Act on Anonymized Medical Data and Pseudonymized Medical Data That Are Meant to Contribute to Research and Development in the Medical Field
Table of Contents
Chapter I General Provisions (Articles 1 through 4)
Chapter II Measures Related to Anonymized Medical Data and Pseudonymized Medical Data That Are Meant to Contribute to Research and Development in the Medical Field
Section 1 Basic Policy on Anonymized Medical Data and Pseudonymized Medical Data That Are Meant to Contribute to Research and Development in the Medical Field (Article 5)
Section 2 Measures Taken by the State (Articles 6 through 8)
Chapter III Certified Producers of Anonymized Medical Data and Enterprises Handling Anonymized Medical Data
Section 1 Certified Producers of Anonymized Medical Data (Articles 9 through 17)
Section 2 Regulations on the Handling of Anonymized Medical and Other Data (Articles 18 to 29)
Section 3 Enterprises Handling Anonymized Medical Data (Article 30)
Section 4 Linkage with Anonymized Data Related to Medical Insurance (Articles 31 and 32)
Chapter IV Certified Producers of Pseudonymized Medical Data and Certified Users of Pseudonymized Medical Data
Section 1 Regulations Concerning Certified Producers of Pseudonymized Medical Data and Handling of Pseudonymized Medical Data (Articles 33 through 40)
Section 2 Regulations Concerning Certified Users of Pseudonymized Medical Data and Handling of Provided Pseudonymized Medical Data (Articles 41 through 44)
Chapter V Enterprises Certified for Entrustment with Handling Medical and Other Data (Articles 45 through 51)
Chapter VI Provision of Medical Information to Certified Producer of Anonymized Medical Data or Certified Producer of Pseudonymized Medical Data by an Enterprise Handling Medical Information
Section 1 Provision of Medical Information to Certified Producers of Anonymized Medical Data (Articles 52 through 56)
Section 2 Provision of Medical Information to Certified Producers of Pseudonymized Medical Data (Articles 57 and 58)
Chapter VII Supervision (Articles 59 through 61)
Chapter VIII Miscellaneous Provisions (Articles 62 through 67)
Chapter IX Penal Provisions (Articles 68 through 75)
Supplementary Provisions
Chapter I General Provisions
(Purpose)
Article 1  The purpose of this Act is to promote advanced research and development and creation of new industries in health and medicine (meaning advanced research and development and creation of new industries in health and medicine prescribed in Article 1 of the Act on Promotion of Health and Medical Strategy (Act No. 48 of 2014); the same applies in Article 3), thus contributing to the formation of a healthy and long-lived society (meaning a healthy and long-lived society prescribed in Article 1 of that Act), by providing for the responsibilities of the State, the establishment of a basic policy, the certification of persons engaged in the business of preparing anonymized medical data and persons engaged in the business of preparing pseudonymized medical data, and regulations on handling medical information, anonymized medical data, and pseudonymized medical and other data regarding anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field.
(Definitions)
Article 2  (1) The term "medical information" as used in this Act means information which include the medical history of a specific individual or any other information on the mental or physical condition of that individual; which constitute information concerning an individual that includes an identifier or its equivalent (meaning all items (excluding individual identification codes (meaning an individual identification code prescribed in Article 2, paragraph 2 of the Act on the Protection of Personal Information (Act No. 57 of 2003); the same applies below)) made by writing, recording, sound or motion, or other means, in a document, drawing, or electronic or magnetic record (meaning a record created in electronic or magnetic form (meaning electronic form, magnetic form, or any other form that cannot be perceived with the human senses); the same applies below); the same applies below) specified by Cabinet Order as those of requiring special care so as not to cause unjust discrimination, prejudice, or any other disadvantages to that person or the descendants of that person based on that mental or physical condition; and which fall under any of the following items:
(i) information containing a name, date of birth, or any other identifier or the equivalent that can be used to identify a specific individual (including any information that can be easily collated with other information and then used to identify a specific individual); or
(ii) information containing an individual identification code.
(2) The term "identifiable person" as used in relation to medical information in this Act means a specific individual identifiable by medical information.
(3) The term "anonymized medical data" as used in this Act means data relating to an individual which can be obtained in a way that makes it not possible to identify a specific individual by taking any of the measures specified in each following item in accordance with the divisions of medical information stated in those items, and which are prepared in such a way that the medical information cannot be restored:
(i) medical information falling under paragraph (1), item (i): deleting a part of the identifier or its equivalent contained in that medical information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration; or
(ii) medical information falling under paragraph (1), item (ii): deleting all individual identification codes contained in that medical information(including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
(4) The term "pseudonymized medical data" as used in this Act means information relating to an individual which can be prepared in a way that makes it not possible to identify a specific individual unless collated with other information by taking any of the measures prescribed in each following item in accordance with the divisions of medical information stated in those items.
(i) medical information falling under paragraph (1), item (i): deleting a part of the identifiers or their equivalent contained in that medical information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration); or
(ii) medical information falling under paragraph (1), item (ii): deleting all individual identification codes contained in that medical information (including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
(5) The term "enterprise handling medical information" as used in this Act means a person that provides for use in its services a collection of information containing medical information which has been systematically organized so as to enable a person to search for specific medical information using a computer or which is otherwise specified by Cabinet Order as being systematically organized so as to enable a person to easily search for specific medical information (referred to as "database or similar collection of medical information" in Article 68).
(6) The term "business of preparing anonymized medical data" as used in this Act means the business of organizing and processing medical information to produce anonymized medical data (limited to information constituting a database or similar collection of anonymized medical data (meaning a collection of information containing anonymized medical data that has been systematically organized so as to enable a person to search for specific anonymized medical data using a computer or which is otherwise specified by Cabinet Order as being systematically organized so as to enable a person to easily search for specific anonymized medical data; the same applies in Article 30, paragraph (1)); the same applies below), in order to contribute to research and development in the medical field.
(7) The term "business of preparing pseudonymized medical data" as used in this Act means the business of organizing and processing medical information to prepare pseudonymized medical data (limited to information constituting a database or similar collection of pseudonymized medical data (meaning a collection of information containing pseudonymized medical data that has been systematically organized so as to enable a person to search for specific pseudonymized medical data by using computer or that is otherwise specified by Cabinet Order as being systematically organized so as to enable a person to easily search for specific pseudonymized medical data); the same applies below), in order to contribute to research and development in the medical field.
(Responsibility of the State)
Article 3  The State is responsible for taking the necessary measures for anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field, as part of measures for advanced research and development and creation of new industries in health and medicine.
(Responsibility of Enterprises Handling Medical Information)
Article 4  An enterprise handling medical information is to endeavor to cooperate with measures implemented by the State in connection with anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field, by providing medical information to a certified Producer of anonymized medical data prescribed in Article 10, paragraph (1) or to a certified Producer of pseudonymized medical data prescribed in Article 34, paragraph (1).
Chapter II Measures Related to Anonymized Medical Data and Pseudonymized Medical Data That are Meant to Contribute to Research and Development in the Medical Field
Section 1 Basic Policy on Anonymized Medical Data and Pseudonymized Medical Data That are Meant to Contribute to Research and Development in the Medical Field
Article 5  (1) To comprehensively and integrally promote measures for anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field, the government must establish a basic policy for anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field (referred to below as "basic policy").
(2) The basic policy is to provide for the following matters:
(i) a basic direction for the promotion of measures related to anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field;
(ii) matters related to the measures that the State is to take in connection with anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field;
(iii) matters related to measures to prevent the occurrence of undue discrimination, prejudice, or any other disadvantage to a identifiable person, that person's descendants, or any other individual on the grounds of that person's medical history or any other mental or physical condition in connection with medical information used to prepare anonymized medical data or pseudonymized medical data;
(iv) basic matters concerning the certification prescribed in Article 9, paragraph (1), Article 33, Article 41, and Article 45;
(v) other important matters concerning the promotion of measures related to anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field.
(3) The Prime Minister must prepare a draft of the basic policy and call for a cabinet decision.
(4) Once a cabinet decision under the provisions of the preceding paragraph has been made, the Prime Minister must make the basic policy public without delay.
(5) The provisions of the preceding two paragraphs apply mutatis mutandis to the alteration of the basic policy.
Section 2 Measures Taken by the State
(Promoting Public Understanding)
Article 6  The State is to take the necessary measures to enhance public understanding regarding anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field through public relations activities, awareness-raising activities, and other activities.
(Developing Adequate Standards)
Article 7  (1) To contribute to the preparation of anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field, the State is to develop adequate standards for medical information, anonymized medical data, and pseudonymized medical data, promote their dissemination and use, and take other necessary measures.
(2) The standards under the provisions of the preceding paragraph are to be developed based on international trends in this field, the progress of research and development in the medical field, and other factors.
(Development of Information Systems)
Article 8  The State is to endeavor to develop information systems, to promote their dissemination and use, and to take other necessary measures in order to prepare anonymized medical data and pseudonymized medical data that are meant to contribute to research and development in the medical field.
Chapter III Certified Producers of Anonymized Medical Data and Enterprises Handling Anonymized Medical Data
Section 1 Certified Producers of Anonymized Medical Data
(Certification)
Article 9  (1) A person engaged in the business of preparing anonymized medical data (limited to a corporation) may apply to obtain certification from the competent ministers as being capable of carrying out the business of producing anonymized medical data in a proper and reliable manner.
(2) Pursuant to the provisions of order of the competent ministry, a person seeking the certification referred to in the preceding paragraph must submit to the competent minister a written application stating the following matters, accompanied by documents confirming that the certification standards stated in the items of the following paragraph have been met and other documents specified by order of the competent ministry:
(i) its name and address;
(ii) its method of organizing medical information;
(iii) its method of processing medical information;
(iv) medical information, identifiers and their equivalent deleted from medical information used to prepare anonymized medical data, individual identification codes, information concerning the method of processing performed pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), and the method of managing anonymized medical data (referred to below as "anonymized medical and other data");
(v) other matters specified by order of the competent ministry.
