South Korea's Personal Information Protection Commission on Tuesday urged businesses to strengthen protections such as access control and minimal transfer of personal data as data processing through application programming interfaces (APIs) expands in web and app upgrades, platform linkages and integration with partners' services.
The commission first told businesses that process personal information through APIs that they must follow the data minimisation principle from the design stage.
It said APIs should be designed to exclude personal information not visible on user screens or not needed for the purpose of providing the service from response data. It also called for limiting bulk data queries or repeated API calls to prevent mass personal data queries and leaks.
The commission also highlighted that API permissions should be granted and managed in line with the principle of least privilege.
It said accessible APIs and the scope of personal information should be differentiated and limited to the minimum necessary by user type, such as users, administrators and partner collaborators. It said requests without authentication or authorisation, or that do not meet policy, should be blocked by default.
The commission also stressed identifying, updating and reviewing the list of operating APIs. It said businesses should check whether externally callable APIs remain after function improvements, test completion or service overhauls, and whether unnecessary information is included in API responses, and delete unnecessary information.
Yang Cheong-sam (양청삼), secretary general of the commission, said, "Because APIs can transmit personal information that is not displayed on service screens, they must be designed and operated so that only the minimum personal information needed to provide the service is processed."