Page 1

In medical / long-term care related businesses
Guidance for the proper handling of personal information

April 14, 2017
Personal Information Protection Commission
Ministry of Health, Labor and Welfare

Page 2

Page 3

table of contents
Ⅰ Purpose, purpose, and basic concept of this guidance .................................................. ................................. 1
1. 1. Purpose of this guidance ........................................................ ................................................................. ......... 1
2. 2. Structure and basic concept of this guidance ..................................... ................................. 1
3. 3. Scope of "medical / long-term care business operators" covered by this guidance .................................. ..... 1
4. Scope of "personal information" subject to this guidance ...................................... ....................... 2
5. Relationship with the exercise of authority of the Personal Information Protection Commission .................................................. ................................. 2
6. Ensuring transparency and external clarification of measures taken by medical / long-term care providers ..................... 3
7. Clarification of responsibility system and establishment of patient / user contact points, etc ..................................... ......................... 3
8. Handling of medical information provided to bereaved families ..................................... ................................................... 4
9. Handling when personal information is used for research .................................................. ............................. 4
10. Handling when using genetic information for medical treatment .................................................. ............................ 4
11. Relationship with other laws and regulations ..................................................... ................................................................. ........ 5
12. Efforts by an authorized personal information protection organization ..................................................... ................................ 5

Ⅱ Definition of terms, etc .................................................. ................................................................. ........................ 6
1. 1. Personal information (Article 2, Paragraph 1 of the Law) .................................................. ................................................................. .. 6
2. 2. Personal identification code (Article 2, Paragraph 2 of the Law) .............................................. 7
3. 3. Personal information requiring consideration (Article 2, Paragraph 3 of the Law) ..................................... ........................................... 9
4. Anonymization of personal information .................................................. ................................................................. ......... 10
5. Anonymously processed information (Article 2, Paragraph 9 of the Law) ...................................... .......................................... 11
6. Personal information database, etc. (Article 2, Paragraph 4 of the Act), personal data (Article 2, Paragraph 6 of the Act),
Retained personal data (Article 2, Paragraph 7 of the Law) ...................................... ...................................... 12
7. Consent of the person ..................................................... ................................................................. .................. 14
8. Explanation of medical conditions to family members, etc. ................................................................. ....... 15

Ⅲ Obligations of medical / nursing-related businesses, etc .................................................. .............................................. 16
1. 1. Identification of purpose of use, etc. (Articles 15 and 16 of the Act) ..................... .......................... 16
2. 2. Notification of purpose of use, etc. (Article 18 of the Act) .................................................. ................................................... 20
3. 3. Proper acquisition of personal information and ensuring the accuracy of personal data content (Articles 17 and 19 of the Act)
................................................................. ................................................................. ......................... 22
4. Safety management measures, supervision of employees and supervision of contractors (Articles 20 to 22 of the Act) .............. 25
5. Provision of personal data to a third party (Article 23 of the Act) ..................................... ................................ 31
6. Restrictions on provision to third parties in foreign countries (Article 24 of the Act) .................................. ..................... 38
7. Creation of records related to provision to a third party (Article 25 of the Act) .................................. ........................ 42
8. Confirmation when receiving provision to a third party (Article 26 of the Act) .................................. ........................ 47
9. Publication of matters related to retained personal data (Article 27 of the Act) ..................................... ........... 52
10. Disclosure of retained personal data at the request of the person (Article 28 of the Act) ..................... 54
11. Correction and suspension of use (Articles 29 and 30 of the Act) ..................................... ...................... 56

Page 4

12. Procedures and fees for responding to requests for disclosure, etc. (Articles 32 and 33 of the Act) ..................... 58
13. Explanation of reasons, prior request, response to complaints (Articles 31, 34 to 35 of the Act) ...... 61

Ⅳ Review of guidance, etc ........................................................ ................................................................. ...... 63
1. 1. Review as necessary ....................................................... ................................................................. ...... 63
2. 2. Creation and publication of casebooks that complement this guidance .................................................. ..................... 63

Appendix 1 Medical / nursing-related laws and regulations require medical / nursing-related businesses to create and store them.
Record example ..................................................... ................................................................. ...................... 64
Attached Table 2 Purpose of use expected in the normal business of medical / long-term care business operators ... 66
Appendix 3 Main cases assumed in the normal business of medical / long-term care-related businesses (when required by law) ... 6
8
Appendix 4 Medical qualifications, confidentiality obligations related to long-term care service employees, etc .................................. .... 71
Appendix 5 Related guidelines in the field of medical research ..................................... ..................................... 73
Appendix 6 UNESCO International Declaration, etc .................................................................. .............................................. 73

Page 5

Ⅰ Purpose, purpose, and basic concept of this guidance
1. 1. Purpose of this guidance
This guidance is based on the "Act on the Protection of Personal Information" (Act No. 57 of 2003, hereinafter referred to as the "Act".
That is. ), "Guidelines for the Law Concerning the Protection of Personal Information (General Rules)"
(2016 Personal Information Protection Commission Notification No. 6; hereinafter referred to as "General Guidelines")
As a foundation, based on the provisions of Articles 6 and 8 of the Law, hospitals, clinics, pharmacies, and institutions subject to the law
Appropriate collection of personal information performed by businesses such as those who carry out home service business stipulated in the Protective Insurance Law
It shows specific points to keep in mind and examples to support activities related to ensuring handling.
Since this guidance is based on actual examples from medical / long-term care businesses,
For matters not described in this guidance and related articles, please refer to the general guidelines, "Personal Information
Guidelines for Protection Law (Provision to Third Parties in Foreign Countries) "(2016)
Year Personal Information Protection Commission Notification No. 7), "Guideline for the Law Concerning the Protection of Personal Information"
Inn (Obligation to confirm and record when provided to a third party) "(2016 Personal Information Protection Commission Notification No. 8)
And "Guidelines for the Law Concerning the Protection of Personal Information (Anonymously Processed Information)" (Heisei
Please refer to the 2016 Personal Information Protection Commission Notification No. 9).
2. 2. Structure and basic concept of this guidance
Regarding the handling of personal information, in Article 3 of the Act, "Personal information is the principle of respect for an individual's personality.
Personal information should be treated with caution. "
Everyone who handles personal information is fully aware of the nature and importance of personal information, regardless of its purpose or mode.
It must be handled properly.
The medical field is particularly appropriate based on the provisions of Article 6 of the Act due to the nature and usage of personal information.
Since it is one of the fields where it is necessary to ensure strict handling, each medical institution etc.
Active efforts are required.
Also, in the field of long-term care, long-term care-related businesses are concerned with a large number of users and their families.
We are in a position to know in detail personal information that others cannot easily know, which is the same as in the medical field.
It is considered that this is a field where proper handling of personal information is required.
Based on this, in this guidance, based on the purpose of the law, medical / long-term care related businesses
Matters to be observed and hope to be observed so that the proper handling of personal information can be ensured.
It shows the best matters as concretely as possible, and in each medical / long-term care business, the law
Ordinance, "Basic Policy on Protection of Personal Information" (Cabinet decision on April 2, 2004.
It is called "needle". ) And the purpose of this guidance, it is necessary to work on the proper handling of personal information
There is a need.
Specifically, medical / long-term care providers should comply with the [Law provisions] of this guidance.
Matters, etc.], for matters that are stated as "must be done", etc., according to the provisions of the law.
Strict adherence is required. In addition, regarding [other matters], the righteousness based on the law
It is not a duty, but it is required to make efforts to achieve it.
3. 3. Scope of "medical / long-term care businesses" covered by this guidance
The scope of businesses covered by this guidance is (1) hospitals, clinics, maternity homes, pharmacies, and visits.
1

Page 6

Q. Businesses that provide medical care directly to patients such as nursing stations (hereinafter referred to as "medical institutions, etc."
Say. ), ② Home service business, long-term care prevention service business, community-based as stipulated in the Long-Term Care Insurance Law
Type service business, community-based long-term care prevention service business, home care support business, long-term care prevention support
Business, business that manages long-term care insurance facilities, business that supports living at home for the elderly as stipulated in the Act on Social Welfare for the Elderly
And those who run welfare facilities for the elderly and other businesses that provide welfare services for the elderly (hereinafter referred to as "nursing care")
It is called "related business operator". ), And in each case, other laws and regulations regarding the protection of personal information.
Excludes those established by the national government, local governments, incorporated administrative agencies, etc. to which the example applies. However,
Since the spirit of personal information protection in the medical / nursing field is the same, these businesses also
It is desirable to give due consideration to this guidance.
Specimen tests, provision of meals to patients and long-term care service users, facility cleaning, medical affairs
In the business that carries out the business entrusted by the medical / long-term care business, such as business
Is III.4 of this guidance. It is required to take appropriate safety management measures in line with
In addition, the medical / long-term care-related business operator that outsources the work should be entrusted with this guidance.
It is also possible to select a business operator who understands the purpose and responds in accordance with this guidance as a contractor.
We regularly check the handling of personal information by contractors and ensure proper operation.
It is necessary to take measures such as confirming that it is being done.
4. Scope of "personal information" covered by this guidance
By law, "personal information" is information about living individuals, and is used by businesses handling personal information.
Obligations are limited to information about living individuals. This guidance
Is a medical / long-term care related information among the information about living individuals held by medical / long-term care businesses.
It is intended for the information of the person in charge, and even if it is not organized in the form of medical records, etc.
Corresponds to personal information.
Even after the patient / user has died, the medical / long-term care provider will continue to use the patient / user.
If user information is stored, personal information will be provided to prevent leakage, loss or damage.
Safety management measures equivalent to the information shall be taken.
5. Relationship with the exercise of authority of the Personal Information Protection Commission
In this guidance, among the contents described in [Matters to be observed according to the provisions of the law], medical treatment
A doctor who is obliged as a business operator handling personal information about the contents that are obligatory for long-term care business operators
If the medical / long-term care business does not comply, the Personal Information Protection Commission will carry out Articles 40 to 42 of the Act.
Based on the provisions up to the article, "report collection", "on-site inspection", "guidance / advice", "recommendation" and "order"
May be done.
In addition, based on the provisions of Article 44, Paragraph 1 of the Law, the authority under the provisions of Article 40, Paragraph 1 of the Law is an individual.
When delegated by the Information Protection Commission to the minister in charge of business, the Minister of Health, Labor and Welfare collects reports and collects reports.
On-site inspection may be conducted.
Furthermore, Article 77 of the Law and "Law Enforcement Ordinance on the Protection of Personal Information" (December 1, 2003)
0th Cabinet Order No. 507. Hereinafter referred to as "decree". ) In Article 21, stipulated in Article 40, Paragraph 1 of the Law
Delegated to the minister in charge of the business pursuant to the authority of the Personal Information Protection Commission and the provisions of Article 44, Paragraph 1 of the Act
The office work that belongs to the authority given is the business performed by the business operator handling personal information and is carried out by the minister in charge of the business.
2

Page 7

All or part of the affairs that belong to the authority for collecting reports and on-site inspections
When the head of a local public body or other executive agency is required to do so by the provisions of other laws and regulations.
The head of the local public body, etc. may collect reports and conduct on-site inspections based on the law.
6. Ensuring transparency and external clarification of measures taken by medical / long-term care providers
Article 3 of the law points out that personal information should be handled carefully under the principle of respect for the personality of individuals.
It has been.
Medical / long-term care providers declare their ideas and policies regarding personal information protection (Iwayu)
, Privacy policy, privacy statement, etc.) and handling of personal information
It is required to formulate clear and appropriate rules regarding this and publicize them externally. Well
I also learned from patients, etc. how their personal information is handled.
If there is a request, necessary measures such as promptly providing information based on the relevant rules
Shall be performed.
The contents of the declaration regarding the way of thinking and policy regarding personal information protection are related to medical care and long-term care.
The trader handles personal information under the principle of respect for the individual's personality, and related laws and regulations and this guide.
In the rules regarding the handling of personal information, such as observing the information, etc., it is related to personal information.
Outline of safety management measures, procedures such as disclosure from the person, handling of provisions to third parties, response to complaints
It is conceivable to specify concretely.
It should be noted that the purpose of publicizing the purpose of use, etc. is limited to the following.
You should be willing.
(1) Understanding of the significance of personal information being used by medical / long-term care companies, etc.
To get.
(2) Medical / long-term care-related businesses comply with the law and actively work to protect personal information.
To clarify the posture of the person to the outside.

7. Clarification of responsibility system and establishment of patient / user contact points, etc.
Medical / long-term care providers promote the proper handling of personal information and deal with problems such as leaks.
It is necessary to establish a system to do so. Therefore, regarding the handling of personal information, expertise and guidance
Establish an organizational system and responsibility system that controls the entire business operator, formulate rules and manage safety
A system shall be established that can effectively implement the planning of measures.
In addition, the purpose of using personal information will be explained to patients and users at the time of reception and at the start of use.
It is necessary to give easy-to-understand explanations as necessary, but in addition, patients / users
It is possible to secure a window function that allows you to feel free to inquire about the contents that you have doubts about.
is important. In addition, consultations with patients and users are related to the content of medical and long-term care services.
In many cases, there are consultations and complaints from patients, users, etc. regarding the handling of personal information.
In addition to improving the window function, etc., which handles the above, the window is the phase related to the provision of services.
Standing in the position of patients, users, etc., such as establishing a system that can respond organically in cooperation with the conversation function
It is necessary to take appropriate measures.
In addition, a method of accepting requests for disclosure, maintenance of contact functions, etc., explanation of the purpose of use of personal information
It is necessary to consider patients with disabilities, users, etc. when stipulating.
3

Page 8

8. Handling of provision of medical information to bereaved families
Based on the purpose of the OECD8 principle, the law applies information on living individuals and personal information.
In principle, the consent of the person is obtained when using the information for purposes other than the intended purpose or providing it to a third party, resulting in death.
As a general rule, personal information is not subject to the law and this guidance.
Not. However, when a patient / user dies, the bereaved family will give medical care, medical information, and long-term care.
When an inquiry is made regarding the records of the person in charge, the medical / long-term care business operator is the patient / user himself / herself.
Special consideration is required while fully respecting the will and honor of his life. Therefore, the patient
Regarding the provision of medical information to the bereaved family when the user dies, "Providing medical information, etc."
Guidelines for related matters "(" Formulation of guidelines for provision of medical information, etc. "(September 12, 2003)
Medical care / long-term care in accordance with the handling stipulated in 9 of Medical Administration No. 0912001))
Related businesses provide medical information and long-term care-related records to bereaved families in accordance with the provisions of this guideline.
And Umono.
9. Handling when personal information is used for research
With the sophistication of science and technology in recent years, personal medical information, certification for long-term care, etc.
In addition to the increasing number of cases of using, research is progressing in parallel with medical care and long-term care for patients and users.
It may be found.
In Article 76, Paragraph 1 of the Law, to guarantee "academic freedom," which is a basic constitutional human right.
From consideration, the purpose of providing for academic research by universities and other institutions for academic research
When handling personal information as all or part of it, the provisions such as obligations by law are
It is not supposed to apply. Therefore, in this case, this guideline as an operational guideline of the law
Although it does not apply, even in these cases, according to Article 76, Paragraph 3 of the Act,
The institution, etc. may voluntarily take measures to ensure the proper handling of personal information.
It is required, and in doing so, along with related guidelines in the field of medical research (see Appendix 5).
It is expected that the content of this guidance will also be noted.
Regarding the handling of personal information in clinical trials and post-marketing clinical trials, please refer to this guide.
Law Concerning Quality, Effectiveness, and Safety of Pharmaceuticals, Medical Devices, etc.
Japanese 35th Law No. 145. Hereinafter referred to as the "Pharmaceuticals and Medical Devices Act". ) And related laws and regulations ("Pharmaceuticals"
Provisions of "Ministerial Ordinance on Standards for Conducting Clinical Trials of Products" (Ministry of Health and Welfare Ordinance No. 28, 1997), etc.
The guidelines set by related organizations shall be followed. Also, a place where medical institutions conduct their own research
In the case of contracting research from a company or research institution or jointly conducting research, or other research institutes
For the handling of personal information when providing information for research at the request of research institutions
Regarding this guidance, in addition to this guidance, related guidelines in the medical research field listed in Attached Table 5 and related guidelines, etc.
The guidelines set by the relevant organizations shall be followed.
10. Handling when using genetic information for medical treatment
For genetic information obtained by genetic testing, etc., refer to changes in the person's genes and chromosomes.
In addition to information on the underlying constitution, the onset of illness, etc., information on related relatives is also included.
Yes, and that information does not change for life, so if this is leaked, a book
4

Page 9

The damage and suffering suffered by people and relatives can be significant. Therefore, heredity
Regarding the handling of genetic information obtained by scientific tests, etc., UNESCO International Declaration, etc. (Appendix)
6), refer to the guidelines listed in Attached Table 5 and the guidelines set by related organizations, etc., and pay particular attention to them.
There is a need.
In addition, even if you agree to carry out the test, the meaning of the test result will be accurate.
How to deal with difficult-to-understand or future predictability of the disease
In many cases, the person and his / her family have great anxiety. Therefore, medical institutions, etc.
When performing genetic testing, genetic counseling is provided by a person with specialized knowledge of clinical genetics.
It is necessary to provide psychosocial support for the person and his / her family, such as by carrying out a ring.
11. Relationship with other laws and regulations
Medical / long-term care business operators handle personal information with laws, basic policies, and this guide.
In addition to the items shown in the above, other laws and regulations related to personal information protection or confidentiality (criminal law, related qualifications)
You must comply with the provisions of the Law, Long-Term Care Insurance Law, etc.).
In addition, the duty of supervision of hospital managers (Article 15 of the Medical Care Act) and business consignment (Article 15 of the Medical Care Act)
2 etc.), and the regulations related to the protection of personal information in long-term care businesses must be observed.
Must be.
In the medical field, "guidelines for providing medical information, etc." have already been established.
There is. This is based on the idea of ​informed consent, etc., for medical professionals, etc.
Build better relationships of trust between healthcare professionals and patients by proactively providing information
For this purpose, a medical examination that is personal information at the request of patients, etc.
When disclosing medical information, the contents of the guideline shall be followed.
12. Efforts in an authorized personal information protection organization
In Article 47 of the Act, ensuring the proper handling of personal information, etc. of businesses handling personal information, etc.
Corporations, etc. that carry out the intended business are certified by the Personal Information Protection Commission and certified by the Personal Information Protection Commission.
It is supposed to be a body. Medical / long-term care related organizations that are certified personal information protection organizations
Organizations, etc., disseminate and enlighten the protection of personal information for medical and long-term care related businesses under their umbrella.
In addition to promoting, we will set guidelines, etc. in line with the purpose of the law as voluntary rules, and personal information
Take proactive measures, such as opening a consultation desk for patients and users regarding handling
Is expected.