(3) If the competent minister finds that an application for certification as referred to in paragraph (1) meets the following standards, the minister must grant the certification referred to in that paragraph:
(i) the applicant does not fall under any of the following items:
(a) a person sentenced to a fine for violating a provision of this Act, any other Act on the proper handling of personal information that is specified by Cabinet Order, or an order based on those Acts, and if two years have not yet passed since the day the person finished serving the sentence or ceased to be subject to its enforcement;
(b) a person whose certification has been revoked pursuant to the provisions of Article 16, paragraph (1) or Article 17, paragraph (1) (including as applied mutatis mutandis pursuant to Article 40, Article 44, or Article 51), and if two years have not yet passed since the date of the revocation;
(c) a person with an officer engaging in the business of preparing anonymized medical data or with an employee as specified by order of the competent ministry who falls under any of the following items:
1. a person specified by order of the competent ministry as a person that is unable to properly engage in the business of preparing anonymized medical data due to a mental or physical disorder;
2. a person subject to an order commencing bankruptcy proceeding that has not been released from bankruptcy restrictions, or an equivalent person under foreign laws and regulations;
3. a person sentenced to a fine or heavier punishment for violating a provision of this Act, any other Act on the proper handling of personal information that is specified by Cabinet Order, or an order based on those Acts, and if two years have not yet passed since the day the person finished serving the sentence or ceased to be subject to its enforcement; or
4. if a person who has obtained certification under paragraph (1), Article 33, Article 41, or Article 45 has had the certification revoked pursuant to the provisions of Article 16, paragraph (1) or Article 17, paragraph (1) (including when these provisions are applied mutatis mutandis pursuant to Article 40, Article 44, and Article 51), that person's former officer or employee specified by order of the competent ministry who engaged in the business related to the certification within 30 days before the date of the disposition and for whom two years have not passed from the date of the disposition;
(ii) the applicant meets the standards specified by order of the competent ministry as having sufficient capability to acquire medical information and to organize and process it so as to properly prepare and provide anonymized medical data in order to contribute to research and development in the medical field;
(iii) any measures that order of the competent ministry prescribes as being necessary and appropriate for preventing leaks of, loss of, or damage to anonymized medical and other data and for otherwise implementing the secure management of those anonymized medical and other data have been taken;
(iv) the applicant has sufficient ability to properly implement measures for the secure management of anonymized medical and other data prescribed in the preceding item.
(4) Before granting the certification referred to in paragraph (1), the competent minister must first consult with the Personal Information Protection Commission.
(5) After granting the certification referred to in paragraph (1), the competent minster must notify the applicant of that fact and issue a public notice stating that fact without delay.
(Certification of Changes)
Article 10  (1) If a person that has obtained the certification referred to in paragraph (1) of the preceding Article (referred to below as "certified producer of anonymized medical data") seeks to change any of the matters stated in paragraph (2), items (ii) through (v) of that Article, the person must obtain certification of the competent minister pursuant to the provisions of order of the competent ministry; provided, however, that this does not apply to a minor change specified by order of the competent ministry.
(2) After granting the certification of a change as referred to in the preceding paragraph, the competent minister must notify the certified producer of anonymized medical data of their certification without delay.
(3) If any of the matters stated in paragraph (2), item (i) of the preceding Article changes or if a certified producer of anonymized medical data makes a minor change specified by order of the competent ministry as referred to in the proviso to paragraph (1), it must notify the competent minister of that change without delay.
(4) After receiving a notification under the provisions of the preceding paragraph (limited to one involving a change to any of the matters stated in paragraph (2), item (i) of the preceding Article), the competent minister must issue a public notice stating that fact without delay.
(5) The provisions of paragraph (3) (excluding item (i)) and paragraph (4) of the preceding Article apply mutatis mutandis to the certification of the changes stated in paragraph (1).
(Succession)
Article 11  (1) If a corporation that is a certified producer of anonymized medical data transfers the whole of its business of preparing anonymized medical data subject to the certification referred to in Article 9, paragraph (1) (referred to below as "certified business of preparing anonymized medical data") to another corporation that is a certified producer of anonymized medical data, the transferee succeeds to the status that the transferor held as a certified producer of anonymized medical data under the provisions of this Act.
(2) If a corporation that is a certified producer of anonymized medical data merges with another corporation that is a certified producer of anonymized medical data, the corporation surviving the merger or the corporation incorporated in the merger succeeds to the status of the corporation or corporations disappearing in the merger as a certified producer of anonymized medical data under the provisions of this Act.
(3) A corporation that has succeeded to another corporation's status as a certified producer of anonymized medical data pursuant to the provisions of the preceding two paragraphs must notify the competent minister of that fact without delay pursuant to the provisions of order of the competent ministry.
(4) If a corporation that is a certified producer of anonymized medical data transfers the whole of its certified business of preparing anonymized medical data to a corporation that is not a certified producer of anonymized medical data, and the transferor and the transferee have obtained the authorization of the competent ministers for the transfer and acquisition in advance pursuant to the provisions of Order of the competent ministries, the transferee succeeds to the status of the transferor as a certified producer of anonymized medical data under the provisions of this Act.
(5) If a corporation that is a certified producer of anonymized medical data disappears in a merger with a corporation that is not a certified producer of anonymized medical data and authorization of the competent minister has been obtained for the merger in advance pursuant to the provisions of order of the competent ministry, the corporation surviving the merger or the corporation incorporated in the merger succeeds to the status of the corporation disappearing in the merger as a certified producer of anonymized medical data under the provisions of this Act.
(6) If a corporation that is a certified producer of anonymized medical data has another person succeed to the whole of its certified business of preparing anonymized medical data in a company split, and authorization of the competent minister has been obtained for the company split in advance pursuant to the provisions of order of the competent ministry, the corporation succeeding to the whole of its certified business of preparing anonymized medical data in the company split succeeds to the status of the split corporation as a certified producer of anonymized medical data under the provisions of this Act.
(7) The provisions of Article 9, paragraphs (3) through (5) apply mutatis mutandis to the authorization referred to in the preceding three paragraphs.
(8) If a corporation that is a certified producer of anonymized medical data transfers the whole of its certified business of preparing anonymized medical data to a person that is not a certified producer of anonymized medical data, merges with a corporation that is not a certified producer of anonymized medical data, or has another person succeed to the whole of its certified business of preparing anonymized medical data through a company split, but does not apply for the authorization referred to in paragraphs (4) through (6), it must notify the competent minister of that fact by the date of the transfer, merger, or company split of the whole of its certified business of preparing anonymized medical data, pursuant to the provisions of order of the competent ministry.
(9) If a corporation that is a certified producer of anonymized medical data transfers the whole of its certified business of preparing anonymized medical data to a person that is not a certified producer of anonymized medical data, disappears in a merger with a corporation that is not a certified producer of anonymized medical data, or has another person succeed to the whole of its certified business of preparing anonymized medical data through a company split, and a disposition not to grant the authorization referred to in paragraphs (4) through (6) is reached (or if no application for that authorization is filed, and the whole of the certified business of preparing anonymized medical data is transferred, merged, or split), the certification referred to in Article 9, paragraph (1) ceases to be valid, and the transferee, the corporation surviving the merger, the corporation incorporated in the merger, or the corporation succeeding to the whole of the certified business of preparing anonymized medical data through the company split must delete the anonymized medical and other data it manages in connection with its certified business of preparing anonymized medical data without delay.
(10) After receiving a notification under the provisions of paragraph (3) or paragraph (8) or reaching a disposition not to grant the authorization referred to in paragraphs (4) through (6), the competent minster must issue a public notice stating that fact without delay.
(Notification of Discontinuation)
Article 12  (1) If a certified producer of anonymized medical data seeks to discontinue its certified business of preparing anonymized medical data, it must notify the competent minister of that intention in advance pursuant to the provisions of order of the competent ministry.
(2) If a notification under the provisions of preceding paragraph has been filed, the certification referred to in Article 9, paragraph (1) ceases to be effective, and the corporation that was a certified producer of anonymized medical data must delete the anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data without delay.
(3) If a notification under the provisions of paragraph (1) has been filed, the competent minister must issue a public notice stating that fact without delay.
(Notification of Dissolution)
Article 13  (1) If a corporation that is a certified producer of anonymized medical data is dissolved for reasons other than a merger, its liquidator, bankruptcy trustee, or an equivalent person under foreign laws and regulations must notify the competent minister of that fact without delay pursuant to the provisions of order of the competent ministry.
(2) If a corporation that is a certified producer of anonymized medical data is dissolved for reasons other than a merger, the certification referred to in Article 9, paragraph (1) ceases to be valid, and the corporation in liquidation or special liquidation, the corporation against which bankruptcy proceedings have been commenced, or an equivalent corporation under foreign laws and regulations must delete the anonymized medical and other data that it manages in connection with the certified business of preparing anonymized medical data without delay.
(3) If a notification under the provisions of paragraph (1) has been filed, the competent minister must issue a public notice stating that fact without delay.
(Books)
Article 14  Pursuant to the provisions of order of the competent ministry, a certified producer of anonymized medical data must keep books (or electronic or magnetic records if electronic or magnetic records are prepared in lieu of books; the same applies below), enter the matters specified by order of the competent ministry concerning its operations in those books, and preserve them.
(Restriction on the Use of Names)
Article 15  It is prohibited for a person that is not a certified producer of anonymized medical data to use a name that refers to it as a certified producer of anonymized medical data or a name that is misleadingly similar to this.
(Revocation of Certification)
Article 16  (1) If a certified producer of anonymized medical data (other than a corporation that does not have its principal office in Japan and that handles anonymized medical and other data in a foreign state (referred to below as "foreign operator"); the same applies in the following paragraph) falls under any of the following items, the competent minister may revoke the certification referred to in Article 9, paragraph (1):
(i) if the certified producer has obtained the certification referred to in Article 9, paragraph (1), or Article 10, paragraph (1), or authorization referred to in Article 11, paragraphs (4) through (6) by deception or other wrongful means;
(ii) if the certified producer no longer meets any of the standards stated in the items of Article 9, paragraph (3);
(iii) if the certified producer has changed any of the matters for which it must obtain certification pursuant to the provisions of Article 10, paragraph (1), without obtaining the certification referred to in that paragraph;
(iv) if the certified producer provides medical information in violation of the provisions of Article 28, paragraph (1);
(v) if the certified producer has violated an order under the provisions of Article 61, paragraph (1).
(2) If a certified producer of anonymized medical data has its certification referred to in Article 9, paragraph (1) revoked pursuant to the provisions of the preceding paragraph, it must delete the anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data without delay.
(3) Before revoking a certification referred to in Article 9, paragraph (1) pursuant to the provisions of paragraph (1), the competent minister must first consult with the Personal Information Protection Commission.
(4) If the competent minister revokes the certification referred to in Article 9, paragraph (1) pursuant to the provisions of paragraph (1), the minister must issue a public notice stating that fact without delay.
