• Convergence Security Journal
• /
• v.19 no.5
• /
• pp.25-36
• /
• 2019

With the development of information and communication technology, hospitals that electronically process and manage medical information of patients are increasing. However, if medical information is processed electronically, there is still room for infringing personal information of the patient or medical staff. Accordingly, in 2017, the International Organization for Standardization (ISO) published ISO TS 25237 Health Information - Pseudonymization[1]. In this paper, we examine the re - identification process based on ISO TS 25237, the procedure and the problems of our proposed method. In addition, we propose a new processing scheme that adds a re-identification procedure to our secure differential privacy method [2] by keeping a mapping table between de-identified data sets and original data as ciphertext. The proposed method has proved to satisfy the requirements of ISO TS 25237 trust service providers except for some policy matters.

• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.41-48
• /
• 2019

In the era of Internet of Things and Artificial Intelligence, it has become essential to digitize mass data, which leads 'data-driven economy'. Digitalized personal data can be easily collected, stored, duplicated and analyzed. As ICT technology is evolving the concept of traditional personal data has changed. The United States, the European Union, Japan, Korea and many countries have introduced new concept of personal data into law such as de-identification, anonymization, and pseudonymization to protect and utilize digitalized personal information. These concepts are distinguishable depending on countries. Therefore, this study will be done by researching and analyzing personal data related policies of several countries. Based on this study, this paper will suggest policy on di-identification to draw the right balance between personal data protection and use, which contributes to the development of digital economy.

• Informatization Policy
• /
• v.28 no.3
• /
• pp.49-72
• /
• 2021

This study analyzes the major content, significances, and future outlook of Three Data Acts amendment enacted in August 2020 in South Korea, with the focus on their impact on the financial and data industries. It seems that the revision of the Credit Information Act will enable the specification of a business which had previously only been regulated as the business of credit inquiry, and also enable the domestic data industry to activate the MyData industry, data trading and platforms, and specify data pseudonymization and trading procedures. For the rational and efficient implementation of the amendments to the Three Data Acts, the Personal Information Protection Committee must be as transparent and lawful in its activities as possible, and fairness must be guaranteed. Even in the utilization of personal information, the development or complementation of the related data processing technologies is essential, and clear data processing methods and areas must be regulated. Furthermore, the amendments must be supported with guarantees and the systematization of a fair competitive system in the data market, stricter regulations on penalties for illegal acts related to data, establishment and strengthening of the related security systems, and reinforcement of the system of cooperation for data transfer.

• The Korean Society of Law and Medicine
• /
• v.22 no.3
• /
• pp.31-55
• /
• 2021

The Personal Information Protection Act, one of the revised 3 Data Laws, established a special cases concerning pseudonymous data. As a result, a personal information controller may process pseudonymized information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc. In addition, as a follow-up to the revised Personal Information Protection Act, a 'Guidelines for Utilization of Healthcare Data' was prepared, which deals with the pseudonymization in the medical sector. The guidelines are meaningful in that they provide practical criteria for accomplices by defining specific interpretations and examples that take into account the characteristics of healthcare data. However, the guidelines need to clarify the purpose of using pseudonymous data and strengthen the fairness of the composition of the data deliberation committee. The guidelines also require establishing a healthcare data compensation framework and strengthening the protection of rights for vulnerable subjects. In addition, the guidelines need to be adjusted for inconsistency with the Bioethics and Safety Act and the Medical Service Act. It is expected that this study will contribute to the creation of a safe environment for the utilization of healthcare data as well as the improvement of related laws and systems.

• Proceedings of the Korean Institute of Navigation and Port Research Conference
• /
• 2023.05a
• /
• pp.202-203
• /
• 2023

The Ministry of Oceans and Fisheries is providing maritime safety services through the operation of the Korean e-Navigation service, and research is continuously needed to improve reliability and quality to secure the competitiveness of the system. In order to secure such competitiveness, we presented the basic design for the big-data maritime information gateway system for minimizes thereal-time operation impact of the Korean e-Navigation service, and a theoretical hardware structure diagram including pseudonymization procedures to implement the overall system and solve privacy security issues. However, the proposed structure diagram and design include only the overall concept, to link real-time maritime information, required detailed privacy security method to satisfy the Privacy Act of the Republic of Korea. To solve this problem, this study will identify factors to violate the Privacy Act within the real-time maritime information(privacy of shipowner, shipping company, captain, navigator, fisherman, etc.) linked by the big-data maritime information gateway system, and research the method to link the secured information to other institutions by encrypting identified the factors.

• The Korean Society of Law and Medicine
• /
• v.23 no.4
• /
• pp.29-74
• /
• 2022

As social disasters occur under the Disaster Management Act, which can damage the people's "life, body, and property" due to the rapid spread and spread of unexpected COVID-19 infectious diseases in 2020, information collected through inspection and reporting of infectious disease pathogens (Article 11), epidemiological investigation (Article 18), epidemiological investigation for vaccination (Article 29), artificial technology, and prevention policy Decision), (3) It was used as an important basis for decision-making in the context of an infectious disease crisis, such as promoting vaccination and understanding the current status of damage. In addition, medical policy decisions using infectious disease data contribute to quarantine policy decisions, information provision, drug development, and research technology development, and interest in the legal scope and limitations of using infectious disease data has increased worldwide. The use of infectious disease data can be classified for the purpose of spreading and blocking infectious diseases, prevention, management, and treatment of infectious diseases, and the use of information will be more widely made in the context of an infectious disease crisis. In particular, as the serious stage of the Disaster Management Act continues, the processing of personal identification information and sensitive information becomes an important issue. Information on "medical records, vaccination drugs, vaccination, underlying diseases, health rankings, long-term care recognition grades, pregnancy, etc." needs to be interpreted. In the case of "prevention, management, and treatment of infectious diseases", it is difficult to clearly define the concept of medical practicesThe types of actions are judged based on "legislative purposes, academic principles, expertise, and social norms," but the balance of legal interests should be based on the need for data use in quarantine policies and urgent judgment in public health crises. Specifically, the speed and degree of transmission of infectious diseases in a crisis, whether the purpose can be achieved without processing sensitive information, whether it unfairly violates the interests of third parties or information subjects, and the effectiveness of introducing quarantine policies through processing sensitive information can be used as major evaluation factors. On the other hand, the collection, provision, and use of infectious disease data for research purposes will be used through pseudonym processing under the Personal Information Protection Act, consent under the Bioethics Act and deliberation by the Institutional Bioethics Committee, and data provision deliberation committee. Therefore, the use of research purposes is recognized as long as procedural validity is secured as it is reviewed by the pseudonym processing and data review committee, the consent of the information subject, and the institutional bioethics review committee. However, the burden on research managers should be reduced by clarifying the pseudonymization or anonymization procedures, the introduction or consent procedures of the comprehensive consent system and the opt-out system should be clearly prepared, and the procedure for re-identifying or securing security that may arise from technological development should be clearly defined.