5

Page 10

Ⅱ Definition of terms, etc.
1. 1. Personal information (Article 2, Paragraph 1 of the Law)

(Definition)
Article 2 of the Act "Personal information" in this Act is information about living individuals.
Anything that falls under any of the following items.
(I) Name, date of birth and other descriptions contained in the information (documents, drawings or electromagnetic)
Recording (Electromagnetic method (electronic method, electromagnetic method, etc.) Recognized by human perception
It is a method that cannot be done. The same shall apply in item 2 of the next section. ) Is a record made. Tenth
The same applies in Article 8, paragraph 2. ), Or voice, action, etc.
It means all matters (excluding personal identification code) expressed by the method of. same as below. )
What can identify a specific individual by (easily collated with other information)
Includes those that can, and thereby identify a particular individual. )
(Ii) Those containing a personal identification code

"Personal information" is information about a living individual, and the name included in the information,
Items that can identify a specific individual by date of birth, other description, etc. (with other information)
Includes those that can be easily matched and thereby identify a particular individual
Mu. ), Or those that include a personal identification code. "Personal information" includes name, gender,
Not limited to personally identifiable information such as date of birth and facial image, personal body, property, occupation, title, etc.
All information that represents facts, judgments, and evaluations regarding the attributes of
Information that is made public, video and audio information is also included, and it is kept secret by encryption etc.
It doesn't matter if it is done or not.
Also, for example, if there is data in the medical record that objectively examined the patient,
Judgments and evaluations made by doctors are also written. All of this is information about the individual patient
This is true, but from the perspective of the doctor who created the medical record, I was the one who did it.
Since it is a statement of judgments and evaluations, it can also be called information about individual doctors.
Wear. Therefore, some of the information contained in medical records, etc., includes individuals such as patients and doctors.
It should be noted that some parts have the duality of information.
In addition, the place where the information about the dead is also the information about the surviving individuals such as the bereaved family.
In that case, it becomes information about the living individual.
This guidance targets medical / long-term care-related personal information held by medical / long-term care-related businesses.
It corresponds to personal information even if it is not organized in the form of medical records.
(Example) Regarding the following, a specific individual based on the stated name, date of birth, other description, etc.
It corresponds to personal information because it can identify.
(Medical / long-term care related laws require medical / long-term care businesses to create and store
See Appendix 1 for examples of recordings.
○ Examples of personal information at medical institutions, etc.
6

Page 11

Medical records, prescriptions, surgery records, midwifery records, nursing records, laboratory findings records, X-rays
True, referral letter, summary of medical treatment progress during hospitalization for discharged patients, dispensing record, etc.
○ Examples of personal information in long-term care businesses
Care plans, plans for providing long-term care services, records of services provided, etc.
Records of accident situation, etc.
2. 2. Personal identification code (Article 2, Paragraph 2 of the Law)

(Definition)
Article 2 of the law
2 In this Act, "personal identification code" means a character or number that falls under any of the following items.
No., symbol, or other code specified by a Cabinet Order.
Characters converted to use the characteristics of a part of the body of a specific individual for use in a computer,
Numbers, symbols and other codes that can identify the particular individual
(Ii) Allocation regarding the use of services provided to individuals or the purchase of products sold to individuals
Cards or other documents issued to individuals, or electromagnetic
Characters, numbers, symbols or other codes recorded by the formula and the user or
Assigned or described to be different for each purchaser or issuer
Received a specific user or purchaser or issuance by being or recorded
Things that can identify the person
Article 1 of the Ordinance Law Concerning the Protection of Personal Information (hereinafter referred to as the "Law") stipulated by the Cabinet Order of Article 2, Paragraph 2
The characters, numbers, symbols and other codes to be used shall be as follows.
(I) A sentence converted to use any of the following physical characteristics for use in a computer.
Letters, numbers, symbols and other codes that are sufficient to identify a particular individual
Those that meet the standards stipulated by the rules of the Personal Information Protection Commission
B. Sequence of bases constituting deoxyribonucleic acid (also known as DNA) collected from cells
Lot (omitted)
2 to 6 (omitted)
(Vii) It is stated in the following certificates that it will be different for each person who receives the issuance.
Characters, numbers, symbols and other codes specified by the rules of the Personal Information Protection Commission
B. Insured person's certificate under Article 9, Paragraph 2 of the National Health Insurance Act (Act No. 192 of 1958)
(B) Law Concerning Ensuring Medical Care for the Elderly (Law No. 80 of 1982) Article 54, 3
Insured person's card
C. Insured person's certificate under Article 12, Paragraph 3 of the Long-Term Care Insurance Act (Act No. 123 of 1997)
(Viii) Other characters, numbers, etc. specified by the rules of the Personal Information Protection Commission as equivalent to the preceding items
Symbols and other signs
Rule Article 2 Law Enforcement Ordinance on the Protection of Personal Information (hereinafter referred to as "Cabinet Order") Article 1 Item 1
7

Page 12

The standard stipulated by the rules of the Personal Information Protection Commission is the level at which a specific individual can be identified.
Convert the right range for use in computers by the right method to ensure
I decided to.
Rules Article 3 Characters, numbers, symbols specified by the rules of the Personal Information Protection Commission, Article 1, Item 7 of the Ordinance
Other codes shall be specified in each of the following items for each certificate.
(I) Certificate listed in Article 1, item 7 (a) of the Ordinance Symbol, number and insurance of the certificate listed in item (a) of the same item
Person number

(Ii) Certificates listed in Article 1, item 7 (b) and (c) of the Ordinance
And insurer number
Rules Article 4 Characters, numbers, symbols specified by the rules of the Personal Information Protection Commission, Article 1, Item 8 of the Ordinance
Other codes shall be listed below.
(I) Health Insurance Law Enforcement Regulations (Ministry of Interior Ordinance No. 36 of 1918), Article 47, Paragraphs 1 and 2.
Insured card symbol, number and insurer number
(Ii) Symbol, number and insurer number of the elderly beneficiary certificate set forth in Article 52, Paragraph 1 of the Health Insurance Law Enforcement Regulations
issue
(Iii) Insured person under Article 35, Paragraph 1 of the Seafarers' Insurance Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 5 of 1945)
Certificate symbol, number and insurer number
(Iv) Symbol, number and insurer number of the elderly beneficiary certificate set forth in Article 41, Paragraph 1 of the Enforcement Regulations of the Seafarers' Insurance Law
issue
Five to six (omitted)
(Vii) Private School Faculty and Staff Mutual Aid Law Enforcement Regulations (Ministry of Education Ordinance No. 28, 1958) Article 1-7
Enrollment card subscriber number
(Viii) Participant number of dependents of the member of Article 3, Paragraph 1 of the Enforcement Regulations of the Private School Faculty and Staff Mutual Aid Law
(9) Participant number of the elderly beneficiary certificate set forth in Article 3-2, Paragraph 1 of the Enforcement Regulations of the Private School Faculty and Staff Mutual Aid Law
(X) National Health Insurance Law Enforcement Regulations (Ministry of Health and Welfare Ordinance No. 53, 1958) Article 7-4, Paragraph 1
The symbol, number and insurer number of the elderly beneficiary certificate to be determined
11 National Public Employee Mutual Aid Association Law Enforcement Regulations (Ministry of Finance Ordinance No. 54, 1958) Article 89
Membership card symbol, number and insurer number
Twelve National Public Employee Mutual Aid Association Law Enforcement Regulations Article 95, Paragraph 1 of the Membership Dependent Certificate Symbol,
Number and insurer number
13 National Public Employee Mutual Aid Association Law Enforcement Regulations Article 95-2, Paragraph 1 of the Elderly Recipient Certificate Symbol,
Number and insurer number
14 National Civil Service Mutual Aid Association Law Enforcement Regulations Article 127-2, Paragraph 1 Seamen's Union Membership Certificate and Ship
Member union member dependent certificate symbol, number and insurer number
Fifteen Local Public Employees Mutual Aid Association Law Enforcement Regulations (Prime Minister's Office, Ministry of Education, Ministry of Home Affairs Ordinance No. 1 of 1958
No.) The symbol, number and insurer number of the membership card set forth in Article 93, paragraph 2.
16 Local government employees, etc. Mutual Aid Association Law Enforcement Regulations, Article 100, Paragraph 1 of the Membership Dependent Certificate Symbol, Number
No. and insurer number
8

Page 13

17 Local government employees, etc. Mutual Aid Association Law Enforcement Regulations Article 100-2, Paragraph 1 of the symbol and number of the elderly beneficiary certificate
No. and insurer number
18 Local government employees, etc. Mutual Aid Association Law Enforcement Regulations Article 176, Paragraph 2 Seamen's Union Membership Certificate and Seamen
Member Dependent Certificate Symbol, Number and Insurer Number
Nineteen to twenty (omitted)

"Personal identification code" is stipulated in the Ordinance as being able to identify a specific individual from the information alone.
The information that includes the letters, numbers, symbols, and other codes that correspond to them.
It becomes personal information.
The specific contents are Article 1 of the Ordinance and the Law Enforcement Regulations on the Protection of Personal Information (2016).
Personal Information Protection Commission Rule No. 3. Hereinafter referred to as "rules". ) Established in Articles 2 to 4
For example, the bases that make up deoxyribonucleic acid (also known as DNA) collected from cells
Arrangement, symbols, numbers and insurer numbers of insured person's card and elderly beneficiary's card based on the Health Insurance Law, etc.
Is applicable.
Therefore, the information including all of the symbol, number and insurer number is personal information.
It becomes.

3. 3. Personal information requiring consideration (Article 2, Paragraph 3 of the Law)
(Definition)
Article 2 of the law
3 In this law, "sensitive personal information" means the person's race, beliefs, social status, medical history, etc.
Criminal history, facts of being harmed by a crime, or other unfair discrimination against the person, prejudice, etc.
It is stipulated by a Cabinet Order that special consideration should be given to its handling so as not to cause any disadvantages.
Personal information that includes descriptions, etc.
Article 2 of the Ordinance The description, etc. specified by the Cabinet Order under Article 2, Paragraph 3 of the Act contains any of the following matters.
(Excluding those that correspond to the medical history or criminal history of the person).
(I) Physical disability, intellectual disability, mental disability (including developmental disability) and other personal information protection commissions
There is a physical or mental disability specified in the rules.
(Ii) A person who engages in medical-related duties such as a doctor for the person (in the next issue, "Doctor"
Etc. " ) Health checkups and other tests for prevention and early detection of illness
Results of inspection (referred to as "health diagnosis, etc." in the same issue)
(Iii) Based on the results of a medical examination, etc., or because of illness, injury, or other physical or mental changes.
Guidance, medical treatment, or dispensing for improving the physical and mental condition of the person by a doctor, etc.
What was done.
(Iv) Arrest, search, seizure, detention, prosecution, etc.
The procedure for the criminal case was carried out.
(V) The juvenile or the juvenile stipulated in Article 3, Paragraph 1 of the Juvenile Law (Law No. 168 of 1948)

9

Page 14

As a suspected person, investigation, guardianship measures, referees, protective measures and other juvenile protection matters
The procedure for the matter has been carried out.
Regulations Article 5 Disorders of mental and physical functions stipulated by the rules of the Personal Information Protection Commission, Article 2, Item 1 of the Ordinance
The following obstacles are considered.
(I) Physical disabilities listed in the attached table of the Welfare Law for Persons with Disabilities (Law No. 283 of 1945)
(Ii) Intellectual disabilities referred to in the Welfare Law for Persons with Intellectual Disabilities (Law No. 37 of 1960)
(Iii) Refers to the Act on Mental Health and Welfare for Persons with Mental Illness (Act No. 123 of 1950)
Mental disorders (prescribed in Article 2, Paragraph 1 of the Developmental Disability Support Act (Act No. 167 of 2004)
Including developmental disabilities, excluding those listed in the previous item. )
(Iv) Diseases for which treatment methods have not been established and other special diseases that affect the daily lives of persons with disabilities.
Article 4 of the Act for Comprehensive Support for Social Life (Act No. 123 of 2005)
The degree of disability due to what is specified by the Cabinet Order in paragraph 1 is the degree specified by the Minister of Health, Labor and Welfare in the same paragraph.
Things

"Personal information requiring consideration" is taken so as not to cause unfair discrimination, prejudice or other disadvantages.
It is stipulated in Article 2, Paragraph 3 of the Law, Article 2 of the Ordinance, and Article 5 of the Regulations that special consideration is required for handling.
Personal information that includes descriptions, etc. Assumed by medical institutions and long-term care-related businesses
Information corresponding to personal information requiring consideration is described in medical records such as medical records and long-term care-related records.
Medical history, medical treatment, medical treatment, medical treatment, medical treatment, etc.
Medical information and dispensing information that the person could know, the result of the medical examination, the content of the health guidance, the disability (physical disability)
Facts of harm, intellectual disability, mental illness, etc.), facts of being harmed by a crime, etc. can be mentioned.
In principle, the consent of the individual is required to obtain sensitive personal information and provide it to a third party.
Third-party provision under the provisions of Article 23, Paragraph 2 of the Act (third-party provision by opt-out) is permitted.
It is not, so be careful.
4. Anonymization of personal information
From the personal information, the name, date of birth, address, personal identification code, etc. included in the information, etc.
It refers to making it impossible to identify a specific individual by removing the information that identifies the person.
For facial photographs, it is generally possible to identify a specific individual by masking the area of ​the eyes.
It is considered that there is no such thing. If necessary, add a code or number that is not related to the person.
Sometimes.
Even if such processing is performed, if the medical / long-term care related personal information is used within the business operator,
Pair of personal information with other information obtained within the business or the code or number attached at the time of anonymization
It is conceivable that a specific patient, user, etc. can be identified by collating with the response table. To the law
It says, "It can be easily matched with other information to identify a specific individual.
"What you can do" is also included in the personal information, and it is anonymized.
In doing so, it is necessary to take into consideration the purpose of use of the information and the users, etc.
Therefore, it is necessary to consider measures such as obtaining the consent of the person.
In addition, we present cases and cases of specific patients / users at academic conferences and report them in academic journals.
10

Page 15

In such cases, it will be anonymized by deleting the name, date of birth, address, personal identification code, etc.
It is possible, but if it is difficult to anonymize sufficiently due to the case or case, obtain the consent of the person.
Must be.
In addition, anonymization of cases of specific patients used for presentations at such academic conferences, etc.
It should be noted that the definition and handling rules are different from the anonymously processed information (see II5).
Furthermore, if the presentation is made as part of the research, I9. Also by the handling shown in
Therefore, the guidelines set by related organizations such as academic societies shall be followed.

5. Anonymously processed information (Article 2, Paragraph 9 of the Law)

(Definition)
Article 2 of the law
9 In this law, "anonymously processed information" means according to the classification of personal information listed in each of the following items.
Individuals so that they cannot identify a specific individual by taking the measures specified in each item.
Information about an individual obtained by processing the information, and it is possible to restore the personal information.
It means something that cannot be done.
(I) Personal information corresponding to paragraph (1), item (i) Delete some of the descriptions, etc. contained in the personal information.
To do (by a method that does not have regularity that can restore the part of the description, etc.
Includes replacement with other descriptions. ).
(Ii) Personal information corresponding to paragraph (1), item (ii) All personal identification codes included in the personal information
(A method without regularity that can restore the personal identification code)
Including replacing with other description etc. ).
10 In this Act, "anonymously processed information handling business operator" means information including anonymously processed information.
It is an aggregate, and you can search for specific anonymously processed information using a computer.
You can easily search for information that is systematically configured and other specific anonymously processed information.
What is specified by a Cabinet Order as being systematically constructed so as to be (in Article 36, paragraph 1)
It is called "anonymous processing information database, etc." ) Is used for business purposes. However,
Excludes the persons listed in each item of paragraph 5.
Article 6 of the Ordinance The information specified by the Cabinet Order under Article 2, Paragraph 10 of the Act contains certain anonymously processed information.
By organizing according to the rules of, you can easily search for specific anonymously processed information.
A collection of information systematically organized so that it can be easily searched for a table of contents, index, etc.
It means something that has something to do.

"Anonymously processed information" means taking measures that determine personal information according to the classification of personal information.
Information about an individual obtained by processing it so that a specific individual cannot be identified.
The personal information is restored so that a specific individual cannot be re-identified.
Say.
When creating anonymously processed information from personal information, process it according to the standards stipulated in the rules.
It will be subject to certain restrictions.
11

Page 16

Processing standards for anonymously processed information and definitions of businesses handling anonymously processed information are separately defined.
"Guidelines for the Law Concerning the Protection of Personal Information (Anonymously Processed Information)" (Heisei 2)
Please refer to the 8th year Personal Information Protection Commission Notification No. 9).
6. Personal information database, etc. (Article 2, Paragraph 4 of the Act), personal data (Article 2, Paragraph 6 of the Act),
Retained personal data (Article 2, Paragraph 7 of the Law)

(Definition)
Article 2 of the law
4 In this law, "personal information database, etc." is a collection of information including personal information.
However, the following items (there is little risk of harming the rights and interests of individuals in terms of usage)
Excludes those specified by Cabinet Order. ).
Systematically configured so that specific personal information can be searched using a computer
What you did
(Ii) In addition to the items listed in the previous item, so that specific personal information can be easily searched.
What is specified by a Cabinet Order as a systematic structure
Article 3 of the Ordinance There is little risk of harming the rights and interests of individuals from the viewpoint of how to use Article 2, Paragraph 4 of the Act.
Those specified by Cabinet Order shall fall under any of the following items.
(I) It was issued for the purpose of selling to an unspecified number of people, and
The issuance was not made in violation of the law or the provisions of an order based on the law.
(Ii) It can be purchased or made at any time by an unspecified number of people.
When.
(Iii) It is used for its original purpose without adding other information about the living individual.
That is.
2 What is specified by a Cabinet Order under Article 2, Paragraph 4, Item 2 of the Act is a certain rule regarding the personal information contained therein.
To make it easier to search for specific personal information by organizing according to the rules
A collection of information systematically organized in the table of contents, index, and other information to facilitate searching.
Those that have things.

"Personal information database, etc." is to search for specific personal information using a computer.
A collection of information, including personal information, systematically structured so that it can be done, or a computer
Even if you do not use, there are certain rules (for example, fifty) for personal information processed on paper.
Organize and classify according to syllabary, date of birth, etc.) and easily search for specific personal information.
Add a table of contents, index, code, etc. so that it can be easily searched by others.
It means what you are saying. In addition, as a personal information database, etc., it is commercially available.
For details, please refer to the "General Guidelines".

12

Page 17

(Definition)
Article 2 of the law
6 In this law, "personal data" means personal information that constitutes a personal information database, etc.
Tell the news.

"Personal data" refers to personal information that constitutes a "personal information database, etc."

(Definition)
Article 2 of the law
7 In this law, "retained personal data" is disclosed and revised by the business operator handling personal information.
It is possible to correct, add or delete, suspend the use, delete and suspend the provision to a third party.
It is personal data with authority, and it is public interest and other things by clarifying its existence.
Those specified by Cabinet Order as being harmful to profits or within the period specified by Cabinet Order within one year
It means something other than the one that will be erased.
Article 4 of the Ordinance The items specified by Cabinet Order under Article 2, Paragraph 7 of the Act shall be as follows.
(I) By clarifying the existence or nonexistence of the personal data, the life and body of the person or a third party
Or something that could harm your property
(Ii) By clarifying the existence or nonexistence of the personal data, it promotes illegal or unjust acts.
Or something that may induce
(Iii) There is a risk that the security of the country will be impaired by clarifying the existence of the personal data.
There is a risk that the relationship of trust with other countries or international organizations will be damaged, or other countries or international organizations
Those that may suffer disadvantages in negotiations with
(Iv) By clarifying the existence or nonexistence of the personal data, crime prevention, suppression or investigation
Others that may interfere with the maintenance of public safety and order
Article 5 of the Ordinance The period specified by a Cabinet Order under Article 2, Paragraph 7 of the Act shall be June.

"Retained personal data" is the content of personal data disclosed by the business operator handling personal information.
Corrections, additions or deletions, suspension of use, erasure and suspension of provision to third parties can be made.
Those who have authority. However, (1) the public interest and others will be clarified as to whether or not it exists.
(2) It will be deleted within 6 months (excluding renewal).
Excludes.
Regarding medical records such as medical records and long-term care related records, personal data regardless of the medium
Corresponds to.
In addition, when samples such as blood are collected from patients for the purpose of testing, etc., they will be included in personal information.
Applicable, such as identification of purpose of use (see III1), notification of purpose of use, etc. (see III2), etc.
Therefore, without the consent of the patient, beyond the scope necessary to achieve the specified purpose of use.
Do not handle specimens. In addition, regarding these test results, the same as for medical records, etc.
Since it is saved as a searchable state, it corresponds to personal data and is provided by a third party (III5.
13

Page 18

(See) and disclosure (see III10).
7. Consent of the person
"Personal consent" means the handling of personal information of the person indicated by the business operator handling personal information.
A manifestation of the person's intention to consent to be handled by the method (the person concerned)
It is assumed that you can confirm that. ).
In addition, "obtaining the consent of the person" means taking the personal information to indicate the intention of the person's consent.
It means that the handling business operator recognizes it, and the person himself / herself is the same depending on the nature of the business and the handling status of personal information.
You must use reasonable and appropriate methods that you consider necessary to make your judgment.
Absent.
In addition, regarding the result caused by agreeing to the handling of personal information, minors
Persons, adult guardians, guardians and assisted persons do not have the ability to judge
Needs to obtain consent from a parent or legal representative.
[Case with the consent of the person]
Case 1) Oral manifestation of consent from the person
Case 2) Receipt of a written consent (including electromagnetic records) from the person
Case 3) Receiving an email from the person to the effect that he / she agrees
Case 4) Checking the confirmation column to the effect that the person agrees
Case 5) Click the button on the homepage to the effect that the person agrees
Case 6) Voice input to the effect that the person agrees, touch to the touch panel, buttons and screens
Input by switch etc.
The law is, in principle, the person himself / herself in the case of unintended use of personal information or provision of personal data to a third party.
I am seeking the consent of. This is one of the eight OECD principles that form the basis of the law.
This is a manifestation of the principle of restriction, but for medical institutions, etc., medical services appropriate for patients
Personal information that is usually considered necessary at the medical institution, etc. for the purpose of providing information
Clarify the range of use by posting in the facility (posting in the hospital), and make a special statement from the patient side.
If there is no definite manifestation of opposition or reservation, we will use personal information within these ranges.
It is probable that consent has been obtained. (See III5. (3) (4))
In addition, although the patient / user is not unconscious, he / she cannot clearly confirm his / her intention.
In the case of a state, as the consciousness is restored, the person is promptly explained to the person and the person is the same.
Shall be motivated.
In these cases, as much as possible, depending on the understanding and judgment of the patient / user.
It is important to notify the patient / user himself / herself and try to obtain their consent.
Medical / long-term care business operators properly provide sensitive personal information directly from the person in writing or verbally
In the case of acquisition, the medical / nursing-related business operator concerned has provided the relevant information.
Is understood to have consented to the acquisition of the information. (See III3.)