Article 17  (1) If a certified producer of anonymized medical data (limited to a foreign operator; the same applies in item (iii) and paragraph (3)) falls under any of the following items, the competent minister may revoke the certification referred to in Article 9, paragraph (1):
(i) if the certified producer falls under any of the items (i) through (iv) of paragraph (1) of the preceding Article;
(ii) if the certified producer has failed to respond to the request made under the provisions of Article 61, paragraph (1) as applied mutatis mutandis pursuant to paragraph (5) of that Article following the deemed replacement of terms;
(iii) if the competent minister, to the extent necessary for the enforcement of this Act, has required the certified producer of anonymized medical data to report the necessary information or attempted to have the relevant officials enter that producer's office or another place of business of that producer and inspect that producer's books, documents, or other items, or to have those officials ask the relevant persons questions, but the producer fails to make a report or files a false report, refuses, obstructs, or evades the inspection, or fails to answer or provides a false answer to the questions; or
(iv) if the producer fails to bear the costs under the provisions of paragraph (3).
(2) The provisions of paragraphs (2) through (4) of the preceding Article apply mutatis mutandis to the revocation of a certification under the provisions of the preceding paragraph.
(3) The costs required to perform an inspection under the provisions of paragraph (1), item (iii) (limited to the cost specified by Cabinet Order) are to be borne by the certified producer of anonymized medical data subject to the inspection.
Section 2 Regulations on the Handling of Anonymized Medical and Other Data
(Restrictions Based on Purpose of Use)
Article 18  (1) If a certified producer of anonymized medical data has been provided with medical information pursuant to the provisions of Article 27, paragraph (1) or Article 52, paragraph (1), the producer must not handle that medical information beyond the scope necessary for achieving the purpose of the certified business of preparing anonymized medical data, so as not to contravene the purpose of the medical information being provided to contribute to research and development in the medical field.
(2) The provisions of the preceding paragraph do not apply to the following cases:
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(Preparation of Anonymized Medical Data)
Article 19  (1) When a certified producer of anonymized medical data prepares anonymized medical data, the producer must process the medical information in accordance with the standards specified by order of the competent ministry as being necessary to make it impossible to identify a specific individual or to restore the medical information used to produce the anonymized medical information.
(2) When preparing anonymized medical data and handling that anonymized medical data on its own, a certified producer of anonymized medical data must not collate the anonymized medical data with other data to identify the identifiable person whose medical information has been used to prepare the anonymized medical data.
(3) The provisions of Article 43 of the Act on the Protection of Personal Information do not apply if a certified producer of anonymized medical data prepares anonymized medical data pursuant to the provisions of paragraph (1).
(Deletion)
Article 20  If a certified producer of anonymized medical data no longer needs to use anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data, the producer must delete that anonymized medical and other data without delay.
( Measures for Secure Data Management)
Article 21  A certified producer of anonymized medical data must take the necessary and appropriate measures specified by order of the competent ministry to prevent leaks of, loss of, or damage to the anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data, and to otherwise securely manage the anonymized medical and other data.
(Supervision of Workers)
Article 22  If a certified producer of anonymized medical data has its employees handle anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data, the producer must supervise those employees as necessary and appropriate, pursuant to the provisions of order of the competent ministry, so as to ensure that the anonymized medical and other data are securely managed.
(Obligations of Employees)
Article 23  It is prohibited for a current or former officer or employee of a certified producer of anonymized medical data to disclose anonymized medical and other data acquired in connection with its certified business of preparing anonymized medical data to another person without due cause or to use that information for an unjust purpose.
(Entrustment)
Article 24  (1) A certified producer of anonymized medical data may entrust all or part of the handling of anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data only to an enterprise certified for entrustment with handling medical and other data prescribed in Article 46, paragraph (1) (referred to below as "enterprise certified for entrustment with handling medical and other data" in this Article).
(2) An enterprise certified for entrustment with handling medical and other data that has been entrusted with all or part of the handling of anonymized medical and other data pursuant to the provisions of the preceding paragraph may further entrust all or part of that handling only if it obtains authorization of the certified producer of anonymized medical data that has entrusted it with handling of the anonymized medical and other data, and only if it further entrusts that handling to an enterprise certified for entrustment with handling medical and other data.
(3) An enterprise certified for entrustment with handling medical and other data that has been further entrusted with all or part of the handling of anonymized medical and other data pursuant to the provisions of the preceding paragraph is deemed to be an enterprise certified for entrustment with handling medical and other data that has been entrusted with all or part of the handling of that anonymized medical and other data, and the provisions of that paragraph apply.
(Supervision of Entrusted Persons)
Article 25  If a certified producer of anonymized medical data entrusts another person with all or part of the handling of anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data, the producer must supervise the entrusted person as necessary and appropriate pursuant to the provisions of order of the competent ministry so as to ensure that the anonymized medical and other data the handling of which it has entrusted are securely managed.
(Reporting Leaks)
Article 26  If a leak of, loss of, or damage to anonymized medical and other data that a certified producer of anonymized medical data manages in connection with its certified business of preparing anonymized medical data or any other situation that involves ensuring the safety of anonymized medical and other data and is specified by order of the competent ministry as being highly likely to harm the rights and interests of individuals occurs, the certified producer of anonymized medical data must report this to the competent minister pursuant to the provisions of order of the competent ministry.
(Provision of Medical Information to Other Certified Producers of Anonymized Medical Data)
Article 27  (1) At the request of another certified producer of anonymized medical data and pursuant to the provisions of order of the competent ministry, a certified producer of anonymized medical data that has been provided with medical information pursuant to the provisions of Article 52, paragraph (1) may provide the medical information that has been provided to it pursuant to the provisions of that paragraph to that other certified producer of anonymized medical data to the extent necessary for preparing anonymized medical data, pursuant to the provisions of order of the competent ministry.
(2) A certified producer of anonymized medical data that has been provided with medical information pursuant to the provisions of the preceding paragraph is deemed to be a certified producer of anonymized medical data that has been provided with medical information pursuant to the provisions of Article 52, paragraph (1), and the provisions of the preceding paragraph apply.
(Restrictions on Provision of Information to Third Parties)
Article 28  (1) It is prohibited for a certified producer of anonymized medical data to provide a third party with medical information provided pursuant to the provisions of paragraph (1) of the preceding Article or Article 52, paragraph (1), except if that producer provides that information pursuant to the provisions of paragraph (1) of the preceding Article or Article 31, paragraph (2) and except in any of the cases stated in the following items.
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(2) In the following cases, the recipient of the medical information is not to be considered a third party in applying the provisions of the preceding paragraph:
(i) if medical information is provided as a result of the succession of business due to a business transfer under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6) or for any other reason;
(ii) if medical information is provided as a result of a certified producer of anonymized medical data entrusting a person with all or part of the handling of that medical information pursuant to the provisions of Article 24, paragraph (1).
(Processing Complaints)
Article 29  (1) Pursuant to the provisions of order of the competent ministry, a certified producer of anonymized medical data must properly and promptly process any complaints about the handling of anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data.
(2) Pursuant to the provisions of order of the competent ministry, a certified producer of anonymized medical data must set in place the necessary system to achieve the purpose referred to in the preceding paragraph.
Section 3 Enterprises Handling Anonymized Medical Data
Article 30  (1) When handling anonymized medical data prepared pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1) (excluding anonymized medical data that an enterprise handling anonymized medical data (meaning a person that has a database or similar collection of anonymized medical data available for use in its business; the same applies below) personally prepares by processing medical information), an enterprise handling anonymized medical data must not acquire information about an identifier or its equivalent or an individual identification code that has been deleted from the medical information or information about the method of processing that has been performed pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), nor must it collate the anonymized medical data with other information, in order to identify the identifiable person whose medical information was used to prepare the anonymized medical data.
(2) The provisions of Articles 44 through 46 of the Act on the Protection of Personal Information do not apply if an enterprise handling anonymized medical data handles the anonymized medical data prescribed in the preceding paragraph.
Section 4 Linkage with Anonymized Data Related to Medical Insurance
(Provision of Linkable Anonymized Medical Data)
Article 31  (1) A certified producer of anonymized medical data may provide anonymized medical data it has prepared pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1) in a form that makes it possible to link that data to anonymized data related to medical insurance and any other information specified by Cabinet Order, but only to a person that is permitted to be provided with anonymized data related to medical insurance pursuant to the provisions of Article 16-2, paragraph (1) of the Act on Assurance of Medical Care for Elderly People (Act No. 80 of 1982) (meaning anonymized data related to medical insurance prescribed in that paragraph; the same applies below in this paragraph) or to any other person specified by Cabinet Order.
(2) To put anonymized medical data into the form prescribed in the preceding paragraph, a certified producer of anonymized medical data may, pursuant to the provisions of order of the competent ministry, provide the Minister of Health, Labour and Welfare or other ministers specified by Cabinet Order (referred to below as "Minister of Health, Labour and Welfare or a relevant authority" in this Article) with the anonymized medical and other data, and request them to provide the information specified by order of the competent ministry as the information necessary to put the anonymized medical data into that form.
(3) After receiving a request under the provisions of the preceding paragraph, the Minister of Health, Labour and Welfare or a relevant authority may provide a certified producer of anonymized medical data with the information specified by order of the competent ministry which is referred to in that paragraph.
(4) The Minister of Health, Labour and Welfare or a relevant authority may entrust all or part of the affairs related to the provision of information under the provisions of the preceding paragraph to Health Insurance Claims Review and Reimbursement Services under the Health Insurance Claims Review and Reimbursement Services Act (Act No. 129 of 1948), a Federation of National Health Insurance Association prescribed in Article 45, paragraph (5) of the National Health Insurance Act (Act No. 192 of 1958), or other persons specified by order of the competent ministry (referred to below as "reimbursement service or another organization" in this Article).
(5) A certified producer of anonymized medical data that is provided with information under the provisions of paragraph (3) must pay a fee to the State (or to the reimbursement service or another organization if the reimbursement service or another organization handles all of the affairs connected with the provision of information under paragraph (3) as entrusted by the Minister of Health, Labour and Welfare or a relevant authority pursuant to the provisions of the preceding paragraph) in an amount specified by Cabinet Order based on the actual costs.
(6) The fees paid to the reimbursement service or another organization pursuant to the provisions of the preceding paragraph are the income of the reimbursement service or another organization.
(7) A certified producer of anonymized medical data may provide anonymized medical data under the provisions of paragraph (1) through the reimbursement service or another organization which has been entrusted under the provisions of paragraph (4).
