Protection of Personal Data and Privacy
1. Policy Objectives and Principles
In recent years, the rapid technological advances and increasingly large number of users of open networks like the Internet have made possible the massive and high-speed processing of personal data by a variety of enterprises, at the same time increasing the danger of leakage, alteration, etc. of personal data. Under the present circumstances that there is the difference in public awareness and measures of enterprises concerning the protection of personal data, the legal imposition of uniform restrictions could impair the development of efficient commercial activities that meet the increasingly diversified and individualized needs of consumers. For this reason, MITI has set a goal of providing appropriate protection of personal data through the presentation of guidelines and a civil code of conduct conforming with those guidelines.
2. Present Actions
(1) Past Actions
a. "Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector" (Reported by the Sub-Committee on the Protection of Personal Data of the Informatization Committee, April 1989).
b. "Notification Relating to the Register System for the Measures on Personal Data Protection (Notification of MITI NO.348, July 7, 1989).
(2) Present Actions
a. Amendment of the guidelines
The guidelines have been amended after soliciting and incorporating
opinions from Japan and abroad, and the final version has been
published in March 1997. The main contents of the amendment will
be as follows:
(i) Prohibition on the collection of personal data leading to
social discrimination.
(ii) Clarification of the conditions under which personal data
are collected, used, and disclosed.
(iii) Clarification of the right to request access to, correction
and deletion of personal data and methods by which that right
may be exercising.
(iv) Clarification of the proper management of personal data and
the implementation accountability.
c. The formulation by the ECOM of guidelines on the handling of personal data collected by electronic moles and other means, to be published in late Sring 1997.
d. Cooperation and coordination among related government ministries and agencies, such as the Ministry of Finance, Ministry of Social Welfare, and Ministry of Labor, in the development of policies for the protection of personal data.
GUIDELINES CONCERNING THE PROTECTION OF COMPUTER PROCESSED PERSONAL DATA IN THE PRIVATE SECTOR
Chapter 1. Purpose of Guidelines
Article 1. Purpose
The purpose of these guidelines is to protect adequately personal data handled by enterprises in the private sector. These guideines help business organizations to establish guidelines for each industry sector according to the status of the operations of member enterprises, with a view to supporting and promoting the enterprises' establishment of a compliance program aimed at protecting personal data according to the activities of enterprises.
Chapter 2. Definitions
Article 2. Definitions
For the purposes of these guidelines, the meaning of the terms set forth in the following subparagraphs shall be provided for in the said subparagraphs.
(1) The term "personal data" means data which relate to an individual, and ones that the individual can be identified from name, date of birth or other descriptions or from number, symbol, other mark, image or sound assigned to the individual contained in the data (including data that the individual can not be identified only from the data, but be identified by easily collating with other data). They exclude, however, such data concerning directors of a corporation or other organization as contained in the data recorded with regard to the corporaion or other organization.
(2) The term "manager" means a person designated by the representative of enterprises who has authority to determine the purpose, method, etc. of collection, use and disclosure of personal data.
(3) The term "recipient" means a person or an enterprise that personal data are disclosed to.
(4) The term "consent of data subject" means the declaration of intent, by the data subject, to give consent to the handling of personal data concerning him through an explicit response given through a signed and sealed statement or oral agreement. However, in the case of actions including transactions, applications, subscriptions, etc. not associated with contract procedures through the issue of documents, etc. this shall include the tacit declaration of intent, in which opposition is not expressed, given in the procedures associated with the actions.
Chapter 3. Scope of Application of Guidelines
Article 3. Personal Data to which Guidelines Apply
These guidelines shall apply to personal data processed, either wholly or in part, using electronic computers, optical information processing devices or other automatic processing systems within enterprises, including personal data processed in document form for the purpose of processing by an automatic processing system. This shall not apply, however, to personal data collected by an individual for personal uses.
Article 4. Extension of Guidelines
Provisions to these guidelines may be added or revised according to the activities of the industry sector or enterprises in so far as these additions or revisions are in line with the purpose of adequately protecting personal data.
Chapter 4. Measures Concerning Collection of Personal Data
Article 5. Limitation on Collection of Personal Data
The collection of personal data shall specify clearly the purpose of the collection within the limit of legitimate business of enterprises and shall be conducted to the extent necessary to achieve the purpose.
Article 6. Limitation on Methods of Collection
The collection of personal data shall be conducted by lawful and fair means.
