Personal Information Protection Commission

Overview

It is a system for preliminary investigation, analysis and assessment to analyze and improve the risk factors before adopting anew or changing personal information files

Legal Ground and Objects

• (Legal ground)Article 33(privacy impact assessment) of the Personal Information Protection Act
• (Object institutions)Public institutions that will establish or operate personal information files prescribled in Article 35 of the Enforcement Decree of the Act, or change or connect the existing system

Procedure

1. Personal Information Protection Commission KISA
2. Public Institution (Object institutions)
3. Conducting assessment (Privacy impact assessment institution)
4. Requesting assessment
5. Submitting the result
6. Providing opinions (if necessary)
7. Designating the privacy impact assessment institution

Assessment Procedures

• (When is the assessment conducted) The assessment is conducted in the stage of analyzing or designing the personal information processing system before establishing the system
• (Who conducts the assessment)The assessment is conducted by privacy impact assessment team which is comprised of the person in charge in the department of the assessment, the privacy officer, the person in charge of personal information protection, etc.

* Public institutions request the assessment to the privacy impact institution designated by the Personal Information Protection Commission

Enlarge image

1. Privacy impact assessment
2. Preparing in advance
3. Conducting the assessment
4. Implementing
5. Preparing project plan (Securing budget)
6. Selecting proejct contractor
7. Establishing assessment carry-out plan
8. Collecting assessment materials
9. Analyzing the flow of personal information
10. Analyzing infringing factors
11. Establishing improvement plan
12. Preparing assessment report
13. Reflecting and checking improvement plan
14. Checking implementation status
15. Assessment Process
16. Examining the necessity of the impact assessment
17. Preparing a project plan (Securing budget)
18. Preparing a written request for proposal
19. Project ordering
20. Selecting the evaluation institution
21. Establishing assessment carry-out plan
22. Organizing the evaluation team
23. Analyzing inside materials
24. Analyzing outside materials
25. Analyzing materials related to the target system
26. Analyzing the actual status of personal information processing
27. Preparing a flow statement of personal information
28. Preparing a flow chart of personal information
29. Preparing a system structure map
30. Preparing a system structure map
31. Preparing assessment item list
32. Understanding the actual status of personal information protection
33. Deducing infringing factors
34. Calculating the risk level
35. Deducing things to improve
36. Establishing improvement plan
37. Preparing assessment report
38. Submitting the report
39. Reflecting improvement plan (developing stage)
40. Checking the reflecting of improvement plan (testing stage)
41. Confirming the implement of improvement (within 1 year)
42. Submitting a written confirmation (Protection Commission)
43. Year of Performance
44. A year immediately before
45. Current year of the assessment
46. A year immediately after the assessment
47. Evaluating Body
48. Object (Public Institution)
49. Impact assessment evaluating institution (carrying out the assessment and preparing a written evaluation report)
50. Object Institution (Cooperation, submitting the report, and implementing the improvement plan)
51. Object Institution
52. Supervising entity
53. Object Institution

Expected Effects

Minimizing the risk of privacy infringement at the stag of establishing and operating the system to prepare effective responses by reviewing and improving the risks from the stage of designing the system.