(Regulations on the Handling of Linkable Anonymized Medical Data)
Article 32  (1) When handling linkable anonymized medical data (meaning anonymized medical data provided pursuant to the provisions of paragraph (1) of the preceding Article; the same applies below), a person that is provided with and uses that anonymized medical data pursuant to the provisions of paragraph (1) of the preceding Article (referred to below as "user of linkable anonymized medical data") must not acquire information about an identifier or its equivalent or an individual identification code that has been deleted from the medical information, information about the processing method used to prepare the linkable anonymized medical data pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), or information about any other processing method used to prepare the linkable anonymized medical data, or must not collate the linkable anonymized medical data with other information, in order to identify the identifiable person whose medical data was used to prepare the linkable anonymized medical data.
(2) The provisions of Articles 20 through 23 apply mutatis mutandis to the handling of linkable anonymized medical data by a user of linkable anonymized medical data. In that case, the phrase "it manages in connection with its certified business of preparing anonymized medical data" in Articles 20 through 22 is deemed to be replaced with "the user of linkable anonymized medical data manages"; the phrase "officer or employee of a certified producer of anonymized medical data" in Article 23 is deemed to be replaced with " a certified producer of anonymized medical data or its employee (or, if a certified producer of anonymized medical data is a corporation (or an organization without legal personality for which a representative or administrator has been designated), its officer, representative, or administrator)"; and the phrase " its certified business of preparing anonymized medical data" in that Article is deemed to be replaced with "the use of linkable anonymized medical data".
Chapter IV Certified Producers of Pseudonymized Medical Data and Certified Users of Pseudonymized Medical Data
Section 1 Regulations Concerning Certified Producers of Pseudonymized Medical Data and Handling of Pseudonymized Medical Data
(Certification)
Article 33  A person engaged in the business of preparing pseudonymized medical data (limited to a corporation) may apply to obtain certification from the competent minister as being capable of carrying out the business of preparing pseudonymized medical data in a proper and reliable manner.
(Restrictions Based on Purpose of Use)
Article 34  (1) If a person that has obtained certification as referred to in the preceding Article (referred to below as "certified producer of pseudonymized medical data") is provided with medical information pursuant to the provisions of Article 38, paragraph (1) or Article 57, paragraph (1), it must not handle that medical information beyond the scope necessary for achieving the purpose of the business of preparing pseudonymized medical data to which the certification referred to in the preceding Article is related (referred to below as "business certified for preparing pseudonymized medical data"), so as not to contravene the purpose of the medical information being provided to contribute to research and development in the medical field.
(2) The provisions of the preceding paragraph do not apply to the following cases:
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(Preparation of Pseudonymized Medical Data)
Article 35  (1) When a certified producer of pseudonymized medical data prepares pseudonymized medical data, it must process the medical information in accordance with the standards specified by order of the competent ministry as being necessary for ensuring that it is not possible to identify a specific individual unless it is collated with other information.
(2) Notwithstanding the provisions of the preceding Article, if a certified producer of pseudonymized medical data has prepared pseudonymized medical data pursuant to the provisions of the preceding paragraph, it must not handle that pseudonymized medical data beyond the scope necessary for achieving the purpose of the business certified for preparing pseudonymized medical data, except as otherwise provided by laws and regulations.
(3) When preparing pseudonymized medical data and handling it on its own, a certified producer of pseudonymized medical data must not collate the pseudonymized medical data with other information in order to identify the identifiable person whose medical information was used to prepare the pseudonymized medical data; provided, however, that this does not apply if that certified producer needs to do so in order to cooperate in an investigation it has undergone under Article 14, paragraph (6) of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (Act No. 145 of 1960) or under the provisions of any other law specified by order of the competent ministry (including an equivalent investigation under foreign laws and regulations).
(4) When handling pseudonymized medical data that a certified producer of pseudonymized medical data manages in connection with its business certified for preparing pseudonymized medical data, the certified producer must not use the contact information or any other information contained in that pseudonymized medical data to make telephone calls, send letters by mail or by correspondence delivery prescribed in Article 2, paragraph (2) of the Act on Correspondence Delivery by Private Business Operators (Act No. 99 of 2002) made by a general correspondence delivery service operator prescribed in paragraph (6) of that Article or by a specified correspondence delivery service operator prescribed in paragraph (9) of that Article (referred to as "correspondence delivery" in Article 42, paragraph (3) and Article 48, paragraph (4)), deliver telegrams, transmit information by using a facsimile machine or by electronic or magnetic means (meaning using an electronic data processing system or any other means that involves using information and communications technology as specified by order of the competent ministry; the same applies in Article 42, paragraph (3) and Article 48, paragraph (4)), or visit residences.
(5) The provisions of Article 41, paragraph (1) of the Act on the Protection of Personal Information do not apply if a certified producer of pseudonymized medical data prepares pseudonymized medical data pursuant to the provisions of paragraph (1), and the provisions of Article 26; Articles 32 through 39; Article 41, paragraphs (2) through (9); and Article 42 of that Act do not apply if a certified producer of pseudonymized medical data handles pseudonymized medical data that it manages in connection with its business certified for preparing pseudonymized medical data.
(Provision of Pseudonymized Medical Data)
Article 36  (1) Pursuant to the provisions of order of the competent ministry, a certified producer of pseudonymized medical data may provide pseudonymized medical data prepared pursuant to the provisions of paragraph (1) of the preceding Article or Article 48, paragraph (1) only to a certified user of pseudonymized medical data prescribed in Article 42, paragraph (1).
(2) Notwithstanding the provisions of Article 39, paragraph (1), a certified producer of pseudonymized medical data must not provide third parties with the pseudonymized medical data that it manages in connection with its business certified for preparing pseudonymized medical data, except when it provides the information pursuant to the provisions of the preceding paragraph or when the relevant laws and regulations apply.
(3) In the following cases, the recipient of the pseudonymized medical data is not to be considered a third party in applying the provisions of the preceding paragraph:
(i) if pseudonymized medical data is provided as a result of the succession of business due to a business transfer under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6), as applied mutatis mutandis pursuant to Article 40, or for any other reason;
(ii) if the pseudonymized medical data is provided as a result of a certified producer of pseudonymized medical data entrusting all or part of the handling of the pseudonymized medical data pursuant to the provisions of paragraph (1) of the following Article;
(Entrustment)
Article 37  (1) A certified producer of pseudonymized medical data may entrust all or part of the handling of medical information that it manages in connection with its business certified for preparing pseudonymized medical data; of identifiers and their equivalent deleted from medical information used to prepare pseudonymized medical data; of individual identification codes; of information on the processing methods used pursuant to the provisions of Article 35, paragraph (1) or Article 48, paragraph (1); and of pseudonymized medical data (referred to below as "pseudonymized medical and other data"), but only if it does so to an enterprise certified for entrustment with handling medical and other data prescribed in Article 46, paragraph (1) (referred to below as "enterprise certified for entrustment with handling medical and other data" in this Article).
(2) An enterprise certified for entrustment with handling medical and other data that has been entrusted with all or part of the handling of pseudonymized medical and other data pursuant to the provisions of the preceding paragraph may further entrust all or part of that handling only if it obtains authorization of the certified producer of pseudonymized medical data that has entrusted it with the handling of that pseudonymized medical and other data, only if it further entrusts that handling to an enterprise certified for entrustment with handling medical and other data.
(3) An enterprise certified for entrustment with handling medical and other data that has been further entrusted with all or part of the handling of pseudonymized medical and other data pursuant to the provisions of the preceding paragraph is deemed to be an enterprise certified for entrustment with handling medical and other data that has been entrusted with all or part of the handling of that pseudonymized medical and other data, and the provisions of that paragraph apply.
(Provision of Medical Information to Other Certified Producers of Pseudonymized Medical Data)
Article 38  (1) Pursuant to the provisions of order of the competent ministry, in response to a request from another certified producer of pseudonymized medical data, a certified producer of pseudonymized medical data that has been provided with medical information pursuant to the provisions of Article 57, paragraph (1) may provide another certified producer of pseudonymized medical data with the medical information that has been provided to it pursuant to the provisions of that paragraph, to the extent necessary for preparing pseudonymized medical data.
(2) A certified producer of pseudonymized medical data that has been provided with medical information pursuant to the provisions of the preceding paragraph is deemed to be a certified producer of pseudonymized medical data that has been provided with medical information pursuant to the provisions of Article 57, paragraph (1), and the provisions of the preceding paragraph apply.
(Restrictions on the Provision of Medical Information to Third Parties)
Article 39  (1) A certified producer of pseudonymized medical data must not provide a third party with medical information provided pursuant to the provisions of paragraph (1) of the preceding Article or Article 57, paragraph (1), except when it provides that information pursuant to the provisions of that paragraph or in the following cases:
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(2) In the following cases, the recipient of the medical information is not to be considered a third party in applying the provisions of the preceding paragraph:
(i) if medical information is provided as a result of the succession of business due to a business transfer under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6) as applied mutatis mutandis pursuant to the following Article or for any other reason;
(ii) when medical information is provided as a result of a certified producer of pseudonymized medical data entrusting all or part of its handling of medical information pursuant to the provisions of Article 37, paragraph (1).
(Application Mutatis Mutandis)
Article 40  The provisions of Article 9, paragraphs (2) through (5); Articles 10 through 17; Articles 20 through 23; Article 25; Article 26; and Article 29 apply mutatis mutandis to the certification referred to in Article 33, the certified producer of pseudonymized medical data, and the business certified for preparing pseudonymized medical data. In that case, the words listed in the right-hand column of the following table are deemed to replace the words listed in the middle column of that table in the provisions listed in the left-hand column of that table, and, additionally, Cabinet Order provides for the necessary technical replacement of terms.
|Article 9, paragraph (2), item (iv)|Medical information, identifiers or their equivalent deleted from medical information used to prepare anonymized medical data, individual identification codes, information concerning the method of processing performed pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), and  anonymized medical data (referred to below as "anonymized medical and other data")|seudonymized medical and other data (meaning the pseudonymized medical  and other data prescribed in Article 37, paragraph (1); the same applies below);|
|Article 9, paragraph (3), item (i), (c)|Business of Preparing  Anonymized Medical Data|Business of Producing Pseudonymized Medical Data|
|Article 9, paragraph (3), item (ii)|Anonymized Medical Data|Pseudonymized Medical Data|
|Article 9, paragraph (3), items (iii) and (iv), Article 11, paragraph (9), Article 12, paragraph (2), Article 13, paragraph (2), Article 16, paragraphs (1) and (2), Articles 20 through 23, Article 25, Article 26, and Article 29, paragraph (1)|Anonymized Medical and Other Data|Pseudonymized Medical and Other Data|
|Article 16, paragraph (1), item (iv)|provides medical data in violation of the provisions of Article 28, paragraph (1)|provides pseudonymized medical data in violation of the provisions of Article 36, paragraph (2), or provides medical data in violation of the provisions of Article 39, paragraph (1)|
|Article 16, paragraph (1), item (v)|Article 61, paragraph (1)|Article 61, paragraph (2)|
|Article 17, paragraph (1), item (ii)|Article 61, paragraph (1)|Article 61, paragraph (2)|
Section 2 Regulations Concerning Certified Users of Pseudonymized Medical Data and Handling of Provided Pseudonymized Medical Data
(Certification)
Article 41  A person (limited to a corporation) that receives pseudonymized medical data prepared pursuant to the provisions of Article 35, paragraph (1) or Article 48, paragraph (1) from a certified producer of pseudonymized medical data and seeks to engage in the business of conducting research and development in the medical field using that pseudonymized medical data may apply to obtain certification from the competent minister as being capable of carrying out that business in a proper and reliable manner.
