Practical Guidelines on Measures for Managing the Security of Personal Data Under the Guidelines for the Protection of Personal Information in the Financial Sector

April 2022 (Japanese text); February 2017 (English translation)
Personal Information Protection Commission
Financial Services Agency
Table of Contents
I. Implementation of Measures for Managing the Security of Personal Data Specified in Article 8 of the Guidelines for the Protection of Personal Information in the Financial Sector
(1) Development of Basic Policies, Handling Rules, etc. for Managing the Security of Personal Data
1-1 Development of Basic Policies for Managing the Security of Personal Data
1-2 Development of Handling Rules for Managing the Security of Personal Data
1-3 Development of Rules for Inspection and Audit of the Handling Status of Personal Data
1-4 Development of Rules for Entrustment
(2) Development of Implementation Systems for Measures for Managing the Security of Personal Data
1) Institutional Measures for Managing the Security of Personal Data for the Development of Implementation Systems
2-1 Appointment of a Person Responsible for the Management of Personal Data, etc.
2-2 Development of Measures for Managing the Security of Personal Data in Rules of Employment, etc.
2-3 Operation in Line with the Handling Rules for Managing the Security of Personal Data
2-4 Development of Means to Check the Handling Status of Personal Data
2-5 Development and Implementation of Systems for Inspection and Audit of the Handling Status of Personal Data
2-6 Development of Systems for Responding to Cases of Leaking, etc.
2) Personnel Measures for Managing the Security of Personal Data for the Development of Implementation Systems
3-1 Conclusion of a Non-Disclosure Contract Concerning Personal Data with Employees
3-2 Clarification of Roles and Responsibilities of Employees
3-3 Informing All Employees of the Measures for Managing the Security of Personal Data and Education and Training of Employees
3-4 Checking of Employees' Compliance with Predetermined Personal Data Management Procedures
3) Physical Measures for Managing the Security of Personal Data for the Development of Implementation Systems
4-1 Management of the Area in which Personal Data Is Handled, etc.
4-2 Prevention of Theft of Equipment and Electronic Media, etc.
4-3 Prevention of the Leaking, etc. of Personal Data when Carrying Electronic Media, etc.
4-4 Deletion of Personal Data and Disposal of Equipment and Electronic Media, etc.
4) Technological Measures for Managing the Security of Personal Data for the Development of Implementation Systems
5-1 Identification and Authentication of Personal Data Users
5-2 Setting of Management Categories of Personal Data and Access Control
5-3 Management of Authority to Access Personal Data
5-4 Measures to Prevent the Leaking, etc. of Personal Data
5-5 Recording and Analysis of Access to Personal Data
5-6 Recording and Analysis of the Operation Status of Information Systems for Handling of Personal Data
5-7 Monitoring and Audit of the Information Systems for Handling of Personal Data
II. "Supervision of Employees" Specified in Article 9 of the Guidelines for the Protection of Personal Information in the Financial Sector
III. "Supervision of an Entrusted Person" Specified in Article 10 of the Guidelines for the Protection of Personal Information in the Financial Sector
6-1 · 6-2 Criteria for Selecting the Persons to Whom the Handling of Personal Data Is to Be Entrusted in Relation to the Protection of Personal Data
6-3 · 6-4 Terms and Conditions Concerning Security Management to Be Included in Entrustment Contracts
(Attachment 1) Handling Rules for the Security Management at Each Stage Specified in Article 8, paragraph 7 (2) of the Guidelines for the Protection of Personal Information in the Financial Sector
7-1 Handling Rules at the Stage of Acquisition and Input of Data
7-2 Handling Rules at the Stage of Use and Processing of Data
7-3 Handling Rules at the Stage of Storage and Keeping of Data
7-4 Handling Rules at the Stage of Transfer and Sending of Data
7-5 Handling Rules at the Stage of Deletion and Disposal of Data
7-6 Handling Rules at the Time of Responding to a Case of Leaking, etc.
(Attachment 2) Handling of "Sensitive Information" (Including Biometric Information) Specified in Article 5 of the Guidelines for the Protection of Personal Information in the Financial Sector
8-1 · 8-2
(Attachment 3) Management of Members at a Personal Credit Data Institution Specified in Article 2, Paragraph 4 of the Guidelines for the Protection of Personal Information in the Financial Sector
9-1 Eligibility Examination
9-2 Monitoring of Access to Personal Credit Data
9-3 Disposition Against Improper Use
9-4 External Audits
I. Implementation of Measures for Managing the Security of Personal Data Specified in Article 8 of the Guidelines for the Protection of Personal Information in the Financial Sector
(1) Development of Basic Policies, Handling Rules, etc. for Managing the Security of Personal Data
(Development of Basic Policies for Managing the Security of Personal Data)
1-1 A business handling personal information in the financial sector provided in Article 1, paragraph 1 of the Guidelines for the Protection of Personal Information in the Financial Sector (Public Notice of the Personal Information Protection Commission and the Financial Services Agency No. 1 of 2017; hereinafter referred to as the "Guidelines for the Financial Sector") must, under Article 8, paragraph 7 (1) (i) of the Guidelines for the Financial Sector, formulate basic policies for managing the security of personal data that provide the following particulars, disclose the basic policies to the public, and review the basic policies as necessary:
(i) the name of the business handling personal information;
(ii) contact information for the office that handles inquiries and complaints concerning measures for managing the security of personal data;
(iii) a pronouncement concerning the secure management of personal data;
(iv) a pronouncement of continuous improvement of the basic policies; and
(v) a pronouncement of compliance with related laws and regulations.
(Development of Handling Rules for Managing the Security of Personal Data)
1-2 A business handling personal information in the financial sector must, as the "development of handling rules for managing the security of personal data" prescribed in Article 8, paragraph 7 (1) (ii) of the Guidelines for the Financial Sector, develop handling rules for managing the security of personal data at each stage specified in Article 8, paragraph 7 (2) of the Guidelines for the Financial Sector, provide the particulars prescribed in Attachment 1 for each stage, and review the rules as necessary.
However, a business such as a small business in which one person handles personal data at all stages may, instead of establishing handling rules for each stage, provide the following particulars in handling rules for managing the security of personal data that cover all stages:
(i) roles and responsibilities of the person handling personal data;
(ii) limitation of the persons handling personal data; and
(iii) procedures necessary for managing the security of personal data at each stage.
(Development of Rules for Inspection and Audit of the Handling Status of Personal Data)
1-3 A business handling personal information in the financial sector must, under Article 8, paragraph 7 (1) (iii) of the Guidelines for the Financial Sector, develop rules for inspection and audit of the handling status of personal data that provide the following particulars, and review the rules as necessary.
If the business has only one division that handles personal data, it is permissible for the business to conduct inspections instead of audits.
(i) purpose of inspections and audits;
(ii) division that conducts inspections and audits;
(iii) roles and responsibilities of an inspection supervisor and an inspector in charge;
(iv) roles and responsibilities of an audit supervisor and an auditor in charge; and
(v) procedures for inspections and audits.
(Development of Rules for Entrustment)
1-4 A business handling personal information in the financial sector must, under Article 8, paragraph 7 (1) (iv) of the Guidelines for the Financial Sector, develop handling rules for entrustment that provide the following particulars, and review the rules on a regular basis:
(i) criteria for selecting a person to whom the handling of personal data is to be entrusted; and
(ii) terms and conditions concerning security management to be included in an entrustment contract.
