August 27, 2024

[Healthcare Attorney – Guidelines for Utilizing Health Care Data Explained (2)]


Hello. I am Attorney Lee Young-kyung from Cheongchul Law Firm.

[Healthcare Attorney - Explanation of the Guidelines for Using Health and Medical Data (1)] - Cheongchul Law Firm

I am currently serving as a specialized member of the deliberation committee for health and medical data at the Korea Health and Medical Information Service. Following my last column, I would like to introduce the main contents of the 'Guidelines for Using Health and Medical Data' jointly announced by the Ministry of Health and Welfare and the Personal Information Protection Commission in January 2024.

Attorney Lee Young-kyung, appointed as a 'Specialized Member of the Deliberation Committee for Health and Medical Data' at the (Foundation) Korea Health and Medical Information Service - Cheongchul Law Firm

[Question]

Please explain the contents regarding the combination and export of pseudonymized information and the measures to ensure safety according to the 'Guidelines for Using Health and Medical Data'.


[Answer]


  1. Combination and Export of Pseudonymized Information

The guidelines provide detailed explanations on the combination of pseudonymized information. They state that "personal data handlers who intend to utilize pseudonymized information can combine it for purposes such as statistical preparation, scientific research, and public record preservation through a specialized combining institution."

The combination procedure is as follows: ① Application by the combining applicant ② Generation of combination key linkage information by the key management institution ③ Combination and export of pseudonymized information by the specialized combining institution ④ Utilization and management of export information by the combining applicant.

In particular, the guidelines emphasize that "combining applicants can choose to apply for mock combinations, check combination rates, and extract pseudonymized information when submitting their application."

The guidelines describe the combination and export procedures in four stages: 1) Application for combination, 2) Combination and additional processing, 3) Export and utilization, and 4) Secure management, detailing the roles and tasks of the combining applicant, the specialized combining institution, and the key management institution at each stage.


  2. Measures to Ensure Safety

The guidelines present specific measures for the safe management of pseudonymized information. These measures are broadly categorized into administrative protective measures, technical protective measures, and physical protective measures.

Regarding administrative protective measures, the guidelines specify that "personal data handlers must establish and implement internal management plans to securely manage pseudonymized information and additional information." They emphasize that the internal management plan must include "separate storage of additional information and the separation of access rights to such information."

Technical protective measures include "separate storage of pseudonymized information and additional information, access right management, access control, and storage and inspection of access records." The guidelines particularly mention that "the principle is to store additional information and pseudonymized information separately, and if physical separation is difficult due to unavoidable reasons, logical separation such as separating DB tables is also possible."

Concerning physical protective measures, the guidelines state that "personal data handlers must establish procedures such as access control to protect pseudonymized information or additional information stored in data processing rooms or storage rooms from unauthorized access."


  3. Guarantee of Rights for Data Subjects

The guidelines also mention the protection of the rights of data subjects. They emphasize that "personal data handlers must guarantee that data subjects can request the cessation of pseudonymization of their personal information in accordance with Article 37 of the Protection Act."

However, they specify that "if the personal information of the relevant subject has already been pseudonymized, the request for cessation of pseudonymization does not apply, and the personal information of the relevant subject must be processed in a way that prevents further pseudonymization for purposes such as statistical preparation, scientific research, and public record preservation."


  4. Interpretation of the Medical Law Related to Pseudonymized Information Processing

The guidelines provide a specific interpretation regarding their relationship with medical law. For example, they state that "if a personal data handler (such as a medical institution) pseudonymizes records related to patients for purposes such as scientific research according to Article 28-2 of the Personal Information Protection Act and allows staff belonging to the same institution, who have been granted the authority for pseudonymization by the personal data handler, to view or obtain copies of records related to patients, such actions do not constitute providing to a third party as prohibited under Article 21 of the Medical Law."


  5. Interpretation of the Bioethics Law Related to Pseudonymized Information Processing

The guidelines also provide a specific interpretation regarding their relationship with bioethics law. For example, regarding "exemptions from review by the Institutional Review Board," they state that, according to the "2021 Guidelines for Using Health and Medical Data," research confirmed to be pseudonymized according to the Personal Information Protection Act at the institutional level is eligible for exemption from review.

Additionally, concerning "exemptions from written consent for human subject research," they emphasize that the use of consent or exemption thereof obtained under the Personal Information Protection Act or within the scope of other laws does not constitute an exemption from consent under this law.


In conclusion, we have looked at the main contents of the Guidelines for Using Health and Medical Data regarding the combination and export of pseudonymized information, measures to ensure safety, and the relationship with relevant laws. These guidelines provide detailed instructions for the safe and effective utilization of health and medical data. We hope that those who utilize health and medical data will reference these guidelines to protect the rights of data subjects while maximizing the value of the data.


Cheongchul Law Firm is a corporate-focused law firm established by attorneys from the four major law firms, providing comprehensive solutions related to national contracts, bids, and investigations by the Fair Trade Commission related to bidding. If you have any additional inquiries, please feel free to contact us via email or phone.

403 Teheran-ro, Gangnam-gu, Seoul, Rich Tower, 7th floor

Tel. 02-6959-9936

Fax. 02-6959-9967

cheongchul@cheongchul.com

© 2025. Cheongchul. All rights reserved