(Restrictions on the Purpose of Use of Provided Pseudonymized Medical Data)
Article 42  (1) Except when the relevant laws and regulations apply, a person that has obtained the certification referred to in the preceding Article (referred to below as "certified user of pseudonymized medical data") must not handle pseudonymized medical data provided pursuant to the provisions of Article 36, paragraph (1) or based on the application of the provisions of paragraph (2) of the following Article (referred to below as "provided pseudonymized medical data") beyond the scope necessary for research and development in the medical field.
(2) When handling provided pseudonymized medical data, it is prohibited for a certified user of pseudonymized medical data to acquire information about an identifier or its equivalent or an individual identification code that has been deleted from the medical information or information about the method of processing that has been performed pursuant to the provisions of Article 35, paragraph (1) or Article 48, paragraph (1), or to collate the provided pseudonymized medical data with other information, in order to identify the identifiable person whose medical information was used to prepare that provided pseudonymized medical data.
(3) When handling provided pseudonymized medical data, a certified user of pseudonymized medical data must not use the contact information or any other information contained in the provided pseudonymized medical data in order to make telephone calls, send letters by mail or correspondence delivery, deliver telegrams, transmit information by using a facsimile machine or by electronic or magnetic means, or visit a residence.
(4) The provisions of Article 26; Articles 32 through 39; Article 41, paragraphs (2) through (9); and Article 42 of the Act on the Protection of Personal Information do not apply if a certified user of pseudonymized medical data handles provided pseudonymized medical data.
(Restrictions on Provision of Provided Pseudonymized Medical Data to Third Parties)
Article 43  (1) A certified user of pseudonymized medical data must not provide any third party with the provided pseudonymized medical data except in the following cases.
(i) when the relevant laws and regulations apply;
(ii) if it is necessary to provide the Minister of Health, Labour and Welfare or any other person specified by order of the competent ministry as a person engaged in the affairs related to the relevant disposition with provided pseudonymized medical data, in order to obtain marketing approval for the pharmaceuticals prescribed in Article 14, paragraph (1) of the Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices under the provisions of Article 14, paragraph (1) of that Act or to be subject to any other disposition specified by order of the competent ministry (including equivalent acts under foreign laws and regulations).
(2) In the following cases, the recipient of the pseudonymized medical data is not to be considered a third party in applying the provisions of the preceding paragraph:
(i) if provided pseudonymized medical data are provided as a result of the succession of business due to a transfer of business under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6) as applied mutatis mutandis pursuant to the following Article or for any other reason;
(ii) if the provided pseudonymized medical data that is used jointly with another certified user of pseudonymized medical data is provided to that other certified user of pseudonymized medical data;
(Application Mutatis Mutandis)
Article 44  The provisions of Article 9, paragraph (2) (excluding item (iii)) and paragraphs (3) through (5), Articles 10 through 17, Articles 20 through 23, Article 26, and Article 29 apply mutatis mutandis to the certification referred to in Article 41 and to the certified user of pseudonymized medical data referred to in that Article. In that case, the words listed in the right-hand column of the following table are deemed to replace the words listed in the middle column of that table in the provisions listed in the left-hand column of that table, and, additionally, Cabinet Order provides for the necessary technical replacement of terms.
|Article 9, paragraph (2), item (ii)|organizing medical information|using provided pseudonymized medical data (meaning the provided pseudonymized medical data prescribed in Article 42, paragraph (1); the same applies below)|
|Article 9, paragraph (2), item (iv)|medical information, identifiers or their equivalent deleted from medical information used to produce anonymized medical data, individual identification codes, information concerning the method of processing performed pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), and the method of managing anonymized medical data (referred to below as "anonymized medical and other data")|provided pseudonymized medical data|
|Article 9, paragraph (3), item (i), (c)|business of preparing anonymized medical data|relevant business|
|Article 9, paragraph (3), item (ii)|acquire medical information and to organize and process it so as to properly prepare and provide anonymized medical data|properly use the provided pseudonymized medical data|
|Article 9, paragraph (3), items (iii) and (iv), Article 16, paragraph (1), and Article 23|anonymized medical and other data|provided pseudonymized medical data|
|Article 10, paragraph (1)|paragraph (2), items (ii) through (v) of that Article|paragraph (2), items (ii), (iv), or (v) of the preceding Article|
|Article 11, paragraph (1)|business of preparing anonymized medical data subject to the certification referred to in Article 9, paragraph (1) (referred to below as "certified business of preparing anonymized medical data")|business prescribed in Article 41 subject to the certification referred to in that Article (referred to below as "certified business using pseudonymized medical data" in this Article, paragraph (1) of the following Article, and Article 23)|
|Article 11, paragraphs (4), (6), (8), and (9)|of its certified business of preparing anonymized medical data|of its certified business of preparing pseudonymized medical data|
|Article 11, paragraph (9), Article 12, paragraph (2), Article 13, paragraph (2), and Article 16, paragraph (2)|anonymized medical and other data it manages in connection with its certified business of preparing anonymized medical data|provided pseudonymized medical data|
|Article 12, paragraph (1)|certified business of preparing anonymized medical data|certified business  using pseudonymized medical data|
|Article 16, paragraph (1), item (iv)|Article 28, paragraph (1)|Article 43, paragraph (1)|
|medical information|provided pseudonymized medical data|
|Article 16, paragraph (1), item (v)|Article 61, paragraph (1)|Article 61, paragraph (3)|
|Article 17, paragraph (1), item (ii)|Article 61, paragraph (1)|Article 61, paragraph (3)|
|Articles 20 through 22, Article 26, and Article 29, paragraph (1)|anonymized medical and other data that it manages in connection with its certified business of preparing anonymized medical data|provided pseudonymized medical data|
|Articles 20 through 22|that anonymized medical and other data|that provided pseudonymized medical data|
|Article 23|its certified business of preparing anonymized medical data|its certified business using anonymized medical data|
|Article 26|anonymized medical and other data|the provided pseydonymized medical data|
Chapter V Enterprise Certified for Entrustment with Handling Medical and Other Data
(Certification)
Article 45  A person (limited to a corporation) that has been entrusted by a certified producer of anonymized medical data or a certified producer of pseudonymized medical data (including multi-tier entrustment) and seeks to engage in the business of handling medical information, an identifier or its equivalent deleted from medical data used to prepare anonymized medical data or pseudonymized medical data, an individual identification code, information concerning the method of processing performed pursuant to the provisions of Article 19, paragraph (1), Article 35, paragraph (1), Article 47, paragraph (1), or Article 48, paragraph (1), anonymized medical data, or pseudonymized medical data (referred to below as "medical and other data") may apply to obtain certification from the competent ministers as being capable of carrying out the business in a proper and reliable manner.
(Restrictions Based on Purpose of Use)
Article 46  (1) If a person that has obtained the certification referred to in the preceding Article (referred to below as "enterprise certified for entrustment with handling medical and other data") is entrusted or further entrusted with all or part of the handling of medical information pursuant to the provisions of Article 24, paragraph (1) or paragraph (2) or Article 37, paragraph (1) or paragraph (2), that person must not handle the medical information beyond the scope necessary for achieving the purpose of the business subject to the certification referred to in the preceding Article (referred to below as "business certified for entrustment with handling medical and other data"), so as not to contravene the purpose of the medical information being provided to contribute to research and development in the medical field.
(2) The provisions of the preceding paragraph do not apply to the following cases:
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(Preparation of Anonymized Medical Data)
Article 47  (1) If an enterprise certified for entrustment with handling medical and other data prepares anonymized medical data, it must process the medical information in accordance with the standards specified by order of the competent ministry as referred to in Article 19, paragraph (1).
(2) If an enterprise certified for entrustment with handling medical and other data prepares anonymized medical data and handles the anonymized medical data on its own, it must not collate the anonymized medical data against other information in order to identify the identifiable person whose medical information was used to prepare the anonymized medical data.
(3) The provisions of Article 43 of the Act on the Protection of Personal Information do not apply if an enterprise certified for entrustment with handling medical and other data prepares anonymized medical data pursuant to the provisions of paragraph (1).
(Preparation of Pseudonymized Medical Data)
Article 48  (1) If an enterprise certified for entrustment with handling medical and other data prepares pseudonymized medical data, it must process the medical information in accordance with the standards specified by order of the competent ministry as referred to in Article 35, paragraph (1).
(2) Notwithstanding the provisions of Article 46, if an enterprise certified for entrustment with handling medical and other data prepares pseudonymized medical data pursuant to the provisions of the preceding paragraph, it must not handle that pseudonymized medical data beyond the scope necessary for achieving the purpose of the business certified for entrustment with handling medical and other data, unless the relevant laws and regulations apply.
(3) When an enterprise certified for entrustment with handling medical and other data prepares pseudonymized medical data and handles it on its own, it must not collate that pseudonymized medical data with other information in order to identify the identifiable person whose medical information was used to prepare that pseudonymized medical data.
(4) When an enterprise certified for entrustment with handling medical and other data handles pseudonymized medical data that it manages in connection with its business certified for entrustment with handling medical and other data, it must not use the contact information or any other information contained in that pseudonymized medical data to make telephone calls, send letters by mail or correspondence delivery, deliver telegrams, transmit information by using a facsimile machine or electronic or by magnetic means, or visit a residence.
