Enforcement Rules for the Act on the Protection of Personal Information(Rules of the Personal Information Protection Commission No. 3 of 2016)
Last Version:
TOC
History
Check All Uncheck All

  • July 10, 2017
    • Last Version:
    • Translated Date: November 24, 2016
    • Dictionary Version: 11.0

Enforcement Rules for the Act on the Protection of Personal Information (Any data that the title of a law indicates to be a "Tentative translation" has not yet been proofread or corrected by a native English speaker or legal translation expert; this data may be revised in the future.Tentative translation)
Rules of the Personal Information Protection Commission No. 3 of October 5, 2016
(Definition)
Article 1Terms used in these rules are governed by the terms used in the Act on the Protection of Personal Information (hereinafter referred to as the "Act").
(Standards in the character, letter, number, symbol or other codes produced by having bodily features converted thereinto so as to be provided for use in computers)
Article 2Standards prescribed by rules of the Personal Information Protection Commission under Article 1, item (i) of the Order to Enforce the Act on the Protection of Personal Information (hereinafter referred to as the "Order") shall be to convert for the purpose of being provided for use in computers an appropriate scope by using an appropriate method so as to ensure the level of ability to identify a specific individual.
(Character, letter, number, symbol or other codes which are stated on a certificate in a way to give each person who receives its issuance a different one)
Article 3Character, letter, number, symbol or other codes prescribed by rules of the Personal Information Protection Commission under Article 1, item (vii) of the Order shall be, for a certificate set forth in each following item, those prescribed in each said item respectively.
(i)a certificate set forth in Article 1, item (vii), (a) of the Order; Symbol and number of, and insurer's number on, a certificate set forth in Article 1, item (vii), (a) of the Order
(ii)a certificate set forth in Article 1, item (vii), (b) and (c) of the Order; Number of, and insurer's number on, a certificate set forth in Article 1, item (vii), (b) and (c) of the Order
(Character, letter, number, symbol or other codes which are equivalent to a passport number etc.)
Article 4Character, letter, number, symbol or other codes prescribed by rules of the Personal Information Protection Commission under Article 1, item (viii) of the Order shall be those set forth in the following.
(i)symbol and number of, and insurer's number on, an insured person's certificate under Article 47, paragraph (2) of the Ordinance for Enforcement of the Health Insurance Act (Ordinance of Home Ministry No. 36 of 1926)
(ii)symbol and number of, and insurer's number on, an elderly recipient's certificate under Article 52, paragraph (1) of the Ordinance for Enforcement of the Health Insurance Act
(iii)symbol and number of, and insurer's number on, an insured person's certificate under Article 35, paragraph (1) of the Ordinance for Enforcement of the Mariner Insurance Act (Ordinance of the Ministry of Welfare No.5 of 1940)
(iv)symbol and number of, and insurer's number on, an elderly recipient's certificate under Article 41, paragraph (1) of the Ordinance for Enforcement of the Mariner Insurance Act
(v)number of a passport (excluding those issued by the Japanese government) under Article 2, item (v) of the Immigration Control and Refugee Recognition Act (Cabinet Order No. 319 of 1951)
(vi)number of a residence card under Article 19-4, paragraph (1), item (v) of the Immigration Control and Refugee Recognition Act
(vii)subscriber number on a subscriber's certificate under Article 1-7 of the Ordinance for Enforcement of Private School Personnel Mutual Aid (Ordinance of the Ministry of Education No. 28 of 1953)
(viii)subscriber number on a subscriber's dependent certificate under Article 3, paragraph 1 of the Ordinance for Enforcement of Private School Personnel Mutual Aid;
(ix)subscriber number on an elderly recipient's certificate under Article 3-2, paragraph (1) of the Ordinance for Enforcement of Private School Personnel Mutual Aid
(x)symbol and number of, and insurer's number on, an elderly recipient's certificate under Article 7-4, paragraph (1) of the Ordinance for Enforcement of National Health Insurance Act (Ordinance of the Ministry of Health and Welfare No.53 of 1958)
(xi)symbol and number of, and insurer's number on, a member certificate under Article 89 of the Ordinance for Enforcement of National Public Servants Mutual Aid Association Act (Ordinance of the Ministry of Finance No. 54 of 1958)
(xii)symbol and number of, and insurer's number on, a member's dependent certificate under Article 95, paragraph (1) of the Ordinance for Enforcement of National Public Servants Mutual Aid Association Act
(xiii)symbol and number of, and insurer's number on, an elderly recipient's certificate under Article 95-2, paragraph (1) of the Ordinance for Enforcement of National Public Servants Mutual Aid Association Act
(xiv)symbol and number of, and insurer's number on, a mariner member certificate and a mariner member's dependent certificate under Article 127-2, paragraph (1) of the Ordinance for Enforcement of National Public Servants Mutual Aid Association Act
