Digital Healthcare 2025

SOUTH KOREA Law and Practice Contributed by: Kyungsun Kyle Choi, Eui Seok Kim, Han Kyul Nam and Eun Sun Jang, Kim & Chang

to prevent and contain the spread of electronic intrusion activities (Article 14). For more specific guidance, the MFDS has adopted the Digital Medical Device Electronic Intrusion Security Guidelines, which provide security measures to prevent digital medical devices from being vulnerable to electronic intrusions, and establish global-level requirements, including:

• end-to-end encryption;
• real-time threat assessments;
• access control protocols; and
• secure communication channels.

Data/privacy protection

Meanwhile, South Korea’s regulation of privacy protection in digital healthcare spans several laws, each applicable depending on the context in which the data is collected or processed. Key laws include the PIPA, the Medical Service Act (MSA), and the Bioethics and Safety Act (BSA).

Personal Information Protection Act (PIPA)

PIPA is South Korea’s general privacy law and applies to all processing of personal information unless another specific law takes precedence. It defines personal information as any information related to a living individual that can identify that individual, either on its own or when combined with other data. Information that can no longer be used to identify an individual, even when combined with other information, is considered “anonymous information” and is not subject to the PIPA.

In general, the PIPA regime requires data processors to obtain consent from data subjects to collect, use and provide their personal information, but it requires additional separate consent to be obtained for the processing of sensitive information, such as health-related information, or for the transfer of information to a third party.

Pseudonymised information, on the other hand, refers to information that cannot identify a specific individual without the use of additional information. Such pseudonymised information is regulated by the PIPA, but unlike other personal information, it may be used for the purpose of compiling statistics, conducting scientific research and preserving records for the public interest, without the consent of the data subject, but it cannot be processed for the purpose of identifying a specific individual.

Accordingly, to promote utilisation of data, the PIPC and the MOHW have jointly published the Guidelines on Utilisation of Healthcare Data to explain the standards, methods and procedures for pseudonymising individual healthcare data. For example, in the case of image information such as endoscopy, X-ray and ultrasound, if identifiers (eg, patient number or name) are deleted or masked and the Digital Imaging and Communications in Medicine (DICOM) header is deleted from the metadata, such information may be considered pseudonymised.

Further, in January 2024, the government released an updated version of the Guidelines that expands the scope of pseudonymised information. Unlike the previous Guidelines that only permitted pseudonymisation of structured data (data stored in standardised formats, such as spreadsheets), the updated Guidelines now provide methods to pseudonymise different types of unstructured data, such as genomic data. This means a wider range of data is now available for industrial research and analysis without the need for data subject consent.