(5) The provisions of Article 41, paragraph (1) of the Act on the Protection of Personal Information do not apply if an enterprise certified for entrustment with handling medical and other data prepares pseudonymized medical data pursuant to the provisions of paragraph (1), and the provisions of Article 26; Articles 32 through 39; Article 41, paragraphs (2) through (9); and Article 42 of that Act do not apply if an enterprise certified for entrustment with handling medical and other data handles pseudonymized medical data that it manages in connection with its business certified for entrustment with handling medical and other data.
(Restrictions on Provision of Pseudonymized Medical Data to Third Parties)
Article 49  (1) Notwithstanding the provisions of paragraph (1) of the following Article, an enterprise certified for entrustment with handling medical and other data must not provide a third party with pseudonymized medical data that it manages in connection with its business certified for entrustment with handling medical and other data, except in the following cases.
(i) when the relevant laws and regulations apply;
(ii) if that enterprise provides a certified producer of pseudonymized medical data that it has entrusted under the provisions of Article 37, paragraph (1) or an enterprise certified for entrustment with handling medical and other data that it has further entrusted under the provisions of paragraph (2) of that Article with the pseudonymized medical data subject to that entrustment or further entrustment.
(2) In the following cases, the recipient of the pseudonymized medical data is not to be considered a third party with regard to the application of the provisions of the preceding paragraph:
(i) if pseudonymized medical data is provided as a result of the succession of business due to a transfer of business under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6), as applied mutatis mutandis pursuant to Article 51, or for any other reason;
(ii) if the pseudonymized medical data is provided as a result of an enterprise certified for entrustment with handling medical and other data further entrusting the whole or a part of its handling of pseudonymized medical data pursuant to the provisions of Article 37, paragraph (2).
(Restrictions on the Provision of Medical Information to Third Parties)
Article 50  (1) Except in the following cases, an enterprise certified for entrustment with handling medical and other data must not provide a third party with medical information which it has been entrusted or further entrusted to handle in whole or in part pursuant to the provisions of Article 24, paragraph (1) or paragraph (2) or Article 37, paragraph (1) or paragraph (2).
(i) when the relevant laws and regulations apply;
(ii) in an emergency in order to save a person's life, provide disaster relief, or otherwise respond to an emergency.
(iii) if that enterprise provides a certified producer of anonymized medical data that has undertaken an entrustment under the provisions of Article 24, paragraph (1), a certified producer of pseudonymized medical data that has undertaken an entrustment under the provisions of Article 37, paragraph (1), or an enterprise certified for entrustment with handling medical and other data that has undertaken a further entrustment under the provisions of Article 24, paragraph (2) or Article 37, paragraph (2) with medical information provided in connection with that entrustment or further entrustment;
(2) In the following cases, the recipient of the medical information is not to be considered a third party in applying the provisions of the preceding paragraph:
(i) if medical information is provided as a result of the succession of business due to a business transfer under the provisions of Article 11, paragraph (1), paragraph (2), or paragraphs (4) through (6) as applied mutatis mutandis pursuant to the following Article or for any other reason;
(ii) when medical information is provided as a result of an enterprise certified for entrustment with handling medical and other data further entrusting all or a part of its handling of medical information to another person pursuant to the provisions of Article 24, paragraph (2) or Article 37, paragraph (2);
(Application Mutatis Mutandis)
Article 51  The provisions of Article 9, paragraph (2) (excluding items (ii) and (iii)); paragraph (3) (excluding item (ii)); paragraphs (4) and (5); Articles 10 through 17; Articles 20 through 23; Article 25; Article 26; and Article 29 apply mutatis mutandis to the certification referred to in Article 45, the enterprise certified for entrustment with handling medical and other data, and the business certified for entrustment with handling medical and other data. In that case, the words listed in the right-hand column of the following table are deemed to replace the words listed in the middle column of that table in the provisions listed in the left-hand column of that table, and, additionally, Cabinet Order provides for the necessary technical replacement of terms.
|Article 9, paragraph (2)|the items of the following paragraph|items (i), (iii), and (iv) of the following paragraph|
|Article 9, paragraph (2), item (iv)|medical information, identifiers or their equivalent deleted from medical information used to prepare anonymized medical data, individual identification codes, information concerning the method of processing performed pursuant to the provisions of Article 19, paragraph (1) or Article 47, paragraph (1), and anonymized medical data (referred to below as "anonymized medical and other data");|Medical and other data (meaning medical and other data prescribed in Article 45; the same applies below);|
|Article 9, paragraph (3), item (i), (c)|the business of preparing anonymized medical data|the relevant business|
|Article 9, paragraph (3), items (iii) and (iv), Article 11, paragraph (9), Article 12, paragraph (2), Article 13, paragraph (2), Article 16, paragraphs (1) and (2), Articles 20 through 23, Article 25, Article 26, and Article 29, paragraph (1)|anonymized medical and other data|medical and other data|
|Article 10, paragraph (1)|aragraph (2), items (ii) through (v) of that Article|paragraph (2), item (iv) or (v) of the preceding Article|
|Article 10, paragraph (5)|item (i)|items (i) and (ii)|
|Article 11, paragraph (7)|Article 9, paragraphs (3) through (5)|Article 9, paragraph (3) (excluding item (ii)), paragraph (4), and paragraph (5)|
|Article 16, paragraph (1), item (ii)|the items of Article 9, paragraph (3)|Article 9, paragraph (3), item (i), (iii), or (iv)|
|Article 16, paragraph (1), item (iv)|Article 28, paragraph (1)|if the certified business provides pseudonymized medical data in violation of the provisions of Article 49, paragraph (1), or if the certified business provides medical information in violation of the provisions of Article 50, paragraph (1);|
|Article 16, paragraph (1), item (v)|Article 61, paragraph (1)|Article 61, paragraph (4)|
|Article 17, paragraph (1), item (ii)|Article 61, paragraph (1)|Article 61, paragraph (4)|
|Article 26|ministry.|ministry. Provided, however, that this does not apply if the enterprise certified for entrustment with handling medical and other data  has been entrusted with all or part of the handling of medical and other data by a certified business preparing anonymized medical data, a certified business preparing  pseudonymized medical data (meaning a certified business preparing pseudonymized medical data prescribed in Article 34, paragraph (1); the same applies below in this Article), or another enterprise certified for entrustment with handling medical and other data, and the enterprise certified for entrustment with handling medical and other data has notified the relevant certified business preparing anonymized medical data, certified business preparing pseudonymized medical data, or that other enterprise certified for entrustment with handling medical and other data of that situation, pursuant to the provisions of order of the competent ministry.|
Chapter VI Provision of Medical Information to a Certified Producer of Anonymized Medical Data or a Certified Producer of Pseudonymized Medical Data by an Enterprise Handling Medical Information
Section 1 Provision of Medical Information to Certified Producers of Anonymized Medical Data
(Provision of Medical Information by Enterprises Handling Medical Information)
Article 52  (1) If an enterprise handling medical information agrees to cease to provide a certified producer of anonymized medical data with medical information that identifies an identifiable person (excluding medical information acquired by deception or other wrongful means; the same applies below in this paragraph and Article 57, paragraph (1)) at the request of the identifiable person or a surviving family member of that person (meaning a child, grandchild, or any other person specified by Cabinet Order of an identifiable person who is deceased; the same applies below) pursuant to the provisions of order of the competent ministry, and the enterprise handling medical information has notified the identifiable person and the competent minister of the following matters in advance, pursuant to the provisions of order of the competent ministry, the enterprise handling medical information may provide the certified producer of anonymized medical data with that medical information:
(i) the name and address of the enterprise handling medical information and, for a corporation, the name of its representative (or, if it is an organization without legal personality for which a representative or administrator has been designated, the representative or administrator; the same applies in Article 55, paragraph (1), item (i) and Article 57, paragraph (1), item (i));
(ii) the fact that the enterprise handling medical information is providing that information to a certified producer of anonymized medical data to prepare anonymized medical data that are meant to contribute to research and development in the medical field;
(iii) the items included in the medical information provided to the certified producer of anonymized medical data;
(iv) the method of acquiring medical information to be provided to a certified producer of anonymized medical data;
(v) the method of providing medical information to a certified producer of anonymized medical data;
(vi) the fact that the enterprise handling medical information will cease to provide medical information that can be used to identify the identifiable person to a certified producer of anonymized medical data at the request of the identifiable person or a surviving family member of that person;
(vii) the method of accepting requests from the identifiable person or their surviving family members;
(viii) other matters specified by order of the competent ministry as being necessary for protecting the rights and interests of individuals.
(2) Pursuant to the provisions of order of the competent ministry, if there has been a change in a matter stated in item (i) of the preceding paragraph or if an enterprise handling medical information has ceased to provide medical information under the provisions of that paragraph, the enterprise must notify the person concerned and the competent minister of that fact without delay, and if the enterprise seeks to change a matter stated in items (iii) through (v), (vii), or (viii) of that paragraph, it must notify the identifiable person and the competent minister of that intention in advance.
(3) When a notification under the provisions of paragraph (1) has been filed, the competent minister must issue a public announcement of the matters to which the notification is related pursuant to the provisions of order of the competent ministry. The same applies when a notification under the provisions of the preceding paragraph has been filed.
(Delivery of Documents)
Article 53  (1) If an identifiable person or a surviving family member of the identifiable person who has received a notice under the provisions of paragraph (1) of the preceding Article requests an enterprise handling medical information to cease to provide certified producers of anonymized medical data with medical information that identifies the identifiable person, the enterprise handling medical information must, without delay, deliver a document to the person making the request stating the fact that the request has been made and other matters specified by order of the competent ministry, pursuant to the provisions of order of the competent ministry.
(2) In lieu of delivering a document under the provisions of the preceding paragraph, an enterprise handling medical information may provide an electronic or magnetic record stating the matters that are required to be stated in that document after having first obtained the consent of the person that has made the request prescribed in that paragraph. In that case, the enterprise handling medical information is deemed to have delivered the document under the provisions of that paragraph.
(3) An enterprise handling medical information that has delivered a document pursuant to the provisions of paragraph (1) or that has provided an electronic or magnetic record pursuant to the provisions of the preceding paragraph must preserve a copy of the document or the electronic or magnetic record pursuant to the provisions of order of the competent ministry.
(Preparing Records of Provision of Medical Information)
Article 54  (1) After providing medical information to a certified producer of anonymized medical data pursuant to the provisions of Article 52, paragraph (1), an enterprise handling medical information must prepare a record of the date on which it provided the medical data, the name and address of the certified producer of anonymized medical data, and other information specified by order of the competent ministry, pursuant to the provisions of order of the competent ministry.
