Data protection and management

Definition of `health data'

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

There is no law that specifically defines ‘health data’ per se, but ‘health information’ is categorised as a type of sensitive information under Article 23 of the Personal Information Protection Act (PIPA). According to the Guidelines for Use of Health-Medical Data co-published by the Ministry of Health and Welfare (MOHW) and PIPA in September, 2020, ‘health information’ includes but is not limited to the following:

  • medical records and electronic medical records under the Medical Service Act (MSA), and other records produced in hospitals that indicate or easily enable the indication of medical treatment details (eg, hospital receipts containing medical treatment details);

  • data for insurance claims collected by the National Health Insurance Service, the Health Insurance Review and Assessment Service, and other private insurance companies, data related to health, illness, injury, etc, used in the subscription design and ancillary data; (

  • health examination data, health examination result data;

  • health status information diagnosed by a physician, measured by medical devices, or identified or estimated through estimation of insurance claim records, other algorithms, etc; and

  • information collected through medical devices to measure health status or health habits (eg, number of steps, heart rate, oxygen saturation, blood sugar, blood pressure, ECG).

 

In particular, if information that is normally not considered health information is used for the diagnosis, treatment, prevention or management of diseases, such information will also be viewed as health information (eg, a voice recording is not health information under normal circumstances, but if the risk of disease is predicted using a voice recording, that voice recording file will be considered health information). Meanwhile, pseudonymised information refers to personal information that has been processed, such as deletion or replacement of certain parts, so that a specific individual cannot be identified without additional information (PIPA, article 2), and anonymised information refers to personal information that can no longer be used to identify a specific individual even if additional information is used in reasonable consideration of time, cost and technology (PIPA, article 58-2). Anonymous information is not subject to PIPA. In addition, the Bioethics and Safety Act defines ‘anonymisation’ as permanent deletion of personally identifiable information or full or partial substitution of personally identifiable information with an identification code assigned by an institution (article 2). Therefore, anonymisation under the Bioethics and Safety Act is construed as being conceptually similar to pseudonymisation under PIPA. Because there exist discrepancies in definitions between different laws, it is necessary to carefully review and determine the applicable law on a case-by-case basis when actually processing health data.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

Personal information protection in Korea is principally governed by PIPA. PIPA is similar to Europe’s General Data Protection Regulation in terms of structure and principle, but consent is regarded as the main lawful basis for the use and processing of personal information under PIPA. In particular, health data (or health information) is categorised as a type of sensitive information under article 23 of PIPA. Sensitive information must be obtained through separate consent from the data subject, apart from other general personal information, and PIPA provides for stronger legal protection to sensitive information compared to regular personal information (eg, security measures to prevent the loss, theft, leakage, forgery, alteration or damage of sensitive information are required). In addition, in the case of medical records, MSA specifically defines and regulates matters related to its recording, access, provision to third parties, electronic medical records, etc. Violation of such provisions of PIPA and MSA may result in administrative sanctions and even imprisonment.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

As a bottom line, personal information is subject to PIPA and its subordinate legislation. In particular, in light of the newly added provisions to PIPA in 2020, personal information controllers may process pseudonymised information without the consent of data subjects for the purposes of statistics, scientific research and archiving in the public interest. Such pseudonymised information may then also be provided to third parties without the consent of data subjects, as long as such provision is within the scope of the above purposes. However, in order to process pseudonymised information, various measures to ensure stability (managerial, technical and physical) specified in the Presidential Decree must be in place, regarding which the PIPC published the Guidelines on Processing Pseudonymised Data to serve as general guidance. Meanwhile, specifically regarding pseudonymised health information, the MOHW and PIPC also co-published the Guidelines for Use of Health-Medical Information in September 2020. In addition, while there is no clear guideline specifically regarding anonymised information under PIPA, the aforementioned two sets of guidelines also include explanations on anonymised information, and therefore, they should be referred to as applicable. However, because anonymisation under the Bioethics and Safety Act is conceptually similar to pseudonymisation under PIPA, when anonymising personal information under the Bioethics and Safety Act, the aforementioned two sets of guidelines will directly apply.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