14

Page 19

8. Explanation of medical conditions to family members, etc.
Under the law, when providing personal data to a third party, obtain the consent of the person in advance.
In principle. On the other hand, depending on the condition of the disease, the person himself / herself can proceed with the treatment.
In some cases, it may be necessary to obtain the consent of the family. For explanation of medical conditions to family members, see "Patients.
It can be considered as the purpose of use (see III1. (1)) necessary for providing medical care (nursing care) to (users).
However, when explaining the medical condition to a person other than the person, the house that explains the medical condition to the person in advance
It is desirable to confirm the target person such as a tribe and obtain their consent. At this time, if there is a request from the person
Actually take care of the patient (user) as long as it does not interfere with the implementation of treatment.
Add relatives and similar persons to the subject of explanation, or limit specific members of the family
It can be handled as such.
On the other hand, when explaining the medical condition of an unconscious patient or the situation of an elderly person with severe dementia to family members, etc.
Is considered to be a case where it can be provided to a third party without the consent of the person (see III5. (2) ②). This
In the case of, the medical / long-term care business operator confirms that it is the person's family, etc., and then cures.
In addition to providing information to the extent necessary for medical treatment, the person's past medical history and treatment
Obtain information about history, etc. When the person's consciousness is restored, promptly provide and take
In addition to explaining the content of the personal information obtained and the other party to the person, the request from the person
If there is, there is a change in the target person such as a family member who explains the medical condition, such as correcting the contents of the acquired personal information.
Make changes.
If there is any doubt about the patient's judgment ability, he / she should take the same measures as for an unconscious patient.
In addition, as the judgment ability is restored, promptly explain to the person and obtain the consent of the person.
And.

15

Page 20

Ⅲ Obligations of medical / nursing-related businesses, etc.
1. 1. Identification of purpose of use, etc. (Articles 15 and 16 of the Act)

(Specification of purpose of use)
Article 15 of the Act When a business operator handling personal information handles personal information, the purpose of its use
(Hereinafter referred to as "purpose of use") must be specified as much as possible.
2 When changing the purpose of use, the business operator handling personal information shall change the purpose of use before the change and its relevance.
Do not go beyond what is reasonably acceptable to have.
(Restrictions depending on the purpose of use)
Article 16 of the Act A business operator handling personal information shall comply with the provisions of the preceding Article without obtaining the consent of the person in advance.
Personal information must not be handled beyond the scope necessary to achieve the specified purpose of use.
2 A business operator handling personal information may start a business from another business operator handling personal information due to a merger or other reasons.
If personal information is acquired in connection with the succession, without obtaining the consent of the person in advance,
Beyond the scope necessary to achieve the purpose of use of the personal information before the succession, the personal information
Do not handle.
(3) The provisions of the preceding two paragraphs shall not apply in the following cases.
When required by law
When it is necessary to protect the life, body or property of two people, and obtain the consent of the person
When it is difficult to do.
(Iii) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person.
Shikoku organizations or local public bodies or those entrusted with them carry out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with what you do, and by obtaining the consent of the person
When there is a risk of hindering the performance of the office work.

(1) Identification and restriction of purpose of use
Personal information from patients / users who wish for medical / long-term care services by medical / long-term care providers
When acquiring the personal information, provide medical / long-term care services to patients / users, medical care /
It is clear to patients and users that it will be used for long-term care insurance office work, ward management such as hospitalization and discharge.
I can think of it.
When personal information is used other than these, it is not always obvious for the patient / user.
It cannot be said that it is intended for use. In this case, the purpose of use is clearly stated when acquiring personal information.
Measures such as publication must be taken. (See III2.)
The intended use of medical / long-term care business operators in normal business is illustrated in Appendix 2.
Therefore, medical / long-term care-related businesses are usually required in light of their own work, referring to these.
You must identify what is needed and publish it (posting in the hospital, etc.). (See III2.)

In addition, regarding the scope of the purpose of use listed in Attached Table 2, the items of use stipulated in Article 15, Paragraph 2 of the Act
It is thought that the target can be changed. However, for the changed purpose of use,

16

Page 21

You must notify or publish to the person. (See III2.)
(2) Exceptions to restrictions depending on the purpose of use
Medical / long-term care business operators shall comply with the provisions of Article 15 of the Act without obtaining the consent of the person in advance.
Although personal information must not be handled beyond the scope necessary to achieve the specified purpose of use,
(Article 16, Paragraph 1 of the Law), in the cases listed in Paragraph 3 of the same Article, it is not necessary to obtain the consent of the person.
I. Specific examples are as follows.
① When required by law
On-site inspection based on the Medical Care Act, notification to municipalities regarding fraudulent beneficiaries based on the Long-Term Care Insurance Act,
Individuals based on laws and regulations, such as notifications related to child abuse based on the Act on Prevention of Child Abuse, etc.
When using information, the main things that can be expected in the normal business of medical / long-term care related businesses
An example is shown in Appendix 3.
As the provisions of the laws and regulations that form the basis, inquiries based on Article 197, Paragraph 2 of the Code of Criminal Procedure, local governments
Article 72-63 of the Tax Law (Question inspection right related to investigation of individual business tax, similar to various tax laws
There is a provision of) etc.
Inquiries based on Article 197, Paragraph 2 of the Code of Criminal Procedure conducted by investigative agencies such as police and prosecutors (No. 1 of the same law)
(Similar to inquiries under Article 507) is understood to impose an obligation to report to the other party.
In addition, voluntary investigations conducted by police and prosecutors are also voluntary, although cooperation with them is voluntary.
It is carried out based on specific statutory grounds, and both are "when based on decree".
It is understood that it corresponds to.
(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult
(Example)
・ For unconscious and unidentified patients, refer to related organizations, family members or related persons, etc.
When providing necessary information for safety confirmation from
・ When explaining the medical condition of an unconscious patient or the situation of an elderly person with severe dementia to family members, etc.
・ A large number of injured and sick people are temporarily transported to medical institutions due to large-scale disasters, etc., and from their families, etc.
In order to respond to inquiries promptly, it is important to work to obtain the consent of the person.
If it is unreasonable
③ When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person
(Example)
・ Providing information to the national or local governments through regional cancer registration projects based on the Health Promotion Law
・ Inspection commissioned by a local public body or a local public body for quality control of cancer screening
Providing information on detailed test results to medical institutions
・ Exchange of information with related organizations regarding cases of child abuse

17

Page 22

・ To improve medical safety, the national and local governments regarding medical accidents that occurred in the hospital
Is the case where information such as name is included in the information provided to third parties, etc.
④ A national institution, a local public body, or a person entrusted with it carries out the affairs stipulated by laws and regulations.
When it is necessary to cooperate with the matter, and by obtaining the consent of the person concerned
When there is a risk of hindering the performance of office work
(Example)
・ When cooperating with the general statistical survey stipulated in Article 2, Paragraph 7 of the Statistics Act
・ Public safety, such as when the police inquire about the injured person's address, name, degree of injury, etc. in the event of a disaster.
When making inquiries from the perspective of maintaining wholeness and order
[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators can use as much personal information as possible when handling personal information.
Must be identified.
・ When the medical / long-term care business operator changes the purpose of use, it is related to the purpose of use before the change.
Do not go beyond the range reasonably recognized as having.
・ Medical / long-term care business operators do not obtain the consent of the person in advance for the specified purpose of use.
Do not handle personal information beyond the scope necessary to achieve it. In addition, with the consent of the person
Use personal information for (use patient / user contact information to obtain consent
To process personal information in order to anonymize it (such as when making a phone call)
Is fine.
・ Although the consent of the person was obtained at the time of acquiring the personal information, after that, the person himself / herself
If there is a request to revoke the consent for a part of the purpose of use, personal information after that
Regarding the handling of information, we will handle it only to the extent that the consent of the person has not been revoked.
・ Medical / long-term care related businesses should take over the business from other businesses due to merger or other reasons.
If personal information is acquired in connection with the above, without obtaining the consent of the person in advance, before the succession
Handling of personal information beyond the scope necessary to achieve the purpose of use of personal information
It should not be.
・ If you fall under the exception of restrictions on the purpose of use (Article 16, Paragraph 3 of the Law), without obtaining the consent of the person.
Can handle personal information.
(Refer to III2. For the handling when changing the purpose of use)
[Other matters]
・ Even if it is based on the law, which is an exception to the restriction on the purpose of use, it is not the purpose of use.
When handling personal information for the purpose of, based on the purpose of the relevant law, etc., the scope of handling
Is required to be limited to the range that is truly necessary.
・ If the patient is a minor, etc., it is sufficient to obtain the consent of a legal representative, etc., but certain judgment ability
For minors who have power, obtain the consent of the person in accordance with the consent of the legal representative.
・ Urgent medical examination for unconscious patients or elderly people with severe dementia who do not have a legal representative
If medical treatment is required, it corresponds to (2) ② above and handles the personal information of the person concerned.
18

Page 23

be able to.

19

Page 24

2. 2. Notification of purpose of use, etc. (Article 18 of the Act)

(Notification of purpose of use at the time of acquisition, etc.)
Article 18 of the Act When a business operator handling personal information acquires personal information, it uses it in advance.
Unless the purpose is announced, promptly notify the person of the purpose of use or publicly.
Must be represented.
2 The business operator handling personal information shall conclude a contract with the person regardless of the provisions of the preceding paragraph.
Along with this, it is stated in the contract and other documents (including electromagnetic records. The same shall apply hereinafter in this section).
When acquiring the personal information of the person listed, etc. Others directly stated in writing from the person
When acquiring the personal information of the person concerned, clarify the purpose of use to the person in advance.
Must be shown. However, it is urgently needed to protect human life, body or property
If there is, this does not apply.
3 When the business operator handling personal information changes the purpose of use, the changed purpose of use will be discussed.
The person must be notified or made public.
4. The provisions of the preceding three paragraphs shall not apply in the following cases.
(I) By notifying or disclosing the purpose of use to the person, the life, body, of the person or a third party,
When there is a risk of harming property or other rights and interests
(Ii) The right of the business operator handling personal information by notifying or publicizing the purpose of use.
When there is a risk of harming profits or legitimate interests
Cooperate with national organizations or local public bodies to carry out the affairs stipulated by law
When it is necessary, the purpose of use is notified or announced to the person concerned.
When there is a risk of hindering the performance of office work.
(Iv) When it is recognized that the purpose of use is clear from the status of acquisition

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators use the personal information in advance when acquiring it.
If you disclose the information or obtain personal information, promptly inform the person of the purpose of use.
Must be known or published.
・ As a method of disclosing the purpose of use, post it in the hospital or office, and if possible
Should be published as widely as possible by posting it on the website.
・ Medical / long-term care providers should ask the patient to submit their health insurance card at the reception desk or fill out a questionnaire.
A place to obtain personal information of the person in writing directly from the person, such as when requesting
In that case, the purpose of use must be clearly stated to the person in advance by posting in the hospital, etc.
Not. However, this does not apply to emergency patients who require urgent treatment.
・ If the medical / long-term care business operator changes the purpose of use, the changed purpose of use will be discussed.
The person must be notified or made public.
・ Notification of purpose of use, etc. when it is recognized that the purpose of use is clear from the status of acquisition, etc.
If the exception is applicable, the above contents do not apply. (When "the purpose of use is clear"
Ⅲ1. (Refer to (1))
20

Page 25

[Other matters]
・ The purpose of use is an exception to this regulation. "It is recognized that the purpose of use is clear from the status of acquisition.
Easy to understand the purpose of use for patients, users, etc.
From the point of view shown above, when announcing the purpose of use, the purpose of use should also be stated.
To do.
・ When posting in the hospital or in the business, a display explaining the contents will be displayed near the reception.
For first-time patients / users, etc., the notice will be posted at the time of reception or at the start of use.
Call attention.
・ You can fully understand personal information only by explaining at the time of the first medical examination, hospitalization, admission, etc.
Since it is assumed that there will be no patients / users, it will be explained again when the patients / users are calm.
Responsible for providing services such as Ming dynasty, medical treatment plan, medical treatment life guide, home-visit care plan, etc.
Use of personal information by patients / users, such as describing the handling of personal information in plans, etc.
Be careful so that you can understand the purpose.
・ If there is a request from the patient / user, etc., a detailed explanation and a document describing the contents will be delivered.
U.

21

Page 26

3. 3. Proper acquisition of personal information and ensuring the accuracy of personal data content (Articles 17 and 19 of the Act)

(Proper acquisition)
Article 17 of the Act A business operator handling personal information acquires personal information by deception or other improper means.
Must not be.
2 Businesses handling personal information obtain the consent of the person in advance, except in the following cases.
Therefore, you must not obtain sensitive personal information.
When required by law
When it is necessary to protect the life, body or property of two people, with the consent of the person
When it is difficult to get
(Iii) If there is a particular need for improving public health or for the sound development of children, this book
When it is difficult to obtain the consent of a person
Shikoku organizations or local public bodies or those entrusted with them complete the affairs stipulated by laws and regulations.
If you need to cooperate in doing something, by getting your consent
When there is a risk of hindering the performance of the relevant affairs.
(V) The personal information requiring consideration is the person, national institution, local public body, each item of Article 76, paragraph 1.
When it is disclosed by the person listed in the above or other person specified by the rules of the Personal Information Protection Commission
(Vi) Other cases specified by Cabinet Order as equivalent to the cases listed in the preceding items
Rule Article 6 Persons stipulated by the rules of the Personal Information Protection Commission, Article 17, Paragraph 2, Item 5 of the Act shall be as follows:
A person who falls under any of the items.
(I) Foreign governments, foreign government agencies, foreign local governments or international organizations
(Ii) A person equivalent to a person listed in each item of Article 76, paragraph 1 of the Act in a foreign country.
Article 7 of the Ordinance When specified by a Cabinet Order under Article 17, Paragraph 2, Item 6 of the Act, the following cases shall apply.
By visually observing or photographing the person, personal information requiring consideration that is clear in appearance can be obtained.
When to get
(Ii) In the cases listed in each item of Article 23, Paragraph 5 of the Act, personal information requiring consideration, which is personal data.
When receiving information.
(Ensuring the accuracy of data contents, etc.)
Article 19 of the Act A business operator handling personal information shall, to the extent necessary to achieve the purpose of use, personal information.
Keep the data accurate and up-to-date, and when it is no longer necessary to use it,
We must endeavor to erase personal data without delay.

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators must not acquire personal information by deception or other fraudulent means.
Absent.
・ Regarding the past medical examination history, etc. necessary for medical treatment, etc., is it the person himself / herself regarding the range that is truly necessary?
In addition to obtaining the book directly from the website, a person who has obtained the consent of the person to provide it to a third party (III5. (3))
22

Page 27

Includes those who are believed to have the implied consent of a person. ) In principle
To do. However, it is a medical or appropriate long-term care service to obtain from a family member other than the person.
This does not apply if it is unavoidable to provide.
・ Obtaining family personal information from a child who does not have sufficient judgment without the consent of the parent
Must not be. However, if it is necessary to obtain personal information such as family members for medical treatment of the child,
This does not apply if it is difficult to obtain personal information from the family member.
[About the consent of the person when acquiring sensitive personal information]
Patients who wish to receive medical treatment at the reception desk of a medical institution aim to recover from injury or illness. on the other hand,
Medical institutions, etc. are cured so that more appropriate medical care can be provided for the purpose of recovery of patients' injuries and illnesses.
It will be necessary to work on medical treatment and claim the cost from public medical insurance. Good quality and proper
Medical institutions to receive medical care and to receive public medical insurance assistance
It is indispensable for the patient to acquire personal information including the patient's sensitive personal information.
For this reason, for example, when the patient is at the reception desk of a medical institution, the patient's own physical condition and medical condition are displayed on the questionnaire.
It is important for the patient to apply for a medical examination together with his / her health insurance card.
Since it is considered that it is assumed that personal information including information will be obtained by medical institutions, etc.
When a medical institution, etc. properly obtains sensitive personal information directly from the person in writing or verbally, etc.
Is about the fact that the medical institution, etc. obtains the information by the patient's act.
It is understood that there was consent of.
In addition, if a medical institution obtains sensitive personal information by a method provided by a third party, the provider
However, the consent required by the person based on the provisions of Article 17, Paragraph 2 and Article 23, Paragraph 1 of the Act (delivery required)
Consideration Since it is premised that you have obtained consent for acquisition of personal information and provision to a third party)
The medical institution, etc. provided by the medical institution once again gave consent based on the provisions of Article 17, Paragraph 2 of the Act.
It is understood that there is no need to obtain.

・ When acquiring sensitive personal information, the consent of the person must be obtained in advance.
However, in the cases stipulated in each item of Article 17, Paragraph 2 of the Law, it is not necessary to obtain the consent of the person.
I.
(Example)
・ When a sudden illness or other situation occurs, the medical history of the person is covered by medical staff such as doctors and nurses.
When a person hears from a family member, it falls under Article 17, Paragraph 2, Item 2 of the Act.
・ Relationship between child guidance centers, schools, medical institutions, etc. regarding school refusal and bad behavior of children
In order for the institutions to cooperate and respond, the child from other related organizations at medical institutions, etc.
When obtaining information on the procedure for the protection of children, Article 17, Paragraph 2 of the Act
It corresponds to item 3.
・ Of the household information that may cause child abuse, the information related to the fact that the child was damaged is provided by the child minister.
When related organizations such as talk offices, police, schools, hospitals, etc. obtain from other related organizations, the law
It corresponds to Article 17, Paragraph 2, Item 3.
・ Medical institutions and long-term care providers correspond to sensitive personal information at the request of the police.
When acquiring the personal information in order to submit the personal information to be done, Article 17, Paragraph 2 of the Act
23

Page 28

It corresponds to item 4.
・ For people with disabilities to see a medical institution and share information in the hospital
When recorded on a te etc. (obtained visually) or the state of a physically handicapped person is set up in the store
If it is reflected in the security camera installed (acquired by shooting), Article 17, Paragraph 2, Paragraph 6 of the Law
No., corresponds to Article 7, Paragraph 1 of the Ordinance.

・ In addition, the personal information requiring consideration can be entrusted, business succession or joint interest as stipulated in each item of Article 23, Paragraph 5 of the Act.
It is not necessary to obtain the consent of the person in advance when acquiring it for use.
[Cases that violate Article 17, Paragraph 2 of the Law]
Persons specified in Article 17, Paragraph 2, Item 5 of the Law and Article 6 of the Regulations without obtaining the consent of the person
Information on the person's beliefs, criminal history, etc. from the information published on the Internet by the outside
Own database, etc. as part of the information about the person that has been acquired and already held
To register with.

・ Medical / long-term care businesses have the purpose of providing appropriate medical / long-term care services.
Try to keep your personal data accurate and up-to-date to the extent necessary for its production.
Must be.
[Other matters]
・ When acquiring personal information by providing it to a third party, check the compliance status of the provider's law.
In both cases, when actually acquiring personal information, check the acquisition method of the personal information, etc.
I have to try. In addition, it cannot be confirmed that the personal information has been legally acquired.
If not, it may have been obtained by deception or other improper means.
It is desirable to take careful measures, including refraining from acquiring it.
・ When personal information is obtained from another medical / long-term care business operator by providing it to a third party, the individual concerned
If there is any doubt about the content of the information, please provide the person or the information regarding the facts of the content.
Check with the person who went.
・ Medical / long-term care providers should ensure the accuracy and up-to-dateness of the contents of personal data III 4.
(2) The committees shown in (2) formulate specific rules and improve the technical level.
It is desirable to hold research for this purpose.

24

Page 29

4. Safety management measures, supervision of employees and supervision of contractors (Articles 20 to 22 of the Act)

(Safety management measures)
Article 20 of the Act A business operator handling personal information may leak, lose or damage the personal data it handles.
If necessary and appropriate measures are taken for the prevention of personal data and other security management of personal data
It doesn't become.
(Employee supervision)
Article 21 of the Act A business operator handling personal information has its employees handle personal data.
Therefore, it is necessary and appropriate for the employee so that the personal data can be safely managed.
You have to give a serious supervision.
(Supervision of contractor)
Article 22 of the Act A business operator handling personal information entrusts all or part of the handling of personal data.
In that case, we will be entrusted to manage the security of the personal data entrusted to us.
Necessary and appropriate supervision must be given to those who have been.