(2) Development of Implementation Systems for Measures for Managing the Security of Personal Data
1) Institutional Measures for Managing the Security of Personal Data for the Development of Implementation Systems
A business handling personal information in the financial sector must, under Article 8, paragraph 8 of the Guidelines for the Financial Sector, take the following measures as the "institutional measures for managing the security of personal data" in developing implementation systems for measures for managing the security of personal data:
(i) appointment of a person responsible for the management of personal data, etc.;
(ii) development of measures for managing the security of personal data in rules of employment, etc.;
(iii) operation in line with the handling rules for managing the security of personal data;
(iv) development of means to check the handling status of personal data;
(v) development and implementation of systems for inspection and audit of the handling status of personal data; and
(vi) development of systems for responding to cases of leaking, etc.
(Appointment of a Person Responsible for the Management of Personal Data, etc.)
2-1 A business handling personal information in the financial sector must appoint the following executives as the "appointment of a person responsible for the management of personal data, etc.":
(i) a person responsible for the management of personal data, who has overall responsibility for the execution of operations for managing the security of personal data; and
(ii) a person managing personal data in each division that handles personal data.
However, if the business has only one division that handles personal data, the person responsible for the management of personal data may concurrently serve as the person managing personal data. In a stock company, the person responsible for the management of personal data must be a person responsible for the execution of business, such as a director or executive officer.
(Note) It is desirable that a business handling personal information in the financial sector establish a division, or a committee operating on a collegial basis, that supervises the inspection, improvement, etc. of the handling of personal data as part of the "appointment of a person responsible for the management of personal data, etc.".
2-1-1 A business handling personal information in the financial sector must have the person responsible for the management of personal data specified in 2-1 (i) supervise the following operations:
(i) approval of the rules for managing the security of personal data and of the criteria for selecting persons to whom the handling of personal data is to be entrusted, and informing all relevant persons of those rules and criteria;
(ii) appointment of the persons managing personal data and of the manager of the "identity verification information" specified in 5-1;
(iii) calling for reports from the persons managing personal data and providing them with advice and guidance;
(iv) planning of education and training for managing the security of personal data; and
(v) other particulars relating to the secure management of personal data across the business handling personal information as a whole.
2-1-2 A business handling personal information in the financial sector must have the person managing personal data specified in 2-1 (ii) supervise the following operations:
(i) management of the designation, change, etc. of persons handling personal data;
(ii) approval of requests to use personal data and management of the records thereof, etc.;
(iii) designation, change, etc. of the places where storage media holding personal data are installed;
(iv) management of the setting of and changes to the management categories of personal data and the authority to access it;
(v) understanding of the handling status of personal data;
(vi) supervision of the handling status, etc. of personal data at an entrusted person;
(vii) provision of education and training for managing the security of personal data;
(viii) reporting to the person responsible for the management of personal data; and
(ix) other particulars relating to the secure management of personal data in the division under their supervision.
(Development of Measures for Managing the Security of Personal Data in Rules of Employment, etc.)
2-2 A business handling personal information in the financial sector must, as the "development of measures for managing the security of personal data in rules of employment, etc.," provide the following particulars in its rules of employment, etc. and conclude a non-disclosure contract concerning personal data, etc. with its employees:
(i) roles and responsibilities of employees concerning the handling of personal data; and
(ii) disciplinary action for violations.
(Operation in Line with the Handling Rules for Managing the Security of Personal Data)
2-3 A business handling personal information in the financial sector must, as the "operation in line with the handling rules for managing the security of personal data," develop systems in line with the handling rules for managing the security of personal data, operate them in line with those handling rules, and record and check compliance with the particulars provided in the handling rules.
(Development of Means to Check the Handling Status of Personal Data)
2-4 A business handling personal information in the financial sector must, as the "development of means to check the handling status of personal data," develop a ledger, etc. that includes the following particulars:
(i) items acquired;
(ii) purpose of use;
(iii) storage place, storage method, and retention period;
(iv) managing division; and
(v) status of access control.
(Development and Implementation of Systems for Inspection and Audit of the Handling Status of Personal Data)
2-5 A business handling personal information in the financial sector must, as the "development and implementation of systems for inspection and audit of the handling status of personal data," develop a system under which the division handling personal data conducts inspections itself and conduct those inspections, and develop a system under which persons outside that division conduct audits and conduct those audits.
If the business has only one division that handles personal data, it is permissible for the business to conduct inspections instead of audits.
2-5-1 A business handling personal information in the financial sector must appoint an inspection supervisor and an inspector in charge in the division handling personal data, develop an inspection system by formulating an inspection plan, and conduct regular and unscheduled inspections. If it identifies any violation of the rules or similar issue after an inspection, it must remedy it.
2-5-2 In conducting audits, a business handling personal information in the financial sector must appoint an audit supervisor and an auditor in charge from outside the division whose handling of personal data is to be audited, thereby securing the independence of the auditing body, develop an audit system by formulating an audit plan, and conduct regular and unscheduled audits. If it identifies any violation of the rules or similar issue after an audit, it must remedy it.
Where the audit division itself handles personal data in the course of its auditing work or the like, a person specially appointed by the person responsible for the management of personal data must audit the handling of personal data in that division.
(Note) It is desirable that a business handling personal information in the financial sector have a person with sufficient knowledge of personal data protection measures and of information security measures reflecting the latest technological trends (including, as necessary, a person outside the company with such knowledge) check the company's internal response, with a view to evaluating, reviewing, and improving its measures for managing the security of personal data so as to address new risks.
(Development of Systems for Responding to Cases of Leaking, etc.)
2-6 A business handling personal information in the financial sector must, as the "development of systems for responding to cases of leaking, etc.," develop the following systems:
(i) a division responsible for responding to cases of leaking, etc.;
(ii) a system for investigating the impact, causes, etc. of cases of leaking, etc.;
(iii) a system for examining measures to prevent recurrence and ex-post measures; and
(iv) a system for reporting internally and to parties outside the company.
2) Personnel Measures for Managing the Security of Personal Data for the Development of Implementation Systems
A business handling personal information in the financial sector must, under Article 8, paragraph 8 of the Guidelines for the Financial Sector, take the following measures as the "personnel measures for managing the security of personal data" in developing implementation systems for measures for managing the security of personal data:
(i) conclusion of a non-disclosure contract concerning personal data with employees;
(ii) clarification of roles and responsibilities of employees;
(iii) informing all employees of the measures for managing the security of personal data and education and training of employees; and
(iv) checking of employees' compliance with predetermined personal data management procedures.
(Conclusion of a Non-Disclosure Contract Concerning Personal Data with Employees)
3-1 A business handling personal information in the financial sector must, as the "conclusion of a non-disclosure contract concerning personal data with employees," conclude a non-disclosure contract concerning personal data, etc. with employees at the time of recruitment, etc., and develop rules of employment, etc. that specify disciplinary actions for violations of the non-disclosure contract, etc.
(Clarification of Roles and Responsibilities of Employees)
3-2 A business handling personal information in the financial sector must, as the "clarification of roles and responsibilities of employees," take the following measures:
(i) clarification of the roles and responsibilities of employees concerning the handling of personal data at each stage;
(ii) setting of management categories of personal data and of the authority to access it;
(iii) development of rules of employment, etc. prescribing disciplinary actions for violations; and
(iv) review of rules, etc. as necessary.
(Informing All Employees of the Measures for Managing the Security of Personal Data and Education and Training of Employees)
3-3 A business handling personal information in the financial sector must, as "informing all employees of the measures for managing the security of personal data and education and training of employees," take the following measures:
(i) providing education to employees at the time of recruitment and regular education and training thereafter;
(ii) providing education and training to the person responsible for the management of personal data and the persons managing personal data;
(iii) informing all employees of the disciplinary actions for violations of the rules of employment, etc. for managing the security of personal data; and
(iv) evaluation and regular review of the education and training of employees.
