Personal information is easily obtained in our internet-driven information society, and there have been many cases of abuse. Recently, financial companies, search engines, game companies, and others have been the victims of information hacking, resulting in a plethora of spam mail, illegal use of other people's names, voice phishing, and identity theft. Accordingly, in the endeavor to provide a consistent code to protect personal information, the Personal information Protection Act was signed into law on March 29, 2011, and enforced from September 20, 2011. This act is a general law that combines all laws related to protection of personal information and contains strong penal provisions. This law also covers all processes of gathering personal information, both on- and offline. The Ministry of Public Administration & Security has enforced the law after the six month period between September 20, 2011 and March 29, 2012 for intensive guidance.


1. Major Details of the Personal information Protection Act

The Personal information Protection Act regulates matters concerning the use of personal information in order to protect and promote people's rights and interests by protecting them from unwanted collection, leakage, illegal use and abuse of their personal information. The law includes the following six major subjects.

(1) Expansion of Scope
The Personal information Protection Act is a general law applying to the relationship between individuals and those collecting their personal information. Previously, personal information was protected in specifically designated ways through separate laws such as the Information & Communication Act and the Credit Information Act, but the protections offered there have been expanded and applied to all handlers of personal information working in either the public or private sector. Accordingly, this law also applies to companies that do not conduct any online business.

(2) Expansion of Protection
The scope of protection of personal information covers not only information processed electronically, but also paper records such as those used in Civil Service Offices, etc. Personal information means data that distinguishes or reveals individual identity (including name, resident registration number, date of birth, address, etc.) and data that reveals an individual's past and current conditions and situations (including educational background, financial status, medical history and health, etc.).

(3) Restrictions on use of unique identifying information
Unique identifying information provided to the individual by law, such as resident registration numbers, shall be prohibited, in principle, from processing. In cases where a specific law requires such information, or where it is deemed obviously necessary for the urgent benefit of life, body or property of a subject of information or a third party, gathering such information is permitted. Individual resident registration numbers shall not be required on websites. Any person violating this shall be punished with imprisonment of up to five years or with a fine not exceeding fifty million won.

(4) Restrictions against use of video recording devices
Installation and operation of video recording devices in open places is now restricted. A video recording device is any instrument, such as CCTV (closed-circuit television) or network cameras, which is installed and remains in a designated place and is meant to videotape objects and/or people, or transmit the video recordings through a wired or wireless network. The arbitrary use of such operations in a way that differs from its intended purpose, recording video in places other than the originally intended area, and recording of voices, are all prohibited. Any person violating this shall be punished with imprisonment of up to three years or with a fine not exceeding thirty million won.

(5) Collection and use of personal information
The collection of personal information must satisfy certain criteria, and any information gathered shall only be used in the specified way. These criteria are: 1) The target person must have agreed to give such information; 2) an article of law exists which requires the collection of such information in order to observe the law; 3) it is needed by a public agency to carry out duties assigned by related law; 4) it is necessary for one party to enter into or implement a legal contract with the individuals concerned; 5) such information is urgently necessary to protect life, body, and interest of individuals and/or third parties; 6) it is necessary for the justifiable interests of the handler of such information, and is more important than the rights of individuals. In this last case, it shall be closely related to the justifiable interest of the handler of such information, and shall not exceed a reasonable scope. A person who violates this shall be punished with a fine for negligence up to fifty million won.

(6) Duty to report leaks of personal information
When recognizing that personal information has been leaked, the handler of such information shall notify the individuals concerned of this fact without delay, and shall include: 1) the details of the leaked personal information; 2) the time the leak occurred, and any related details; 3) information about how the individual can minimize any damage caused by the leak; 4) any countermeasures the handler of such information has taken, and procedures for remedy for any damage; and 5) the contact information of the department individuals can contact to report any resulting damage.
Any person violating this duty to report leaks of personal information shall be punished with a fine for negligence of up to thirty million won. Any person responsible for failing to report to the appropriate government authority on the way the organization handled the leak shall be punished with a fine for negligence of up to thirty million won.


2. Management of Personnel and Personal information

Laws related to the protection of personal information are applied equally to most companies. Regarding the management of personnel, the main issues are the management of employees' personal information and the company use and management of video recording devices.

(1) Details on management of employees' personal information
Collecting and using personal information is tightly restricted, but in cases where an employee enters into an employment contract to offer work in return for wages from the employer, the employer shall know the employee's name, resident registration number, address, wage information, and other necessary data, as this is an example of it is necessary for one party to enter into or implement a legal contract with the individuals concerned. These items of personal information are essential to management of personnel regarding the four social insurances, year-end income tax adjustment, and issuance of various certificates. Accordingly, no individual agreement is necessary regarding the use of personal information in this way. However, it is still necessary for the employer to inform the employee of the collection and use of his/her personal information related to the making of an employment contract. This notification shall include the purpose for collecting the personal information, where to read and/or correct such information, the period it will be retained, and management after he/she leaves the company, etc.

(2) Company use and management of video recording devices
Video recording devices shall not be installed or operated in public places. Exceptions are as follows: 1) In cases where its use is concretely permitted by law and/or decree; 2) In cases where its use is necessary to prevent or investigate crime; 3) In cases where its use is nec