Personal information is being collected to prevent the spread of COVID-19.
/Photography by Park Ji-won
The Korean government’s guidelines to prevent the spread of COVID-19 are controversial as they lead to concerns about personal information infringement. Writing one’s name and phone number when visiting places can lead to individual’s privacy violation. Moreover, credit card and telecommunication companies inquiring personal information to find out the movements of people who have contacted with the infected can cause privacy violation. Even before the COVID-19 era, personal information has circulated rapidly in the information society. In addition to simply identifying individuals, nowadays, personal information is used for marketing or value-added creation of an entity. With the development of technology and the increasing number of personal information infringements and associated concerns, the importance of managing personal information safely should be emphasized.
Personal information is divided into various types
There are three main definitions of personal information. First, it is an information that can identify an individual through his/her name, resident registration number, video, and so on. Second, it means information that can be easily recognized by combining with other information, even if that information alone does not identify a particular individual. In this case, whether it can be easily combined should reasonably be considered by the time, cost, and technology required to identify the availability of other information. Lastly, it means information that is not recognizable to a particular individual without the use and combination of additional information to restore the information to its original state, by substituting for the information referred to in the above two definitions. Known as alias processing, referring to delete or replace his/her personal information so that a person cannot be identified without additional information. It is called pseudonym information.
Various personal information can be classified into diverse types by law. There are generally 16 types of personal information. Among them, general information includes names, resident registration numbers, and phone numbers, while physical information includes fingerprints, iris, and Deoxyribonucleic Acid (DNA). In addition, medical information includes past medical records, mental illness records, and physical disabilities. Besides, various types of personal information such as credit information, real estate information, and telecommunication information are also defined.
The current regulations on privacy vary from country to country
The third part of the Korean Privacy Act states the following principle. Personal information processors shall process personal information within the scope necessary for the purpose and should not use it for any other purpose. They should ensure the accuracy, completeness, and update personal information to the extent necessary for the purpose and should not change or damage either unintentionally or by negligence. Also, they should safely manage personal information through appropriate management, technically and physically protective measures, considering the possibility of risk of infringement. Finally, if they can achieve their objectives anonymously, they should ensure that personal information can be anonymously processed.
In the United States, regulations on personal information tend to be minimized. They believe good use of personal information can provide greater benefits to customers. Therefore, personal information can be collected and used to the extent that it does not violate privacy, such as disclosing unwanted details. If identification can be made through personal information, only sensitive matters require prior consent, and the information is not obliged to be protected if identification is difficult. Therefore, in most cases, the relevant parties and sectors can collect, analyze, and utilize personal data even if they do not obtain prior consent from users. Moreover, there are no comprehensive laws in the United States to cover the public and private sectors. Accordingly, laws enacted on a state-by-state basis vary. An example is the “California Consumer Privacy Protection Act (CCPA),” which has been in effect in California since 2020. CCPA gives residents of California greater control over their personal information by emphasizing transparency, privacy control, and accountability. They also guarantee various rights, such as perusal, deletion, and refusal of sale, to personal information providers.
In Europe, personal information is traditionally protected strictly as a human right after experiencing the massacre of Jews due to the Nazi’s misuse of personal information. The European Parliament first published an integrated regulation in 2016, called “General Data Protection Regulation (GDPR),” to strengthen the protection of personal information. After a grace period of about two years, it has been implemented in European Union (EU) nations since May 25th, 2018. It mainly includes provider’s rights to be informed, to access, to erase, and to restrict processing of their personal information.
Infringement of personal information occurs frequently
The number of personal information infringement totaled 159,255 in 2019, which declined about 3% from the previous year. The number of violations seems to have decreased numerically, but this is because in 2018, the number of infringements of personal information increased rapidly by about 56% compared to 2017 due to electioneering, recording 164,498. As of 2019, reports of personal information infringement, such as resident registration number, accounted for 84% of the total, with 134,271 cases (approximately 20% increase from the previous year), followed by 6,055 reports of exploitation or third-party provision. Such infringement of personal information has become an ongoing problem, recording high frequency. It causes big and small issues and puts people in trouble. In fact, there are various cases related to the invasion of personal information.
On January 8th, 2014, three credit card companies (KB Card, NH Card, and Lotte Card) in Korea leaked customers’ personal information. An anti-fraud system developer exposed the personal information of more than 100 million people, by selling data received for development to a third party. So far in Korea, it was the largest personal information leakage case in financial company. Besides, basic personal information (names, social security numbers, contacts, home addresses) and sensitive financial information (salary, marriage status, credit limit, credit rating) were leaked, disturbing people who were customers of those credit card companies. Also, Mega Study Education, Korean online education service company, announced an apology on their site after recognizing that some of the members’ personal information was leaked by external hacking in June 2019. The leak of information was caused by an intentional hacking using IP, internet protocal address, in China.
In some cases, people make mistakes without even recognizing that it is a violation of personal information. For example, some people dig up and leak personal information of others who caused social problems, such as smoking on the subway or making a fuss for not wearing a face mask. Usually, these actions are taken under the name of justice implementation. However, such acts are also illegal due to invasion of privacy or defamation. This case demonstrates the importance of clearly understanding the privacy-infringing boundaries. Yoon Yeo-hun, a student of the Department of Statistics of Dongguk University, said, “To prevent personal information leakage, I read the personal information terms in detail when joining a new site. In addition, I erase personal information on unused sites time to time.” He also added, “Due to the era of the Fourth Industrial Revolution, personal information is spreading rapidly as information is digitized and automated. The speed and amount of personal information may already be beyond our control. Above all, the most frightening thing is that we do not even recognize that our personal information has been leaked.”
To prevent personal information infringement, a paradigm shift should be made so that the purpose of privacy protection is not only identified as “protection of personal information” but also as “safe utilization.” In the upcoming era of the Fourth Industrial Revolution, harmony between the protection of personal information and the safe use of it is inevitable. Moreover, the current privacy law, which stipulates various obligations and sanctions, is confusing due to the unclear targets. Therefore, it is necessary to revise the definition of personal information or at least clarify the criteria for judgment.
Personal efforts are also needed in everyday life to prevent infringement. For example, when making membership registration, using I-PIN would be safer than using a resident registration number. I-PIN refers to an Internet Personal Identification Number which identifies oneself on online. Since it is a way for Internet users to verify themselves without providing a resident registration number, misuse of personal information can be reduced. Also, personal information files should not be shared in folders provided by Peer-to-Peer (P2P) services, which allow users to receive information directly from any personal computer (PC) connected to the Internet. Storing one’s or other’s persoanl information in a shared folder and posting it on the P2P site can increase personal information exposure, misuse, and abuse. In other words, files containing personal information should be sent by private mail or distributed offline without posting them on the homepage or in a shared folder.
Many people leak their personal information without even noticing it. However, the problem of personal information infringement can adversely affect individual characteristic and fame as well as result in financial damage. Therefore, it is necessary to clearly understand the types of personal information and the boundaries of exposure. The most important thing is to manage one’s personal information thoroughly. People should refrain from providing personal information indiscriminately in cyberspace. Also, they should not subscribe to services that have possibility to misuse personal information.
Park Ji-won email@example.com
<저작권자 © 동국포스트, 무단 전재 및 재배포 금지>