The 2020 revision of South Korea’s Personal Information Protection Act (PIPA) updated procedures for the use of medical data for research. The PIPA provision allowing “pseudonymized information” to be used without the consent of the data subject for scientific research introduced ambiguity regarding the applicability of the PIPA versus the Bioethics and Safety Act (BSA), which allows “anonymized information” to be used for research only after data-subject consent and institutional review board (IRB) approval for human-subject research are obtained. The main points requiring clarification include the distinction between “human-subject” and “scientific” research, the definition of anonymization and pseudonymization, the requirements for data-subject consent, and the procedures for IRBs and data review boards (DRBs). After reviewing the legal concepts and processes, this article recommends clarification of the guidelines for the use of medical data in research by distinguishing the concepts and, in the long run, categorizing medical data based on the degree of risk.