(Checking of Employees' Compliance with Predetermined Personal Data Management Procedures)
3-4 A business handling personal information in the financial sector must, as the "checking of employees' compliance with predetermined personal data management procedures," record and check, in accordance with 2-3, compliance with the particulars specified in the handling rules for managing the security of personal data referred to in 1-2, and conduct inspections and audits in accordance with 2-5.
3) Physical Measures for Managing the Security of Personal Data for the Development of Implementation Systems
A business handling personal information in the financial sector must, under Article 8, paragraph 8 of the Guidelines for the Financial Sector, take the following measures as the "physical measures for managing the security of personal data" in developing implementation systems for measures for managing the security of personal data; provided, however, that this does not apply where the business takes the relevant measures as "institutional measures for managing the security of personal data" or "technological measures for managing the security of personal data":
(i) management of the area in which personal data is handled, etc.;
(ii) prevention of theft of equipment and electronic media, etc.;
(iii) prevention of the leaking, etc. of personal data when carrying electronic media, etc.; and
(iv) deletion of personal data and disposal of equipment and electronic media, etc.
(Management of the Area in which Personal Data Is Handled, etc.)
4-1 A business handling personal information in the financial sector must, as the "management of the area in which personal data is handled, etc.," take the following measures:
(i) entry/exit management, etc. for the controlled area in which important information systems handling personal data, etc. are located;
(ii) restrictions, etc. on the equipment that may be brought into the controlled area; and
(iii) prevention of viewing, etc. by unauthorized persons, through measures such as peeping (shoulder-surfing) prevention.
(Prevention of Theft of Equipment and Electronic Media, etc.)
4-2 A business handling personal information in the financial sector must, as the "prevention of theft of equipment and electronic media, etc.," take the following measures:
(i) storage of equipment, etc. for handling personal data under lock and key or by similar means; and
(ii) securing in place, etc. of equipment that operates information systems handling personal data.
(Prevention of the Leaking, etc. of Personal Data when Carrying Electronic Media, etc.)
4-3 A business handling personal information in the financial sector must, as the "prevention of the leaking, etc. of personal data when carrying electronic media, etc.," take the following measures:
(i) encryption, password protection, etc. of personal data to be carried; and
(ii) sealing of documents, etc., attachment of privacy (masking) stickers, etc.
(Deletion of Personal Data and Disposal of Equipment and Electronic Media, etc.)
4-4 A business handling personal information in the financial sector must, as the "deletion of personal data and disposal of equipment and electronic media, etc.," take the following measures:
(i) deletion of data by means that make it difficult to restore; and
(ii) physical destruction, etc. of documents, etc. on which personal data is written or of equipment, etc. on which personal data is recorded.
4)実施体制の整備に関する技術的安全管理措置
4) Technological Measures for Managing the Security of Personal Data for the Development of Implementation Systems
金融分野における個人情報取扱事業者は、金融分野ガイドライン第8条第8項に基づき、個人データの安全管理措置に係る実施体制の整備における「技術的安全管理措置」として、次に掲げる措置を講じなければならない。
A business handling personal information in the financial sector must take the following measures as "technological measures for managing the security of personal data" for the development of implementation systems for measures for managing the security of personal data under Article 8, paragraph 8 of the Guidelines for the Financial Sector:
① 個人データの利用者の識別及び認証
(i) identification and authentication of personal data users;
② 個人データの管理区分の設定及びアクセス制御
(ii) setting of management categories of personal data and access control;
③ 個人データへのアクセス権限の管理
(iii) management of authority to access personal data;
④ 個人データの漏えい等防止策
(iv) measures to prevent the leaking, etc. of personal data;
⑤ 個人データへのアクセスの記録及び分析
(v) recording and analysis of access to personal data;
⑥ 個人データを取り扱う情報システムの稼動状況の記録及び分析
(vi) recording and analysis of the operation status of information systems for handling of personal data; and
⑦ 個人データを取り扱う情報システムの監視及び監査
(vii) monitoring and audit of the information systems for handling of personal data.
(個人データの利用者の識別及び認証)
(Identification and Authentication of Personal Data Users)
5-1 金融分野における個人情報取扱事業者は、「個人データの利用者の識別及び認証」として、次に掲げる措置を講じなければならない。
5-1 A business handling personal information in the financial sector must take the following measures as "identification and authentication of personal data users":
① 本人確認機能の整備
(i) development of identity verification functions;
② 本人確認に関する情報の不正使用防止機能の整備
(ii) development of functions to prevent unauthorized use of identity verification information; and
③ 本人確認に関する情報が他人に知られないための対策
(iii) measures to prevent identity verification information from being disclosed to others.
(個人データの管理区分の設定及びアクセス制御)
(Setting of Management Categories of Personal Data and Access Control)
5-2 金融分野における個人情報取扱事業者は、「個人データの管理区分の設定及びアクセス制御」として、次に掲げる措置を講じなければならない。
5-2 A business handling personal information in the financial sector must take the following measures as "setting of management categories of personal data and access control":
① 従業者の役割・責任に応じた管理区分及びアクセス権限の設定
(i) setting of management categories of and authority to access personal data according to the roles and responsibilities of its employees;
② 事業者内部における権限外者に対するアクセス制御
(ii) control of access to personal data by unauthorized persons within the business; and
③ 外部からの不正アクセスの防止措置
(iii) measures for preventing unauthorized access by outsiders.
5-2-1 金融分野における個人情報取扱事業者は、「外部からの不正アクセスの防止措置」として、次に掲げる措置を講じなければならない。
5-2-1 A business handling personal information in the financial sector must take the following measures as "measures for preventing unauthorized access by outsiders":
① アクセス可能な通信経路の限定
(i) limitations on accessible communication channels;
② 外部ネットワークからの不正侵入防止機能の整備
(ii) development of functions to prevent intrusion from external networks;
③ 不正アクセスの監視機能の整備
(iii) development of functions to monitor unauthorized access; and
④ ネットワークによるアクセス制御機能の整備
(iv) development of network-based access control functions.
(個人データへのアクセス権限の管理)
(Management of Authority to Access Personal Data)
5-3 金融分野における個人情報取扱事業者は、「個人データへのアクセス権限の管理」として、次に掲げる措置を講じなければならない。
5-3 A business handling personal information in the financial sector must take the following measures as "management of authority to access personal data":
① 従業者に対する個人データへのアクセス権限の適切な付与及び見直し
(i) appropriate granting of authority to access personal data to its employees and review thereof;
② 個人データへのアクセス権限を付与する従業者数を必要最小限に限定すること
(ii) limitation of the number of employees to whom authority to access personal data is granted to the minimum necessary; and
③ 従業者に付与するアクセス権限を必要最小限に限定すること
(iii) limitation of the authority to access that is granted to its employees to the minimum necessary.
(個人データの漏えい等防止策)
(Measures to Prevent the Leaking, etc. of Personal Data)
5-4 金融分野における個人情報取扱事業者は、「個人データの漏えい等防止策」として、個人データの保護策を講ずることとともに、障害発生時の技術的対応・復旧手続を整備しなければならない。
5-4 A business handling personal information in the financial sector must, as "measures to prevent the leaking, etc. of personal data," take measures to protect personal data and develop technical response and recovery procedures for when a failure occurs.
