PERSONAL INFORMATION (part2)
- HOME >
- FEATURES OF >
- PERSONAL INFORMATION (part2)
4. HISTORY OF PERSONAL INFORMATION PROTECTION
Next, in the Personal Information Protection Act, we follow the history of the basic provisions on the rights granted to individuals to realize such protection and the obligation imposed on information holding organizations. At first, the necessity of protecting personal information beyond the traditional privacy right was clearly presented in 1967 by Alan Westin (USA) with "Privacy and Freedom" in which its own data distribution control right was raised. In 1974, the "Privacy Act" was established to provide fairness in handling information held by government agencies in USA. Also, in 1977, the Privacy Protection Committee report "Individual Privacy in the Information Society" indicated the eight principles of the "Privacy Act". Those are ① principle of disclosure, ② principle of personal access, ③ principle of individual participation, ④ principle of collection restriction, ⑤ principle of use restriction, ⑥ principle of restriction of supply, ⑦ principle of information management, ⑧ principle of responsibility.
In 1980, the OECD Privacy Guidelines - 8 principles are presented. Those are, ① principle of collection restriction (lawful and fair means and identity agreement), ② principle of data content (limited to purpose), ③ principle of clarification of purpose, ④ principle of use restriction (exception: data subject agreement, or under the provisions of law) ⑤ principle of safety protection, ⑥ principle of public disclosure (development, operation, policy), ⑦ principle of individual participation (confirmation of existence, confirmation of content, opposition, elimination / amendment), ⑧ principle of responsibility (responsibility of principle implementation measures).
In 1995, the European Parliament and the Council's Personal Data Protection Directive (EU Directive) were issued and within three years Member States are seeking legislation to comply with the standards. It is (a) there is a clear agreement of data subjects, (b) processing is necessary for the performance of contracts where the data subject is a party, (c) processing is necessary for the administrator to comply with legal obligations, (d) processing is necessary to protect the serious interests of the data subject, (e) processing is necessary for public interest or exercise of public authority, (f) processing is necessary for the legitimate interests of administrator, third parties to receive data disclosure and other parties. Also, collection restrictions on the type of data are stipulated, and processing of special category data (race, ethnicity, political opinion, religion, thought, beliefs, accession to labor union, or personal data on health and sexual life) are in principle forbidden.
In addition, exemptions are carefully stipulated such as, when the person's consent is given, when authority is given in domestic law in the field of labor law, when protecting the important right of the principal or other person but being difficult to obtain the consent of the person, when the legal activities of the nonprofit organization, when the person himself / herself has been published or judicial need, when necessary for preventive medical treatment, and when it is regulated by domestic law for important public interests. In 2000, the "safe harbor principle" scheme was negotiated between Europe and the United States. It is that EU trading US companies declare that they take protective measures meeting the EU directive standards, and report it to the Ministry of Commerce, and register it in the Department's Safe Harbor list. Further if it is found not to be compliant, the FTC (Federal Trade Commission) will add sanctions as unfair trade. The contents of "Safe Harbor Principles" are: (1) Announcement: An organization (US company) announces a means to enable it to be restricted; (2) Selection: Provides opt-out means for disclosure and opt-in means for confidential information, (3) Data transfer: The transfer to a third party is accepted when it complies with the principles of announcement / selection, and when a third party is carrying out the same level of protection, (4) Security: Make necessary and appropriate management so as not to cause loss, misuse, unauthorized access, leakage, modification, or damage, (5) Data integrity: It is consistent with the purpose of use, it is reasonable to be reliable, accurate and complete, and that it is necessary to manage it properly so as not to cause misuse, unauthorized access, leakage, reform, (6) Access: The information must be held by the organization so that individuals can access and modify or delete. However, this is not the case when burden / cost is incompatible with risk or when the rights of others are infringed. (7) Implementation: Secure an independent complaint handling system to ensure compliance. It has the obligation to solve problems.
In 2005, the "Montreux Declaration" of the International Conference on Data Protection, Privacy Commissioner was issued and its 11 principles were presented. These are: ① principle of legal and fair data collection and handling, ② principle of accuracy, ③ principles of clarification and restriction of purpose, ④ principle of proportionality, ⑤ principles of transparency, ⑥ principle of guarantee of individual participation, especially access rights of stakeholders, ⑦ principle of indiscriminate, ⑧ principle of data security, ⑨ principle of responsibility, ⑩ principle of independent monitoring and legal sanctions, ⑪ principle of sufficient level of protection in international distribution of personal data.
5. WAY OF PERSONAL INFORMATION PROTECTION SYSTEM
As described above, a big global trend of protection of personal information is formed towards the information society, and the basic provisions necessary for personal information protection are almost covered within that trend. Finally, referring it, list the basic provisions of the personal information protection system to ensure thorough use and protection of personal information.
