Act on the Protection of Personal Information
Jan 19, 2017
Changes to Act on the Protection of Personal Information
The amended Act on the Protection of Personal Information will be effective from May 30, 2017 setting another milestone in Japan’s development in governance of personal information. Advances and more prevalent use of big-data technology by business operator have been a factor in the law reforms. National reform such as the My Number system has also raised debate of privacy and misuse of personal information.
Changes to the Act focused on clarifying definitions, setting rules and providing power to local and central government to set up compliance mechanisms and handle complaints. The Personal Information Protection Commission was set up as a new administrator to assist with the changes.
Translation of the latest law can be accessed from the official site: http://www.ppc.go.jp/en/legal/
It is important to note the changes in the definition section of the Act.
For example, “personal information handling business operator” previously excluded operators that handle a lesser amount of personal information under Article 2(5)(v). The previous threshold was no more than 5000 personal information data on any given day in the last 6 months period. This change means that business operators previously excluded will now need to be careful with certain compliance regulations.
For small and medium business operator it is important to remember the following basic points:
- When obtaining personal information, the purpose of use must be communicated to the particular person unless the purpose is apparent from the context. For example, a business obtaining client’s postal address for delivery of goods does not need to state that purpose to each client. Communication can be in forms of a public notice, poster, and homepage or in person.
- Use of personal information shouldn’t exceed what was originally communicated to the particular person. Consent should be obtained for subsequent change of use.
- When the personal information obtained has been transferred to searchable data, business need to implement safe management practices. For example, setting passwords, physical locks and internal education of staffs.
- Not transferring personal information without the particular person’s consent. Exceptions are when business is obliged by law or consent if difficult to obtain due to life-threating circumstances or it is part of the business operation agreed by the particular person.
- Operator must clarify or amend the personal information when requested by the particular person.
Personal information can include name, address, contact details, family structure, obtained qualification, education, identification numbers and more.
It is important to note that the Act does not protect personal privacy or personal information handled by individuals. For example, the Act cannot help you if some individual has spread your personal information on social media.
If you have specific queries regarding the handling of personal information, please do not hesitate to contact our firm.