Summary Report on the Enforcement Status of
Act on the Protection of Personal Information in FY 2005
(Tentative Translation)
June, 2006
Cabinet Office
Section 1 The Enforcement Status Concerning Protection of Personal Information by the State
1. The Status of Review of Guidelines Established for Each Business Field (under Article 8 of the Act)
At the present time, there are a total of 33 guidelines regarding 21 business fields established by ministries and agencies with jurisdiction over the business. Among these, guidelines reviewed in FY 2005 are as follows:
Table 1 Guidelines Reviewed in FY 2005
Business Fields | Ministries and Agencies | Title of the Guideline | Date of Review
Telecommunications | Ministry of Internal Affairs and Communications | Guideline on the Protection of Personal Information in the Telecommunications Business | October 17, 2005 (public notice)
Credit management and collection | Ministry of Justice | Guideline for the Protection of Personal Information in the field of credit management and collection | January 11, 2006 (notice)
2. Status of Exercise of Authority by the Competent Ministers (under Articles 32 to 34 of the Act)
In FY 2005, the competent ministers carried out guidance and supervision for entities, which includes 1 case of recommendation and 50 cases of collection of reports based on the Act on the Protection of Personal Information (hereinafter referred to as “the Act”):
Table 2 The Status of Exercise of Authorities by the Competent Ministers (FY 2005)
Competent Minister | Type of Authority Exercised | Relevant Article
President of the Financial Services Agency (Note 1) | Collection of reports: 2 cases; Recommendation: 1 case | Article 20 (Security Control Measures): 3 cases; Article 21 (Supervision of Employees): 3 cases
Minister of Internal Affairs and Communications | Collection of reports: 48 cases | Article 21 (Supervision of Employees): 22 cases; Article 22 (Supervision of Trustees): 26 cases
Minister of Health, Labor and Welfare | Collection of reports: 1 case | Article 20 (Security Control Measures): 1 case; Article 21 (Supervision of Employees): 1 case
Total (Note 2) | Collection of reports: 50 cases in total; Recommendation: 1 case in total | Article 20: 3 cases in total; Article 21: 25 cases in total; Article 22: 26 cases in total
(Note): 1. Under Article 52 of the Act and Article 12 of Cabinet Order of the Act, the Prime Minister delegates authority to the President of the FSA.
2. The total number of cases excludes overlapping cases arising from co-jurisdiction.
3. Status of Authorization for Authorized Personal Information Protection Organizations (under Article 37 of the Act)
As of the end of FY 2005, there are a total of 30 authorized personal information protection organizations with competent ministers’ authorization based on Article 37 of the Act.
Table 3 The Status of Authorization by Ministries and Agencies for Authorized Personal Information Protection Organizations (FY 2005)
Ministries and Agencies | Number of Authorized Organizations
Ministry of Economy, Trade and Industry | 14
Financial Services Agency | 8
Ministry of Health, Welfare and Labor | 7
Ministry of Internal Affairs and Communications | 3
Ministry of Land, Infrastructure and Transport | 2
Total | 30
(Note): The total number of authorized organizations excludes overlapping cases arising from co-jurisdiction.
4. Others
(1) Arrangements Made by Inter-ministerial Task Force for Personal Information Protection (February 28, 2006)
On February 28, 2006, a meeting of the Inter-ministerial Task Force for Personal Information Protection was held. Arrangements were made for the smooth promotion of the protection of personal information, with the aim of protecting individual rights and interests while taking into consideration the usefulness of personal information.
(2) Discussions at the Quality-of-Life Policy Council
The “Basic Policy on the Protection of Personal Information” requires that:
(i) The Cabinet Office should review the enforcement status of the Act approximately 3 years after the full enforcement of the Act, and take necessary measures based upon the results of such review; and,
(ii) To this end, the Quality-of-Life Policy Council should follow up the enforcement status of the Act.
In line with these requirements, the Quality-of-Life Policy Council is conducting an evaluation of the enforcement status of the Act and considering a review of the personal information protection system, based upon extensive hearing of opinions from entities, private associations, and related ministries and agencies.
