**Implementation of the Revised ‘Guidelines on Personal Information Impact Assessment’**
(Seoul=Yonhap News) Reporter Lee Sang-seo: The effectiveness of the ‘Personal Information Impact Assessment’ (hereinafter referred to as Impact Assessment) system, which aids in the protection and safe processing of personal information by public institutions, will be enhanced, and the related procedures will be further systematized.
The Personal Information Protection Commission announced on the 31st that the revised ‘Guidelines on Personal Information Impact Assessment’, which were decided at the recent general meeting, will be implemented starting today.
The impact assessment is a system that guides public institutions planning to establish, operate, or modify personal information files of a certain scale or larger to analyze potential risks of personal information infringement in advance and devise improvement measures to ensure safe personal information processing.
The criteria for assessment include:
– Personal information files that involve the processing of sensitive information or unique identifying information of over 50,000 individuals.
– Personal information files concerning over 500,000 individuals when linked with other personal information files.
– Personal information files concerning over 1 million individuals.
The revision aims to improve the effectiveness of the impact assessment system and streamline the evaluation procedures.
First, the name of the ‘Evaluation Agency Designation Review Committee’ will be changed to ‘Personal Information Impact Assessment Committee’, and its role will be expanded.
The Impact Assessment Committee will not only oversee the designation and cancellation of evaluation agencies but will also deliberate on matters related to quality management and system improvement of impact assessments.
To enhance the professionalism of quality management and competency evaluation in impact assessments, the designation criteria for evaluation agencies now explicitly include requirements set by the Enforcement Decree of the Personal Information Protection Act (performance records, personnel, facilities).
Additionally, whereas affected institutions have so far been required to submit an implementation plan for identified improvement areas within one year, going forward they will be required to submit, within two months, implementation plans for issues that can be addressed in the short term.
The Personal Information Protection Commission plans to promote personal information protection in public institutions through the implementation of this revised guideline.
shlamazel@yna.co.kr