The Current Framework and the Future Approach for Protecting Privacy in Japan

October 22nd, 2013

Dr. Fumio SHIMPO, Professor, Keio University, Faculty of Policy Management

Email: [email protected]

Privacy in Asia: Building on the APEC Privacy Principles


List of Questions to be addressed

1) What is the current framework for protecting privacy online in your country?

2) How do you assess the prospects for greater alignment/harmonization of national privacy regimes across the Asian region?

3) Will the resulting Asian approach to privacy protection differ in some respect from those now being developed in the US and within the EU; what implications does this have for global privacy governance?

4) Who are the key actors in the privacy debate in your country and what are their roles and powers?

5) How have data privacy regulations in your country affected businesses' utilization of cloud services and big data?

Relationship with Personal Information Protection Laws in Other Countries

OECD

• Privacy Guidelines

• Recommendation on Cross-Border Co-operation, Security Guidelines, etc.

• GPEN (Global Privacy Enforcement Network)

APEC

• Privacy Framework

• Cross-Border Privacy Rules (CBPR)

• Cross-border Privacy Enforcement Arrangement (CPEA)

EU

• Data Protection Directive: data protection directive that regulates transfers of personal data to third-party countries

• Standard Contractual Clauses (SCC)

• Binding Corporate Rules (BCR)

• European Data Protection Regulation (draft) (January 25, 2012)

・ Establishment of an independent personal information protection organization is a requirement

・ More rights for data subject (the “right to be forgotten,” data portability)

・ Security (duty to report information leakages within 24 hours)

・ Management responsibilities (data protection impact assessment, data protection seal or mark system)

・ Transmitting personal data (consistent procedures)

International Conference of Data Protection and Privacy Commissioners (International conference of personal information protection authorities)

• Japan is an observer

• Establishment of an internationally-accepted “Independent personal information protection organization” is a requirement

• Standard for authorization as data protection organization

• Legal basis

• Autonomy and independence

• Consistency with international instruments

• Appropriate functions

APPA (Asia Pacific Privacy Authorities)

USA

• Safe Harbor Rule

• (Policy dialogue)

Japan

• Act on the Protection of Personal Information

• Individual laws

• Japan’s task is to satisfy the EU-specified “adequate level of protection”

• Japan’s task is to participate in the network of cross-border OECD member countries that work together on the protection of personal information

• Japan’s task is to create a system of cross-border execution cooperation which can be utilized in cases of cross-border personal information leakages

©2013 Fumio SHIMPO

1. History of Personal Data Protection Systems in Japan

Local Government Regulations

• Local governments worked quickly to adopt their own personal data protection regulations before the enactment of the OECD guidelines

OECD Privacy Guidelines: 8 OECD Principles

• Start of personal data protection systems management

Administrative Agency Personal Protection Laws

• Establishment of personal data protection laws (national administrative agencies only)

• ‘Law relating to protection and management of personal data stored on administrative agency computers’ (December 16th, 1988, Law No. 95)

Dealing with the Private Sector

• ‘Guidelines for personal data protection in the private sector’ - Japan Information Processing Development Corporation (JIPDEC) (1988)

• ‘Guidelines relating to the protection and management of personal data on computers in the private sector’ (March 4th, 1997, Ministry of International Trade and Industry proclamation, No. 98)

Privacy Mark System

• ‘Privacy mark system’ (effected April 1st, 1998)

• JIS Q 15001, ‘Personal data protection compliance program requirements’ (established March 20th, 1999)

• JIS Q 15001, ‘Personal data protection management system requirements’ (established March 20th, 2006)

2. History of Establishment of Laws Relating to Personal Data Protection (Japan)

July 14th, 1999, Agreement on formation of ‘Personal Data Protection Investigation Unit’ (Chairman, Masao Horibe, Professor, Chuo University’s Faculty of Law)

October 20th, 1999, Announcement of paper ‘Regarding Protection of Personal Data’ (Central theme, Chairman’s plan)

November 19th, Announcement of ‘State of Personal Data Protection Systems in Japan’, by High-Tech Telecommunications’ Society Promotion Committee’s Personal Data Protection Investigation Unit (Mid-Term Report)

February 4th, 2000, Formation of ‘Personal Data Protection Legislation Specialist Committee’ (Committee Chairman, Itsuo Sonobe, Professor at Ritsumeikan University’s Graduate School) (Session No.28)

October 11th, 2000, Agreement on ‘Fundamentals relating to Personal Data Protection Laws’

Drawing up of proposed legislation in accordance with fundamentals. Submitted as Cabinet Legislation No.90 to the 151st Diet on March 27th, 2001.