(1) When collecting personal information by an information gathering organization or information holding organization, unless collecting is forced legally, it must be collected in principle based on the consent of the principal and under clarifying the purpose and by lawful and fair means.
(2) Referring to collecting privacy information (such as information on health and personal life) and sensitive information (information on race, ethnicity, political opinion, religion, beliefs, etc.) by information gathering organizations and information holding organizations, it is strictly forbidden except carrying out by a public institution that is legally administrative or organizations legally authorized to handle it, or providing by principle.
(3) Information holding organizations have an obligation to disclose what kind of personal information they possess and the usage form to be kept up to date so that in principle anyone can know it. Cases where it is possible to keep secret the existence of retained information or the contents of information are necessary to be restricted and strictly specify it.
(4) When handling personal information, information holding organizations are prohibited from using outside purpose for clarification at the time of collection.
(5) Information holding organizations are prohibited in principle to provide their personal information to third parties unless they agree with them. Provided, however, that this shall not apply in cases where it is necessary to fulfill a legal obligation, or when it is necessary for securing the serious interests of individuals.
(6) When an information holding organization provides personal information to a third party, even if where information to be provide are public institutions such as police, public security or tax agencies, and even if information provision is provided that it is unnecessary for the consent of the principal to be carried out on the public interest or the execution of legal and administrative affairs, there is an obligation to inform the principal of facts that provided information and the contents of the information at least after the incident.
(7) Information holding organizations have an obligation to manage their holding personal information with responsibility. There is an obligation to compensate for damage caused by leakage.
(8) An individual can know the presence or absence of own personal information possessed by an information holding organization and can access and confirm the contents thereof.
(9) If an individual wishes to restrict the use of his / her own personal information owned by the information holding organization, he / she has means to realize it and can request correction / deletion of the personal information.
(10) Establish high expertise and practically effective monitoring and investigating institutions independently from government and local government agencies in order to monitor and investigate the legitimacy of personal information processing against collecting organizations and holding organizations of personal information originally or at the request of individuals.
(11) The monitoring / investigation institution shall make a judgment as to whether or not it is a proper process for personal information protection and accept consultations on judge appropriateness from individuals and information holding organizations so as to avoid excessive inappropriate protection of personal information and to make effective use of necessary personal information, and their judgments and decisions consider authoritative.
Next, in the Personal Information Protection Act, we follow the history of the basic provisions on the rights granted to individuals to realize such protection and the obligation imposed on information holding organizations. At first, the necessity of protecting personal information beyond the traditional privacy right was clearly presented in 1967 by Alan Westin (USA) with "Privacy and Freedom" in which its own data distribution control right was raised. In 1974, the "Privacy Act" was established to provide fairness in handling information held by government agencies in USA. Also, in 1977, the Privacy Protection Committee report "Individual Privacy in the Information Society" indicated the eight principles of the "Privacy Act". Those are ① principle of disclosure, ② principle of personal access, ③ principle of individual participation, ④ principle of collection restriction, ⑤ principle of use restriction, ⑥ principle of restriction of supply, ⑦ principle of information management, ⑧ principle of responsibility.
In 1980, the OECD Privacy Guidelines - 8 principles are presented. Those are, ① principle of collection restriction (lawful and fair means and identity agreement), ② principle of data content (limited to purpose), ③ principle of clarification of purpose, ④ principle of use restriction (exception: data subject agreement, or under the provisions of law) ⑤ principle of safety protection, ⑥ principle of public disclosure (development, operation, policy), ⑦ principle of individual participation (confirmation of existence, confirmation of content, opposition, elimination / amendment), ⑧ principle of responsibility (responsibility of principle implementation measures).
In 1995, the European Parliament and the Council's Personal Data Protection Directive (EU Directive) were issued and within three years Member States are seeking legislation to comply with the standards. It is (a) there is a clear agreement of data subjects, (b) processing is necessary for the performance of contracts where the data subject is a party, (c) processing is necessary for the administrator to comply with legal obligations, (d) processing is necessary to protect the serious interests of the data subject, (e) processing is necessary for public interest or exercise of public authority, (f) processing is necessary for the legitimate interests of administrator, third parties to receive data disclosure and other parties. Also, collection restrictions on the type of data are stipulated, and processing of special category data (race, ethnicity, political opinion, religion, thought, beliefs, accession to labor union, or personal data on health and sexual life) are in principle forbidden.
