Resident registration number

Each Korean citizen is given an ID number at birth – the resident registration number (RR number, 주민등록번호/住民登錄番號). Under the Resident Registration Act, the head of a city, county or ward shall maintain the computer systems to record resident registration by individual and household, manage the resident registration record index by household, and issue the resident registration card to its resident who becomes 17 years old.

These days the once highly useful universal identifier has turned out to be a key of large scale data breach incidents. The newly implemented Personal Information Protection Act provides for the RR number and other unique identifier shall be handled with due care.

Key words
resident registration number, universal identifier, ID card,

Historical background
This number contains 13 digits conveying information about the holder. This ID system was generally implemented just after the armed guerrilla attack of the Presidential Residence in Seoul in January 1968.

So, without the resident registration card, ordinary Koreans have trouble getting inside government buildings, or applying for financial transactions and website membership. Sometimes they are asked by policemen to show the identity card on the street.

Now the ID number is used for administrative purposes, from applying for various government services to proving that one is a real person with a real name. As a result, someone with access to administrative databases associated with use of the card can gain detailed information about where its holder is living, how much he earns and pays in tax, and what kind of business he is engaged in. It is because the residence, tax and other government databases are constructed based on this general identifier.

Functions of RR number
The resident registration number functions as a link to government-maintained databases. This number makes it possible for government officials to compile personal information and to do profiling and data matching of extensive information about Korean citizens. The 13-digit number is like ‘Aladdin’s sesame’ to open government databases. Because it is easy to centralize and profile citizens’ data, privacy-conscious South Koreans seek assurances that the ID number is not used for purposes of surveillance.

Several civic groups have acted as watchdogs against government plans to establish and consolidate databases for administrative efficiency.

Side effects
In the private sector, on-line information service providers usually demand users’ resident registration numbers. To protest this practice, some users submit made-up numbers instead of real ones; others steal someone else’s ID number. For example in 2005, 53.9 per cent of those who filed claims with the Personal Data Protection Center in Seoul reported their ID numbers had been illegally used or stolen. Against this backdrop, some critics suggested that information service providers should not be allowed to collect individual users’ ID number.

A series of massive scale data breach incidents prompted the government to amend the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. The newly amended Act, which came into effect on 18 August 2012, prohibits the information and communication service providers (ICSPs) from collecting RR numbers from their users. The exceptions are (i) the authentication agencies, designated by the government for the purpose of provision of alternative ID numbers, (ii) qualified ICSPs permitted by the relevant laws, or (iii) the KCC-notified ICSPs which rely on the collection and use of RR Numbers on business. Article 23-2 (1) of the Act.

Total ban of RR number collection
Recently amended by Act No. 11990 on August 6, 2013, effective on August 7, 2014 Since the enactment of the current Personal Information Protection Act in 2011, massive data breach incidents have occurred from time to time. The government thought the companies, which used to collect the national ID - RR numbers - would not take sufficient caution and safety measures. Then heavier responsibilities will await those in charge of data protection and safety measures. At last, in August 2013, the Personal Information Protection Act was amended to prohibit ISPs from collecting and processing the national ID, to destroy the ID numbers possessed by them within two years from the enforcement date, and to add stiffer penalties including disciplinary action against company executives responsible for a serious lapse in personal data protection.

The amendment to the current Act comes into force on August 7, 2014, one year later. Failure to protect an individual's national ID number, for example, would constitute a serious violation. The newly added measure allows the Ministry of Security and Public Administration to demand the dismissal of top executives at companies found in violation of privacy rules and regulations. The new Act also would give the Ministry the power to impose fines in the form of surcharge up to 500 million won (equivalent to U$460 thousand) against companies that collect and store national ID numbers if they are lost, stolen, breached, or altered.