Guidance for the Proper Handling of Personal Information in the National Health Insurance Association

April 14, 2017
Personal Information Protection Commission
Ministry of Health, Labor and Welfare

Table of contents

Ⅰ Aim, purpose, and basic concept of this guidance
1. Purpose of this guidance
2. Structure and basic concept of this guidance
3. Businesses subject to this guidance
4. Scope of "personal information" covered by this guidance
5. Relationship with the exercise of authority of the Personal Information Protection Commission, etc.
6. Ensuring transparency and external clarification of measures taken by the National Health Insurance Association
7. Clarification of responsibility system and establishment of contact points for insured persons, etc.
8. Handling of provision of personal information to bereaved families
9. Relationship with other laws and regulations
10. Efforts by an authorized personal information protection organization

Ⅱ Definition of terms
1. Personal information (Article 2, Paragraph 1 of the Act)
2. Personal identification code (Article 2, Paragraph 2 of the Act)
3. Personal information requiring consideration (Article 2, Paragraph 3 of the Act)
4. Specific personal information (Article 2, Paragraph 8 of the Number Act)
5. Anonymization of personal information
6. Anonymously processed information (Article 2, Paragraph 9 of the Act)
7. Personal information database, etc. (Article 2, Paragraph 4 of the Act), personal data (Article 2, Paragraph 6 of the Act), retained personal data (Article 2, Paragraph 7 of the Act)
8. Consent of the person

Ⅲ Obligations of the National Health Insurance Association
1. Identification of purpose of use, etc. (Articles 15 and 16 of the Act)
2. Notification of purpose of use, etc. (Article 18 of the Act)
3. Proper acquisition of personal information and ensuring the accuracy of personal data content (Articles 17 and 19 of the Act)
4. Safety management measures, supervision of employees and supervision of contractors (Articles 20 to 22 of the Act)
5. Provision of personal data to a third party (Article 23 of the Act)
6. Restrictions on provision to third parties in foreign countries (Article 24 of the Act)
7. Creation of records related to provision to a third party (Article 25 of the Act)
8. Confirmation when receiving provision from a third party (Article 26 of the Act)
9. Publication of matters related to retained personal data (Article 27 of the Act)
10. Disclosure of retained personal data upon request from the person (Article 28 of the Act)
11. Correction and suspension of use (Articles 29 and 30 of the Act)
12. Procedures and fees for responding to requests for disclosure, etc. (Articles 32 and 33 of the Act)
13. Explanation of reasons, prior request, handling of complaints (Articles 31, 34 to 35 of the Act)

Ⅳ Review of guidance, etc.
1. Review as necessary

Appendix 1 Examples of personal information held by the National Health Insurance Association
Appendix 2 Main purposes of use expected in the normal business of the National Health Insurance Association

Ⅰ Aim, purpose, and basic concept of this guidance
1. Purpose of this guidance
This guidance is based on the "Act on the Protection of Personal Information" (Act No. 57 of 2003; hereinafter referred to as the "Act") and the "Act on the Use of Numbers to Identify Specific Individuals in Administrative Procedures, etc." (Act No. 27 of 2013; hereinafter referred to as the "Number Act"). Building on the "Guidelines for the Law Concerning the Protection of Personal Information (General Rules)" (2016 Personal Information Protection Commission Notification No. 6; hereinafter referred to as the "general guidelines"), and based on the provisions of Articles 6 and 8 of the Act, it shows specific points to keep in mind and examples to support the activities of the National Health Insurance Association in ensuring the proper handling of personal information.

In addition, since this guidance is based on actual examples in the National Health Insurance Association, for matters not stated in this guidance and for related articles, please refer to the general guidelines, the "Guidelines for the Law Concerning the Protection of Personal Information (Provision to Third Parties in Foreign Countries)" (2016 Personal Information Protection Commission Notification No. 7), the "Guidelines for the Law Concerning the Protection of Personal Information (Obligation to Confirm and Record When Providing to a Third Party)" (2016 Personal Information Protection Commission Notification No. 8), and the "Guidelines for the Law Concerning the Protection of Personal Information (Anonymously Processed Information)" (2016 Personal Information Protection Commission Notification No. 9).

2. Structure and basic concept of this guidance
Regarding the handling of personal information, Article 3 of the Act states that "personal information should be handled carefully under the principle of respect for an individual's personality." Everyone who handles personal information must be fully aware of the nature and importance of personal information and handle it properly, regardless of its purpose or mode.

Because of the nature and usage of the personal information involved, the medical field is one of the fields in which, based on the provisions of Article 6 of the Act, it is necessary to ensure particularly proper and strict handling. Active efforts are therefore required of the National Health Insurance Association, which handles medical fee statements and dispensing fee statements related to insurance medical treatment (hereinafter referred to as "receipts").

Based on this, this guidance shows, as concretely as possible and in light of the purpose of the Act, the matters to be observed to ensure the proper handling of personal information in the National Health Insurance Association. The National Health Insurance Association needs to work on the proper handling of personal information based on the purpose of the Act, the "Basic Policy on the Protection of Personal Information" (Cabinet decision of April 2, 2004; hereinafter referred to as the "Basic Policy"), and this guidance.

Specifically, the National Health Insurance Association is required to comply strictly with the provisions of the Act for the items listed under [Matters to be observed pursuant to the provisions of the law] in this guidance and for matters phrased as "must do". Matters phrased as "must try" or "desirable" under [Other matters] are not obligations based on the Act, but the Association is required to try to achieve them.

3. Businesses subject to this guidance
The business operator covered by this guidance is the National Health Insurance Association.

Businesses that carry out operations entrusted by the National Health Insurance Association, such as input and inspection of receipts, creation of insured persons' cards, health checkups such as comprehensive medical examinations ("human dock"), and health guidance, are required to take appropriate safety management measures in line with Ⅲ 4. of this guidance. When entrusting its business, the National Health Insurance Association that carries out the entrustment should select as consignee a business operator that understands the purpose of this guidance and will take appropriate measures in line with it. It is also important to secure an effective supervisory system, including for cases of subcontracting, by clearly defining the respective responsibilities of the entrustor and the consignee in the consignment contract so that the consignee secures protection measures including the prevention of leakage of personal information. At the same time, it is necessary to take measures such as regularly checking the handling of personal information by contractors and confirming that proper operation is being carried out.

In addition, compliance with this guidance is requested in view of the fact that insured persons, who provide personal information and receive services, expect appropriate and smooth insurance benefits and health services (hereinafter referred to as "insurance benefits, etc."), and that the National Health Insurance Association needs to make its best efforts to deliver them.

4. Scope of "personal information" covered by this guidance
Under the Act, "personal information" is information about living individuals, and the obligations of businesses handling personal information are limited to information about living individuals.

If the National Health Insurance Association continues to keep the information of an insured person, etc. even after that person dies, it shall take safety management measures equivalent to those for personal information to prevent leakage, loss, or damage.

5. Relationship with the exercise of authority of the Personal Information Protection Commission, etc.
If the National Health Insurance Association does not comply with those contents described under [Matters to be observed pursuant to the provisions of the law] in this guidance that it is obliged to observe as a business operator handling personal information, the Personal Information Protection Commission may carry out "report collection", "on-site inspection", "guidance", "advice", "recommendation", and "order" based on the provisions of Articles 40 to 42 of the Act.

In addition, if the Personal Information Protection Commission delegates its authority under Article 40, Paragraph 1 of the Act to the minister in charge of the business based on the provisions of Article 44, Paragraph 1 of the Act, the Minister of Health, Labor and Welfare can carry out "report collection" and "on-site inspection".

Furthermore, Article 77 of the Act and Article 21 of the "Law Enforcement Ordinance on the Protection of Personal Information" (Cabinet Order No. 507 of December 10, 2003; hereinafter referred to as the "Cabinet Order") provide for the following case: where all or part of the affairs belonging to the authority related to report collection and on-site inspection (the authority of the Personal Information Protection Commission stipulated in Article 40, Paragraph 1 of the Act, and the authority delegated to the minister in charge of the business pursuant to Article 44, Paragraph 1 of the Act) for the business performed by the business operator handling personal information are, according to the provisions of other laws and regulations, to be carried out by the head of a local public body or another executive organ, the head of the local public body, etc. may collect reports and conduct on-site inspections based on the Act.

6. Ensuring transparency and external clarification of measures taken by the National Health Insurance Association
Article 3 of the Act states that personal information should be handled carefully under the principle of respect for the personality of individuals.

The National Health Insurance Association is required to formulate a declaration of its concept and policy regarding the protection of personal information (a so-called privacy policy, privacy statement, etc.) and clear and appropriate rules regarding the handling of personal information, and to publicize them externally. Also, if an insured person, etc. wishes to know how his or her personal information is handled, the Association shall take necessary measures such as promptly providing information based on the relevant rules.

As the content of the declaration of the concept and policy regarding the protection of personal information, it is conceivable to state that the National Health Insurance Association handles personal information under the principle of respect for the personality of individuals and complies with related laws and regulations, this guidance, etc. In the rules regarding the handling of personal information, it is conceivable to set out concretely an outline of the safety management measures for personal information, procedures such as disclosure to the person, the handling of provision to third parties, the response to complaints, and so on.

It should be noted that the purpose of publicizing the purpose of use, etc. is limited to the following.
(1) To obtain the insured's understanding of the significance of using personal information in the National Health Insurance Association.
(2) To make clear to the outside world the National Health Insurance Association's stance of complying with the Act and actively working to protect personal information.

7. Clarification of responsibility system and establishment of contact points for insured persons, etc.
The National Health Insurance Association needs to establish a system that promotes the proper handling of personal information and deals with problems such as leakage. For this reason, it shall establish an organizational system and responsibility system that has expertise and leadership regarding the handling of personal information and oversees the business operator as a whole, and shall build a system that can effectively formulate rules and plan and implement safety management measures.

In addition, when explaining the purpose of use of personal information to insured persons, it is necessary to give an easy-to-understand explanation according to the situation at the time use begins. It is also important to secure a contact point function that allows insured persons, etc. to inquire easily and at any time about anything they have doubts about. Further, it is necessary to establish a contact point function to handle consultations and complaints from insured persons regarding the handling of personal information, and to take measures from the standpoint of the insured, such as establishing a system in which that contact point cooperates organically with the consultation function regarding the provision of services.

In addition, when stipulating the method of accepting requests for disclosure, etc., the arrangement of contact point functions, and the explanation of the purpose of use of personal information, it is also necessary to give consideration to insured persons with disabilities.

8. Handling of provision of personal information to bereaved families
Based on the purpose of the OECD 8 principles, the Act covers information on living individuals and, in principle, requires the consent of the person when personal information is used for purposes other than the intended purpose or provided to a third party. As a general rule, information on the deceased is not subject to the Act and this guidance. However, when an insured person dies and the bereaved family asks to be provided with personal information such as medical fee statements, the National Health Insurance Association is required to give special consideration while fully respecting the insured person's will and honor during his or her lifetime. For this reason, personal information such as medical fee statements shall be provided to the bereaved family based on the guideline ("Disclosure of Medical Fee Statements, etc. to Insured Persons, etc." (March 31, 2005, No. 0331090)).

9. Relationship with other laws and regulations
When handling personal information, the National Health Insurance Association must comply not only with the Act, the Basic Policy, and the items shown in this guidance, but also with the provisions of other laws and regulations regarding the protection of personal information or confidentiality.

10. Efforts by an authorized personal information protection organization
Under Article 47 of the Act, corporations, etc. that carry out business aimed at ensuring the proper handling of personal information, etc. by businesses handling personal information, etc. can be certified by the Personal Information Protection Commission as authorized personal information protection organizations. Affiliated organizations that become authorized personal information protection organizations are expected to make active efforts in line with the purpose of the Act, such as promoting the dissemination of and education on personal information protection for the National Health Insurance Associations under their umbrella and opening a consultation desk for insured persons, etc. regarding the handling of personal information, etc.

Ⅱ Definition of terms
1. Personal information (Article 2, Paragraph 1 of the Act)
(Definition)
Article 2 of the Act. "Personal information" in this Act means information about a living individual that falls under any of the following items.
(i) Information that can identify a specific individual by the name, date of birth, or other descriptions, etc. contained in the information (meaning all matters (excluding personal identification codes) stated or recorded in documents, drawings, or electromagnetic records (meaning records made by an electromagnetic method (an electronic method, a magnetic method, or any other method that cannot be recognized by human perception; the same shall apply in item 2 of the next paragraph); the same applies in Article 18, Paragraph 2), or expressed by voice, action, or other methods; the same applies below) (including information that can be easily collated with other information and thereby identify a specific individual)
(ii) Information containing a personal identification code

"Personal information" is information about a living individual that can identify a specific individual by the name, date of birth, or other descriptions, etc. contained in the information (including information that can be easily collated with other information and thereby identify a specific individual), or that includes a personal identification code. "Personal information" is not limited to information that identifies an individual, such as name, gender, date of birth, and facial image. It covers all information that represents facts, judgments, and evaluations regarding attributes such as an individual's body, property, occupation, and title; information that has been made public and video and audio information are also included, and it does not matter whether or not the information is kept secret by encryption, etc.

In addition, for example, a receipt contains data from objective examinations of the insured person, together with the name of the injury or illness judged by the doctor and the medical practice performed. All of these are information about the individual insured person, but at the same time, from the point of view of the doctor who conducted the medical examination related to the receipt, they are also a record of the name of the injury or illness that he or she judged and the medical practice performed. Therefore, if a specific doctor can easily be identified from the medical institution name, or if the doctor's name is clearly stated on the receipt, the information can also be said to be information about the individual doctor. It should therefore be noted that some of the information described in receipts, etc. has a dual nature as personal information of both the insured person and the doctor.

In addition, where information about the deceased is at the same time information about surviving individuals such as the bereaved family, it is information about those living individuals.

This guidance covers personal information held by the National Health Insurance Association; information corresponds to personal information even if it is not organized in a database, etc. (see 7.).

See Appendix 1 for personal information held by the National Health Insurance Association.
* Information by which a specific individual can be identified from the written name, date of birth, and other descriptions corresponds to personal information.

2. Personal identification code (Article 2, Paragraph 2 of the Act)

(Definition)
Article 2 of the Act
2 In this Act, "personal identification code" means characters, numbers, symbols, or other codes specified by a Cabinet Order that fall under any of the following items.
(i) Characters, numbers, symbols, or other codes into which a characteristic of a part of the body of a specific individual has been converted for use in a computer, and which can identify that specific individual
(ii) Characters, numbers, symbols, or other codes that are assigned in connection with the use of services provided to individuals or the purchase of products sold to individuals, or that are stated on cards or other documents issued to individuals or recorded on them by an electromagnetic method, and that can identify a specific user, purchaser, or person receiving the issuance by being assigned, stated, or recorded so as to differ for each user, purchaser, or person receiving the issuance

Cabinet Order, Article 1. The characters, numbers, symbols, and other codes specified by the Cabinet Order under Article 2, Paragraph 2 of the Law Concerning the Protection of Personal Information (hereinafter referred to as the "Act") shall be as follows.
(i)-(ii) (omitted)
(iii) The basic pension number stipulated in Article 14 of the National Pension Act (Act No. 141 of 1959)
(iv)-(v) (omitted)
(vi) The personal number prescribed in Article 2, Paragraph 5 of the Act on the Use of Numbers for Identifying Specific Individuals in Administrative Procedures (Act No. 27 of 2013)
(vii) Characters, numbers, symbols, and other codes specified by the rules of the Personal Information Protection Commission that are stated on the following certificates so as to differ for each person who receives the issuance
(a) Insured person's certificate under Article 9, Paragraph 2 of the National Health Insurance Act (Act No. 192 of 1958)
(b) Insured person's certificate under Article 54, Paragraph 3 of the Law Concerning Ensuring Medical Care for the Elderly (Law No. 80 of 1982)
(c) Insured person's certificate under Article 12, Paragraph 3 of the Long-Term Care Insurance Act (Act No. 123 of 1997)
(viii) Other characters, numbers, symbols, and other codes specified by the rules of the Personal Information Protection Commission as equivalent to the preceding items

Rules, Article 3. The characters, numbers, symbols, and other codes specified by the rules of the Personal Information Protection Commission under Article 1, Item 7 of the Cabinet Order shall be those specified in each of the following items for each certificate.
(i) Certificate listed in Article 1, Item 7 (a) of the Cabinet Order: the symbol, number, and insurer number of the certificate listed in (a) of the same item
(ii) Certificates listed in Article 1, Item 7 (b) and (c) of the Cabinet Order
and insurer number

Rules, Article 4. The characters, numbers, symbols, and other codes specified by the rules of the Personal Information Protection Commission under Article 1, Item 8 of the Cabinet Order shall be as listed below.
(i) The symbol, number, and insurer number of the insured person's certificate under Article 47, Paragraph 2 of the Health Insurance Law Enforcement Regulations (Ministry of Interior Ordinance No. 36 of 1918)
(ii) The symbol, number, and insurer number of the elderly beneficiary certificate set forth in Article 52, Paragraph 1 of the Health Insurance Law Enforcement Regulations
(iii)-(ix) (omitted)
(x) The symbol, number, and insurer number of the elderly beneficiary certificate prescribed in Article 7-4, Paragraph 1 of the National Health Insurance Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 53 of 1958)
(xi)-(xx) (omitted)

A "personal identification code" is a character, number, symbol, or other code stipulated in the Law Enforcement Ordinance on the Protection of Personal Information (Cabinet Order No. 507 of 2003; hereinafter referred to as the "Cabinet Order") as one that can identify a specific individual from that information alone. Information that includes a code corresponding to it is personal information.

The specific contents are stipulated in Article 1 of the Cabinet Order and Articles 2 to 4 of the Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection Commission Rule No. 3; hereinafter referred to as the "Rules"). As for those related to the National Health Insurance Act (Act No. 192 of 1958), the symbols, numbers, and insurer numbers of the insured person's certificate and the elderly beneficiary certificate are applicable. Therefore, information including all of the symbol, number, and insurer number is personal information.

3. 3. Personal information requiring consideration (Article 2, Paragraph 3 of the Law)

(Definition)
Article 2 of the law
3 In this law, "sensitive personal information" means the person's race, beliefs, social status, medical history, etc.
Criminal history, facts of being harmed by a crime, or other unfair discrimination against the person, prejudice, etc.
It is stipulated by a Cabinet Order that special consideration should be given to its handling so as not to cause any disadvantages.
Personal information that includes descriptions, etc.
Article 2 of the Ordinance The description, etc. specified by the Cabinet Order under Article 2, Paragraph 3 of the Act contains any of the following matters.
(Excluding those that correspond to the medical history or criminal history of the person).
(I) Physical disability, intellectual disability, mental disability (including developmental disability) and other personal information protection commissions
There is a physical or mental disability specified in the rules.
(Ii) A person who engages in medical-related duties such as a doctor for the person (in the next issue, "Doctor"
Etc. " ) Health checkups and other tests for prevention and early detection of illness
Results of inspection (referred to as "health diagnosis, etc." in the same issue)
(Iii) Based on the results of a medical examination, etc., or because of illness, injury, or other physical or mental changes.
Guidance, medical treatment, or dispensing for improving the physical and mental condition of the person by a doctor, etc.
What was done.
(Iv) Arrest, search, seizure, detention, prosecution, etc.

7

Page 12

The procedure for the criminal case was carried out.
(V) The juvenile or the juvenile stipulated in Article 3, Paragraph 1 of the Juvenile Law (Law No. 168 of 1948)
As a suspected person, investigation, guardianship measures, referees, protective measures and other juvenile protection matters
The procedure for the matter has been carried out.

Article 5 of the Regulations: The disorders of mental and physical functions specified by the rules of the Personal Information Protection Commission under Article 2, Item 1 of the Ordinance shall be the following disorders.
(i) Physical disabilities listed in the attached table of the Welfare Law for Persons with Disabilities (Law No. 283 of 1945)
(ii) Intellectual disabilities referred to in the Welfare Law for Persons with Intellectual Disabilities (Law No. 37 of 1960)
(iii) Mental disorders referred to in the Act on Mental Health and Welfare for Persons with Mental Illness (Act No. 123 of 1950) (including developmental disabilities prescribed in Article 2, Paragraph 2 of the Developmental Disability Support Act (Act No. 167 of 2004), and excluding those listed in the previous item)
(iv) Disorders in which the degree of disability caused by a disease for which treatment methods have not been established, or by another special disease, specified by the Cabinet Order under Article 4, Paragraph 1 of the Act for Comprehensive Support for the Daily and Social Lives of Persons with Disabilities (Act No. 123 of 2005), is the degree specified by the Minister of Health, Labor and Welfare in the same paragraph

"Personal information requiring consideration" is personal information that includes descriptions, etc. specified in Article 2, Paragraph 3 of the Law, Article 2 of the Cabinet Order and Article 5 of the Regulations as requiring special consideration in handling so as not to cause unfair discrimination, prejudice or other disadvantage to the person. Examples of information held by the National Health Insurance Association that is expected to correspond to sensitive personal information are the medical history stated on receipts, the fact that the person was harmed by a crime, facts of disabilities (physical disability, intellectual disability, mental disability, etc.) confirmed from reports, the results of medical examinations, and the fact that measures after a medical examination (improvement guidance or medical treatment by a doctor, dispensing) were taken.
As a general rule, the consent of the person is required to acquire sensitive personal information and to provide it to a third party. As a method of obtaining the consent of the person, it is possible to use the idea of "implicit consent": the scope of use of personal information that is normally considered necessary for insurance benefits to the insured is clarified by posting it on the website, etc., and unless the insured clearly expresses opposition or reservation, consent to the use of personal information within this scope is assumed to have been obtained. (Refer to III5. (3) for details)
On the other hand, for sensitive personal information, the method of providing it to a third party without obtaining the consent of the person by meeting certain conditions under Article 23, Paragraph 2 of the Law (third-party provision by opt-out) is not allowed.
In addition, the National Health Insurance Association is not usually expected to acquire personal information for the purpose of providing it to a third party.
[Points of sensitive personal information]
When acquiring sensitive personal information, the consent of the person is required. (See III.3)

4. Specific personal information (Article 2, Paragraph 8 of the Number Act)

Article 2 of the Number Act
8 In this Act, "specific personal information" means personal information that includes in its content an individual number (including numbers, symbols and other codes, other than resident's card codes, that correspond to an individual number and are used in place of that individual number; the same shall apply hereinafter except for Article 7, paragraphs 1 and 2, Article 8 and Article 48, and Supplementary Provisions Article 3, paragraphs 1 to 3 and paragraph 5).

"Specific personal information" refers to personal information that includes the personal number specified in the Number Act. It should be noted that specific personal information is subject not only to the Number Act but also, as personal information, to the Law.
For the specific handling of "specific personal information", see the "Guidelines for the Proper Handling of Specific Personal Information (Business Operators)" (December 11, 2014, Personal Information Protection Commission) and the "Digital PMO for Health Insurers" site.
5. Anonymization of personal information
Anonymization refers to making it impossible to identify a specific individual by removing from personal information the name, date of birth, address, personal identification code and other information that identifies the person. For facial photographs, masking the area around the eyes is generally considered to make it impossible to identify a specific individual. Where necessary, a code or number unrelated to the person is sometimes attached.
Even if such processing is performed, when the information is used within the National Health Insurance Association, a specific insured person may be identifiable by matching it against other information obtained within the Association or against the correspondence table between the code or number attached at the time of anonymization and the personal information. Under the Law, information that "can be easily matched with other information, thereby identifying a specific individual" is also included in personal information, so when anonymizing it is necessary to take into account the purpose of use of the information, its users, etc., and also to consider measures such as obtaining the consent of the person.
In addition, when the results of a specific insured person's medical examination or cases of health guidance are introduced in group health guidance or published in the National Health Insurance Association's bulletin, the information is expected to be anonymized by erasing the name, date of birth, address, personal identification code, etc.; however, where sufficient anonymization of the medical examination results or health guidance cases is difficult, the consent of the person must be obtained.
Note also that the definition and handling rules for anonymizing a specific insured person's medical examination results, etc. used for such introductions in group health guidance differ from those for anonymously processed information (see II6.), so care is required.
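The matching risk described in this section, as an added Python example that is not part of the guidance: records are stripped of direct identifiers and given an unrelated code, then checked for whether they can still be linked to a person through the correspondence table or through other information held in the same organization. All records, field names and function names are constructed for illustration.

```python
import secrets

# Fields removed at anonymization (name, date of birth, address, identifier)
DIRECT_IDENTIFIERS = ("name", "birth_date", "address", "insured_no")
# Fields that remain in the extract and may also exist in other internal records
QUASI_IDENTIFIERS = ("sex", "age_band", "exam_date")

# Constructed sample records (not real data)
MEMBERS = [
    {"name": "Member A", "birth_date": "1955-03-14", "address": "1-2-3 Example Town",
     "insured_no": "X-0001", "sex": "F", "age_band": "60-64",
     "exam_date": "2017-05-10", "result": "blood pressure above threshold"},
    {"name": "Member B", "birth_date": "1975-08-01", "address": "4-5-6 Example Town",
     "insured_no": "X-0002", "sex": "M", "age_band": "40-44",
     "exam_date": "2017-05-10", "result": "no findings"},
    {"name": "Member C", "birth_date": "1974-11-20", "address": "7-8-9 Example Town",
     "insured_no": "X-0003", "sex": "M", "age_band": "40-44",
     "exam_date": "2017-05-11", "result": "follow-up advised"},
    {"name": "Member D", "birth_date": "1976-02-02", "address": "10-11 Example Town",
     "insured_no": "X-0004", "sex": "M", "age_band": "40-44",
     "exam_date": "2017-05-11", "result": "no findings"},
]

# "Other information obtained" inside the same organization: a constructed
# appointment ledger that was never anonymized.
APPOINTMENT_LEDGER = [
    {k: m[k] for k in ("name",) + QUASI_IDENTIFIERS} for m in MEMBERS
]


def anonymize(records):
    """Drop direct identifiers and attach a random code unrelated to the person.

    Returns (rows, table): the anonymized rows and the correspondence table
    that maps each code back to the removed identifiers.
    """
    rows, table = [], {}
    for rec in records:
        code = secrets.token_hex(8)  # random, carries no information about the person
        table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["code"] = code
        rows.append(row)
    return rows, table


def link_by_table(rows, table):
    """Names recoverable by anyone who holds the correspondence table."""
    return {r["code"]: table[r["code"]]["name"] for r in rows if r["code"] in table}


def link_by_other_info(rows, other_records, keys=QUASI_IDENTIFIERS):
    """Names recoverable by matching remaining attributes against other records.

    Only an exact match to a single person counts as identification.
    """
    linked = {}
    for r in rows:
        candidates = [o for o in other_records if all(o[k] == r[k] for k in keys)]
        if len(candidates) == 1:
            linked[r["code"]] = candidates[0]["name"]
    return linked


def linkage_report(rows, table, other_records):
    """Summarize how many rows are still linkable, and by which route."""
    by_table = link_by_table(rows, table)
    by_other = link_by_other_info(rows, other_records)
    linked_codes = set(by_table) | set(by_other)
    return {
        "rows": len(rows),
        "linkable_via_table": len(by_table),
        "linkable_via_other_info": len(by_other),
        "not_linkable": sum(1 for r in rows if r["code"] not in linked_codes),
    }


if __name__ == "__main__":
    rows, table = anonymize(MEMBERS)
    # Inside the organization: table and ledger are both available.
    print("internal use :", linkage_report(rows, table, APPOINTMENT_LEDGER))
    # A reader of a bulletin holds neither the table nor the ledger.
    print("bulletin view:", linkage_report(rows, {}, []))
```

Run against a real extract, a non-zero count on either route means the rows can still be matched to a specific insured person inside the organization, which is the situation this section says must be considered before use.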

6. Anonymously processed information (Article 2, Paragraph 9 of the Law)

(Definition)
Article 2 of the law
9 In this Law, "anonymously processed information" means information about an individual obtained by processing personal information so that a specific individual cannot be identified, by taking the measures specified in each of the following items according to the classification of personal information listed in that item, and from which the personal information cannot be restored.
(i) Personal information corresponding to paragraph (1), item (i): deleting some of the descriptions, etc. contained in the personal information (including replacing those descriptions, etc. with other descriptions, etc. by a method that has no regularity allowing them to be restored).
(ii) Personal information corresponding to paragraph (1), item (ii): deleting all personal identification codes contained in the personal information (including replacing those personal identification codes with other descriptions, etc. by a method that has no regularity allowing them to be restored).

"Anonymously processed information" means information about an individual obtained by processing personal information, through measures determined according to the classification of personal information, so that a specific individual cannot be identified, and made so that the personal information cannot be restored and the specific individual cannot be re-identified.
[Points of anonymously processed information]
When creating anonymously processed information from personal information, it must be processed according to the standards stipulated in the rules, and it is subject to certain restrictions. For details, see the "Guidelines on the Act on the Protection of Personal Information (Anonymously Processed Information)" (2016 Personal Information Protection Commission Notification No. 9).
Businesses handling anonymously processed information (related to Article 2, Paragraph 10 of the Law)
For the definition of an anonymously processed information handling business operator, see the separately defined "Guidelines on the Act on the Protection of Personal Information (Anonymously Processed Information)" (2016 Personal Information Protection Commission Notification No. 9).
(reference)
(Definition)
Article 2 of the law
10 In this Act, "anonymously processed information handling business operator" means a person who uses for business purposes an aggregate of information containing anonymously processed information that is systematically configured so that specific anonymously processed information can be searched using a computer, or that is otherwise specified by a Cabinet Order as being systematically configured so that specific anonymously processed information can be easily searched (referred to as "anonymously processed information database, etc." in Article 36, paragraph 1). However, the persons listed in each item of paragraph 5 are excluded.

Article 6 of the Ordinance: What is specified by the Cabinet Order under Article 2, Paragraph 10 of the Act means a collection of information that is systematically organized, by arranging the anonymously processed information it contains according to certain rules, so that specific anonymously processed information can be easily searched, and that has a table of contents, index or other aid to facilitate searching.

7. Personal information database, etc. (Article 2, Paragraph 4 of the Act), personal data (Article 2, Paragraph 6 of the Act), retained personal data (Article 2, Paragraph 7 of the Law)

(Definition)
Article 2 of the law
4 In this Law, "personal information database, etc." means a collection of information including personal information that falls under the following items (excluding those specified by Cabinet Order as having little risk of harming the rights and interests of individuals in view of how they are used).
(i) Those systematically configured so that specific personal information can be searched using a computer
(ii) In addition to those listed in the previous item, those specified by a Cabinet Order as being systematically configured so that specific personal information can be easily searched

Article 3 of the Ordinance: Those specified by Cabinet Order under Article 2, Paragraph 4 of the Act as having little risk of harming the rights and interests of individuals in view of how they are used shall fall under any of the following items.
(i) It was issued for the purpose of sale to an unspecified number of people, and its issuance was not in violation of the Law or the provisions of an order based on the Law.
(ii) It can be, or could have been, purchased at any time by an unspecified number of people.
(iii) It is used for its original purpose without adding other information about living individuals.
2 What is specified by a Cabinet Order under Article 2, Paragraph 4, Item 2 of the Act is a collection of information that is systematically organized, by arranging the personal information it contains according to certain rules, so that specific personal information can be easily searched, and that has a table of contents, index or other aid to facilitate searching.

"Personal information database, etc." means a collection of information including personal information that is systematically structured so that specific personal information can be searched using a computer, or, even where no computer is used, personal information processed on paper that is organized and classified according to certain rules (for example, the order of the Japanese syllabary, date of birth, etc.) and given a table of contents, index, code, etc. so that specific personal information can be easily searched, leaving it in a state where it can also be easily searched by others.

(Definition)
Article 2 of the law
6 In this Law, "personal data" means personal information that constitutes a personal information database, etc.

"Personal data" refers to personal information that constitutes a "personal information database, etc."

(Definition)
Article 2 of the law
7 In this Law, "retained personal data" means personal data for which the business operator handling personal information has the authority to disclose, correct, add or delete content, suspend use, erase, and suspend provision to third parties, other than data specified by Cabinet Order as being detrimental to the public interest or other interests if its existence or nonexistence is made known, and data that will be erased within the period specified by Cabinet Order.
Article 4 of the Ordinance: The items specified by Cabinet Order under Article 2, Paragraph 7 of the Act shall be as follows.
(i) Data for which making known the existence or nonexistence of the personal data could harm the life, body or property of the person or a third party
(ii) Data for which making known the existence or nonexistence of the personal data could promote or induce illegal or unjust acts
(iii) Data for which making known the existence or nonexistence of the personal data could impair the security of the country, damage the relationship of trust with other countries or international organizations, or cause disadvantage in negotiations with other countries or international organizations
(iv) Data for which making known the existence or nonexistence of the personal data could interfere with the prevention, suppression or investigation of crime or otherwise with the maintenance of public safety and order
Article 5 of the Ordinance: The period specified by a Cabinet Order under Article 2, Paragraph 7 of the Act shall be six months.

"Retained personal data" is personal data for which the business operator handling personal information has the authority to disclose, correct, add or delete content, suspend use, erase, and suspend provision to third parties. However, (1) data for which making known its existence or nonexistence would harm the public interest or other interests, and (2) data that will be deleted within 6 months (excluding renewal) are excluded.
Receipts, medical examination results, health guidance records, etc. correspond to a personal database, etc. regardless of the medium.

8. Consent of the person
"Consent of the person" means a manifestation of the person's intention to agree to his or her personal information being handled by the method indicated by the business operator handling personal information (on the premise that it can be confirmed that the person is the person concerned).
In addition, "obtaining the consent of the person" means that the business operator handling personal information recognizes the person's manifestation of intention to consent. Depending on the nature of the business and how the personal information is handled, a reasonable and appropriate method considered necessary for the person to make a judgment regarding consent must be used.
In addition, where a minor, adult ward, person under curatorship or person under assistance does not have the ability to judge the results of consenting to the handling of personal information, consent must be obtained from a person with parental authority or a legal representative.
[Cases in which the consent of the person is obtained]
Case 1) Oral manifestation of consent from the person
Case 2) Receipt of a written consent (including electromagnetic records) from the person
Case 3) Receipt of an email from the person to the effect that he / she agrees
Case 4) The person checks a confirmation box to the effect that he / she agrees
Case 5) The person clicks a button on the homepage to the effect that he / she agrees
Case 6) Input by the person to the effect that he / she agrees, by voice input, touching a touch panel, buttons, switches, etc.
In principle, the Law requires the consent of the person for use of personal information beyond the purpose of use and for provision to a third party. This reflects the use limitation principle, one of the eight OECD principles that form the basis of the Law. However, where the National Health Insurance Association clarifies the scope of use of personal information that is normally considered necessary for providing appropriate insurance benefits to the insured, by posting it on the National Health Insurance Association website, distributing pamphlets, posting or keeping it at bulletin boards, public notice, etc., then for uses within that scope that benefit the insured, or that, like notification of medical expenses, would impose an enormous burden on the National Health Insurance Association and are not necessarily reasonable for the insured, consent to the use of personal information within this scope is considered to have been obtained unless the insured clearly expresses opposition or reservation. (See III5. (3) (4))
In these cases, it is important to notify the insured and others as far as possible, in accordance with the insured's understanding and judgment, and to try to obtain their consent.
[About the consent of the person for sensitive personal information]
When the National Health Insurance Association properly acquires sensitive personal information directly from the person in writing, verbally, etc., the fact that the person provided the information is understood to mean that the person consented to the business operator handling personal information acquiring it.

Ⅲ Obligations of National Health Insurance Association, etc.
1. Identification of purpose of use, etc. (Articles 15 and 16 of the Act)
(Specification of purpose of use)
Article 15 of the Act: When handling personal information, a business operator handling personal information must specify the purpose of its use (hereinafter referred to as "purpose of use") as much as possible.
2 When changing the purpose of use, a business operator handling personal information must not go beyond the scope reasonably recognized as related to the purpose of use before the change.
(Restrictions depending on the purpose of use)
Article 16 of the Act: A business operator handling personal information must not, without obtaining the consent of the person in advance, handle personal information beyond the scope necessary to achieve the purpose of use specified under the preceding Article.
2 Where a business operator handling personal information has acquired personal information in connection with succeeding to the business of another business operator handling personal information through a merger or other reasons, it must not, without obtaining the consent of the person in advance, handle that personal information beyond the scope necessary to achieve the purpose of use of the personal information before the succession.
3 The provisions of the preceding two paragraphs shall not apply in the following cases.
(i) When required by law
(ii) When it is necessary to protect the life, body or property of a person and it is difficult to obtain the consent of the person.
(iii) When it is particularly necessary to improve public health or promote the sound development of children and it is difficult to obtain the consent of the person.
(iv) When it is necessary to cooperate with a national institution or local public body, or a person entrusted by one, in carrying out affairs stipulated by laws and regulations, and obtaining the consent of the person is likely to hinder the performance of those affairs.
(1) Identification and restriction of purpose of use
When the National Health Insurance Association obtains personal information from an insured person who wishes to receive insurance benefits, etc., it is considered clear to the insured that the information will be used for the provision of insurance benefits, etc. to the insured, for the Association's office work related to insurance benefits, etc., and for use of the personal number based on the Number Act.
Use of personal information for purposes other than these is not necessarily obvious to the insured. In this case, measures such as publicly announcing the purpose of use must be taken when acquiring personal information. (See III2.)
The purposes of use in the normal business of the National Health Insurance Association are illustrated in Appendix 2. Using these as a reference, the Association must identify and publish those that are normally needed in light of its own business. (See III2.)
When the purpose of use is changed under Article 15, Paragraph 2 of the Act with respect to the scope of the purposes of use listed in Attached Table 2, the changed purpose of use must be notified to the person or announced. (See III2.)

(2) Exceptions to restrictions depending on the purpose of use
The National Health Insurance Association must not, without obtaining the consent of the person in advance, handle personal information beyond the scope necessary to achieve the purpose of use specified under Article 15 of the Act (Article 16, Paragraph 1 of the Law), but in the cases listed in Paragraph 3 of the same Article it is not necessary to obtain the consent of the person. Specific examples are as follows.
① When required by law
When personal information is used based on laws and regulations, such as the collection of reports based on Article 106 of the National Health Insurance Law.
Provisions of laws and regulations that generally serve as such a basis include Article 218 of the Code of Criminal Procedure (investigation by warrant) and Article 72-63 of the Local Tax Law (right of inquiry and inspection in investigations on individual business tax; the various tax laws have similar provisions).
Since responding under these laws and regulations is obligatory, the National Health Insurance Association is obliged to answer when it is subject to such an investigation, etc.
In addition, Article 197, Paragraph 2 of the Code of Criminal Procedure (inquiries necessary for investigation), etc. fall within the exception provisions of the Law, but under the relevant law they are treated as voluntary cooperation, so when the National Health Insurance Association receives such an inquiry it must judge whether or not to answer for each individual case. In this case, handling personal information without the consent of the person is not a violation of Article 16 of the Act, but there is a risk that the person concerned may claim damages based on the Civil Code.
② When it is necessary to protect the life, body or property of a person and it is difficult to obtain the consent of the person
(Example)
・ When providing a medical institution with information such as family contact details for an insured person who has become unconscious
③ When it is particularly necessary to improve public health or promote the sound development of children and it is difficult to obtain the consent of the person
(Example)
・ When information obtained from health examinations and cancer examinations is provided to researchers with personal names concealed, for epidemiological investigations and research
・ When handling personal information in order to provide the national government, local governments, third parties, etc. with information on medical accidents, etc. that occurred at medical institutions that submit receipts to the National Health Insurance Association, in order to improve medical safety
④ When it is necessary to cooperate with a national institution, a local public body, or a person entrusted by one in carrying out affairs stipulated by laws and regulations, and obtaining the consent of the person concerned is likely to hinder the performance of those affairs
(Example)
・ When the business operator handles personal information at the request of the police
・ When handling personal information in general statistical surveys and statistical surveys conducted by local governments
[Matters to be observed according to the provisions of the law]
・ When handling personal information, the National Health Insurance Association must specify the purpose of use as much as possible.
・ When changing the purpose of use, the National Health Insurance Association must not go beyond the scope reasonably recognized as related to the purpose of use before the change.
・ The National Health Insurance Association must not, without obtaining the consent of the person in advance, handle personal information beyond the scope necessary to achieve the specified purpose of use. In addition, using personal information in order to obtain the consent of the person (for example, calling the insured using the insured's contact information to obtain consent) and processing personal information in order to anonymize it are permissible.
・ Where the consent of the person was obtained when the personal information was acquired but the person later asks to revoke consent for part of the purpose of use, personal information is thereafter handled only within the scope for which the consent of the person has not been revoked.
・ When the National Health Insurance Association has acquired personal information by succeeding to the business of another business operator through a merger or other reasons, it must not, without obtaining the consent of the person in advance, handle that personal information beyond the scope necessary to achieve the purpose of use of the personal information before the succession.
・ Where an exception to the restrictions on the purpose of use applies (Article 16, Paragraph 3 of the Law), personal information can be handled without obtaining the consent of the person.
(Refer to III2. for the handling when changing the purpose of use)
[Other matters]
・ Even where personal information is handled for a purpose other than the purpose of use on the basis of law, which is an exception to the restriction on the purpose of use, the scope of handling must be limited to what is truly necessary in light of the purpose of the relevant law, etc.
・ If the insured person is a minor, etc., it is sufficient to obtain the consent of a legal representative, but a certain judgment
For minors with abilities, obtain the consent of the legal representative, etc.
To

2. Notification of purpose of use, etc. (Article 18 of the Act)

(Notification of purpose of use at the time of acquisition, etc.)
Article 18 of the Act: When a business operator handling personal information has acquired personal information, it must promptly notify the person of the purpose of use or announce it publicly, except where it has announced the purpose of use in advance.
2 Notwithstanding the provisions of the preceding paragraph, when a business operator handling personal information acquires personal information of a person that is stated in a contract or other document (including electromagnetic records; the same shall apply hereinafter in this section) in connection with concluding a contract with the person, or otherwise acquires personal information of a person that is stated in a document directly from the person, it must clearly indicate the purpose of use to the person in advance. However, this does not apply where there is an urgent need to protect human life, body or property.
3 When a business operator handling personal information changes the purpose of use, it must notify the person of the changed purpose of use or announce it publicly.
4 The provisions of the preceding three paragraphs shall not apply in the following cases.
(i) When notifying the person of the purpose of use or announcing it is likely to harm the life, body, property or other rights and interests of the person or a third party
(ii) When notifying the person of the purpose of use or announcing it is likely to harm the rights or legitimate interests of the business operator handling personal information
(iii) When it is necessary to cooperate with a national institution or local public body in carrying out affairs stipulated by law, and notifying the person of the purpose of use or announcing it is likely to hinder the performance of those affairs.
(iv) When it is recognized that the purpose of use is clear from the circumstances of acquisition

[Matters to be observed according to the provisions of the law]
・ When the National Health Insurance Association has acquired personal information, it must promptly notify the person of the purpose of use or announce it publicly, except where it has announced the purpose of use in advance.
・ As methods of announcing the purpose of use, it must be made public as widely as possible by posting on the National Health Insurance Association website, distributing pamphlets, posting or keeping it at bulletin boards, public notices, etc.
・ When the National Health Insurance Association acquires personal information written in a document directly from the person, such as when asking the person to fill in a questionnaire on accepting an application for a medical examination, it must clearly indicate the purpose of use to the person in advance by posting on a bulletin board or the like.
・ If the purpose of use is changed, the National Health Insurance Association must notify the person of the changed purpose of use or announce it publicly.
・ Where an exception to notification of the purpose of use, etc. applies, such as when it is recognized that the purpose of use is clear from the circumstances of acquisition, the above does not apply. (For cases where "the purpose of use is clear", refer to Ⅲ1. (1))
[Other matters]
・ From the viewpoint of indicating the purpose of use to the insured in an easy-to-understand manner, even a purpose of use that falls under the exception in this provision, "when it is recognized that the purpose of use is clear from the circumstances of acquisition", is also stated when the purposes of use are announced.
・ If the insured wishes, a detailed explanation is given and a document describing the contents is issued.

3. Proper acquisition of personal information and ensuring the accuracy of personal data content (Articles 17 and 19 of the Act)

(Proper acquisition)
Article 17 of the Act: A business operator handling personal information must not acquire personal information by deception or other improper means.
2 A business operator handling personal information must not acquire sensitive personal information without obtaining the consent of the person in advance, except in the following cases.
(i) When required by law
(ii) When it is necessary to protect the life, body or property of a person and it is difficult to obtain the consent of the person
(iii) When there is a particular need for improving public health or for the sound development of children and it is difficult to obtain the consent of the person
(iv) When it is necessary to cooperate with a national institution or local public body, or a person entrusted by one, in carrying out affairs stipulated by laws and regulations, and obtaining the consent of the person is likely to hinder the performance of those affairs.
(v) When the personal information requiring consideration has been made public by the person, a national institution, a local public body, a person listed in any item of Article 76, paragraph 1, or another person specified by the rules of the Personal Information Protection Commission
(vi) Other cases specified by Cabinet Order as equivalent to the cases listed in the preceding items
Article 6 of the Rules: The persons specified by the rules of the Personal Information Protection Commission under Article 17, Paragraph 2, Item 5 of the Act shall be those who fall under any of the following items.
(i) Foreign governments, foreign government agencies, foreign local governments or international organizations
(ii) A person in a foreign country equivalent to a person listed in each item of Article 76, paragraph 1 of the Act.
Article 7 of the Ordinance: The cases specified by a Cabinet Order under Article 17, Paragraph 2, Item 6 of the Act shall be the following cases.
(i) When acquiring personal information requiring consideration that is apparent from appearance by visually observing or photographing the person
(ii) When receiving personal information requiring consideration that is personal data, in the cases listed in each item of Article 23, Paragraph 5 of the Act.

(Ensuring the accuracy of data contents, etc.)
Article 19 of the Act A business operator handling personal information must endeavor, to the extent necessary to achieve the purpose of use, to keep personal data accurate and up to date and, when it is no longer necessary to use it, to erase the personal data without delay.

[Matters to be observed according to the provisions of the law]
・ The National Health Insurance Association must not acquire personal information by deception or other fraudulent means.
・ As a rule, past medical history, etc. necessary for health guidance, etc. is acquired, for the range that is truly necessary, directly from the person or from a party that has obtained the consent of the person regarding provision to a third party (including parties considered to have obtained the implied consent of the person under III 5. (3)). However, this does not apply when obtaining it from a family member or other party besides the person, without obtaining the consent of the person, is unavoidable for health guidance.
・ Family personal information must not be obtained from a child who does not have sufficient judgment without the consent of the parent.
・ When acquiring sensitive personal information, the consent of the person must be obtained in advance. However, in the cases stipulated in each item of Article 17, Paragraph 2 of the Law, it is not necessary to obtain the consent of the person.
(Example)
・ When a sudden illness or other situation occurs and a doctor or nurse of the National Health Insurance Association hears the medical history of the person from the family, this is considered to fall under Article 17, Paragraph 2, Item 2 of the Law.
・ When a business operator acquires personal information corresponding to sensitive personal information in order to submit it at the request of the police, this may fall under Article 17, Paragraph 2, Item 4 of the Law.
・ In addition, it is not necessary to obtain the consent of the person in advance when acquiring sensitive personal information through entrustment, business succession or shared use as stipulated in each item of Article 23, Paragraph 5 of the Act.

[Cases that violate Article 17, Paragraph 2 of the Law]
Acquiring, without obtaining the consent of the person, information on the person's beliefs, criminal history, etc. from information published on the Internet by a party other than those specified in Article 17, Paragraph 2, Item 5 of the Law and Article 6 of the Regulations, and registering it in one's own database, etc. as part of the information already held about the person.

・ The National Health Insurance Association must strive to keep personal data accurate and up to date within the scope necessary to achieve the purpose of use, such as providing appropriate insurance benefits.

・ When the National Health Insurance Association no longer needs to use the personal data it holds, that is, when the purpose of use has been achieved and there is no longer a reasonable reason to retain the personal data in relation to that purpose, or when the purpose of use has not been achieved but the business on which it was premised has itself been canceled, it must endeavor to erase the personal data without delay (*). However, this does not apply where a storage period, etc. is set by laws and regulations.
(*) "Erasure of personal data" means making the personal data unusable as personal data. In addition to deleting the data, it includes making it impossible to identify a specific individual from the data.
[Other matters]
・ When personal information is obtained from another National Health Insurance Association through provision to a third party and there is doubt about its content, ask the person about the facts described.
・ To ensure the accuracy and up-to-dateness of the contents of personal data, it is desirable for the National Health Insurance Association to formulate specific rules in the committee, etc. shown in (2) ② and to hold training for the purpose of improving the technical level of data management, etc.
・ When acquiring personal information through provision to a third party (excluding the cases listed in each item of Article 23, Paragraph 1 of the Act and provision of personal information accompanying entrustment of handling of personal information, business succession and shared use) (excluding personal information obtained from the information stipulated in Article 2, item 2 of the Ordinance), it is desirable to confirm the provider's compliance with the law (for example, opt-out (see Article 23, Paragraphs 2 and 3 of the Law), purpose of use, disclosure procedure, publication of the reception desk for inquiries and complaints, etc.) and to select as provider a party that manages personal information appropriately. When actually acquiring the personal information, it is desirable to confirm how it was acquired, for example by inspecting documents such as contracts showing the process of acquisition or by a reasonable alternative method, and, if it cannot be confirmed that the personal information was acquired lawfully, to act carefully, including refraining from acquiring it, since it may have been acquired by deception or other fraudulent means.

4. Safety management measures, supervision of employees and supervision of contractors (Articles 20 to 22 of the Act)

(Safety management measures)
Article 20 of the Act A business operator handling personal information must take necessary and appropriate measures to prevent the leakage, loss or damage of the personal data it handles and for other security management of personal data.
(Employee supervision)
Article 21 of the Act When a business operator handling personal information has its employees handle personal data, it must exercise necessary and appropriate supervision over the employees so that the personal data is safely managed.
(Supervision of contractor)
Article 22 of the Act When a business operator handling personal information entrusts all or part of the handling of personal data, it must exercise necessary and appropriate supervision over the entrusted party so that the entrusted personal data is safely managed.

(1) Safety management measures, etc. that the National Health Insurance Association should take
① Safety management measures
The National Health Insurance Association must take organizational, human, physical, and technical security management measures to prevent the leakage, loss or damage of the personal data it handles and for other security management of personal data. In doing so, it shall take necessary and appropriate measures according to the risks arising from the nature of the business and the handling status of personal data, considering the magnitude of the infringement of rights and interests that the person would suffer if the personal data were leaked, lost or damaged. It shall also take safety management measures according to the nature of the medium on which personal data is recorded.
② Employee supervision
The National Health Insurance Union must supervise employees as necessary and appropriate to ensure that they comply with the safety management measures in ①. "Employees" includes all those who are engaged in the business under the direction and orders of the business operator: not only those who have an employment relationship, but also directors and dispatched workers.
Under "Thorough protection of personal information by insurers" (March 14, 2003, notification of the National Health Insurance section chief), the National Health Insurance Association is to impose a duty of confidentiality on its officers and employees in its service regulations, etc.
③ Supervision of contractors
When the National Health Insurance Association outsources all or part of the handling of personal data, it must manage and supervise the contractor as necessary and appropriate, through "selection of an appropriate contractor", "conclusion of a consignment contract that includes compliance with safety management measures" and "understanding the status of handling of personal data at the consignee", so that safety management measures for the personal data are taken appropriately by the outsourcee.
(2) Matters that can be considered as safety management measures
The National Health Insurance Association shall, considering the importance of the personal data it handles, take necessary measures for preventing the leakage, loss or damage of personal data and for other safety management, with reference to the efforts shown below and in light of its scale, the condition of its employees, etc.
If the same National Health Insurance Association has multiple offices (branches), information exchange between those offices (branches) does not correspond to provision to a third party, but each office (branch) shall take safety management measures and manage the safety of personal information based on the purpose of use of the personal information.
① Development and publication of regulations regarding personal information protection
・ The National Health Insurance Association shall establish rules regarding the protection of personal information, including rules on disclosure procedures for retained personal data and a system for responding to complaints, and make them thoroughly known to insured persons by posting them on the National Health Insurance Association's homepage, distributing pamphlets, posting them on bulletin boards or keeping copies available, making public notices, etc.
・ In addition, regulations regarding safety management measures for information systems that handle personal data shall be developed in the same way.
② Development of organizational structure, etc. to promote the protection of personal information
・ To clarify the responsibility system of employees and promote concrete efforts, the National Health Insurance Union shall establish a person in charge of handling personal information who has sufficient knowledge about personal information protection and the responsibility and authority for the implementation and operation of security management of personal data (for example, a person who can supervise across the organization, such as an officer), a person in charge of personal information management, an information system audit manager, etc., and shall establish departments, committees, etc. to promote the protection of personal information.
・ Regularly self-evaluate the personal data security management measures taken by the National Health Insurance Association and make appropriate improvements in matters that should be reviewed or improved.
・ Confirmation of the response in the office by a person who has sufficient knowledge of personal information protection measures and information security measures based on the latest technological trends (Including that. ) is carried out.
③ Establishing a reporting communication system in the event of problems such as leakage of personal data
・ Establish a reporting and communication system to the person in charge for cases where 1) an accident such as leakage of personal data occurs or is judged highly likely to occur, or 2) the rules regarding the handling of personal data are violated or signs of such a violation are judged to be high.
・ Since information such as leakage of personal data may be reported from the outside as part of complaints, etc., this system shall also be coordinated with the system for responding to complaints. (See III 13.)
④ Establishing rules regarding the protection of personal information at the time of employment contract
・ Establish and thoroughly implement rules regarding the protection of personal information by employees, such as imposing confidentiality obligations in employment contracts and work regulations not only during the working period but also after leaving the job.
⑤ Implementation of education and training for employees
・ To ensure the appropriate protection of the personal data handled, raise the awareness of employees who will handle personal data in actual business by implementing education and training for employees, etc., and make employees' awareness of personal information protection thorough.
⑥ Physical safety management measures
・ To prevent theft or loss of personal data, take the following physical security management measures.
-Implementation of entrance / exit (room) management (recording or monitoring by shooting with a camera, attendance during work, etc.)
-Implementation of preventive measures against theft, etc.
-Physical protection such as fixing equipment and devices
-Prohibition of bringing in / out of media with recording function, or implementation of inspection
-Prohibition or restriction of connection of media with recording function
-Implementation of password lock for personal computers, etc. when leaving the desk
⑦ Technical safety management measures
・ To prevent theft or loss of personal data, take the following technical safety management measures for information systems that handle personal data, in accordance with the purpose of "Strengthening security measures for core systems related to the proper handling of personal information (re-request)" (notified on December 18, 2015).
-Access management for personal data (authentication by ID, password, etc.; adopting a system configuration that allows each staff member access only to the range necessary for business according to the content of their work)
-Saving access records for personal data
-Installing a firewall for personal data
-Encryption and password setting for personal data
-Periodic confirmation of records of access to and operations on personal data, and of the existence of abnormal records suspected of being fraudulent
-Physical or logical separation of networks connected to mission-critical systems and networks connected to the Internet
-Software-related vulnerability countermeasures (application of security patches, discovery and correction of vulnerabilities unique to the relevant information system, etc.)
-Update of software and hardware at the necessary and appropriate time
⑧ Saving personal data
・ When storing personal data for a long period of time, store it properly so that the personal data does not disappear, for example by preventing deterioration of storage media.
・ When it is necessary to save personal data, such as for responding to inquiries from the person himself / herself, save it in a searchable state, for example by maintaining an index, so that a quick response is possible.
⑨ Disposal and deletion of unnecessary personal data
・ When disposing of personal data that is no longer needed, dispose of it in a form that cannot be restored, such as by incineration or dissolution.
・ When disposing of information devices that handle personal data, erase the personal data in the storage device into a form that cannot be restored before discarding.
・ When outsourcing these disposal operations, clearly define the handling of personal data in the outsourcing contract as well.
(3) Handling when outsourcing business
① Supervision of contractors
When entrusting all or part of the handling of personal data, such as receipt input / inspection work, creation of insured person's cards, comprehensive medical checkups ("human dock") and health guidance, the National Health Insurance Association must supervise the trustee as necessary and appropriate to ensure compliance with safety management measures based on Article 20 of the Act.
"Necessary and appropriate supervision" includes, in addition to incorporating the details of the safety management measures specified by the business operator who is the consignor into the consignment contract and making them an obligation of the trustee, regularly checking that the business is being carried out appropriately.
In addition, when the business is subcontracted and a problem arises because the subcontractor has handled it improperly, the National Health Insurance Union or the subcontractor may be liable.
② Precautions when outsourcing business
When a business operator related to the National Health Insurance Association, etc. outsources all or part of the handling of personal data, the following matters should be noted.
・ Select as contractor (trustee) a business operator that handles personal information appropriately. When selecting an outsourcer, it is desirable to confirm the contractor's system, regulations, etc. in order to verify that its safety management measures are at least equivalent to those required under Article 20 of the Act and, if necessary, for the person in charge of handling personal information to make an appropriate evaluation after confirming by going to the place where personal data is handled or by a reasonable alternative method.
・ Include in the contract content on the outsourced business and on the appropriate handling of personal information by the contractor (including the handling of personal data after the consignment is completed, in addition to during the consignment period), and publicize the contract details.
・ Regularly confirm that the trustee handles personal information appropriately.
・ If there is any doubt about the handling of personal information by the trustee (including cases where confirmation is considered necessary because of a request from the insured, etc.), ask the trustee for an explanation and take appropriate measures such as requesting improvement as necessary.
・ From the viewpoint of personal information protection, make an effort to anonymize personal information by masking it as much as possible before entrusting it.
・ In addition, when entrusting, provide only the range of information that is actually required, and take care not to provide other businesses with matters that do not need to be provided.
* Notices regarding outsourcing in the National Health Insurance Association
In addition to the above precautions, comply with the following notices regarding outsourcing.
・ "Thorough protection of personal information" (December 25, 2002, No. 122,50003)
・ "Thorough protection of personal information by insurers" (March 14, 2003, Hokoku No. 0314001) Attachment 2 "4. Measures for outsourcing regarding the processing of personal information"
③ Precautions when subcontracting business
When all or part of the processing related to personal information outsourced by the National Health Insurance Association is subcontracted, the following matters should be noted.
・ Although it is not prohibited to subcontract business including personal information, do not subcontract the processing of personal information to a party that has no direct contractual relationship with the National Health Insurance Association. ("Thorough protection of personal information by insurers" (March 14, 2003, Hokoku No. 0314001) Attachment 2 "4. Measures for outsourcing regarding the processing of personal information")
・ When subcontracting business including personal information or subcontracting processing related to personal information, strive, from the viewpoint of personal information protection, to anonymize the personal information by masking it as much as possible so that the contractor does not provide personal information to the subcontractor.
In this case, when concluding a consignment contract with the primary consignee, the National Health Insurance Association shall, as a matter of course, clearly state in the consignment contract that the primary contractor will comply with the matters listed in the criteria of the above notification. In addition, it shall take care that the first consignment contract clearly states whether subcontracting is possible, that subcontracting requires a prior written report to or approval from the consignor, and that the subcontractor will observe the matters set forth in the criteria of the notification under the subcontracting contract.
In addition, when the primary contractor intends to subcontract, it is desirable for the National Health Insurance Association, as in the case of consignment, to require a prior report or approval procedure from the primary contractor regarding the subcontractor, the content of the subcontracted business, the subcontractor's method of handling personal data, etc., and to conduct regular audits, etc., directly or through the primary contractor, and thereby to fully confirm that the primary contractor appropriately supervises the subcontractor as required by this item and that the subcontractor takes safety management measures based on Article 20 of the Act.
(4) Handling when storing receipts in a medium other than paper, etc. or outsourcing this
When the National Health Insurance Association stores receipts in a medium other than paper, processes receipts by computer, or outsources these, it shall establish and implement regulations on the handling of such operation and outsourcing to ensure safety.
(5) Prevention of secondary damage in the event of problems such as leakage of personal information
When problems such as leakage of personal information occur, from the viewpoint of preventing secondary damage and avoiding the occurrence of similar cases, disclose the facts as much as possible while giving consideration to the protection of personal information, and promptly report to the local welfare bureau with jurisdiction.
In addition, if a problem such as leakage of personal data occurs, it is desirable to take the necessary measures in accordance with "Measures to be taken when a case such as leakage of personal data occurs" (2017 Personal Information Protection Commission Notification No. 1): (1) reporting inside the business operator and preventing the spread of damage, (2) investigating the facts and determining the cause, (3) identifying the scope of impact, (4) examining and implementing recurrence prevention measures, (5) contacting persons who may be affected, and (6) publishing the facts and the measures to prevent recurrence. In addition, if a case such as a leak is discovered, the National Health Insurance Association shall endeavor to promptly report the facts and the measures to prevent recurrence to the Personal Information Protection Commission.
However, a National Health Insurance union that is a target business operator of an authorized personal information protection organization stipulated in Article 47, Paragraph 1 of the Law shall endeavor to promptly report to the authorized personal information protection organization to which it belongs.
[Matters to be observed according to the provisions of the law]
・ The National Health Insurance Association must take necessary and appropriate measures to prevent the leakage, loss or damage of the personal data it handles and for other safety management of personal data.
・ When having its employees handle personal data, the National Health Insurance Association must exercise necessary and appropriate supervision over the employees so that the personal data is safely managed.
・ When the National Health Insurance Association entrusts all or part of the handling of personal data, it must exercise necessary and appropriate supervision over the entrusted party so that the entrusted personal data is safely managed.
[Other matters]
・ To further promote efforts related to safety management measures, it is desirable for the National Health Insurance Association to verify at regular intervals whether appropriate safety management measures are in place and, as necessary, to undergo verification by an external organization and make improvements.

5. Provision of personal data to a third party (Article 23 of the Act)

(Restrictions on provision to third parties)
Article 23 of the Act A business operator handling personal information must not provide personal data to a third party without obtaining the consent of the person in advance, except in the following cases.
(i) When required by law
(ii) When it is necessary to protect the life, body or property of a person and it is difficult to obtain the consent of the person.
(iii) When it is particularly necessary to improve public health or promote the sound development of children and it is difficult to obtain the consent of the person.
(iv) When it is necessary to cooperate with a national institution or local public body, or a person entrusted by one, in carrying out the affairs stipulated by laws and regulations, and obtaining the consent of the person risks hindering the performance of the relevant affairs.
2 Regarding personal data provided to third parties (excluding sensitive personal information. The same shall apply hereinafter in this section.), where a business operator handling personal information is to suspend the provision to a third party of personal data that identifies the person at the request of the person, and where it has, as stipulated by the rules of the Personal Information Protection Commission, notified the person in advance of the following matters or put them in a state that the person can easily know, and has notified the Personal Information Protection Commission, it may provide the personal data to a third party regardless of the provisions of the preceding paragraph.
(i) That the purpose of use is provision to a third party
(ii) Items of personal data provided to a third party
(iii) Method of providing to a third party
(iv) That provision of personal data that identifies the person to a third party will be suspended at the request of the person
(v) How to accept the request of the person
3 When changing the matters listed in item 2, item 3 or item 5 of the preceding paragraph, the business operator handling personal information must, as stipulated by the rules of the Personal Information Protection Commission, notify the person in advance of the content to be changed or put it in a state that the person can easily know, and notify the Personal Information Protection Commission.
4 When notified pursuant to the provisions of paragraph 2, the Personal Information Protection Commission shall publish the matters pertaining to the notification as stipulated by the rules of the Personal Information Protection Commission. The same shall apply when there is a notification pursuant to the provisions of the preceding paragraph.
5 In the following cases, the person who receives the provision of the personal data shall not correspond to a third party for the application of the provisions of the preceding paragraphs.
(i) When the personal data is provided in connection with the business operator handling personal information entrusting all or part of the handling of personal data to the extent necessary to achieve the purpose of use
(ii) When personal data is provided due to business succession due to a merger or other reasons
(iii) When personal data shared with a specific person is provided to that specific person, and the person has been notified in advance of, or can easily know, that fact, the items of personal data to be shared, the scope of the persons who share it, the purpose of use of the persons who use it, and the name of the person responsible for the management of the personal data.
6 When changing the purpose of use of the users or the name of the person responsible for the management of personal data prescribed in item 3 of the preceding paragraph, the business operator handling personal information must notify the person in advance of the content to be changed or put it in a state that the person can easily know.

(1) Handling of provision to a third party
The National Health Insurance Association must not provide personal data to a third party without obtaining the consent of the person in advance, and in cases such as the following it is necessary to obtain the consent of the person.
(Example)
・ Inquiries from private insurance companies
When an insured person wants to take out private life insurance and the insurance company inquires about the person's health condition, do not answer about the health condition without the consent of the person.
When a non-life insurance company inquires about the symptoms of an insured person who is being treated for injuries due to a traffic accident, as necessary for the examination of payment of non-life insurance benefits, do not answer the name of the injury or illness without the consent of the person.

・ Inquiries from business establishments
When a business owner, etc. inquires about the name of the injury or illness of a union member, do not answer the name of the injury or illness without obtaining the consent of the person.

・ Inquiries from the school
When school staff, etc. inquire about the health condition of children / students, do not answer the health condition, etc. without obtaining the consent of the person.

・ Inquiries from companies for marketing purposes
When a company aiming to sell health foods inquires about the existence of insured persons with high blood pressure and about their names, addresses, etc., do not answer without the consent of the person.

* Definition of "person" and "third party" in this article
・ "Person": An individual identified by personal data.
・ "Third party": A person other than the person and the business operator handling personal information. It does not matter whether it is a natural person, a corporation or another organization.
(2) Exceptions provided by a third party
However, in the following cases, it is not necessary to obtain the consent of the person.
① When required by law
When personal information is used based on laws and regulations, such as collecting reports based on Article 106 of the National Health Insurance Law (see III 1. (2) ①)
② When it is necessary to protect the life, body or property of a person and it is difficult to obtain the consent of the person
(Example)
・ When providing information such as family contact information to medical institutions, etc. for an insured person who has become unconscious
* "When it is difficult to obtain the consent of the person" includes cases where the person does not consent even if consent is requested, and cases where the consent of the person cannot be obtained without even going through the procedure to ask for it.
③ When it is particularly necessary to improve public health or promote the sound development of children, and it is difficult to obtain the consent of the person
(Example)
・ When providing information obtained from health examinations and cancer examinations to researchers, with personal names withheld, for epidemiological investigations and research
・ When, in order to improve medical safety, information such as names is particularly needed among the information provided to the national government, local governments, third-party organizations, etc. regarding medical accidents that occurred at medical institutions that submit receipts to the National Health Insurance Association
④ When it is necessary to cooperate with a national institution, a local public body or a person entrusted by one of them in carrying out the affairs stipulated by laws and regulations, and obtaining the consent of the person risks hindering the performance of the relevant affairs

(3) When it is considered that the consent of the person has been obtained
Comprehensive implied consent is considered to have been obtained for the provision of information to third parties in the following case.
・ Among the purposes of use that are normally necessary for insurance benefits to insured persons, etc., for those that are beneficial to the insured persons, etc., or those, such as medical expense notifications, for which obtaining the insured person's intention every time would place an enormous burden on the National Health Insurance Association and is not always rational for the insured person: when the scope of the purposes of use has been made clear by posting on the homepage, distributing pamphlets, posting or furnishing on bulletin boards, public notice, etc., and the insured person has given no particularly clear indication of opposition or reservation
In addition, the following should also be posted on the homepage, bulletin board, etc.
(a) If there is something among the purposes of use indicated by the National Health Insurance Association that the insured person cannot agree with, the insured person may ask the National Health Insurance Association to obtain the clear consent of the person in advance regarding that matter.
(b) If the insured person does not express the intention described in (a), the consent of the insured person is deemed to have been obtained for the announced purposes of use.
(c) Consent and reservation may be changed at any time afterwards at the request of the insured person.
* Example where comprehensive implied consent is considered acceptable

・ Notification of medical expenses for each household
(4) When it does not correspond to "third party"
① When information is provided to other businesses, but they do not fall under the category of "third party"
A person who receives personal data in the cases listed in each item of Article 23, Paragraph 5 of the Act does not correspond to a third party, and information can be provided without the consent of the person. Specific examples in the National Health Insurance Union are as follows.

・ When outsourcing operations such as receipt inspection and health guidance
・ When the person has been notified in advance that personal data will be used jointly with a specific person
* Notes on shared use of personal data
When it is planned in advance that personal data will be used jointly with a specific person, such as when the National Health Insurance Association and a business operator stipulated in the Industrial Safety and Health Act jointly carry out a medical examination, or jointly provide follow-up guidance using the results of medical examinations, the joint user does not fall under the category of a third party if the following are notified to the person in advance, or kept in a state that the person can easily know, together with the fact that the data will be used jointly: (a) the items of personal data to be used jointly, (b) the scope of joint users (whether or not they are listed individually, the scope must be specified so that it is clear from the perspective of the person), (c) the purpose of use of the users, and (d) the name of the person responsible for the management of the personal data.
In this case, (a) and (b) cannot be changed, while (c) and (d) can be changed within the range that is not difficult for the person to anticipate, and before the change, the person must be notified or the change must be placed in a state that the person can easily know.
If it is not shared use, the National Health Insurance Association and the business operator stipulated in the Industrial Safety and Health Act are different entities, and the insured person's consent is required for them to share the medical examination results.
② When the information is provided within the same business operator and does not correspond to a third party
Providing information within the same business operator does not mean that the personal data was provided to a third party. Therefore, information can be provided without the consent of the person. Specific examples in the National Health Insurance Association are as follows.

・ Exchange of information within the National Health Insurance Association, such as cooperation with other departments within the National Health Insurance Association
・ Exchange of information between offices (branches) when the National Health Insurance Association has multiple offices (branches)
・ Use in training for National Health Insurance Association staff (in relation to the purposes of use specified and announced, it may be necessary to take the measures required for use outside those purposes)
・ Exchange of information for business analysis within the National Health Insurance Association
Of these, when using receipts or medical examination records for training inside the National Health Insurance Association, obtain the consent of the person again, including the specific method of use, or anonymize the material so that no individual is identified.
(5) Other points to note
・ Notes on providing information to other businesses
Not only when providing information to third parties, but also when information is provided to other businesses (1) under an exception to third-party provision, such as when based on laws and regulations, (2) where the recipient does not correspond to a "third party", or (3) after anonymizing it so that no one is identified, provision should be limited to the extent of the information that is essentially necessary, and items that are not required to be provided should not be provided to other businesses.
In addition, when providing to a third party personal information that has the duality of belonging to both the insured person and the doctor, etc., the consent of both parties may be required. If the information is provided to a third party with the consent of only one of them, do so after masking the part related to the other's personal information.
[Matters to be observed according to the provisions of the law]
・ The National Health Insurance Association must not provide personal data to a third party without obtaining the consent of the person in advance. However, if a case in (2) where it is not necessary to obtain the consent of the person applies, it is not necessary to obtain the consent of the person.
・ If the person has consented to the provision of personal data to a third party and later requests to revoke the consent for a part of the scope of provision to the third party, the subsequent handling of the personal data shall be limited to the scope of the consent of the person.

[Other matters]
・ Even when information is provided in a way that does not fall under provision to a third party, clarify the destination of the information as much as possible by posting on the homepage of the National Health Insurance Association, distributing pamphlets, posting / installing on bulletin boards, public notices, etc., and secure a system that can respond to inquiries from insured persons about this when they arise.
・ For example, in the case of business consignment, announce the content of the business consigned by the National Health Insurance Association, the consignee, and the contents of the consignment such as agreements with the consignee on the handling of personal information.

6. Restrictions on provision to third parties in foreign countries (Article 24 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Provision to a Third Party in a Foreign Country)" (2016 Personal Information Protection Commission Notification No. 7).
(reference)
(Restrictions on provision to third parties in foreign countries)
Article 24 of the Act: When a business operator handling personal information provides personal data to a third party (excluding a person who has established a system that meets the standards stipulated by the rules of the Personal Information Protection Commission as necessary for continuously taking measures equivalent to those that a business operator handling personal information should take regarding the handling of personal data according to the provisions of this section; the same shall apply hereinafter in this article) in a foreign country (meaning a country or region outside the territory of Japan; the same shall apply hereinafter) (excluding those established by the rules of the Personal Information Protection Commission as a foreign country that has a system for protecting personal information recognized as being at the same level as Japan in protecting the rights and interests of individuals; the same shall apply hereinafter in this article), it must, except in the cases listed in each item of paragraph 1 of the preceding article, obtain in advance the consent of the person to allow the provision to a third party in a foreign country. In this case, the provisions of the same Article do not apply.
Regulations Article 11: The standards stipulated by the rules of the Personal Information Protection Commission under Article 24 of the Act shall be that either of the following items applies.
(I) Between the business operator handling personal information and the person who receives the provision of personal data, the implementation of measures in line with the purpose of the provisions of Chapter 4, Section 1 of the Act is ensured, by an appropriate and rational method, regarding the handling of the personal data by the person who receives the provision.
(Ii) The person who receives the provision of personal data has been certified based on an international framework for handling personal information.

[Matters to be observed according to the provisions of the law]
・ When the National Health Insurance Association provides personal data to a third party in a foreign country, it must, based on the provisions of Article 24 of the Act, obtain the consent of the person to the provision to a third party in a foreign country, except as provided in each item (*) of Article 23, Paragraph 1 of the Act.
・ However, if either of the following (1) or (2) applies, the data can be provided, as within Japan, by provision to a third party with the consent of the person based on the main clause of Article 23, Paragraph 1 of the Law, or by consignment or joint use based on paragraph 5 of the same Article.
(1) When the third party in a foreign country is in a country specified in the Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information Protection Committee Rule No. 3; hereinafter referred to as "rules") as a country that has a personal information protection system recognized to be at the same level as Japan
(2) When the third party in a foreign country has established a system that conforms to the standards stipulated in the rules as a system necessary to continuously take measures equivalent to the measures that a business operator handling personal information should take
(*) Each item of Article 23, Paragraph 1 of the Law
・ When providing personal data in accordance with laws and regulations (related to No. 1)
・ When it is necessary to provide personal data to protect specific rights and interests, such as the life, body or property of a person (including a corporation), from infringement, and it is difficult to obtain the consent of the person (related to No. 2)
・ When it is especially necessary for improving public health or for the sound development of children who are developing physically and mentally, and it is difficult to obtain the consent of the person (related to No. 3)
・ When it is necessary to obtain the cooperation of private companies, etc. in order for national organizations, etc. to carry out the affairs stipulated by laws and regulations, and obtaining the consent of the person for the cooperating private company, etc. to provide personal data to the national organization, etc. risks hindering the performance of the relevant affairs (related to No. 4)

7. Creation of records related to provision to a third party (Article 25 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Obligation to Confirm and Record at the Time of Provision to a Third Party)" (2016 Personal Information Protection Commission Notification No. 8).

(Creation of records related to provision to a third party, etc.)
Article 25 of the Act: When a business operator handling personal information has provided personal data to a third party (excluding those listed in each item of Article 2, Paragraph 5. (omitted)), it must create a record (omitted). However, this does not apply if the provision of the personal data falls under any item of Article 23, paragraph 1 or any item of paragraph 5 (omitted).
2 The business operator handling personal information must retain the record set forth in the preceding paragraph, from the date when the record is created, for the period specified by the rules of the Personal Information Protection Committee.
(Creation of records related to provision to a third party)
Rule Article 12: The method of making a record under Article 25, paragraph 1 of the Act shall be a method of making it using a document, electromagnetic record or microfilm.
2 The record set forth in Article 25, Paragraph 1 of the Act must be created promptly each time personal data is provided to a third party (omitted). However, when personal data has been provided to the third party continuously or repeatedly (omitted), or when it is expected that personal data will be provided to the third party continuously or repeatedly, the records can be created in a batch.
3 Notwithstanding the provisions of the preceding paragraph, when personal data related to a person is provided to a third party, pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act, in connection with the provision of goods or services to the person, and the contract or other documents prepared for that provision state the matters specified in each item of paragraph 1 of the next article, the relevant document can be substituted for the record of those matters under Article 25, paragraph 1 of the Act.
(Recorded items related to provision to a third party)
Regulations Article 13: The matters stipulated by the Personal Information Protection Commission Regulations under Article 25, Paragraph 1 of the Act shall be the matters specified in each of the following items, according to the classification of the cases listed in each item.
(I) When personal data is provided to a third party pursuant to the provisions of Article 23, paragraph 2 of the Act: the matters listed in (a) to (d) below
(a) Date when the personal data was provided
(b) The name of the third party and other matters sufficient to identify the third party (when the data is provided to an unspecified large number of people, that fact)
(c) The name of the person identified by the personal data and other matters sufficient to identify the person
(d) Items of the personal data
(Ii) When personal data is provided to a third party pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act: the matters listed in (a) and (b) below
(a) The fact that the consent of the person under Article 23, Paragraph 1 of the Act or Article 24 of the Act has been obtained
(b) Matters listed in (b) to (d) of the previous item
2 Of the matters specified in each item of the preceding paragraph, for a matter whose content is the same as a matter already recorded in a record under Article 25, paragraph 1 of the Act created by the method specified in the preceding article (limited to the case where that record is kept), the recording of that matter under Article 25, Paragraph 1 of the Act can be omitted.
(Retention period of records related to provision to a third party)
Rule Article 14: The period specified by the rules of the Personal Information Protection Commission under Article 25, Paragraph 2 of the Act shall be the period specified in each of the following items, according to the classification of the cases listed in each item.
(I) When a record is created by the method prescribed in Article 12, paragraph (3): until the day one year has passed from the day when the personal data related to the record was last provided
(Ii) When a record is created by the method prescribed in the proviso of Article 12, paragraph (2): until the day three years have passed from the day when the personal data related to the record was last provided
(Iii) In cases other than the previous two items: three years

(1) When the recording obligation does not apply
Recording obligations do not apply in the following cases:
① When the third party is a person listed in each item of Article 2, Paragraph 5 of the Law
When exchanging personal data with the persons listed in 1) to 4) below, the recording obligation does not apply.
1) National institution (related to Article 2, Paragraph 5, Item 1 of the Law)
2) Local public bodies (related to Article 2, Paragraph 5, Item 2 of the Law)
3) Incorporated Administrative Agencies, etc. (meaning the incorporated administrative agencies, etc. prescribed in Article 2, Paragraph 1 of the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. (Act No. 59 of 2003)) (related to Article 2, Paragraph 5, Item 3 of the Law)
4) Local Incorporated Administrative Agency (meaning a local incorporated administrative agency specified in Article 2, Paragraph 1 of the Local Incorporated Administrative Agency Law (2003 Law No. 118)) (related to Article 2, Paragraph 5, Item 4 of the Law)
② When each item of Article 23, Paragraph 1 of the Act is applicable (see III 5. (2))
Considering that it is unlikely that the personal data will be passed on from one party to another, the recording obligation does not apply.
1) When providing personal data in accordance with laws and regulations (related to No. 1)
(Example)
・ Reimbursement claims to non-life insurance companies, etc. related to third-party acts
2) When it is necessary to provide personal data to protect specific rights and interests, such as the life, body or property of a person (including a corporation), from infringement, and it is difficult to obtain the consent of the person (related to No. 2)
3) When it is especially necessary for the improvement of public health or the sound upbringing of children who are developing physically and mentally, and it is difficult to obtain the consent of the person (related to No. 3)
4) When it is necessary to obtain the cooperation of private companies, etc. in carrying out the affairs stipulated by laws and regulations by national organizations, etc., and obtaining the consent of the person for the cooperating private company, etc. to provide personal data to the national organization, etc. risks hindering the performance of the relevant affairs (related to No. 4)
③ When each item of Article 23, Paragraph 5 of the Act is applicable (see III 5. (4))
In view of the fact that the recipient does not fall under the category of a third party, the recording obligation does not apply.
1) When personal data is provided in connection with the business operator handling personal information entrusting all or part of the handling of personal data within the range necessary to achieve the purpose of use (related to Article 23, Paragraph 5, Item 1 of the Law)
(Example)
・ Outsourcing for translation related to overseas medical expenses
・ Outsourcing of data processing such as qualifications of insured persons
・ Outsourcing to industrial physicians related to health guidance and health consultation
・ Outsourcing of medical examinations to medical institutions
・ Consignment of operation of health promotion facilities (recreation centers, etc.)
・ Providing medical examination results to businesses
・ Consignment of inspection / examination of the contents of the receipt data
・ Entrustment of punch input and image capture processing for computer processing of receipt data
・ Outsourcing of data processing related to medical expense analysis and medical expense notification
2) When personal data is provided due to business succession due to merger or other reasons (related to Article 23, Paragraph 5, Item 2 of the Law)
3) When personal data used jointly with a specific person is provided to that specific person, and the person has been notified in advance of, or is in a state where he / she can easily know, that fact, the items of personal data used jointly, the scope of joint users, the purpose of use of the users, and the name of the person responsible for the management of the personal data (related to Article 23, Paragraph 5, Item 3 of the Act)
④ When providing on behalf of the person
When the National Health Insurance Association provides the personal data of the insured person to a third party based on the consignment from the insured person, the business operator handling personal information is providing the personal data "on behalf of the person".
Therefore, the obligation to record does not apply to the provision to a third party in this case.
(Example)
・ Consultation or notification to insurance companies, medical institutions, etc. in third-party reimbursement work
⑤ When providing to a person who has a relationship that can be evaluated as one with the person
When providing to a person who has a relationship that can be evaluated as one with the person, such as the person's agent or family, the data is considered to be provided to the person himself / herself, and the obligation to record does not apply.
(Example)
・ When, in notifying medical expenses for each household, personal data for family members is provided to the person in writing, on the WEB, etc.
[Matters to be observed according to the provisions of the law]
(2) Application of recording obligation
In cases where none of the cases described in (1) apply, when the National Health Insurance Association provides personal data to a third party, it must create the record stipulated by law and retain the record.
① How to make a record, etc.
1) Medium for creating records
The National Health Insurance Union must create records using documents, electromagnetic records or microfilm.

2) How to make a record
As a general rule, the National Health Insurance Association must promptly create a record each time personal data is exchanged.
3) How to create records in a batch
When personal data is sent and received continuously or repeatedly with a specific business within a certain period of time, records can be created in a batch instead of creating records for individual transfers.
4) Method by alternative means such as contract
When the National Health Insurance Association has concluded a contract regarding the provision of goods or services to the person and, in connection with that contract, provides to a third party personal data of which the other party of the contract is the principal, the distribution of the personal data can be tracked through the contract and other documents created at the time of provision, so the contract or other documents can be used as the record.
5) How to create a record on behalf of the other party
Considering that both the provider and the recipient have the same record creation method and retention period, the recipient may perform all or part of the provider's recording obligation on its behalf (it should be noted that there are differences between the recorded items of the provider and the recipient). Even in this case, the provider and the recipient are not exempt from their own obligations, so they have to build a system that is practically equivalent to fulfilling the obligation to create records by themselves.

② Recorded items
1) Recorded items of the provider
When the National Health Insurance Association provides personal data to a third party based on the consent of the person, the following items must be recorded.
・ The fact that the consent of the person has been obtained
・ Name of the third party and other matters that can identify the third party
・ Name of the person identified by personal data and other matters that can identify the person
・ Personal data items
③ Omission of recorded items
When personal data of the same "person" is exchanged multiple times, it is not necessary to record the same contents in duplicate. If an item has the same content as an item already recorded in a record created by the method specified in "7. (2) Application of recording obligation" (only when that record is actually retained), the recording of the item may be omitted.
④ Storage period
The National Health Insurance Union must retain the records it has created for the period specified by the regulations. It should be noted that the retention period differs depending on the method of creating the record.

Method of creating the record and retention period
・ When the record is created by alternative means such as contracts: until the day one year has passed since the day the personal data related to the record was last provided
・ When the record is created by the method of creating records in a batch: until the day three years have passed since the day the personal data related to the record was last provided
・ Other than the above: 3 years

8. Confirmation, etc. when receiving provision from a third party (Article 26 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Obligation to Confirm and Record at the Time of Provision to a Third Party)" (2016 Personal Information Protection Commission Notification No. 8).

(Confirmation when receiving provision from a third party, etc.)
Article 26 of the Act: When a business operator handling personal information receives personal data from a third party, it must confirm the following matters (omitted). However, this does not apply if the provision of the personal data falls under any of the items of Article 23, paragraph 1 or any of the items of paragraph 5.
(I) The name and address of the third party and, in the case of a corporation, the name of its representative (in the case of an organization that is not a corporation and has a representative or manager, that representative or manager)
(Ii) Background of acquisition of the personal data by the third party
2 When the business operator handling personal information carries out the confirmation according to the provisions of the preceding paragraph, the third party in that paragraph must not deceive the business operator handling personal information about the matters related to the confirmation.
3 When the business operator handling personal information has carried out the confirmation according to the provisions of paragraph 1, it must, according to the rules of the Personal Information Protection Committee, make a record of the date of receipt of the personal data, the matters related to the confirmation, and other matters stipulated by the rules of the Personal Information Protection Commission.
4 The business operator handling personal information must retain the record set forth in the preceding paragraph, from the date when the record is created, for the period specified by the rules of the Personal Information Protection Committee.
(Confirmation when receiving provision from a third party)
Rule Article 15: The method of confirming the matters listed in item 1 of Article 26, paragraph 1 of the Act pursuant to the provisions of that paragraph shall be to receive a declaration from the third party who provides the personal data, or another appropriate method.
2 The method of confirming the matters listed in item 2 of Article 26, paragraph 1 of the Act pursuant to the provisions of that paragraph shall be to receive, from the third party who provides the personal data, the presentation of a contract or other document showing the process of acquisition of the personal data by the third party, or any other appropriate method.
3 (omitted)
(Creation of records related to confirmation when receiving provision from a third party)
Rule Article 16: The method of making a record under Article 26, paragraph 3 of the Act shall be a method of making it using a document, electromagnetic record or microfilm.
2 The record set forth in Article 26, Paragraph 3 of the Act must be created promptly each time personal data is provided by a third party. However, when personal data has been provided by the third party continuously or repeatedly (excluding provision pursuant to the provisions of Article 23, Paragraph 2 of the Act; the same shall apply hereinafter in this Article), or when it is expected that personal data will be provided by the third party continuously or repeatedly, the records can be created in a batch.
3 Notwithstanding the provisions of the preceding paragraph, when personal data related to the person is provided by a third party in connection with the provision of goods or services to the person, and the contract or other document created for that provision contains the matters specified in each item of paragraph 1 of the next article, that document may be substituted for the record relating to the relevant matters set forth in Article 26, paragraph 3 of the Act.
(Recorded items when receiving provision from a third party)
Regulations Article 17: The matters stipulated by the Personal Information Protection Commission Regulations under Article 26, Paragraph 3 of the Act shall be the matters specified in each of the following items, according to the classification of the cases listed in each item.
(I) When personal data is received from a business operator handling personal information pursuant to the provisions of Article 23, paragraph 2 of the Act: the matters listed in (a) to (e) below
(a) Date of receiving the personal data
(b) Matters listed in each item of Article 26, Paragraph 1 of the Act
(c) The name of the person identified by the personal data and other matters sufficient to identify the person
(d) Items of the personal data
(e) The fact that it has been announced pursuant to the provisions of Article 23, Paragraph 4 of the Act
(Ii) When personal data is received from a business operator handling personal information pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act: the matters listed in (a) and (b) below
(a) The fact that the consent of the person under Article 23, Paragraph 1 of the Act or Article 24 of the Act has been obtained
(b) Matters listed in (b) to (d) of the previous item
(Iii) When personal data is received from a third party (excluding those who fall under the category of business operators handling personal information): the matters listed in (b) to (d) of item (I)
2 (Omitted)
(Retention period of records when receiving a third-party provision)
Rule Article 18 The period specified by the rules of the Personal Information Protection Commission under Article 26, Paragraph 4 of the Act shall be the period specified in each of the following items, according to the classification of the cases listed in each item.
(i) When a record is created by the method prescribed in Article 16, paragraph 3: until the day one year has passed from the day the personal data relating to the record was last provided
(ii) When a record is created by the method prescribed in the proviso of Article 16, paragraph 2: until the day three years have passed from the day the personal data relating to the record was last provided
(iii) In cases other than the previous two items: three years

(1) When the confirmation / recording obligation does not apply
As with the creation of records related to provision to a third party (Article 25 of the Act) in 7., the confirmation / recording obligation does not apply ① when the third party is a person listed in any item of Article 2, Paragraph 5 of the Act, ② when any item of Article 23, Paragraph 1 of the Act applies (see III.5.(2)), ③ when any item of Article 23, Paragraph 5 of the Act applies (see III.5.(4)), ④ when receiving personal data provided on behalf of the person, or ⑤ when the provider is a person whose relationship with the person can be evaluated as being one with the person. For specific examples, see 7.(1).
In addition, the confirmation / recording obligation does not apply in the following cases.
⑥ When the information does not correspond to personal data for the recipient
If the recipient receives information that corresponds to personal data for the provider but not for the recipient, the confirmation / recording obligation does not apply.
⑦ When the information does not correspond to personal information for the recipient
Even if the information corresponds to personal data for the provider, if the recipient receives information that does not correspond to "personal information" for the recipient (and so naturally does not correspond to personal data), as in the following cases, the confirmation / recording obligation does not apply.
[Cases that do not correspond to personal information for the recipient]
(Example)
・ When receiving data that the provider has processed, for example by deleting names, so that individuals cannot be identified
・ When data is provided with only the ID number managed by the provider
[Matters to be observed according to the provisions of the law]
(2) Application of confirmation obligation
When receiving personal data from a third party, the National Health Insurance Association must confirm the following matters with the third party.
① Confirmation method
1) The name and address of the third party and, in the case of a corporation, the name of its representative
2) Background of acquisition of personal data by the third party

3) Compliance with the law [Other matters]
When the National Health Insurance Association receives personal data from another business operator, it is desirable to also check that business operator's compliance with the law (for example, publication of the purpose of use, the disclosure procedures, and the inquiry / complaint reception desk, and, when receiving personal data provided to a third party by opt-out, that the matters notified by the business operator have been published by the Personal Information Protection Commission).
② Confirmation method for third parties who have already been confirmed
When personal data is exchanged multiple times with the same "person", it is not rational to confirm the same contents in duplicate. Therefore, for matters that have already been confirmed by the method specified in "① Confirmation method" and recorded by the method specified in "8. (3) Obligation to record", and whose contents are the same as those in the record being kept at that time, confirmation of the matter can be omitted.
(3) Application of recording obligation
In addition, when the National Health Insurance Association receives personal data from a third party, it must create the records stipulated by law and keep those records.
① How to make a record, etc.
1) Medium for creating records
The National Health Insurance Union must create records using documents, electromagnetic records or microfilm.
2) How to make a record
As a general rule, the National Health Insurance Association must promptly create a record each time personal data is exchanged.
3) How to create records in a batch
When personal data is sent and received continuously or repeatedly with a specific business operator within a certain period of time, records can be created in a batch instead of creating a record for each individual transfer.
4) Method by alternative means such as contract
When the National Health Insurance Association has concluded a contract regarding the provision of goods or services to the person and, in the course of performing that contract, receives from a third party personal data of which the other party to the contract is the principal, the exchange can be traced through the contract or other document created at the time the personal data was provided, so the contract or other document can be used in place of the record.
5) How to create a record on behalf of the other party
Considering that the method of creating records and the retention period are the same for both the provider and the recipient, the provider may perform all or part of the recipient's recording obligation on its behalf (note that the recorded items differ between the provider and the recipient). Even in this case, the provider and the recipient are not exempt from their own obligations, and each must build a system that is practically equivalent to fulfilling the obligation to create records by itself.
② Recorded items
1) Recipient's record items
If the National Health Insurance Association receives personal data provided by a third party based on the consent of the person, the following items must be recorded.
・ The fact that the consent of the person has been obtained
・ The name and address of the third party and, in the case of a corporation, the name of its representative
・ Background of acquisition of the personal data by the third party
・ Name of the person identified by the personal data and other matters that can identify the person
・ Personal data items
③ Omission of recorded items
When personal data is exchanged multiple times with the same "person", it is not necessary to record the same contents in duplicate. If an item has the same content as one already recorded in a record created by the method specified in "8. (3) Application of recording obligation" (only while that record is actually being kept), the recording of the item may be omitted.
④ Storage period
The National Health Insurance Union must retain the records it has created for the period specified by the regulations. It should be noted that the retention period differs depending on the method of creating the record.

Method of creating the record: Retention period
・ When a record is created by alternative means such as contracts: until the day one year has passed since the day the personal data related to the record was last provided
・ When a record is created by the method of creating records in a batch: until the day three years have passed since the day the personal data related to the record was last provided
・ Other than the above: 3 years


9. Publication of matters related to retained personal data (Article 27 of the Act)

(Publication of matters related to retained personal data, etc.)
Article 27 of the Act The business operator handling personal information must put the following matters regarding retained personal data in a state that the person can know (including the case of replying without delay at the request of the person).
(i) Name of the business operator handling personal information
(ii) Purpose of use of all retained personal data (except when Article 18, Paragraph 4, Items 1 to 3 apply)
(iii) Procedures for responding to a request pursuant to the provisions of the following paragraph, or to a request pursuant to the provisions of paragraph 1 of the next Article, Article 29, paragraph 1, or Article 30, paragraph 1 or paragraph 3 (including the amount of the fee when one has been set pursuant to the provisions of Article 33, paragraph 2)
(iv) In addition to the items listed in the preceding three items, matters specified by Cabinet Order as necessary to ensure the proper handling of retained personal data
2 When the person requests notification of the purpose of use of the retained personal data that identifies the person, the business operator handling personal information must notify the person without delay. However, this does not apply if any of the following items apply.
(i) When the purpose of use of the retained personal data that identifies the person is clear according to the provisions of the preceding paragraph
(ii) When it falls under Article 18, paragraph 4, items 1 to 3
3 When the business operator handling personal information has decided not to notify the purpose of use of the retained personal data requested based on the provisions of the preceding paragraph, it must notify the person to that effect without delay.
(Necessary matters regarding ensuring proper handling of retained personal data)
Article 8 of the Ordinance The matters specified by Cabinet Order under Article 27, Paragraph 1, Item 4 of the Act shall be as follows.
(i) Where to file a complaint regarding the handling of retained personal data by the business operator handling personal information
(ii) When the business operator handling personal information is a target business operator of an authorized personal information protection organization, the name of the authorized personal information protection organization and where to apply for resolution of the complaint
[Matters to be observed according to the provisions of the law]
・ Regarding retained personal data, the National Health Insurance Association must put the following in a state that the person can know (including the case of answering without delay at the request of the person): (a) the name of the business operator handling personal information, (b) the purpose of use of all retained personal data (except in the cases of the exceptions specified in Article 18, Paragraph 4, Items 1 to 3 of the Act), (c) the procedures for notification of the purpose of use, disclosure, correction, suspension of use, etc. of retained personal data, and the amount of fees related to notification of the purpose of use or disclosure of retained personal data, and (d) the destination of complaints.
・ When the person requests the National Health Insurance Association to notify the purpose of use of the retained personal data that identifies the person, the Association must notify the person without delay, except when the purpose of use has been made clear by the above measures or when the exceptions in Article 18, Paragraph 4, Items 1 to 3 of the Act apply.
・ When the National Health Insurance Association decides not to notify the purpose of use, it must notify the person to that effect without delay.
・ Personal information held before the enforcement of the law will be handled in the same way.
[Other matters]
・ Regarding the procedures for notification of the purpose of use, disclosure, correction, suspension of use, etc. of retained personal data, the amount of fees related to notification of the purpose of use or disclosure, the destination of complaints, etc., the National Health Insurance Association will provide information as widely as possible, at least by posting on the National Health Insurance Association website, distributing pamphlets, posting or placing notices on bulletin boards, public notice, etc., and will secure a system that can deliver documents or answer inquiries about the specific contents at the request of insured persons, etc.


10. Disclosure of retained personal data upon request from the person (Article 28 of the Act)

(Disclosure)
Article 28 of the Act The person may request the business operator handling personal information to disclose the retained personal data that identifies the person.
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it must disclose the retained personal data to the person without delay by the method specified by Cabinet Order. However, if the disclosure falls under any of the following items, all or part of the data may be withheld from disclosure.
(i) When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
(ii) When there is a risk of significantly hindering the proper implementation of the business of the business operator handling personal information
(iii) When it violates other laws and regulations
3 When the business operator handling personal information has decided not to disclose all or part of the retained personal data pertaining to the request pursuant to the provisions of paragraph 1, or when the retained personal data does not exist, it must notify the person to that effect without delay.
4 When the provisions of other laws and regulations require all or part of the retained personal data that identifies the person to be disclosed to the person by a method equivalent to the method prescribed in the main text of paragraph 2, the provisions of paragraphs 1 and 2 do not apply to that all or part of the retained personal data.
(How a business operator handling personal information discloses retained personal data)
Article 9 of the Ordinance The method specified by Cabinet Order under Article 28, Paragraph 2 of the Act shall be delivery of a document (or, if there is a method agreed to by the person who made the request for disclosure, that method).

(1) Principle of disclosure
When the National Health Insurance Union receives a request from the person to disclose the retained personal data that identifies the person, it must disclose the retained personal data to the person without delay by delivering it in writing.
(2) Disclosure exception
If the disclosure falls under any of the items of Article 28, Paragraph 2 of the Act, all or part of the data may be withheld from disclosure.
Since it is not easy to determine whether disclosing receipt information falls under "a risk of harming the rights and interests of the person or a third party" in Article 28, Paragraph 2, Item 1 of the Act, disclosure shall require the judgment of the attending physician, based on guidelines set separately ("Disclosure of medical fee statement, etc. to insured persons, etc." (Insurance Bureau Director Notice No. 0331090, issued on March 31, 2005)).


[Matters to be observed according to the provisions of the law]
・ When the National Health Insurance Association receives a request from the person to disclose the retained personal data that identifies the person, it must disclose the retained personal data to the person without delay. When there is no retained personal data that identifies the person, it must notify the person to that effect. However, if the disclosure falls under any of the items of Article 28, Paragraph 2 of the Act, all or part of the data may be withheld from disclosure.
・ As mentioned in II.1., some receipt information, for example, is retained personal data of the insured person, etc. and also includes parts that have the character of retained personal data of the doctor who examined the receipt. However, because the receipt as a whole is retained personal data of the insured person, etc., when the insured person, etc. requests disclosure, all or part of it cannot be withheld on the ground of this dual nature. If any of the items of Article 28, Paragraph 2 of the Act apply, however, all or part of it may be withheld in accordance with the Act.
・ The method of disclosure shall be delivery of a document or the method agreed to by the person who made the request.
・ When the National Health Insurance Association has decided not to disclose all or part of the requested retained personal data, it must notify the person to that effect without delay. When notifying the person, it must also endeavor to explain the reason to the person (see III.13.).
・ If the provisions of other laws and regulations stipulate the disclosure of retained personal data, those provisions shall be followed.

[Other matters]
・ In principle, if there is a request for disclosure from a person who can request disclosure, such as a legal representative, the data shall be disclosed to the legal representative, etc. after explaining to the insured person that the retained personal data will be disclosed.
・ If the National Health Insurance Association decides not to disclose all or part of the retained personal data, it shall, as a rule, present the reason in writing when explaining it to the person. It is also desirable to explain the system for responding to complaints.


11. Correction and suspension of use (Articles 29 and 30 of the Act)

(Correction, etc.)
Article 29 of the Act When the content of the retained personal data that identifies the person is not true, the person may request the business operator handling personal information to correct, add to, or delete the content of the retained personal data (hereinafter referred to in this Article as "correction, etc.").
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it must, unless special procedures for correction, etc. of the content are stipulated by the provisions of other laws and regulations, conduct the necessary investigation without delay to the extent necessary to achieve the purpose of use and, based on the results, make the correction, etc. of the content of the retained personal data.
3 When the business operator handling personal information has made corrections, etc. to all or part of the content of the retained personal data pertaining to the request pursuant to the provisions of paragraph 1, or has decided not to make corrections, etc., it must notify the person to that effect without delay (including the content of the corrections, etc. when they have been made).
(Suspension of use, etc.)
Article 30 of the Act When the retained personal data that identifies the person is being handled in violation of the provisions of Article 16 or was acquired in violation of the provisions of Article 17, the person may request the business operator handling personal information to suspend the use of or delete the retained personal data (hereinafter referred to in this Article as "suspension of use, etc.").
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph and it is found that there is a reason for the request, it must carry out the suspension of use, etc. of the retained personal data without delay, to the extent necessary to correct the violation. However, this does not apply when the suspension of use, etc. of the retained personal data would cost a large amount of money or is otherwise difficult, and necessary alternative measures are taken to protect the rights and interests of the person.
3 When the retained personal data that identifies the person is being provided to a third party in violation of the provisions of Article 23, paragraph 1 or Article 24, the person may request the business operator handling personal information to suspend the provision of the retained personal data to a third party.
4 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph and it is found that there is a reason for the request, it must stop providing the retained personal data to a third party without delay. However, this does not apply when stopping the provision of the retained personal data to a third party would cost a large amount of money or is otherwise difficult, and necessary alternative measures are taken to protect the rights and interests of the person.
5 When the business operator handling personal information has carried out the suspension of use, etc. for all or part of the retained personal data pertaining to the request pursuant to the provisions of paragraph 1, or has decided not to carry out the suspension of use, etc., or when it has stopped the provision to a third party of all or part of the retained personal data pertaining to the request pursuant to the provisions of paragraph 3, or has decided not to stop the provision to a third party, it must notify the person to that effect without delay.


[Matters to be observed according to the provisions of the law]
・ When the National Health Insurance Union receives a request from the person, based on the provisions of Article 29, Paragraph 2 or Article 30, Paragraph 2 or 4 of the Act, for correction, etc. of retained personal data, suspension of use, etc., or suspension of provision to a third party, and the request is found to be appropriate, it must take these measures.
・ However, for suspension of use, etc. and suspension of provision to a third party, this shall not apply when it is difficult to take the measure, such as when the suspension of use, etc. would require a large amount of cost, and necessary alternative measures are taken to protect the rights and interests of the person.
・ In the following cases, it is not necessary to take these measures.
(1) Even if there is a request for correction, etc., (a) when correction, etc. is not necessary in view of the purpose of use, (b) when the claim that the data is incorrect is itself incorrect, or (c) when the object of the correction, etc. is not a fact but information relating to an evaluation
(2) Even if there is a request for suspension of use, etc. or suspension of provision to a third party, when the claim of a procedural violation, etc. is incorrect
・ When the National Health Insurance Union takes the above measures or decides not to take them, it must notify the person to that effect (including the content of the correction, etc.) without delay. When notifying the person, it must also endeavor to explain the reason to the person (see III.13.).
[Other matters]
・ If the National Health Insurance Association decides not to take these measures for all or part of the retained personal data for which it has received a request for correction, etc., suspension of use, etc., or suspension of provision to a third party, it shall, as a rule, present the reason in writing when explaining it to the person who made the request. In that case, it is desirable to also explain the system for responding to complaints.
・ When correcting retained personal data, it must be done so that the person who made the correction, the content, the date and time, etc. are known.
・ Do not falsify the words and phrases of the retained personal data.


12. Procedures and fees for responding to requests for disclosure, etc. (Articles 32 and 33 of the Act)

(Procedures for responding to requests for disclosure, etc.)
Article 32 of the Act A business operator handling personal information may, pursuant to the provisions of Cabinet Order, determine the method of accepting a request under the provisions of Article 27, paragraph 2, or a request under the provisions of Article 28, paragraph 1, Article 29, paragraph 1, or Article 30, paragraph 1 or paragraph 3 (hereinafter referred to as "requests for disclosure, etc." in this Article and Article 53, Paragraph 1). In this case, the person must make the request for disclosure, etc. in accordance with that method.
2 The business operator handling personal information may ask the person, with regard to a request for disclosure, etc., to present matters sufficient to identify the retained personal data that is the subject of the request. In this case, the business operator handling personal information must take appropriate measures in consideration of the convenience of the person, such as providing information that contributes to the identification of the retained personal data, so that the person can make the request for disclosure, etc. easily and accurately.
3 Requests for disclosure, etc. may be made by an agent pursuant to the provisions of Cabinet Order.
4 In establishing procedures for responding to requests for disclosure, etc. based on the provisions of the preceding three paragraphs, the business operator handling personal information must take care not to impose an excessive burden on the person.
(Fees)
Article 33 of the Act When a business operator handling personal information is requested to notify the purpose of use pursuant to the provisions of Article 27, paragraph 2, or receives a request for disclosure pursuant to the provisions of Article 28, paragraph 1, it may collect a fee for the implementation of the measure.
2 When collecting a fee pursuant to the provisions of the preceding paragraph, the business operator handling personal information must set the amount of the fee within a range that is considered reasonable in consideration of the actual cost.
(Method of accepting requests for disclosure, etc.)
Article 10 of the Ordinance The matters that a business operator handling personal information may determine as the method of accepting requests for disclosure, etc. pursuant to the provisions of Article 32, Paragraph 1 of the Act shall be as follows.
(i) Where requests for disclosure, etc. are to be submitted
(ii) The format of documents (including electromagnetic records; the same shall apply in Article 14, paragraph 1 and Article 21, paragraph 3) to be submitted when requesting disclosure, etc., and other methods for requesting disclosure, etc.
(iii) The method of confirming that the person making the request for disclosure, etc. is the person himself / herself or the agent prescribed in the next Article
(iv) The method of collecting the fees set forth in Article 33, paragraph 1 of the Act
(Agents who can request disclosure, etc.)
Article 11 of the Ordinance The agents who can make requests for disclosure, etc. pursuant to the provisions of Article 32, Paragraph 3 of the Act shall be the following agents.
(i) Legal representative of a minor or an adult ward
(ii) An agent delegated by the person to request disclosure, etc.
(1) Identification of information to be disclosed, etc.
The National Health Insurance Association may ask the person, with regard to a request for disclosure, etc., to present matters sufficient to identify the retained personal data that is the subject of the request. In this case, it must take measures in consideration of the convenience of the person, such as providing information that contributes to the identification of the retained personal data, so that the person can make the request for disclosure, etc. easily and accurately.
In addition, disclosure, etc. of retained personal data covers all or part of the retained personal data in accordance with the request of the person, etc. However, when it is difficult or inefficient to disclose everything, such as when the retained personal data on the person is diverse and voluminous, the National Health Insurance Association shall provide support in consideration of the convenience of the person, such as providing information that the person can use as a reference to specify the range of information for which to request disclosure, etc.
(2) Request for disclosure, etc. by an agent
Regarding disclosure, etc. of retained personal data, a request for disclosure, etc. may be made not only by the person but also by (1) the legal representative of a minor or an adult ward, or (2) an agent delegated by the person to make the request for disclosure, etc.
[Matters to be observed according to the provisions of the law]
・ To the extent that it does not impose an excessive burden on the person, the National Health Insurance Association may determine the following matters as the method of accepting requests for disclosure, etc. of retained personal data.
(a) Reception desk for requests for disclosure, etc.
(b) The format of documents to be submitted when requesting disclosure, etc., and other methods for requesting disclosure, etc.
(c) The method of confirming that the person requesting disclosure, etc. is the person or his / her agent
(d) The method of collecting the fees charged when notifying the purpose of use of retained personal data or disclosing retained personal data
・ The National Health Insurance Association may ask the person, with regard to a request for disclosure, etc., to present matters sufficient to identify the retained personal data that is the subject of the request. In this case, it must take measures in consideration of the convenience of the person, such as providing information that contributes to the identification of the retained personal data, so that the person can make the request for disclosure, etc. easily and accurately.
・ Requests for disclosure, etc. of retained personal data can be made, in addition to by the person, by the legal representative of a minor or an adult ward, or by an agent delegated by the person to make the request for disclosure, etc.
・ When the National Health Insurance Association, etc. is requested to notify the purpose of use of retained personal data or to disclose retained personal data, it may collect a fee for the implementation of the measure. In that case, it must set the amount of the fee within a range that is considered reasonable in consideration of the actual cost.
[Other matters]
・ It is desirable that the National Health Insurance Association establish procedures for disclosure, etc. of retained personal data, keeping in mind the following points.
- It is desirable that requests for disclosure, etc. be made in writing, but it is inappropriate to require a reason for the request, so as not to hinder insured persons from making requests freely.
- Confirm that the person requesting disclosure, etc. is the person (or his / her agent).
- If there is a request for disclosure of receipt information, etc., check with the medical institution, then promptly decide on the disclosure of the retained personal data and notify the person who requested the disclosure of that decision.
- When disclosing retained personal data, if any of the items of Article 28, Paragraph 2 of the Act may be applicable, it is desirable to have the matter examined by a review committee, etc. established to consider whether or not disclosure is possible, and then promptly decide whether or not to disclose.
- When disclosing retained personal data, the date, time, place, method, etc. may be specified to the extent that this does not impose an excessive burden on the person.
・ If there is a request for disclosure from a person who can request disclosure, such as an agent, then in principle, after explaining to the insured person himself / herself that the retained personal data will be disclosed, disclosure shall be made to the person who made the request for disclosure.
・ When a request from an agent, etc. is ① a request based on a comprehensive delegation from which the specific intention of the person cannot be grasped, or ② a request based on a delegation made long before the request for disclosure, etc. is made, the Association shall, when explaining to the person, fully explain who made the request for disclosure and the contents of the personal data to be disclosed, confirm the intention of the person, and take measures based on the intention of the person regarding the appropriateness of the agent's request, the scope of disclosure, etc.

13. Explanation of reasons, prior request, handling of complaints (Articles 31, 34 to 35 of the Act)

(Explanation of reason)
Article 31 of the Act: When a business operator handling personal information notifies the person, pursuant to the provisions of Article 27, Paragraph 3, Article 28, Paragraph 3, Article 29, Paragraph 3, or Paragraph 5 of the preceding Article, that it will not take all or part of the measures requested or demanded by the person, or that it will take measures different from those measures, it must endeavor to explain the reason to the person.
(Prior request)
Article 34 of the Act: When the person intends to file an action relating to a request pursuant to the provisions of Article 28, Paragraph 1, Article 29, Paragraph 1, or Article 30, Paragraph 1 or Paragraph 3, he / she may not file the action unless he / she has made the request in advance to the person who should be the defendant in that action and two weeks have elapsed from the date of its arrival. However, this shall not apply when the person who should be the defendant in the action has refused the request.
(2) The request set forth in the preceding paragraph shall be deemed to have arrived at the time when it should normally have arrived.
(3) The provisions of the preceding two paragraphs shall apply mutatis mutandis to a petition for a provisional disposition order pertaining to a request pursuant to the provisions of Article 28, Paragraph 1, Article 29, Paragraph 1, or Article 30, Paragraph 1 or Paragraph 3.
(Handling of complaints by business operators handling personal information)
Article 35 of the Act: The business operator handling personal information must endeavor to handle complaints regarding the handling of personal information appropriately and promptly.
(2) The business operator handling personal information must endeavor to establish the system necessary to achieve the purpose set forth in the preceding paragraph.

[Matters to be observed according to the provisions of the law]
・ When the National Health Insurance Association notifies the person that, with respect to a notification of the purpose of use of retained personal data requested by the person, or a disclosure, correction, suspension of use, etc. requested by the person, it will not take the measure or will take a measure different from it, it must endeavor to explain the reason to the person. In addition, it must also explain the system for responding to complaints.
・ The National Health Insurance Association must endeavor to respond appropriately and promptly to complaints regarding the handling of personal information. In addition, the National Health Insurance Association must endeavor to establish the system necessary for responding to complaints appropriately and promptly, such as setting up a reception desk and establishing procedures for responding to complaints.
[Other matters]
・ When explaining the reason to the person, the National Health Insurance Association shall, as a rule, present it in writing. At that time, it is desirable to also explain the system for responding to complaints.
・ When responding to complaints from insured persons, the National Health Insurance Association shall strive to create an environment in which insured persons can easily consult, such as by setting up a dedicated window.
・ It is desirable that the National Health Insurance Association inform insured persons of the system for responding to complaints from insured persons by posting it on the National Health Insurance Association's website, distributing pamphlets, posting it on bulletin boards, issuing public notices, etc.

Ⅳ Review of guidance, etc.
1. Review as needed
The way of thinking about the protection of personal information is expected to keep changing in response to changes in social conditions and public awareness.
Therefore, this guidance shall be examined and reviewed as necessary.

Appendix 1 Examples of personal information held by the National Health Insurance Association
Types of personal information
Contents of personal information
Type: Insured person application information
Contents: Symbol / number, name, date of birth, gender, address, telephone number, occupation, insured person's member number, insured's reference number, qualification classification, qualification acquisition date, reason for qualification acquisition, date of disqualification, reason for disqualification, reason for change of qualification, pre-acquisition / post-loss insurer name, pre-acquisition / post-loss insurer code number, relationships of persons (family members) belonging to the union member's household, Maru Gaku (school name, graduation date), information related to Maruen (reason / address), family occupation, family use business name, family medical insurance coverage, information about affiliated organizations, branch and group information, status of residence / period of stay of foreigners, labor insurance application information, employment form (employer / number of employees), employees (employed workers / full-time employees / family employees), one-person master (handling / outsourcing), status of business establishments (form of business establishment = Co., Ltd., limited liability company, limited partnership company, partnership company, sole proprietorship, one-person master), office number, office name / location / telephone number, name of the business owner, information on the date of change related to the office, information on the reason for the change related to the office, health insurance exemption approval date, welfare annuity insurance qualification acquisition date, welfare annuity insurance date of disqualification, date of union specific insured person, date of union specific insured person cancellation, reasons for transfer of union specific insured persons, insurance premium reduction / exemption measures, reasons for insurance premium reduction / exemption, specific illness treatment (certified disease name, certified medical institution name, certified doctor name), standard burden reduction certification, long-term hospitalization applicable date, limit application certification (identification of persons with income above a certain level), low-income category (class I or II of tax-exempt households), applicable to early-stage elderly persons, applicable to geriatric health, applicable to bedridden elderly, welfare medical care application information (infants, disabilities, mother and child, war-injured, etc.), long-term care No. 2 exemption, individual number, insured branch number

Type: Insured person's receipt information
Contents: Medical treatment category, insurer number, symbol / number, benefit ratio, medical treatment date, prefecture code, medical institution code, name, gender, date of birth, special notes, job reasons, location and name of medical institution, clinical department, name of injury or illness, medical treatment start date, outcome, actual number of medical treatment days, number of decisions, points of public expense, partial burden amount, patient burden, outpatient burden, hospitalization burden, Marco amount, prescription drug pharmacy name, prescription date, quantity, dispensing fee, dispensing fee, dispensing score, dispensing billing points, drug burden amount, drug burden amount public expense, number of dietary treatment days, number of meal treatment days public expense, dietary treatment decision amount, dietary treatment decision amount public expense portion, standard dietary burden, standard dietary burden public expense, medical treatment, image (receipt image), welfare medical care (infants, disabilities, mothers and children, war-injured persons, etc.), public expense number, municipal number

Type: Benefit adjustment office information
Contents: Symbol / number, insured name, gender, address, date of birth, telephone number, occupation, relationship with union members, work name / address / telephone number, information on application of labor insurance, name, gender, address, date of birth, telephone number, occupation, and work name / location / telephone number of the perpetrator or the person who is obliged to compensate for damages, date and time of the accident, location of the accident, reason for the accident, situation of the accident, degree of damage, whether or not the settlement was established, date of settlement, date of receipt of settlement fee, received amount, reason for settlement failure, medical institution that received medical treatment, doctor's name, medical treatment (expected) period, negligence rate, symptom fixation date, whether or not compulsory automobile liability insurance (mutual insurance) and voluntary insurance (mutual insurance) are held, insurance company name, location, telephone number, name of person in charge, certificate number, contractor's name, contractor's address, contractor's telephone number, contract period, vehicle type, vehicle registration number, chassis number, witness address / name / phone number, reason for not being able to obtain personal injury certificate, reason for payment in installments, installment payment period, number of installment payments
Type: Insured person health examination information
Contents: Symbol / number, insured person (member and family member) name and address, date of birth, telephone number, consultation fee, salary code for each medical examination, items not implemented for medical examination, medical examination item name, medical examination consultation date, medical examination institution name, medical examination institution location, image (X-ray), consultation / guidance content, findings, public health nurse / nurse name, emergency / regular medicine purchase record, illness history, family history, electrocardiogram, fundus photo, taste (tobacco / liquor)

Type: Insured cash benefits information
Contents: Symbol / number, name, date of birth, address, telephone number, transfer account, consultation medical institution name, consultation date, injury / illness name, medical expenses, orthosis wearing date, orthosis purchase expenses, previous year's income (tax-exempt only), transfer costs, transfer destination, transfer method, name of medical institution to be certified, period of incapacity to work, salary received during period of incapacity to work, attendance status during the period of incapacity to work, date of delivery (planned), type of delivery, number of babies delivered, birth name, relationship, date of death, cause of death (disease name), expulsion transcript contents, burial costs, funeral execution date, claimant's name / address / phone number / transfer account

Type: Insured Judo Rehabilitation, Hari / Kyu, Massage treatment information
Contents: Symbol / number, name, address, date of birth, practitioner's name, date of treatment, treatment amount, name of injury or illness, site, name / location / telephone number / group representative of the practitioner's organization, transfer account

Appendix 2 Main purposes of use expected in the normal business of the National Health Insurance Association
1. Purpose of use required for insurance benefits for the insured
[Cases related to internal use of the National Health Insurance Association]
・ Implementation of insurance benefits and additional benefits
[Cases involving the provision of information to other businesses]
・ Automatic payment of high medical expenses and partial contribution refunds
・ Outsourcing for translation related to overseas medical expenses
・ Reimbursement to non-life insurance companies, etc. related to third-party acts
2. Purpose of use required for collecting insurance premiums, etc.
[Cases related to internal use of the National Health Insurance Association]
・ Confirmation of insured status
・ Collection of insurance premiums
・ Certification of persons (family members) belonging to the union member's household
・ Issuance of insured person's card
[Cases involving the provision of information to other businesses]
・ Outsourcing of data processing such as insured qualifications
3. Purpose of use necessary for health business
[Cases related to internal use of the National Health Insurance Association]
・ Health checkups, health guidance and health consultations for maintaining and improving health
・ Operation of health promotion facilities (recreation centers, etc.)
[Cases involving the provision of information to other businesses]
・ Outsourcing to industrial physicians related to health guidance and health consultation
・ Outsourcing of medical examinations to medical institutions
・ Consignment of operation of health promotion facilities (recreation centers, etc.)
・ Providing medical examination results to businesses
・ Notification of medical expenses to the insured
4. Purpose of use required for examination and payment of medical fees
[Cases related to internal use of the National Health Insurance Association]
・ Inspection and examination of medical fee statement (receipt), etc.
[Cases involving the provision of information to other businesses]
・ Consignment of inspection / examination of the contents of the receipt data
・ Input for computer processing of receipt data, entrustment of image capture processing
5. Purpose of use necessary for stabilizing the operation of the National Health Insurance Association
[Cases related to internal use of the National Health Insurance Association]
・ Medical cost analysis
・ Disease analysis
[Cases involving the provision of information to other businesses]
・ Outsourcing of data processing related to medical expense analysis and medical expense notification
6. Other
[Cases related to internal use of the National Health Insurance Association]
・ Basic materials for maintaining and improving the management and operation of the National Health Insurance Association
[Cases involving the provision of information to other businesses]
・ Consultation or notification to insurance companies, medical institutions, etc. in third-party reimbursement work


