South Korea-specific information concerning the key legal and commercial issues to be considered when drafting an internal IT and communications systems policy for use internationally.
See also Standard document, IT and communications systems policy: International, with country specific drafting notes.
Applicability
Yes, many employers inform employees about IT and communications systems management through these polices. However, they are not legally required.
Terms in a policy are usually referred to as "chapters", "articles" or "clauses".
Personnel responsible for the policy
Yes. It is common to include a section that provides details of the personnel responsible for the policy, called "information protection personnel", like Standard document, IT and communications systems policy: International: clause 2. The provision usually also states their position.
It is permissible, but it is not standard practice. Managers only have their normal supervision responsibility. In the case of IT and communications management, the task of supervision is usually designated to dedicated information security personnel in the company. However, it is possible to designate ensuring the fair application of the policy as the manager's responsibility.
Enforceability
Yes. The provisions of the IT and communications systems policy can either be included in:
Yes. Excessive personal use or misuse of the IT and communications systems can be regarded as employee misconduct, or (where there are relevant provisions within the rules of employment) a breach of the rules of employment. For example, in a case where an employee was dismissed during a probationary period for drinking and excessive use of smartphones during work hours, the Seoul High Court decided that excessive use of smartphones could be recognised as a cause for dismissal during the probationary period (Seoul High Court Decision 2015Nu65140, 28 April 2016).
Yes. However, to do that, a breach of the policy must be either:
The words "immediately without notice" should be deleted from Standard document, IT and communications systems policy: International: clauses 1.3.
The statement at the end of Standard document, IT and communications systems policy: International: clauses 9.1 should be replaced with the following wording:
"Any such action will be treated very seriously and is likely to result in disciplinary measures up to termination of your employment, to the extent permitted under the applicable laws."
The employer need not follow any procedures if no procedures are established for disciplinary action (see Question 9). However, where there is a disciplinary procedure in place, through a collective bargaining agreement or rules of employment, then the employer must follow that procedure.
Yes. Companies with ten or more employees must introduce rules of employment, and these must include matters related to disciplinary actions (Article 93, Labour Standards Act). It is therefore standard practice for most employers to have written disciplinary procedures.
As long as the disciplinary rules do not specify that there must be an investigation before any disciplinary action, the employer does not have to carry one out before responding to a breach of the policy. However, the employer has the burden of proof when taking any disciplinary action against employees. Therefore, on a practical level, the employer may need to carry out an investigation for evidential purposes.
The disciplinary action taken by the employer must be based on the breach in question, and its effects. However, potential action could include a reprimand, suspension, wage reduction and dismissal.
The employer would not usually be able to dismiss an employee unless the breach either created considerable loss for the employer or constituted serious misconduct by the employee.
An employer must give at least 30 days' notice before dismissal, or pay the employee the equivalent of 30 days' usual pay (Article 26, Labour Standards Act).
Yes, if such a policy is not in place, it might be difficult to categorise the misuse of the employer's IT and communications systems as a cause for dismissal.
However, an employer must have a "justifiable cause" to dismiss an employee (Article 23(1), Labour Standards Act) and the courts interpret this very narrowly. Therefore, one cannot dismiss an employee just because they have breached the policy; the breach must constitute serious misconduct or have caused the employer serious loss.
There are various kinds of criminal offence which may result from the misuse of an employer's IT and communications systems. The key offences to be aware of are:
The following civil claims may arise:
Yes. A person who employs another to perform a specific task could be liable for compensating for any loss inflicted on a third person by the employee in the course of performing the employee's specific task, unless the employer exercised due care in appointing the employee, and in supervising the performance of the specific task (Article 756, Civil Act).
Yes, it is, in the following forms:
It should be noted that liability for defamation (both criminal and civil) can occur even when what the person alleges is factual (Article 307(1)).
Contractual status
No. Even if the employer incorporates such a policy into the rules of employment instead of individual employment contracts, any amendments will still need the employer to "hear the opinion" of (when the amendment is not disadvantageous to employees):
Where the proposed amendment is disadvantageous to employees, the employer must obtain their consent to it (Article 94(1), Labour Standards Act). However, since Standard document, IT and communications systems policy: International envisions disciplinary action for those who violate the policy, it would be seen as disadvantageous to employees.
If the policy does not form part of the employee's contract of employment, and is not included in the rules of employment, it is not clear whether the court will recognise an implied contractual duty on the employee to comply with Standard document, IT and communications systems policy: International.
