Portal field news

Portal field news


😷 | Re-entrustment of handling personal information, 2% without approval Kanagawa Prefecture warns

Photo Kanagawa Prefectural Office

Kanagawa Prefecture warns 2% of subcontractors handling personal information without approval

If you write the contents roughly
According to the prefectural government, 23 of the cases were related to events and training, and no leaks of personal information to outside parties have been confirmed.

Handling of personal information regarding "subcontracting", in which a company entrusted with work from Kanagawa Prefecture outsources part of the work... → Continue reading

 Kanaroko by Kanagawa Shimbun

Kanaroko is a news site operated by the Kanagawa Shimbun. As the only local newspaper in Kanagawa Prefecture, we have a news gathering network throughout the prefecture to provide a wealth of information on incidents and accidents, political administration, economics, sports, culture, and heartwarming topics in the region.

Wikipedia related words

If there is no explanation, there is no corresponding item on Wikipedia.

Personal Information

Personal Information(Kojinjoho) is information about any one individual, and refers to something that can identify a specific individual by the description contained in that information. in English personally identifiable information (PIIOr sensitive personal information (SPI),[1][2][3] More generally personal data Called.


National Institute of Standards and Technology (NIST)Computer security-related guidelines issued by[4] In SP800-800, one of the SP122 series, personal information is defined as follows:

Any information about an individual that is maintained by the agency, including:
1. Any information that can be used to identify or track an individual's identity. For example a name,social Security number, Birthday and birth location, mother's maiden name, biometric information
2. Any other information that is or can be linked to an individual. Information about healthcare, education, finance, and employment, for example. — NIST SP800-122

EU General Data Protection RegulationDefines as follows:

"Personal Data" means all information about an identified or identifiable natural person ("Data Subject"). An identifiable natural person refers in particular to an identifier (such as a name, identification number, location data, online identifier) ​​or the uniqueness of that natural person (physical, physiological, genetic, spiritual, economic). , Cultural, or social) that can be identified directly or indirectly by reference to one or more indicators that are unique. — GDPR Article 4 (1)

JapanesePrivacy PolicyDefines as follows:

The term "personal information" as used in this Act refers to information relating to living individuals that falls under any of the following items.

(I) Name, date of birth or other description included in the information (document, drawing or electromagnetic record (electromagnetic method (electronic method, magnetic method or any other method that cannot be recognized by human perception. The same shall apply in item XNUMX of the following paragraph.) The same shall apply in paragraph XNUMX of Article XNUMX), or shall be recorded, or shall be recorded using voice, motion or any other method. (Excluding personal identification code. The same shall apply hereinafter.) that can identify a specific individual (being able to easily collate with other information and thereby identify a specific individual). Including that.)

(Ii) Personal identification code included — Personal Information Protection Law Article 2

Name(Name) ・Date of Birth-age-Sex-Address-Phone Number・ E-mail address ・Social MediaUpper connection ・school name-Bank accounts-credit card numberInformation that may be identified as "who" is not personal information, but the entire information including such information is personal information.

Japanese Industrial StandardPersonal information protectionManagement systemIsJIS Q 15001So, in the 2006 edition, there was no restriction on living individuals, and data on the dead was also included.[5], The current 2017 edition has the same definition as the Personal Information Protection Law[6].

In any of the above definitions,Personal information includes a description that makes it possible to identify an individual even if they cannot identify the individual at first glance, if combined with other information..

When the Personal Information Protection Law was revised in 2015, the personal identification code was added to the article,Keidanren"The mobile phone number can be changed on the same day if the user requests it, and can be reused by another user. It cannot be said that an individual can be identified."[7] In addition, Shinkeiren said, "In the first place, it is not possible to identify an individual by letters or numbers alone. The definition of the code shown in (2) of the revised law is actually the empty set (= no code is included. )[7] Both groups claimed that mobile phone numbers were not included in personal information.Opposition to the revision of the law from the business community, including both organizations, is ultimately "specific" (Article 2, Paragraph 2, Item 1 of the Law) "to identify a specific user or purchaser or person who receives the issue. It was settled by inserting words such as "What can be done" (Article 2, Paragraph 2, Item 2 of the Law) into the definition of the personal identification code.[8]..However, although the term personal identification code was introduced at the time of the 2015 amendment, when the Act on the Protection of Personal Information Related to Computer Processing Held by Administrative Organizations was enacted in 63, "numbers, symbols and other codes assigned to each individual" were enacted. Was included in the definition of personal information[8]..If the mobile phone number that both groups claim is not personal information by itself is included in the information about the individual, it is understood that it is personal information by itself even if it is not a personal identification code by itself. can do[9].

