On June 30, 2016, the South Korean government announced the Guidelines on Personal Data De-identification Measures and the Comprehensive Guide to Data Protection and Privacy Laws and Regulations (collectively, the “Guidelines”). Prior to the announcement of these Guidelines, the use and transfer of personal data for purposes other than those consented to by the data subject was considered to be nearly impossible due to rigid and complex data protection laws in South Korea and the general ambiguity associated with the concept of personal data.
By specifying the criteria, procedures, and methods of de-identification measures and the criteria for determining what qualifies as personal information, the Guidelines seek to facilitate the utilisation of de-identified personal data under the data protection laws in South Korea.
Key provisions of the guidelines
In this section, we examine the key provisions of the new guidelines, which serve to assist organizations in understanding and establishing proper methods for protecting and using personal information under the data protection laws in South Korea.
Establishment of clear criteria for personal data de-identification measures
The Guidelines classify personal data de-identification measures into four stages, namely “pre-evaluation,” “de-identification measures,” “adequacy assessment,” and “ex post facto management,” and provide detailed guidance on the recommended measures and considerations to be made for each stage.
- 1st Stage: Pre-evaluation
This stage determines whether the subject data can be classified as personal information. If it is clear that the subject data is not personal information, then the information may be used without having to take any additional measures.
- 2nd Stage: De-identification measures
Once the subject data is determined to constitute personal information, certain measures that delete or substitute all or parts of the personally identifiable elements within the personal data must be implemented, so that a specific individual can no longer be identified from the de-identified information. Such measures include pseudonymisation, aggregation, data reduction, data suppression and data masking.
- 3rd Stage: Adequacy assessment
In this stage, an assessment is made as to whether the subject data which has passed through the first two stages can still be easily combined with other information to identify a specific individual. The Guidelines prescribe detailed rules on who is to perform the assessment and on the methods and standards for the assessment. The highlights of these rules and standards are as follows:
- The adequacy assessment must be performed by a “Task Force to Assess the Adequacy of De-Identification Measures” (the “Assessment TF”). The Assessment TF will be comprised of at least three members with the relevant expertise (the majority of whom must be from outside the data controller, and will be recommended and appointed by the privacy officer of the data controller).
- The Assessment TF will assess the adequacy of the de-identification measures by examining various information provided by the Data Handler, such as a description of the subject data, the implementation status of de-identification measures, and the management proficiency of the Data Handler. The k-anonymity privacy protection model will be primarily used when assessing the adequacy of de-identification measures.
- 4th Stage: Ex post facto management
The Guidelines prescribe detailed ex post facto management measures designed to ensure that the de-identified information does not become re-identifiable during the course of subsequent data processing. Such measures include (i) the implementation of technical and managerial safeguards for the secure management of the de-identified information, (ii) regular monitoring that can detect changes in the possibility of re-identification, and (iii) the inclusion of contractual provisions on re-identification risk management when entering into agreements with a third party for the provision of the de-identified information or outsourcing of the processing of the de-identified information.