In South Korea, employers usually include such policies in the rules of employment, and include a comprehensive clause in the employment contract that the employee must follow the rules of employment. Even if an employment contract does not have such a clause, the employee still has a duty to comply with the rules of employment (Article 5, of the Labour Standards Act).
Yes; even if the policy is not explicitly set out in the contract itself, an employee nevertheless has an obligation to follow the rules of employment if those rules are effectively established, revised and made public under Article 93 of the Labour Standards Act (Article 5, Labour Standards Act). As a result, if Standard document, IT and communications systems policy: International is established as a part of the rules of employment, the employee will be in breach of contract if they breach the policy.
No; even if the policy is not explicitly set out in the contract itself, an employee nonetheless has an obligation to follow the rules of employment if those rules are effectively established, revised and made public under Article 93 of the Labour Standards Act (Article 5, Labour Standards Act).
An employer cannot revise the rules of employment unilaterally. Even if the employer places such a policy in the rules of employment instead of individual employment contracts, amendments to it will still need the employer to "hear the opinion" of:
(Article 94(1), Labour Standards Act.)
Where the proposed amendment is disadvantageous to employees, the employer must obtain their consent to it. That is, where there is a trade union composed of the majority of the employees in the business or workplace, the employer must obtain a consent from the trade union instead of employees.
Yes, as long as their contracts of engagement specify that they must adhere to the IT and communications system policy. However, it must be noted that requiring non-employees' adherence to the company's rules of employment may lead the courts to regard them as de facto employees.
Security
Yes. It is permissible for an employer to make employees responsible for the security of the equipment and the computer terminals provided by the company.
It is permissible to manage emails to prevent harmful viruses gaining access to company IT systems. However, inspecting the email contents of individual employees would require the separate specific approval of the employee. In a case where an employer had passwords to employee's email account (the passwords had been given by the employee in the past) and opened the employee's email without specific approval, the Seoul Central District Court decided the employer had acted illegally (Seoul Central District Court Decision 2002No9492, 15 April 2003).
Yes. Employers can delete, block access to or not transmit emails or attachments in the interests of security.
Yes. Employers can block access to employees' web-based personal emails on the company's computer systems for security reasons.
Yes. Employers can forbid employees' access to their personal email or other social networking sites.
As in Standard document, IT and communications systems policy: International: clause 6.5, Facebook, Twitter, YouTube, and Instagram are the most used social networking sites in South Korea.
Yes. Employers can ask employees to take such precautions when using IT equipment outside work.
Personal use
Employers can withdraw permission or restrict use when there is a relevant clause allowing this in individual contracts or rules of employment. If Standard document, IT and communications systems policy: International: clause 7.1 is established as part of the rules of employment, then the employer can withdraw permission for the personal use of work internet, email, and telephone systems.
Yes.
Yes.
Monitoring
Because the monitoring of employees' emails and internet use risks violating their right to privacy of communication, the employer would need individual consent from every employee for this to be permissible, in addition to a comprehensive agreement. There is no detailed law on this yet, but see Question 24.
There is no case law on this area, but just having a general provision such as this will not be sufficient, since the courts are protective on privacy issues. If possible, the employer should gain the individual employee's consent to monitoring when an issue arises. Since there have been no court decisions on this issue, we are not sure whether ongoing monitoring is likely to be acceptable or not.
There is no case law on this area. Whether this is permissible will depend on the method and range of the automated monitoring, as it could be considered a breach of data protection requirements or the right to private communications (Article 16(1), Personal Information Protection Act; Article 3(1), Protection of Communications Secrets Act; Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc).
Best practice would be to include a comprehensive provision regarding automated monitoring, and then, if any
issues are revealed by the automated monitoring, obtain the targeted individual employee's consent before further
investigations of their use of the IT and communications systems are carried out.
It could constitute a breach of data protection requirements or the right to private communications (Article 16(1), Personal Information Protection Act; Article 3(1), Protection of Communications Secrets Act; Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc). If possible, the employer should gain the individual employee's consent to monitoring before any monitoring occurs.
Yes. There are no established court cases, but it is best practice for the employer to obtain individual consent, as the law is not currently clear.
A policy of generalised monitoring, even if signed by employees, might not be enough. The employer should have clear consent from employees, specifying what information it will monitor.