(xv)symbol and number of, and insurer's number on, a member certificate under Article 93, paragraph (2) of the Ordinance for Enforcement of Local Public Care Service Mutual Aid Association Act (Ordinance of the Prime Minister's Office, Ministry of Education, Ministry of Home Affairs No. 1 of 1962)
(xvi)symbol and number of, and insurer's number on, a member's dependent certificate under Article 100, paragraph (1) of the Ordinance for Enforcement of Local Public Care Service Mutual Aid Association Act
(xvii)symbol and number of, and insurer's number on, an elderly recipient's certificate under Article 100-2, paragraph (1) of the Ordinance for Enforcement of Local Public Care Service Mutual Aid Association Act
(xviii)symbol and number of, and insurer's number on, a mariner member certificate and a mariner member's dependent certificate under Article 176-2, paragraph (2) of the Ordinance for Enforcement of Local Public Care Service Mutual Aid Association Act
(xix)insured person's number on an employment insurance-insured person's certificate under Article 10, paragraph (1) of the Ordinance for Enforcement of the Employment Insurance Act (Ordinance of Ministry of Labor No. 3 of 1975)
(xx)number of a special permanent resident certification under the Special Act on the Immigration Control of, Inter Alia, Those who have Lost Japanese Nationality Pursuant to the Treaty of Peace with Japan (Act No. 71 of 1991)
(Special Care-Required Personal Information)
Article 5Physical and mental functional disabilities prescribed by rules of the Personal Information Protection Commission under Article 2, item (i) of the Order shall be those disabilities set forth in the following.
(i)physical disabilities set forth in an appended table of the Act for Welfare of Persons with Physical Disabilities (Act No.283 of 1949)
(ii)intellectual disabilities referred to under the Act for the Welfare of Persons with Intellectual Disabilities (Act No.37 of 1960)
(iii)mental disabilities referred to under the Act for the Mental Health and Welfare of the Persons with Mental Disabilities (Act No.123 of 1950) (including developmental disabilities prescribed in Article 2, paragraph (2) of the Act on Support for Persons with Development Disabilities, and excluding intellectual disabilities under the Act for the Welfare of Persons with Intellectual Disabilities)
(iv)a disease with no cure methods established thereof or other peculiar diseases of which the severity by those prescribed by cabinet order under Article 4, paragraph (1) of the Act on Comprehensive Support for Daily and Social Lives of Persons with Disabilities (Act No. 123 of 2005) is equivalent to those prescribed by the Minister of Health, Labor and Welfare under the said paragraph
(Person prescribed by rules of the Personal Information Protection Commission under Article 17, paragraph (2), item (v) of the Act)
Article 6A person prescribed by rules of the Personal Information Protection Commission under Article 17, paragraph (2), item (v) shall be a person falling under any of each following item.
(i)a foreign government, a foreign governmental organization, a local government in a foreign country, or an international organization
(ii)a person who is equivalent to a person set forth in each item of Article 76, paragraph (1) of the Act in a foreign country
(Advance notification etc. regarding a third-party provision)
Article 7(1)Action for informing or putting into a state where a principal can easily know pursuant to the provisions of Article 23, paragraph (2) and paragraph (3) is to be carried out as set forth in the following.
(i)setting a necessary period for a principal identifiable by the provided personal data (referred to as "the principal" in the succeeding item) to request the provision to be ceased.
(ii)adopting an appropriate and reasonable method to enable the principal to recognize without fail a matter set forth in each item of Article 23, paragraph (2) of the Act.
(2)A notification pursuant to the provisions of Article 23, paragraph (2) or paragraph (3) shall be given by any of each method set forth in the following.
(i)a method using an electronic data processing system (meaning an electronic data processing system connecting a computer relating to use by the Personal Information Protection Commission and a computer relating to use by a notifying person via electronic telecommunication line) as prescribed by the Personal Information Protection Commission.
(ii)a method submitting a written notification in an appended form No. 1 and an optical disc (including, an object that can assuredly keep a record of certain matters by an equivalent method to such an optical disc; hereinafter referred to as an "optical disc etc.") that has kept a record of a matter to be stated in the written notification.
(3)A personal information handling business operator shall, in case of giving a notification pursuant to the provisions of Article 23, paragraph (2) or paragraph (3) of the Act by an agent, submit to the Personal Information Protection Commission a document (including an electromagnetic record; hereinafter the same.) verifying the power of agency in an appended form No. 2.
