• Asian Journal of Innovation and Policy
• /
• v.9 no.3
• /
• pp.339-359
• /
• 2020

The policy change in the Data 3 Act is one of the issues that should be noted at a time when non-face-to-face business strategies become important after COVID-19. The Data 3 Act was implemented in South Korea on August 5, 2020, calling 'Big Data 3 Act' and 'Data Economy 3 Act,' and so personal information that was not able to identify a particular individual could be utilized without the consent of the individual. With the implementation of the Data 3 Act, it is possible to establish a fair economic ecosystem by ensuring fair access to data and various uses. In this paper, the law on the protection of personal information, which is the core of the Data 3 Act, was compared around Korea, the European Union and the United States, and the implications were derived through network analysis of keywords.

• Journal of Information Technology Services
• /
• v.10 no.4
• /
• pp.21-32
• /
• 2011

The recently revised "Telecommunications Business Promotion and Personal Data Protection Act" is an important legal milestone in promoting the Korean telecommunications infrastructure and industry as well as protecting individuals' personal data and individuals' rights to privacy. Special characteristics of information security and privacy protection services including public goods' feature, adaptiveness, relativity, multi-dimensionality, and incompleteness, are reviewed. The responsibility of chief security/privacy officers in the IT industry, and the fairness and effectiveness of the criminal negligence in the Telecommunications Act are analyzed. An assessment of the rationale behind the act as well as a survey of related laws and cases in different countries, offers the following recommendations : i) revise the act and develop new systems for data protection, ii) grant a stay of execution or reduce the sentence given extenuating circumstances, or iii) use technical and managerial measures in data protection for exemption from criminal negligence.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.16 no.2
• /
• pp.587-608
• /
• 2022

The European Union recently established the General Data Protection Regulation (GDPR) for secure data use and personal information protection. Inspired by this, South Korea revised their Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and the Credit Information Use and Protection Act, collectively known as the "Three Data Bills," which prescribe safe personal information use based on pseudonymous data processing. Based on these bills, the personal data store (PDS) has received attention because it utilizes the MyData service, which actively manages and controls personal information based on the approval of individuals, and it practically ensures their rights to informational self-determination. Various types of PDS models have been developed by several countries (e.g., the US, Europe, and Japan) and global platform firms. The South Korean government has now initiated MyData service projects for personal information use in the financial field, focusing on personal credit information management. There is also a need to verify the efficacy of this service in diverse fields (e.g., medical). However, despite the increased attention, existing MyData models and frameworks do not satisfy security requirements of ensured traceability, transparency, and distributed authentication for personal information use. This study analyzes primary PDS models and compares them to an internationally standardized framework for personal information security with guidelines on MyData so that a proper PDS model can be proposed for South Korea.

• Journal of Information Technology Applications and Management
• /
• v.24 no.1
• /
• pp.81-91
• /
• 2017

In Korea, "Act on the Development of Cloud Computing and Protection of its Users" has been enforced since September 28, 2015. Many countries implemented 'Cloud First' policies and global companies such as Amazon, Microsoft, IBM started cloud services in Korea. Under these circumstance, the Act was established for developing the cloud computing industry. The Act includes clauses for encouraging the use of private cloud computing by public organizations, supporting small- and medium-size cloud service providers, and utilizing secure cloud computing services by users. However, some terms appear to be similar but have different meanings from "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc." and "Personal Information Protection Act". This generated some confusion and conflicts in relation to providing user information to a 3rd party and notifying the intrusion in the Cloud Computing Act. This paper discusses these issues and suggestions for revision of the Cloud Computing Act.

• The Korean Journal of Archival Studies
• /
• no.29
• /
• pp.225-268
• /
• 2011

The general public are interested in the politics and form public opinion and keep in check the government for true democracy. The general public have the right to be furnished information from the government. And the government should enact the Freedom of Information Act to provide the public's right to know. At the same time, the government should enact the Data Protection Act to provide the public's right to privacy. There is a friction between the Freedom of Information Act and the Data Protection Act. It's hard to maintain the proper balance between the Freedom of information Act and the Data Protection Act, but many countries try to do so. The UK enacted the Data Protection Act 1998(DPA), which entered into force on 2000, to comply with EU Directive 1995. The Freedom of Information Act 2000(FOI), which came fully into force on 2005, was passed in 2000. The FOI imposes significant duties and responsibilities on public authorities to give access to the information they hold. The purpose of this study is to consider the provisions of the personal data in FOI and DPA. Besides this, it identifies the complaint cases on public authorities about the disclosure and exemption of the personal data in comparison with the acts. If information is the personal data of the person making the request, it will disclose under the DPA. If information is the personal data of a third party, it will disclose under the FOI. These acts interact each other to make up for the weak points in the other to make a proper application of the act on public authorities. This study may have any limitation in making a comparative study of the disclosure and exemption of the personal data in Korea. But it is expected to provide a basis for understanding the disclosure and exemption of the personal data in the UK.

• Journal of Information Technology Applications and Management
• /
• v.25 no.2
• /
• pp.133-146
• /
• 2018

The technical definition of Blockchain is commonly known 'distributed ledger', however, there is no legal definition for being accepted in worldwide. Therefore, unless legal definitions and concepts of Blockchain are presented, there is a possibility that various legal disputes will occur in the future in Blockchain environment. The purpose of this study is to derive legal issues related to personal information protection that can be conflicted in Blockchain environment based on domestic Privacy Act and GDPR. The outcomes of this study can prevent various legal disputes and provide solutions that may occur due to the spread of Blockchain. It also suggests the foundation for the improvement of Privacy Act. Finally, it contributes to activate of Blockchain, industry, in Korea.