Yes. The Personal Information Protection Act restricts the use of CCTV as follows:
Where CCTV is installed:
The Personal Information Protection Act restricts the installation of CCTV to certain purposes only, and monitoring employees' work is not included in the list of legitimate purposes (Article 25(1)) (see Question 36). Therefore, unless every employee individually agrees to being monitored at their work by CCTV, the monitoring will be unlawful (Article 15(1), Personal Information Protection Act).
No. An employer can only collect personal information when it receives consent from the individuals (see Question 37).
Retrieving private information from a personal device is unlawful under Article 316 of the Criminal Act. Also, infringement of another person's secret information processed through an information and communications network is not permitted (Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc).
It is unlawful to censor any mail, wiretap any telecommunications, provide communication confirmation data, record or listen to any conversation between others that are not made public (Article 3(1), Protection of Communications Secrets Act). The term "communication confirmation data" means the data on the records of telecommunications falling under any one of the following (Article 2(11), Protection of Communications Secrets Act):
As a result, an employer must obtain individual consent before retrieving the contents of an email or checking
internet use.
None of these reasons will be permissible without obtaining individual consent (see Question 38).
Retrieved emails /internet usage relate to the employee
Even if the employee is suspected to have committed any wrongdoing, individual consent is required.
Retrieved emails /internet usage relate to another employee
Retrieving emails and internet usage related to another employee also requires the employee's individual consent.
Transfers internally
If employee consent was obtained for the initial investigation, consent is not required for internal transfers.
Transfers externally for an independent investigation
Because the information investigator is external, separate consent is required (Article 15, Personal Information Protection Act).
Transfers to the police for criminal investigation
Information may be transferred without further employee consent when the police require it through a warrant (Article 215, Criminal Procedure Act). When the police do not have a warrant, then they also need individual consent from the employee.
Execution and other formalities
Formalities
There are no specific formalities required by law.
Language requirements
There are no language requirements. However, it is advisable to have a Korean version so that employees can understand the policy better and avoid contravening the policy (there is no case law on this area yet, but providing a Korean version will ensure that the employee cannot argue that their breach was due to not understanding the policy).
When an employer wants to change the IT and communications policy, the employer must hear the opinion of a trade union (if there one) composed of the majority of the employees in the business or workplace concerned or otherwise hear the opinion of the majority of the employees if there is no such trade union composed of the majority of the employees (see Question 17).
However, where the proposed amendment is disadvantageous to employees, the employer must obtain their consent.
(Article 94(1), Labour Standards Act.)
Standard document, IT and communications systems policy: International: clause 1.4 should be amended to read as follows:
"[This policy has been [agreed OR implemented following consultation] with the [[TRADE UNION] OR [majority of the employees in the business or workplace]].]"
General
As discussed throughout, disciplinary action is permissible when the breach is listed as a disciplinary cause in the rules of employment, but a breach will not constitute reasonable grounds for dismissal unless it constitutes serious misconduct or causes the employer serious loss.
Monitoring the content of personal communications or online accounts could be in breach of the Personal Information Protection Law if they contain any personal data; as a result, the employer will need to obtain individual consent to the monitoring.
No. Standard document, IT and communications systems policy: International contains most of the provisions that IT and communications policies usually have in South Korea.
See also Standard document, IT and communications systems policy: International, with country specific drafting notes.
Applicability
1. In your jurisdiction, is a policy such as Standard document, IT and communications systems policy: International usually put in place by employers?
Yes, many employers inform employees about IT and communications systems management through these polices. However, they are not legally required.
2. What are the terms in a policy called in your jurisdiction? For example, clauses, paragraphs, articles.
Terms in a policy are usually referred to as "chapters", "articles" or "clauses".
Personnel responsible for the policy
3. Is it common practice to include a section in the IT and communications systems policy stating who the personnel responsible for the policy are as set out in Standard document, IT and communications systems policy: International: clause 2?
Yes. It is common to include a section that provides details of the personnel responsible for the policy, called "information protection personnel", like Standard document, IT and communications systems policy: International: clause 2. The provision usually also states their position.
4. Is it standard practice and permissible for managers to have specific responsibility for ensuring the fair application of the IT and communications systems policy as set out in Standard document, IT and communications systems policy: International: clause 2.2?
It is permissible, but it is not standard practice. Managers only have their normal supervision responsibility. In the case of IT and communications management, the task of supervision is usually designated to dedicated information security personnel in the company. However, it is possible to designate ensuring the fair application of the policy as the manager's responsibility.
