생체정보 보호 강화를 위한 입법정책적 고찰

Legislative Policy Consideration for Reinforcement of Biometrics Protection

Article 23 (1) of the Personal Information Protection Act stipulates that “A personal information controller shall not process any information prescribed by Presidential Decree (hereinafter referred to as ‘sensitive data’), including ideology, belief, admission to or withdrawal from a trade union or political party, political opinions, health, sex life, and other personal information that is likely to markedly threaten the privacy of any data subject.” Article 18 of the Enforcement Decree of the Personal Information Protection Act stipulates that ‘Information prescribed by Presidential Decree’ in the main clause , with the exception of the subparagraph, of Article 23 (1) of the Act means the following data or information. In subparagraph 3, “Personal information resulting from specific technical processing of data relating to the physical, physiological or behavioral characteristics of an individual for the purpose of uniquely identifying that individual” is defined as one of the sensitive data. The range of sensitive data is wider than that of biometrics. ‘Data that constitutes a criminal history record’ defined in subparagraph 5 of Article 2 of the Act on the Lapse of Criminal Sentences, etc. as stipulated in Article 18 (3) of the Enforcement Decree of the Personal Information Protection Act and Article 18 (4) of the Enforcement Decree of the Personal Information Protection Act ‘Personal information revealing racial or ethnic origin’ is sensitive data completely different from biometric information. Therefore, it is necessary to enact a separate law to protect and manage biometrics or biometric information that requires more protection than sensitive data. As safety measures for biometrics security, there are first, security measures for forged/falsified biometric information, second, protection of the transmission section when collecting and inputting biometric information, third, use within the scope of the agreed purpose, fourth, biometric information collection and input processing at the terminal, fifth, encryption when storing biometric information, sixth, destruction of biometric information, seventh, separate storage when storing original biometric information, eighth, in case of leakage of biometric information, protective measures are taken. The Act on Protection and Management of Biometrics (draft) includes Chapter 1 General Provisions, Chapter 2 Establishment of Biometrics Protection Policy, Chapter 3 Collection and Use of Biometrics and Restrictions on It, Chapter 4 Safe Management of Biometrics, and Chapter 5, Guarantee of Rights of Data Subjects.