April 18th, 2001, Formation of ‘Administrative Agency Personal Data Protection Law Research Group’ (Chairman, Takashi Mogushi, former Director-General of the Cabinet Legislation Bureau), presided over by the Secretary to the Minister of Internal Affairs and Communications on approval of the Minister.

March 15th, 2002, Submission of Cabinet Legislation Nos. 70-73 to the 154th Diet.

December 13th, 2002, five personal data protection bills rejected by the Lower House Committee of the Cabinet.

March 7th, 2003, five revised personal data protection bills, Cabinet Legislation Nos. 71 – 75, submitted to the 156th Diet.

May 23rd, 2003, five personal data protection bills approved and formally announced on May 30th.

3. Laws relating to Personal Data Protection

Approved on May 23rd, 2003, formally announced and enacted on May 30th.

Regulations in Chapters 4-6, and additional regulations in Articles 2-6 imposing specific responsibilities on companies handling personal data under the Personal Data Protection laws and Administrative Agency Personal Data Protection laws, enacted April 1st, 2005.

Act on the Protection of Personal Information (2003 Law No.57)

Act on the Protection of Personal Information Held by Administrative Organs (2003 Law No.58)

Act on the Protection of Personal Information Held by Administrative Agencies (2003 Law No.59)

Act for Establishment of the Information Disclosure and Personal Information Protection Review Board (2003 Law No.60)

Act on Preparation of Relevant Acts Accompanying Effectuation of the Act on the Protection of Personal Information Held by Administrative (2003 Law No.61)

4. Overall Outline of Personal Data Protection Laws in Japan

Basic Policy

Personal Data Protection Laws

Administrative Agency Personal Data Protection Laws

Individual Laws

Personal Data Protection Regulations

Guidelines

Basic Policy (basic policy on personal data protection approved by the Cabinet)

Basic laws and laws relating to the private sector (laws and ordinances regarding the protection of personal data)

Laws relating to administrative agencies in the public sector. (laws and ordinances concerning administrative agency personal data protection)

Protection of personal data by following regulations with the aim of personal data protection under each individual law (existing laws such as ‘The Dispatch Industry Law’ and ‘Employment Security Law’)

Laws with regard to legal liability concerning leakage and misuse of personal data. (‘Unfair Competition Prevention Law’)

Local government personal data protection regulations.

Privacy protection obligation regulations from a professional standing. (‘Public Servant Law’, various industrial laws)

Guidelines for each Ministry in accordance with Article 8 of the Personal Data Protection Law.

JIS Q 15001 'Personal Data Protection Management System, Requirements'

Standards and guidelines in accordance with laws (guidelines adhering to ‘The Industry Standardisation Law’ and ‘Provider Limited Liability Law’)

Administrative agencies setting guidelines for themselves (safety management and use of telecommunications technology)

Setting guidelines for private organisations and the private sector (business world guidelines)


Application of the Act on the Protection of Personal Information

Act on the Protection of Personal Information

Act on the Protection of Personal Information Held by Administrative Organs

Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc.

Act for Establishment of the Information Disclosure and Personal Information Protection Review Board

Ordinances in local governments

Basic Policy portion

Private sector / Public sector

Act on Preparation of Relevant Acts Accompanying Effectuation of the Act on the Protection of Personal Information Held by Administrative Organs

Measures for the Protection of Personal Information, etc.

Basic principle

Responsibilities of the state and local governments

Basic Policy on the Protection of Personal Information

1742 bodies (As of Oct 1, 2012)


5. Areas for Establishing Ministerial Guidelines Relating to Personal Data Protection Laws

[Diagram: areas covered by ministerial guidelines and the ministries and agencies responsible. Recoverable labels:]

Ministries and agencies:

• Ministry of Economy, Trade and Industry

• Ministry of Justice

• National Public Safety Commission

• Ministry of Finance

• Ministry of Agriculture, Forestry and Fisheries

• Ministry of Internal Affairs and Communications

• Ministry of Education, Culture, Sports, Science and Technology

• Ministry of Health, Labour and Welfare

• Financial Services Agency

• Ministry of Foreign Affairs

• Ministry of Land, Infrastructure and Transport

• Ministry of Defense

Areas:

