Procedures for Assessment of Personal Information Breach Incident Factors
(1) The head of a central administrative agency who intends to request an assessment of personal information breach incident factors pursuant to Article 8-2 (1) of the Act (hereinafter referred to as “assessment of personal information breach incident factors”) shall submit to the Protection Commission a written request (or an electronic request form) for an assessment of personal information breach incident factors which contains the following matters:
- The purposes and major contents of the policy and systems in need of personal information processing to be adopted or changed by the statutes or regulations (including the draft);
- Self-analysis of personal information breach incident factors with respect to the matters prescribed in paragraph (2) following the adoption and change of the policy and system in need of personal information processing;
- Measures to protect personal information following the adoption and change of the policy and system in need of personal information processing.
(2) Upon receipt of a written request under paragraph (1), the Protection Commission shall assess data breach incident factors taking into account the following matters, and shall notify the result thereof to the head of the related central administrative agency:
- Necessity for processing personal information;
- Appropriateness of guarantees for the rights of data subjects;
- Safety in the management of personal information;
- Other matters necessary to assess data breach incident factors.
(3) The head of a central administrative agency who has been advised as prescribed in Article 8-2 (2) of the Act shall endeavor to implement as advised, such as incorporating such advice in the relevant draft statute or regulation: Provided, that where it is impracticable to implement as advised by the Protection Commission, the reason therefor shall be notified to the Protection Commission.
(4) The Protection Commission may request materials necessary to assess data breach incident factors from the head of the related central administrative agency.
(5) The Protection Commission may establish guidelines necessary to assess data breach incident factors, including detailed criteria for and methods of the assessment of data breach incident factors; and shall notify the heads of central administrative agencies of the guidelines.
(6) The Protection Commission may seek counsel, etc. from relevant experts where necessary to assess data breach incident factors.