(An agent for a personal information handling business operator in a foreign country)
Article 8A personal information handling business operator in a foreign county shall, in case of giving a notification pursuant to the provisions of Article 23, paragraph (2) or paragraph (3) of the Act, appoint a person domiciled in Japan who has the authorization to act for the personal information handling business operator on any action relating to the notification.In this case, the said personal information handling business operator shall submit a document (including texts translated into Japanese) verifying that it has conferred the power of agency on the person domiciled in Japan to the Personal Information Protection Commission at the same time of giving the said notification.
(Public disclosure by the Personal Information Protection Commission regarding a third-party provision)
Article 9Public disclosure pursuant to the provisions of Article 23, paragraph (4) of the Act shall be made without delay by utilizing the Internet or other appropriate method after a notification has been given under paragraph (2) or paragraph (3) of the said Article.
(Public disclosure by a personal information handling business operator regarding a third-party provision)
Article 10A personal information handling business operator shall, promptly after public disclosure pursuant to the provisions of Article 23, paragraph (4) of the Act has been made, disclose to the public those matters set forth in paragraph (2) of the said Article (when a matter set forth in item (ii), item (iii) or item (v) has been modified, a post-modified matter set forth in each said item) by utilizing the Internet or other appropriate method.
(Standards in the system necessary for continuously taking measures equivalent to those which shall be taken by a personal information handling business operator)
Article 11Standards prescribed by rules of the Personal Information Protection Commission under Article 24 of the Act are to be falling under any of each following item.
(i)a personal information handling business operator and a person who receives the provision of personal data have ensured in relation to the handling of personal data by the person who receives the provision the implementation of measures in line with the purport of the provisions under Chapter IV, Section 1 of the Act by an appropriate and reasonable method
(ii)a person who receives the provision of personal data has obtained a recognition based on an international framework concerning the handling of personal information
(Keeping a Record regarding a Third-party Provision)
Article 12(1)A method of keeping a record under Article 25, paragraph (1) of the Act pursuant to the said paragraph shall be a method to keep it by using a written document, electromagnetic record or microfilm.
(2)A record under Article 25, paragraph (1) of the Act shall be kept promptly at each time of personal data having been provided to a third party (meaning a third party set forth in the said paragraph; the same shall apply in this Article, the succeeding Article, and from Articles 15 to 17.). Such a record, however, may not be kept at each time of provision if personal data has been provided (excluding a provision pursuant to the provisions of Article 23, paragraph (2) of the Act; the same shall apply in this paragraph.) continuously or repeatedly to the third party, or if a certainty has been anticipated that personal data will be provided continuously or repeatedly to the said third party.
(3)Notwithstanding the provisions of the preceding paragraph, in cases where personal data relating to a principal, pursuant to the provisions of Article 23, paragraph (1) or Article 24 of the Act, has been provided to a third party in connection with supplying goods or services to the principal with having his or her consent obtained and when a matter prescribed in each item of paragraph (1) of the succeeding Article is stated in a contract or other document produced in connection with the said supply, such a document may substitute for a record relating to the said matter.
(Matter to be recorded regarding a third-party provision)
Article 13(1)Matters prescribed by rules of the Personal Information Protection Commission under Article 25, paragraph (1) of the Act shall be, in accordance with the categories of those cases set forth in each following item, those matters prescribed in each said item respectively.
(i)cases in which personal data has been provided to a third party pursuant to the provisions of Article 23, paragraph (2) of the Act; a matter set forth in the following (a) to (d)
(a)the date on which the personal data was provided
(b)the name or appellation of the third party or other matter sufficient to identify the said third party (when provided to a large number of unspecified persons, the fact to that effect)
(c)the name of a principal identifiable by the personal data and other matter sufficient to specify the principal
(d)the categories of the personal data
(ii)cases in which personal data has been provided to a third party pursuant to the provisions of Article 23, paragraph (1) or Article 24 of the Act; a matter set forth in the following (a) and (b)
(a)the fact to the effect that a principal's consent has been obtained under Article 23, paragraph (1) or Article 24 of the Act
(b)a matter set forth in (b) to (d) under the preceding item.
(2)Regarding those matters prescribed in each item of the preceding paragraph which are identical in contents to those matters contained in a record already kept by using a method prescribed in the preceding Article (limited to those in the case of such a record having been maintained), a record on the said matters may be omitted.