Protection of personal information and privacy

The move to legalize the protection of personal information begins with the 1980 announcement by the OECD Council of the OECD Council Recommendations on the Guidelines for Privacy Protection and International Distribution of Personal Data (OECD Privacy Guidelines).[10][11].. The eight principles of the OECD Privacy Guidelines, which are collection restriction principles, data content principles, purpose clarification principles, use restriction principles, security protection principles, disclosure principles, individual participation principles, and responsibility principles, are in many countries. Was adopted in the legislation of[11].

Your Privacy

One of the most popular theories of privacy[12]Is the "right to control over information about himself," as described by Alan Westin in his 1967 book "Privacy and Freedom."[13][14]That is. Based on this idea also in Japanese constitutional studiesRight to control personal informationHas become the dominant interpretation of privacy rights[15].

References in this section:


International UniversityGLOCOMThe professor wrote in his book, "Personal identification information is originally shared socially and is not a subject that should be kept secret. For example, if you hide your name and address, you will not receive mail, on the other hand, under the current law, We cannot protect personal information from misuse or defamation, and we need active protection."[16].

Status by organization and area

Administrative agency

Government agencies such as municipal offices, tax offices, and police stations have a large amount of extremely important personal information such as permanent domicile, address, family structure, and income.

According to the 2013 (Heisei 25) survey report,Personal information leakageAbout 44% of these are via government agencies[17].

Since there is a large amount of personal information, it is highly necessary to thoroughly manage personal information and prevent leakage.

In addition, the formerBasic Resident RegisterWas able to be viewed by a third party without the consent of the person. Those who use the Basic Resident Register reading system,Handyman,RosterMost of the people are in the gray zone, such asHuman tacticsIndirectly brought out from the administrative body by copying it in "handwriting" and recording it in the databasedirect mailDue to the occurrence of situations such as use for commercial purposes such as sending and the use for criminal purposes in some cases,Basic Resident Registration ActHas been revised to restrict viewing.

In recent years, the government has outsourced business to external private companies (outsourcing,ア ウ ト ソ ー シ ン グ) Is also increasing, in which case,Region-National Civil Service Lawbased onconfidentialityTherefore, there are many government agencies that have outsourced contracts to supervise the orderer so that safety management can be achieved at the subcontractor.

National examanation,National qualificationWho passedSelf-bankruptcyThose who didOfficial gazette,PrefecturesSuch asBulletinPublished in.

There are about 2000 personal information protection laws in Japan. Not only the law that targets national administrative bodies, but also each local government has established its own personal information protection regulations. Due to the existence of a large number of laws concerning the protection of personal information, the laws and regulations to be applied and their contents are subtly different depending on each region/local government.Ministry of DefenseAccording to the Human Resource Development Division, the Ministry of Defense requires the municipalities to submit a list each year regarding the address, name, date of birth, and gender of young people (18 and 22 years old) who are graduating from high school or university to recruit SDF personnel. ing. 9% of local governmentsSDFTo the relevant information. Hisashi SonodaKonan UniversityThe law professor (personal information problem) said that "there is a high possibility that it is illegal" for the local government who handed over the list in response to the request of the Self-Defense Forces. Of each local governmentPersonal Information Protection OrdinanceCriticized for suspecting that[18].. on the other hand,Self Defense Force ActArticle 97SDFThe SDF Law Enforcement Ordinance Article 120 states that the Minister of Defense may require the Chief to submit "materials" regarding recruitment of SDF personnel. This issue has been discussed since 2016, and Professor Masamasa Suzuki (Information Law) of Niigata University graduate school said that the Minister of Defense requested the local government to provide information on the Basic Resident Register and the local government responded to it by the Basic Resident Registration Act. It cannot be said that it is illegal because there is no provision provision in the SDF, and it is said that it is legal because the SDF law and the enforcement order have a legal basis. In addition, the decision to provide information is entrusted to the local governments in light of each personal information protection ordinance, and the state respects the individual decisions of each local government, which is appropriate for the operation of the law. He said that the risk of abuse of the list could be suppressed if each local government sends a direct mail on behalf of the Self-Defense Forces based on the information in the Basic Resident Register.[19].. As can be seen from this matter, each local government has its own method of operating personal information protection and its method of operation.