(1) Safety management measures, etc. that medical / nursing-related businesses should take
① Safety management measures
Medical / long-term care business operators prevent leakage, loss or damage of the personal data they handle.
Organizational, human, physical, and technical security management for the security management of other personal data
Measures must be taken. At that time, the personal data of the person is leaked, lost or damaged.
Considering the magnitude of infringement of rights and interests that the person incurs in the event of doing such things, the nature of the business and personal information
Necessary and appropriate measures shall be taken according to the risks caused by the handling status of data, etc.
To In that case, take safety management measures according to the nature of the medium that stores personal data.
Sly.
② Employee supervision
Medical / long-term care companies need employees to comply with the safety management measures in (1)
And proper supervision must be done. "Employees" are not limited to medically qualified personnel.
It includes all persons engaged in business under the direction and order of the business operator, and is also employed.
It includes not only related persons but also directors, dispatched workers, etc.
According to Article 15 of the Medical Care Act, the manager of a hospital, etc. is the employee of a doctor, etc. who works at the hospital, etc.
Supervision obligations are imposed. (For pharmacies and long-term care-related businesses, the Pharmaceuticals and Medical Devices Act
Based on the Long-Term Care Insurance Law and "Basics related to personnel, equipment and operation of businesses such as designated home services"
Associate ”,“ Personnel, equipment and operation of businesses such as designated care prevention services, and designated care prevention services
"Standards for effective support methods for prevention of care related to screws, etc.", "Designated community-based type"
"Standards for personnel, equipment and operation of service business", "Designated community-based long-term care prevention service"
Nursing care related to personnel, equipment and operation of the bis business and designated community-based long-term care preventive services
"Standards for effective support methods for prevention", "Personnel of businesses such as designated home care support"
25

Page 30

"Standards for operation", "Standards for personnel, equipment and operation of designated long-term care welfare facilities for the elderly",
"Standards for personnel, facilities and equipment and operation of Long-Term Care Health Facility", "Designated long-term care medical treatment"
Standards for personnel, equipment and operation of type medical facilities ”and“ designated care prevention support, etc.
Effective support method for care prevention related to personnel and management and designated care prevention support, etc.
There are similar provisions in "Standards for" (hereinafter referred to as "Designated Standards"). )
(2) Matters that can be considered as safety management measures
Medical / long-term care companies leak personal data in view of the importance of the personal data they handle.
Considering the scale, the condition of employees, etc. for the prevention of loss, loss or damage and other safety management
Then, necessary measures shall be taken with reference to the following efforts.
In addition, when the same business operator opens multiple facilities, the information exchange between the facilities is the first.
Although it does not fall under the provision of three parties, the use of personal information such as taking safety management measures for each facility
We will manage the safety of personal information based on the target.
(1) Development and publication of regulations regarding personal information protection
・ Medical / long-term care-related businesses are responsible for the rules and other personal information protection that stipulate the disclosure procedure for retained personal data.
Establishing rules regarding protection and responding to complaints, including in-hospital and business establishments
Thoroughly inform patients and users by posting them on the website and posting them on the website.
・ In addition, regarding the regulations regarding safety management measures for information systems that handle personal data.
Perform maintenance in the same way.
(2) Development of organizational structure, etc. to promote the protection of personal information
・ Personal sentiment in medical care to clarify the responsibility system of employees and promote concrete efforts
Managers, supervisors, etc. who have sufficient knowledge about information protection (for example, cross-organizational such as officers)
(A person who can supervise) is determined. Or a department to promote the protection of personal information, or
Establish a committee, etc.
・ Regularly self-registration of personal data safety management measures taken at medical / nursing-related business establishments
Evaluate and make appropriate improvements on matters that should be reviewed or improved.
(3) Establishing a reporting communication system in the event of problems such as leakage of personal data
・ 1) If an accident such as leakage of personal data occurs, or it is judged that there is a high possibility that it will occur.
2) If there is a fact that the rules regarding the handling of personal data are violated
Alternatively, establish a reporting and communication system to the person in charge when it is judged that the signs are high.
・ Information such as leakage of personal data may be reported from the outside as part of complaints, etc.
Since it will be fixed, we will also cooperate with a system to respond to complaints. (See III13.)
④ Establishing rules regarding the protection of personal information at the time of employment contract
・ In employment contracts and work regulations, confidentiality obligations are imposed not only during the working period but also after leaving the job.
We will establish and thoroughly implement rules regarding the protection of personal information of employees. In particular, doctors, etc.
For medical qualifications and long-term care service workers, the Criminal Code, Related Qualification Law or Long-term Care Insurance Law
26

Page 31

Confidentiality provisions, etc. have been established based on the designated standards based on (Appendix 4), and thorough compliance with them has been established.
To do.
⑤ Implementation of education and training for employees
・ Implementation of education and training for employees to ensure the appropriate protection of personal data handled
By enlightening employees who will handle personal data in actual business, etc.
Thorough awareness of personal information protection of people.
・ At this time, for dispatched workers, "Guidelines for measures to be taken by dispatched workers" (1999)
In the Ministry of Labor Notification No. 138), "We strive to provide convenience for education and training as necessary.
Based on the fact that it must be done, the education and training related to the handling of personal information
It is necessary to consider the implementation.
⑥ Physical safety management measures
-To prevent theft or loss of personal data, take the following physical security management measures.
-Implementation of entrance / exit (room) management
-Implementation of preventive measures against theft (for example, shooting with a camera or witnessing work, etc.)
Recording or monitoring by, prohibition of bringing in / out of media with recording function
(Stopping or conducting inspections, etc.)
-Physical protection such as fixing equipment and devices
・ In order to prevent unauthorized operations, we will collect personal data as follows based on business needs.
Limit the functions given to the terminals to be handled.
-Restrictions on the connection of devices with recording functions such as smartphones and personal computers, and renewal of devices
Correspondence to new
⑦ Technical safety management measures
・ An information system that handles personal data to prevent theft or loss of personal data
Therefore, the following technical safety management measures will be taken.
-Access management for personal data (authentication by ID and password, work of each staff member)
Adopting a system configuration that allows access only to the range necessary for business according to the business content
For etc.)
-Saving access records for personal data
-Regular confirmation of the existence of abnormal records suspected of being fraudulent
-Installing a firewall for personal data
-Monitoring the status of access to the information system from the outside and the operation of the monitoring system
Regular confirmation
-Software-related vulnerability countermeasures (application of security patches, relevant information system)
Discovery of vulnerabilities specific to the website and its correction, etc.)
⑧ Saving personal data
・ When storing personal data for a long period of time, personal data such as prevention of deterioration of storage media
27

Page 32

Store properly so that it does not disappear.
・ When it is necessary to save personal data, such as when responding to inquiries from the person himself / herself.
Save it in a searchable state such as index maintenance so that you can respond quickly.
⑨ Disposal and deletion of unnecessary personal data
・ When disposing of personal data that is no longer needed, personal data cannot be restored, such as by incineration or dissolution.
Dispose of in a possible form.
・ When disposing of information devices that handle personal data, restore the personal data in the storage device.
Erase it into an impossible form and discard it.
・ When outsourcing these disposal operations, the handling of personal data is also included in the outsourcing contract.
And clearly define.
(3) Handling when outsourcing business
① Supervision of contractors
Medical / long-term care-related businesses are personally responsible for administrative work related to examinations, medical fees, or claims for long-term care fees.
When entrusting all or part of the handling of data, comply with safety management measures based on Article 20 of the Act.
The trustee must be supervised as necessary and appropriate to ensure that it is protected.
"Necessary and appropriate supervision" includes safety specified by the business operator who is the consignor in the consignment contract.
In addition to incorporating the details of management measures into the contract and making it an obligation of the trustee, the business is being carried out appropriately.
It also includes checking things regularly.
In addition, when the business is subcontracted, the subcontractor has improperly handled it.
If a problem arises, the medical / long-term care business operator or the subcontracted business operator may be liable.
possible.
② Precautions when outsourcing business
When a medical / long-term care business operator outsources all or part of the handling of personal data,
The following matters should be noted.
-Select a business operator that handles personal information appropriately as a contractor (trustee) (consignment)
That the safety management measures of the person are at least equivalent to those required by Article 20 of the Act.
In order to confirm, the items in III4. (2) are surely implemented according to the contents of the outsourced work.
In addition to confirming the trustee's system, regulations, etc., personal data will be collected as necessary.
After going to the place to handle or confirming by a reasonable alternative method, the individual
It is desirable that managers, supervisors, etc. regarding information protection make appropriate evaluations. ).
・ Incorporate the content regarding the proper handling of personal information in the contract (during the consignment period)
Or, it also includes the handling of personal data after the end of consignment. ).
・ If the trustee plans to subcontract a part of the entrusted business, re-delegation
A business operator that handles personal information appropriately is selected when selecting a business operator to be entrusted.
At the same time, it can be confirmed that the subcontractor company handles personal information appropriately.
Consideration in the contract (whether subcontracting is possible and documents to medical / long-term care related businesses
It is desirable to establish matters such as requesting prior reporting or approval procedures. ).
28

Page 33

・ Regularly confirm that the trustee handles personal information appropriately.
・ When the trustee intends to subcontract, the medical / long-term care business operator may consign.
Similarly, the subcontractor, the business content to be subcontracted, and the handling method of personal data of the subcontractor
Requesting prior reporting or approval procedures from the trustee, directly or through the trustee
By conducting regular audits, etc., the trustee will be subject to Article 22 of the Act against the subcontractor.
Appropriately supervise the subcontractor based on, and the subcontractor manages safety based on Article 20 of the Act
It is advisable to fully confirm that measures will be taken. A place where the subcontractor re-consigns
After that, the same applies to the case of subcontracting.
・ If there is any doubt about the handling of personal information by the trustee (request from patients, users, etc.)
Including cases where there is a need for confirmation. ), Explain to the trustee
Take appropriate measures such as requesting and requesting improvement as necessary.
* Related notifications regarding outsourcing to medical institutions, etc.
In addition to the above points, we will comply with related notices, etc., depending on the outsourced work.
・ "Regarding the enforcement of a part of the law to partially revise the medical law" (February 15, 1993, Kensei
No. 98) "Matters related to the third business consignment"
・ "About outsourcing of hospitals, clinics, etc." (February 15, 1993, No. 14)
(4) Handling when introducing a medical information system and storing information externally
Guide medical information systems at medical institutions and long-term care providers that handle medical information
When entering or storing medical information externally, "Safety management of medical information system"
Guidelines ”(March 31, 2005, Medical Administration No. 0331090, Yaksik No. 03310
No. 20, Hosho No. 0331005), operated and commissioned by each medical institution, etc.
Regulations shall be established and implemented to ensure the safety of handling of consignment, etc.

(5) Prevention of secondary damage in the event of problems such as leakage of personal data
If a problem such as leakage of personal data occurs in a medical / long-term care business,
From the viewpoint of preventing secondary damage and avoiding the occurrence of similar cases, "cases such as leakage of personal data have occurred.
About correspondence in case of occurrence, etc. ”(Personal Information Protection Commission Notification No. 1 of 2017)
(1) Report within the business operator and prevent the spread of damage, (2) Investigate the facts and investigate the cause, (3)
Identification of the range of influence, (4) Examination and implementation of recurrence prevention measures, (5) To the person who may be affected
It is desirable to take necessary measures such as communication, etc. (6) Facts and measures to prevent recurrence.
In addition, if a case such as a leak is discovered, the facts and measures to prevent recurrence will be discussed.
We shall endeavor to promptly report to the Personal Information Protection Commission.
However, medical care, which is the target business operator of the certified personal information protection organization stipulated in Article 47, Paragraph 1 of the Law.
The long-term care business operator shall endeavor to promptly report to the authorized personal information protection organization to which it belongs.
To do.
(6) Others
Patients make mistakes when calling at the reception desk or posting the patient's name tag in the hospital room.
29

Page 34

It is considered necessary to properly carry out operations such as prevention of medical care, but privacy in medical care
Considering the importance of protection, it is desirable to give some consideration according to the wishes of the patient.
[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators prevent leakage, loss or damage of the personal data they handle.
Other necessary and appropriate measures must be taken for the security management of personal data.
・ Medical / long-term care business operators should take care of their employees when handling personal data.
Necessary and appropriate supervision of the employee so that the personal data can be safely managed.
It must be made.
・ When a medical / long-term care business operator outsources all or part of the handling of personal data,
For those who have been entrusted with the handling of personal data so that the security management of the entrusted personal data can be achieved.
Necessary and appropriate supervision must be provided.
[Other matters]
・ Medical / long-term care companies should manage safety in order to further promote efforts related to safety management measures.
Whether the measures are appropriate or not at regular intervals Personal information protection measures and the latest technological trends
Have a person who has sufficient knowledge of information security measures based on this confirm the response within the business operator.
In addition, we will make improvements by receiving confirmation from persons with external knowledge as necessary.
Is desirable.

30

Page 35

5. Provision of personal data to a third party (Article 23 of the Act)

(Restrictions on provision to third parties)
Article 23 of the Act A business operator handling personal information shall be a business operator handling personal information in advance, except in the following cases.
Do not provide personal data to third parties without your consent.
When required by law
When it is necessary to protect the life, body or property of two people, with the consent of the person
When it is difficult to get.
(Iii) When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person.
Shikoku organizations or local public bodies or those entrusted with them carry out the affairs stipulated by laws and regulations.
To obtain the consent of the person when it is necessary to cooperate in carrying out
When there is a risk of hindering the performance of the relevant affairs.
2 Businesses handling personal information are personal data provided to third parties (excluding sensitive personal information.
The same shall apply hereinafter in this section. ), An individual whose person is identified at the request of the person
In the case where it is decided to suspend the provision of data to a third party, the following matters
Therefore, in accordance with the rules of the Personal Information Protection Commission, notify the person in advance.
Or when the person is placed in a state that can be easily known and notified to the Personal Information Protection Commission.
May provide the personal data to a third party notwithstanding the provisions of the preceding paragraph.
(I) The purpose of use is to provide it to a third party.
(Ii) Items of personal data provided to a third party
(3) Method of providing to a third party
(Iv) Suspension of provision of personal data that identifies the person to a third party at the request of the person
To do.
5 How to accept the request of the person
3 The business operator handling personal information is a place to change the matters listed in item 2, item 3 or item 5 of the preceding paragraph.
In that case, the content to be changed shall be determined by the rules of the Personal Information Protection Commission.
Ecklonia cava, notify the person, or put it in a state that the person can easily know, and protect personal information
Must be notified to the protection committee.
4 The Personal Information Protection Commission shall, when notified pursuant to the provisions of paragraph 2, the Personal Information Protection Commission.
Matters pertaining to the notification shall be published pursuant to the rules of the member committee. Before
The same shall apply when there is a notification pursuant to the provisions of paragraph.
5 In the following cases, the person who receives the provision of the personal data is suitable for the provisions of the preceding items.
For use, it shall not correspond to a third party.
(I) Collection of personal data to the extent necessary for the business operator handling personal information to achieve the purpose of use
When the personal data is provided by entrusting all or part of the handling
(Ii) When personal data is provided due to business succession due to a merger or other reasons
(Iii) Personal data shared with a specific person will be provided to that specific person.
In some cases, to that effect and items of personal data to be shared, shared use
Responsible for the scope of the person who does it, the purpose of use of the person who uses it, and the management of the personal data.
31

Page 36

Notify the person in advance of the name or name of the person who does the work, or the person can easily know
When it is in a ready state.
6 The business operator handling personal information shall be the purpose of use or personal day of the user prescribed in item 3 of the preceding paragraph.
When changing the name or name of the person who is responsible for the management of data,
You must notify the person in advance about the condition or put it in a state that the person can easily know.
Must be.

(1) Handling provided by a third party
Medical / long-term care business operators can transfer personal data to a third party without obtaining the consent of the person in advance.
It is said that it should not be provided to, and in the following cases, it is necessary to obtain the consent of the person
is there.
(Example)
・ Inquiries from private insurance companies
If the patient wants to take out private life insurance, the patient's health from the life insurance company
When inquired about the condition etc., the patient's current health condition and the patient's current health condition without obtaining the patient's consent
Do not answer medical history.
Non-life insurance from an insurance company for patients who are being treated for injuries caused by traffic accidents
If there is an inquiry about the symptomatology as necessary for the examination of payment of money, the patient
The patient's symptoms, etc. must not be answered without the consent of the person.

・ Inquiries from the workplace
Inquiries about the medical condition of employees from the bosses of the workplace, or the jobs of employees who are on leave
If there is an inquiry about the prospect of returning to the field, the patient's medical condition or the patient's medical condition without the consent of the patient
Do not answer the prospect of recovery.

・ Inquiries from the school
School faculty and staff inquire about the health status of children and students, or take a leave of absence
If there is an inquiry about the prospect of returning to school for the children / students inside, the consent of the patient will not be obtained.
Do not answer the patient's health condition or prospect of recovery.

・ Inquiries from companies for marketing purposes
Check the existence of hypertensive patients from a company that sells health foods
Patients who are met or requested to be referred to a patient who meets the requirements
Presence or absence of a patient and the name of the relevant patient without the consent of the person
Do not answer the address etc.
(2) Exceptions provided by a third party
However, in the following cases, it is not necessary to obtain the consent of the person.

32

Page 37

① When required by law
On-site inspection based on the Medical Care Act, notification to municipalities regarding fraudulent beneficiaries based on the Long-Term Care Insurance Act,
Individuals based on laws and regulations, such as notifications related to child abuse based on the Act on Prevention of Child Abuse, etc.
This is the case when personal information is used, and the main cases assumed in normal business such as medical institutions are different.
It is as shown in Table 3. (See III1. (2) ①)
(2) Obtain the consent of the person when it is necessary to protect the life, body or property of the person.
When it is difficult to
(Example)
・ For unconscious and unidentified patients, refer to related organizations, family members or related persons, etc.
When providing necessary information for safety confirmation from
・ When explaining the medical condition of an unconscious patient or the situation of an elderly person with severe dementia to family members, etc.
・ A large number of injured and sick people are temporarily transported to medical institutions due to large-scale disasters, etc., and from their families, etc.
In order to respond to inquiries promptly, it is important to work to obtain the consent of the person.
If it is unreasonable
* If it is difficult to obtain the consent of the person, it is the same even if the consent of the person is requested.
If you do not intend to, obtain the consent of the person without going through the procedure for asking the person for consent.
This includes cases where it is not possible.
③ When it is particularly necessary to improve public health or promote the sound development of children.
When it is difficult to obtain the consent of the person
(Example)
・ Providing information to the national or local governments through regional cancer registration projects based on the Health Promotion Law
・ Inspection commissioned by a local public body or a local public body for quality control of cancer screening
Providing information on detailed test results to medical institutions
・ Exchange of information with related organizations regarding cases of child abuse
・ To improve medical safety, the national and local governments regarding medical accidents that occurred in the hospital
Is the case where information such as name is included in the information provided to third parties, etc.
④ A national institution or a local public body or a person entrusted with it carries out the affairs stipulated by laws and regulations.
If you need to cooperate in doing something, with your consent
When there is a risk of hindering the performance of the relevant office work
(Example)
・ When cooperating with the general statistical survey stipulated in Article 2, Paragraph 7 of the Statistics Act
・ When the police inquire about the injured person's address, name, degree of injury, etc. in the event of a disaster, the public
When making inquiries from the perspective of maintaining safety and order
(3) When it is considered that the consent of the person has been obtained
Patients who wish to receive medical treatment at the reception desk of a medical institution aim to recover from injury or illness. on the other hand,
33

Page 38

Medical institutions, etc. can provide more appropriate medical care for the purpose of recovery of patients' injuries and illnesses.
While working on treatment, collaborate with other medical institutions as necessary, and treat the injury or illness
It is also routine to seek guidance and advice from doctors at other specialized medical institutions.
In addition, when claiming the cost to public medical insurance, the recovery of the patient's injury or illness is the eye.
Although it is not intended, it may be provided as a purpose of use necessary for providing medical care. For this reason,
Of the information provided to third parties, it is essential to provide medical care to patients, including recovery from their injuries and illnesses.
If it is necessary and it is clearly stated in the in-hospital notice as the purpose of use of personal information,
In principle, it is considered that implicit consent has been obtained.
Depending on the content of the injury or illness, even if the purpose is to recover the injury or illness of the patient,
When providing personal data to a third party, it is required to obtain the clear consent of the person in advance.
In some cases, medical institutions, etc. need to take action according to their own will.
There is.