(A record-maintaining period regarding a third-party provision)
Article 14A period of time prescribed by rules of the Personal Information Protection Commission under Article 25, paragraph (2) of the Act shall be, in accordance with the categories of those cases set forth in each following item, a period of time prescribed in each said item respectively.
(i)cases in which a record was kept by using a method prescribed in the provisions of Article 12, paragraph (3); a period of time up to the day on which one year has passed from the last date of personal data relating to the record having been provided
(ii)cases in which a record was kept by using a method prescribed in the provisions of the proviso under Article 12, paragraph (2); a period of time up to the day on which three years have passed from the last date of personal data relating to the record having been provided
(iii)cases other than the preceding two items; three years
(Confirmation when receiving a third-party provision)
Article 15(1)A method of confirming those matters set forth in Article 26, paragraph (1), item (i) of the Act pursuant to the provisions of the said paragraph shall be a reasonable method such as receiving a declaration from a third party who provides personal data.
(2)A method of confirming those matters set forth in Article 26, paragraph (1), item (ii) of the Act pursuant to the provisions of the said paragraph shall be a reasonable method such as receiving from a third party the production of a contract or other document showing those circumstances under which the personal data was acquired by the third party.
(3)Notwithstanding the provisions of the preceding two paragraphs, a method of confirming those matters which have already been confirmed when receiving the provision of other personal data from a third party (limited to those in cases where a record has been kept and maintained by using a method prescribed in the succeeding Article relating to the confirmation) shall be a method to confirm that the said matters are identical in contents to those matters set forth in each item of Article 26, paragraph (1) relating to the said provision.
(Keeping a record regarding a confirmation when receiving a third-party provision)
Article 16(1)A method of keeping a record under Article 26, paragraph (3) of the Act pursuant to the said paragraph shall be a method to keep it by using a written document, electromagnetic record or microfilm.
(2)A record under Article 26, paragraph (3) of the Act shall be kept promptly at each time when the provision of personal data has been received from a third party. Such a record, however, may not be kept at each time of receipt if the provision of personal data has been received continuously or repeatedly from the third party (excluding a provision pursuant to the provisions of Article 23, paragraph (2) of the Act; hereinafter the same in this Article.), or when a certainty has been anticipated that the provision of personal data will be received continuously or repeatedly from the said third party.
(3)Notwithstanding the provisions of the preceding paragraph, in cases where the provision of personal data relating to a principal has been received from a third party in connection with supplying the principal with goods or services and when a matter prescribed in each item of the succeeding Article, paragraph (1) is stated in a contract or other document produced in connection with the supply, such a document may substitute for a record relating to the matter.
(Matter to be recorded when receiving a third-party provision)
Article 17(1)Matters prescribed by rules of the Personal Information Protection Commission under Article 26, paragraph (3) of the Act shall be, in accordance with the categories of those cases set forth in each following item, those matters prescribed in each said item respectively.
(i)cases in which a personal information handling business operator has received the provision of personal data pursuant to the provisions of Article 23, paragraph (2) of the Act; a matter set forth in the following (a) to (e)
(a)the date on which the provision of personal data was received
(b)a matter set forth in each item of Article 26, paragraph (1) of the Act
(c)the name of a principal identifiable by the personal data and other matters sufficient to specify the principal
(d)the categories of the personal data
(e)the fact to the effect that disclosure has been made pursuant to the provisions of Article 23, paragraph (4) of the Act.
(ii)cases in which a personal information handling business operator has received the provision of personal data pursuant to the provisions of Article 23, paragraph (1) or Article 24 of the Act; a matter set forth in the following (a) and (b)
(a)the fact to the effect that a principal's consent has been obtained under Article 23, paragraph (1) or Article 24 of the Act
(b)a matter set forth in (b) to (d) under the preceding item
(iii)cases in which the provision of personal data has been received from a third party (excluding a person falling within the purview of a personal information handling business operator)
(a)a matter set forth in (b) to (d) under item (i).
(2)Regarding those matters prescribed in each item of the preceding paragraph which are identical in contents to matters contained in a record already kept by using a method prescribed in the preceding Article (limited to those in the case of such a record having been maintained), a record on the said matters may be omitted.
(A record-maintaining period when receiving a third-party provision)
Article 18A period of time prescribed by rules of the Personal Information Protection Commission under Article 26, paragraph (4) of the Act shall be, in accordance with the categories of those cases set forth in each following item, a period of time prescribed in each said item respectively.
