Naver / Newstapa Article: NCRC Loses External Hard Drive Containing Personal Data of Missing Children.

Posted to Paperslip on October 29th, 2025.
Originally Published in Korea: Oct. 28, 2025, 2:55 p.m.
Updated: Oct. 28, 2025, 4:38 p.m.
Translation via ChatGPT.
Thanks to a Paperslip Contributor for the link.
Please Note: What the article calls “The Korea Child Rights Agency” is NCRC (National Center for the Rights of the Child).

+

“Child Rights Agency (NCRC) Loses External Hard Drive Containing Personal Data of Missing Children

Published: Oct. 28, 2025, 2:55 p.m.
Updated: Oct. 28, 2025, 4:38 p.m.

The Korea Child Rights Agency, which last year was criticized during the National Assembly’s Health and Welfare Committee audit for poorly managing adoption records—such as scanning blank pages, ignoring digitalization guidelines, and failing to properly upload digitized data—has now been found to have mishandled records of missing children as well.

According to a Newstapa investigation, the agency lost an external hard drive in 2020 that contained digitized data of missing children’s record cards. In September last year, it asked the contractor in charge of the project to resend the hard drive. The drive contained personal information on more than 30,000 missing children. The fact that a private company had retained such sensitive data for over four years after the project ended has raised concerns over possible violations of the Personal Information Protection Act.

Whistleblower Report and Official Findings

In January this year, the Anti-Corruption and Civil Rights Commission received a corruption report related to the “Child Card Digitization Project.” According to the commission’s investigation, the agency admitted that it had “lost the external hard drive containing the 2020 project output and re-collected it from the contractor on September 30, 2024.” The commission’s report, reviewed by Newstapa, noted that “the 2020 project data remained with the contractor,” citing poor data security management.

Records Contained Key Information on Missing Children

The “Child Card Digitization Project” began in January 2018, when the agency (then the Central Adoption Agency) was designated as the nation’s Missing Children Center. The agency explained that it “took over missing child cards from ChildFund Korea and digitized them.” ChildFund Korea had managed the project from 2005 to 2017 under contract with the Ministry of Health and Welfare.

These “child cards” — also known as “admission cards” — contained information about missing children who had entered child welfare, disability, or psychiatric care facilities.
Newstapa obtained the agency’s 2020 Project Supervision Report, which highlighted data entry errors and included sample images of the cards. These samples revealed that the cards contained sensitive information such as the child’s name, gender, resident registration number, date and place of disappearance, and physical features.

Same Contractor Won Bids for Three Consecutive Years

Between 2019 and 2021, the agency divided the digitization work into three stages, contracting the same company (“Company A”) for all three. Although the “Child Card Digitization Project” was separate from the previously criticized “Adoption Records Digitization Project,” Company A handled both.

Company A’s tasks included scanning, correcting, and uploading card images, extracting key data, and building a database. The agency and the contractor categorized each record into 23 data fields—such as name, birth date, ID number, age, place of disappearance, and physical traits—referred to collectively as “metadata.”

In 2020, Company A scanned 61,389 pages from 182 binders and extracted 30,843 metadata entries over a two-month period (October–December 2020). A verification document dated December 14, 2020, confirmed that the final output was delivered as an external hard drive.

Lost Hard Drive Later “Recovered” — Still a Legal Violation

The agency admitted it had “re-received one external hard drive from the contractor around late September last year.” However, this implies the contractor still possessed personal data from 2020, violating the agency’s own security requirements, which mandated that all materials “must be completely destroyed or returned under the supervision of the agency’s information security officer at the end of the project.”

Prof. Kim Tae-hyun of Hankuk University of Foreign Studies said, “Private contractors cannot retain personal data after project completion. This is an unusual situation and could constitute a violation of the Personal Information Protection Act.”

Company A, however, denied wrongdoing, claiming, “We never received a request to return the hard drive, nor did we provide one last year,” and added that they “low-level format all computers after each project.” The company declined to provide further clarification.

Over 350 Million Won Spent — But Unclear How Data Is Used

Documents obtained by Newstapa show that the project cost 110 million won in 2020 and 143 million won in 2021. The 2019 budget could not be confirmed, but based on similar levels, total spending over three years likely exceeded 350 million won (about USD 250,000).

Asked where the digitized data is currently stored, the agency stated that it was entered into a separate database called the “Missing Child Operations System,” not the “ACMS” system used for adoption records.

However, when users click on the “Missing Child Operations System” link on the agency’s website, it leads to a “Search for Missing Children/Persons with Disabilities” page connected to the National Police Agency database—not the internal system in question. The agency explained that “the search page is linked to police data and is separate from the digitized child card database.”

Thus, the actual operation and existence of the “Missing Child Operations System” built from 2019–2021 cannot be confirmed through the agency’s website, raising questions about transparency and effectiveness.

Critics Question Agency’s Competence

The agency claimed that the project’s goal was to “digitize and store offline records to facilitate access to information for family reunification and other public services.”

But given the data mishandling and unclear use of the “Missing Child Operations System,” doubts remain about whether the project fulfills its intended purpose.

Jo Min-ho, director of the Child Rights Alliance, said, “I can’t trust the agency’s record management capabilities. Whether it’s child cards or adoption files, the entire digitization process should be redesigned and re-audited from the beginning.”

Reporter: Lee Myung-joo (silk@newstapa.org)
Source: Newstapa”