5-4-1 金融分野における個人情報取扱事業者は、「個人データの保護策を講ずること」として、次に掲げる措置を講じなければならない。
5-4-1 A business handling personal information in the financial sector must take the following measures as "measures to protect personal data":
① 蓄積データの漏えい等防止策
(i) preventive measures against the leaking, etc. of data at rest;
② 伝送データの漏えい等防止策
(ii) preventive measures against the leaking, etc. of transmitted data; and
③ コンピュータウイルス等不正プログラムへの防御対策
(iii) protective measures against computer viruses and other malicious programs.
5-4-2 金融分野における個人情報取扱事業者は、「障害発生時の技術的対応・復旧手続の整備」として、次に掲げる措置を講じなければならない。
5-4-2 A business handling personal information in the financial sector must take the following measures as "development of technical response and recovery procedures for when a failure occurs":
① 不正アクセスの発生に備えた対応・復旧手続の整備
(i) development of response and recovery procedures in preparation for the occurrence of unauthorized access;
② コンピュータウイルス等不正プログラムによる被害時の対策
(ii) measures to be taken in the event of damage caused by computer viruses and other malicious programs; and
③ リカバリ機能の整備
(iii) development of recovery functions.
(個人データへのアクセスの記録及び分析)
(Recording and Analysis of Access to Personal Data)
5-5 金融分野における個人情報取扱事業者は、「個人データへのアクセスの記録及び分析」として、個人データへのアクセスや操作を記録するとともに、当該記録の分析・保存を行わなければならない。また、不正が疑われる異常な記録の存否を定期的に確認しなければならない。
5-5 A business handling personal information in the financial sector must, as "recording and analysis of access to personal data," record access to and manipulation of personal data and analyze and keep those records. It must also regularly check whether any anomalous records exist that give rise to a suspicion of improper activity.
(個人データを取り扱う情報システムの稼動状況の記録及び分析)
(Recording and Analysis of the Operation Status of Information Systems for Handling of Personal Data)
5-6 金融分野における個人情報取扱事業者は、「個人データを取り扱う情報システムの稼動状況の記録及び分析」として、個人データを取り扱う情報システムの稼動状況を記録するとともに、当該記録の分析・保存を行わなければならない。
5-6 A business handling personal information in the financial sector must record the operation status of information systems for handling of personal data as "recording and analysis of the operation status of information systems for handling of personal data" and analyze and keep the relevant records.
(個人データを取り扱う情報システムの監視及び監査)
(Monitoring and Audit of the Information Systems for Handling of Personal Data)
5-7 金融分野における個人情報取扱事業者は、「個人データを取り扱う情報システムの監視及び監査」として、個人データを取り扱う情報システムの利用状況、個人データへのアクセス状況及び情報システムへの外部からのアクセス状況を5-5及び5-6により監視するとともに、監視システムの動作の定期的な確認等、監視状況についての点検及び監査を行わなければならない。また、セキュリティパッチの適用や情報システム固有の脆弱性の発見・その修正等、ソフトウェアに関する脆弱性対策を行わなければならない。
5-7 A business handling personal information in the financial sector must, as "monitoring and audit of the information systems for handling of personal data," monitor the status of use of the information systems for handling of personal data, the status of access to personal data, and the status of access to the information systems from outside in accordance with 5-5 and 5-6, and must also conduct inspections and audits of the monitoring status, such as regularly checking the operation of the monitoring system. It must also take measures against software vulnerabilities, including applying security patches and finding and fixing vulnerabilities specific to its information systems.
Ⅱ.金融分野における個人情報保護に関するガイドライン第9条に定める「従業者の監督」 について
II. "Supervision of Employees" Specified in Article 9 of the Guidelines for the Protection of Personal Information in the Financial Sector
金融分野における個人情報取扱事業者は、金融分野ガイドライン第9条に基づき、「Ⅰ.(2)2)実施体制の整備に関する人的安全管理措置」に規定する措置を講ずることにより、従業者に対し「必要かつ適切な監督」を行わなければならない。
A business handling personal information in the financial sector must exercise "necessary and adequate supervision" over its employees by taking the measures provided in "I.(2) 2) Personnel Measures for Managing the Security of Personal Data for the Development of Implementation Systems," under Article 9 of the Guidelines for the Financial Sector.
Ⅲ.金融分野における個人情報保護に関するガイドライン第10条に定める「委託先の監督」について
III. "Supervision of an Entrusted Person" Specified in Article 10 of the Guidelines for the Protection of Personal Information in the Financial Sector
金融分野における個人情報取扱事業者は、金融分野ガイドライン第10条第3項に基づき、個人データを適正に取り扱っていると認められる者を選定し、個人データの取扱いを委託するとともに、委託先における当該個人データに対する安全管理措置の実施を確保しなければならない。
A business handling personal information in the financial sector must select a person that is found to be properly handling personal data, and entrust the handling of personal data thereto, and secure the implementation of measures for managing the security of the personal data by the entrusted person, pursuant to the provisions of Article 10, paragraph 3 of the Guidelines for the Financial Sector.
(個人データ保護に関する委託先選定の基準)
(Criteria for Selecting the Persons to Whom the Handling of Personal Data Is to Be Entrusted in Relation to Protection of Personal Data)
6-1 金融分野における個人情報取扱事業者は、個人データの取扱いを委託する場合には、金融分野ガイドライン第10条第3項①に基づき、次に掲げる事項を委託先選定の基準として定め、当該基準に従って委託先を選定するとともに、当該基準を定期的に見直さなければならない。
6-1 If a business handling personal information in the financial sector entrusts the handling of personal data, it must provide the following particulars as the criteria for selecting the persons to whom the handling of personal data is to be entrusted based on the requirements referred to in Article 10, paragraph 3 (i) of the Guidelines for the Financial Sector, and select such persons in accordance with the relevant criteria and must review the criteria on a regular basis:
① 委託先における個人データの安全管理に係る基本方針・取扱規程等の整備
(i) development of basic policies, handling rules, etc. for managing the security of personal data by the entrusted person;
② 委託先における個人データの安全管理に係る実施体制の整備
(ii) development of systems for managing the security of personal data by the entrusted person;
③ 実績等に基づく委託先の個人データ安全管理上の信用度
(iii) credibility of the entrusted person in terms of security management of personal data, based on its track record, etc.; and
④ 委託先の経営の健全性
(iv) soundness of the management of the entrusted person.
6-1-1 委託先選定の基準においては、「委託先における個人データの安全管理に係る基本方針・取扱規程等の整備」として、次に掲げる事項を定めなければならない。
6-1-1 Criteria for selecting the persons to whom the handling of personal data is to be entrusted must provide the following particulars as the "development of basic policies, handling rules, etc. for managing the security of personal data by the entrusted person":
① 委託先における個人データの安全管理に係る基本方針の整備
(i) development of basic policies for managing the security of personal data by the entrusted person;
② 委託先における個人データの安全管理に係る取扱規程の整備
(ii) development of handling rules for managing the security of personal data by the entrusted person;
③ 委託先における個人データの取扱状況の点検及び監査に係る規程の整備
(iii) development of rules for inspection and audit of the handling status of personal data by the entrusted person; and
④ 委託先における外部委託に係る規程の整備
(iv) development of rules for entrustment by the entrusted person.