(i)cases in which a record was kept by using a method prescribed in Article 16, paragraph (3); a period of time up to the day on which one year has passed from the last date on which the provision of personal data relating to the record was received
(ii)cases in which a record was kept by using a method prescribed in the proviso under Article 16, paragraph (2); a period of time up to the day on which three years have passed from the last date on which the provision of personal data relating to the record was received
(iii)cases other than the preceding two items; three years
(Standards in the methods of producing anonymously processed information)
Article 19Standards prescribed by rules of the Personal Information Protection Commission under Article 36, paragraph (1) of the Act shall be as follows.
(i)deleting a whole or part of those descriptions etc. which can identify a specific individual contained in personal information (including replacing such descriptions etc. with other descriptions etc. using a method with no regularity that can restore the whole or part of descriptions etc.)
(ii)deleting all individual identification codes contained in personal information (including replacing such codes with other descriptions etc. using a method with no regularity that can restore the individual identification codes)
(iii)deleting those codes (limited to those codes linking mutually plural information being actually handled by a personal information handling business operator) which link personal information and information obtained by having taken measures against the personal information (including replacing the said codes with those other codes which cannot link the said personal information and information obtained by having taken measures against the said personal information using a method with no regularity that can restore the said codes)
(iv)deleting idiosyncratic descriptions etc. (including replacing such descriptions etc. with other descriptions etc. using a method with no regularity that can restore the idiosyncratic descriptions etc.)
(v)besides action set forth in each preceding item, taking appropriate action based on the results from considering the attribute etc. of personal information database etc. such as a difference between descriptions etc. contained in personal information and descriptions etc. contained in other personal information constituting the personal information database etc. that encompass the said personal information
(Standards in the security control action concerning processing method etc. related information)
Article 20Standards prescribed by rules of the Personal Information Protection Commission under Article 36, paragraph (2) of the Act shall be as follows.
(i)defining clearly the authority and responsibility of a person handling information relating to those descriptions etc. and individual identification codes which were deleted from personal information used to produce anonymously processed information and information relating to a processing method carried out pursuant to the provisions of Article 36, paragraph (1) (limited to those which can restore the personal information by use of such relating information) (hereinafter referred to as "processing method etc. related information" in this Article.)
(ii)establishing rules and procedures on the handling of processing method etc. related information, handling appropriately processing method etc. related information in accordance with the rules and procedures, evaluating the handling situation, and based on such evaluation results, taking necessary action to seek improvement
(iii)taking necessary and appropriate action to prevent a person with no legitimate authority to handle processing method etc. related information from handling the processing method etc. related information
(Public disclosure by a personal information handling business operator when producing anonymously processed information)
Article 21(1)Public disclosure pursuant to the provisions of Article 36, paragraph (3) of the Act shall, without delay after anonymously processed information has been produced, be made by utilizing the Internet or other appropriate method.
(2)In cases where a personal information handling business operator entrusted by another personal information handling business operator has produced anonymously processed information, the said other personal information handling business operator shall disclose the categories of information relating to an individual contained in the anonymously processed information by a method prescribed in the preceding paragraph. In such cases, it shall be deemed that the public disclosure of the said categories has been made by the said entrusted personal information handling business operator.
(Public Disclosure etc. by a personal information handling business operator when providing anonymously processed information to a third party)
Article 22(1)Public disclosure pursuant to the provisions of Article 36, paragraph (4) of the Act shall be made by utilizing the Internet or other appropriate method.
(2)An explicit statement pursuant to the provisions of Article 36, paragraph (4) of the Act shall be given by sending an e-mail, delivering a written document or employing other appropriate method.
(Public Disclosure etc. by an Anonymously Processed Information Handling Business Operator when Providing Anonymously Processed Information to a Third Party)
Article 23(1)The provisions of the preceding Article, paragraph (1) shall apply mutatis mutandis to public disclosure pursuant to the provisions of Article 37 of the Act.
(2)The provisions of the preceding Article, paragraph (2) shall apply mutatis mutandis to an explicit statement pursuant to the provisions of Article 37 of the Act.
(Notifying a Personal Information Protection Guideline)
Article 24A notification pursuant to the provisions of Article 53, paragraph (2) shall be given in writing in an appended form No. 3.
(Public Disclosure of a Personal Information Protection Guideline by the Personal Information Protection Commission)
Article 25Public disclosure pursuant to the provisions of Article 53, paragraph (3) of the Act shall be made by utilizing the Internet or other appropriate method.
(Public Disclosure of a Personal Information Protection Guideline by an Accredited Personal Information Protection Organization)
Article 26An accredited personal information protection organization shall, without delay after a personal information protection guideline has been disclosed to the public pursuant to the provisions of Article 53, paragraph (3) of the Act, disclose the personal information protection guideline to the public by utilizing the Internet or other appropriate method.