Section 2. The Status of the Efforts Made by Entities Concerning the Protection of Personal Information
1. The Status of Handling of Complaints Regarding the Protection of Personal Information (under Articles 9 and 13 of the Act)
(1) General Status
In FY 2005, a total of 14,028 complaints regarding the protection of personal information (on a registration basis as of May 31, 2006) were filed with local public bodies and the National Consumer Affairs Center of Japan, 81.1% of which were received by local consumer centers.
Table 4 Complaints Filed as Viewed by Receiving Organizations (FY 2005)
Receiving Organization | Number of Complaints | Percentage of Total
Local Public Bodies: Local Consumer Centers | 11,382 | 81.1%
Local Public Bodies: Others | 1,298 | 9.3%
National Consumer Affairs Center of Japan | 1,348 | 9.6%
Total | 14,028 | 100.0%
(Note) 1: The term “local consumer centers” as used in the table refers to local consumer centers with PIO-NET installed therein.
2: The term “others” as used in the table refers to departments and agencies holding jurisdiction over ordinance on the protection of personal information, etc.
(2) Status by Business Fields
Of the total complaints filed, 4,046 (or 28.8% of the total) cover the business fields in which proper handling of personal information is specifically required, including medical care, finance and credit, and information and communications businesses, while 5,375 (or 38.3% of the total) cover other business fields.
Table 5 Complaints Filed as Viewed by Business Fields (FY 2005)
Business Fields | Number of Complaints Filed | Percentage of Total
Individual business fields in which proper handling of personal information is specifically required | 4,046 | 28.8%
  Medical Care | 342 | 2.4%
  Finance and Credit | 1,734 | 12.4%
  Information and Communications | 1,970 | 14.0%
Other Business Fields | 5,375 | 38.3%
Unknown | 4,767 | 34.0%
Total (excluding overlapping cases) | 14,028 | 100.0%
(3) The Status of the Content of Consultations Filed
In terms of the content of consultations, 6,691 cases (47.7% of the total), which accounted for the largest proportion of the total number of complaints filed, relate to fraudulent or other dishonest acquisition of personal information; 3,434 cases (24.5% of the total), which accounted for the second-largest proportion, relate to leakage or loss of data; and 2,194 cases (15.6% of the total) relate to provision to third parties without the person’s consent.
Table 6 Breakdown of Complaints by Content (FY 2005)
Content of Consultations | Number of Complaints Filed | Percentage of Total
Fraudulent or other dishonest acquisition | 6,691 | 47.7%
Leakage or loss of data | 3,434 | 24.5%
Provision to third parties without the person’s consent | 2,194 | 15.6%
Handling of personal information beyond the purpose of use specified | 1,702 | 12.1%
Disclosure and related issues | 886 | 6.3%
Handling of complaints, etc. | 718 | 5.1%
Data error | 266 | 1.9%
Supervision of trustees, etc. | 205 | 1.5%
Violation of the opt-out rule | 98 | 0.7%
Others | 2,077 | 14.8%
Total (excluding overlapping cases) | 14,028 | 100.0%
(4) The Status of Result Concerning Handling of Complaint
The results of handling complaints mainly comprised 10,607 cases (75.6% of the total) of guidance and advice, followed by 2,316 cases (16.5% of the total) of other types of information provision, 489 cases (3.5% of the total) of introduction of other appropriate institutions, and 374 cases (2.7% of the total) of successful mediation.
Table 7 Status of Result of Handling Complaint (FY 2005)
Result of Handling Complaints | Number of Complaints | Percentage of Total
Guidance and advice | 10,607 | 75.6%
Other types of information provision | 2,316 | 16.5%
Introducing other appropriate institutions | 489 | 3.5%
Successfully mediated | 374 | 2.7%
Unsuccessfully mediated | 25 | 0.2%
Impossible to handle | 80 | 0.6%
Unnecessary to handle | 137 | 1.0%
Unknown | 0 | 0%
Total (excluding overlapping cases) | 14,028 | 100.0%
(Note) 1: The term “guidance and advice” as used in the table refers to a method of handling in which advice is given to the complainer as a method for independently solving a problem that could be solved through independent negotiations between concerned parties.