6-1-2 委託先選定の基準においては、「委託先における個人データの安全管理に係る実施体制の整備」として、Ⅰ.(2)1)の組織的安全管理措置、同2)の人的安全管理措置、同3)の物理的安全管理措置、同4)の技術的安全管理措置及び金融分野ガイドライン第8条第6項の外的環境の把握に記載された事項を定めるとともに、委託先から再委託する場合の再委託先の個人データの安全管理に係る実施体制の整備状況に係る基準を定めなければならない。
6-1-2 Criteria for selecting the persons to whom the handling of personal data is to be entrusted must, as "development of systems for managing the security of personal data by the entrusted person," provide the particulars prescribed in the institutional measures referred to in I. (2) 1), the personnel measures referred to in I. (2) 2), the physical measures referred to in I. (2) 3), the technological measures referred to in I. (2) 4), and the identification of the external environment referred to in Article 8, paragraph 6 of the Guidelines for the Financial Sector, and must also establish criteria for the status of development of systems for managing the security of personal data by the further entrusted person where the entrusted person further entrusts the handling of the personal data.
6-2 金融分野における個人情報取扱事業者は、6-3に基づき、委託契約後に委託先選定の基準に定める事項の委託先における遵守状況を定期的又は随時に確認するとともに、委託先が当該基準を満たしていない場合には、委託先が当該基準を満たすよう監督しなければならない。
6-2 A business handling personal information in the financial sector must check whether an entrusted person complies with the particulars provided in the criteria for selecting the persons to whom the handling of personal data is to be entrusted regularly or as needed based on the requirements referred to in 6-3 after signing the entrustment contract, and if the entrusted person does not meet those criteria, the business must supervise the entrusted person so as to meet the relevant criteria.
(委託契約において盛り込むべき安全管理に関する内容)
(Terms and Conditions Concerning Security Management to Be Included in Entrustment Contracts)
6-3 金融分野における個人情報取扱事業者は、委託契約において、次に掲げる安全管理に関する事項を盛り込まなければならない。
6-3 A business handling personal information in the financial sector must include the following particulars concerning security management in an entrustment contract:
① 委託者の監督・監査・報告徴収に関する権限
(i) the entrustor's authority to supervise and audit the entrusted person and to require reports from it;
② 委託先における個人データの漏えい等の防止及び目的外利用の禁止
(ii) prevention of the leaking, etc. of personal data by the entrusted person and prohibition of its use for any purpose other than the purpose of use;
③ 再委託に関する条件
(iii) conditions concerning further entrustment of the handling of personal data; and
④ 漏えい等事案が発生した場合の委託先の責任
(iv) responsibility of the entrusted person in the event of a case of leaking, etc.
(注)
(Notes)
・金融分野における個人情報取扱事業者は、「再委託に関する条件」として、再委託の可否及び再委託を行うに当たっての委託元への文書による事前報告又は承認手続等を、委託契約に盛り込むことが望ましい。
· It is desirable for a business handling personal information in the financial sector to include in an entrustment contract, as the "conditions concerning further entrustment of the handling of personal data," whether or not further entrustment is permitted and matters such as prior written reporting to, or a prior approval process by, the entrusting person when further entrustment is made.
・金融分野における個人情報取扱事業者は、委託先において個人データを取り扱う者の氏名・役職又は部署名を、委託契約に盛り込むことが望ましい。
· It is desirable for a business handling personal information in the financial sector to include in an entrustment contract the name and title, or the name of the division, of the persons handling personal data at the entrusted person.
6-4 金融分野における個人情報取扱事業者は、6-3に基づき、定期的に監査を行う等により、定期的又は随時に委託先における委託契約上の安全管理措置等の遵守状況を確認するとともに、当該契約内容が遵守されていない場合には、委託先が当該契約内容を遵守するよう監督しなければならない。また、金融分野における個人情報取扱事業者は、定期的に委託契約に盛り込む安全管理措置を見直さなければならない。
6-4 A business handling personal information in the financial sector must check whether an entrusted person complies with the measures for managing the security of personal data, etc. included in the entrustment contract, regularly or as needed, by conducting audits regularly, etc. based on the requirements referred to in 6-3. Moreover, if the entrusted person does not comply with the terms and conditions of the contract, the business must supervise the entrusted person so that the entrusted person complies with the terms and conditions of the contract. A business handling personal information in the financial sector must also review the measures for managing the security of personal data included in an entrustment contract regularly.
(別添1)金融分野における個人情報保護に関するガイドライン第8条第7項(2)に定める各管理段階における安全管理に係る取扱規程について
(Attachment 1) Handling Rules for the Security Management at Each Stage Specified in Article 8, paragraph 7 (2) of the Guidelines for the Protection of Personal Information in the Financial Sector
金融分野における個人情報取扱事業者は、1-2に基づき、各管理段階ごとの安全管理に係る取扱規程において、7-1から7-6-1までの事項を定めなければならない。
A business handling personal information in the financial sector must provide the particulars referred to in 7-1 through 7-6-1 under the handling rules for security management at each stage, based on the requirements referred to in 1-2.
(取得・入力段階における取扱規程)
(Handling Rules at the Stage of Acquisition and Input of Data)
7-1 金融分野における個人情報取扱事業者は、取得・入力段階における取扱規程において、次に掲げる事項を定めなければならない。
7-1 A business handling personal information in the financial sector must provide the following particulars under the handling rules at the stage of acquisition and input of data:
① 取得・入力に関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning acquisition and input of the data;
② 取得・入力に関する取扱者の限定
(ii) limitation of the persons handling personal data concerning acquisition and input of the data;
③ 取得・入力の対象となる個人データの限定
(iii) limitations on the personal data to be acquired and input;
④ 取得・入力時の照合及び確認手続
(iv) matching and checking procedures at the time of acquiring and inputting personal data;
⑤ 取得・入力の規程外作業に関する申請及び承認手続
(v) requesting and approval procedures for the acquisition and input of personal data that are not specified in the rules;
⑥ 機器・記録媒体等の管理手続
(vi) management procedures for equipment, recording media, etc.;
⑦ 個人データへのアクセス制御
(vii) control of access to personal data; and
⑧ 取得・入力状況の記録及び分析
(viii) recording and analysis of the status of personal data acquisition and input.
(注)金融分野における個人情報取扱事業者は、取得・入力段階における取扱規程について、「個人データへのアクセス制御」として、次に掲げる事項を定めることが望ましい。
(Note) It is desirable for a business handling personal information in the financial sector to provide the following particulars under the handling rules at the stage of acquisition and input of data as "control of access to personal data":
① 入館(室)者による不正行為の防止のための、業務実施場所及び情報システム等の設置場所の入退館(室)管理の実施
(i) building (room) entry/exit management in the place where operations are conducted and the place where information systems, etc. are installed in order to prevent a person entering the building (room) from committing an improper act
(例)入退館(室)の記録の保存
(e.g.) keeping of the building (room) entry record
② 盗難等の防止のための措置
(ii) preventive measures for theft, etc.
(例)カメラによる撮影や作業への立会い等による記録又はモニタリングの実施
(e.g.) recording or monitoring persons by filming or photographing with a camera, or by attending the operations, etc.
(例)記録機能を持つ媒体の持込み・持出し禁止又は検査の実施
(e.g.) prohibiting media with a recording function from being brought into or taken out of the building (room), or inspecting such media
③ 不正な操作を防ぐための、個人データを取り扱う端末に付与する機能の、業務上の必要性に基づく限定
(iii) limiting the functions given to terminals used for handling personal data to those required for operations, in order to prevent unauthorized manipulation
(例)スマートフォン、パソコン等の記録機能を有する機器の接続の制限及び機器の更新への対応
(e.g.) restricting the connection of devices with a recording function, such as smartphones and computers, and keeping such restrictions up to date as equipment is replaced
(利用・加工段階における取扱規程)
(Handling Rules at the Stage of Use and Processing of Data)
7-2 金融分野における個人情報取扱事業者は、利用・加工段階における取扱規程において、組織的安全管理措置及び技術的安全管理措置を定めなければならない。
7-2 A business handling personal information in the financial sector must provide institutional measures for managing the security of personal data and technological measures for managing the security of personal data under the handling rules at the stage of use and processing of data.