(2) An enterprise handling medical information must preserve the record referred to in the preceding paragraph for the period specified by order of the competent ministry after the date on which the enterprise prepared that record.
(Confirmations to Be Made When Medical Information Is Provided)
Article 55  (1) When a certified producer of anonymized medical data receives medical information from an enterprise handling medical information pursuant to the provisions of Article 52, paragraph (1), the producer must confirm the following matters, pursuant to the provisions of order of the competent ministry:
(i) the name and address of the enterprise handling medical information and, for a corporation, the name of its representative;
(ii) the circumstances under which the medical information was acquired by the enterprise handling medical information.
(2) When a certified producer of anonymized medical data confirms the matters under the provisions of the preceding paragraph, the enterprise handling medical information referred to in that paragraph must not provide false information to that certified producer of anonymized medical data regarding any of the matters subject to that confirmation.
(3) After confirming the matters under the provisions of paragraph (1), a certified producer of anonymized medical data must prepare a record of the date on which it was provided with the medical information, the matters subject to that confirmation, and other matters specified by order of the competent ministry, pursuant to the provisions of order of the competent ministry.
(4) A certified producer of anonymized medical data must preserve the record referred to in the preceding paragraph for the period specified by order of the competent ministry after the date on which that certified producer prepared the record.
(Cases Where Medical Information Must Not Be Provided by an Enterprise Handling Medical Information)
Article 56  Except when the relevant laws and regulations apply, a certified producer of anonymized medical data must not be provided with the following medical information by an enterprise handling medical information:
(i) medical information for which no notice or notification under the provisions of Article 52, paragraph (1) or (2) has been made;
(ii) medical information requested pursuant to the provisions of Article 53, paragraph (1).
Section 2 Provision of Medical Information to Certified Producers of Pseudonymized Medical Data
(Provision of Medical Information by Enterprises Handling Medical Information)
Article 57  (1) If an enterprise handling medical information agrees to cease to provide a certified producer of pseudonymized medical data with medical information that identifies an identifiable person at the request of the identifiable person or a surviving family member of that person, pursuant to the provisions of order of the competent ministry, and the enterprise handling medical information has notified the identifiable person and the competent minister of the following matters in advance, pursuant to the provisions of order of the competent ministry, the enterprise handling medical information may provide the certified producer of pseudonymized medical data with that medical data.
(i) the name and address of the enterprise handling medical information and, for a corporation, the name of its representative;
(ii) the fact that the enterprise handling medical information is providing that information to a certified producer of pseudonymized medical data as data to be used by certified users of pseudonymized medical data to prepare pseudonymized medical data used for research and development in the medical field;
(iii) the items included in the medical information provided to the certified producer of pseudonymized medical data;
(iv) the method of acquiring medical information to be provided to a certified producer of pseudonymized medical data;
(v) the method of providing medical information to a certified producer of pseudonymized medical data;
(vi) the fact that the enterprise handling medical information will cease to provide medical information that can be used to identify the identifiable person to a certified producer of pseudonymized medical data at the request of the identifiable person or a surviving family member of that person.
(vii) the method of accepting requests from the identifiable person or their surviving family members;
(viii) other matters specified by order of the competent ministry as being necessary for protecting the rights and interests of individuals.
(2) Pursuant to the provisions of order of the competent ministry, if there has been a change in a matter stated in item (i) of the preceding paragraph or if an enterprise handling medical information has ceased to provide medical information under the provisions of that paragraph, the enterprise must notify the person concerned and the competent minister of that fact without delay, and if the enterprise seeks to change a matter stated in items (iii) through (v), (vii), or (viii) of that paragraph, it must notify the identifiable person and the competent minister of that intention in advance.
(3) When a notification under the provisions of paragraph (1) has been filed, the competent ministers must issue a public announcement of the matters to which the notification is related pursuant to the provisions of order of the competent ministry. The same applies when a notification under the provisions of the preceding paragraph has been filed.
(Application Mutatis Mutandis)
Article 58  The provisions of Articles 53 through 56 apply mutatis mutandis to the provision of medical information by an enterprise handling medical information to a certified producer of pseudonymized medical data. In that case, the phrase "paragraph (1) of the preceding Article" in Article 53, paragraph (1) is deemed to be replaced with "Article 57, paragraph (1)" and the phrase "Article 52, paragraph (1)" in Article 54, paragraph (1); Article 55, paragraph (1); and Article 56, item (i) is deemed to be replaced with "Article 57, paragraph (1)".
Chapter VII Supervision
(On-site Inspections)
Article 59  (1) To the extent necessary for enforcing this Act, the competent minister may require a certified producer of anonymized medical data, certified producer of pseudonymized medical data, certified user of pseudonymized medical data, or enterprise certified for entrustment with handling medical and other data (excluding foreign operators), an enterprise handling anonymized medical data, a user of linkable anonymized medical data (excluding any other administrative organ of the State; the same applies in Article 61, paragraph (7)), or an enterprise handling medical information to submit the necessary reports; and may have the relevant officials enter the offices or other places of business of these persons, inspect their books, documents, or other items, or question the relevant persons.
(2) An official who performs an on-site inspection under the provisions of the preceding paragraph must carry identification and present it if requested by a person concerned.
(3) The authority for an on-site inspection under the provisions of the paragraph (1) must not be construed as being granted for criminal investigation purposes.
(4) Before requiring to submit a report or conducting an on-site inspection under paragraph (1), the competent minister must first consult with the Personal Information Protection Commission.
(Guidance and Advice)
Article 60  The competent minister is to provide a certified producer of anonymized medical data, a certified producer of pseudonymized medical data, a certified user of pseudonymized medical data, or an enterprise certified for entrustment with handling medical and other data with the necessary guidance and advice to properly implement the business to which the certification referred to in Article 9, paragraph (1), Article 33, Article 41, or Article 45 is related.
(Order for Rectification)
Article 61  (1) If the competent minister finds that a certified producer of anonymized medical data (excluding foreign operators) is in violation of the provisions of Article 18, paragraph (1); Article 19, paragraph (1) or (2); Articles 20 through 22; Article 24, paragraph (1); Article 25; Article 26; Article 27, paragraph (1); Article 28, paragraph (1); Article 29; Article 31, paragraph (1); Article 55 (excluding paragraph (2)); or Article 56, the minister may order the person to take the necessary measures to rectify the violation.
(2) If the competent minister finds that a certified producer of pseudonymized medical data (excluding foreign operators) is in violation of the provisions of Article 34, paragraph (1); Article 35 (excluding paragraph (5)); Article 36, paragraph (2); Article 37, paragraph (1); Article 38, paragraph (1); or Article 39, paragraph (1); the provisions of Articles 20 through 22 as applied mutatis mutandis pursuant to Article 40; Article 25; Article 26; or Article 29; or the provisions of Article 55 (excluding paragraph (2)) or Article 56 as applied mutatis mutandis pursuant to Article 58, the minister may order the person to take the necessary measures to rectify the violation.
(3) If the competent minister finds that a certified user of pseudonymized medical data (excluding foreign operators) is in violation of the provisions of Article 42 (excluding paragraph (4)) or Article 43, paragraph (1), or the provisions of Articles 20 through 22, Article 26, or Article 29 as applied mutatis mutandis pursuant to Article 44, the minister may order the person to take the necessary measures to rectify the violation.
(4) If the competent minister finds that an enterprise certified for entrustment with handling medical and other data (excluding foreign operators) is in violation of the provisions of Article 24, paragraph (2); Article 37, paragraph (2); Article 46, paragraph (1); Article 47 (excluding paragraph (3)); Article 48 (excluding paragraph (5)); Article 49, paragraph (1); or Article 50, paragraph (1), or the provisions of Articles 20 through 22, Article 25, Article 26, or Article 29 as applied mutatis mutandis pursuant to Article 51, the minister may order the person to take the necessary measures to rectify the violation.
(5) The provisions of each of the preceding paragraphs apply mutatis mutandis to certified producers of anonymized medical data, certified producers of pseudonymized medical data, certified users of pseudonymized medical data, and enterprises certified for entrustment with handling medical and other data (limited to foreign operators). In that case, the term "order" in those provisions is deemed to be replaced with "request".
(6) If the competent minister finds that an enterprise handling anonymized medical data is in violation of the provisions of Article 30, paragraph (1), the minister may order the person to take the necessary measures to rectify the violation.
(7) If the competent minister finds that a user of linkable anonymized medical data is in violation of the provisions of Article 32, paragraph (1) or the provisions of Articles 20 through 22 as applied mutatis mutandis pursuant to Article 32, paragraph (2), the minister may order the user to take the necessary measures to rectify the violation.
(8) If the competent minister finds that an enterprise handling medical information is in violation of the provisions of Article 52, paragraph (1) or (2); Article 53, paragraph (1) or (3); or Article 54 (including as applied mutatis mutandis pursuant to Article 58); or Article 57, paragraph (1) or (2), the minister may order the person to take the necessary measures to rectify the violation.
(9) Before issuing an order under the provisions of paragraphs (1) through (4) or the preceding three paragraphs, or making a request under the provisions of paragraphs (1) through (4) as applied mutatis mutandis pursuant to paragraph (5) following the deemed replacement of terms, the competent minister must first consult with the Personal Information Protection Commission.
Chapter VIII Miscellaneous Provisions
(Communication and Cooperation)
Article 62  When enforcing this Act, the competent minister and the Personal Information Protection Commission must maintain a close liaison and cooperate with each other regarding matters related to proper handling of medical and other data.
(Competent Ministers)
Article 63  (1) The competent ministers in this Act are the Prime Minister, the Minister of Education, Culture, Sports, Science and Technology, the Minister of Health, Labour and Welfare, and the Minister of Economy, Trade and Industry.
(2) Order of the competent ministry as referred to in this Act means the order issued by the competent minister.
(3) Before establishing or altering an order of the competent ministry, the competent ministers must first consult with the Personal Information Protection Commission.
(Affairs to Be Handled by Local Governments)
Article 64  The affairs under the authority of the competent minister prescribed in Article 59, paragraph (1) (limited to those related to enterprises handling medical information) may be handled by the head of a local government pursuant to the provisions of Cabinet Order.
(Delegation of Authority)
Article 65  Part of the authority of the competent minister prescribed in this Act may be delegated to the head of a local branch office, pursuant to the provisions of Cabinet Order.
(Delegation to Orders of Competent Ministries)
Article 66  Beyond what is provided for in this Act, procedures for the enforcement of this Act and other matters necessary for the enforcement of this Act are specified by order of the competent ministry.
