, the Amended Guidelines are expected to enable businesses to utilize personal information and pseudonymized data more safely and efficiently.  As additional guidelines may continue to develop regarding pseudonymization, we recommend the continued monitoring of relevant legislative and regulatory updates.

 

About Shin & Kim’s ICT Group

Shin & Kim’s data protection and security experts provide comprehensive advice on personal information protection and data security based on our in-depth experience in the relevant areas, including data protection regulations of Korea and other countries, such as Korea’s Personal Information Protection Act (“PIPA”) and the EU GDPR, responding to personal information leakage, establishing a personal information protection/data privacy compliance system, among others. In particular, our professionals have advised numerous public and private sector clients, performing leading roles in the amendments to Korea’s “Three Major Data Privacy Laws” and its subordinate regulations. Our team of experts continues to advise numerous private sector clients, both domestic and foreign, in their efforts to improve their data protection and compliance systems.

Should you have any questions or comments on the contents of this newsletter, or if you wish to further discuss the Handbook or the Guidelines, please do not hesitate to contact us.

 
