Limitation to Processing of Resident Registration Numbers

In Korea, all citizens and foreign residents (i.e. any foreign nationals who reside in Korea for more than 90 days) are obliged to register and are issued a resident registration number. The resident registration number is a combination of digits unique to each person, based on the person’s date of birth, gender and so on.

[Image: Korean personal ID card, from an information guideline published by the Ministry of the Interior and Safety regarding the introduction of a new ID card system.]

In light of the significance of this number, the Personal Information Protection Act (“PIPA”), one of the three main data privacy laws along with the Act on the Promotion of the Use of the Information Network and Information Protection (the “Network Act”) and the Credit Information Use and Protection Act (the “Credit Information Act”), expressly prohibits the processing of resident registration numbers, except in certain permitted cases.


Article 24-2 of the PIPA provides that:

Article 24-2 (Limitation to Processing of Resident Registration Numbers)

(1) Notwithstanding Article 24 (1), a personal information controller shall not process any resident registration number, except in any of the following cases:

  1. Where any Act, Presidential Decree, National Assembly Regulations, Supreme Court Regulations, Constitutional Court Regulations, National Election Commission Regulations or Board of Audit and Inspection Regulations specifically requires or permits the processing of resident registration numbers;
  2. Where it is deemed manifestly necessary for the protection, from imminent danger, of life, bodily and property interests of a data subject or a third party;
  3. Where it is inevitable to process resident registration numbers in line with subparagraphs 1 and 2 in circumstances publicly notified by the Protection Commission.

(2) Notwithstanding Article 24 (3), a personal information controller shall retain resident registration numbers in a safe manner by means of encryption so that the resident registration numbers may not be lost, stolen, divulged, forged, altered, or damaged. In such cases, any necessary matters in relation to the scope of encryption objects and encryption timing by object, etc. shall be prescribed by Presidential Decree, taking into account the amount of personal information processed, data breach impact, etc.

(3) A personal information controller shall provide data subjects with an alternative sign-up tool without using their resident registration numbers in the stage of being admitted to membership via the website while processing the resident registration numbers pursuant to paragraph (1).

(4) The Protection Commission may prepare and support such measures as legislative arrangements, policy-making, necessary facilities, and systems build-up in order to support the provision of the measures provided for in paragraph (3).