2: The term “other types of information provision” as used in the table refers to handling results other than mediation that do not fall under “guidance and advice.”
2. The Status of Cases Concerning Leakage of Personal Information from Entities
(1) General Status
The “Basic Policy on the Protection of Personal Information” (Cabinet decision on April 2, 2004) states that, in case of leakage of personal information, it is important that the concerned entity should make public the fact of the cases as far as possible in order to prevent secondary damage and avoid occurrence of similar cases.
In line with this principle, a total of 1,556 cases concerning leakage of personal information were reported by entities in FY 2005.[*]
(2) Scale of Leakage and Type of Leaked Information
(i) Concerning the number of persons allegedly affected by the leakage (hereinafter referred to as “the number of leakage-affected persons”), many cases were relatively small in scale, which is represented by the fact that cases of 500 persons or less account for 71.6% of the total cases.
Table 8 The Number of Leakage-affected Persons (FY 2005)
Number of Leakage-affected Persons | Number of Cases (Fiscal 2005) | Percentage of Total (Fiscal 2005)
500 or less | 1,114 | 71.6%
501 to 5,000 | 220 | 14.1%
5,001 to 50,000 | 167 | 10.7%
50,001 or more | 37 | 2.4%
Unknown | 18 | 1.2%
Total | 1,556 | 100.0%
(Note) The term “Percentage of Total” as used in the Table refers to the percentage of a total of 1,556 cases concerning leakage.
(ii) In terms of types of leaked information, which include customer information, employee information, and other information, cases of leakage of customer information account for 98.4% of the total cases.
In terms of the content of leaked information, which is divided into name, date of birth, gender, and postal address (hereinafter collectively referred to as “basic information”) and other information (hereinafter referred to as “additional information”), cases of leakage consisting exclusively of basic information account for 7.2% of the total cases of leakage, and most cases involve leakage of additional information such as telephone number, bank account number, e-mail address, and credit card number.
Table 9 Types of Leaked Information (FY 2005)
Types of Leaked Information | Number of Cases of Leakage | Exclusively Consisting of Basic Information
Customer Information | 1,531 (98.4%) | 112 (7.2%)
Employee Information | 51 (3.3%) | 3 (0.2%)
Other Information | 22 (1.4%) | 1 (0.1%)
Total (excluding overlapping cases) | 1,556 (100.0%) | 112 (7.2%)
(Note) 1: The figures in parentheses are percentages of a total of 1,556 cases concerning leakage.
2: The figures under the title “Exclusively Consisting of Basic Information” in the Table represent the number of such cases out of the total number of cases concerning leakage, and the proportion of such cases out of a total of 1,556 cases, respectively.
(3) Protective Measure(s) such as Encryption against Leakage of Information
(i) Concerning whether or not leaked information has been provided with any protective measure, such as encryption against leakage, cases of leakage with no protective measures provided account for more than half, 51.7% of the total cases.
(ii) In contrast, cases of leakage of information with any protective measure provided, including a limited one, account for 11.8% of the total cases.
Table 10 Protective Measures such as Encryption (FY 2005)
With or Without Protective Measures | Number of Cases
With protective measures | 105 (11.8%)
With limited protective measures | 17 (1.9%)
Without protective measures | 459 (51.7%)
Unknown | 323 (36.4%)
Total (excluding overlapping cases) | 887 (100.0%)
(Note) 1: The figures in parentheses are percentages of a total of 887 cases of leakage. (The total number of cases in this Table differs from that under other items because some ministries and agencies only covered the latter half of FY 2005 in their counting.)
2: The term “Protective Measure(s) such as Encryption” as used in this Table refers to measure(s) taken to protect information, including encryption and restriction of access for lost PC(s) through passwords.
(4) Source(s) of Leakage, and Leaker(s)
(i) In terms of the source(s) of leakage, cases of direct leakage from “entities” account for 76.2%, and cases of leakage from “trustees” 23.0% of the total cases.