Private enterprises

For private companies,

  • Personal information collected in the course of business activities
  • Personal information of employees and their families
    • It is collected by having a written guarantee of identity, etc. be entered when joining the company.
  • Personal information of people who have applied for recruitment or company briefing sessions

There is.

Educational institution

In addition to the above personal information, we also handle student health examination data, grades, career choice surveys, internal reports, proof of attendance, diplomas, etc. Documents must be retained for a certain period of time after graduation or withdrawal from school.

In the past, an emergency contact network for each student was created for each class, but after the enforcement of the Personal Information Protection Law, he became reluctant to create an emergency contact network.電子 メ ー ルAre often used. To protect minorsUniversityRare below,University-graduate studentThen in the laboratoryHome PageMay be forcibly posted in the middle of the name.

Under the Personal Information Protection Act, the obligation of a business operator handling personal information is not applicable when a university or other institution or organization for the purpose of academic research or a person who belongs to it is for the purpose of providing academic research (50 article).


In the case of households, at least the address and name will be leaked if the postal matter that is sent as garbage is collected by someone (DetectiveIs one of the information gathering methods used byGarbage catchCalled).

Depending on the mail,Credit cardNumber orbankaccountNumbers are also leaked,crimeThe risk of being injured increases. For this reason, mailshredderHouseholds that dispose of garbage after cutting are increasing. In addition, recently, the company side has provided a character string (account number,Credit card numberEtc.) is part of the letters.


With the development of search technology,インターネットNow you can easily collect personal information. NameSearch engine,FacebookEtcEgosearchIf you search, you may be able to get the detailed attributes of that individual (The same nameHowever, there is a possibility that personal information of another person may be collected without intention). This is increasing due to the spread of SNS.

Note that search engines are not subject to the Personal Information Protection Act. In addition, since the Internet is a global network, it is difficult to deal with international leakage of personal information,Winny,ShareIt is regarded as a problem that there is a case where the outflow does not stop inside the file exchange network such as.

Specific method
In some cases, personal information can be specified by combining multiple pieces of fragmentary information, such as landscape photographs and snapshots, which are not personal information. For exampledigital camera,SmartphoneFor photos taken in, unless otherwise specifiedExifIs built in by default, and the shooting date and time and the shooting location received by GPS (if GPS function is available) are recorded here, so it is easy to identify.
There is also a method of identifying the shooting location from a photograph in which the shooting location is not recorded.Landscape photographyIn the case of,Window glass,(I.e. OfbonnetReflected inobjectResearched or reflected in the backgroundHouse(Building, store sign, etc.)(I.e.With hints of very small information such asGoogle Earth,Street viewThe same)Everyday LifeAnd the positional relationship so thatdirectionThere is a method to identify the place where the picture was taken[20].
twitter,FacebookThis is also the case when posting to SNS services such as, the risk of identifying your home, friendship, commuting to school, etc. from fragment information such as your favorite shops, travel, work-related contents, followers, followers, etc. There is also.

Personal information protection in Japan

Law concerning the protection of personal information

Until 2005, there was no comprehensive law in Japan other than administrative organs, but the Personal Information Protection Law realized comprehensive legislation between the government and the private sector.[21].

Addition was announced on September 2015, 9, and enforced by the revised Personal Information Protection Law on May 9, 2017.[22].

Added handling of sensitive personal information
"Race, creed, social status, medical history, criminal history, facts of being harmed by a crime, and other unfair discrimination against the person, prejudice, and other disadvantages should be taken into consideration when handling the decree. "Personal information including the description specified in the above" is regarded as sensitive personal information, and it is judged that it is necessary for the protection of human life and property and it is necessary for the person to disagree with it or for the legal agency to carry out the business. There are exceptions such as cases, but in principle, revisions have been made that require the consent of the person in charge.
Added obligation to delete personal information
Erase personal data that is no longer needed as much as possible
Added rules regarding anonymously processed information
Added restrictions on provision to foreign third parties
Personal Information Protection CommitteeInstallation

Personal information

Ministry of Economy, Trade and IndustryIn "Guidelines for the Law on the Protection of Personal Information for the Economic and Industrial Fields", "Information on the individual" in the Personal Information Protection Law is explained as follows.

