b. A current examination of establishment of: a system for granting
marks to enterprises instituting appropriate protection of personal
data; a consumer consultation service for general complaints or
inquiries related to the protection of personal data; and a supervising
system to study measures of enterprises concerning the protection
of personal data and to push for improvements at enterprises providing
inadequate protection.
c. The formulation by the ECOM of guidelines on the handling of
personal data collected by electronic malls and other means, to
be published in late Spring 1997.
d. Cooperation and coordination among related government ministries
and agencies, such as the Ministry of Finance, Ministry of Social
Welfare, and Ministry of Labor, in the development of policies
for the protection of personal data.
GUIDELINES CONCERNING THE PROTECTION OF COMPUTER PROCESSED
PERSONAL DATA IN THE PRIVATE SECTOR
Chapter 1. Purpose of Guidelines
Article 1. Purpose
The purpose of these guidelines is to protect adequately personal
data handled by enterprises in the private sector. These guidelines
help business organizations to establish guidelines for each industry
sector according to the status of the operations of member enterprises,
with a view to supporting and promoting the enterprises' establishment
of a compliance program aimed at protecting personal data according
to the activities of enterprises.
Chapter 2. Definitions
Article 2. Definitions
For the purposes of these guidelines, the meaning of the terms
set forth in the following subparagraphs shall be provided for
in the said subparagraphs.
(1) The term "personal data" means data which relate
to an individual, and ones that the individual can be identified
from name, date of birth or other descriptions or from number,
symbol, other mark, image or sound assigned to the individual
contained in the data (including data that the individual can
not be identified only from the data, but be identified by easily
collating with other data). They exclude, however, such data concerning
directors of a corporation or other organization as contained
in the data recorded with regard to the corporation or other organization.
(2) The term "manager" means a person designated by
the representative of enterprises who has authority to determine
the purpose, method, etc. of collection, use and disclosure of
personal data.
(3) The term "recipient" means a person or an enterprise
that personal data are disclosed to.
(4) The term "consent of data subject" means the declaration
of intent, by the data subject, to give consent to the handling
of personal data concerning him through an explicit response given
through a signed and sealed statement or oral agreement. However,
in the case of actions including transactions, applications, subscriptions,
etc. not associated with contract procedures through the issue
of documents, etc. this shall include the tacit declaration of
intent, in which opposition is not expressed, given in the procedures
associated with the actions.
Chapter 3. Scope of Application of Guidelines
Article 3. Personal Data to which Guidelines Apply
These guidelines shall apply to personal data processed, either
wholly or in part, using electronic computers, optical information
processing devices or other automatic processing systems within
enterprises, including personal data processed in document form
for the purpose of processing by an automatic processing system.
This shall not apply, however, to personal data collected by an
individual for personal uses.
Article 4. Extension of Guidelines
Provisions to these guidelines may be added or revised according
to the activities of the industry sector or enterprises in so
far as these additions or revisions are in line with the purpose
of adequately protecting personal data.
Chapter 4. Measures Concerning Collection of Personal Data
Article 5. Limitation on Collection of Personal Data
The collection of personal data shall specify clearly the purpose
of the collection within the limit of legitimate business of enterprises
and shall be conducted to the extent necessary to achieve the
purpose.
Article 6. Limitation on Methods of Collection
The collection of personal data shall be conducted by lawful and
fair means.
Article 7. Prohibition against Collection of Specific Personal
Data of a Delicate Nature
Personal data which include the following types of data shall
not be collected, used or disclosed. This shall not apply, however,
in the case where the data subject has given explicit consent
to the collection, use or disclosure of the data, or where there
are special provisions in laws, or where it is necessary for
judicial procedures to collect, use or disclose the data.
(1) Race or ethnicity
(2) Family origin or legal domicile (not including data relating
to prefectures of current residence)
(3) Religion (including ideology and beliefs), political opinions
or trade-union membership
(4) Health, medical treatment or sex life
Article 8. Measures for Collection of Personal Data Directly from
Data Subject
When personal data are collected directly from the data subject,
the consent of the data subject concerning the collection, use
and disclosure of the personal data shall be obtained through
written notification of at least the information given below,
or of equivalent information. This shall not apply, however, in
the case where it is clear that the data subject has been notified
in writing of the information given below, or where personal data
are collected from data made public by the data subject to a large
number of unspecified persons.