Enforceability
5. Is Standard document, IT and communications systems policy: International enforceable against employees? How?
Yes. The provisions of the IT and communications systems policy can either be included in:
- The rules of employment.
- Individual employment contracts.
6. Would excessive personal use or misuse of the employer's IT and communications systems by an employee be regarded as misconduct in your jurisdiction? If not, please state the position.
Yes. Excessive personal use or misuse of the IT and communications systems can be regarded as employee misconduct, or (where there are relevant provisions within the rules of employment) a breach of the rules of employment. For example, in a case where an employee was dismissed during a probationary period for drinking and excessive use of smartphones during work hours, the Seoul High Court decided that excessive use of smartphones could be recognised as a cause for dismissal during the probationary period (Seoul High Court Decision 2015Nu65140, 28 April 2016).
7. Can an employer take disciplinary action for breach of the IT and communications systems policy (as set out in Standard document, IT and communications systems policy: International: clauses 1.3, 7.3 and 9)?
Yes. However, to do that, a breach of the policy must be either:
- Listed specifically as a cause for disciplinary action (in the policy and/or the employment contract).
- Written as a cause for disciplinary action under the rules of employment, and the breach must be recognised as "justifiable cause" for such disciplinary action.
The words "immediately without notice" should be deleted from Standard document, IT and communications systems policy: International: clauses 1.3.
The statement at the end of Standard document, IT and communications systems policy: International: clauses 9.1 should be replaced with the following wording:
"Any such action will be treated very seriously and is likely to result in disciplinary measures up to termination of your employment, to the extent permitted under the applicable laws."
8. What disciplinary procedures should the employer follow where the employee is in breach of Standard document, IT and communications systems policy: International?
The employer need not follow any procedures if no procedures are established for disciplinary action (see Question 9). However, where there is a disciplinary procedure in place, through a collective bargaining agreement or rules of employment, then the employer must follow that procedure.
9. Is it standard practice in your jurisdiction for employers to have written disciplinary procedures in place which are made available to their employees?
Yes. Companies with ten or more employees must introduce rules of employment, and these must include matters related to disciplinary actions (Article 93, Labour Standards Act). It is therefore standard practice for most employers to have written disciplinary procedures.
10. Is the employer required to carry out an investigation before taking any action against an employee in respect of Standard document, IT and communications systems policy: International?
As long as the disciplinary rules do not specify that there must be an investigation before any disciplinary action, the employer does not have to carry one out before responding to a breach of the policy. However, the employer has the burden of proof when taking any disciplinary action against employees. Therefore, on a practical level, the employer may need to carry out an investigation for evidential purposes.
11. What disciplinary sanctions may be brought against the employee for breach of the IT and communications systems policy? Can an employee be dismissed immediately without notice (as set out in Standard document, IT and communications systems policy: International: clauses 1.3 and 9.2)?
The disciplinary action taken by the employer must be based on the breach in question, and its effects. However, potential action could include a reprimand, suspension, wage reduction and dismissal.
The employer would not usually be able to dismiss an employee unless the breach either created considerable loss for the employer or constituted serious misconduct by the employee.
An employer must give at least 30 days' notice before dismissal, or pay the employee the equivalent of 30 days' usual pay (Article 26, Labour Standards Act).
12. Would the existence of Standard document, IT and communications systems policy: International reduce the risk of claims from employees if the employer terminates their employment for misuse of the employer's IT and communications systems?
Yes, if such a policy is not in place, it might be difficult to categorise the misuse of the employer's IT and communications systems as a cause for dismissal.
However, an employer must have a "justifiable cause" to dismiss an employee (Article 23(1), Labour Standards Act) and the courts interpret this very narrowly. Therefore, one cannot dismiss an employee just because they have breached the policy; the breach must constitute serious misconduct or have caused the employer serious loss.
13. What potential criminal offences could result from the misuse of an employer's IT and communications systems in your jurisdiction?
There are various kinds of criminal offence which may result from the misuse of an employer's IT and communications systems. The key offences to be aware of are:
- The circulation of unlawful information (Article 44-7, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc). This includes (among other things) information whose content:
• is obscene;
• defames other persons by divulging a fact or false information, openly and with intent to disparage the person's reputation;
• arouses fear or apprehension by reaching other persons repeatedly; or
• compromises, destroys, alters or forges an information and communications system, data, a program or similar, or interferes with the operation of such system, data, program, or similar without a justifiable ground. - Infringement of copyright (Article 136, Copyright Act). This is punishable by imprisonment for up to five years or by a fine up to KRW50 million, or both.