Article 7. Prohibition against Collection of Specific Personal Data of a Delicate Nature
Personal data which include the following types of data shall not be collected, used or disclosed. This shall not apply, however, in the case where the data subject has given explicit consent to the collection, use or disclosure of the data, or where there are special provisions in laws, or where it is necessary for the judicial procedures to collect, use or disclosure the data.
(1) Race or ethnicity
(2) Family origin or legal domicile (not including data relating to prefectures of current residence)
(3) Religion (including ideology and beliefs), political opinions or trade-union membership
(4) Health, medical treatment or sex life
Article 8. Measures for Collection of Personal Data Directly from Data Subject
When personal data are collected directly from the data subject, the consent of the data subject concerning the collection, use and disclosure of the personal data shall be obtained through written notification of at least the information given below, or of equivalent information. This shall not apply, however, in the case where it is clear that the data subject has been notified in writing of the information given below, or where personal data are collected from data made public by the data subject to a large number of unspecified persons.
(1) The name or title, department and telephone number or address, etc. of the manager or his agent concerned with personal data within enterprises.
(2) Purpose of the collection and the use of personal data.
(3) If there is a plan to disclose personal data, the purpose thereof, the recipient of the personal data or the type and character of the recipient's organization, and whether or not a contract has been concluded concerning the handling of personal data.
(4) The voluntariness of the data subject conserning provision or non-provision of personal data and the result not to provide personal data.
(5) The existence of the right to request access to personal data and the right to request correction or deletion thereof if the personal data are found to be errorneous following the access, and the specific method by which the right is to be exercised.
Article 9. Measures for Indirect Collection of Personal Data Other than from Data Subject
When personal data are collected indirectly from a source other than the data subject, the consent of the data subject concerning the collection, use and disclosure of the personal data shall be obtained through written notification of at least the information given in (1) through (3) and (5) of the preceding Article. This shall not apply, however, in the case given in (1) through (4) below.
(1) If personal data are collected from enterprises that have obtained the data subject's consent to disclose the personal data in accordance with (3) of the preceding Article when the personal data were collected from the data subject
(2) If personal data are collected and disclosed from enterprises with a guarantee that personal data are handled in a manner equivalent to that of the enterprises through conclusion of a contract stipulating the obligation to maintain confidentiality, the prohibition against re-disclosure and the assignment of responsibility when accidents occur in respect of personal data disclosed.
(3) If it is clear that the data subject has been notified of the information given in (1) through (5) of the preceding Article, and if personal data are collected from data made public by the data subject to a large number of unspecified persons.
(4) If personal data are collected in the case where it is not likely to infringe on the interests of the data subject worthy of protection within the limit of legistmate business of enterprises.
Chapter 5. Measures Concerning Use of Personal Data
Article 10. Limitation on Use of Personal Data
The use of personal data shall, in principle, be limited within the scope of the purpose of the collection.
Article 11. Measures for Use of Personal Data within the Scope of the Purpose
The use of personal data within the scope of the purpose of the collection shall be done solely in the case given in (1) through (6) below.
(1) If the data subject has given consent.
(2) If the use is necessary to permit the data subject to prepare for or to perform a contract to which he is a party.
(3) If the use is necessary for compliance with legal obligations to which enterprises are subject.
(4) If the use is necessary in order to protect the vital interests of the data subject including life, health, property, etc.
(5) If the use is necessary for protecting the public interest or for exercising authority under laws by enterprises or a third party that personal data are disclosed to.
(6) If the use is necessary for the legitimate interests of enterprises, or a third party or other parties that the personal data are disclosed to, in so far as the interests of the data subject are not infringed.
Article 12. Measures for Use of Personal Data beyond the Scope of the Purpose
When the use of personal data exceeds the scope of the purpose of the collection, or when the use of personal data is done in the cases other than any of the cases given in (1) through (6) of the preceding Article, it shall be carried out with the prior acknowledgment of the data subject secured by obtaining the prior consent of the data subject or by giving the data subject an opportunity to refuse prior to use, through written notification of at least the information given in (1) through (3) and (5) of Article 8.
Chapter 6. Measures Concerning Disclosure of Personal Data
Article 13. Limitation on Disclosure of Personal Data
The disclosure of personal data shall, in principle, be limited within the scope of the purpose of the collection.
Article 14. Measures for Disclosure of Personal Data within the Scope of the Purpose
The disclosure of personal data within the scope of the purpose of the collection shall be carried out with the prior acknowledgment of the data subject secured by obtaining the prior consent of the data subject or by giving the data subject an opportunity to refuse prior to disclosure, through written notification of at least the information given in (1) through (3) and (5) of Article 8. This shall not apply, however, in the case given in (1) through (4) below.