(1) Public notices, etc. in the hospital about the purpose of use within the range normally necessary for providing medical care to patients
When obtaining implied consent in advance by expressing
When personal information is obtained from a patient who wishes to receive medical treatment at the reception desk of a medical institution, etc.
Is clearly used to provide the patient's own medical services. others
Therefore, it will be announced on the in-hospital bulletin board, etc. for the purpose of use regarding medical services provided to patients.
If there is no explicit manifestation of reservation from the patient, there is an implied consent of the patient.
It is thought that it was. (See III2.)
Also,
(A) Cooperate with other medical institutions to provide medical care to patients
(B) To seek the opinions and advice of outside doctors in order to provide medical care to patients.
(C) When there is an inquiry from another medical institution, etc. to provide medical care to the patient
Respond
(E) When providing medical care to patients, explain the medical condition to family members, etc.
If the purpose of use is specified, the patient's consent was also obtained for these.
It is considered to be.
(2) Even in this case, the range that is considered to have been implied consent is medical treatment for patients.
This is the range of use required to provide services, and is required to provide medical care to patients in Appendix 2.
It shall be limited to the purpose of use indicated by each medical institution, etc. with reference to "Purpose of use".
In addition, in the in-hospital notice, etc.
(A) If the patient has any difficulty in agreeing with the purpose of use indicated by the medical institution, etc.,
Ask medical institutions, etc. to obtain the clear consent of the person in advance regarding the above matters.
What you can do.
(B) If the patient does not manifest the intention of (a), the patient's same purpose of use will be announced.
Make sure that you are willing to do so.
(C) Consent and reservation can be changed at any time afterwards at the request of the patient.
To be.
34

Page 39

Should also be posted.
* Specific examples of (a) to (e) in ① above
(Example)
・ When the person brings a letter of introduction issued to another medical institution
Medical institutions issue referral letters, prescriptions, etc. to other medical institutions, and the relevant documents
If the person brings the item to another medical institution, etc., the person consents to the provision to the third party.
It is probable that there was an exchange of information with medical institutions regarding the contents of the document.
It is probable that consent was obtained for doing so.

・ When responding to inquiries from other medical institutions, etc.
When a patient who has visited clinic A in the past is currently undergoing consultation at hospital B
Then, when hospital B inquires about past medical examination results to clinic A, the hospital
If it can be confirmed that the doctor in charge of B has obtained the consent of the patient undergoing medical examination, then Clinic A
Has obtained the consent of the patient regarding the provision of medical information held by the patient to Hospital B.
it is conceivable that.

・ Explanation of medical conditions to family members
When explaining the pathological condition, etc. to the person and his / her family at the same time, explicitly the person himself / herself.
Providing medical information to family members who receive explanations at the same time as the person without the consent of
It is probable that the consent of the person was obtained for the service.
Similarly, when a faculty member accompanies the treatment of a child / student, the child / student
If the person himself / herself does not refuse to attend the faculty member, he / she and the faculty member should be present and within the treatment.
It is thought that it is possible to explain the contents.

(3) Medical institutions, etc., have Article 66 of the Industrial Safety and Health Act, Article 150 of the Health Insurance Act, and the National Health Insurance Act.
Article 82 or Article 20, Article 24 or Article 12 of the Act on Assurance of Medical Care for the Elderly
If you are entrusted with a medical examination, etc. conducted by a business operator or an insurer pursuant to Article 5, this is the result.
Providing personal data of workers, etc. to the business operator or insurer who is the consignor
It is considered that the consent of the person has been obtained.
(4) For long-term care-related businesses, in charge of services under the designated standards based on the Long-term Care Insurance Law
When using the user's personal information at a personal meeting, etc., the user's consent is required, and the individual of the user's family
When using personal information, the consent of the family must be obtained in advance in writing.
Based on the fact that it is not supposed to be, the service is not posted on the office
It is necessary to properly obtain written consent from the user at the start of use.
(4) When it does not correspond to "third party"
(1) When information is provided to other businesses, but does not fall under the category of "third party"
About the person who receives the provision of the personal data in the cases listed in each item of Article 23, Paragraph 5 of the Law
35

Page 40

Does not correspond to a third party and can provide information without obtaining the consent of the person. Medical /
Specific examples of long-term care-related businesses are as follows.

・ When outsourcing operations such as inspection
・ Providing information to external auditing organizations ((public interest incorporated foundation) Hospital machine operated by Japan Council for Quality Health Care
Performance evaluation, etc.)
・ Notify the person in advance that personal data will be shared with a specific person.
If
* Notes on shared use of personal data
For example, when a hospital and a home-visit nursing station jointly provide medical services,
It is planned to share personal data with a specific person in advance.
If so, (a) items of personal data used jointly, (b) range of joint users (individuals)
It is listed separately or specified so that the range is clear from the perspective of the person.
(C), (c) Purpose of use of the user, (e) Management of the personal data
Notify the person in advance of the name or name of the person in charge, or the person can easily
Make it clear that it will be used jointly while keeping it in a state where it can be known to
If so, the joint user does not fall under the category of a third party.
In this case, (a) and (b) cannot be changed, and (c) and (e) cannot be changed.
If you can change it within the range that is not difficult for you to assume
Must be in a state where the person can be notified or easily known by the person.
(2) When the information is provided within the same business operator and does not correspond to a third party
When providing information within the same business operator, the personal data is provided to a third party.
Therefore, information can be provided without the consent of the person. Medical / long-term care
Specific examples of related businesses are as follows.

・ Information within the medical / long-term care business operator, such as cooperation with other clinical departments in the hospital
Exchange
・ Exchange of information between multiple facilities established by the same company
-Use for training for the staff of the business operator (however, it does not correspond to provision to a third party)
Even in some cases, if the purpose of use is not announced by posting in the hospital, etc.
Whether the consent of the person is obtained for the specific usage method (see III1.), Or the individual is not identified.
It is necessary to anonymize (see II4.))
・ Exchange of information for conducting management analysis within the business operator
(5) Other points to note
・ Notes on providing information to other businesses
In addition to providing information to third parties, even if information is provided to other businesses, (1) based on laws and regulations
If there is an exception provided by a third party, such as in the case of a case, (2) if it does not correspond to "third party", (3)
It is essentially necessary when providing information by anonymizing so that no one is identified.
36

Page 41

It should be provided only to the extent of the information that can be provided, and it is not required to provide the information.
It should not be provided to other businesses even for the item.
In particular, the intentions of patients / users and their families when providing information on medical accidents, etc.
Based on the above, anonymize (see II4) unless the name etc. is required in the report.
U. In addition, anonymize the case of making a public announcement to the media immediately after a medical accident occurs.
Even in such cases, we shall endeavor to obtain the consent of the person or his / her family.
(Inappropriate example)
・ Doctors and pharmacists are MRs (medical representatives) of pharmaceutical companies and MSs (pharmaceuticals) of pharmaceutical wholesalers.
When exchanging information about the effects of drug medication with the person in charge of product sales), etc.
Provide information such as names that are not needed without deleting them.
[Matters to be observed according to the provisions of the law]
・ Personal data for medical / long-term care providers without the prior consent of the individual
Must not be provided to a third party. In addition, when it is not necessary to obtain the consent of the person in (2)
If applicable, it is not necessary to obtain the consent of the person.
・ If the person consents to the provision of personal data to a third party, then the person will give the first
If there is a request to revoke consent for a part of the scope of provision by the three parties, then
Regarding the handling of personal data, we will handle it only within the scope of the consent of the person.
To be.
[Other matters]
・ Even if information that does not correspond to provision to a third party is provided, to the hospital or business office, etc.
As much as possible, clarify the information provider on the bulletin board, homepage, etc.
We will secure a system that can respond to inquiries from people and users.
・ For example, in the case of business consignment, the business outsourced by the medical / long-term care business operator
Arrangements regarding the handling of personal information with the content, contractors, and contractors
It is conceivable to disclose the contents of.

37

Page 42

6. Restrictions on provision to third parties in foreign countries (Article 24 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Foreign countries)"
(Provision to a third party) ”(2016 Personal Information Protection Commission Notification No. 7).

(Restrictions on provision to third parties in foreign countries)
Article 24 of the Act A business operator handling personal information means a foreign country (a country or region outside the region of Japan).
Same as below. ) (Individuals recognized as being at the same level as Japan in protecting the rights and interests of individuals
Established by the rules of the Personal Information Protection Commission as a foreign country that has a system for protecting personal information
Excludes those. The same shall apply hereinafter in this article. ) Is a third party (about the handling of personal data)
Corresponds to the measures that the business operator handling personal information should take according to the provisions of this section.
It is stipulated in the rules of the Personal Information Protection Commission as necessary to continuously take measures to be taken.
Excludes those who have a system that meets these standards. The same shall apply hereinafter in this article. ) To personal
When providing data, in addition to the cases listed in each item of paragraph 1 of the preceding article, foreign countries in advance
You must obtain the consent of the person to approve the provision to a third party in. In this case
However, the provisions of the same Article do not apply.
Regulations Article 11 The criteria stipulated by the rules of the Personal Information Protection Commission under Article 24 of the Act are as follows.
It shall correspond to the deviation.
(I) Receive the provision between the business operator handling personal information and the person who receives the provision of personal data.
Regarding the handling of the personal data by the person, by an appropriate and rational method, the law
Implementation of measures in line with the purpose of the provisions of Chapter 4, Section 1 is ensured.
(Ii) The person who receives the personal data is based on the international framework for handling personal information.
Must be certified.

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators give personal days to third parties in foreign countries based on the provisions of Article 24 of the Act.
When providing data, except as provided in each item (*) of Article 23, Paragraph 1 of the Law, to a foreign country.
You must obtain the consent of the person to provide it to a third party.
・ However, if any of the following (1) or (2) applies, Article 23, Paragraph 1 of the Law, as in Japan.
Provision to a third party with the consent of the person based on the provisions of the pillar, or consignment or joint use based on paragraph 5 of the same Article
It can be provided by use.
(1) A personal information protection system in which a third party in a foreign country is recognized as being at the same level as Japan
As a country that owns it, the Law Enforcement Regulations on the Protection of Personal Information (2016 Personal Information)
Protection Commission Regulation No. 3. Hereinafter referred to as "rules". ) In the country specified
(2) A third party in a foreign country continues to take measures equivalent to the measures that a business operator handling personal information should take.
Establish a system that meets the standards stipulated in the rules as a system necessary for taking measures
If you have

(*) Each item of Article 23, Paragraph 1 of the Law
・ When providing personal data in accordance with laws and regulations (related to No. 1)

38

Page 43

・ Specific rights and interests such as the life, body or property of a person (including a corporation) are infringed.
There is a risk, it is necessary to provide personal data to protect this, and the book
When it is difficult to obtain the consent of a person (related to No. 2)
・ Especially necessary for improving public health or for the sound development of children who are developing physically and mentally
In this case, and it is difficult to obtain the consent of the person (related to No. 3)
・ It is necessary to obtain the cooperation of private companies, etc. in order for national organizations to carry out the affairs stipulated by laws and regulations.
In some cases, cooperating private companies, etc. provide personal data to institutions, etc. in the country concerned.
There is a risk that obtaining the consent of the person will hinder the performance of the relevant affairs.
If there is (related to No. 4)

・ Any of the methods stipulated in Article 23 of the Act for providing personal data to a third party in a foreign country
The application of Article 24 of the Act is determined by whether or not it is carried out by.
(1) Method of providing based on the consent of the person (Article 23, Paragraph 1 of the Law)
In the medical / long-term care business, "the same person who permits the provision to a third party in a foreign country"
If "will" is obtained, it can be provided to a third party in a foreign country. On the other hand, medical care
When the long-term care business operator has obtained "the consent of the person to allow the provision to a third party"
And if it falls under (1) or (2), the personal information protection level equivalent to that in Japan is guaranteed.
Because it is made, it can be provided to a third party in a foreign country.
(2) Method of providing with consignment, business succession or shared use (Article 23, Paragraph 5 of the Law)
If "the consent of the person to approve the provision to a third party in a foreign country" has been obtained, or
If it falls under (1) or (2), it will be outsourced, business succession, or shared use to a third party in a foreign country.
Personal data can be provided accordingly.
(3) Method to provide in some cases listed in each item of Article 23, Paragraph 1 of the Law
Providing personal data to a third party in a foreign country in the cases listed in each item of Article 23, Paragraph 1 of the Law
In that case, it is not necessary to obtain the consent of the person.

・ It is necessary to continuously take measures equivalent to the measures that the above ② personal information handling business operator should take.
The necessary system standards are stipulated in Article 11 of the Regulations.
-The "appropriate and rational method" should be judged on a case-by-case basis, but personal data
What a third party in a foreign country, to which the information is provided, should be taken by a business operator handling personal information in Japan.
In a way that can ensure that you continue to take measures that correspond to the measures that have been taken.
There must be. For example, the following cases apply.
(Example)
・ When entrusting the handling of personal data to a business operator in a foreign country
Contracts, confirmations, memorandums, etc. between providers and recipients

・ It is not necessary to stipulate all matters related to Chapter 4, Section 1 of the Act in contracts, etc.
39

Page 44

It suffices if the implementation of the measures is ensured by a substantially appropriate and rational method. In addition, it should be noted.
As a typical example, a business operator in Japan handles personal data for a business operator in a foreign country.
In the case of outsourcing, a third party in a foreign country or a business operator in Japan, which is the provider, should take the course.
Specific examples of such measures will be shown.
・ Identification of purpose of use (measures in line with the purpose of Article 15 of the Act)
(Example) In the consignment contract, specify the purpose of use by a business operator in a foreign country.
・ Restrictions based on the purpose of use (measures in line with the purpose of Article 16 of the Act)
(Example) In the consignment contract, the content of the consignment is the purpose of use by a business operator in a foreign country.
The paperwork within the scope of
・ Appropriate acquisition (measures in line with the purpose of Article 17, Paragraph 1 of the Act)
(Example) A business operator in a foreign country appropriately acquires personal data based on a consignment contract.
If it is self-evident, it is not an acquisition by fraudulent means.
・ Notification of purpose of use at the time of acquisition (measures in line with the purpose of Article 18 of the Act)
(Example) A business operator in Japan notifies the patient of the purpose of use. (Purpose of use
The range is shown in Appendix 2 and may be published on the in-hospital bulletin board, etc.)
・ Ensuring the accuracy of data contents (measures in line with the purpose of Article 19 of the Act)
(Example) Entrustment contracts stipulate ensuring the accuracy of data contents, or
The business operator that provides personal data bears the responsibility for ensuring the accuracy of the data content.
I will do it.
・ Safety management measures (measures in line with the purpose of Article 20 of the Act)
(Example) It is stipulated that a business operator in a foreign country will take safety management measures by a consignment contract.
・ Employee supervision (measures in line with the purpose of Article 21 of the Act)
(Example) The consignment contract stipulates measures related to the supervision of employees of businesses located in foreign countries.
・ Supervision of contractors (measures in line with the purpose of Article 22 of the Act)
(Example) The consignment contract stipulates measures for supervising the subcontractor of a foreign business operator.
・ Restrictions on provision to third parties (measures in line with the purpose of Article 23 of the Act)
(Example) Prohibit the provision of personal data to a third party from a business operator in a foreign country by a consignment contract
To
・ Restrictions on provision to third parties in foreign countries (measures in line with the purpose of Article 24 of the Act)
(Example) Prohibit the provision of personal data to a third party from a business operator in a foreign country by a consignment contract
To
・ Publication of matters related to retained personal data (measures in line with the purpose of Article 27 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, according to the consignment contract, the consignor publishes the matters related to the retained personal data.
Clarify the fulfillment of obligations related to tables, etc. In addition, personal day to be provided
If the data does not correspond to "retained personal data" for a business operator in a foreign country, it will be concluded.
As a result, it is not necessary to take measures as "measures".
・ Disclosure (measures in line with the purpose of Article 28 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, the consignor will fulfill the obligation to disclose by the consignment contract.
40

Page 45

Clarify about. In addition, for businesses whose personal data to be provided is in a foreign country, "protection"
If it does not correspond to "Yes personal data", as a result, it is not possible to take measures as "measures".
It is important.
・ Correction, etc. (Measures in line with the purpose of Article 29 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, the consignor shall fulfill the obligations related to correction, etc. by the consignment contract.
Clarify about. For businesses whose personal data to be provided is in a foreign country
If it does not correspond to "retained personal data", as a result, it will be dealt with as "measure".
Is unnecessary.
・ Suspension of use, etc. (Measures in line with the purpose of Article 30 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, the consignor will fulfill the obligations related to suspension of use, etc. by the consignment contract.
Be clear about that. In addition, personal data to be provided to businesses in foreign countries
If it does not correspond to "retained personal data", as a result, it will be treated as "measure".
No action is required.
・ Explanation of the reason (measures in line with the purpose of Article 31 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
If this is the case, the consignor will fulfill its obligation to explain the reason under the consignment contract.
Be clear about that. In addition, personal data to be provided to businesses in foreign countries
If it does not correspond to "retained personal data", as a result, it will be treated as "measure".
No action is required.
・ Procedures for responding to requests for disclosure, etc. (Measures in line with the purpose of Article 32 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
If this is the case, the consignor will take steps to respond to requests for disclosure, etc. under the consignment contract.
Be clear about what to do. Businesses where the personal data provided is in a foreign country
If it does not correspond to "retained personal data" for the person, as a result, "measure"
There is no need to take any action.
・ Fee (Measures in line with the purpose of Article 33 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, the consignor shall implement the measures related to the commission by the consignment contract.
Clarify about. For businesses whose personal data to be provided is in a foreign country
If it does not correspond to "retained personal data", as a result, it will be dealt with as "measure".
Is unnecessary.
・ Handling of complaints by businesses handling personal information (measures in line with the purpose of Article 35 of the Act)
(Example) The personal data to be provided is referred to as "retained personal data" for businesses located in foreign countries.
In this case, the consignor fulfills the obligations pertaining to Article 35 of the Act by the consignment contract.
Be clear about that. In addition, personal data to be provided to businesses in foreign countries
If it does not correspond to "retained personal data", as a result, it will be treated as "measure".
No action is required.

41

Page 46

7. Creation of records related to provision to a third party (Article 25 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Provided by a Third Party)"
(Obligation to confirm and record at the time) ”(2016 Personal Information Protection Commission Notification No. 8).

