August 20, 2024

[Healthcare Lawyer - Explanation of Guidelines for the Use of Health Care Data (1)]



Hello. I am Attorney Lee Yeong-kyung from Cheongchul Law Firm.


I am serving as a specialized committee member in health and medical data review at the Korea Health and Medical Information Agency. Starting today, I would like to introduce the main contents of the 'Guidelines for Utilizing Health and Medical Data' jointly announced by the Ministry of Health and Welfare and the Personal Information Protection Commission in January 2024 over two sessions. In this post, we will cover the overview of the guidelines and pseudonymization.


Attorney Lee Yeong-kyung, appointed as 'Specialized Committee Member for Health and Medical Data Review' at the Korea Health and Medical Information Agency - Cheongchul Law Firm


[Question]

Please explain the overview of the ‘Guidelines for Utilizing Health and Medical Data’ and pseudonymization.


[Answer]


  1. Overview of Guidelines and Legal Basis

The main purpose of these guidelines is to provide a legal basis for the utilization of pseudonymous information, which is the core of data utilization, enabling personal information handlers to utilize personal information for purposes such as statistical compilation, scientific research, and public record preservation.

The scope of application includes "all personal information handlers processing health and medical data, such as medical institutions, researchers, companies, public institutions, and universities."

  2. Definition of Key Terms and Principles for Pseudonymous Information Utilization

The guidelines define pseudonymous information as "information that cannot identify a specific individual without the use or combination of additional information necessary to restore it to its original state through pseudonymization of personal information."

The core principle for the utilization of pseudonymous information emphasizes that "personal information must be processed within the minimum necessary scope for the purpose of processing as per Article 3 of the Personal Information Protection Act (Principles of Personal Information Protection)." It also states that "if it is possible to achieve the purpose using anonymous information according to paragraph 7 of Article 3 of the Protection Act, it should be processed as anonymous information."

  3. Concept and Scope of Scientific Research

The guidelines present specific examples regarding "scientific research." "Scientific research" refers to research that applies scientific methods, including technological development, empirical studies, basic research, applied research, and private investment research, and includes the following examples:

  • Research aimed at improving or developing drugs, or evaluating the effects of existing drugs

  • Research aimed at improving or developing medical devices, or evaluating the effects of existing medical devices

  • Research aimed at improving or developing diagnostic or treatment methods, or evaluating the effectiveness of existing diagnostic or treatment methods

  • Research aimed at improving or developing software for medical purposes or evaluating the effectiveness of existing medical-purpose software

  • Research that examines the number of patients with a specific disease or clinical criteria suitable for specific treatments, the regional and age distribution, or the correlation with other diseases

  4. Pseudonymization Procedures

The pseudonymization process consists of ① setting objectives and other preparatory steps, ② risk assessment, ③ executing pseudonymization, ④ reviewing appropriateness and additional pseudonymization, and ⑤ ensuring the safe management of pseudonymized information.

During the risk assessment phase, the review must be categorized into '① risk of identifying the data' and '② risk of identifying the processing environment.' When assessing the risk of identifying the data, factors such as the presence of identifiable information, identifiable information, and the potential impact of re-identification must be considered. When assessing the risk of identifying the processing environment, aspects such as the form of use, processing location, and processing methods must be taken into account.

  5. Pseudonymization Techniques

The guidelines introduce various pseudonymization techniques. For example:

  • Deletion Technique: Simple deletion of personal information from the original data

  • Masking: Replacing part or all of specific items with blanks or characters

  • Aggregation: Processing into averages, maximums, minimums, etc.

  • Categorization: Converting numerical data into ranges

  • Encryption: Encrypting specific information using algorithms

Specific application methods and examples of each technique are detailed in the guidelines.
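
The five techniques listed above, applied to a small record set. This is an added example, not code from the guidelines or from the author; the field names, the sample records and the key are constructed, and keyed HMAC-SHA-256 is used as a stand-in for the "encryption" technique because the page names no algorithm.

```python
import hashlib
import hmac
from statistics import mean

# Constructed sample records (not real patient data); "rrn" is a made-up ID field.
RECORDS = [
    {"name": "Kim Minji", "rrn": "900101-2345678", "phone": "010-1234-5678", "age": 34, "stay_days": 3},
    {"name": "Park Jiho", "rrn": "850505-1234567", "phone": "010-9876-5432", "age": 39, "stay_days": 5},
    {"name": "Choi Sora", "rrn": "720912-2000000", "phone": "010-5555-0000", "age": 52, "stay_days": 10},
]

def mask_phone(phone):
    """Masking: replace every digit except the last four with '*'."""
    head, tail = phone[:-4], phone[-4:]
    return "".join("*" if c.isdigit() else c for c in head) + tail

def age_band(age, width=10):
    """Categorization: convert an exact age into a range such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def keyed_token(value, key):
    """Keyed one-way transform (HMAC-SHA-256), the assumed 'encryption' step."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(record, key):
    """Build the pseudonymized row; 'name' is simply not copied (deletion)."""
    return {
        "pid": keyed_token(record["rrn"], key),
        "phone": mask_phone(record["phone"]),
        "age_band": age_band(record["age"]),
        "stay_days": record["stay_days"],
    }

def aggregate_stay(rows):
    """Aggregation: mean length of stay per age band."""
    groups = {}
    for row in rows:
        groups.setdefault(row["age_band"], []).append(row["stay_days"])
    return {band: mean(days) for band, days in groups.items()}

# The key is the "additional information" needed to link a pid back to a
# person, so it is kept apart from the pseudonymized rows.
KEY = b"constructed-demo-key"
ROWS = [pseudonymize(r, KEY) for r in RECORDS]
SUMMARY = aggregate_stay(ROWS)
```
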

  6. Role of the Health and Medical Data Review Committee (DRB)

The guidelines describe in detail the composition and role of the DRB. They state that "the holding institution of pseudonymous information can form a review committee (hereinafter referred to as 'DRB') based on an internal management plan specifying the pseudonymization process to perform appropriateness reviews and related tasks." They recommend that the DRB be composed of at least 5 members (including at least 2 external members).

  7. Safe Management and Prohibition of Re-identification

In the safe management phase, specific monitoring methods and measures related to the prohibition of re-identification are crucial. The guidelines emphasize that "no one shall process pseudonymous information for the purpose of identifying a specific individual (Article 28-5, Paragraph 1 of the Protection Act), and if a specific individual is incidentally identified during the pseudonymization process, appropriate measures such as halting processing, recovery, or destruction must be taken immediately to eliminate the risk (Article 28-5, Paragraph 2 of the Protection Act)."

  8. Relationship with Other Laws

The guidelines explain the relationship with laws such as the Bioethics Act and the Medical Law. For example, they state that "if scientific research falls under 'human subject research' as per the Bioethics Act, researchers must obtain written consent from research subjects according to Article 16 of this law or receive approval from the Institutional Bioethics Committee for exemption from written consent."

  9. Receiving Compensation for Providing Pseudonymous Information

The guidelines clarify that "receiving compensation when providing to a third party as per Article 28-2, Paragraph 2 of the Protection Act is not prohibited." However, they also warn that "processing pseudonymous information without specifying the targets or the purpose of pseudonymization, and subsequently providing that pseudonymous information and receiving compensation, may be considered as sales intentions and is not permitted."

Thus, we have examined the main contents of the guidelines for utilizing health and medical data. These guidelines provide important instructions for the safe and effective utilization of health and medical data.


In the next post, we will take a detailed look at the merging and transfer of pseudonymous information and measures to ensure security.


Cheongchul Law Firm is a corporate law firm established by attorneys from the four major law firms, offering comprehensive solutions related to national contracts, tenders, and investigations by the Fair Trade Commission related to bids. Please feel free to contact us via email or phone for any further inquiries.

403 Teheran-ro, Gangnam-gu, Seoul, Rich Tower, 7th floor

Tel. 02-6959-9936

Fax. 02-6959-9967

cheongchul@cheongchul.com

© 2025. Cheongchul. All rights reserved