(1) The name or title, department and telephone number or address,
etc. of the manager or his agent concerned with personal data
within enterprises.
(2) Purpose of the collection and the use of personal data.
(3) If there is a plan to disclose personal data, the purpose
thereof, the recipient of the personal data or the type and character
of the recipient's organization, and whether or not a contract
has been concluded concerning the handling of personal data.
(4) The voluntariness of the data subject concerning provision
or non-provision of personal data and the consequences of not providing
personal data.
(5) The existence of the right to request access to personal data
and the right to request correction or deletion thereof if the
personal data are found to be erroneous following the access,
and the specific method by which the right is to be exercised.
Article 9. Measures for Indirect Collection of Personal Data Other
than from Data Subject
When personal data are collected indirectly from a source other
than the data subject, the consent of the data subject concerning
the collection, use and disclosure of the personal data shall
be obtained through written notification of at least the information
given in (1) through (3) and (5) of the preceding Article. This
shall not apply, however, in the case given in (1) through (4)
below.
(1) If personal data are collected from enterprises that have
obtained the data subject's consent to disclose the personal data
in accordance with (3) of the preceding Article when the personal
data were collected from the data subject
(2) If personal data are collected and disclosed from enterprises
with a guarantee that personal data are handled in a manner equivalent
to that of the enterprises through conclusion of a contract stipulating
the obligation to maintain confidentiality, the prohibition against
re-disclosure and the assignment of responsibility when accidents
occur in respect of personal data disclosed.
(3) If it is clear that the data subject has been notified of
the information given in (1) through (5) of the preceding Article,
and if personal data are collected from data made public by the
data subject to a large number of unspecified persons.
(4) If personal data are collected in the case where it is not
likely to infringe on the interests of the data subject worthy
of protection within the limit of legitimate business of enterprises.
Chapter 5. Measures Concerning Use of Personal Data
Article 10. Limitation on Use of Personal Data
The use of personal data shall, in principle, be limited within
the scope of the purpose of the collection.
Article 11. Measures for Use of Personal Data within the Scope
of the Purpose
The use of personal data within the scope of the purpose of the
collection shall be done solely in the case given in (1) through
(6) below.
(1) If the data subject has given consent.
(2) If the use is necessary to permit the data subject to prepare
for or to perform a contract to which he is a party.
(3) If the use is necessary for compliance with legal obligations
to which enterprises are subject.
(4) If the use is necessary in order to protect the vital interests
of the data subject including life, health, property, etc.
(5) If the use is necessary for protecting the public interest
or for exercising authority under laws by enterprises or a third
party that personal data are disclosed to.
(6) If the use is necessary for the legitimate interests of enterprises,
or a third party or other parties that the personal data are disclosed
to, in so far as the interests of the data subject are not infringed.
Article 12. Measures for Use of Personal Data beyond the Scope
of the Purpose
When the use of personal data exceeds the scope of the purpose
of the collection, or when the use of personal data is done in
the cases other than any of the cases given in (1) through (6)
of the preceding Article, it shall be carried out with the prior
acknowledgment of the data subject secured by obtaining the prior
consent of the data subject or by giving the data subject an opportunity
to refuse prior to use, through written notification of at least
the information given in (1) through (3) and (5) of Article 8.
Chapter 6. Measures Concerning Disclosure of Personal Data
Article 13. Limitation on Disclosure of Personal Data
The disclosure of personal data shall, in principle, be limited
within the scope of the purpose of the collection.
Article 14. Measures for Disclosure of Personal Data within the
Scope of the Purpose
The disclosure of personal data within the scope of the purpose
of the collection shall be carried out with the prior acknowledgment
of the data subject secured by obtaining the prior consent of
the data subject or by giving the data subject an opportunity
to refuse prior to disclosure, through written notification of
at least the information given in (1) through (3) and (5) of Article
8. This shall not apply, however, in the case given in (1) through
(4) below.
(1) If personal data are disclosed to the recipient that the data
subject has given consent to disclose the personal data to in
accordance with (3) of Article 8 when the personal data were collected
from the data subject.
(2) If personal data are disclosed to the recipient with a guarantee
that personal data are handled in a manner equivalent to that
of enterprises that disclose the personal data through conclusion
of a contract stipulating the obligation to maintain confidentiality,
the prohibition against re-disclosure and the assignment of responsibility
when accidents occur in respect of personal data disclosed.