• Land transport

• Real estate distribution companies

• Ship crew employment management

• Credit retrieval

• Medicine / nursing

• Justice

• Police

• Welfare

• Finance

• Agriculture, forestry and fisheries

• General operations

• General employment management

• Health information

• Worker dispatch

• Employment introduction

• Personal genetic information

• Human genome / genetic analysis research

• Genetic therapy clinical research

• Epidemiological research

• Human hepatic cell clinical research

• Schools

• Telecommunications

• Broadcasting

• Financial

• Credit information safety management practice guidelines

• Local public employee’s mutual aid association

• Health insurance union

• National health insurance union

• Police mutual aid association

• Trade unions

• Medical information systems, Safety management

• Foreign affairs

• Corporate pensions

• Clinical research

• Defense

• Medical information management

• Postal Service

• Correspondence service

Italics = communication / Underline = notification

6. Ministerial Guideline Policy Decisions / Basis of Revisions

Personal Data Protection Law

Secondary Resolutions

Article 6 3rd Clause / Article 7 / Article 8

Medical Services

Financial and Credit Services

Telecommunications

Ministerial Guidelines

Enterprises under the jurisdiction of

Personal Data Protection Law Article 36 1st Clause

Individual laws, other measure management

Basic policy settlement

Settlement of guidelines

other necessary measures

Individual Investigation Measures

Revision of Guideline Policy Settlement

Justice

Finance

Agriculture, Forestry and Fisheries

Overall Enterprises

Employment

Education

Welfare

Land Infrastructure and Transport

Police

Basic Policies

etc


PrivacyMark System

Assessed and certified by third-party organization JIPDEC (and its specified organs)

The system allows the use of the PrivacyMark logo as proof of certification

For enterprises that have prepared a management system in compliance with requirements of JIS Q 15001 for the protection of personal information, and properly handle personal information

Report of the Study Group on the Use and Flow of Personal Data

- Measures to Promote the Proper Use and Flow of Personal Data - (Summary)

Ministry of Internal Affairs and Communications, Japan

Members

◎ Masao Horibe, Professor Emeritus at Hitotsubashi University

○ Shigeo Tsujii, Professor at Chuo University

Fumio Shimpo, Professor at Keio University

Masahiro Sogabe, Professor at Kyoto University

Hiroyuki Kuwako, Japan Data Communications Association

Hisamichi Okamura, Attorney, Visiting Professor at National Institute of Informatics

Miki Nagata, National Federation of Regional Women’s Organizations

Naohiro Yoshikawa, ATKearney

Hiromichi Yasuoka, Nomura Research Institute

The other members include representatives from businesses and local government etc.

(Observers) Consumer Affairs Agency, METI

◎ Chair, ○ Vice-Chair

Request for Public Comments

Request for Public Comments

Discussion based on presentations by the members or other people

▲1st (Nov.1,2012)

Held once or twice every month

Ministry of Internal Affairs and Communications, Japan has held the Study Group on Use and Flow of Personal Data.

Dissemination and development of ICT

Capable of using a large volume of diverse information, so-called “big data”, including personal data (information about an individual)

Making it possible to provide a variety of services that match the needs of each individual better

Utilisation of Big Data

● Uncertainty of rules for personal data and privacy protection obstructs development of new types of businesses using personal data

● Increase of concerns about privacy due to accumulation and use of a large volume of information about individuals

Issues related to Protection of Privacy etc.

It is necessary to make rules for personal data utilisation clear, considering harmonisation between free flow of information and privacy protection etc.

Study Group on the Use and Flow of Personal Data

Meeting schedule

▲7th(April 3,2013)

Draft Report

▲8th(May 14,2013)

▲9th(June 11,2013)

Points of Issues Report(Released on June 12,2013)

・ Industrial Competitiveness Council

・ IT Strategic Headquarters

・ Regulatory Reform Council

Recognition of importance of making good environment for personal data utilisation

Measures by MIC

Cabinet level meetings

※ Following the various discussions concerning the scope of protected information related to an individual, the Study Group defined ‘Personal Data’ as information about an individual in general, not limited to information which is personally identifiable, and defined ‘Protected Personal Data’ as information about an individual to be protected.

