Korea University Personal Information Management Policy
All personal information collected, retained, and managed by Korea University (hereinafter referred to as “The University”) is done so pursuant to and in full compliance with the personal information protection rules of relevant Acts and subordinate statutes, such as the Personal Information Protection Act.
The University has implemented the management policy detailed below to protect
personal information, rights and interests and to effectively resolve complaints raised in
connection with personal information pursuant to the Personal Information Protection Act.
The University, in particular, has set forth the Personal Information Management
Policy specifically for its online records database that manages personal information pursuant
to Article 30, Paragraph (1) of the Personal Information Protection Act and Article 31,
Paragraph (1) of its Enforcement Ordinance.
Whenever The University revises its Personal Information Management Policy, it
shall make public the timing of the implementation and the revised content via its online
database (or a separate notice) to allow those who are the subject of information to reliably
and conveniently verify it.
A. Purpose of Managing Personal Information
① The University collects the minimum personal information necessary for the purpose of
providing education services, handling civil complaints, and conducting relevant duties.
② Matters pursuant to Paragraph (1) are published on the websites of each university
department and institution to allow those who are a subject of the information to verify it.
B. Management and Retention Period of Personal Information
① Personal information processed by The University is done so within the limits of the
explicit purposes of collection and use, and the retention period promulgated in the Personal Information
Protection Act and subordinate statutes shall apply mutatis mutandis.
② The list of personal information files collected and retained by The University are as
follows, and the specific details can be verified by accessing the Personal Information Protection General
Support Portal (www.privacy.go.kr) and searching the list of personal information files by entering “Korea
University” in the organization name search box.
C. Items of Personal Information to be Managed
Personal information processed by The University is processed to the minimum extent
specified by relevant duties and statutes, and the details are posted on the websites of each department to
allow those who are subject to the information to verify it.
D. Provision of Personal Information to a Third Party
① The University may manage personal information to fulfill the intended purpose(s) of
collection and use in principle and may not handle it beyond the intended purpose(s) nor provide it to a third
party without the prior consent of the subject(s) of the information except for any of the following cases:
Where the consent of a subject of information has been obtained
Where special provisions exist in any Act
Where it is deemed obviously necessary for the physical safety and property interests
of a subject of the information or a third party when the subject of the information or his/her
legal representative cannot give prior consent because he/she is unable to express his/her
intention or by reason of his/her lack of current address, etc.
Where personal information is necessary for compiling statistics or scientific
research purposes, etc., and the personal information is provided in a form in which a specific
individual cannot be identified
Where not using personal information for any purpose other than the intended
purpose(s) or a failure to provide a third person with such information makes it impossible to
perform affairs provided for in any other Act and has undergone deliberation and resolution by the
Personal Information Protection Committee
Where it is necessary to provide a foreign government or international organization
with personal information in order to implement a treaty or any other international agreement
Where it is necessary to investigate a crime and institute and sustain a public
Where it is necessary for a court to perform its judicial functions
Where it is necessary to execute a punishment, ensure care and custody, or enforce a
② Matters pursuant to Paragraph (1) are published on the websites of each department and
institution to allow those who are a subject of the information to verify it.
E. Entrustment of Management Affairs of Personal Information
① When the processing of personal information is outsourced, the relevant matters will be
published on the websites of each department and institution to allow those who are subject to the information
to verify it, and the following processing of personal information on the websites will be outsourced for the
effective management of relevant tasks.
Outsourcee: SCI Information Service Inc.
Outsourced management functions: I-PIN for identification, conducting cell phone
accreditation by proxy
② When it entered into the current outsourcing contract, The University explicitly
stipulated matters pursuant to personal information protection rules of relevant Acts and subordinate statutes;
if and when the outsourcee is to be changed, such a matter shall be made public via announcement and the
Personal Information Management Policy.
F. Matters Concerning Rights and Duties of a Subject of Information, and How to Exercise
① A subject of information (a legal representative for those under age 14) can exercise
the following rights of personal information protection at any time:
Request for Inspection of Personal Information
Request for Correction of Personal Information
Request for Deletion of Personal Information
Request for Suspension of Management of Personal Information
② The exercise of rights pursuant to Paragraph (1) can be performed by filling in the
[Attached Form 8] of the Enforcement Rules to Personal Information Protection Act and submitting it in writing
or via email (email@example.com), on which basis the appropriate department or institution shall take measures
③ When a subject of information requests an error in personal information be corrected or
deleted, etc., the personal information shall not be used or provided until the correction or deletion, etc.
has been completed.
