Order for Enforcement of the Act on the Protection of Personal Information(Cabinet Order No. 507 of 2003)
Last Version: Cabinet Order No. 166 of 2008
目次
履歴
-
▶
-
平成29年7月10日
- 最終更新:平成二八年政令第三二四号
- 翻訳日:平成28年11月24日
- 辞書バージョン:11.0
-
平成28年2月4日
- 最終更新:平成二十年政令第百六十六号
- 翻訳日:平成26年3月18日
- 辞書バージョン:8.0
Order for Enforcement of the Act on the Protection of Personal Information
Cabinet Order No. 507 of December 10, 2003
The Cabinet hereby enacts this Cabinet Order pursuant to Article 2, paragraph (2), item (ii) of the Act on the Protection of Personal Information (Act No. 57 of 2003) and pursuant to paragraph (3), item (iv) and paragraph (5) of that Article; Article 24, paragraph (1), item (iv) of that Act; Article 25 paragraph (1) of that Act; Article 29, paragraph (1) and paragraph (3) of that Act; Article 37, paragraph (2) of that Act; Article 40, paragraph (1) of that Act; and Article 51, Article 52, and Article 55 of that Act.
(Databases, etc. of Personal Information )
Article 1The set of data that Cabinet Order provides for which is referred to in Article 2, paragraph (2), item (ii) of the Act on the Protection of Personal Information (hereinafter referred to as "the Act") is any set of data to which a fixed set of rules is applied to arrange the personal information contained therein so that it is structurally organized to enable personal information to be easily retrieved from it, and which has a table of contents, an index, or anything else that aids in retrieval.
( Business operators Excluded from Consideration as Business Operators Handling Personal Information)
Article 2The business operator that Cabinet Order provides for which is referred to in Article 2, paragraph (3), item (v) of the Act is any business operator with a database, etc. of personal information for business use which is made up of personal information that could be used to identify no more than a total of five thousand certain individuals on any single day in the past six months (if all or part of that database, etc. of personal information was created by another business operator and the entity using it for business has not edited or reworked any of the data set forth in the following items, the certain individuals that can be identified using the personal information that makes up the whole or the relevant part of that database, etc. of personal information are excluded from being calculated as among the number of certain individuals that the personal information could be used to identify on any single day during the past six months):
(i)data that contains only the following details as personal information:
(a)an individual's name;
(b)an individual's residence or domicile (including any indication on a map or computer screen showing where the individual's residence or domicile is located);
(c)an individual's telephone number.
(ii)data that has been released for sale to the general public and that can now or could formerly be purchased by the general public at any time.
(Data Excluded from Consideration as Retained Personal Data)
Article 3The personal data that Cabinet Order provides for which is referred to in Article 2, paragraph (5) of the Act is:
(i)any personal data whose known presence or absence of a database is likely to threaten the life, body, or property of the identifiable person;
(ii)any personal data whose known presence or absence of a database is likely to prompt or trigger an illegal activity or wrongful conduct;
(iii)any personal data whose known presence or absence of a database is likely to undermine national security, damage a relationship of confidence with a foreign country or international organization, or put the country at a disadvantage in negotiations with another country or with an international organization;
(iv)any personal data whose known presence or absence of a database is likely to interfere with crime prevention, crime control, or criminal investigations or with otherwise upholding public safety and order.
(Period to Deletion of Data Excluded from Consideration as Retained Personal Data )
Article 4The period that Cabinet Order specifies which is referred to in Article 2, paragraph (5) of the Act is six months.
(Matters That Needs to Be Made Accessible in Order to Ensure the Proper Handling of Retained Personal Data)
Article 5The matters specified by Cabinet Order which is referred to in Article 24, paragraph (1), item (iv) of the Act is:
(i)where to file a complaint about the handling, by the business operator handling personal information, of the retained personal data;
(ii)if the business operator handling personal information is the covered enterprise of an accredited personal information protection organization, the name of the accredited personal information protection organization and where to file for it to resolve the complaint.
(Means by Which a Business Operator Handling Personal Information Discloses the Retained Personal Data)
Article 6The means that Cabinet Order provides for which is referred to in Article 25, paragraph (1) of the Act is any paper-based means of delivery (or a means agreed to by the person requesting disclosure, if any).
(How a Business Operator Handling Personal Information Accepts Requests for Disclosure and Other Handling)
Article 7The matters that a Business Operators Handling Personal Information may establish, pursuant to the provisions of Article 29, paragraph (1) of the Act, as how that business operator will accept requests for disclosure and other handling are:
(i)where to file a request for disclosure or other handling;
(ii)the format of any paper document (or of any record created in electronic form, magnetic form, or any other form that cannot be perceived with the human senses) a person must submit when requesting disclosure or other handling, and other ways of requesting disclosure or other handling;
(iii)the way of verifying that the person requesting disclosure or other handling is the identifiable person or the representative prescribed in the following Article;
(iv)how the fee referred to in Article 30, paragraph (1) of the Act is collected.