(Creation of records related to provision to a third party, etc.)
Article 25 of the Act A business operator handling personal information lists personal data as a third party (listed in each item of Article 2, Paragraph 5).
Excludes those who When provided to), as stipulated by the rules of the Personal Information Protection Commission,
Date of provision of the personal data, name or name of the third party and other personal information protection
A record of the matters stipulated in the Commission Regulations shall be made. However, the individual concerned
Places where the provision of data falls under any of the items of Article 23, paragraph 1 or each item of paragraph 5 (omitted)
In that case, this is not the case.
2 The business operator handling personal information keeps the record set forth in the preceding paragraph from the date when the record is created by the Personal Information Protection Committee.
It must be retained for the period specified by the rules of the committee.
(Creation of records related to provision to a third party)
Rule Article 12 The method of making a record of the same paragraph pursuant to the provision of Article 25, paragraph 1 of the Act is a document,
It shall be a method of making using electromagnetic recording or microfilm.
2 The record set forth in Article 25, Paragraph 1 of the Act shall be promptly recorded each time personal data is provided to a third party (omitted).
Must be created. However, personal data will be continuously provided to the third party or
When repeatedly provided (omitted), or continuously or continuously providing personal data to the third party

Make a batch of records when it is expected to be provided repeatedly
Can be done.
3 Notwithstanding the provisions of the preceding paragraph, pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act, this
Providing personal data related to a person to a third party in connection with the provision of goods or services to the person
In the case of provision, the contract and other documents prepared for the provision shall be included in paragraph 1 of the next article.
When the matters specified in each item are stated, the relevant document shall be used in Article 25, paragraph 1 of the Act.
It can be replaced with a record of the matter.
(Recorded items related to provision to a third party)
Regulations Article 13 Matters stipulated by the Personal Information Protection Commission Regulations in Article 25, Paragraph 1 of the Act are as follows:
The matters specified in each item shall be applied according to the classification of the cases listed in each item.
(I) When personal data is provided to a third party pursuant to the provisions of Article 23, paragraph 2 of the Act
Matters listed up to
B. Date when the personal data was provided
(B) The name or name of the third party and other matters sufficient to identify the third party (non-special)
When it is provided to a fixed number of people, that fact)
C. To identify the person's name and other personal information identified by the personal data.
Sufficient matters
D. Items of the personal data
(Ii) Providing personal data to a third party pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act.
42

Page 47

In the case of the following matters listed in a and b
B. The fact that the consent of the person in question, Article 23, Paragraph 1 of the Act or Article 24 of the Act has been obtained.
(B) Matters listed in the previous item (b) to (d)
2 Of the matters specified in each item of the preceding paragraph, Article 25 of the Act already created by the method specified in the preceding article.
It is recorded in the record of paragraph 1 (limited to the case where the record is kept).
If the matter and content are the same, the record of the matter in Article 25, Paragraph 1 of the Act is omitted.
can do.
(Retention period of records related to provision to a third party)
Rule Article 14 The period specified by the rules of the Personal Information Protection Commission set forth in Article 25, Paragraph 2 of the Act is as follows.
Depending on the classification of the cases listed in each item, the period shall be the period specified in each item.
(I) When a record is created by the method prescribed in Article 12, paragraph (3) Finally, the relevant record is involved.
From the day when the personal data is provided to the day when one year has passed
(Ii) When a record is created by the method prescribed in the proviso of Article 12, paragraph (2) Finally
From the date when the personal data related to the record is provided to the date when three years have passed since the date of provision.
(3) In cases other than the previous two items, three years

(1) When the recording obligation does not apply
Recording obligations do not apply in the following cases:
(1) When a third party is a person listed in each item of Article 2, Paragraph 5 of the Law
When exchanging personal data with the persons listed in 1) to 4) below, record
Obligations do not apply.
1) National institution (related to Article 2, Paragraph 5, Item 1 of the Law)
2) Local public bodies (related to Article 2, Paragraph 5, Item 2 of the Law)
3) Incorporated Administrative Agencies, etc. (Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.
(Act No. 59 of 2003) Incorporated administrative agencies, etc. prescribed in Article 2, Paragraph 1
Say. ) (Regarding Article 2, Paragraph 5, Item 3 of the Law)
4) Local Incorporated Administrative Agency (Local Incorporated Administrative Agency Law (2003 Law No. 118) No. 2
Refers to a local incorporated administrative agency specified in Article 1, Paragraph 1. ) (Article 2, Paragraph 5, Item 4 of the Law)
Relationship)

(2) When each item of Article 23, Paragraph 1 of the Act is applicable (see III.5. (2))
Considering that it is unlikely that personal data will be circulated from time to time, the obligation to record is applied.
I can't.
1) When providing personal data in accordance with laws and regulations (related to No. 1)
(Example)
・ Submission of receipt to examination and payment institution
2) Infringement of specific rights and interests such as life, body or property of a person (including a corporation)
It is necessary to provide personal data to protect this
43

Page 48

And when it is difficult to obtain the consent of the person (related to No. 2)
3) Especially for the improvement of public health or the sound upbringing of children who are developing physically and mentally.
When it is necessary and it is difficult to obtain the consent of the person (3rd)
No. related)
4) Obtain the cooperation of private companies, etc. in carrying out the affairs stipulated by laws and regulations by national organizations, etc.
When it is necessary, a cooperating private company, etc. will personally contact an institution, etc. in the country concerned.
Obtaining the consent of the person himself / herself regarding the provision of data is necessary for the performance of the relevant affairs.
When there is a risk of hindrance (related to No. 4)
(3) When each item of Article 23, Paragraph 5 of the Act is applicable (see III.5. (4))
The obligation to record applies in view of the fact that it does not fall under the category of a third party.
I can't.
1) Personal data within the range necessary for the business operator handling personal information to achieve the purpose of use
The personal data is provided by entrusting all or part of the handling of
(Regarding Article 23, Paragraph 5, Item 1 of the Law)
(Example)
・ Specimen testing business consignment and other business consignment
・ Outsourcing of insurance affairs
・ A business operator when a medical examination, etc. is conducted on behalf of the business operator, etc.
Notification of the result to etc.
・ Providing information to external auditing organizations in the management and operation of medical institutions, etc.
2) When personal data is provided due to business succession due to merger or other reasons
(Regarding Article 23, Paragraph 5, Item 2 of the Law)
3) Personal data shared with a specific person is provided to that specific person.
If so, and the items of personal data used jointly,
Scope of joint users, purpose of use of users and personal data
Regarding the name or name of the person responsible for management, the person himself / herself in advance
When the person is in a state where he / she can easily know (Article 23 of the Act).
Paragraph 5, Item 3)
④ When providing on behalf of the person
The medical / long-term care business operator is the individual of the patient / user based on the consignment from the patient / user.
When providing data to a third party, the business operator handling personal information is "on behalf of the person".
It provides human data.
Therefore, the obligation to record does not apply to the provision to a third party in this case.
(Example)
Of the medical services provided by medical institutions to patients, etc.
・ Other hospitals, clinics, maternity homes, pharmacies, home-visit nursing stations, long-term care service business
Cooperation with people, etc.
・ Answer to inquiries from other medical institutions
44

Page 49

・ When seeking the opinions and advice of outside doctors when treating patients
・ Answer to inquiries from examination and payment institutions or insurers
・ Phase to medical organizations, insurance companies, etc. related to medical liability insurance
Talk or notification, etc.
⑤ When providing to a person who has a relationship that can be evaluated as one with the person
When providing to a person who has a relationship that can be evaluated as one with the person, such as the person's agent or family
It is considered to be provided to the person himself / herself, and the obligation to record does not apply.
(Example)
・ Explanation of medical conditions to family members
[Matters to be observed according to the provisions of the law]
(2) Application of recording obligation
If none of the cases described in (1) apply, the medical / long-term care business operator is individual.
When providing personal data to a third party, create a record stipulated by law and save the record.
There must be.
① How to make a record, etc.
1) Medium for creating records
Medical / long-term care providers use documents, electromagnetic records, or microfilm for records.
Must be created.
2) How to make a record
As a general rule, medical / long-term care providers record personal data promptly each time they are sent or received.
Must be created.
3) How to create records in a batch
Sending and receiving personal data continuously or repeatedly with a specific business within a certain period of time
If you do, instead of creating records for individual transfers, create records in bulk
Can be
4) Method by alternative means such as contract
Medical / long-term care business operator concludes a contract to provide goods or services to the person
However, as the contract is fulfilled, personal data with the other party of the contract as the person is medically provided.
When providing to a third party from a protection-related business, the contract created at the time of provision
Since it is possible to track the distribution of personal data in other documents, the contract
Other documents may be recorded.
5) How to create a record on your behalf
Considering that both the provider and the recipient have the same record creation method and retention period
45

Page 50

The recipient may substitute all or part of the provider's obligation to record (provide).
It should be noted that there are differences in the records of the person and the recipient. ). In this case
Even so, the provider and the recipient are not exempt from their obligations.
You have to build a system that is practically equivalent to the one that fulfills the obligation to create records by itself.
Not.
② Recorded items
1) Recorded items of the provider
Medical / long-term care business operators provide personal data to third parties based on their consent
If so, the following items shall be recorded:
・ The fact that the consent of the person has been obtained
・ Name or name of a third party and other matters that can identify the third party
・ Being able to identify the person's name and other persons identified by personal data
Term
・ Personal data items
③ Omission of recorded items
When the same "person"'s personal data is exchanged multiple times, the same
It is not necessary to record the contents in duplicate. Already "7. (2) Application of recording obligation"
It was recorded in the record created by the method specified in (only when it is actually saved).
If the item and the content are the same, the recording of the item may be omitted.
④ Storage period
Medical / long-term care providers must retain the created records for the period specified by the regulations.
Absent. It should be noted that the retention period differs depending on the method of creating the record.

Another way to create a record

Retention period

By alternative means such as contracts

Finally, the provision of personal data related to the record

If you make more records

One year has passed since the day of the event
Until the day

By the method of creating records in a batch

Finally, the provision of personal data related to the record

When creating a record

Three years have passed since the day of the event
Until the day

Other than the above

3 years

46

Page 51

8. Confirmation, etc. when receiving provision to a third party (Article 26 of the Act)
For details, see "Guidelines for the Law Concerning the Protection of Personal Information (Provided by a Third Party)"
(Obligation to confirm and record at the time) ”(2016 Personal Information Protection Commission Notification No. 8).

(Confirmation when receiving a third party offer, etc.)
Article 26 of the Act When a business operator handling personal information receives personal data from a third party
Do not confirm the following matters in accordance with the rules of the Personal Information Protection Commission.
Must be. However, the provision of the personal data is provided in each item of Article 23, paragraph 1 or paragraph 5.
This does not apply if any of the items apply.
(I) In the case of the name or name and address of the third party and the corporation, its representative (in the corporation)
If there is no organization with a representative or manager, the representative or manager)
Name
(Ii) Background of acquisition of the personal data by the third party
2 The third party in the preceding paragraph is when the business operator handling personal information confirms according to the provisions of the same paragraph.
Therefore, the matters related to the confirmation must not be deceived to the business operator handling personal information.
3 When the business operator handling personal information confirms according to the provisions of paragraph 1, the personal information protection committee
According to the rules of the committee, the date of receipt of the personal data and the confirmation
You must make a record of such matters and other matters stipulated by the rules of the Personal Information Protection Commission.
Must be.
4 The business operator handling personal information keeps the record set forth in the preceding paragraph from the date when the record is created by the Personal Information Protection Committee.
It must be retained for the period specified by the rules of the committee.
(Confirmation when receiving a third party offer)
Rule Article 15 Confirmation of the matters listed in item 1 of the same paragraph pursuant to the provisions of Article 26, paragraph 1 of the Act.
The method is to receive a declaration from a third party who provides personal data and other appropriate methods.
To do.
2 The method for confirming the matters listed in item 2 of the same paragraph pursuant to the provisions of Article 26, paragraph 1 of the Act is individual.
Shows the process of acquisition of the personal data by the third party from the third party who provides the personal data
It shall be a method of receiving a contract or other written presentation, or any other appropriate method.
3 Notwithstanding the provisions of the preceding two paragraphs, when receiving other personal data from a third party, it has already been done.
Confirmation by the method prescribed in the preceding two paragraphs (Notes regarding the confirmation by the method prescribed in the next article)
Only when creating and saving records. ) Confirmation of matters
The method to be carried out is the content of the matter and the matters listed in each item of Article 26, paragraph 1 of the Act pertaining to the provision.
It is a method of confirming that the contents of are the same.

(Creation of records related to confirmation when receiving a third party offer)
Rule Article 16 The method of making a record of the same paragraph pursuant to the provision of Article 26, paragraph 3 of the Act is a document,
It shall be a method of making using electromagnetic recording or microfilm.
2 The record set forth in Article 26, Paragraph 3 of the Act shall be promptly recorded each time personal data is provided by a third party.
Must be created in. However, individuals from the third party continuously or repeatedly
47

Page 52

Provision of data (excluding provision pursuant to the provisions of Article 23, Paragraph 2 of the Act. The same shall apply hereinafter in this Article.
Ji. ), Or continuously or repeatedly providing personal data from the third party.
Records can be created in bulk when it is expected that you will receive
To
3 Notwithstanding the provisions of the preceding paragraph, from a third party in connection with the provision of goods or services to the person
When personal data related to the person is provided, it is created for the provision.
If the contract or other document contains the matters specified in each item of paragraph 1 of the next article, the relevant matter
In writing, it may be replaced with a record relating to the relevant matter set forth in Article 26, paragraph 3 of the Act.
(Recorded items when receiving a third party offer)
Regulations Article 17 Matters stipulated by the Personal Information Protection Commission Regulations in Article 26, Paragraph 3 of the Act are as follows:
The matters specified in each item shall be applied according to the classification of the cases listed in each item.
(I) Received the provision of personal data pursuant to the provisions of Article 23, paragraph 2 of the Act from a business operator handling personal information.
In case of digits Items listed in the following a to e
B. Date of receiving personal data
(B) Matters listed in each item of Article 26, Paragraph 1 of the Act
C. To identify the person's name and other personal information identified by the personal data.
Sufficient matters
D. Items of the personal data
(E) The fact that it has been announced pursuant to the provisions of Article 23, Paragraph 4 of the Act
(Ii) Individuals from businesses handling personal information pursuant to the provisions of Article 23, Paragraph 1 of the Act or Article 24 of the Act.
When data is provided Matters listed in the following a and b
B. The fact that the consent of the person in question, Article 23, Paragraph 1 of the Act or Article 24 of the Act has been obtained.
(B) Matters listed in the previous item (b) to (d)
(Iii) Received personal data provided by a third party (excluding those who fall under the category of business operators handling personal information)
In the case of the first item (b) to (d)
(2) Of the matters specified in each item of the preceding paragraph, the Act 26, which has already been prepared by the method specified in the preceding article.
Recorded in the record set forth in Article 3 (limited to the case where the record is retained)
For items that have the same content as the item, the record of the item in Article 26, paragraph 3 of the Act is omitted.
can do.
(Retention period of records when receiving a third party offer)
Regulations Article 18 The period specified by the rules of the Personal Information Protection Commission in Article 26, Paragraph 4 of the Act is as follows.
Depending on the classification of the cases listed in each item, the period shall be the period specified in each item.
(I) When a record is created by the method prescribed in Article 16, paragraph (3) Finally, the relevant record is involved.
From the day when the personal data is provided to the day when one year has passed
(Ii) When a record is created by the method prescribed in the proviso of Article 16, paragraph (2) Finally
From the date when the personal data related to the record is provided to the date when three years have passed since the date of receipt.
(3) In cases other than the previous two items, three years

48

Page 53

(1) When the confirmation / recording obligation does not apply
7. As in the case of creating records related to provision to a third party (Article 25 of the Act), (1) a third party is the second party of the Act.
If you are a person listed in each item of Article 5, Paragraph 5, or if you fall under any of the items of Article 23, Paragraph 1 of the Act (III5.
(Refer to (2)), ③ If any of the items in Article 23, Paragraph 5 of the Act is applicable (Refer to III.5.
When receiving personal data provided in the meantime, ⑤ To a person who has a relationship that can be evaluated as one with the person
If applicable, the confirmation / recording obligation does not apply. Specific examples are as follows: 7. See (1)
Teru.
In addition, the confirmation / recording obligation does not apply in the following cases.
⑥ When it does not correspond to personal data for the recipient
It corresponds to personal data for the provider but not for the recipient
If you receive the information, the confirmation / recording obligation does not apply.
⑦ When it does not correspond to personal information for the recipient
Receipt even if it corresponds to personal data for the provider, as in the following case
Information that does not correspond to "personal information" for a person (naturally does not correspond to personal data)
If you receive, the confirmation / recording obligation does not apply.
[Cases that do not correspond to personal information for the recipient]
(Example)
・ Providing data that prevents the provider from identifying an individual by deleting the name
When receiving a companion
・ When data is provided with only the ID number managed by the provider
[Matters to be observed according to the provisions of the law]
(2) Application of confirmation obligation
When a medical / long-term care business operator receives personal data from a third party, the third party is informed.
On the other hand, the following confirmation must be made.
① Confirmation method
1) The name and address of a third party and, in the case of a corporation, the name of its representative
2) Background of acquisition of personal data by a third party
3) Compliance with the law [Other matters]
When a medical / long-term care business operator receives personal data from another business operator,
Compliance with the law of the business operator (for example, purpose of use, discovery procedure, reception desk for inquiries / complaints)
When receiving personal data provided by publication or opt-out to a third party
(The fact that the notification items of the business operator have been announced by the Personal Information Protection Commission, etc.)
It is also desirable to confirm.
(2) Confirmation method for third parties who have already confirmed
When the same "person"'s personal data is exchanged multiple times, the same
49

Page 54

Since it is not rational to confirm the contents in duplicate, it is already specified in "(1) Confirmation method".
Confirm by the method, create by the method specified in "8. (3) Obligation to record", and
For items that have the same contents as those recorded in the records stored at that time
Therefore, the confirmation of the matter can be omitted.
(3) Application of recording obligation
In addition, medical / long-term care providers are required to comply with laws and regulations when they receive personal data from a third party.
The record specified in (1) shall be created and the record shall be retained.
① How to make a record, etc.
1) Medium for creating records
Medical / long-term care providers use documents, electromagnetic records, or microfilm for records.
Must be created.
2) How to make a record
As a general rule, medical / long-term care providers record personal data promptly each time they are sent or received.
Must be created.

3) How to create records in a batch
Sending and receiving personal data continuously or repeatedly with a specific business within a certain period of time
If you do, instead of creating records for individual transfers, create records in bulk
Can be

4) Method by alternative means such as contract
Medical / long-term care business operator concludes a contract to provide goods or services to the person
However, when the contract is fulfilled, is the personal data of the other party of the contract a third party?
If you receive the offer, please use the contract and other documents created at the time of the offer.
Since it is possible to track the distribution of human data, we have the contract and other documents.
Can be recorded.
5) How to create a record on your behalf
Considering that both the provider and the recipient have the same record creation method and retention period
The provider may substitute all or part of the recipient's obligation to record (provide).
It should be noted that there are differences in the records of the person and the recipient. ). In this case
Even so, the provider and the recipient are not exempt from their obligations.
You have to build a system that is practically equivalent to the one that fulfills the obligation to create records by itself.
Not.
② Recorded items
1) Recipient's record items
50

Page 55

Medical / long-term care business operators receive personal data provided by a third party based on their consent
If so, the following items shall be recorded.
・ The fact that the consent of the person has been obtained
・ The name or name and address of a third party, and in the case of a corporation, the name of its representative
・ Background of acquisition of the personal data by a third party
・ Being able to identify the person's name and other persons identified by personal data
Term
・ Personal data items
③ Omission of recorded items
When the same "person"'s personal data is exchanged multiple times, the same
It is not necessary to record the contents in duplicate. Already "8. (3) Application of recording obligation"
It was recorded in the record created by the method specified in (only when it is actually saved).
If the item and the content are the same, the recording of the item may be omitted.
④ Storage period
Medical / long-term care providers must retain the created records for the period specified by the regulations.
Absent. It should be noted that the retention period differs depending on the method of creating the record.

Another way to create a record

Retention period

By alternative means such as contracts

Finally, the provision of personal data related to the record

If you make more records

One year has passed since the day of the event
Until the day

By the method of creating records in a batch

Finally, the provision of personal data related to the record

When creating a record

Three years have passed since the day of the event
Until the day

Other than the above

3 years

51

Page 56

9. Publication of matters related to retained personal data (Article 27 of the Act)

(Publication of matters related to retained personal data, etc.)
Article 27 of the Act The business operator handling personal information shall be concerned with the following matters regarding retained personal data.
And put it in a state that the person can know (including the case of replying without delay at the request of the person)
There must be.
(I) Name or name of the business operator handling personal information
(Ii) Purpose of use of all retained personal data (corresponding to Article 18, Paragraph 4, Items 1 to 3)
Except when )
(Iii) Request pursuant to the provisions of the following paragraph or Article 29, paragraph 1 or Article 30, paragraph 1 of the next article
Procedures for responding to requests pursuant to the provisions of paragraph (3) or paragraph (3) (according to the provisions of Article 33, paragraph (2))
When the amount of the fee is set, the amount of the fee is included. )
(Iv) In addition to the items listed in the preceding three items, it is necessary to ensure the proper handling of retained personal data.
Items specified by Cabinet Order
2 The business operator handling personal information uses the retained personal data that identifies the person concerned.
When requested to notify the target, the person must be notified without delay.
I. However, this does not apply if any of the following items apply.
(I) The purpose of use of the retained personal data that identifies the person concerned is clear according to the provisions of the preceding paragraph.
If
(Ii) When it falls under Article 18, paragraph 4, items 1 to 3
3 The business operator handling personal information is the purpose of use of the retained personal data requested based on the provisions of the preceding paragraph.
If you decide not to notify the person, you must notify the person without delay.
Must be.
(Necessary matters regarding ensuring proper handling of retained personal data)
Article 8 of the Ordinance The items specified by Cabinet Order under Article 27, Paragraph 1, Item 4 of the Act shall be as follows.
(I) To file a complaint regarding the handling of retained personal data by the business operator handling personal information.
(Ii) When the business operator handling personal information is a business operator subject to an authorized personal information protection organization
The name of the authorized personal information protection organization and the address to which the complaint can be resolved

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators are concerned with (a) the name of the business operator handling personal information regarding the retained personal data.
Or name, (a) Purpose of use of all retained personal data (Article 18, Paragraph 4, Items 1 to 3 of the Act)
Except for the exceptions specified above. ), (C) Notification and disclosure of the purpose of use of retained personal data,
Responsible for the method of procedures such as correction and suspension of use, and notification or disclosure of the purpose of use of retained personal data
The amount of the fee, (e) the person to whom the complaint is filed, etc., can be known by the person (in response to the person's request)
Including the case of replying without delay. ) Must be placed.
・ Medical / long-term care business operators use the retained personal data that identifies the individual.
When the target notification is requested, if the purpose of use is clarified by the above measures
And without delay, except for the exceptions to Article 18, Paragraph 4, Items 1 to 3 of the Act.
52

Page 57

Must be notified.
・ When a medical / long-term care business operator decides not to notify the purpose of use, it will contact the person himself / herself.
However, you must notify us without delay.
・ Personal information held before the enforcement of the law will be handled in the same way.
[Other matters]
・ Medical / long-term care business operators use, disclose, correct, and interest their personal data.
Method of procedures such as suspension of use, amount of fee related to notification or disclosure of purpose of use, destination of complaint
Etc., at least by posting in the hospital, in the business, etc., and on the homepage etc.
In addition to clarifying as much as possible, we will issue documents at the request of patients, users, etc.
Ensure a system that can respond to specific details when inquiries are received.