The Scope of “Protected Personal Data”

• Basically, it is appropriate to define the scope as ‘Personal Identifiability’, and it is necessary to make a substantial judgement in the light of privacy protection.

• ‘Protected Personal Data’ is considered to include any identification data on any individuals’ PCs and smartphones as well as continuously collected information, such as purchase history data.

Directions for Prompt Implementation (1)

System of Personal Data Utilisation Framework

• It is important to harmonise the promotion of a framework of personal data utilisation and the appropriate protection of privacy.

• It is vital to maintain and reinforce people’s trust in the appropriate handling of personal data in order to promote its utilisation.

• It is necessary to make rules for personal data utilisation clear.

The Content of Rules for Personal Data Utilisation

• ‘Protected Personal Data’ is classified into the following three types according to the level of privacy:

✓ General personal data (e.g., widely known information, public information, and business-related information, such as business card information);

✓ Personal data which requires careful handling (e.g., address book, location, and subscriber information on smartphones);

✓ Sensitive data (e.g., information on thoughts and creeds and health information).

• Personal data should be handled in accordance with the context at the time of data acquisition and with the level of privacy of the data.

Report of the Study Group on the Use and Flow of Personal Data (Summary)①

Method of Rulemaking for Personal Data Utilisation

• Good use of multi-stakeholder processes (i.e., an open process which includes a variety of parties, such as the government, enterprises, consumers, and experts etc).

Directions for Prompt Implementation (2)

Utilisation of Technologies for Personal Data Protection(Anonymisation, Cryptography etc.)

• In order to promote utilisation of personal data, it is appropriate to make the maximum use of technologies to protect privacy (e.g., anonymisation and encryption).

• It is considered that anonymised data, of which re-identification is impossible or sufficiently difficult, can be utilised freely.

Method of Securing Compliance with Rules for Personal Data Utilisation

• Incorporation of privacy policies into contracts.

• Establishment of bodies consisting of experts which present opinions on rules for personal data utilisation and resolving of disputes.

Securing free flow of personal data beyond borders

• In order to ensure international free flow of personal data, Japan should actively contribute to discussions for international rulemaking.

Report of the Study Group on the Use and Flow of Personal Data (Summary)②

  The Need for the study of the following items by the Japanese Government.

● Privacy Commissioner System Appropriate for Japan

• It is essential to establish a system in which knowledgeable human resources deal with issues relating to personal data ‘horizontally’, in a prompt and proper manner, making substantial judgments in order to secure people’s trust.

• Many countries including the US, the EU and other developed countries have independent supervisory bodies, (Privacy Commissioners) for personal data protection.

  Under the present circumstances, there exists an international environment for Privacy Commissioners of respective countries to exchange views and adjust policies relating to personal data.

● Method for Securing the Effectiveness of Multi-Stakeholder Processes etc.

• Institutional arrangements to ensure compliance of enterprises and other organisations with their own policies or rules declared voluntarily.

• Incentives for enterprises to participate in multi-stakeholder processes.

• A mechanism to ensure that enterprises not participating in multi-stakeholder processes protect privacy.

●Other Issues relating to the Current Law (Act on the Protection of Personal Information).

 • Treatment of small businesses, shared use, certification systems to ensure substantial privacy protection, etc.

• The voluntary efforts of business operators and operational improvements in the current system will not have sufficient legal binding power. In order to ensure consistency and stability, institutional efforts, such as a review of the Act on the Protection of Personal Information, are essential.

• As a result, international expansion of enterprises and the effective trans-national use of big data etc. will become easier, thus contributing to the realisation of a world-wide, highly literate ICT society and economic growth.

Directions for Full-Scale Implementation

Report of the Study Group on the Use and Flow of Personal Data (Summary)③

Smartphones are continuing to make up a rapidly growing percentage of the mobile phones shipped in Japan, and are expected to reach 80% in FY 2013. 

Change in and Forecast of the Number of Domestic Smartphone Shipments

* Survey conducted by MM Laboratories (values from FY 2012 onwards are estimated). (“Recorded and projected numbers of smartphones shipped annually (as of March 2012)” (13th March 2012) and “Smartphone terminals shipped in Japan in the first half of FY 2012” (1st November 2012)).