7-2-1 利用・加工段階における取扱規程に関する組織的安全管理措置は、次に掲げる事項を含まなければならない。
7-2-1 Institutional measures for managing the security of personal data concerning the handling rules at the stage of use and processing of data must include the following particulars:
① 利用・加工に関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning use and processing of the data;
② 利用・加工に関する取扱者の限定
(ii) limitation of the number of persons handling personal data who use and process the data;
③ 利用・加工の対象となる個人データの限定
(iii) limitations on personal data to be used and processed;
④ 利用・加工時の照合及び確認手続
(iv) matching and checking procedures at the time of using and processing personal data;
⑤ 利用・加工の規程外作業に関する申請及び承認手続
(v) requesting and approval procedures for the use and processing of personal data that are not specified in the rules;
⑥ 機器・記録媒体等の管理手続
(vi) management procedures for equipment, recording media, etc.;
⑦ 個人データへのアクセス制御
(vii) control of access to personal data;
⑧ 個人データの管理区域外への持出しに関する上乗せ措置
(viii) additional measures against physically transferring personal data outside the area in which personal data is managed; and
⑨ 利用・加工状況の記録及び分析
(ix) recording and analysis of the status of use and processing of personal data.
(注)金融分野における個人情報取扱事業者は、利用・加工段階における取扱規程について、「個人データへのアクセス制御」として、次に掲げる事項を定めることが望ましい。
(Note) It is desirable for a business handling personal information in the financial sector to provide the following particulars concerning the handling rules at the stage of use and processing of data as "control of access to personal data":
① 入館(室)者による不正行為の防止のための、業務実施場所及び情報システム等の設置場所の入退館(室)管理の実施
(i) building (room) entry/exit management in the place where operations are conducted and the place where information systems, etc. are installed in order to prevent a person entering the building (room) from committing an improper act
(例)入退館(室)の記録の保存
(e.g.) keeping of the building (room) entry record
② 盗難等の防止のための措置
(ii) preventive measures for theft, etc.
(例)カメラによる撮影や作業への立会い等による記録又はモニタリングの実施
(e.g.) recording or monitoring persons by filming or photographing with a camera, or by attending the operations, etc.
(例)記録機能を持つ媒体の持込み・持出し禁止又は検査の実施
(e.g.) prohibiting media with a recording function from being brought into or taken out of the building (room), or inspecting such media
③ 不正な操作を防ぐための、個人データを取り扱う端末に付与する機能の、業務上の必要性に基づく限定
(iii) limiting the functions given to terminals used for handling personal data to those required for operations, in order to prevent unauthorized manipulation
(例)スマートフォン、パソコン等の記録機能を有する機器の接続の制限及び機器の更新への対応
(e.g.) restricting the connection of devices with a recording function, such as smartphones and computers, and keeping such restrictions up to date as equipment is replaced
7-2-1-1 「個人データの管理区域外への持出しに関する上乗せ措置」は、次に掲げる事項を含まなければならない。
7-2-1-1 "Additional measures against physically transferring personal data outside the area in which personal data is managed" must include the following particulars:
① 個人データの管理区域外への持出しに関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning physical transfer of the data outside the area in which personal data is managed;
② 個人データの管理区域外への持出しに関する取扱者の必要最小限の限定
(ii) limitation of the number of persons handling personal data who physically transfer personal data outside the area in which personal data is managed to the minimum necessary;
③ 個人データの管理区域外への持出しの対象となる個人データの必要最小限の限定
(iii) limitation of the personal data to be physically transferred outside the area in which personal data is managed to the minimum necessary;
④ 個人データの管理区域外への持出し時の照合及び確認手続
(iv) matching and checking procedures at the time of physically transferring personal data outside the area in which personal data is managed;
⑤ 個人データの管理区域外への持出しに関する申請及び承認手続
(v) requesting and approval procedures for physically transferring personal data outside the area in which personal data is managed;
⑥ 機器・記録媒体等の管理手続
(vi) management procedures for equipment, recording media, etc.; and
⑦ 個人データの管理区域外への持出し状況の記録及び分析
(vii) recording and analysis of the status of physical transfer of personal data outside the area in which personal data is managed.
7-2-2 利用・加工段階における取扱規程に関する技術的安全管理措置は、次に掲げる事項を含まなければならない。
7-2-2 Technological measures for managing the security of personal data concerning the handling rules at the stage of use and processing of data must include the following particulars:
① 個人データの利用者の識別及び認証
(i) identification and authentication of personal data users;
② 個人データの管理区分の設定及びアクセス制御
(ii) setting of management categories of personal data and access control;
③ 個人データへのアクセス権限の管理
(iii) management of authority to access personal data;
④ 個人データの漏えい等防止策
(iv) measures to prevent the leaking, etc. of personal data;
⑤ 個人データへのアクセス記録及び分析
(v) recording and analysis of access to personal data; and
⑥ 個人データを取り扱う情報システムの稼動状況の記録及び分析
(vi) recording and analysis of the operation status of information systems for handling of personal data.
(保管・保存段階における取扱規程)
(Handling Rules at the Stage of Storage and Keeping of Data)
7-3 金融分野における個人情報取扱事業者は、保管・保存段階における取扱規程において、組織的安全管理措置及び技術的安全管理措置を定めなければならない。
7-3 A business handling personal information in the financial sector must establish institutional measures for managing the security of personal data and technological measures for managing the security of personal data under the handling rules at the stage of storage and keeping of data.
7-3-1 保管・保存段階における取扱規程に関する組織的安全管理措置は、次に掲げる事項を含まなければならない。
7-3-1 Institutional measures for managing the security of personal data concerning the handling rules at the stage of storage and keeping of data must include the following particulars:
① 保管・保存に関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning storage and keeping of the data;
② 保管・保存に関する取扱者の限定
(ii) limitation of the number of persons handling personal data who store and keep the data;
③ 保管・保存の対象となる個人データの限定
(iii) limitations on personal data to be stored and retained;
④ 保管・保存の規程外作業に関する申請及び承認手続
(iv) requesting and approval procedures for the storage and keeping of personal data that are not specified in the rules;
⑤ 機器・記録媒体等の管理手続
(v) management procedures for equipment, recording media, etc.;
⑥ 個人データへのアクセス制御
(vi) control of access to personal data;
⑦ 保管・保存状況の記録及び分析
(vii) recording and analysis of the status of storage and keeping of personal data; and
⑧ 保管・保存に関する障害発生時の対応・復旧手続
(viii) response and recovery procedures for failures occurring in the storage and keeping of personal data.
(注)金融分野における個人情報取扱事業者は、保管・保存段階における取扱規程について、「個人データへのアクセス制御」として、次に掲げる事項を定めることが望ましい。
(Note) It is desirable for a business handling personal information in the financial sector to provide the following particulars under the handling rules at the stage of storage and keeping of data as "control of access to personal data":
① 入館(室)者による不正行為の防止のための、業務実施場所及び情報システム等の設置場所の入退館(室)管理の実施
(i) building (room) entry/exit management in the place where operations are conducted and the place where information systems, etc. are installed in order to prevent a person entering the building (room) from committing an improper act
(例)入退館(室)の記録の保存
(e.g.) keeping of the building (room) entry record
② 盗難等の防止のための措置
(ii) preventive measures for theft, etc.