- Criminal destruction or damage of property (Article 366, Criminal Act). This is punishable by imprisonment for not more than three years or by a fine not exceeding KRW7 million. It covers the destruction, damage or concealment of another's property, document or special media records (such as electromagnetic records), or the reduction of their utility by any other means.
- Interference with business (Article 314, Criminal Act). This is punishable by imprisonment for not more than five years or by a fine not exceeding KRW15 million. It covers interference with another person's business by damaging or destroying any data processor, such as computer, or special media records, such as electromagnetic records, or inputting false information or improper order into the data processor, or making any impediment in processing any data by any other way.
14. What potential civil claims could arise against employees from incorrect or improper statements made in the content of email messages as set out in Standard document, IT and communications systems policy: International: clauses 5.3 and 5.4?
The following civil claims may arise:
- Tort (which arises where any person causes losses to or inflicts injuries on another person by an illegal act, wilfully or negligently) (on an indemnity basis) (Article 750, Civil Act).
- Breach of the prohibition against workplace harassment (Article 76-2, Labour Standards Act).
- Breach of a confidentiality clause (under the individual employment contract).
15. Could an employer be liable for any of the above claims?
Yes. A person who employs another to perform a specific task could be liable for compensating for any loss inflicted on a third person by the employee in the course of performing the employee's specific task, unless the employer exercised due care in appointing the employee, and in supervising the performance of the specific task (Article 756, Civil Act).
16. Is defamation understood in your jurisdiction (see Standard document, IT and communications systems policy: International: clauses 5.3 and 9.1(c))? If not, is there an equivalent claim for adversely affecting a person's reputation?
Yes, it is, in the following forms:
- The offences in the Criminal Act of:
• Article 307 (defamation);
• Article 308 (defamation of a dead person); and
• Article 309 (defamation through printed materials). - The civil tort of defamation (on an indemnity basis) (Article 750, Civil Act).
It should be noted that liability for defamation (both criminal and civil) can occur even when what the person alleges is factual (Article 307(1)).
Contractual status
17. Is it advisable for the IT and communications systems policy not to form part of an employee's contract of employment in your jurisdiction so that an employer can make changes as it wishes without breaching the contract of employment with its employees (as set out in Standard document, IT and communications systems policy: International: clause 1.5)?
No. Even if the employer incorporates such a policy into the rules of employment instead of individual employment contracts, any amendments will still need the employer to "hear the opinion" of (when the amendment is not disadvantageous to employees):
- A trade union (if there is one) composed of the majority of the employees in the business or workplace concerned.
- The majority of the employees, if there is no trade union composed of the majority of the employees.
Where the proposed amendment is disadvantageous to employees, the employer must obtain their consent to it (Article 94(1), Labour Standards Act). However, since Standard document, IT and communications systems policy: International envisions disciplinary action for those who violate the policy, it would be seen as disadvantageous to employees.
18. If Standard document, IT and communications systems policy: International does not form part of the employee's contract of employment, could there be an implied contractual duty on the employee to comply with this policy?
If the policy does not form part of the employee's contract of employment, and is not included in the rules of employment, it is not clear whether the court will recognise an implied contractual duty on the employee to comply with Standard document, IT and communications systems policy: International.
In South Korea, employers usually include such policies in the rules of employment, and include a comprehensive clause in the employment contract that the employee must follow the rules of employment. Even if an employment contract does not have such a clause, the employee still has a duty to comply with the rules of employment (Article 5, of the Labour Standards Act).
19. Could an employee be in breach of contract if they are in breach of the IT and communications systems policy, even where it is stated that the policy does not form part of the employee's contract of employment as set out in Standard document, IT and communications systems policy: International: clause 1.5?
Yes; even if the policy is not explicitly set out in the contract itself, an employee nevertheless has an obligation to follow the rules of employment if those rules are effectively established, revised and made public under Article 93 of the Labour Standards Act (Article 5, Labour Standards Act). As a result, if Standard document, IT and communications systems policy: International is established as a part of the rules of employment, the employee will be in breach of contract if they breach the policy.
20. If Standard document, IT and communications systems policy: International is non-contractual could this reduce its legal force in your jurisdiction?