[Chart: feature phone shipments, smartphone shipments, and smartphones as a percentage of shipments, by fiscal year, FY2008 to FY2016]

©2012   Ministry of Internal Affairs and Communications

Structure of Smartphone Services  

[Diagram: structure of smartphone services. Recoverable labels:]

Layers: Mobile terminal layer; Network layer; Platform layer; Contents service layer

Parties: User; Mobile terminal providers; Mobile telecommunications carriers; OS providers; Website operators for apps distribution; Apps providers & individuals; Advertiser; Information collection providers; Ad. service providers

Elements: Smartphone; 3G network; WiFi; WiMAX; Browsing; App.; Sites; Application provision sites of contents business operators; Application provision sites of OS providers; Application provision sites of mobile telecommunications carriers; Application provision sites of device manufacturers

Flows: Provision of individual apps; Provision of places where apps can be provided to users; Downloading apps; User Information; Advertisement; Provision of information collection modules

Examples of the parties related to user information on smartphones

As for smartphones, a variety of business operators with different roles offer services in each layer. On the other hand, as for traditional mobile phones, mobile phone carriers offer all services from infrastructure to contents.

Business operators which provide the operating system (OS) installed on smartphones usually operate sites for providing applications and have an influence on each layer, such as the development of devices, use of communication networks, provision of applications, charging/authorization, etc.

It is pointed out that an application developer gains certain compensation for incorporating information collection modules provided by an advertisement delivery business operator into applications and that user information may be transmitted to information collection business operators through information collection modules.


“Smartphone Privacy Initiative”: Structure of the Guideline for Handling Smartphone User Information

Anxiety of users regarding user information should be eliminated voluntarily by responsible business actors. The Guideline provides the principles to which a variety of different stakeholders (including app providers who do not take part in the industry associations) can refer. Taking into account the status quo of the industry, the industry is encouraged to make their industry-specific guidelines by enriching and further developing the principles proposed in the Guideline.

Fundamental Principles

1. Ensuring Transparency

2. Securing the Opportunity of User Participation

3. Ensuring Data Collection through Proper Means

4. Ensuring Proper Management of User Information

5. Properly Handling Complaints and Requests for Advice

6. Privacy by Design

Measures Undertaken by User Information Acquirers (e.g., Apps provider, information collection modules providers, Advertisement delivery service providers)

1. Making Application Privacy Policy

☞ A privacy policy including the following items should be created for each app and each information collecting module. Such privacy policy should be easily understandable and a simplified version or short notice should also be made available.

i) Name of the apps provider who acquires personal information;

ii) Details of the personal information to be acquired;

iii) How to acquire such personal information;

iv) Specifying and explicitly explaining the purpose of acquiring personal information;

v) How to notify and disclose privacy policy, and acquire user consent, and how the user participates are ensured;

vi) Whether or not the acquired information is to be transmitted to the third party; whether or not it is transmitted to information collecting module providers;

vii) Contact point for queries; and

viii) Procedure for changing privacy policy

2. Proper Management of User Information

3. Special Instructions regarding Information Collection Module Providers and Advertisement Delivery Service providers

Measures taken by other relevant business operators

1. Mobile Network Operators and Mobile Terminal Providers

☞ when selling smartphone services, etc.

☞ Application distribution portals operated by mobile telecommunication carriers

2. Application Distribution Portal Operators, and OS Providers

☞ Application distribution portals

3. Other relevant business operators

☞ Reviews on applications, etc.

 

  Guideline for Handling Smartphone User Information: Fundamental Principles

 

1  General Provisions

1. Ensuring Transparency: Users should be notified of the details of the target information, its utilization and opportunities for user participation in case personal information is collected. Otherwise such details should be placed where they are easily noticeable. In case of notifying users of the collection of their personal information, announcing it or acquiring consent from users, such notification, announcement and acquisition should be conducted in an easily recognizable and understandable manner.

2. Securing Opportunities of User Participation: Relevant business operators should notify or disclose necessary details in case of collecting personal information (e.g., information to be collected, purpose of information usage, and a range of information that is to be provided to the third party). Users should be able to know how to stop personal data being collected and how to get involved in the process.

3. Ensuring Personal Data Collection by Proper Means: Relevant businesses acquire target personal information by proper acceptable means.

4. Ensuring Proper Management of User Information: Relevant businesses take necessary and proper measures in order to prevent targeted personal information from leaking, being lost or damaged, etc.