(例)カメラによる撮影や作業への立会い等による記録又はモニタリングの実施
(e.g.) recording or monitoring persons by filming or photographing with a camera, or by attending the operations, etc.
(例)記録機能を持つ媒体の持込み・持出し禁止又は検査の実施
(e.g.) prohibiting media with a recording function from being brought into or taken out of the building (room), or inspecting such media
③ 不正な操作を防ぐための、個人データを取り扱う端末に付与する機能の、業務上の必要性に基づく限定
(iii) limiting the functions given to terminals used for handling personal data to those required for operations, in order to prevent unauthorized manipulation
(例)スマートフォン、パソコン等の記録機能を有する機器の接続の制限及び機器の更新への対応
(e.g.) restricting the connection of devices with a recording function, such as smartphones and computers, and keeping such restrictions up to date as equipment is replaced
7-3-2 保管・保存段階における取扱規程に関する技術的安全管理措置は、次に掲げる事項を含まなければならない。
7-3-2 Technological measures for managing the security of personal data concerning the handling rules at the stage of storage and keeping of data must include the following particulars:
① 個人データの利用者の識別及び認証
(i) identification and authentication of personal data users;
② 個人データの管理区分の設定及びアクセス制御
(ii) setting of management categories of personal data and access control;
③ 個人データへのアクセス権限の管理
(iii) management of authority to access personal data;
④ 個人データの漏えい等防止策
(iv) measures to prevent the leaking, etc. of personal data;
⑤ 個人データへのアクセス記録及び分析
(v) recording and analysis of access to personal data; and
⑥ 個人データを取り扱う情報システムの稼動状況の記録及び分析
(vi) recording and analysis of the operation status of information systems for handling of personal data.
(移送・送信段階における取扱規程)
(Handling Rules at the Stage of Transfer and Sending of Data)
7-4 金融分野における個人情報取扱事業者は、移送・送信段階における取扱規程において、組織的安全管理措置及び技術的安全管理措置を定めなければならない。
7-4 A business handling personal information in the financial sector must provide institutional measures for managing the security of personal data and technological measures for managing the security of personal data under the handling rules at the stage of transfer and sending of data.
7-4-1 移送・送信段階における取扱規程に関する組織的安全管理措置は、次に掲げる事項を含まなければならない。
7-4-1 Institutional measures for managing the security of personal data concerning the handling rules at the stage of transfer and sending of data must include the following particulars:
① 移送・送信に関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning transfer and sending of the data;
② 移送・送信に関する取扱者の限定
(ii) limitation of the number of persons handling personal data who transfer and send the data;
③ 移送・送信の対象となる個人データの限定
(iii) limitations on personal data to be transferred and sent;
④ 移送・送信時の照合及び確認手続
(iv) matching and checking procedures at the time of transferring and sending personal data;
⑤ 移送・送信の規程外作業に関する申請及び承認手続
(v) requesting and approval procedures for the transfer and sending of personal data that are not specified in the rules;
⑥ 個人データへのアクセス制御
(vi) control of access to personal data;
⑦ 移送・送信状況の記録及び分析
(vii) recording and analysis of the status of transfer and sending of personal data; and
⑧ 移送・送信に関する障害発生時の対応・復旧手続
(viii) response and recovery procedures for failures occurring in the transfer or sending of personal data.
7-4-2 移送・送信段階における取扱規程に関する技術的安全管理措置は、次に掲げる事項を含まなければならない。
7-4-2 Technological measures for managing the security of personal data concerning the handling rules at the stage of transfer and sending of data must include the following particulars:
① 個人データの利用者の識別及び認証
(i) identification and authentication of personal data users;
② 個人データの管理区分の設定及びアクセス制御
(ii) setting of management categories of personal data and access control;
③ 個人データへのアクセス権限の管理
(iii) management of authority to access personal data;
④ 個人データの漏えい等防止策
(iv) measures to prevent the leaking, etc. of personal data; and
⑤ 個人データへのアクセス記録及び分析
(v) recording and analysis of access to personal data.
(消去・廃棄段階における取扱規程)
(Handling Rules at the Stage of Deletion and Disposal of Data)
7-5 金融分野における個人情報取扱事業者は、消去・廃棄段階における取扱規程において、次に掲げる事項を定めなければならない。
7-5 A business handling personal information in the financial sector must provide the following particulars under the handling rules at the stage of deletion and disposal of data:
① 消去・廃棄に関する取扱者の役割・責任
(i) roles and responsibilities of a person handling personal data concerning deletion and disposal of the data;
② 消去・廃棄に関する取扱者の限定
(ii) limitation of the number of persons handling personal data who delete and dispose of the data;
③ 消去・廃棄時の照合及び確認手続
(iii) matching and checking procedures at the time of deletion and disposal of personal data;
④ 消去・廃棄の規程外作業に関する申請及び承認手続
(iv) requesting and approval procedures for the deletion and disposal of personal data that are not specified in the rules;
⑤ 機器・記録媒体等の管理手続
(v) management procedures for equipment, recording media, etc.;
⑥ 個人データへのアクセス制御
(vi) control of access to personal data; and
⑦ 消去・廃棄状況の記録及び分析
(vii) recording and analysis of the status of deletion and disposal of personal data.
(漏えい等事案への対応の段階における取扱規程)
(Handling Rules at the Time of Responding to a Case of Leaking, etc.)
7-6 金融分野における個人情報取扱事業者は、漏えい等事案への対応の段階における取扱規程において、次に掲げる事項を定めなければならない。
7-6 A business handling personal information in the financial sector must provide the following particulars under the handling rules at the time of responding to a case of leaking, etc.:
① 対応部署の役割・責任
(i) roles and responsibilities of the division responding to cases of leaking, etc.;
② 漏えい等事案への対応に関する取扱者の限定
(ii) limitation of the number of persons handling personal data who respond to cases of leaking, etc.;
③ 漏えい等事案への対応の規程外作業に関する申請及び承認手続
(iii) requesting and approval procedures for responses to cases of leaking, etc. that are not specified in the rules;
④ 漏えい等事案の影響・原因等に関する調査手続
(iv) procedures for investigating the impacts, causes, etc. of cases of leaking, etc.;
⑤ 再発防止策・事後対策の検討に関する手続
(v) procedures for considering measures to prevent recurrence and ex-post measures;
⑥ 自社内外への報告に関する手続
(vi) procedures for reporting internally and to parties outside the company; and
⑦ 漏えい等事案への対応状況の記録及び分析
(vii) recording and analysis of the status of responses to cases of leaking, etc.
7-6-1 自社内外への報告に関する手続は、次に掲げる事項を含まなければならない。
7-6-1 The procedures for reporting internally and to parties outside the company must include the following particulars:
① 個人情報保護委員会又は監督当局への報告
(i) reporting of the case to the Personal Information Protection Commission or the supervisory authority;
② 本人への通知等
(ii) notification, etc. to the principal (the individual concerned); and
③ 二次被害の防止・類似事案の発生回避等の観点からの漏えい等事案の事実関係及び再発防止策等の速やかな公表
(iii) prompt disclosure of the facts concerning cases of leaking, etc. and preventive measures, etc. to the public from the perspective of preventing secondary damage or the occurrence of any similar cases.