(Transitional Measures)
Article 67  When enacting, amending, or repealing an order pursuant to the provisions of this Act, necessary transitional measures (including transitional measures concerning penal provisions) may be specified by that order to the extent considered reasonably necessary for that enactment, amendment, or repeal.
Chapter IX Penal Provisions
Article 68  If a current or former officer or employee of a certified producer of anonymized medical data, a certified producer of pseudonymized medical data, or an enterprise certified for entrustment with handling medical and other data, provides another person with a database or similar collection of medical information (or a database or similar collection of medical information whose content has been reproduced or processed in whole or in part) containing an individual's confidential information managed in the course of the operations handled by that officer or employee, without legitimate grounds for doing so, that officer or employee is subject to imprisonment for not more than two years, a fine of not more than one million yen, or both.
Article 69  (1) If a current or former officer or employee of a certified producer of anonymized medical data provides another person with or misappropriates anonymized medical and other data acquired in the course of the operations they handled, and if that officer or employee does so to secure unlawful gain for themselves or a third party, that officer or employee is subject to imprisonment for not more than one year, a fine of not more than one million yen, or both.
(2) If a current or former officer or employee of a certified producer of pseudonymized medical data provides another person with or misappropriates pseudonymized medical and other data acquired in the course of the operations they handled, and if that officer or employee does so to secure unlawful gain for themselves or a third party, that officer or employee is subject to imprisonment for not more than one year, a fine of not more than one million yen, or both.
(3) If a current or former officer or employee of a certified user of pseudonymized medical data provides another person with or misappropriates the provided pseudonymized medical data acquired in the course of the operations they handled, and if that officer or employee does so to secure unlawful gain for themselves or a third party, that officer or employee is subject to imprisonment for not more than one year, a fine of not more than one million yen, or both.
(4) If a current or former officer or employee of an enterprise certified for entrustment with handling medical and other data provides another person with or misappropriates medical and other data acquired in the course of the operations they handled, and if that officer or employee does so to secure unlawful gain for themselves or a third party, that officer or employee is subject to imprisonment for not more than one year, a fine of not more than one million yen, or both.
Article 70  If a person falls under any of the following items, the person committing the relevant violation is subject to imprisonment for not more than one year, a fine of not more than one million yen, or both:
(i) a person has obtained certification prescribed in Article 9, paragraph (1), Article 10, paragraph (1) (including when it is applied mutatis mutandis pursuant to Article 40, Article 44, and Article 51), Article 33, Article 41, or Article 45, or authorization under Article 11, paragraphs (4) through (6) (including when these provisions are applied mutatis mutandis pursuant to Article 40, Article 44, and Article 51) by deception or other wrongful means;
(ii) a person has changed any of the matters stated in Article 9, paragraph (2), items (ii) through (v) in violation of the provisions of Article 10, paragraph (1);
(iii) a person has changed any of the matters stated in Article 9, paragraph (2), items (ii) through (v) as applied mutatis mutandis pursuant to Article 40 in violation of the provisions of Article 10, paragraph (1) as applied mutatis mutandis pursuant to Article 40;
(iv) a person has changed any of the matters stated in Article 9, paragraph (2), item (ii), (iv), or (v) as applied mutatis mutandis pursuant to Article 44 in violation of the provisions of Article 10, paragraph (1) as applied mutatis mutandis pursuant to Article 44;
(v) a person has changed any of the matters stated in Article 9, paragraph (2), item (iv) or (v) as applied mutatis mutandis pursuant to Article 51 in violation of the provisions of Article 10, paragraph (1) as applied mutatis mutandis pursuant to Article 51;
(vi) a person has violated an order under the provisions of Article 61, paragraphs (1) through (4) or paragraphs (6) through (8).
Article 71  If a person falls under any of the following items, the person committing the relevant violation is subject to imprisonment for not more than one year, a fine of not more than 500,000 yen, or both:
(i) a person discloses the content of anonymized medical and other data that the person has acquired in connection with the certified business of preparing anonymized medical data to another person without due cause or uses it for an unjust purpose, in violation of the provisions of Article 23;
(ii) a person discloses the content of linkable anonymized medical data that the person has acquired while using that information to another person without due cause or uses it for an unjust purpose, in violation of the provisions of Article 23 as applied mutatis mutandis pursuant to Article 32, paragraph (2);
(iii) a person discloses the content of pseudonymized medical and other data that the person has acquired in connection with the business certified for preparing pseudonymized medical data to another person without due cause or uses it for an unjust purpose, in violation of the provisions of Article 23 as applied mutatis mutandis pursuant to Article 40;
(iv) a person discloses the content of provided pseudonymized medical data that the person has acquired in connection with the certified business using pseudonymized medical data prescribed in Article 11, paragraph (1) as applied mutatis mutandis pursuant to Article 44 to another person without due cause or uses it for an unjust purpose, in violation of the provisions of Article 23 as applied mutatis mutandis pursuant to Article 44;
(v) a person discloses the content of medical and other data acquired in connection with the business certified for entrustment with handling medical and other data to another person without due cause or uses it for an unjust purpose, in violation of the provisions of Article 23 as applied mutatis mutandis pursuant to Article 51.
Article 72  If a person falls under any of the following items, the person committing the relevant violation is subject to a fine of not more than 500,000 yen:
(i) a person fails to make a notification under the provisions of Article 10, paragraph (3), Article 11, paragraph (3) or (8), or Article 12, paragraph (1) (including as applied mutatis mutandis pursuant to Article 40, Article 44, and Article 51), or makes a false notification;
(ii) a person fails to delete anonymized medical and other data in violation of the provisions of Article 11, paragraph (9); Article 12, paragraph (2); Article 13, paragraph (2); or Article 16, paragraph (2) (including as applied mutatis mutandis pursuant to Article 17, paragraph (2));
(iii) a person fails to delete pseudonymized medical and other data in violation of the provisions of Article 11, paragraph (9), Article 12, paragraph (2), Article 13, paragraph (2), or Article 16, paragraph (2) (including as applied mutatis mutandis pursuant to Article 17, paragraph (2)) as applied mutatis mutandis pursuant to Article 40;
(iv) a person fails to delete the provided pseudonymized medical data in violation of the provisions of Article 11, paragraph (9), Article 12, paragraph (2), Article 13, paragraph (2), or Article 16, paragraph (2) (including as applied mutatis mutandis pursuant to Article 17, paragraph (2)) as applied mutatis mutandis pursuant to Article 44;
(v) a person fails to delete medical and other data in violation of the provisions of Article 11, paragraph (9); Article 12, paragraph (2); Article 13, paragraph (2); or Article 16, paragraph (2) as applied mutatis mutandis pursuant to Article 51 (including as applied mutatis mutandis pursuant to Article 17, paragraph (2));
(vi) a person fails to keep books, fails to make entries in the books, makes false entries in the books, or fails to preserve the books in violation of the provisions of Article 14 (including as applied mutatis mutandis pursuant to Article 40, Article 44, and Article 51);
(vii) a person fails to make a report under the provisions of Article 59, paragraph (1) or makes a false report, or refuses, obstructs, or evades an inspection under the provisions of that paragraph, or fails to answer or gives a false answer to questions under the provisions of that paragraph.
Article 73  The offenses referred to in Article 68, Article 69, Article 70 (limited to the part related to item (vi) (limited to the part related to Article 61, paragraph (1) (excluding the part related to Article 55 (excluding paragraph (2)) and Article 56), paragraph (2) (limited to the part related to Article 55 (excluding paragraph (2)) and Article 56 as applied mutatis mutandis pursuant to Article 58), paragraph (3), paragraph (4) and paragraph (7))), Article 71 and the preceding Article (limited to the part related to items (ii) through (v)) also apply to persons who have committed the offenses stated in these Articles outside of Japan.
Article 74  (1) If the representative of a corporation (including an organization without legal personality for which a representative or administrator has been designated; the same applies below in this paragraph) or the agent, employee, or another worker of a corporation or individual violates the provisions stated in one of the following items in connection with the business of the corporation or individual, in addition to the offender being subject to punishment, the corporation is subject to the fine prescribed in the relevant item and the individual is subject to the fine prescribed in the relevant Article:
(i) Articles 68 to 70: a fine of not more than 100 million yen;
(ii) Article 71 or 72: the fine prescribed in the respective Articles.
(2) If the provisions of the preceding paragraph apply to an organization without legal personality, its representative or administrator represents the organization without legal personality as regards its procedural act, and the provisions of laws on criminal proceedings in which a corporation is the accused or a suspect apply mutatis mutandis.
Article 75  A person who falls under any of the following items is subject to a civil fine of not more than 100,000 yen:
(i) a person failing to file a notification under the provisions of Article 13, paragraph (1) (including as applied mutatis mutandis pursuant to Article 40, Article 44, or Article 51) or filing a false notification;
(ii) a person that violates the provisions of Article 15 (including as applied mutatis mutandis pursuant to Article 40, Article 44, or Article 51) or Article 55, paragraph (2) (including as applied mutatis mutandis pursuant to Article 58).
Supplementary Provisions  [Extract]
(Effective Date)
Article 1  This Act comes into effect as of the day specified by Cabinet Order within a period not exceeding one year from the date of promulgation; provided, however, that the provisions of the following Article and Article 4 of the Supplementary Provisions come into effect as of the date of promulgation.
(Transitional Measures Concerning the Basic Policy)
Article 2  (1) Even before the enforcement of this Act, the government may establish the basic policy pursuant to the provisions of Article 4. In this case, even before the enforcement of this Act, the Prime Minister may make the basic policies public pursuant to the provisions of that Article.
(2) The basic policy established pursuant to the provisions of the preceding paragraph is deemed to have been established pursuant to the provisions of Article 4 on the date of enforcement of this Act.
(Transitional Measures Concerning the Restrictions on the Use of Names)
Article 3  For six months after this Act comes into effect, the provisions of Article 14 (including as applied mutatis mutandis pursuant to Article 29) do not apply to a person using a name that refers to the person as a certified producer of anonymized medical data, a certified enterprise certified for entrustment with handling medical and other data, or a name that is misleadingly similar to either of these at the time this Act comes into effect.
(Delegation to Cabinet Order)
Article 4  Beyond what is provided for in the preceding two Articles, the transitional measures necessary for the enforcement of this Act are specified by Cabinet Order.
(Review)
Article 5  When five years have elapsed since the enforcement of this Act, the government is to review the status of enforcement of this Act and, if it finds it necessary, take the necessary measures based on the results of the review.