The Personal Information Protection Commission has established evaluation criteria for public institutions to assess privacy infringement risks in advance when promoting projects using artificial intelligence (AI).
The Personal Information Protection Commission noted on the 4th that it adopted a revised proposal for the 'Personal Information Impact Assessment Notification,' which separately reflects the AI sector during its plenary session on the 3rd. The personal information impact assessment is a system that analyzes the impact on personal information and establishes improvement measures to prevent infringement incidents when building or changing large-scale personal information files.
The existing notification lacked detailed criteria related to AI, requiring public institutions to create their own items for evaluation, making it difficult to verify their appropriateness. The revised proposal newly established two detailed evaluation areas: ▲ AI system learning and development ▲ AI system operation and management.
In the AI learning and development stage, it has been stipulated to review securing legal grounds for processing personal information, checking for the inclusion of unnecessary sensitive information and child information, and establishing regulations for the retention and destruction of training data. In the operation and management stage, evaluation criteria include clarifying responsibilities between development and operation entities, providing acceptable use policies (AUP) for generative AI services, and establishing reporting functions in cases of inappropriate responses or personal information exposure to ensure the rights of information subjects.
Detailed items, explanations, and examples are expected to be disclosed through the 'Personal Information Impact Assessment Implementation Guide,' and the Personal Information Protection Commission plans to continuously supplement evaluation items by reflecting on actual application cases.
The Personal Information Protection Commission stated, "This criterion will be utilized not only by public institutions but also by private enterprises, contributing to the early identification of risks in AI-based personal information processing and the establishment of preventive protection systems."