개인정보 영향평가 사전진단도구 개발을 위한 평가 요소 분석

Analyzing Assessment Factors to Develop a Privacy Impact Assessment Pre-Diagnostic Tool

  • 정영애 (선문대학교 IT 교육학부)
  • 투고 : 2024.02.07
  • 심사 : 2024.02.26
  • 발행 : 2024.02.28

초록

우리 나라의 개인정보 영향평가는 개인정보보호법 제33조 및 같은 법 시행령 제35조에 규정된 개인정보파일을 운용하는 기관이 필수적으로 수행하여야 하는 위험요인 분석과 개선사항 도출의 과정을 의미한다. 우리나라의 개인정보 영향평가 제도에는 크게 두가지의 한계가 존재한다고 볼 수 있다. 첫 번째 한계는 개인정보 영향평가를 받아야 하는 대상이 공공기관과 공공기관에 준하는 기관으로 한정되어 있다는 점이고, 두번째 한계는 적정한 인력과 설비 및 그 밖에 필요한 요건을 갖춘 기관만이 개인정보 영향평가를 수행할 수 있다는 점이다. 본 연구에서는 최근 들어 급속하게 발전하고 있는 데이터 시대에 민간기업 또는 중소벤처기업, 소상공인 등도 직접 수행할 수 있는 사전진단도구 개발을 위한 제안을 하고, 구체적인 평가 요소에 대한 분석을 제시한다. 본 연구의 결과는 셀프-체크리스트 형식의 제공되어, 일반 국민들이 손쉽게 접근할 수 있는 개인정보 영향평가 사전진단도구의 역할을 할 것으로 기대된다. 국가적으로도 개인정보 보호를 강화하고 관련한 법적 준수를 달성하는 데 기여할 것으로 예상된다.

The Privacy Impact Assessment, PIPA in Korea refers to the process of analyzing risk factors and identifying improvements that must be carried out by organizations that operate personal information files as stipulated in Article 33 of the Personal Information Protection Act, PIPA and Article 35 of the Enforcement Decree of the PIPA. There are two main limitations of the PIA in Korea. The first limitation is that the targets of the PIA are limited to public institutions and organizations that are legally equivalent to public institutions, and the second limitation is that only organizations with adequate manpower, facilities, and other necessary requirements which are regulated upon the Enforcement Decree of the PIPA can conduct a PIA. This paper proposes to develop a preliminary diagnostic tool that can be performed by private companies, small and medium-sized venture companies, and small businesses in the era of rapidly developing data in recent years and presents an analysis of specific assessment factors. The results of this study are provided in the form of a self-checklist, which is expected to serve as a pre-diagnostic tool for the PIA that can be easily accessed by the general public. It is also expected to contribute to strengthening privacy protection and achieving legal compliance at the national level.

키워드

과제정보

이 연구는 2021년도 선문대학교 교내학술연구비 지원에 의하여 이루어졌음.

참고문헌

  1. Y.-H.Choi, K.-H. Han, "Problems and Improvement of Privacy Impact Assessment," Journal of The Korea Institute of Information Security & Cryptology, VOL.26, NO.4, pp.973-983, Aug. 2016. https://doi.org/10.13089/JKIISC.2016.26.4.973
  2. Korean Law Information Center, "Personal Information Protection Act, PIPA," [Online] available : https://www.law.go.kr/LSW/eng/lawEngBodyCompareInfoP.do?lsNm=%EA%B0%9C%EC%9D %B8%EC%A0%95%EB%B3%B4%20%EB%B3%B4%ED%98%B8%EB%B2%95&lsId=01135 7&efYd=20230915&lsiSeq=248613&gubun=EngLs&ancYnChk=undefined
  3. Korean Law Information Center, "Enforcement Decree of the PIPA," [Online] available : https://www.law.go.kr/LSW/eng/lawEngBodyCompareInfoP.do?lsNm=%EA%B0%9C%EC%9D %B8%EC%A0%95%EB%B3%B4%20%EB%B3%B4%ED%98%B8%EB%B2%95%20%EC%8 B%9C%ED%96%89%EB%A0%B9&lsId=011468&efYd=20230915&lsiSeq=254693&gubun=En gLs&ancYnChk=undefined
  4. Korean Law Information Center, "Notification of Privacy Impact Assessment," [Online] available : https://www.law.go.kr/행정규칙/개인정보영향평가에관한고시/(2023-10,20231016)
  5. Personal Information Protection Commission, "Privacy Impact Assessment procedure," [Online] available : https://www.pipc.go.kr/eng/user/lgp/pbp/personalInformationImpactAssessment.do
  6. Public institutions handling personal information are required to disclose 'personal information impact assessment', Safe Times, [Online] available : https://www.safetimes.co.kr/news/articleView.html?idxno=208966(Accessed: 23.12.30)
  7. S.-Y. Chang, "Comparison of the Domestic and International Status of the Privacy Impact Assessment System and Analysis of Implications," ICT & Media Policy, VOL.30, NO.14, pp.1-13, 2018.
  8. Office of the Privacy Commissioner of Canada, "Expectations: OPC's Guide to the Privacy Impact Assessment Process," [Online] available : https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_202003/#toc1(Accessed: 23.12.30)
  9. Privacy Commissioner, "Privacy Impact Assessment Toolkit,"[Online] available : https://www.privacy.org.nz/publications/guidance-resources/privacy-impact-assessment-toolkit/(Accessed: 23.12.20)
  10. Digital New Zealand Government, "Privacy, security and risk," [Online] available : https://www.digital.govt.nz/standards-and-guidance/privacy-security-and-risk/privacy/(Accessed: 23.12.20)
  11. Ireland Data Protection Commission, "Data Protection Impact Assessments," [Online] available : https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments(Accessed: 23.12.20)
  12. The State of Queensland (Office of the Information Commissioner), "Threshold Privacy Assessment of Australia," [Online] available : https://www.oic.qld.gov.au/__data/assets/word_doc/ 0007/37087/template-threshold-privacy-assessment.dotx (Accessed: 23.12.10)