5. Properly Handling Complaints and Request for Advice: Relevant businesses are required to respond to complaints and requests for advice regarding personal information.

6. Privacy by Design: When designing new apps and services, relevant businesses should take into account how personal information should be handled and ensure personal information and privacy be protected and respected. They should well recognize that the protection of personal information and privacy needs to be enhanced. From the users’ perspective, apps and services should be designed and developed in a user-friendly manner.

To develop an environment in which users can use smartphones and services provided through them in a safe and secure manner, all the relevant business players are required to appropriately handle user information, thereby securing users’ trust in the provided services. (e.g. Providing sufficient explanation to users and ensuring transparency of services; ensuring substantive opportunities for user participation)


Fundamental Principles

 

Guideline for Handling Smartphone User Information: Specific Issues (1)

1. Creation of privacy policy: The privacy policy that indicates the provisions below should be created, and displayed or hyperlinked in an easily recognizable and referable manner. (A simplified, summarized version or short notice should preferably be created and posted on smartphone screens.)

2. Proper management of user information

3. Special notes on information collection module providers: Notify apps providers regarding the items and purposes, etc. of the personal information to be acquired.

4. Special note on advertisement delivery services providers: Notes on how to behave as apps providers or information collection module providers.

2  Specific Issues (1) : Measures undertaken by Apps Providers, Information Collection Module Providers etc.

1) Names of apps providers who acquire personal information: Indicate names and contact details, etc. of apps providers.

2) Details of the personal information to be acquired: List items and contents of acquired user information.

3) How to acquire personal information: Indicate whether personal information is acquired by users’ input or whether apps automatically collect personal information stored in smartphones.

4) Specifying and explicitly explaining the purpose of information usage: Indicate whether user information is used for the purpose of service provision or for other purposes. In particular, if the information is used for advertisement or marketing purposes, it should be explicitly noted as such.

5) How to notify or disclose privacy policy, how to acquire user consent, and the way of user participation: Indicate how to access the privacy policy, from whom the consent for personal data collection is to be obtained, and when the consent is to be obtained, etc. Also indicate the way of user participation and how users can stop their information being used.

6) Whether personal information is to be transmitted to an external third party and whether information collection modules are installed: Indicate whether personal information is to be transmitted to a third party. Also indicate whether information collection modules are installed.

7) Contact for user query: Indicate a telephone number, email address, etc. for user queries.

8) Procedure for changing privacy policy: Indicate how to announce changes in the privacy policy (another consent is required if the range of the personal information that was agreed to be collected is changed).


Function and Structure of the Social Welfare and National Taxation Number System

Data-Holding Organisation

User (Data Subject)

‘My Portal’ (My Portal Management Organisation)

Information Coordination Infrastructure

Access Log

Administrative Officer

1. Demand confirmation of the access log

2. Ensure confirmation of the access log request is transmitted

3. Respond to access request via access log transmission

1. Demand the confirmation of the ‘information about oneself’

2. Inquire into the confirmation of ‘information about oneself’ request

3. Transmit the inquiry confirmation request about ‘information about oneself’ as received and approved

1. Make the ‘One-Stop’ application

5. Application / examination

1. Acknowledge receipt of information request via ‘notice’

2. Acknowledge receipt of information request via ‘notice’

4. Log into the ‘My Portal’

5. The receipt of information request via ‘notice’ is displayed on the screen

2. Transmit the application

5. Application / examination

3. The application is received by the ‘organisation’

① Confirmation of the Access Log to Access Information about Oneself

② Confirmation of the Organisationally-Held ‘Information about Oneself’ is Given

③ The Electronic Applications System (The ‘One-Stop Service’)

④ Displaying the Information from Administrative Agencies (the ‘Push-Type Service’)

8. The ‘Holding Organisation’ accepts the application

6. The application process continues

7. The application is transmitted to the Data-Holding Organisation

Notice

3. Information Stored

※ Information on the access log temporarily preserved in the user folder is deleted at the same time as logging out.

<User Folder>

4. Transmit the necessary information

Information about Oneself <User Folder>

5. Information Stored

※ After logging out, information stored by the Data-Holding Organisation, temporarily preserved in the user folder, is deleted.

Information about Oneself

7. Display the ‘Information about Oneself’

6. Log into the ‘My Portal’

Access Log <User Folder>

4. Information Stored

6. Display the access log

5. Log into the ‘My Portal’