(3) If it is clear that the recipient is to take measures to obtain
the data subject's consent through notification of the information
given in (1) through (5) of Article 8 concerning the personal data.
(4) If personal data are disclosed in the case where it is not
likely to infringe on the interests of the data subject worthy
of protection within the limit of legitimate business of enterprises.
Article 15. Measures for Disclosure of Personal Data beyond the
Scope of the Purpose
When the disclosure of personal data exceeds the scope of the
purpose of the collection, or when the disclosure of personal
data is done in cases other than any of the cases given in (1)
through (4) of the preceding Article, the consent of the data
subject shall be obtained through written notification of at least
the information corresponding to (1) through (3) and (5) of Article
8 concerning the recipient of the personal data. In such cases,
"enterprises" given in (1) of Article 8 shall be amended
to read "recipient", and "disclose" given
in (3) of Article 8 shall be amended to read "re-disclose".
This shall not apply, however, in the case where it is clear that
the data subject has been notified of the information and has
given blanket consent.
Chapter 7. Obligation to Manage Personal Data Properly
Article 16. Ensuring the Accuracy of Personal Data
Personal data shall be kept accurate and up-to-date to the extent
necessary for the purpose of the use.
Article 17. Ensuring Security in Use of Personal Data
Reasonable security measures shall be taken through both technical
and organizational means against such risks as unauthorized access
to personal data or as loss, destruction, alteration, leakage,
etc. of personal data.
Article 18. Obligation of Employees to Maintain Confidentiality
of Personal Data
Persons within enterprises engaged in the collection, use and
disclosure of personal data shall perform, using sufficient care,
the obligation to maintain the confidentiality of personal data
in accordance with the provisions of laws, or regulations and
instructions specified by the manager of the enterprises.
Article 19. Measures Concerning Entrustment of Personal Data
In the case where enterprises entrust personal data to an outside
enterprise, they shall select one that can handle the personal
data at a sufficient level of protection, and shall guarantee,
through conclusion of a contract or other legal measure, that
the instructions of the manager of the enterprises are observed,
that the confidentiality of personal data is maintained, that
the redisclosure of personal data is prohibited, and that responsibility
when accidents occur is assigned, and shall maintain the contract,
etc. as written documents or magnetically-stored records for the
period that the personal data are managed by the outside enterprise.
Chapter 8. Rights of Data Subject Concerning Data Regarding
Self
Article 20. Rights Concerning Own Personal Data
Requests for access to personal data by the data subject
shall, in principle, be accepted within a reasonable period of
time. If the personal data are found to be erroneous following
the access, requests for correction or deletion of the personal
data shall, in principle, be accepted within a reasonable period
of time. In such cases, recipients of the personal data shall
be notified to the extent possible.
Article 21. Right to Refuse Use or Disclosure of Own Personal
Data
Refusals of the use or the disclosure, by the data subject, of
personal data managed by enterprises shall be accepted. This shall
not apply, however, in the case where the use or the disclosure
is necessary for protecting the public interest, or for exercising
authority or performing obligations under laws by the enterprises
or a third party that the personal data are disclosed to.
Chapter 9. Organization and Implementation Accountability
Article 22. Designation of Manager by the Representative
The representative of enterprises shall designate from within
the enterprises a person who understands the contents of these
guidelines and has the capacity to put them into practice, and
shall cause the person to function as the manager of personal
data.
Article 23. Duties of Manager
The manager of personal data within enterprises shall understand
and observe the provisions of these guidelines, and shall accept
responsibility for causing employees to understand and observe
these guidelines by providing training, establishing internal
regulations, implementing security measures, establishing a compliance
program and taking measures to ensure that the program is made
known to everyone.
Chapter 10. Other Provisions
Article 24. Notification when Magnetically-Stored Records are
Transmitted and Received Using Communication Networks
In the case where magnetically-stored
records are transmitted and received using a communication network,
enterprises that collect personal data concerning the sender or
receiver of the records using a communication network can notify
the data subject, who is the sender or receiver, through transmission
of magnetically-stored records rather than through written notification
of the data subject, as provided for in Article 8, Article 9,
Article 12, Article 14, and Article 15 of these guidelines.