53

Page 58

10. Disclosure of retained personal data upon request from the person (Article 28 of the Act)

(Disclosure)
Article 28 of the Act The person is a retained individual who can identify the person to the business operator handling personal information.
Disclosure of data can be requested.
(2) When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it shall give a Cabinet Order to the person himself / herself.
The retained personal data must be disclosed without delay by the method specified in. Ta
However, if the disclosure falls under any of the following items, all or part of it
Can not be disclosed.
When there is a risk of harming the life, body, property or other rights and interests of the person or a third party
(Ii) There is a risk of significantly hindering the proper implementation of the business of the business operator handling personal information.
If
(Iii) When it violates other laws and regulations
3 The business operator handling personal information shall have all or all of the retained personal data pertaining to the request pursuant to the provisions of paragraph 1.
When it is decided not to disclose a part or the retained personal data does not exist
In that case, the person must be notified to that effect without delay.
4 According to the provisions of other laws and regulations, the method equivalent to the method prescribed in the main text of paragraph 2 for the person
It is supposed to disclose all or part of the retained personal data that identifies the person concerned.
In such cases, the provisions of paragraphs 1 and 2 shall apply to all or part of the retained personal data.
The fixed does not apply.
(How a business operator handling personal information discloses retained personal data)
Article 9 of the Ordinance The method specified by the Cabinet Order under Article 28, Paragraph 2 of the Act shall be the method of delivery of documents (disclosure).
If there is a method agreed by the person who made the request, the method) shall be applied.

(1) Principle of disclosure
The medical / long-term care business operator discloses the retained personal data that identifies the person from the person.
When a request is received, the insurance will be provided to the person without delay by means of delivery of a document, etc.
Yes Personal data must be disclosed.
(2) Disclosure exception
If the disclosure falls under any of the items of Article 28, Paragraph 2 of the Act, all or all of them
Some may not be disclosed. Specific examples are as follows.
(Example)
・ Regarding the situation of patients / users, family members and related persons of patients / users provide medical / long-term care services.
Patients / users without the consent of these persons when providing information to the workers
Relationship between patient / user and family / patient / user by providing the information to himself / herself
When there is a risk of harming the interests of these persons, such as deterioration of human relationships with them

54

Page 59

・ Even if the patient is fully informed about the symptoms, prognosis, treatment course, etc., the patient's book
When it has a serious psychological effect on a person and adversely affects the subsequent therapeutic effect, etc.

* It is necessary to make a specific and careful judgment regarding the application to individual cases. Well
In addition, when disclosing medical information, which is retained personal data, "related to the provision of medical information, etc."
It is also necessary to consider the contents of the "Guidelines".
[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators disclose retained personal data that identifies the individual.
When you receive a request, you must disclose the retained personal data to the person without delay.
It doesn't become. In addition, when there is no retained personal data that identifies the person concerned, that fact is known.
I will let you. However, by disclosing it, any of the items of Article 28, Paragraph 2 of the Act
If this is the case, all or part of it may not be disclosed.
・ II1. As described in, for example, some of the medical record information includes personal data held by the patient.
The part that has the duality of being the personal data held by the doctor who created the medical record
Although it is included, since the entire medical record is the patient's personal data in the first place, the patient
When there is a request for disclosure from the person, open all or part because of the duality
It cannot be shown. However, if any of the items in Article 28, Paragraph 2 of the Act applies
May not disclose all or part of it in accordance with the law.
-The method of disclosure shall be the method agreed by the person who issued the document or made the request.
・ Medical / long-term care business operators disclose all or part of the requested personal data.
If you decide not to do so, you must notify the person without delay.
I.
In addition, when notifying the person, he / she must try to explain the reason to the person.
It does not (see III13.).
・ If the provisions of other laws and regulations stipulate the disclosure of retained personal data, the relevant law
It shall be in accordance with the provisions of the Ordinance.

[Other matters]
・ If there is a request for disclosure from a person who can request disclosure, such as a legal representative, in principle, the patient will be affected.
After explaining to the person / user that the retained personal data will be disclosed, the legal representative
Etc. shall be disclosed.
・ Medical / long-term care business operators decide not to disclose all or part of their personal data
In that case, when explaining the reason to the person, it is basically shown in writing.
To do. It is also desirable to explain the system for responding to complaints.

55

Page 60

11. Correction and suspension of use (Articles 29 and 30 of the Act)

(Correction, etc.)
Article 29 of the Act The person is a retained individual who can identify the person to the business operator handling personal information.
If the content of the data is not true, correct, add or delete the content of the retained personal data (hereinafter
Below, in this article, it is referred to as "correction, etc." ) Can be requested.
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, it corrects the content.
Purpose of use, unless special procedures are stipulated by the provisions of other laws and regulations.
To the extent necessary to achieve the above, we will conduct the necessary investigation without delay, and based on the results, we will
The contents of the retained personal data must be corrected.
3 The business operator handling personal information shall have all the contents of the retained personal data pertaining to the request pursuant to the provisions of paragraph 1.
When making corrections, etc. for a part or part, or making a decision not to make corrections, etc.
In some cases, to that effect without delay to the person (when corrections are made, the contents are included).
Must be notified.

(Suspension of use, etc.)
Article 30 of the Act The person shall be able to identify the person himself / herself to the business operator handling personal information.
When the data is handled in violation of the provisions of Article 16 or in violation of the provisions of Article 17
If it was acquired, the use of the retained personal data will be suspended or deleted (hereinafter referred to as this).
In the article, it is called "suspension of use, etc." ) Can be requested.
2 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, the request shall be made.
When it turns out that there is a reason, to the extent necessary to correct the breach, without delay,
The use of the retained personal data must be suspended. However, the relevant individual de
If it costs a lot of money to suspend the use of data, it is difficult to suspend the use of other data.
In such cases, take necessary alternative measures to protect the rights and interests of the person.
At times, this is not the case.
3 The person is the second person to have the retained personal data that identifies the person to the business operator handling personal information.
If it is provided to a third party in violation of the provisions of Article 13, paragraph 1 or Article 24, the said
You can request the suspension of provision of retained personal data to a third party.
4 When a business operator handling personal information receives a request pursuant to the provisions of the preceding paragraph, the request shall be made.
When it becomes clear that there is a reason, we will provide the retained personal data to a third party without delay.
Must be stopped. However, due to the suspension of provision of the retained personal data to a third party
When it costs a lot of money and it is difficult to stop providing it to other third parties
Therefore, when taking necessary alternative measures to protect the rights and interests of the person, this is the case.
Not limited to.
5 The business operator handling personal information is not sure of all the retained personal data related to the request pursuant to the provisions of paragraph 1.
Or when the use of some parts is suspended or the decision not to suspend the use
Or all or part of the retained personal data pertaining to the request pursuant to the provisions of paragraph 3.
When the provision to a third party is stopped or the provision to a third party is not stopped
When a decision is made, the person must be notified without delay.
56

Page 61

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators are subject to the provisions of Article 29, Paragraph 2 or Article 30, Paragraph 2 or Paragraph 4 of the Act.
Suspension of provision to third parties, such as correction of retained personal data, suspension of use, etc.
If you receive a request for suspension and it is deemed appropriate, these requests
Measures must be taken.
・ However, for suspension of use, etc. and suspension of provision to third parties, a large amount of cost will be charged for suspension of use, etc.
In cases where it is difficult to take such measures, such as when it is necessary to do so, the rights and interests of the person are protected.
This shall not apply when taking necessary alternative measures to do so.
・ In the following cases, it is not necessary to take these measures.
(1) Even if there is a request for correction, etc., (a) A place where correction, etc. is not necessary from the viewpoint of the purpose of use
If (a) the indication that is incorrect is incorrect, or (c) the object of correction, etc. is not a fact and is related to the evaluation.
If the information is
(2) Even if there is a request to suspend the provision to a third party such as suspension of use, procedure violation etc.
If the indication is incorrect
・ When the medical / long-term care business operator takes the above measures or decides not to take them.
Must notify the person without delay. Also, notify the person
If so, you must try to explain the reason to the person (III13.
reference).
[Other matters]
・ Medical / long-term care business operators receive requests for corrections, suspension of use, etc., or suspension of provision to third parties.
When it is decided not to take these measures for all or part of the retained personal data
In that case, when explaining the reason to the person, it is basically shown in writing.
At that time, it is desirable to also explain the system for responding to complaints.
・ When correcting retained personal data, make sure that the person who made the correction, the content, the date and time, etc. are known.
Must be done.
-Do not falsify the words and phrases of the retained personal data.

57

Page 62

12. Procedures and fees for responding to requests for disclosure, etc. (Articles 32 and 33 of the Act)

(Procedures for responding to requests for disclosure, etc.)
Article 32 of the Act A business operator handling personal information shall make a request pursuant to the provisions of Article 27, paragraph 2 or 20.
According to the provisions of Article 8, Paragraph 1, Article 29, Paragraph 1 or Article 30, Paragraph 1 or Paragraph 3.
Regarding requests (hereinafter referred to as "requests for disclosure, etc." in this Article and Article 53, Paragraph 1)
The method of accepting the request or request can be determined by the provisions of a Cabinet Order.
To In this case, the person must make a request for disclosure, etc. in accordance with the method.
It doesn't become.
2 The business operator handling personal information is the subject of the request for disclosure, etc. to the person.
It is possible to request the presentation of matters sufficient to identify personal data. Smell in this case
Therefore, the business operator handling personal information can easily and accurately request disclosure, etc.
In consideration of the convenience of the person, such as the provision of information that contributes to the identification of the retained personal data.
Appropriate measures must be taken.
(3) Requests for disclosure, etc. may be made by an agent pursuant to the provisions of a Cabinet Order.
4 The business operator handling personal information establishes procedures for responding to requests for disclosure, etc. based on the provisions of the preceding three paragraphs.
In doing so, care must be taken not to impose an excessive burden on the person.
Absent.
(Commission)
Article 33 of the Act A business operator handling personal information shall notify the purpose of use pursuant to the provisions of Article 27, paragraph 2.
Or when a request for disclosure pursuant to the provisions of Article 28, paragraph 1 is received.
Fees may be collected for the implementation of such measures.
2 When collecting a fee pursuant to the provisions of the preceding paragraph, the business operator handling personal information shall take the actual cost into consideration.
The amount of the fee must be set within the range that is considered reasonable.
I.
(Method of accepting requests for disclosure, etc.)
Article 10 of the Ordinance A business operator handling personal information requests disclosure, etc. pursuant to the provisions of Article 32, Paragraph 1 of the Act.
Matters that can be determined as the method of acceptance shall be as follows.
(I) Request for disclosure, etc.
(Ii) Documents to be submitted when requesting disclosure, etc. (including electromagnetic records; Article 14, paragraph 1)
And the same shall apply in Article 21, paragraph 3. ) Form and other methods for requesting disclosure, etc.
(Iii) Confirmation that the person making the request for disclosure, etc. is the person himself / herself or the agent prescribed in the next article.
Law
(Iv) Method of collecting fees set forth in Article 33, paragraph 1 of the Act
(An agent who can request disclosure, etc.)
Article 11 of the Ordinance A fee for requesting disclosure, etc. pursuant to the provisions of Article 32, Paragraph 3 of the Act
The person in charge shall be the following agent.
58

Page 63

(I) Legal representative of a minor or an adult guardian
(Ii) An agent delegated by the principal to request disclosure, etc.

(1) Identification of information to be disclosed, etc.
Medical / long-term care-related businesses are subject to insurance for requests for disclosure, etc. to the person.
It is possible to request the presentation of matters sufficient to identify personal data, but in this case,
The retained personal data of the retained personal data so that the person can easily and accurately request disclosure, etc.
Provision of information that contributes to identification and other measures that take into consideration the convenience of the individual must be taken.
In addition, regarding the disclosure of retained personal data, etc., at the request of the person, etc., the retained personal data will be disclosed.
All or part of the data is covered, but the amount of personal data held by the person concerned is diverse and the amount of data is large.
If it is difficult or inefficient to disclose the entire book, such as when it is huge, medical / long-term care providers
Information that can be used as a reference to identify the range of information that a person requests for disclosure, etc. (state of past consultation)
We shall provide support in consideration of the convenience of the person, such as providing (changes in conditions, pathological conditions, etc.).

(2) Request for disclosure, etc. by an agent
Regarding disclosure of retained personal data, in addition to the person himself / herself, (1) the law of minors or adult guardians
Legal representative, (2) Requests for disclosure, etc. can be made by an agent entrusted by the principal.
it can.
[Matters to be observed according to the provisions of the law]
・ Medical / long-term care-related businesses have an excessive negative impact on the individual regarding requests for disclosure of retained personal data, etc.
We accept requests for the following matters to the extent that they do not impose a burden.
The method can be determined.
(A) Reception desk for requests for disclosure, etc.
(B) Acceptance of documents to be submitted when requesting disclosure, etc., and other requests for disclosure, etc.
Method
(C) Method of confirming that the person requesting disclosure, etc. is the person or his / her agent
(E) Collected when notifying the purpose of use of retained personal data or disclosing retained personal data
How to collect fees
・ Medical / long-term care-related businesses are subject to insurance for requests for disclosure, etc. to the person.
It is possible to request the presentation of matters sufficient to identify personal data, but in this case,
The retained personal data so that the person can easily and accurately request disclosure, etc.
It is necessary to take measures in consideration of the convenience of the person, such as providing information that contributes to the identification of the person.
・ Requests for disclosure of retained personal data, etc. are statutory for minors or adult guardians in addition to the person himself / herself.
It can be done by an agent, an agent delegated by the person to make the request, etc.
To
・ Medical / long-term care business operators are requested to notify the purpose of use of retained personal data, or
When requested to disclose retained personal data, a fee will be collected for the implementation of the measures.
In that case, within the range that is considered reasonable in consideration of the actual cost
The amount of the fee must be set.
59

Page 64

[Other matters]
・ Medical / long-term care business operators should take steps such as disclosure of retained personal data while paying attention to the following points.
It is desirable to determine.
(I) It is desirable that the method of requesting disclosure, etc. be in writing, but patients, users, etc. are free to request.
In order not to hinder the request, by providing a reason column in the document related to the request for disclosure etc.
Request a statement of the reason for requesting disclosure, etc. and ask the reason for requesting disclosure, etc.
Is inappropriate.
(I) Confirm that the person requesting disclosure, etc. is the person (or his / her agent).
(I) When there is a request for disclosure, etc., after listening to the opinions of the staff in charge such as the attending physician, promptly
Decide whether or not to disclose the retained personal data, etc., and request disclosure of this, etc.
Notify the person.
(I) When disclosing retained personal data, there is a possibility that each item of Article 28, Paragraph 2 of the Act may be applicable.
In that case, it will be examined by a review committee, etc. established to consider whether or not disclosure is possible.
After that, it is desirable to promptly decide whether or not to disclose.
(I) When disclosing retained personal data, the impact on daily medical / nursing care service provision, etc.
In consideration of the above, the date, time, place, method, etc. should be set within the range that does not impose an excessive burden on the person.
Can be specified.
・ If there is a request for disclosure, etc. from a person who can request disclosure, etc., such as an agent, in principle, the patient will be affected.
Request for disclosure after explaining to the person / user that the retained personal data will be disclosed.
Etc. shall be disclosed to the person who performed the above.
・ When there is a request from an agent, etc., ① Comprehensive that cannot grasp the specific intention of the person
Based on delegation made long before the request for disclosure, etc. is made
When a request is made, the person who made the request for disclosure, etc. and the person who made the disclosure when explaining to the person
Fully explain the contents of the retained personal data, confirm the intention of the person, and act as an agent
The appropriateness of the request, the scope of disclosure, etc. shall be dealt with based on the intention of the person.

60

Page 65

13. Explanation of reasons, prior request, response to complaints (Articles 31, 34 to 35 of the Act)

(Explanation of reason)
Article 31 of the Act The business operator handling personal information shall be Article 27, Paragraph 3, Article 28, Paragraph 3, and 20.
Measures requested or requested by the person pursuant to the provisions of Article 9, paragraph 3 or the preceding Article, paragraph 5.
When notifying that the measures will not be taken for all or part, or different from the measures
If you notify the person that you will take action, you must try to explain the reason to the person.
It doesn't become.
(Advance billing)
Article 34 of the Act The person himself / herself is Article 28, Paragraph 1, Article 29, Paragraph 1 or Article 30, Paragraph 1
Or, when attempting to file an action relating to a request pursuant to the provisions of paragraph 3, the defendant in that action
Make the request in advance to the person who should be, and two weeks from the date of arrival
Only after a lapse of time can the complaint be filed. However, the complaint
This shall not apply when the person who should be the defendant of the above refuses the request.
(2) The request set forth in the preceding paragraph shall be deemed to have arrived when the request should normally have arrived.
(3) The provisions of the preceding two paragraphs shall be Article 28, paragraph 1, Article 29, paragraph 1 or Article 30, paragraph 1.
Applies mutatis mutandis to the petition for provisional disposition order pertaining to the request pursuant to the provision of paragraph 3.
(Handling of complaints by business operators handling personal information)
Article 35 of the Act The business operator handling personal information shall appropriately and promptly make complaints regarding the handling of personal information.
You have to make an effort for proper processing.
2 Businesses handling personal information must endeavor to establish the system necessary to achieve the purpose set forth in the preceding paragraph.
Must be.

[Matters to be observed according to the provisions of the law]
・ Medical / long-term care business operators should be notified of the purpose of use of the retained personal data requested by the person, or
Will not take any measures for disclosure, correction, suspension of use, etc. requested by the person.
If you notify the person that you will take a measure different from that measure, tell the person the reason.
You must try to explain.
・ Medical / long-term care providers strive to respond appropriately and promptly to complaints regarding the handling of personal information.
I have to get it. In addition, medical / long-term care providers should respond appropriately and promptly to complaints.
In doing so, we will establish a window function for responding to complaints and establish procedures for responding to complaints.
We must make efforts to establish the necessary system.
[Other matters]
・ Medical / long-term care business operators should indicate in writing when explaining the reason to the person.
Is the basis. At that time, it is also necessary to explain the system for responding to complaints.
desirable.
・ Medical / long-term care providers set up a dedicated window when responding to complaints from patients / users.
61

Page 66

Patients and use, such as ensuring a consultation system by staff other than the staff in charge such as the staff and the attending physician
Strive to create an environment where people can easily consult.
・ Medical / long-term care providers respond to complaints from patients / users at the facility.
By posting on the hospital or office, or on the website, etc.
In addition to disseminating information to patients and users, local public organizations, local medical associations and national health
Patients and use of consultation counters for medical care and long-term care established by the Federation of Health Insurance Organizations, etc.
It is desirable to inform people.

