Korea University Personal Information Management Policy
All personal information collected, retained, and managed by Korea University (hereinafter referred to as “The University”) is done so pursuant to and in full compliance with the personal information protection rules of relevant Acts and subordinate statutes, such as the Personal Information Protection Act.
- 1. The University has implemented the management policy detailed below to protect personal information, rights and interests and to effectively resolve complaints raised in connection with personal information pursuant to the Personal Information Protection Act.
- 2. The University, in particular, has set forth the Personal Information Management Policy specifically for its online records database that manages personal information pursuant to Article 30, Paragraph (1) of the Personal Information Protection Act and Article 31, Paragraph (1) of its Enforcement Ordinance.
- 3. Whenever The University revises its Personal Information Management Policy, it shall make public the timing of the implementation and the revised content via its online database (or a separate notice) to allow those who are the subject of information to reliably and conveniently verify it.
A. Purpose of Managing Personal Information
- ① The University collects the minimum personal information necessary for the purpose of providing education services, handling civil complaints, and conducting relevant duties.
- ② Matters pursuant to Paragraph (1) are published on the websites of each university department and institution to allow those who are a subject of the information to verify it.
B. Management and Retention Period of Personal Information
- ① Personal information processed by The University is done so within the limits of the explicit purposes of collection and use, and the retention period promulgated in the Personal Information Protection Act and subordinate statutes shall apply mutatis mutandis.
- ② The list of personal information files collected and retained by The University are as follows, and the specific details can be verified by accessing the Personal Information Protection General Support Portal (www.privacy.go.kr) and searching the list of personal information files by entering “Korea University” in the organization name search box.
C. Items of Personal Information to be Managed
Personal information processed by The University is processed to the minimum extent specified by relevant duties and statutes, and the details are posted on the websites of each department to allow those who are subject to the information to verify it.
D. Provision of Personal Information to a Third Party
- ① The University may manage personal information to fulfill the intended purpose(s) of collection and use in principle and may not handle it beyond the intended purpose(s) nor provide it to a third party without the prior consent of the subject(s) of the information except for any of the following cases:
1. Where the consent of a subject of information has been obtained
2. Where special provisions exist in any Act
3. Where it is deemed obviously necessary for the physical safety and property interests of a subject of the information or a third party when the subject of the information or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her lack of current address, etc.
4. Where personal information is necessary for compiling statistics or scientific research purposes, etc., and the personal information is provided in a form in which a specific individual cannot be identified
5. Where not using personal information for any purpose other than the intended purpose(s) or a failure to provide a third person with such information makes it impossible to perform affairs provided for in any other Act and has undergone deliberation and resolution by the Personal Information Protection Committee
6. Where it is necessary to provide a foreign government or international organization with personal information in order to implement a treaty or any other international agreement
7. Where it is necessary to investigate a crime and institute and sustain a public prosecution
8. Where it is necessary for a court to perform its judicial functions
9. Where it is necessary to execute a punishment, ensure care and custody, or enforce a protective disposition.
- ② Matters pursuant to Paragraph (1) are published on the websites of each department and institution to allow those who are a subject of the information to verify it.
E. Entrustment of Management Affairs of Personal Information
- ① When the processing of personal information is outsourced, the relevant matters will be published on the websites of each department and institution to allow those who are subject to the information to verify it, and the following processing of personal information on the websites will be outsourced for the effective management of relevant tasks.
1. Outsourcee: SCI Information Service Inc.
2. Outsourced management functions: I-PIN for identification, conducting cell phone accreditation by proxy
- ② When it entered into the current outsourcing contract, The University explicitly stipulated matters pursuant to personal information protection rules of relevant Acts and subordinate statutes; if and when the outsourcee is to be changed, such a matter shall be made public via announcement and the Personal Information Management Policy.
F. Matters Concerning Rights and Duties of a Subject of Information, and How to Exercise Them
- ① A subject of information (a legal representative for those under age 14) can exercise the following rights of personal nformation protection at any time:
1.Request for Inspection of Personal Information
2.Request for Correction of Personal Information
3.Request for Deletion of Personal Information
4.Request for Suspension of Management of Personal Information
- ② The exercise of rights pursuant to Paragraph (1) can be performed by filling in the [Attached Form 8] of the Enforcement Rules to Personal Information Protection Act and submitting it in writing or via email (firstname.lastname@example.org), on which basis the appropriate department or institution shall take measures immediately.
- ③ When a subject of information requests an error in personal information be corrected or deleted, etc., the personal information shall not be used or provided until the correction or deletion, etc. has been completed.