④ The exercise of rights pursuant to Paragraph (1) can be performed by proxy by the agent
of a subject of information such as a legal representative or delegated individual. In such cases, the
[Attached Form 11] of the Enforcement Rules to Personal Information Protection Act regarding the power of
attorney should be submitted.
⑤ The right of a subject of information to request the suspension of the accessing and
processing of personal information can be restricted pursuant to Articles 35(5) and 37(2) of the Personal
Information Protection Act.
⑥ A request to correct or delete personal information cannot be accepted when such
personal information is stipulated as the object of collection in other Acts.
⑦ When access, correction or deletion, and suspension of the processing of information is
requested based on the rights of a subject of information, the person requesting access should be verified as a
relevant party or a lawful representative.
*[Attached Form 8 of the Enforcement Rules to Personal Information Protection Act]
Application for Access, Correction or Deletion, and Suspension of Processing of Personal Information
*[Attached Form 11 of the Enforcement Rules to Personal Information Protection Act] Power
* Inquiries: Seoul Campus 02-3290-1145, Sejong Campus 044-860-1822
G. Personal Information Destruction Process and Methods
① When the purpose of the management of personal information has been achieved, The
University, in principle, shall destroy the personal information without delay, unless otherwise specified in
other Acts for retention.
② The procedures for, timing of, and methods for destroying personal information are as
Procedures of Destruction : After or as soon as the purpose of
retaining personal information has been achieved, it shall be transferred to a separate storage
unit, stored for a certain period of time, and then destroyed pursuant to internal policies and
other Acts and subordinate statutes. The personal information transferred to the separate storage
unit shall not be used for any other purpose(s) except as stipulated in Acts.
Timing of and Methods for Destruction : When the retention of
personal information becomes unnecessary upon its reaching its expiration date, either its
management purpose is considered achieved or the relevant service is deemed abolished. Accordingly,
the personal information shall be destroyed without delay.
Methods for Destruction : Information in the form of an electronic
file shall be destroyed via technical methods so as to prevent its recycling. Printed or hardcopy
versions of personal information shall be shredded or incinerated.
H. Measures to secure safety of personal information
① The following measures are being taken to secure personal information safety:
Minimization of the Number of Staff ManagingPersonal Information and Staff
Training : The University designates and manages just the necessary number of
staff who manages personal information and trains such staffers on safe management practices of
Access Restriction of Personal Information : TheUniversity takes
necessary measures to control access to personal information by granting, revising, and eliminating
access rights to the database system that manages personal information and also controls
unauthorized access from external parties through the use of firewall systems.
Storage of Access Records : Access records to the Personal
Information Management System shall be stored and managed for a minimum of 6 months.
Installation and Regular Inspection/Update of Security Programs :
Security programs are installed and updated/inspected on a regular basis to prevent unauthorized
outflow or alteration of personal information from hacking or computer viruses.
Access Control against Unauthorized Persons : The University
operates the Personal Information System, which stores personal information at a physically
separate storing place and establishes and runs access control procedures.
Encryption of Personal Information : Personal information is safely
stored and managed via methods such as encryption. Additional security functions are also employed,
such as, for example, encrypting important data during storage and transfer.
I. Resolution for Infringement on Rights and Interests
① A subject of information may apply for conflict resolution or consultation for damage relief against personal information violation(s) at the agencies listed below:
② A person whose personal information-related rights or interests have been infringed upon by measures taken by the head of a public institution against a request by such a person for the inspection, correction/deletion, and the suspension of management of personal information may make an administrative appeal pursuant to the Administrative Appeals Act.
Please refer to the information provided by the Central Administrative Appeals Commission (www.simpan.go.kr
J. Personal Information Protection Managers
Personal Information Chief Manager : Kyung Ho Lee, Vice President for Information Technology and Services
Personal Information Manager : Cheol Ho Choi, IT System Management Dept., Office of Information & Computing
Inquiries: 02-3290-4192, firstname.lastname@example.org
Enforcement date : January 16th, 2019