62

Page 67

Ⅳ Review of guidance, etc.
1. 1. Review as needed
The way of thinking about the protection of personal information changes in response to changes in social conditions and public awareness.
It is thought that it will go. For this reason, the law, this guidance, and "Provision of medical information, etc."
Considering and reviewing this guidance as necessary, taking into account the operational status of the "Guidelines"
Shall be done.
2. 2. Creation and publication of casebooks that complement this guidance
The Personal Information Protection Commission and the Ministry of Health, Labor and Welfare are responsible for the protection of personal information in medical and long-term care businesses.
This guidance is to promote protection and ensure smooth response by medical / long-term care businesses.
Create a casebook that complements the above, and visit the website of the Personal Information Protection Commission and the Ministry of Health, Labor and Welfare.
To be announced.
* Regarding "guidance for the proper handling of personal information by medical / nursing-related businesses"
Q&A

63

Page 68

Appendix 1 Medical / nursing-related laws and regulations require medical / nursing-related businesses to create and store
Recording example

(Medical institutions, etc. (including medical staff))
1 Hospital / Clinic
・ Medical records [Article 24 of the Medical Practitioners Act, Article 23 of the Dental Practitioners Act]
・ Prescription [Medical Practitioners Law Article 22, Dental Practitioners Law Article 21, Medical Law Enforcement Regulations Article 20, Article 2
Article 1-5, Article 22-3, Article 22-7]
・ Anesthesia record [Medical Law Enforcement Regulations Article 1-10]
・ Midwifery record [Health nurse, midwife, nurse law, Article 42]
・ Irradiation record [Article 28 of the Radiological Technicians Act]
・ Records related to medical treatment
① In the case of hospital Prescription (repost), surgery record, nursing record, laboratory finding record,
Photograph of Kusu line, hospitalization medical plan [Medical Law Enforcement Regulations Article 20]
(2) In the case of regional medical support hospitals and special function hospitals In addition to (1) above, a letter of introduction and discharge
Summary of medical treatment progress during hospitalization for patients with medical care [Medical Law Enforcement Regulations Article 21-5,
Article 22-3]
(3) In the case of a core hospital for clinical research In addition to (1) above, the investment of medicines, etc. to the research subjects
Data and other records obtained from medical treatment [Medical Law Enforcement Regulations Article 22
7]
・ Dental hygienist business record [Article 18 of the Dental Hygienist Law Enforcement Regulations]
・ Dental Technician Instructions [Articles 18 and 19 of the Dental Technician Law]
2 Midwifery home
・ Midwifery record [Health nurse, midwife, nurse law, Article 42]
3 pharmacy
・ Prescription (fill in the fact that the drug was dispensed) [Pharmacist Law, Articles 26 and 27]
・ Dispensing record [Article 28 of the Pharmacists Act]
4 Sanitary inspection station
・ Consignment test management ledger, test result report ledger, grievance handling ledger [Law concerning clinical laboratory technicians, etc.
Law Enforcement Regulations Article 12, Paragraph 1, Item 15, Article 12-3]
5 Designated home-visit nursing care provider
・ Home-visit nursing care plan [Standards for personnel and operation of designated home-visit nursing business Article 17 Article 1
Item]
・ Home-visit nursing report [Standards for personnel and operation of designated home-visit nursing business Article 17 No. 3
Item]
6 Dental laboratory

64

Page 69

・ Dental Technician Instructions [Articles 18 and 19 of the Dental Technician Law]
(Long-term care business operators) * Including records that are expected to be preserved
1 Designated home-visit care provider
・ Home service plan (commonly known as care plan) [Personnel and equipment for designated home service and other businesses
And management standards Article 16]
・ Records of service provision (commonly known as care records, long-term care diary, business diary) [Designated home service
Article 19 of the standards for personnel, equipment and operation of businesses such as
・ Home-visit care plan [Standards for personnel, equipment and operation of businesses such as designated home services]
Article 24, Paragraph 1]

・ Records of complaints, etc. [Regarding personnel, equipment, and operation of businesses such as designated home services]
Standard Article 36, Paragraph 2]

2 Designated day care provider
・ Home service plan (commonly known as care plan) [Personnel and equipment for designated home service and other businesses
And management standards Article 105 (mutatis mutandis: Article 16)]
・ Records of service provision (commonly known as care records, long-term care diary, business diary) [Designated home service
Standards for personnel, equipment and operation of businesses such as S, etc. Article 105 (mutatis mutandis: Article 19)]
・ Outpatient long-term care plan [Standards for personnel, equipment and operation of businesses such as designated home services]
Article 99, Paragraph 1]
・ Records of complaints, etc. [Regarding personnel, equipment, and operation of businesses such as designated home services]
Standard Article 105 (mutatis mutandis: Article 36, Paragraph 2)]
3 Special elderly nursing home
・ Records of specific treatments, etc. [Regarding the equipment and operation of special nursing homes for the elderly]
Standards Article 9, Paragraph 2, Item 2]
・ Plan for treatment of residents [Standards for facilities and operation of special nursing homes for the elderly]
Article 14, Paragraph 1]
・ Records related to physical restraint, etc. [Standards for equipment and operation of special nursing homes for the elderly No. 1
Article 5, Paragraph 5]
・ Records of complaints, etc. [Standards for equipment and operation of special nursing homes for the elderly Article 29
Item 2]

65

Page 70

Appendix 2 Purpose of use expected in the normal business of medical / nursing-related businesses
(In the case of medical institutions, etc.)
[Purpose of use necessary to provide medical care to patients]
[Cases related to internal use in medical institutions, etc.]
・ Medical services provided by the medical institution to patients, etc.
・ Medical insurance office work
・ Of the management and operation work of medical institutions related to patients
-Ward management such as hospitalization and discharge
-Accounting / Accounting
-Report of medical accidents, etc.
-Improvement of medical services for the patient
[Cases involving the provision of information to other businesses]
・ Of the medical services provided by the medical institution to patients, etc.
-With other hospitals, clinics, maternity homes, pharmacies, home-visit nursing stations, nursing care service providers, etc.
Cooperation
-Answer to inquiries from other medical institutions, etc.
-When seeking the opinions and advice of outside doctors when treating patients
-Consignment of sample testing business and other business consignment
-Explanation of medical conditions to family members
・ Of the medical insurance affairs
-Consignment of insurance affairs
-Submission of receipt to examination and payment institution
-Answer to inquiries from examination and payment institutions or insurers
・ Results to the business operator, etc. when a medical examination, etc. is conducted on behalf of the business operator, etc.
Notification of
・ Consultation or notification to medical organizations, insurance companies, etc. related to medical liability insurance, etc.
etc
[Purpose of use other than the above]
[Cases related to internal use in medical institutions, etc.]
・ Of the management and operation work of medical institutions, etc.
-Basic materials for maintaining and improving medical / nursing services and operations
-Cooperation for student training conducted inside medical institutions, etc.
-Case studies conducted inside medical institutions, etc.
[Cases involving the provision of information to other businesses]
・ Of the management and operation work of medical institutions, etc.
-Providing information to external auditing organizations

66

Page 71

(For long-term care providers)
[Purpose of use required to provide long-term care to users of long-term care services]
[Cases related to internal use by long-term care providers]
・ Nursing care services provided by the company to users of nursing care services, etc.
・ Long-term care insurance office work
・ Of the management and operation work of business establishments related to users of long-term care services
-Management of entrance and exit, etc.
-Accounting / Accounting
-Report of accidents, etc.
-Improvement of long-term care services for the user
[Cases involving the provision of information to other businesses]
・ Of the long-term care services provided by the business operator to users, etc.
-Other home service providers that provide home services to the user and home care support services
Cooperation with business establishments (service staff meetings, etc.), response to inquiries
-Other business consignment
-Explanation of physical and mental conditions to family members
・ Of the long-term care insurance office work
-Consignment of insurance affairs
-Submission of receipt to examination and payment institution
-Answer to inquiries from examination and payment institutions or insurers
・ Consultation or notification to insurance companies related to liability insurance, etc.
[Purpose of use other than the above]
[Cases related to internal use by long-term care providers]
・ Of the management and operation work of long-term care-related businesses
-Basic materials for maintaining and improving long-term care services and operations
-Cooperation for student training at long-term care insurance facilities, etc.

67

Page 72

Appendix 3 Main cases assumed in the normal business of medical / long-term care-related businesses (when required by law)
(In the case of medical institutions, etc.)
○ By law, what is specified as an obligation that medical institutions (including medical staff) should do
・ Notification to the prefectural governor, etc. when a doctor diagnoses a patient with an infectious disease (prevention of infectious diseases)
Article 12 of the Medical Care for Patients with Infectious Diseases)
・ Performed by the manager of a hospital, etc. based on a request from a person who has obtained manufacturing and marketing approval for a product derived from a specific organism.
Providing records of patients using the product (Article 68-22, Paragraph 4 of the Pharmaceuticals and Medical Devices Act)
・ Proper use of pharmaceutical products by pharmaceutical manufacturers, distributors, etc. by medical personnel such as doctors and pharmacists
Cooperation in collecting information necessary for this purpose (Article 68-2, Paragraph 2 of the Pharmaceuticals and Medical Devices Act)
・ Reports of side effects and infectious diseases of pharmaceutical products to the Minister of Health, Labor and Welfare conducted by medical personnel such as doctors and pharmacists (medical doctors)
Article 68-10, Paragraph 2 of the Pharmaceutical and Medical Devices Act)
・ Involved with the specified medical device user to the person who obtained the manufacturing and sales approval of the specified medical device by a doctor, etc.
Provision of information (Article 68-5, Paragraph 2 of the Pharmaceuticals and Medical Devices Act)
・ Report of side effects and infectious diseases of the drug under investigation to the Minister of Health, Labor and Welfare conducted by the person conducting the clinical trial (pharmaceutical doctor)
Medical Equipment Law, Article 80-2, Paragraph 6)
・ If there is any doubt during the prescription, the pharmacist will make a question inquiry to the doctor (drug).
Master Law Article 24)
・ Information provided by the pharmacist to the patient or the person who is actually nursing at the time of dispensing (medicine)
Article 25-2 of the Yakushi Law)
・ Notification to the prefectural governor when a doctor diagnoses a drug addict (Narcotics and psychotropic drug control)
Law Article 58-2)
・ When an insurance medical institution or an insurance pharmacy intends to claim expenses for medical treatment benefits, etc.
Submission of medical fee bills, statements, etc. to examination and payment institutions (Health Insurance Law, Article 76, etc.)
・ When the patient meets certain requirements, such as when it is deemed difficult to leave the hospital due to family circumstances, etc.
Notification to health insurance associations, etc. by insurance medical institutions (insurance medical institutions and insurance medical care)
Article 10 of this rule, etc.)
・ When there is an inquiry from another medical institution to an insurance doctor regarding the illness of the patient who has been treated
Response (Insurance medical institution and insurance medical care regulations Article 16-2, etc.)
・ Providing information between insurance doctors and long-term care health facility doctors regarding medical care for facility residents (Geriatric Health Insurance)
Medical treatment according to the provisions of the Health Law, handling of medical treatment related to dietary medical expenses and specific medical expenses at the time of admission, and
Criteria for charge Article 19-4)
・ When a patient requests the issuance of a home-visit nursing instruction, the home-visit nursing selected by the patient
Delivery to stations and guidance in response to consultations from home-visit nursing stations, etc. (insurance medical care)
Institutions and insurance medical care regulations Article 19-4, etc.)
・ Health insurance association conducted by insurance pharmacies when patients receive medical treatment benefits due to fraudulent activities
(Article 7 of the rules for medical treatment of insurance pharmacies and pharmacists)
・ Notification of sterilization surgery or abortion surgery results to the prefectural governor by doctors (maternal insurance)
Article 25 of the Dharmapala)
・ Notification to child guidance centers, etc. by a person who finds a child who seems to have been abused (child abuse

68

Page 73

Law on Prevention, etc. Article 6)
・ Notification to child guidance centers, etc. by persons who find children requiring protection (Article 25 of the Child Welfare Act)
・ Provision of materials to the court when the administrator of the designated hospitalized medical institution makes a petition (state of mental and physical loss, etc.)
Law Concerning Medical Care and Observation, etc. of Persons Who Have Performed Serious Other Harmful Acts (Article 25 of the Medical Observation Law)
・ Providing information such as appraisal results by mental health judgment doctors ordered by the court (Medical Observation Law)
Article 37, etc.)
・ Provision of information on unauthorized evictions to the police chief by the manager of a designated hospitalized medical institution (medical observation)
Law Article 99)
・ Notification to the director of the protection observation center by the administrator of the designated outpatient medical institution (Article 110 of the Medical Observation Law)
Article 111)
・ Measures for prefectural governors by the manager of a mental hospital Regular medical condition reports related to hospitalization (mental health)
Welfare Law Article 38-2)
・ Report of medical condition of protected person to prefectures / municipalities by designated medical institution (Public Assistance Act Article 50,
Designated medical institution medical care regulations Article 7, Article 10)
・ The first diagnosis of primary cancer at the hospital, etc. is performed by the administrator of the hospital, etc.
Notification to the prefectural governor in such cases (Article 6 of the Act on Promotion of Cancer Registration, etc.)
・ Important for securing cancer medical care in hospitals and other areas that provide specialized cancer medical care
Providing information to the national government in the in-hospital cancer registration business by the founders and managers of hospitals that play a role
(Article 44 of the Act on Promotion of Cancer Registration, etc.)
○ By law, it is clearly stated as a matter that medical institutions (including medical staff) can voluntarily do.
What is
・ Spouse violence counseling support center by a person who finds a person injured or sick due to violence from a spouse
Report to the police or the police (Article 6 of the Act on Prevention of Violence from Spouses and Protection of Victims)
○ Those who are indirectly obliged to respond to the collection of reports and on-site inspections by government agencies, etc.
・ Correspondence to on-site inspections by medical observers, pharmaceutical affairs observers, prefectural staff, etc. (Article 25 of the Medical Care Act)
And Article 63, Article 69 of the Pharmaceuticals and Medical Devices Act, Article 20-5 of the Act on Clinical Laboratory Engineers, etc.)
・ Response to reporting orders issued by the Minister of Health, Labor and Welfare, prefectural governors, etc. (Articles 25 and 63 of the Medical Care Act,
Article 69 of the Pharmaceuticals and Medical Devices Act, Articles 60, 78 and 94 of the Health Insurance Act)
・ Responding to information provision requests from managers of designated medical institutions (Article 90 of the Medical Observation Law)
・ Responding to requests for cooperation from the director of the protection observation station (Article 101 of the Medical Observation Law)
・ Cooperation between related organizations by exchanging information with the director of the protection observation station (Article 108 of the Medical Observation Law)
・ Report of core statistical survey (Article 13 of the Statistical Law)
・ Correspondence to report collection performed by the examination committee of the Social Insurance Medical Fee Payment Fund (Payment of Social Insurance Medical Fee)
Fund Law Article 18)
・ Cooperation in viewing the original medical records by monitors, auditors, clinical trial review committees, etc. (for pharmaceutical products)
Ministerial Ordinance on Standards for Conducting Clinical Trials, Article 37)

69

Page 74

(For long-term care providers)
○ By law, it is clearly stated as an obligation that long-term care providers (including long-term care service workers) should do.
What is
・ Communication, introduction, etc. between businesses when it is difficult to provide services (designated criteria, "equipment of special nursing home for the elderly"
And management standards "(hereinafter referred to as" minimum standards "))
・ Cooperation with home care support companies (designated standard, minimum standard)
・ Notification to municipalities when the user is receiving insurance benefits due to deception or other wrongful acts
(Designation standard)
・ Contact the doctor in charge when a sudden change in the medical condition of the user occurs (designation standard)
○ Those who are indirectly obliged to respond to the collection of reports and on-site inspections by government agencies, etc.
・ Responding to requests from municipalities for submission of documents, etc. (Article 23 of the Long-Term Care Insurance Law)
・ Response to reporting orders, presentation orders for books and documents, etc. by the Minister of Health, Labor and Welfare or the prefectural governor (nursing care)
Insurance Law Article 24)
・ Response to on-site inspections by the prefectural governor or the mayor of the municipality (Articles 76 and 78 of the Long-Term Care Insurance Law)
7, Article 83, Article 90, Article 100, Article 115-7, Article 115-17, Article 115
27, Article 115-33, Article 115-45-7, Old Nursing Care Insurance Law (part of Health Insurance Law, etc.)
(Act No. 83 of 2006) Supplementary Provisions Article 130-2, Paragraph 1
It refers to the Long-Term Care Insurance Law before amendment pursuant to the provisions of Article 26 of the same law, which is deemed to have its effect. )
Article 112, Act on Social Welfare for the Elderly Article 18)
・ Cooperation with municipalities to investigate complaints from users (designated standards, minimum standards)
・ Contact the municipalities in the event of an accident (designated standards, minimum standards)

70

Page 75

Appendix 4 Medical qualifications, confidentiality obligations related to long-term care service employees, etc.
(Medical qualification)
Qualification name

Basis law

Doctor

Article 134, Paragraph 1 of the Criminal Code

Dentist

Article 134, Paragraph 1 of the Criminal Code

pharmacist

Article 134, Paragraph 1 of the Criminal Code

Public health nurse

Public Health Nurse Midwifery Nurse Law Article 42-2

Midwife

Article 134, Paragraph 1 of the Criminal Code

nurse

Public Health Nurse Midwifery Nurse Law Article 42-2

Associate nurse

Public Health Nurse Midwifery Nurse Law Article 42-2

Radiological technologist

Article 29 of the Radiological Technicians Act

Clinical laboratory technician Article 19 of the Law Concerning Clinical Laboratory Engineers, etc.
Public health laboratory technologist
Article 19 of the Law Concerning Clinical Laboratory Engineers, etc.
physical therapist

Physical Therapist and Occupational Therapist Law Article 16

Occupational therapist

Physical Therapist and Occupational Therapist Law Article 16

Orthoptist

Article 19 of the Orthoptist Law

Clinical engineer

Article 40 of the Clinical Engineering Engineer Law

Prosthetist

Article 40 of the Prosthetics and Orthotics Law

Paramedic

Paramedic Law Article 47

Speech therapist

Article 44 of the Speech and Language Therapist Law

Dental hygienist

Article 13-6 of the Dental Hygienist Law

Dental technician

Dental Technician Law Article 20-2

Anma Massage Shiatsushi

Anma Matsusurge Shiatsushi, Acupuncturist, Moxibutionist, etc.
Article 7-2

Acupuncturist

Anma Matsusurge Shiatsushi, Acupuncturist, Moxibutionist, etc.
Article 7-2

Moxibutionist

Anma Matsusurge Shiatsushi, Acupuncturist, Moxibutionist, etc.
Article 7-2

Judo rehabilitation teacher

Judo Rehabilitation Law Article 17-2

Mental health social worker

Article 40 of the Psychiatric Social Worker Law

[Examples of laws and regulations related to confidentiality]
○ Article 134 of the Criminal Code
For doctors, pharmacists, drug distributors, midwives, lawyers, lawyers, notaries or these positions
Someone who knew what he had done in the business without a good reason
If the secret is leaked, it shall be punished by imprisonment with work for not more than 6 months or a fine of not more than 100,000 yen.
○ Public Health Nurse Midwifery Nurse Law Article 42-2
71

Page 76

A public health nurse, a nurse or an associate nurse may keep the secret of a person who has learned in the course of his / her work without a justifiable reason.
Do not leak. The same applies even after you are no longer a public health nurse, nurse or associate nurse.
To do.
(Nursing care service providers, etc.)
Businesses, etc.

Basis law

Needs long-term care under the consignment
Long-Term
of the municipality
Care Insurance Law Article 27 Paragraph 4
Person who certifies
Employees / jobs of each service establishment
・ For personnel, equipment and operation of businesses such as designated home services
Member

Criteria for
・ Personnel, equipment and luck of businesses such as designated care prevention services
Care prevention related to business and designated care prevention services, etc.
Criteria for effective support methods for
・ Personnel, equipment and luck of designated community-based service business
Standards for business
・ Personnel and installation of designated community-based care prevention service business
Responsible for equipment and operation and designated community-based preventive services
Basics on effective support methods for preventive care
Semi
・ Regarding personnel and management of businesses such as designated home care support
Criteria
・ Personnel and management of businesses such as designated care prevention support and fingers
Effective for preventive care related to regular care preventive support, etc.
Criteria for support methods
・ Regarding personnel, equipment and operation of designated long-term care welfare facilities for the elderly
Criteria
・ Personnel, facilities and equipment and operation of Long-Term Care Health Facility
Criteria for
・ Regarding personnel, equipment and operation of designated nursing care type medical facilities
Criteria to do
・ Standards for equipment and operation of special nursing homes for the elderly

[Examples of laws and regulations related to confidentiality]
○ Standards for personnel, equipment and operation of businesses such as designated home services
Article 33 Employees of designated home-visit nursing care establishments have no justifiable reason, and the profits they have learned in the course of their work
Do not divulge the secrets of the user or his family.
2 The designated home-visit care business operator is a person who was an employee of the designated home-visit care business operator.
Do not divulge the secrets of users or their families that you have learned in the course of your business.
The necessary measures must be taken.

72

Page 77

Appendix 5 Related guidelines in the field of medical research
○ "Ethical Guidelines for Human Genome / Gene Analysis Research" (December 28, 2004, Ministry of Education, Culture, Sports, Science and Technology)
Ministry of Health, Labor and Welfare / Ministry of Economy, Trade and Industry Notification No. 1)
○ "Guidelines for clinical research such as gene therapy" (December 28, 2004, Ministry of Education, Culture, Sports, Science and Technology, Ministry of Health, Labor and Welfare)
Ministry Notification No. 2)
○ "Ethical Guidelines for Medical Research for Humans" (2014 Ministry of Education, Culture, Sports, Science and Technology / Ministry of Health, Labor and Welfare notification)
Show No. 3)

Appendix 6 UNESCO International Declaration, etc.
○ "International Declaration on Human Genetic Information" (UNESCO October 16, 2003)
○ "Guidelines for genetic testing and diagnosis in medical care" (February 2011, Japanese Medicine)
Meeting)

73