(Representatives That May Request Disclosure or Other Handling)
Article 8The following representatives may request disclosure or other handling pursuant to the provisions of Article 29, paragraph (3) of the Act:
(i)the statutory agent of a minor or of an adult ward;
(ii)a representative appointed by the identifiable person to request the disclosure or other handling.
(Applying for Accreditation as an Accredited Personal Information Protection Organization)
Article 9(1)To apply for certification pursuant to the provisions of Article 37, paragraph (2) of the Act, a person must submit a written application to the competent minister, stating:
(i)the name and address of the applicant and the name of its representative or manager;
(ii)the location of the office where the applicant seeks to perform the services for which it is applying to be accredited;
(iii)an outline of the services for which the applicant is applying to be accredited.
(2)The following documents must accompany the written application referred to in the preceding paragraph:
(i)the applicant's articles of incorporation, articles of endowment, and other governing documents;
(ii)a document in which the business operator applying to be accredited pledges that it does not fall under the provisions of any item of Article 38 of the Act;
(iii)documents describing how the applicant will implement the services for which it is applying to be accredited;
(iv)documents showing that the applicant's knowledge and capabilities are sufficient to allow it to perform the services for which it is applying to be accredited properly and reliably;
(v)business reports, balance sheets, inventories of assets, and any other documents to show that the applicant has a financial base in the most recent business year (for a corporation incorporated in the business year in which it is applying for accreditation, an inventory of property at the time of incorporation);
(vi)documents giving the names, addresses, and career summaries of the applicant's officers;
(vii)a document giving the names of the covered enterprises and documents evidencing that those covered enterprises are members of the business operator applying to be accredited or are entities that have agreed to be covered by the services for which the applicant is applying to be accredited;
(viii)if the applicant engages in services other than the services for which it is applying to be accredited, a document describing the type of services and giving a business outline;
(ix)documents giving other information of reference.
(3)If matters set forth in paragraph (1), item (i) or item (ii) or matters given in a document set forth in item (ii) through item (iv), item (vi), or item (viii) of the preceding paragraph change, the accredited personal information protection organization must submit written notice of this to the competent minister without delay (and must also give the reason for the change, if the matters given in the document set forth in item (iii) of that paragraph changes).
(Notification of Discontinuation of Accredited Services)
Article 10Before discontinuing accredited services, an accredited personal information protection organization must submit written notice to the competent minister three months prior to the date it plans to discontinue the services, giving the following information:
(i)the name and address of the organization and the name of its representative or manager;
(ii)the last date the organization plans to accept requests referred to in Article 42, paragraph (1) of the Act;
(iii)the date the organization plans to discontinue its accredited services;
(iv)its reasons for discontinuing the accredited services.
(Affairs Handled by the Head, etc. of the Local Government or Chief Executive)
Article 11(1)If, pursuant to any other law or regulation, it has been decided that the head of a local government or other executive agencies (hereinafter referred to as the "Head, etc. of the Local Government or Chief Executive" in this Article) is to collect reports, conduct investigations, or issue recommendations in connection with business that Business Operators Handling Personal Information conduct which falls under the administrative jurisdiction of the competent minister, or that the Head, etc. of the Local Government or Chief Executive is to otherwise perform all or a part of the functions that are part of the supervisory authority of the competent minister, the Head of the Local Government or Chief Executive performs the affairs that Article 32 through Article 34 of the Act prescribe as being part of the authority of the competent minister. If, in such a case, there are multiple Heads, etc. of Local Government or Chief Executives that are to perform those affairs, nothing prevents each of those Heads, etc. of Local Government or Chief Executives from independently performing the affairs that Article 32 and Article 33 of the Act prescribe as being part of the authority of the competent minister.
(2)If, pursuant to any other law or regulation, it is decided that the Head, etc. of the Local Government or Chief Executive is to perform affairs connected with the permission or authorization for incorporation of an accredited personal information protection organization (or of a business operator seeking to be accredited as referred to in Article 37, paragraph (1) of the Act) which are part of the authority of the competent minister, the Head, etc. of the Local Government or Chief Executive performs affairs that Article 37, Article 40, and Article 46 through Article 48 of the Act prescribe as being part of the authority of the competent minister.
(3)The provisions of paragraph (1) do not prevent the competent minister from independently performing the affairs provided for in that paragraph.
(4)A Head, etc. of Local Government or Chief Executive performing, pursuant to paragraph (1), affairs that that paragraph prescribes to be part of the authority of the competent minister must promptly report the results of this affair to the competent minister.
