Korea recently enacted the Personal Information Protection Act in order to protect rights and interests in connection with personal information; the act took effect on September 30 2011. If any person processing personal information fails to comply with the obligations set out in the act, such person may be subject to penalties including criminal punishment or an administrative fine. All public organisations and private enterprises in Korea (around 3.5 million in total) are subject to the act. The act protects even information that is not processed by computers or other electronic devices – in other words, even personal information of employees and executives of private enterprises is protected. In particular, because companies maintain databases to manage the personal information of their employees, a compromise of such databases will cause massive damage. Potential disputes may therefore arise if companies do not examine and update their current personal information handling practices.
Although the act is already in force, the Ministry of Public Administration and Security has provided for a six-month transition period until March 29 2012, during which time the ministry will focus on educating companies about the act. Accordingly, many businesses are undertaking compliance projects.
Under the act, 'personal information' includes:
- general personal information (eg, name, resident registration number, address and date of birth);
- family information (eg, name, resident registration number and occupation of a family member);
- communication information (eg, email address, log file and cookies);
- location information (eg, information about the location of a person via GPS or mobile phone);
- biometric information (eg, fingerprints, iris and height); and
- information about habits and hobbies (eg, smoking, alcohol consumption and leisure activities).
While previously only the protection of customers' personal information was an issue, following the implementation of the act businesses should also be aware of issues relating to the personal information of employees.
Companies begin to collect, use and provide personal information of potential employees during the recruitment and hiring process, and maintain such information both during and after those employees' employment with the company.
Under the act, a company that violates the act in relation to personal information (whether of customers or employees) may be punished by either imprisonment for up to 10 years or a fine of up to KRW100 million. An administrative fine of up to KRW50 million may be imposed and a violator of the act may also be subject to civil liability for damages through an individual or class action suit, which has been introduced by the act. The enforcement decree of the act sets forth the standard for imposing administrative fines and provides that the amount of a fine will increase if violations have occurred within the three preceding years. In addition, the minister of public administration and security has discretion to increase the amount of the fine by up to 50% when the nature and degree of the violation are particularly serious and harmful to consumers.
The level of penalties that may be imposed for a violation of the act is significant, and the protection of personal information of employees therefore requires serious attention from all employers. The precautions that employers should take to ensure compliance with the act are as follows.
Recruitment and hiring
In principle, individual consent from each applicant should be obtained in order to collect, use and provide personal information in connection with the recruitment process.
Only the minimum information necessary for the recruitment and hiring process should be collected and used, and separate consent should be obtained in connection with the collection and use of personal identification information (eg, resident registration number) or other sensitive information (eg, religion or health-related information). If applications are received online, compliance with the Act on Promotion of Information and Communication Network Utilisation and Information Protection is also required.
Conducting reference checks qualifies as the collection of personal information from third parties, and therefore the applicant should be notified of the source of the information received through reference checks. The personal information of applicants who are not hired should be destroyed since the objective of making a hiring decision has been achieved.
When entering into an employment agreement with a potential employee, it may be convenient to obtain a comprehensive consent covering the collection, use and provision of personal information necessary for the hiring process; however, even in such a case, details of each item being consented to should be listed.
In addition, it is advisable to obtain comprehensive consent from a potential employee covering the collection, use and provision of personal information necessary during the course of the employment.
According to the Standard Guidelines for Protection of Personal Information (Administrative Ruling 45, Ministry of Public Administration and Security, September 30 2011), the collection and use of personal information for the purposes of wage payment, education, issuance of certification or provision of employee benefits may be permitted without prior consent of the employee.
If the personal information of employees is to be shared with a foreign affiliated company (ie, through an agreement to transfer personal information outside Korea) or provided to a labour union, social insurance institution or organisation related to employee benefits, education or retirement pension, consent by the subject employee or executive is required, as personal information will be disclosed to a third party. Accordingly, special care should be taken if a parent company located in a foreign country manages the personal information of employees employed by a subsidiary in Korea.
It is possible that email communications exchanged by employees for business purposes may be regarded as personal information under the act; thus, email messages should not be accessed without the prior consent of the respective employee in order to avoid potential liability under the applicable laws such as the Criminal Code and the Protection of Communication Secrets Act.
In principle, the act restricts the installation and operation of visual information processing devices (eg, closed circuit television) in open spaces. However, the installation and operation of such devices may be allowed in exceptional circumstances, such as where it is permitted by law or when it is necessary to prevent or investigate a crime or to maintain the safety of facilities, in which case a sign regarding the installation and operation of the device should be installed.
When an employee leaves his or her employment, it is advisable to destroy the personal information of such person unless the preservation of such information is required by law.
Previously, in Korea, it was common practice for employers to collect, use and provide their employees' personal information with almost no restrictions, and no general law regulated such practices in relation to private enterprises. However, with the implementation of the act, employers will be required to refrain from the indiscriminate collection of personal information. Further, it will be necessary to obtain consent from employees throughout the different stages of employment for the collection, use and provision of their personal information and to adopt a systematic approach to the management of personal information. To begin with, many companies may need to amend their work rules, company regulations or employment agreements in order to ensure compliance with the act.
In addition, it is expected that many companies will need to conduct a compliance review and analysis of their current practices in order to ensure compliance with the act, especially since:
- the act is still at the initial stage of being implemented and the related rules and regulations (eg, the Standard Guidelines for the Protection of Personal Information) are still being established;
- there is no court or administrative ruling addressing issues relating to the protection of personal information under the act; and
- the act is unclear on what types of measure should be taken by businesses in connection with the protection of employees' personal information, as no specific guidelines addressing the subject have been issued.
Furthermore, businesses may face potential disputes or criminal charges if they process employees' personal information according to their former customs and practices. In order to avoid any potentially serious legal risks, companies should seek advice from legal experts.
For further information on this topic please contact Hee-Chul Kang, Sang Wook Cho or Raymond Kang at Yulchon by telephone (+82 2 528 5200) or fax (+82 2 528 5228).