Page 1

About measures in case of leakage of personal data, etc.
(2017 Personal Information Protection Commission Notification No. 1)

The Personal Information Protection Commission has "Guidelines for the Law Concerning the Protection of Personal Information (General Rules)"
(2016 Personal Information Protection Commission Notification No. 6; hereinafter referred to as "General Guidelines") 2016
Announced on November 30, 2014.
In the general guidelines "4 Responses in the event of a leak, etc.", "Leakage"
From the viewpoint of prevention of secondary damage, prevention of similar cases, etc.
The measures that are desired to be taken by the business operator handling personal information will be determined separately. "
However, the relevant measures will be stipulated as follows.
Unless otherwise specified, the terms used in this notification shall be used in the general guidelines.
According to an example of terms.
In addition, in case of leakage of specific personal information, etc., regardless of this notification, "Business
About correspondence in case of leakage case of specific personal information in person "(2015 identification
According to Personal Information Protection Commission Notification No. 2).

1. 1. Target case

This notification is a case that falls under any of the following (1) to (3) (hereinafter referred to as "leakage, etc."
Say. ).

(1) Leakage of personal data (excluding those related to specific personal information) held by businesses handling personal information
Ei, loss or damage
(2) Information such as processing methods held by businesses handling personal information (Act Enforcement Regulations on the Protection of Personal Information)
Regulations (October 5, 2016 Personal Information Protection Commission Rule No. 3) Article 20 No. 1
Information such as processing methods, excluding information related to specific personal information. ) Leakage
(3) Risk of (1) or (2) above

2. 2. Measures to be taken when a case such as a leak is discovered

Businesses handling personal information should list the following (1) to (6) when a case such as leakage is discovered.
It is desirable to take necessary measures for the item.

1

Page 2

(1) Report within the business operator and prevent the spread of damage
Immediately report to the responsible person, and from the time when the damage caused by the leak etc. is discovered
Take necessary measures to prevent expansion.

(2) Investigation of facts and investigation of the cause
Take necessary measures to investigate the facts of cases such as leaks and investigate the cause.

(3) Identification of the range of influence
Identify the range of influence of the facts grasped in (2) above.

(4) Examination and implementation of recurrence prevention measures
Based on the result of (2) above, take necessary measures to consider and implement measures to prevent recurrence of cases such as leaks.
Take promptly.

(5) Contacting the person who may be affected, etc.
From the viewpoint of prevention of secondary damage, prevention of similar cases, etc., depending on the content of the case such as leakage
Promptly contact the person about the facts, etc., or put it in a state where the person can easily know.

(6) Publication of facts and measures to prevent recurrence
From the viewpoint of prevention of secondary damage, prevention of similar cases, etc., depending on the content of the case such as leakage
Promptly announce the facts and measures to prevent recurrence.

3. 3. Report to the Personal Information Protection Commission, etc.

When a personal information handling business operator discovers a case such as a leak, the facts and measures to prevent recurrence, etc.
We will endeavor to promptly report to the Personal Information Protection Commission, etc. as follows.

(1) Report method

As a general rule, report to the Personal Information Protection Commission. However, it is stipulated in Article 47, Paragraph 1 of the Law.
The business operator handling personal information, which is the target business operator of the certified personal information protection organization, is the certified personal information insurance company.
Report to the protection group.
Notwithstanding the above, personal information protection stipulated in Article 40, Paragraph 1 of the Law based on Article 44, Paragraph 1 of the Law
Individuals in the field where the authority of the committee (report collection and on-site inspection) is delegated to the minister in charge of the business.
The report destination of the information handling business operator will be announced separately (* 1).

2

Page 3

(* 1) Personal Information Protection Commission stipulated in Article 40, Paragraph 1 of the Law based on Article 44, Paragraph 1 of the Law
Details of the fields in which the authority of the company is delegated to the minister in charge of the business will also be announced separately.
It depends on where you are.

(2) When reporting is not required

If any of the following (1) or (2) applies, no report is required (* 2).

(* 2) In this case as well, investigation of facts, investigation of the cause, examination of recurrence prevention measures, and actual results
It is also desirable to implement each of the measures in 2. above, including the treatment.

(1) When it is judged that personal data or information such as processing method is not leaked to the outside
(* 3)

(* 3) In addition, "Personal data or information such as processing method is not leaked to the outside.
When it is determined that ", for example, the following cases are applicable.
・ Highly encrypted personal data related to cases such as leaks or information such as processing methods
When it is concealed
・ Personal data related to cases such as leaks or information such as processing methods should not be viewed by a third party.
If you collect everything in the meantime
・ A specific individual can be identified by personal data related to cases such as leaks or information such as processing methods.
When identification can only be done by the business operator who caused the incident such as leakage (just
However, only personal data related to cases such as leaks or information such as processing methods will damage the person.
Excludes cases where information that may cause information is leaked. )
・ Personal data or information such as processing methods will be lost or damaged, and will be leaked by a third party.
It is reasonably expected to view personal data related to such cases or information such as processing methods.
If you cannot measure

(2) In the case of minor cases such as incorrect transmission of fax or email, or incorrect delivery of luggage (* 4)

(* 4) For example, the following cases correspond to "minor things".
・ Of misdelivery of fax or e-mail, misdelivery of luggage, etc., address and sender name
When personal data or information such as processing method is not included other than

3