No; even if the policy is not explicitly set out in the contract itself, an employee nonetheless has an obligation to follow the rules of employment if those rules are effectively established, revised and made public under Article 93 of the Labour Standards Act (Article 5, Labour Standards Act).
21. Can the IT and communications systems policy be amended at any time by an employer in your jurisdiction (as set out cStandard document, IT and communications systems policy: International: clause 1.5)? If not, what steps should the employer take when it needs to amend this policy?
An employer cannot revise the rules of employment unilaterally. Even if the employer places such a policy in the rules of employment instead of individual employment contracts, amendments to it will still need the employer to "hear the opinion" of:
- A trade union (if there is one) composed of the majority of the employees in the business or workplace concerned.
- The majority of the employees, if there is no trade union composed of the majority of the employees.
(Article 94(1), Labour Standards Act.)
Where the proposed amendment is disadvantageous to employees, the employer must obtain their consent to it. That is, where there is a trade union composed of the majority of the employees in the business or workplace, the employer must obtain a consent from the trade union instead of employees.
22. Can the IT and communications systems policy apply to officers, consultants, contractors, volunteers, interns, casual workers and agency workers as set out in Standard document, IT and communications systems policy: International: clause 1.2?
Yes, as long as their contracts of engagement specify that they must adhere to the IT and communications system policy. However, it must be noted that requiring non-employees' adherence to the company's rules of employment may lead the courts to regard them as de facto employees.
Security
23. Is it permissible for an employer to make employees responsible for the security of:
- The equipment allocated to them and used by them as set out in Standard document, IT and communications systems policy: International: clause 3.1?
- The computer terminal used by them as set out in Standard document, IT and communications systems policy: International: clause 3.2?
Yes. It is permissible for an employer to make employees responsible for the security of the equipment and the computer terminals provided by the company.
24. Can employers monitor emails passing through their systems for viruses as set out in Standard document, IT and communications systems policy: International: clause 4.4?
It is permissible to manage emails to prevent harmful viruses gaining access to company IT systems. However, inspecting the email contents of individual employees would require the separate specific approval of the employee. In a case where an employer had passwords to employee's email account (the passwords had been given by the employee in the past) and opened the employee's email without specific approval, the Seoul Central District Court decided the employer had acted illegally (Seoul Central District Court Decision 2002No9492, 15 April 2003).
25. Can employers delete, block access to or not transmit emails or attachments in the interests of security, as set out in Standard document, IT and communications systems policy: International: clause 4.4?
Yes. Employers can delete, block access to or not transmit emails or attachments in the interests of security.
26. Can employers block access to employees' web-based personal email such as gmail and Hotmail on the employers' computer systems for security reasons?
Yes. Employers can block access to employees' web-based personal emails on the company's computer systems for security reasons.
27. Can employers not allow employees to access their personal email or other social networking sites as set out in Standard document, IT and communications systems policy: International: clauses 5.9 and 6.5?
Yes. Employers can forbid employees' access to their personal email or other social networking sites.
28. What social networking sites are typically available and used in your jurisdiction (see Standard document, IT and communications systems policy: International: clause 6.5)?
As in Standard document, IT and communications systems policy: International: clause 6.5, Facebook, Twitter, YouTube, and Instagram are the most used social networking sites in South Korea.
29. When using the employer's IT equipment outside of work, can employers require employees to take such precautions as the employer may require from time to time against importing viruses and compromising system security as set out in Standard document, IT and communications systems policy: International: clause 4.6?
Yes. Employers can ask employees to take such precautions when using IT equipment outside work.
Personal use
30. Where employers permit employees to use their IT and communications systems for personal use, can the permission be withdrawn at any time or can access be restricted at the employer's discretion as set out in Standard document, IT and communications systems policy: International: clause 7.1?
Employers can withdraw permission or restrict use when there is a relevant clause allowing this in individual contracts or rules of employment. If Standard document, IT and communications systems policy: International: clause 7.1 is established as part of the rules of employment, then the employer can withdraw permission for the personal use of work internet, email, and telephone systems.
31. Can an employer require employees' personal emails sent from the employer's IT systems to be labelled "personal" in the subject header, as set out in Standard document, IT and communications systems policy: International: clause 7.2(b)?
Yes.
32. Can an employer restrict or prevent access to certain telephone numbers or internet sites if the employer considers personal use to be excessive as set out in Standard document, IT and communications systems policy: International: clause 7.3?