In general, regulations on personal information, including health data, are relatively strict in Korea. In particular, the PIPC, which became the new primary regulatory body as a result of the major amendments to PIPA in 2020, has expressed on many recent occasions its intention to regulate issues relating to personal information protection considerably more rigorously than before, regardless of domestic or offshore businesses. Meanwhile, when it comes to any notable regulatory or private enforcement actions with regard to digital healthcare technologies in particular, during the period 2011–2015, the Korea Pharmaceutical Information Centre (affiliated with the Korean Pharmaceutical Association) encrypted billions of cases of personal information of patients and physicians (including a large amount of sensitive information, such as name, resident registration number, licence number and dispensing details) registered through its preparation management and evaluation request program PM2000 and sold such information to IMS Health Korea, a global medical data company. There were allegations of personal information leakage owing to the low level of encryption, and the affected data subjects brought both civil and criminal claims to court, but the civil court determined that there was no damage caused by the personal information leakage and dismissed the data subjects’ claims for damages compensation (currently appealed to the Supreme Court), while the criminal court did not find the defendants guilty on the grounds that it was difficult to determine the wilfulness of the defendants and that the act in question was initiated before 30 September 2011, the date on which PIPA took effect.

Another noteworthy case is SK Telecom’s SKT Smart Health Electronic Prescription Service, which launched around October 2011. SK Telecom’s service involved electronic prescription information (including sensitive information such as prescription details) prescribed by physicians via an electronic chart program, which was then transmitted to and stored on SK Telecom’s relay server without consent from the patient, and ultimately transmitted to a member pharmacy upon request at a fixed fee. The service was also alleged to be in violation of PIPA and MSA, but in September 2020, the Seoul High Court dismissed the allegations based on the grounds that the transmission of personal information could be viewed as a simple relay rather than actual processing of personal information, that encrypted electronic prescription information does not qualify as sensitive information under PIPA, and processors entrusted with personal information from a controller do not have to separately obtain consent from data subjects.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

As in other countries, regulations regarding security in Korea can be categorised into data security regulations and cybersecurity regulations. With regard to data security, PIPA prescribes a list of technical, managerial and physical safety measures to be taken by personal information controllers. This list includes:

  • establishing and implementing an internal management plan for the safe processing of personal information;

  • measures to block illegal access to personal information;

  • measures to prevent forgery and alteration of access records;

  • measures to ensure that personal information is safely stored and transmitted; and

  • installation and periodic updates and inspections of anti-virus software to ensure that the personal information processing system and personal information handlers can always check and treat any penetration of malicious programs such as computer viruses and spyware into information devices used for personal information processing (Presidential Decree of PIPA, article 48-2).

 

Furthermore, in order to ensure the performance of a personal information controller’s obligation for damages to any data subject in the event of a violation of the personal information controller’s obligations under PIPA, PIPA requires the personal information controller to take necessary measures, such as signing up for insurance or setting aside reserves (PIPA, article 39-9). The Presidential Decree of PIPA further details thresholds for which such an obligation applies, but the minimum coverage or reserve amount differs based on sales and the average daily users of the service in the previous year (minimum 50 million won, maximum 1 billion won). Meanwhile, under MSA, healthcare professionals and founders of medical institutions are required to have in place facilities and equipment necessary for managing and storing electronic medical records (EMR) safely, and when an addition or revision is made to EMR, such access records shall be separately stored (MSA, article 23). Details of these requirements are provided in article 16 of the Presidential Decree of MSA, as well as the Standards on Facilities and Equipment Required for Management and Preservation of Electronic Medical Records published by the MOHW. To give a few examples, the Standards explain details on backup storage equipment for EMR, facilities and equipment related to network and system security, facilities and equipment to prevent physical access to EMR storage locations, facilities and equipment for real-time inspection of EMR systems, spare equipment, surveillance equipment such as CCTV, and disaster prevention facilities.

With regard to cybersecurity, the Act on the Promotion of Information and Communications Network Utilisation and Information Protection requires IT service providers (data controllers) and, if applicable, their data processors to take technical, managerial and physical measures to ensure the safety of the security of the information and communications network and the reliability of the information. Such measures include, inter alia, requirements to:

  • establish and operate an internal information protection organisation;

  • establish and implement an internal personal information management policy;

  • ensure personnel security;

  • prevent unauthorised access to personal information by controlling access authority and implementing technical measures to control access;

  • encrypt important information; and

  • retain logs for a certain period of time.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

As the law and relevant guidelines already stipulate in detail matters such as the retention, use and provision of personal information and also pseudonymised information, the best practice would be to consider and observe the same as much as practicable. However, there are a number of uncertain or unprecedented issues, as Korea is only now in the early stages of deregulation of the digital healthcare sector. Still, the Korean government has indicated that it is aware of the necessity of fostering and developing the digital healthcare sector, and there is a visible trend toward easing existing regulations.

Law stated date

Correct on

Give the date on which the above content is accurate.

20 November 2020.