Measures to Ensure Safety of Personal Information Taken by Institutions Operating Public Systems
(1) Pursuant to Article 29, a public institution which operates a personal information processing system meeting the standards publicly notified by the Protection Commission (hereafter in this Article referred to as "public system"), such as the scale of personal information processed and the number of personal information handlers granted access authority (hereafter in this Article referred to as "institution operating public systems"), shall take the following measures in addition to the measures to ensure safety under Article 30 of this Decree:
- Including measures to ensure safety prepared for each public system in an internal management plan under Article 30 (1) 1;
- Measures necessary to safely manage access authority, such as allowing an institution that accesses a public system to process personal information (hereafter in this Article referred to as "institution using public systems") to grant access authority to a personal information handler with legitimate authority and to change and cancel such authority;
- Measures such as storage, analysis, inspection, and management of the records of access to public systems to prevent illegal access to personal information and personal information breach incidents.
(2) Where an institution operating public systems or an institution using public systems becomes aware of access to personal information without authority or beyond the scope of authorized access, it shall without delay notify the data subjects of the relevant fact and of the matters necessary for the prevention of any damage, etc.; in such cases, notification shall be deemed to have been given in any of the following cases:
- Where data subjects are notified of loss, theft, or divulgence of personal information under Article 34 (1) of the Act;
- Where data subjects are notified of access to their personal information and matters necessary for the prevention of any damage, etc. pursuant to other statutes or regulations.
(3) An institution operating public systems (where there is a separate public institution that develops and distributes a public system, such public institution shall be included; hereafter in this Article, the same shall apply) shall designate and operate a department dedicated to work related to the safe management of personal information or shall assign personnel dedicated to such work, taking into account the size and characteristics of the relevant public system, the number of institutions using the relevant public system, and other relevant factors.
(4) An institution operating public systems shall designate the head of a department responsible for the general management of the relevant public system as a manager for each public system: Provided, That where there is no such department, it shall designate a manager from among the heads of relevant departments in consideration of work-relatedness, work capabilities, and other relevant factors.
(5) An institution operating public systems shall establish and operate a public system operation council comprised of the following institutions for each public system to consult on matters related to examining the implementation of measures to ensure the safety of public systems and improving such systems: Provided, That where one public institution operates at least two public systems, an integrated public system operation council may be established and operated:
- The institution operating public systems;
- Where the operation of public systems is entrusted, the person entrusted;
- An institution using public systems deemed necessary by the institution operating public systems.
(6) The Protection Commission may provide institutions operating public systems with support necessary to implement measures to ensure the safety of personal information.
(7) Except as provided in paragraphs (1) through (6), matters necessary for the measures to ensure the safety of personal information taken by institutions operating public systems, etc. shall be determined and publicly notified by the Protection Commission.