“Proper security measures” referred to in Item 2 and Item 5 of the proviso to Paragraph 1 of Article 6, “security and maintenance” referred to in Article 18, and “proper security measures” referred to in Item 2 of Paragraph 1 of Article 19 and Paragraph 1 of Article 27 of the Act shall mean the technical or organizational measures taken by the government agency or the non-government agency for the purpose of preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
The measures prescribed in the preceding paragraph may include the following matters and shall follow the principle of appropriate proportionality to achieve the objective of personal information protection:
- allocating management personnel and substantial resources;
- defining the scope of personal information;
- establishing the mechanism of risk evaluation and management of personal information;
- establishing the mechanism of preventing, giving notice of, and responding to accidents;
- establishing an internal management procedure of collecting, processing, and using personal information;
- managing information security and personnel;
- promoting acknowledgement, education and training;
- managing facility security;
- establishing a mechanism of auditing information security;
- keeping records of the use, locus information and proof; and
- integrated persistent improvements on the security and maintenance of personal information.