"Information about an individual" is not limited to information that identifies an individual, such as name, sex, and date of birth, but is all information that represents facts, judgments, and evaluations regarding attributes of the individual's body, financial category, title, etc. It includes evaluation information, information made public by publications, and information by video and audio, regardless of whether it is concealed by encryption or the like (omitted). In addition, when the information related to the dead person is also the information related to the surviving individual such as the bereaved family, the information is related to the surviving individual. In addition, "surviving individuals" are not limited to Japanese nationals, and include foreign nationals, but since corporations and other groups do not fall under "individuals", information about corporations and other organizations themselves is not included (however, , Information about employees, etc. is personal information). — Guidelines for the law on the protection of personal information in the economic and industrial fields(pdf) p2

First of all, it is a necessary condition that the personal information is a whole unit of information about any one individual. Then, if a specific individual is identified by the description or the like included in the information, the entire "information about the individual" corresponds to personal information.

Personal information database

Information including personal informationDatabaseWhen converted, the database is treated as a personal information database. Generally, one unit of information registered in a database is called a record, and a record in a personal information database is treated as personal data.

Personal information that is not stored in a database is scattered information. On the other hand, personal data is easier to perform processing such as searching and merging with other databases as compared with scattered information, as long as a database including the personal data can be accessed. Therefore, the business operator handling the personal information database can utilize the personal data under the regulation as the business operator handling personal information.

Positioning of personal information, personal data, and retained personal data under the Personal Information Protection Law

Personal Information Protection CommitteeStates that the personal information, personal data, and retained personal data have the following positional relationship.[23].

Personal information (such as information that can identify a specific individual) (Privacy Policy(Article 2 paragraph 1)
  • Unorganized business cards, questionnaires, memos, things that are remembered by employees, etc.
  • Image data that is not organized and cannot be searched
Constituting (Personal Information Protection Law Article 2 Clause 4) (Personal Information Protection Law Article 2 Clause 6)
  • Data deleted within 6 months
  • Data that promotes illegal and unlawful acts when the existence of the data is revealed
  • Data required by competitors to search for other parties
Contracted data without disposal authority
  • Information provided by the contractor
  • Shared users without disposal authority
  • Information provided through business tie-ups, etc. that does not have disposal authority
(Those who have the authority to dispose) (Personal Information Protection Law, Article 2, Paragraph 7)

Data that can be disclosed without disclosure restrictions

  • Customer data
  • Employee data

Other data

Classification of personal information, etc.

The following is an example of the classification of personal information, etc. in the ethical guidelines for life science and medical research on humans (text) (partially revised on March 10, XNUMX).[24][25].

Personal Information
  • Information that can identify a specific individual by name, date of birth, or other description contained in the information
    Examples) Name, medical information, name-based questionnaire, facial image, etc.
  • Items containing a personal identification code
    Ex.) Genome data, insurer number and insured person symbol/number on National Health Insurance card
Kana processing information
  • Information about an individual obtained by processing personal information in a manner stipulated by the Personal Information Protection Law so that a specific individual cannot be identified unless collated with other information.
  • However, pseudonymously processed information falls under personal information if it is in a state where it can be "easily collated with other information, thereby enabling the identification of a specific individual" (Article XNUMX of the Personal Information Protection Law). Paragraph XNUMX)
Anonymous processing information
  • Information about an individual obtained by processing personal information so that the specific individual cannot be identified by the method stipulated by the Personal Information Protection Act, and the personal information cannot be restored.
Personal information
  • Information that does not correspond to personal information, pseudonymously processed information, or anonymously processed information
    Examples) Website browsing history, terminal identifiers such as cookies, genome data that does not correspond to personal identification codes

Law Concerning Protection of Personal Information Held by Administrative Organs

Personal information protection in the United States

In the United States, there are federal privacy laws enacted in 1974, etc., but protection of personal information is handled by individual laws in each field, and third-party committees have been established for each.[11].

Personal information protection in Europe

In the EU, the "Directive on the protection of individuals regarding the processing of personal data and the free movement of data" (EU Personal Data Protection Directive) was issued in 1995.[11].

In 2002, the "Direction on the processing of personal information and protection of privacy in the electronic communications sector" (ePrivacy Directive) was issued, and was partially revised in 2009.[11].