(5)In cases as provided in paragraph (1) and paragraph (2), the provisions of the Act and of this Cabinet Order concerning the competent minister, as they relate to the functions provided for in paragraph (1) and paragraph (2), apply to the Head, etc. of the Local Government or Chief Executive as provisions of the Act and of this Order which concern the Head, etc. of the Local Government or Chief Executive.
(Delegation of Authority or Affairs)
Article 12(1)The competent minister, pursuant to the provisions of Article 52 of the Act, may delegate any authority or affairs that is within the minister's jurisdiction and is prescribed in Article 32 through Article 34, Article 37, Article 39, Article 40, or Article 46 through Article 48 of the Act to the head of an agency provided for in Article 49, paragraph (1) of the Act for Establishment of the Cabinet Office (Act No. 89 of 1999), to the head of an agency provided for in Article 3, paragraph (2) of the National Government Organization Act (Act No. 120 of 1948), or to the Commissioner General of the National Police Agency.
(2)The competent minister (or the head of the relevant agency, if the competent minister's authority or affairs are delegated to the head of an agency provided for in Article 49, paragraph (1) of Act for Establishment of the Cabinet Office or to the head of an agency provided for in Article 3, paragraph (2) of the National Government Organization Act, pursuant to the preceding paragraph), pursuant to the provisions of Article 52 of the Act, may delegate any authority or affairs that is within the minister's jurisdiction and is prescribed in Article 32 through Article 34, Article 37, Article 39, Article 40, or Article 46 through Article 48 of the Act to the head of a secretariat, bureau, or department provided for in Article 17 or Article 53 of the Act for Establishment of the Cabinet Office; to a person in a position provided for in Article 17, paragraph (1) or Article 62, paragraph (1) or paragraph (2) of that Act; to the head of a local branch office provided for in Article 43 or Article 57 of that Act; to the head of a secretariat, bureau, or department provided for in Article 7 of the National Government Organization Act; to the head of a local branch office provided for in Article 9 of that Act; or to a person in a position provided for in Article 20, paragraph (1) or paragraph (2) of that Act.
(3)The Commissioner General of the National Police Agency, pursuant to the provisions of Article 52 of the Act, may delegate any authority or affairs with which the commissioner has been delegated pursuant to paragraph (1) to the head of the Commissioner General's Secretariat; to the head of a bureau provided for in Article 19, paragraph (1) of the Police Act (Act No. 162 of 1954); to the head of a department provided for in paragraph (2) of that Article; or to the head of a regional institution provided for in Article 30, paragraph (1) of that Act.
(4)Before delegating authority or an affair pursuant to the provisions of one of the preceding three paragraphs, the competent minister, head of an agency provided for in Article 49, paragraph (1) of the Act for Establishment of the Cabinet Office, head of an agency provided for in Article 3, paragraph (2) of the National Government Organization Act, or Commissioner General of the National Police Agency must issue public notice of the official position of the member of personnel being delegated, the authority or affair being delegated, and the date the delegation comes into effect.
(Exercise of Authority by the Competent Minister)
Article 13(1)If multiple competent ministers under Article 36, paragraph (1) of the Act have jurisdiction over the handling of personal information that a Business Operator Handling Personal Information carries out, nothing prevents each competent minister from independently exercising the authority prescribed in Article 32 and Article 33 of the Act.
(2)A competent minister independently exercising authority pursuant to the provisions of the preceding paragraph must promptly report the results to the other competent ministers.
Supplementary Provisions
This Cabinet Order comes into effect as of the date of its promulgation; provided, however, that the provisions of Article 5 through Article 13 come into effect as of April 1, 2005.
Supplementary Provisions[Cabinet Order No. 389 of December 10, 2004]
This Cabinet Order comes into effect as of the date of its promulgation, and the provisions of Article 2 of the Order for Enforcement of the Act on the Protection of Personal Information following its revision by this Cabinet Order apply beginning on October 1, 2004.
Supplementary Provisions[Cabinet Order No. 166 of May 1, 2008]
(Effective Date)
(1)This Cabinet Order comes into effect as of the date of its promulgation.
(Transitional Measures)
(2)If, before this Cabinet Order comes into effect, a business operator that handles personal information is requested to make a report pursuant to Article 32 of the Act on the Protection of Personal Information or is issued an order pursuant to Article 34, paragraph (2) or paragraph (3) of that Act but, based on the application of Article 2, item (ii) as revised by this Cabinet Order, that business operator comes to no longer fall under the category of a business operator that handles personal information, the report or order of which the laws in force at the time of the request or order in question, and penal provisions apply to any violation as referred to in Article 57 or 58 of that Act in connection with such a request or order continue to be in effect, even after the enterprise is no longer considered to be a business operator handling personal information.