- ④ The exercise of rights pursuant to Paragraph (1) can be performed by proxy by the agent of a subject of information such as a legal representative or delegated individual. In such cases, the [Attached Form 11] of the Enforcement Rules to Personal Information Protection Act regarding the power of attorney should be submitted.
- ⑤ The right of a subject of information to request the suspension of the accessing and processing of personal information can be restricted pursuant to Articles 35(5) and 37(2) of the Personal Information Protection Act.
- ⑥ A request to correct or delete personal information cannot be accepted when such personal information is stipulated as the object of collection in other Acts.
- ⑦ When access, correction or deletion, and suspension of the processing of information is requested based on the rights of a subject of information, the person requesting access should be verified as a relevant party or a lawful representative.
*[Attached Form 8 of the Enforcement Rules to Personal Information Protection Act] Application for Access, Correction or Deletion, and Suspension of Processing of Personal Information
*[Attached Form 11 of the Enforcement Rules to Personal Information Protection Act] Power of Attorney
* Inquiries: Seoul Campus 02-3290-1145, Sejong Campus 044-860-1822
G. Personal Information Destruction Process and Methods
- ① When the purpose of the management of personal information has been achieved, The University, in principle, shall destroy the personal information without delay, unless otherwise specified in other Acts for retention.
- ② The procedures for, timing of, and methods for destroying personal information are as follows:
1. Procedures of Destruction : After or as soon as the purpose of retaining personal information has been achieved, it shall be transferred to a separate storage unit, stored for a certain period of time, and then destroyed pursuant to internal policies and other Acts and subordinate statutes. The personal information transferred to the separate storage unit shall not be used for any other purpose(s) except as stipulated in Acts.
2. Timing of and Methods for Destruction : When the retention of personal information becomes unnecessary upon its reaching its expiration date, either its management purpose is considered achieved or the relevant service is deemed abolished. Accordingly, the personal information shall be destroyed without delay.
3. Methods for Destruction : Information in the form of an electronic file shall be destroyed via technical methods so as to prevent its recycling. Printed or hardcopy versions of personal information shall be shredded or incinerated.
H. Measures to secure safety of personal information
- ① The following measures are being taken to secure personal information safety:
1. Minimization of the Number of Staff ManagingPersonal Information and Staff Training : The University designates and manages just the necessary number of staff who manages personal information and trains such staffers on safe management practices of personal information.
2. Access Restriction of Personal Information : TheUniversity takes necessary measures to control access to personal information by granting, revising, and eliminating access rights to the database system that manages personal information and also controls unauthorized access from external parties through the use of firewall systems.
3. Storage of Access Records : Access records to the Personal Information Management System shall be stored and managed for a minimum of 1 year.
4. Installation and Regular Inspection/Update of Security Programs : Security programs are installed and updated/inspected on a regular basis to prevent unauthorized outflow or alteration of personal information from hacking or computer viruses.
5. Access Control against Unauthorized Persons : The University operates the Personal Information System, which stores personal information at a physically separate storing place and establishes and runs access control procedures.
6. Encryption of Personal Information : Personal information is safely stored and managed via methods such as encryption. Additional security functions are also employed, such as, for example, encrypting important data during storage and transfer.
I. Resolution for Infringement on Rights and Interests
- ① A subject of information may apply for conflict resolution or consultation for damage relief against personal information violation(s) at the agencies listed below:
1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
2. Privacy Violation Reporting Center : (no telephone exchange number) 118 (privacy.kisa.or.kr)
3. Cyber Criminal Investigation Division of the Supreme Prosecutors’ Office : (no telephone exchange number) 1301 (email@example.com) www.spo.go.kr
4. Cyber Bureau of the National Police Agency : (no telephone exchange number) 182 (cyberbureau.police.go.kr).
- ② A person whose personal information-related rights or interests have been infringed upon by measures taken by the head of a public institution against a request by such a person for the inspection, correction/deletion, and the suspension of management of personal information may make an administrative appeal pursuant to the Administrative Appeals Act.
1. Please refer to the information provided by the Central Administrative Appeals Commission (www.simpan.go.kr).
J. Personal Information Protection Managers
- 1. Personal Information Chief Manager : Gyu Tae Kim, Vice President for Digital Information
- 2. Personal Information Manager : Cheol Ho Choi, IInformation Infrastructure Dept. Office of Digital Information
- 3. Inquiries: 02-3290-4192, firstname.lastname@example.org