Application of enhanced safety measures standards to 1515 major systems… Strict management of access rights and strengthened inspection of access records
In the future, public system operating institutions that handle sensitive personal information on a large scale must designate a person in charge of personal information protection for each system and establish and operate a personal information protection council.
In addition, access rights must be strictly managed in connection with personnel information, and a function to check access records must be introduced.
On the 7th, the Personal Information Protection Committee held a ‘Personal Information Policy Council’ with the participation of related ministries and announced the ‘Plan to Strengthen Personal Information Safety Measures for the Centralized Management System in the Public Sector’.
This reinforcement plan is a follow-up measure to the ‘Measures to Prevent Leakage of Personal Information in the Public Sector’ jointly announced by related ministries in July last year. Considering the amount of personal information held in each system, the number of handlers, and the processing of sensitive or resident registration information as important factors, 1515 centralized management systems are selected and stricter safety measures are imposed.
Institutions with the selected centralized management system must implement 10 tasks in 4 areas, including ▲system management system ▲granting and managing access rights ▲checking access records ▲expanding personnel and systems in charge.
Accordingly, an integrated personal information management system for each institution will be established, including the designation of a person in charge of each system and the establishment and operation of a council in which operating institutions and entrusted institutions participate.
In addition, access rights will be strictly managed in connection with personnel information, and the access record inspection function will be introduced and supplemented to strengthen monitoring for evasion and deviation by personal information handlers. This is expected to significantly reduce the possibility of leakage by internal employees.
The authority to use each account will be limited to the minimum necessary according to the division of duties, and a procedure for prior approval by, or post-reporting to, a superior will be prepared for access to large-scale personal information or sensitive/private information.
In order to secure the effectiveness of the strengthening plan, each institution should expand personnel dedicated to personal information, and strive to improve the system to expand personal information protection functions, such as linking personnel information and checking access records.
Furthermore, the Personal Information Commission plans to prepare further strengthened standards for personal information safety measures in the public sector and gradually expand and apply them to the entire public sector from next year. In addition, it plans to intensively inspect the implementation status over the next three years.
This year, education/learning and real estate/architectural fields will be inspected first. Even if it is not a centralized management system, a system in which a major leakage accident has occurred, such as the National Association of Education Assessment System, is included in the annual inspection.
Choi Jang-hyeok, vice chairman of the Personal Information Committee, said at the policy council that day, “In order to lead the digital era, public trust in the safe handling of personal information is essential, so we ask for active participation from each institution. We will do our best to eradicate information leakage.”
Personal Information Protection Committee
Source: Policy news