Summary Report on the Enforcement Status of Act on the Protection of Personal Information in FY 2005 (Japan) [2006] PrivLRes 10 (1 June 2006)

Summary Report on the Enforcement Status of Act on the Protection of Personal Information in FY 2005

(Tentative Translation)

June, 2006

Cabinet Office

Section 1 The Enforcement Status Concerning Protection of Personal Information by the State

1. The Status of Review of Guidelines Established for Each Business Field (under Article 8 of the Act)

At the present time, there are a total of 33 guidelines regarding 21 business fields established by ministries and agencies with jurisdiction over the business. Among these, guidelines reviewed in FY 2005 are as follows:

Table 1 Guidelines Reviewed in FY 2005

| Business Fields | Ministries and Agencies | Title of the Guideline | Date of Review |
|---|---|---|---|
| Telecommunications | Ministry of Internal Affairs and Communications | Guideline on the Protection of Personal Information in the Telecommunications Business | October 17, 2005 (public notice) |
| Credit management and collection | Ministry of Justice | Guideline for the Protection of Personal Information in the field of credit management and collection | January 11, 2006 (notice) |

2. Status of Exercise of Authority by the Competent Ministers (under Articles 32 to 34 of the Act)

In FY 2005, the competent ministers carried out guidance and supervision for entities, which included 1 case of recommendation and 50 cases of collection of reports based on the Act on the Protection of Personal Information (hereinafter referred to as “the Act”):

Table 2 The Status of Exercise of Authorities by the Competent Ministers (FY 2005)

| Competent Minister | Type of Authority Exercised | Relevant Article |
|---|---|---|
| President of the Financial Services Agency (Note 1) | Collection of reports: 2 cases; Recommendation: 1 case | Article 20 (Security Control Measures): 3 cases; Article 21 (Supervision of Employees): 3 cases |
| Minister of Internal Affairs and Communications | Collection of reports: 48 cases | Article 21 (Supervision of Employees): 22 cases; Article 22 (Supervision of Trustees): 26 cases |
| Minister of Health, Labor and Welfare | Collection of reports: 1 case | Article 20 (Security Control Measures): 1 case; Article 21 (Supervision of Employees): 1 case |
| Total (Note 2) | Collection of reports: 50 cases in total; Recommendation: 1 case in total | Article 20: 3 cases in total; Article 21: 25 cases in total; Article 22: 26 cases in total |

(Note): 1. Under Article 52 of the Act and Article 12 of Cabinet Order of the Act, the Prime Minister delegates authority to the President of the FSA.

2. The total number of cases excludes overlapping cases arising from co-jurisdiction.

3. Status of Authorization for Authorized Personal Information Protection Organizations (under Article 37 of the Act)

As of the end of FY 2005, there are a total of 30 authorized personal information protection organizations with competent ministers’ authorization based on Article 37 of the Act.

Table 3 The Status of Authorization by Ministries and Agencies for Authorized Personal Information Protection Organizations (FY 2005)

| Ministries and Agencies | Number of Authorized Organizations |
|---|---|
| Ministry of Economy, Trade and Industry | 14 |
| Financial Services Agency | 8 |
| Ministry of Health, Welfare and Labor | 7 |
| Ministry of Internal Affairs and Communications | 3 |
| Ministry of Land, Infrastructure and Transport | 2 |
| Total | 30 |

(Note): The total number of authorized organizations excludes overlapping cases arising from co-jurisdiction.

4. Others

(1) Arrangements Made by Inter-ministerial Task Force for Personal Information Protection (February 28, 2006)

On February 28, 2006, a meeting of the Inter-ministerial Task Force for Personal Information Protection was held. Arrangements were made on the smooth promotion of protection of personal information with the aim of protecting individual rights and interests while taking into consideration the usefulness of personal information.

(2) Discussions at the Quality-of-Life Policy Council

The “Basic Policy on the Protection of Personal Information” requires that:

(i) The Cabinet Office should review the enforcement status of the Act approximately 3 years after the full enforcement of the Act, and take necessary measures based upon the results of such review; and,

(ii) To this end, the Quality-of-Life Policy Council should follow up the enforcement status of the Act.

In line with these requirements, the Quality-of-Life Policy Council is conducting an evaluation of the enforcement status of the Act and considering a review of the personal information protection system, based upon extensive hearing of opinions from entities, private associations, and related ministries and agencies.

Section 2 The Status of the Efforts Made by Entities Concerning the Protection of Personal Information

1. The Status of Handling of Complaints Regarding the Protection of Personal Information (under Articles 9 and 13 of the Act)

(1) General Status

In FY 2005, a total of 14,028 complaints regarding the protection of personal information (on a registration basis as of May 31, 2006) were filed with local public bodies and the National Consumer Affairs Center of Japan, 81.1% of which were received by local consumer centers.

Table 4 Complaints Filed as Viewed by Receiving Organizations (FY 2005)

| Receiving Organization | Number of Complaints | Percentage of Total |
|---|---|---|
| Local Public Bodies: Local Consumer Centers | 11,382 | 81.1% |
| Local Public Bodies: Others | 1,298 | 9.3% |
| National Consumer Affairs Center of Japan | 1,348 | 9.6% |
| Total | 14,028 | 100.0% |

(Note) 1: The term “local consumer centers” as used in the table refers to local consumer centers with PIO-NET installed therein.

2: The term “others” as used in the table refers to departments and agencies holding jurisdiction over ordinance on the protection of personal information, etc.

(2) Status by Business Fields

Of the total complaints filed, 4,046 (or 28.8% of the total) concern the business fields in which proper handling of personal information is specifically required, including medical care, finance and credit, and information and communications businesses, while 5,375 (or 38.3% of the total) concern other business fields.

Table 5 Complaints Filed as Viewed by Business Fields (FY 2005)

| Business Fields | Number of Complaints Filed | Percentage of Total |
|---|---|---|
| Individual business fields in which proper handling of personal information is specifically required | 4,046 | 28.8% |
| - Medical Care | 342 | 2.4% |
| - Finance and Credit | 1,734 | 12.4% |
| - Information and Communications | 1,970 | 14.0% |
| Other Business Fields | 5,375 | 38.3% |
| Unknown | 4,767 | 34.0% |
| Total (excluding overlapping cases) | 14,028 | 100.0% |

(3) The Status of the Content of Consultations Filed

In terms of the content of consultations, 6,691 cases (47.7% of the total), the largest proportion of the total number of complaints filed, relate to fraudulent or other dishonest acquisition of personal information; 3,434 cases (24.5% of the total), the second-largest proportion, relate to leakage or loss of data; and 2,194 cases (15.6% of the total) relate to provision to third parties without the person’s consent.

Table 6 Breakdown of Complaints by Content (FY 2005)

| Content of Consultations | Number of Complaints Filed | Percentage of Total |
|---|---|---|
| Fraudulent or other dishonest acquisition | 6,691 | 47.7% |
| Leakage or loss of data | 3,434 | 24.5% |
| Provision to third parties without the person’s consent | 2,194 | 15.6% |
| Handling of personal information beyond the purpose of use specified | 1,702 | 12.1% |
| Disclosure and related issues | 886 | 6.3% |
| Handling of complaints, etc. | 718 | 5.1% |
| Data error | 266 | 1.9% |
| Supervision of trustees, etc. | 205 | 1.5% |
| Violation of the opt-out rule | 98 | 0.7% |
| Others | 2,077 | 14.8% |
| Total (excluding overlapping cases) | 14,028 | 100.0% |

(4) The Status of Result Concerning Handling of Complaint

The results of handling of complaints mainly comprised 10,607 cases (75.6% of the total) of guidance and advice, followed by 2,316 cases (16.5% of the total) of other types of information provision, 489 cases (3.5% of the total) of introduction of other appropriate institutions, and 374 cases (2.7% of the total) of successful mediation.

Table 7 Status of Result of Handling Complaint (FY 2005)

| Result of Handling Complaints | Number of Complaints | Percentage of Total |
|---|---|---|
| Guidance and advice | 10,607 | 75.6% |
| Other types of information provision | 2,316 | 16.5% |
| Introducing other appropriate institutions | 489 | 3.5% |
| Successfully mediated | 374 | 2.7% |
| Unsuccessfully mediated | 25 | 0.2% |
| Impossible to handle | 80 | 0.6% |
| Unnecessary to handle | 137 | 1.0% |
| Unknown | 0 | 0% |
| Total (excluding overlapping cases) | 14,028 | 100.0% |

(Note) 1: The term “guidance and advice” as used in the table refers to a method of handling in which advice is given to the complainant as a method for independently solving a problem that could be solved through independent negotiations between concerned parties.

2: The term “other types of information provision” as used in the table refers to handling results other than mediation that do not fall under “guidance and advice.”

2. The Status of Cases Concerning Leakage of Personal Information from Entities

(1) General Status

The “Basic Policy on the Protection of Personal Information” (Cabinet decision on April 2, 2004) states that, in case of leakage of personal information, it is important that the concerned entity should make public the fact of the cases as far as possible in order to prevent secondary damage and avoid occurrence of similar cases.

In line with this principle, a total of 1,556 cases concerning leakage of personal information were reported by entities in FY 2005.[*]

(2) Scale of Leakage and Type of Leaked Information

(i) Concerning the number of persons allegedly affected by the leakage (hereinafter referred to as “the number of leakage-affected persons”), many cases were relatively small in scale, which is represented by the fact that cases of 500 persons or less account for 71.6% of the total cases.

Table 8 The Number of Leakage-affected Persons (FY 2005)

| Number of Leakage-affected Persons | Number of Cases (Fiscal 2005) | Percentage of Total (Fiscal 2005) |
|---|---|---|
| 500 or less | 1,114 | 71.6% |
| 501 to 5,000 | 220 | 14.1% |
| 5,001 to 50,000 | 167 | 10.7% |
| 50,001 or more | 37 | 2.4% |
| Unknown | 18 | 1.2% |
| Total | 1,556 | 100.0% |

(Note) The term “Percentage of Total” as used in the Table refers to the percentage of a total of 1,556 cases concerning leakage.

(ii) In terms of types of leaked information, which include customer information, employee information, and other information, cases of leakage of customer information account for 98.4% of the total cases.

The content of leaked information is divided into name, date of birth, gender, and postal address (hereinafter collectively referred to as “basic information”) and other information (hereinafter referred to as “additional information”). Cases of leakage exclusively consisting of basic information account for 7.2% of the total cases of leakage, and most cases involve leakage of additional information such as telephone number, bank account number, e-mail address, and credit card number.

Table 9 Types of Leaked Information (FY 2005)

| Types of Leaked Information | Number of Cases of Leakage | Exclusively Consisting of Basic Information |
|---|---|---|
| Customer Information | 1,531 (98.4%) | 112 (7.2%) |
| Employee Information | 51 (3.3%) | 3 (0.2%) |
| Other Information | 22 (1.4%) | 1 (0.1%) |
| Total (excluding overlapping cases) | 1,556 (100.0%) | 112 (7.2%) |

(Note) 1: The figures in parentheses are percentages of a total of 1,556 cases concerning leakage.

2: The figures under the title “Exclusively Consisting of Basic Information” in the Table represent the number of such cases out of the total number of cases concerning leakage, and the proportion of such cases out of a total of 1,556 cases, respectively.

(3) Protective Measure(s) such as Encryption against Leakage of Information

(i) Concerning whether or not leaked information has been provided with any protective measure, such as encryption against leakage, cases of leakage with no protective measures provided account for more than half, 51.7% of the total cases.

(ii) In contrast, cases of leakage of information with any protective measure provided, including a limited one, account for 11.8% of the total cases.

Table 10 Protective Measures such as Encryption (FY 2005)

| With or Without Protective Measures | Number of Cases |
|---|---|
| With protective measures | 105 (11.8%) |
| With limited protective measures | 17 (1.9%) |
| Without protective measures | 459 (51.7%) |
| Unknown | 323 (36.4%) |
| Total (excluding overlapping cases) | 887 (100.0%) |

(Note) 1: The figures in parentheses are percentages of a total of 887 cases of leakage. (The total number of cases in this Table differs from that under other items because some ministries and agencies only covered the latter half of FY 2005 in their counting.)

2: The term “Protective Measure(s) such as Encryption” as used in this Table refers to measure(s) taken to protect information, including encryption and restriction of access for lost PC(s) through passwords.

(4) Source(s) of Leakage, and Leaker(s)

(i) In terms of the source(s) of leakage, cases of direct leakage from “entities” account for 76.2%, and cases of leakage from “trustees” 23.0% of the total cases.

(ii) In terms of the person(s) actually involved in the leakage (hereinafter referred to as “the Leaker(s)”) in “entities” and “trustees,” cases in which the Leakers were “employees” account for 78.7% of the total cases.

(iii) In terms of the cause(s) for leakage, where “entities” were the source of leakage, 10 cases were caused “intentionally” and 1,184 cases “by negligence”; most cases are thus attributable to “negligence.”

For “third parties” as the source of leakage, most of the cases of leakage (235 cases) were caused “intentionally.”

Table 11 Source(s) of Leakage, and Leaker(s) (FY 2005)

(Note) The figures in parentheses represent proportions of a total of 1,556 cases of leakage.

(5) The Status of Remedial Measure(s) Taken after Leakage

(i) In terms of remedial measure(s) taken after leakage, 96.5% of entities concerned have taken some form of security control measure(s).

(ii) The breakdown of such security control measures indicates that 93.0% of entities concerned have taken organizational measure(s) such as provision of educational and training programs.

Table 12 Remedial Measure(s) Taken after Leakage (FY 2005)

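| Period Covered | Total | Remedial Measures Taken by Entities | Security Control Measure(s) | Security Control Measure(s): Organizational | Security Control Measure(s): Technical | Other Measures | No remedial measure taken | Unknown |
|---|---|---|---|---|---|---|---|---|
| FY2005 | 1,556 (100.0%) | 1,553 (99.8%) | 1,501 (96.5%) | 1,447 (93.0%) | 180 (11.6%) | 1,497 (96.2%) | 2 (0.1%) | 1 (0.1%) |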

(Note) 1: “Organizational” Security Control Measure(s) in the Table refers to the creation of the post of Manager in charge of Security Control, the improvement of internal rules, the implementation of education and training program(s), the carrying out of audit(s), etc.
“Technical” Security Control Measure(s) in the Table refers to the formulation of firewalls, the introduction of leakage prevention software, and the monitoring of the status of access to personal data.
“Other Measures” refers to the transmission of apologetic letter(s), the establishment of windows to respond to complaints, the replacement of information card(s), etc.

2: Figures for “Security Control Measure(s)” and “Other Measures” involve multiple answers.

3: Figures in parentheses represent proportions of a total of 1,556 cases of leakage.

3. The Status of the Efforts Made by Authorized Personal Information Protection Organizations (under Articles 42 and 43 of the Act)

Authorized personal information protection organizations handled complaints and made the following efforts in relation to entities, including requests for explanations and documents, guidance, recommendations and other actions under Articles 42 and 43 of the Act:

Table 13 Efforts made by Authorized Personal Information Protection Organizations (FY 2005)

| Competent Ministries and Agencies | Handling of Complaints | Request for Explanations | Request for Documents | Guidance | Recommendations | Other Measures |
|---|---|---|---|---|---|---|
| Financial Services Agency | 237 | 55 | 1 | 135 | 1 | 0 |
| Ministry of Internal Affairs and Communications | 114 | 59 | 0 | 0 | 0 | 2 |
| Ministry of Health, Welfare and Labor | 0 | 0 | 0 | 0 | 0 | 0 |
| Ministry of Economy, Trade and Industry | 107 | 54 | 0 | 2 | 0 | 0 |
| Ministry of Land, Infrastructure and Transport | 0 | 0 | 0 | 0 | 0 | 2 |
| Total (excluding overlapping cases arising from co-jurisdiction) | 355 | 118 | 1 | 137 | 1 | 4 |

(Source) Reports from relevant ministries and agencies

Section 3 The Enforcement Status Concerning Protection of Personal Information by Local Public Bodies

Article 11 of the Act prescribes that local public bodies shall endeavor to take necessary measures to ensure the proper handling of personal information they hold in consideration of the nature of the personal information, etc.

Handling of personal information held by local public bodies is historically governed by ordinance. Regarding the status of the establishment of ordinance on the protection of personal information by local public bodies, all of the prefectures (47 bodies in total) and the municipalities (1,843 bodies in total) have established such ordinances as of April 1, 2006.


[*] The figures noted above include cases of “loss” or “damage,” in addition to those of “leakage.”


URL: http://www.worldlii.org/int/other/PrivLRes/2006/10.html