• Korean Security Journal
• /
• no.61
• /
• pp.333-352
• /
• 2019

In January and August 2019, there were amendments to the Unfair Competition and Trade Secrets Protection Act (UCPA) and the Industrial Technology Protection Act(ITPA). These amendments will contribute to technology protection. But these amendments need to be supplemented further. In the area of civil remedies, despite the introduction of treble damages in the case of the UCPA and ITPA, the provisions related to the submission of supporting data have not been maintained. Therefore, it is necessary to recognize the claim of the other party as true if it is maintained at the level of the revised Patent Act and the scope of submission of supporting data. And the enforcement of the case of compulsory submission for the calculation of damages, and the order of filing documents are not followed. ITPA, on the other hand, has introduced the compensation for damages, but there is no provision for estimating the amount of damages. Therefore, it is necessary to estimate the amount of lost profits, profits, and royalties. In the area of criminal remedies, both the UCPA and ITPA have raised the penalty, but the sentencing regulations are not maintained. In addition, although the recent outflow of technology has expanded beyond organizational deviations to organizational outflows, amendments need to be made in relation to the serious consequence for the punishment of related juristic persons, such as companies involved in it. It should be noted that Japan and the United States have corporate regulations and regulations. In addition, in relation to the confiscation system, Act on Regulation and Punishment of criminal proceeds concealment require that domestic defenses be confiscated by defense industry technology, while trade secrets and industrial technologies are confiscated only by "foreign" outflows, and an amendment is necessary.

• Convergence Security Journal
• /
• v.24 no.3
• /
• pp.81-93
• /
• 2024

The purpose of this paper is to derive considerations when improving the Personal Information Protection Act based on the personal information protection life cycle of the generative artificial intelligence model as generative artificial intelligence models are introduced and used in Korea a lot. Through the study, the necessity of using open information in the collection stage, using personal information preservation technology in the learning stage, and preparing the basis for the development of protection technology in the holding stage was derived. It also revealed the necessity of managing the generated information in the generation and inference stage, re-learning in the limitation and destruction stage, and preparing a filtering basis. It is expected that the results of this study can be used to revise the Personal Information Protection Act and make policies in the future.

• The Korean Society of Law and Medicine
• /
• v.13 no.1
• /
• pp.359-395
• /
• 2012

In a broad term, health and medical data means all patient information that has been generated or circulated in government health and medical policies, such as medical research and public health, and all sorts of health and medical fields as well as patients' personal data, referred as medical data (filled out as medical record forms) by medical institutions. The kinds of health and medical data in medical records are prescribed by Articles on required medical data and the terms of recordkeeping in the Enforcement Decree of the Medical Service Act. As EMR, OCS, LIS, telemedicine and u-health emerges, sharing and protecting digital health and medical data is at issue in these days. At medical institutions, health and medical data, such as medical records, is classified as "sensitive information" and thus is protected strictly. However, due to the circulative property of information, health and medical data can be public as well as being private. The legal grounds of health and medical data as such are based on the right to informational self-determination, which is one of the fundamental rights derived from the Constitution. In there, patients' rights to refuse the collection of information, to control recordkeeping (to demand access, correction or deletion) and to control using and sharing of information are rooted. In any processing of health and medical data, such as generating, recording, storing, using or disposing, privacy can be violated in many ways, including the leakage, forgery, falsification or abuse of information. That is why laws, such as the Medical Service Act and the Personal Data Protection Law, and the Guideline for Protection of Personal Data at Medical Institutions (by the Ministry of Health and Welfare) provide for technical, physical, administrative and legal safeguards on those who handle personal data (health and medical information-processing personnel and medical institutions). The Personal Data Protection Law provides for the collection, use and sharing of personal data, and the regulation thereon, the disposal of information, the means of receiving consent, and the regulation of processing of personal data. On the contrary, health and medical data can be inspected or delivered of the copies, based on the principle of restriction on fundamental rights prescribed by the Constitution. For instance, Article 21(Access to Record) of the Medical Service Act, and the Personal Data Protection Law prescribe self-disclosure, the release of information by family members or by laws, the exchange of medical data due to patient transfer, the secondary use of medical data, such as medical research, and the release of information and the release of information required by the Personal Data Protection Law.

• The Korean Society of Law and Medicine
• /
• v.22 no.3
• /
• pp.31-55
• /
• 2021

The Personal Information Protection Act, one of the revised 3 Data Laws, established a special cases concerning pseudonymous data. As a result, a personal information controller may process pseudonymized information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc. In addition, as a follow-up to the revised Personal Information Protection Act, a 'Guidelines for Utilization of Healthcare Data' was prepared, which deals with the pseudonymization in the medical sector. The guidelines are meaningful in that they provide practical criteria for accomplices by defining specific interpretations and examples that take into account the characteristics of healthcare data. However, the guidelines need to clarify the purpose of using pseudonymous data and strengthen the fairness of the composition of the data deliberation committee. The guidelines also require establishing a healthcare data compensation framework and strengthening the protection of rights for vulnerable subjects. In addition, the guidelines need to be adjusted for inconsistency with the Bioethics and Safety Act and the Medical Service Act. It is expected that this study will contribute to the creation of a safe environment for the utilization of healthcare data as well as the improvement of related laws and systems.