(ii) In terms of the person(s) actually involved in the leakage (hereinafter referred to as “the Leaker(s)”) in “entities” and “trustees,” cases in which the Leakers were “employees” account for 78.7% of the total cases.
(iii) In terms of the cause(s) for leakage, 10 cases were caused “intentionally,” and 1,184 cases “by negligence,” thus most cases being attributable to “negligence,” as far as “entities” are concerned as the source of leakage.
For “third parties” as the source of leakage, most of the cases of leakage (235 cases) were caused “intentionally.”
Table 11 Source(s) of Leakage, and Leaker(s) (FY 2005)
(Note) The figures in parentheses represent proportions of a total of 1,556 cases of leakage.
(5) The Status of Remedial Measure(s) Taken after Leakage
(i) In terms of remedial measure(s) taken after leakage, 96.5% of entities concerned have taken some form of security control measure(s).
(ii) The breakdown of such security control measures indicates that 93.0% of entities concerned have taken organizational measure(s) such as provision of educational and training programs.
Table 12 Remedial Measure(s) Taken after Leakage (FY 2005)
Period Covered | Total | Remedial Measures Taken by Entities | Security Control Measure(s) | Security Control Measure(s): Organizational | Security Control Measure(s): Technical | Other Measures | No remedial measure taken | Unknown
FY2005 | 1,556 (100.0%) | 1,553 (99.8%) | 1,501 (96.5%) | 1,447 (93.0%) | 180 (11.6%) | 1,497 (96.2%) | 2 (0.1%) | 1 (0.1%)
(Note) 1: “Organizational” Security Control Measure(s) in the Table refers to the creation of the post of Manager in charge of Security Control, the improvement of internal rules, the implementation of education and training program(s), the carrying out of audit(s), etc.
“Technical” Security Control Measure(s) in the Table refers to the formulation of fire walls, the introduction of leakage prevention software, and the monitoring of the status of access to personal data.
“Other Measures” refers to the transmission of apologetic letter(s), the establishment of windows to respond to complaints, the replacement of information card(s), etc.
2: Figures for “Security Control Measure(s)” and “Other Measures” involve multiple answers.
3: Figures in parentheses represent proportions of a total of 1,556 cases of leakage.
3. The Status of the Efforts Made by Authorized Personal Information Protection Organizations (under Articles 42 and 43 of the Act)
Authorized personal information protection organizations handled complaints and made the following efforts in relation to entities, including requests for explanations and documents, guidance, recommendations and other actions under Articles 42 and 43 of the Act:
Table 13 Efforts made by Authorized Personal Information Protection Organizations (FY 2005)
Competent Ministries and Agencies | Handling of Complaints | Request for Explanations | Request for Documents | Guidance | Recommendations | Other Measures
Financial Services Agency | 237 | 55 | 1 | 135 | 1 | 0
Ministry of Internal Affairs and Communications | 114 | 59 | 0 | 0 | 0 | 2
Ministry of Health, Welfare and Labor | 0 | 0 | 0 | 0 | 0 | 0
Ministry of Economy, Trade and Industry | 107 | 54 | 0 | 2 | 0 | 0
Ministry of Land, Infrastructure and Transport | 0 | 0 | 0 | 0 | 0 | 2
Total (excluding overlapping cases arising from co-jurisdiction) | 355 | 118 | 1 | 137 | 1 | 4
(Source) Reports from relevant ministries and agencies
Section 3 The Enforcement Status Concerning Protection of Personal Information by Local Public Bodies
Article 11 of the Act prescribes that local public bodies shall endeavor to take necessary measures to ensure the proper handling of personal information it holds in consideration of the nature of the personal information, etc.
Handling of personal information held by local public bodies is historically governed by ordinance. Regarding the status of the establishment of ordinance on the protection of personal information by local public bodies, all of the prefectures (47 bodies in total) and the municipalities (1,843 bodies in total) have established such ordinances as of April 1, 2006.
URL: http://www.worldlii.org/int/other/PrivLRes/2006/10.html