Yes.
Monitoring
33. Can an employee's use of the employer's IT and communications systems be monitored by employers as set out in Standard document, IT and communications systems policy: International: clauses 7.3 and 8?
Because the monitoring of employees' emails and internet use risks violating their right to privacy of communication, the employer would need individual consent from every employee for this to be permissible, in addition to a comprehensive agreement. There is no detailed law on this yet, but see Question 24.
34. On what basis can an employer legally monitor its employees' use of its IT and communications systems? Are the reasons stated in Standard document, IT and communications systems policy: International: clause 8.1 (for business reasons and in order for their employer to carry out its role as the employee's employer) permitted?
There is no case law on this area, but just having a general provision such as this will not be sufficient, since the courts are protective on privacy issues. If possible, the employer should gain the individual employee's consent to monitoring when an issue arises. Since there have been no court decisions on this issue, we are not sure whether ongoing monitoring is likely to be acceptable or not.
35. Can an employee's use of the employer's IT and communications systems be continually monitored by automated software as set out in Standard document, IT and communications systems policy: International: clause 8.1?
There is no case law on this area. Whether this is permissible will depend on the method and range of the automated monitoring, as it could be considered a breach of data protection requirements or the right to private communications (Article 16(1), Personal Information Protection Act; Article 3(1), Protection of Communications Secrets Act; Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc).
Best practice would be to include a comprehensive provision regarding automated monitoring, and then, if any
issues are revealed by the automated monitoring, obtain the targeted individual employee's consent before further
investigations of their use of the IT and communications systems are carried out.
36. Are there any legal requirements or limitations that an employer needs to be aware of when monitoring its employees' use of its IT and communications systems in your jurisdiction?
It could constitute a breach of data protection requirements or the right to private communications (Article 16(1), Personal Information Protection Act; Article 3(1), Protection of Communications Secrets Act; Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc). If possible, the employer should gain the individual employee's consent to monitoring before any monitoring occurs.
37. Is the employee's consent required for such monitoring? If so, can the employee signing and returning a copy of Standard document, IT and communications systems policy: International be deemed to be consent?
Yes. There are no established court cases, but it is best practice for the employer to obtain individual consent, as the law is not currently clear.
A policy of generalised monitoring, even if signed by employees, might not be enough. The employer should have clear consent from employees, specifying what information it will monitor.
38. Are there any legal requirements or limitations that an employer needs to be aware of when using CCTV on the exterior of the workplace premises and recording the data as set out in Standard document, IT and communications systems policy: International: clause 8.2?
Yes. The Personal Information Protection Act restricts the use of CCTV as follows:
- No one may install and operate any visual data processing device at open places, except in certain cases (Article 25(1)).
- No one may install and operate any visual data processing device so as to look into a place which is likely to threaten individual privacy considerably, such as a bathroom, restroom, sauna or changing room used by many unspecified persons (Article 25(2)).
Where CCTV is installed:
- An entity responsible for the installation and operation must take necessary measures to inform those who may be filmed, including posting a sign (Article 25(4)).
- Sound recording functions of CCTV must not be used (Article 25(5)).
- The responsible entity must take all measures necessary to ensure that personal information is not be lost, stolen, divulged, forged, altered or damaged (Article 25(6)).
- The responsible entity must create an appropriate policy to operate and manage the visual data processing devices (Article 25(7)).
39. What would the position be if the CCTV was recording employees inside the employee's workplace?
The Personal Information Protection Act restricts the installation of CCTV to certain purposes only, and monitoring employees' work is not included in the list of legitimate purposes (Article 25(1)) (see Question 36). Therefore, unless every employee individually agrees to being monitored at their work by CCTV, the monitoring will be unlawful (Article 15(1), Personal Information Protection Act).
40. Can an employer retrieve the contents of email messages or check internet usage by employees in the interests of the business as set out in Standard document, IT and communications systems policy: International: clause 8.3?
No. An employer can only collect personal information when it receives consent from the individuals (see Question 37).
Retrieving private information from a personal device is unlawful under Article 316 of the Criminal Act. Also, infringement of another person's secret information processed through an information and communications network is not permitted (Article 49, Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc).
It is unlawful to censor any mail, wiretap any telecommunications, provide communication confirmation data, record or listen to any conversation between others that are not made public (Article 3(1), Protection of Communications Secrets Act). The term "communication confirmation data" means the data on the records of telecommunications falling under any one of the following (Article 2(11), Protection of Communications Secrets Act):
- The date of telecommunications by subscribers.