[How to use footnotes]
  1. ^ "Management of Data Breaches Involving Sensitive Personal Information (SPI)". Va.gov. Washington, DC: Department OF Veterans Affairs (January 2012, 1). As of May 6, 2015original[Broken link]More archives.April 2015, 5Browse.
  2. ^ Stevens, Gina (April 2012, 4). “Data Security Breach Notification Laws". fas.org. April 2015, 5Browse.
  3. ^ Greene, Sari Stern (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN, US: Pearson IT Certification. P. 349. ISBN 9780789751676. OCLC 897789345. https://books.google.com/books?id=UbwiAwAAQBAJ&pg=PA349&lpg=PA349&dq=%22Sensitive+Personal+Information%22+SPI+%22Personally+identifiable+information%22&source=bl&ots=J9qIzMKebf&sig=Bdxa9ct4X4_2tmz44jmGCna3ZrE&hl=en&sa=X&ei=PaljVZfkJcvjoASh_4KYDA&ved=0CFQQ6AEwCA#v=onepage&q=%22Sensitive%20Personal%20Information%22%20SPI%20%22Personally%20identifiable%20information%22&f=false April 2015, 5Browse. 
  4. ^ "NIST SP800 series”. NRI Secure. As of March 2016, 3original[Broken link]More archives.April 2016, 9Browse.
  5. ^ Japan Institute for Promotion of Digital Economy and Society (JIPDEC) (October 2006, 5). “JIS Q 15001: 2006 Personal Information Protection Management System-Requirements (PDF)". Ministry of Economy, Trade and Industry. April 2020, 12Browse.
  6. ^ Japan Institute for Promotion of Digital Economy and Society (JIPDEC) "JIS Q 15001: 2017 Personal Information Protection Management System-Requirements" Japanese Standards Association (JSA), 2017. 
  7. ^ a b Asakawa, Naoki. “"Mobile phone numbers do not correspond to personal information," asked Shinkeiren.”(Japanese). Nikkei Cross Tech (xTECH). p. 2. April 2015, 4Browse.
  8. ^ a b Takagi, Hiromitsu "From personal information protection to personal data protection-examination for the integration of regulations between the private sector and the public sector (2)". Information law research 2: 88. two:10.32235 / alis.2.0_75. https://www.jstage.jst.go.jp/article/alis/2/0/2_75/_article/-char/ja/. 
  9. ^ Personal Information Protection Commission Secretariat (February 2017). “Anonymous processing information For both promoting utilization of personal data and ensuring consumer reliability”. Personal Information Protection Commission. April 2018, 4Browse.
  10. ^ Uchikawa, Kazuo, "A Book That Understands the Acquisition of Privacy Marks" (4th Edition), 2018, p. 10. 
  11. ^ a b c d e "Current situation in other countries”. Ministry of Internal Affairs and Communications. April 2019, 2Browse.
  12. ^ Solove 2008, p. 24.
  13. ^ Privacy Rights 2004, p. 50.
  14. ^ Information privacy rights 2013, p. 239.
  15. ^ Information privacy rights 2013, p. 243.
  16. ^ Aoyagi "Privacy Research in the Information Age" NTT Publishing. 
  17. ^ Otani, Naomichi (June 2014, 6). “2013 Information Security Incident Investigation Report-Personal Information Leakage-”. JNSA. April 2018, 8Browse.
  18. ^ Chunichi Shimbun: Morning edition 14 pages. (February 2019, 2) 
  19. ^ Asahi Shimbun(July 2016, 3) 
  20. ^ "How to identify the shooting location from the photos uploaded to Twitter and Instagram”(Japanese). GIGAZINE. April 2014, 7Browse.
  21. ^ Kazuo Uchikawa, "Books that Understand the Acquisition of Privacy Marks, 4th Edition," 2018, p. 11. 
  22. ^ "Law concerning the protection of personal information". e-Gov Law SearchDigital Agency. April 2022, 1Browse.
  23. ^ Personal Information Protection Committee, ed. (2017). Personal Information Protection Law Consultation Standard HandbookTokyo: Japanese Law Co., Ltd. p. 64. ISBN 978-4-539-72548-1. OCLC 994728851. https://www.worldcat.org/oclc/994728851 
  24. ^ "Ethical Guidelines for Life Science and Medical Research Involving Human Subjects (pdf)”. Ministry of Education, Culture, Sports, Science and Technology, Ministry of Health, Labor and Welfare, Ministry of Economy, Trade and Industry (March 2022, 3). April 2022, 9Browse.
  25. ^ "https://www.mhlw.go.jp/content/000946358.pdf (pdf)”. Ministry of Health, Labor and Welfare (June 2022, 6). April 2022, 9Browse.

Related item

    23 of


    Back to Top