The Personal Information Protection Commission will strengthen preventive management, starting with public agencies that process large volumes of key personal information such as resident registration numbers.
To that end, it set principles to encourage voluntary improvement through risk-based management, evidence-based inspections and linking outcomes to incentives. It plans to pursue preventive tasks in line with those principles.
Risks are high at public agencies because they process large volumes of people’s personal information under law, regardless of whether individuals consent. The commission explained that ex-post sanctions such as administrative fines have limited effect, so it decided to prioritize fact-finding inspections and the establishment of safety management systems.
The commission newly designated 8 systems that handle large amounts of people’s personal information, including the Blood Information Management System (Korean Red Cross), as intensive management systems. It excluded the Epidemiological Investigation Support System (Korea Disease Control and Prevention Agency), which was used temporarily during the spread of infectious diseases. After 3 existing systems, including Worknet, were consolidated into Employment24, it also updated the designations so that Employment24 (Korea Employment Information Service) is an intensive management system.
As a result, public-sector intensive management systems expanded from 382 systems (57 operating agencies) in 2024 to 387 systems (58 operating agencies) in 2026. Systems designated as intensive management systems must apply strengthened safety measures compared with general systems, including linking personnel information when granting handler access rights and automatic analysis of access logs.
The commission will conduct emergency fact-finding inspections through March covering 387 intensive management systems at public agencies and systems that process resident registration numbers for 10,000 people or more. The inspections aim to check and address key vulnerability factors identified in recent major data leak incidents. For intensive management systems, the main checks include whether the latest security patches are applied, whether secure authentication methods such as certificates and one-time passwords are used for handler access, and whether de-identification measures are taken so key information such as resident registration numbers does not remain in log records.
For systems that process 10,000 or more resident registration numbers, it will check whether secure encryption algorithms are used when encrypting resident registration numbers and how encryption keys are managed. Each institution will address its own shortcomings as a priority, while the commission plans to make the inspections effective by supporting improvements, such as consulting, according to risk level.
Under the Personal Information Protection Act, the commission must inspect the status of safety management at institutions that process unique identifying information such as resident registration numbers above a certain scale. Until now, inspections were limited to formal checks in which agencies submitted self-inspection results in writing, and there was criticism that, due to the lack of compulsory investigative power, the system depended heavily on processors’ autonomy. The commission will select inspection targets by assessing risk levels based on types of unique identifying information and processing scale listed in public agencies’ personal information file inventories, in line with the original purpose of inspections of unique identifying information management.
To that end, it plans to update the personal information file inventory in the first half of the year. It will also overhaul 26 inspection items, conducting in-depth checks focused on key items such as the status of granting permissions to handlers who can access unique identifying information, de-identification measures such as partial masking when handlers view information, and the state of encryption key management, while requiring submission of specific supporting materials. When shortcomings are found, it will make submission of improvement plans mandatory, and it plans to provide incentives such as exempting excellent institutions from inspections for a certain period and awarding prizes.
PIPC Chairperson Kyung-hee Song (송경희) said, "Public agencies process important personal information of all people on a large scale under laws even without individuals’ consent, so this is an area where preventive management is more strongly required." She added, "Starting with the public sector, the commission will actively pursue a 'preventive policy' so that a preventive-focused personal information protection system can take root across our society."