In addition, exemptions are carefully stipulated such as, when the person's consent is given, when authority is given in domestic law in the field of labor law, when protecting the important right of the principal or other person but being difficult to obtain the consent of the person, when the legal activities of the nonprofit organization, when the person himself / herself has been published or judicial need, when necessary for preventive medical treatment, and when it is regulated by domestic law for important public interests. In 2000, the "safe harbor principle" scheme was negotiated between Europe and the United States. It is that EU trading US companies declare that they take protective measures meeting the EU directive standards, and report it to the Ministry of Commerce, and register it in the Department's Safe Harbor list. Further if it is found not to be compliant, the FTC (Federal Trade Commission) will add sanctions as unfair trade. The contents of "Safe Harbor Principles" are: (1) Announcement: An organization (US company) announces a means to enable it to be restricted; (2) Selection: Provides opt-out means for disclosure and opt-in means for confidential information, (3) Data transfer: The transfer to a third party is accepted when it complies with the principles of announcement / selection, and when a third party is carrying out the same level of protection, (4) Security: Make necessary and appropriate management so as not to cause loss, misuse, unauthorized access, leakage, modification, or damage, (5) Data integrity: It is consistent with the purpose of use, it is reasonable to be reliable, accurate and complete, and that it is necessary to manage it properly so as not to cause misuse, unauthorized access, leakage, reform, (6) Access: The information must be held by the organization so that individuals can access and modify or delete. However, this is not the case when burden / cost is incompatible with risk or when the rights of others are infringed. (7) Implementation: Secure an independent complaint handling system to ensure compliance. It has the obligation to solve problems.
In 2005, the "Montreux Declaration" of the International Conference on Data Protection, Privacy Commissioner was issued and its 11 principles were presented. These are: ① principle of legal and fair data collection and handling, ② principle of accuracy, ③ principles of clarification and restriction of purpose, ④ principle of proportionality, ⑤ principles of transparency, ⑥ principle of guarantee of individual participation, especially access rights of stakeholders, ⑦ principle of indiscriminate, ⑧ principle of data security, ⑨ principle of responsibility, ⑩ principle of independent monitoring and legal sanctions, ⑪ principle of sufficient level of protection in international distribution of personal data.
5. WAY OF PERSONAL INFORMATION PROTECTION SYSTEM
As described above, a big global trend of protection of personal information is formed towards the information society, and the basic provisions necessary for personal information protection are almost covered within that trend. Finally, referring it, list the basic provisions of the personal information protection system to ensure thorough use and protection of personal information.
(1) When collecting personal information by an information gathering organization or information holding organization, unless collecting is forced legally, it must be collected in principle based on the consent of the principal and under clarifying the purpose and by lawful and fair means.
(2) Referring to collecting privacy information (such as information on health and personal life) and sensitive information (information on race, ethnicity, political opinion, religion, beliefs, etc.) by information gathering organizations and information holding organizations, it is strictly forbidden except carrying out by a public institution that is legally administrative or organizations legally authorized to handle it, or providing by principle.
(3) Information holding organizations have an obligation to disclose what kind of personal information they possess and the usage form to be kept up to date so that in principle anyone can know it. Cases where it is possible to keep secret the existence of retained information or the contents of information are necessary to be restricted and strictly specify it.
(4) When handling personal information, information holding organizations are prohibited from using outside purpose for clarification at the time of collection.
(5) Information holding organizations are prohibited in principle to provide their personal information to third parties unless they agree with them. Provided, however, that this shall not apply in cases where it is necessary to fulfill a legal obligation, or when it is necessary for securing the serious interests of individuals.
(6) When an information holding organization provides personal information to a third party, even if where information to be provide are public institutions such as police, public security or tax agencies, and even if information provision is provided that it is unnecessary for the consent of the principal to be carried out on the public interest or the execution of legal and administrative affairs, there is an obligation to inform the principal of facts that provided information and the contents of the information at least after the incident.
(7) Information holding organizations have an obligation to manage their holding personal information with responsibility. There is an obligation to compensate for damage caused by leakage.
(8) An individual can know the presence or absence of own personal information possessed by an information holding organization and can access and confirm the contents thereof.
(9) If an individual wishes to restrict the use of his / her own personal information owned by the information holding organization, he / she has means to realize it and can request correction / deletion of the personal information.
(10) Establish high expertise and practically effective monitoring and investigating institutions independently from government and local government agencies in order to monitor and investigate the legitimacy of personal information processing against collecting organizations and holding organizations of personal information originally or at the request of individuals.
(11) The monitoring / investigation institution shall make a judgment as to whether or not it is a proper process for personal information protection and accept consultations on judge appropriateness from individuals and information holding organizations so as to avoid excessive inappropriate protection of personal information and to make effective use of necessary personal information, and their judgments and decisions consider authoritative.