(注) 金融分野における個人情報取扱事業者は、個人情報の保護に関する法律施行規則(平成28年個人情報保護委員会規則第3号)第7条各号に定める事態を知ったときは、個人情報の保護に関する法律(平成15年法律第57号)第26条及び個人情報の保護に関する法律についてのガイドライン(通則編)(平成28年個人情報保護委員会告示第6号)3-5-3及び3-5-4に従い、必要な措置を講ずる必要があるため、この点に留意して上記手続を定めること。
(Note) If a business handling personal information in the financial sector learns about any of the situations specified in the items of Article 7 of the Enforcement Rules for the Act on the Protection of Personal Information (Rules of the Personal Information Protection Commission No. 3 of 2016), it needs to take necessary measures in accordance with the Article 26 of the Act on the Protection of Personal Information (Act No. 57 of 2003) and 3-5-3 and 3-5-4 of the Guidelines on the Act on the Protection of Personal Information (Volume on General Rules) (Public Notice of the Personal Information Protection Commission No. 6 of 2016). Therefore, the business is to provide for the procedures above by taking this point into consideration.
(Attachment 2) Handling of "Sensitive Information" (Including Biometric Information) Specified in Article 5 of the Guidelines for the Protection of Personal Information in the Financial Sector
Pursuant to Article 5 of the Guidelines for the Financial Sector, a business handling personal information in the financial sector is not to acquire, use, or provide to a third party sensitive information except in the cases set forth in the items of paragraph 1 of that Article, and, pursuant to paragraph 2 of that Article, so as not to acquire, use, or provide to a third party such information beyond the grounds set forth in the items of paragraph 1 of that Article, is to implement the measures provided in 8-1, 8-1-1, 8-1-2, 8-1-3, 8-1-4, 8-1-5 and 8-2 in addition to the measures provided in I through III of these Practical Guidelines. Moreover, with regard to the handling of biometric information that falls under the category of sensitive information (among physical characteristics used for automatic authentication by machines, information that is not publicly known; the same applies hereinafter), the business must implement all the measures provided in Attachment 2.
8-1 A business handling personal information in the financial sector is to develop rules on the handling of sensitive information within the "handling rules for managing the security of personal data at each stage of management" provided in 1-2, and is to review those rules as necessary in light of the state of information and communications technology, etc.
8-1-1 With regard to the handling of sensitive information, a business handling personal information in the financial sector is to provide the following particulars, in addition to those provided in 7-1, in the handling rules for the stage of acquisition and input provided in 7-1:
(i) acquisition only in the cases specified in the items of Article 5, paragraph 1 of the Guidelines for the Financial Sector;
(ii) limitation of the persons who handle acquisition and input to the minimum necessary; and
(iii) where the consent of the identifiable person is required for acquisition, the obtaining of that consent and the matters to be explained to the identifiable person.
8-1-1-1 With regard to the handling of biometric information that falls under the category of sensitive information, the handling rules for the stage of acquisition and input must include the following particulars, in addition to those provided in 8-1-1:
(i) measures to prevent registration by impersonation;
(ii) acquisition of only the minimum biometric information necessary for identity verification; and
(iii) prompt deletion of the underlying biological information after the biometric information has been acquired.
8-1-2 With regard to the handling of sensitive information, a business handling personal information in the financial sector is to provide the following particulars, in addition to those provided in 7-2-1, 7-2-1-1 and 7-2-2, in the handling rules for the stage of use and processing provided in 7-2:
(i) use and processing only for the purposes specified in the items of Article 5, paragraph 1 of the Guidelines for the Financial Sector;
(ii) limitation of the persons who handle use and processing to the minimum necessary;
(iii) where the consent of the identifiable person is required for use, the obtaining of that consent and the matters to be explained to the identifiable person; and
(iv) setting of access permissions limited to the minimum necessary persons, and implementation of access control.
8-1-2-1 With regard to the handling of biometric information that falls under the category of sensitive information, the handling rules for the stage of use must include the following particulars, in addition to those provided in 8-1-2:
(i) measures to prevent unauthorized authentication using forged biometric information;
(ii) measures to prevent unauthorized use of registered biometric information;
(iii) deletion of residual biometric information;
(iv) confirmation of the appropriateness of authentication accuracy settings, etc.; and
(v) strict identity verification procedures for any alternative to identity verification by biometric authentication.
8-1-3 With regard to the handling of sensitive information, a business handling personal information in the financial sector is to provide the following particulars, in addition to those provided in 7-3-1 and 7-3-2, in the handling rules for the stage of storage and keeping provided in 7-3:
(i) limitation of the persons who handle storage and keeping to the minimum necessary; and
(ii) setting of access permissions limited to the minimum necessary persons, and implementation of access control.
8-1-3-1 With regard to the handling of biometric information that falls under the category of sensitive information, the handling rules for the stage of storage and keeping must include encryption of the biometric information while it is stored, in addition to the particulars provided in 8-1-3, and are also to include the management of that biometric information separately from personal information such as names on servers, etc.
8-1-4 With regard to the handling of sensitive information, a business handling personal information in the financial sector is to provide the following particulars, in addition to those provided in 7-4-1 and 7-4-2, in the handling rules for the stage of transfer and sending provided in 7-4:
(i) transfer and sending only for the purposes specified in the items of Article 5, paragraph 1 of the Guidelines for the Financial Sector; and
(ii) setting of access permissions limited to the minimum necessary persons, and implementation of access control.
8-1-5 With regard to the handling of sensitive information, a business handling personal information in the financial sector is to provide, in the handling rules for the stage of deletion and disposal provided in 7-5, for the limitation of the persons who handle deletion and disposal to the minimum necessary, in addition to the particulars provided in 7-5.
8-1-5-1 With regard to the handling of biometric information that falls under the category of sensitive information, the handling rules for the stage of deletion and disposal must include, in addition to the particulars provided in 8-1-5, the prompt deletion of the biometric information held once there is no longer a need to use it for identity verification.
8-2 In conducting the audit provided in 2-5-2, a business handling personal information in the financial sector is to have an external audit conducted of the handling of biometric information that falls under the category of sensitive information, and is also to have an external audit conducted of the handling of other sensitive information as necessary.
(Attachment 3) Management of Members at a Personal Credit Data Institution Specified in Article 2, Paragraph 4 of the Guidelines for the Protection of Personal Information in the Financial Sector
A personal credit data institution is to take the measures in 9-1 through 9-4, in addition to the measures provided in I.(2) of these Practical Guidelines, to ensure that its members properly register and inquire about personal credit data (information on the repayment capacity of persons seeking funds that is registered with the personal credit data institution; the same applies hereinafter) and do not use personal credit data for any purpose other than investigating repayment capacity.
(Eligibility Examination)
9-1 At the time of an application for membership, a personal credit data institution is to conduct a rigorous membership examination based on predetermined membership criteria so that only proper businesses become members.
(Monitoring of Access to Personal Credit Data)
9-2 After admission, a personal credit data institution is to conduct appropriate and continuous monitoring of members' access to personal credit data so that members do not deviate from the membership criteria or use personal credit data for any purpose other than investigating repayment capacity.
(Disposition Against Improper Use)
9-3 If personal credit data has been used improperly, a personal credit data institution is to impose a disposition such as suspension of use, expulsion from membership, or another disposition under its predetermined membership management rules, and is to take measures to prevent recurrence.
(External Audits)
9-4 A personal credit data institution is to undergo an external audit to confirm that the institution has implemented measures for managing the security of personal data in accordance with the Guidelines for the Financial Sector and these Practical Guidelines.