- The time that the telecommunications commence and end.
- The communications number of the outgoing and incoming call, and the subscriber number of the other party.
- The frequency of use.
- The computer communications or internet log records relating to facts that the users of computer communications or the internet have used the telecommunications services.
- The data on tracing a location of information communications apparatus connecting to the information communications networks.
- The data on tracing a location of connectors capable of confirming the location of information communications apparatus to be used by the users of computer communications or internet for connecting with the information communications networks.
As a result, an employer must obtain individual consent before retrieving the contents of an email or checking
internet use.
41. Are all the reasons listed in Standard document, IT and communications systems policy: International: clause 8.3 permissible?
None of these reasons will be permissible without obtaining individual consent (see Question 38).
42. Specifically, if the retrieved emails or internet usage check is to assist in an investigation of wrongdoing as set out in Standard document, IT and communications systems policy: International: clause 8.3(c), please comment on the situation where the retrieved emails or internet use information will be used in an investigation:
- Relating to the employee in question.
- Relating to another employee.
Retrieved emails /internet usage relate to the employee
Even if the employee is suspected to have committed any wrongdoing, individual consent is required.
Retrieved emails /internet usage relate to another employee
Retrieving emails and internet usage related to another employee also requires the employee's individual consent.
43. Can the employer pass any information found during monitoring to the following parties (see Standard document, IT and communications systems policy: International: clause 9.2):
- Internal managers and staff?
- External parties to conduct an independent enquiry or investigation?
- The police for their criminal investigation into an employee?
- If so, what legal requirements does the employer have to comply with for such disclosures?
Transfers internally
If employee consent was obtained for the initial investigation, consent is not required for internal transfers.
Transfers externally for an independent investigation
Because the information investigator is external, separate consent is required (Article 15, Personal Information Protection Act).
Transfers to the police for criminal investigation
Information may be transferred without further employee consent when the police require it through a warrant (Article 215, Criminal Procedure Act). When the police do not have a warrant, then they also need individual consent from the employee.
Execution and other formalities
44. Are there any formalities or language requirements that must be adhered to in relation to the creation or execution of Standard document, IT and communications systems policy: International?
Formalities
There are no specific formalities required by law.
Language requirements
There are no language requirements. However, it is advisable to have a Korean version so that employees can understand the policy better and avoid contravening the policy (there is no case law on this area yet, but providing a Korean version will ensure that the employee cannot argue that their breach was due to not understanding the policy).
45. Under what circumstances is consultation with or approval of a works council or trade union required for the IT and communications systems policy to be effective in your jurisdiction (as set out in Standard document, IT and communications systems policy: International: clause 1.4)?
When an employer wants to change the IT and communications policy, the employer must hear the opinion of a trade union (if there one) composed of the majority of the employees in the business or workplace concerned or otherwise hear the opinion of the majority of the employees if there is no such trade union composed of the majority of the employees (see Question 17).
However, where the proposed amendment is disadvantageous to employees, the employer must obtain their consent.
(Article 94(1), Labour Standards Act.)
Standard document, IT and communications systems policy: International: clause 1.4 should be amended to read as follows:
"[This policy has been [agreed OR implemented following consultation] with the [[TRADE UNION] OR [majority of the employees in the business or workplace]].]"
General
46. Are any of the parts of Standard document, IT and communications systems policy: International not legally valid and enforceable or not standard practice in your jurisdiction?
As discussed throughout, disciplinary action is permissible when the breach is listed as a disciplinary cause in the rules of employment, but a breach will not constitute reasonable grounds for dismissal unless it constitutes serious misconduct or causes the employer serious loss.
Monitoring the content of personal communications or online accounts could be in breach of the Personal Information Protection Law if they contain any personal data; as a result, the employer will need to obtain individual consent to the monitoring.
47. Are there any other standard clauses that would be usual to see in an IT and communications systems policy such as Standard document, IT and communications systems policy: International and/or that are standard practice to include in your jurisdiction?
No. Standard document, IT and communications systems policy: International contains most of the provisions that IT and communications policies usually have in South Korea.
KOREA LEGAL INSIGHT
Implications to PEFs of Supreme Court Ruling on “Good Faith” Cooperation in Shareholder Exit Processes
2021.07.19