(1) If personal data are disclosed to the recipient that the data subject has given consent to disclose the personal data to in accordance with (3) of Article 8 when the personal data were collected from the data subject.
(2) If personal data are disclosed to the recipient with a guarantee that personal data are handled in a manner equivalent to that of enterprises that disclose the personal data through conclusion of a contract stipulating the obligation to maintain confidentiality, the prohibition against re-disclosure and the assignment of responsibility when accidents occur in respect of personal data disclosed.
(3) If it is clear that the recipient is to take measures to obtain the data subject's consent through notification of the information given in (1) through
(5) of Article 8 concerning the personal data.
(4) If personal data are disclosed in the case where it is not likely to infringe on the interests of the data subject worthy of protection within the limit of legitimate business of enterprises.
Article 15. Measures for Disclosure of Personal Data beyond the Scope of the Purpose
When the disclosure of personal data exceeds the scope of the purpose of the collection, or when the disclosure of personal data is done in cases other than any of the cases given in (1) through (4) of the preceding Article, the consent of the data subject shall be obtained through written notification of at least the information corresponding to (1) through (3) and (5) of Article 8 concerning the recipient of the personal data. In such cases, "enterprises" given in (1) of Article 8 shall be amended to read "recipient", and "disclose" given in (3) of Article 8 shall be amended to read "re-disclose". This shall not apply, however, in the case where it is clear that the data subject has been notified of the information and has given blanket consent.
Chapter 7. Obligation to Manage Personal Data Properly
Article 16. Ensuring the Accuracy of Personal Data
Personal data shall be kept accurate and up-to-date to the extent necessary for the purpose of the use.
Article 17. Ensuring Security in Use of Personal Data
Reasonable security measures shall be taken through both technical and organizational means against such risks as unauthorized access to personal data or as loss, destruction, alteration, leakage, etc. of personal data.
Article 18. Obligation of Employees to Maintain Confidentiality of Personal Data
Persons within enterprises engaged in the collection, use and disclosure of personal data shall perform, using sufficient care, the obligation to maintain the confidentiality of personal data in accordance with the provisions of laws, or regulations and instructions specified by the manager of the enterprises.
Article 19. Measures Concerning Entrustment of Personal Data
In the case where enterprises entrust personal data to an outside enterprise, they shall select one that can handle the personal data at a sufficient level of protection, and shall guarantee, through conclusion of a contract or other legal measure, that the instructions of the manager of the enterprises are observed, that the confidentiality of personal data is maintained, that the redisclosure of personal data is prohibited, and that responsibility when accidents occur is assigned, and shall maintain the contract, etc. as written documents or magnetically-stored records for the period that the personal data are managed by the outside enterprise.
Chapter 8. Rights of Data Subject Concerning Data Regarding Self
Article 20. Rights Concerning Own Personal
Data Requests for access to personal data by the data subject shall, in principle, be accepted within a reasonable period of time. If the personal data is found to be errorneous folowing the access, requests for correction or deletion of the personal data shall, in principle, be accepted within a reasonable period of time. In such cases, recipients of the personal data shall be notified to the extent possible.
Article 21. Right to Refuse Use or Disclosure of Own Personal Data
Refusals of the use or the disclosure, by the data subject, of personal data managed by enterprises shall be accepted. This shall not apply, however, in the case where the use or the disclosure is necessary for protecting the public interest, or for exercising authority or performing obligations under laws by the enterprises or a third party that the personal data are disclosed to.
Chapter 9. Organization and Implementation Accountability
Article 22. Designation of Manager by the Representative
The representative of enterprises shall designate from within the enterprises a person who understands the contents of these guidelines and has the capacity to put them into practice, and shall cause the person to function as the manager of personal data.
Article 23. Duties of Manager
The manager of personal data within enterprises shall understand and observe the provisions of these guidelines, and shall accept responsibility for causing employees to understand and observe these guidelines by providing training, establishing internal regulations, implementing security measures, establishing a compliance program and taking measures to ensure that the program is made known to everyone.
Chapter 10. Other Provisions
Article 24. Notification when Magnetically-Stored Records are Transmitted and
Received Using Communication Networks In the case where magnetically-stored records are transmitted and received using a communication network, enterprises that collect personal data concerning the sender or receiver of the records using a communication network can notify the data subject, who is the sender or receiver, through transmission of magnetically-stored records rather than through written notification of the data subject, as provided for in Article 8, Article 9, Article 12, Article 14, and Article 15 of these guidelines.
