This site is the official e-Government website of the Republic of Korea.
Notice / Press Release
| Title | The PIPC’s 1st No-Action Letter for Joint International Research Using Pseudonymized Data of Deceased Patients | ||
|---|---|---|---|
| Department | Date | 2026.01.02 | |
| Attachment | press release The PIPC's 1st No-Action Letter for Joint International Research Using Pseudonymized Data of Deceased Patients.pdf | ||
| Page URL | https://pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2947 | ||
| Contents |
Press Release The PIPC’s 1st No-Action Letter for Joint International Research Using Pseudonymized Data of Deceased Patients - The first decision under the No-Action Letter Scheme for Pseudonymized Data, in operation since November 2025
December 28, 2025 (This is an unofficial translation of a press release, originally prepared in Korean.)
The Personal Information Protection Commission (PIPC) announced on December 26, 2025, that it has responded to a request regarding a joint international research project using pseudonymized data of deceased patients, stating that it is not subject to the PIPC’s administrative sanctions under the Personal Information Protection Act (PIPA).
It marks the first response issued by the PIPC under the No-Action Letter Scheme for Pseudonymized Data, that has been in operation since November 2025. The scheme was introduced to minimize compliance risks for businesses and researchers using pseudonymized data and to rapidly address legal uncertainties surrounding lawful pseudonymization. It is devised modeling after a no-action letter in the financial sector.
This scheme allows entities to request a no-action letter by providing details and purposes for their pseudonymization practices. To determine whether a requester’s pseudonymization practice complies with the PIPA, the PIPC reviews the request. If it does not constitute a violation, the PIPC informs the requester that its pseudonymization practice will not be subject to administrative sanctions. The scheme will provide clarification for entities that find it difficult to interpret the PIPA or refer to relevant guidelines for pseudonymization.
In this case, Seoul National University Hospital (SNUH) sent an inquiry about whether its pseudonymization practice of data of deceased patients for research and educational purposes is subject to the PIPA.
Under Korea’s privacy legal framework, personal information means the information relating to a living individual, so that the information of a deceased person is not technically personal information. However, such information may remain subject to the PIPA if it is able to identify or infer relationships with bereaved family members. Accordingly, the PIPC reviewed this request with a focus on whether the pseudonymization practice redacts the relationships (identifiability) with bereaved family members, and whether there remained any risks of data misuse or abuse.
SNUH redacted all information relating to the deceased patients' families from the data to prevent any inference and had the data reviewed and approved by the Data Review Board (DRB). In addition, patient numbers, all dates and times, and diagnosis codes were pseudonymized. SNUH also had the data reviewed by the Institutional Review Board (IRB) and approved it as involving minimal risk. Furthermore, such data should be processed only on a platform built by SNUH, and a user control plan was established to prevent researchers from carrying out data outside the organization.
● A DRB is a committee to review the adequacy of pseudonymization inside the organization pursuant to Article 28-2 of the PIPA. A data processor may process pseudonymized data without obtaining consent from data subjects for statistical, scientific research, and archiving purposes in the public interest. ● An IRB is a committee at an institution that applies research ethics by reviewing the methods proposed for research involving human subjects, to ensure that the projects are ethical pursuant to Article 10 of the Bioethics and Safety Act.
The PIPC reviewed the measures and practices that SNUH has taken in a comprehensive manner and clarified that its processing of deceased patients’ data is not subject to the PIPA. The PIPC noted that SNUH has implemented high levels of security and ethical safeguards for data processing, even though such data processing is outside of the remit of the PIPA.
The PIPC publishes the review results on the Platform for Supporting Pseudonymized Data (www.dataprivacy.go.kr), which can be accessed via the menu named “No-Action Letter for Pseudonymized Data.” Businesses and researchers experiencing difficulties in interpreting regulations and guidelines on pseudonymization can resort to this scheme for clarification.
Meanwhile, the PIPC and the Ministry of Health and Welfare will explore and establish pseudonymization criteria and deliberation procedures for the use of deceased patients’ data and reflect the discussions in the relevant guidelines.
Chairperson Kyung Hee Song emphasized the importance of this no-action letter request, saying, “The first No-Action Letter request by the SNUH is meaningful in that this case is not subject to the PIPA, but it serves as a compass for entities that have found it difficult to use data of deceased patients due to identifiability risks of the bereaved family members or uncertainties arising from vagueness in legal interpretation.” She added, “The PIPC will closely work with the Ministry of Health and Welfare and other ministries to actively make improvements in promoting data utilization.”
* A PDF file, formatted for better readability, is attached.
|
||