[DigitalToday reporter Chi-gyu Hwang] The Personal Information Protection Commission (PIPC) said on Tuesday it briefed major public institutions, including the Ministry of the Interior and Safety, the Ministry of Health and Welfare and the National Health Insurance Service, at the Government Complex-Sejong on expanded measures for personal data portability and shared details of updated regulations.
The PIPC is revising its guidance to inform the public about key elements of the amended enforcement decree and assessment standards.
Key revisions include expanding the scope of portability requests (entities subject to portability and the information subject to requests) and prior consultations on transfer methods.
First, when determining whether an entity is subject to portability, average revenue is calculated based on total domestic and overseas revenue. The number of data subjects is calculated as the total number of data subjects whose information is processed across all systems. Public system operators are assessed based on all systems they manage, not only public systems.
However, considering its circumstances, each institution can first prepare portability methods for the systems expected to face high demand for transfer requests. It can also post in its privacy policy a schedule for expanding to other systems and take measures in line with that schedule.
Information subject to transfer requests must be information collected based on the data subject's consent or a contract, and information collected under laws that the PIPC has deliberated and resolved on. It must be personal information processed by information processing devices and not information separately created by the personal information controller. The amended enforcement decree excluded from the scope information that could infringe on others' rights or legitimate interests, as well as trade secrets and industrial technologies.
By contrast, implementing a function that lets data subjects transmit (download) to themselves personal information that they can immediately view or check through a website is also recognized as data portability. If requested by a data subject, institutions can review and prepare response measures such as gradually expanding the scope of information transferred.
Lastly, it specified items that must be discussed in advance between the entity subject to portability and an agent when the agent uses automated tools (scraping) to make a portability request on the data subject's behalf. These include the scope, purpose and method of transfer, verification of the agent's delegated authority, the agent's safeguards and safety management measures, and the agent's responsibilities.
The PIPC said it plans to review opinions heard at the meeting and, if necessary, reflect them in the revised guidance. It plans to release the final revised guidance in June as part of efforts to ensure smooth implementation of the system.