Personal Information Protection Commission

Overview

• It is a system that the Personal Information Protection Commission assesses the data breach incident factors when the head of a central administrative agency adopts or changes a policy or a system which entails personal information processing by enacting or amending laws under his/her jurisdiction
• The Personal Information Protection Commission makes recommendation for improvement to the head of the agency if data incident factors exist in the laws

Purpose

• To protect the personal information of citizens by analyzing and assessing data breach incident factors comprehensively and systematically in the stage of drafting laws or systems
• To remove overlapping or conflicting factors by considering the mutual consistency between the laws related to the personal information

Legal Ground

Article 8-2(Assessment of Data Breach Incident Factors) of the Personal Information Protection Act

Objects

Legislative bills(laws, Presidential Decrees, Ordinances of the Prime Minister or Ordinances of the Ministries) to be enacted or amended by central administrative agencies

Assessment Contents

Assessment Procedures

Enlarge image

1. Legislative procedure
2. Drafting legislative bills and consulting with relevant agencies (10 days)
3. Pre-announcement of legislation (40 days)
4. Regulatory Review (10-45 days)
5. Review by the Ministry of Government Legislation
6. Promulgation and enforcement

1. Steps and details
2. Requesting the Personal Information Protection Commission to assess data breach incident factors * Attaching the legislative bills and the table comparing new and old provisions
3. Reviewing the assessment request form : Reviewing whether the submitted bills entails personal information processing
4. If there is no data breach incident factor
5. End of the procedure : Notifying that there is no data breach incident factor if personal information processing is not entailed
6. Continuing assessment
7. Reviewing the request form(contined) : Reviewing data breach incident factors
8. Notifying the assessment result : Notifying “agree to the original bill” or “recommend improvement.
9. Agreeing to the original bill : End of the procedure , Assessment of data breach incident factors ends, and the legislative procedure continues.
10. Recommending improvement : Reviewing the request form(continued) :Reflecting the improvement opinions and submitting the result of reflection
11. Managing the result of reflection : Checking and managing whether the relevant agency (department) accepted the improvement opinions

1. Central administrative agency
2. Relevant agency (-> Personal Information Protection Commission)
3. Personal Information Protection Commission
4. Relevant agency (-> PPersonal Information Protection Commission)
5. The relevant agency submits the result of data breach incident factor assessment to the Ministry of Government Legislation, and submits the result of reflection to the Personal Information Protection Commission
6. Personal Information Protection Commission