September 10, 2004,Vol. 15, No. 10-11 ISSN 1346-5317

Senior Vice-Minister TABATA also had a bilateral meeting with Mr. VirgilioL. Pena, Chairman of the Commission on Information and Communications Technology(CICT) of the Republic of the Philippines, during which they exchangedviews on strengthening the relationship between the two countries acrossthe entire ICT field, including the penetration of broadband access. At this meeting, notes on cooperation in the ICT field were exchanged bythe ministers.

[Outline]

1. To date, the ICT ministers from 10 Member Countries of ASEANhas been holding the "ASEAN Telecommunications and IT Ministers Meeting(ASEAN TELMIN)"; this time, the first "ASEAN + 3 Telecommunications andIT Ministers Meeting" has added to the ASEAN TELMIN framework.
2. At ASEAN TELMIN + 3, toward development of telecommunications andIT in the ASEAN region, discussions were made on measures, etc. for promotingpreparation of broadband platforms, capacity building, etc., subsequentlythe ministers reached a common recognition that cooperation between ASEANand China, Japan and Korea should be further strengthened.
3. At ASEAN TELMIN + 3, Senior Vice-Minister TABATA, in line with the"Asia Broadband Program," introduced Japan's cooperative efforts to developICT in the ASEAN region, and stressed the significance of strengthenedcollaborative ties between ASEAN and the three countries, Japan, Chinaand Korea.
4. Furthermore, Senior Vice-Minister TABATA had a separate meetingwith Mr. Virgilio L. Pena, Chairman of Philippine CICT, during which theyexchanged views on strengthening the relationship between the two countriesacross the entire ICT field, including the penetration of broadband accessand the digital divide.  At this meeting, notes on cooperation inthe ICT field were exchanged by the ministers.

Note: ASEAN (Association of Southeast Asian Nations) is a regional organizationfor development cooperation.  Its 10 Member Countries are Brunei Darussalam,Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailandand Vietnam.

2. Contents of the draft amendment to the CurrentGuidelines
It is appropriate that the Guidelines after the amendment shall employterms and definitions as consistent as may be with the "Law Concerningthe Protection of Personal Information" and include the following provisions:

i) Expressly defined security management measures to be takenby telecommunications carriers

a) Management of access to personal information
b) Restrictions on taking personal information out of the office
c) Measures for preventing illegal access

ii) To give a necessary training course to employees
iii) To designate a person in charge of handling personal information
iv) Development and disclosure of a privacy policy (a declaration ofa telecommunications carrier or ISP on guidelines for handling personalinformation)
v) To appropriately and swiftly process complaints concerning handlingof personal information
vi) Upon leakage, etc. of personal information, to take such measuresas a notice to the person concerned, release of facts thereof, etc.

3. Henceforth, MPHPT is, basedupon the interim report, requested to i) amend the Current Guidelines,ii) appropriately inform telecommunications carriers of the amended Guidelines,and iii) take measures necessary for ensuring proper handling of personalinformation in operations of telecommunications business.  Each telecommunicationscarrier is, in line with the amended Guidelines, expected to properly handlepersonal information so as to respond to higher expectations of Japanesenationals and users for proper handling of personal information.

1. The Study Group of MPHPT has compiled a "basic frameworkfor protecting personal information in the broadcasting field," describinga basic concept concerning protection of personal information, such asdesirable guidelines for protecting personal information in the broadcastingfield.

2. Furthermore, upon compilation of the "basic framework for protectingpersonal information in the broadcasting field," MPHPT invited public commentsconcerning a "basic framework (a draft) for protecting personal informationin the broadcasting field" from July 2 through 30, 2004, and received atotal of 56 comments from 12 persons. 

3. With specific characteristics and the reality of the broadcastingfield as a backdrop, the "basic framework for protecting personal informationin the broadcasting field" describes: i) basic concepts, considering usefulnessof personal information in the broadcasting field, concerning protectionof personal information, ii) "guidelines (draft) for protecting personalinformation of viewers/listeners" containing duties, etc. for broadcasters,etc. who handle personal information of a given scale of viewers/listeners,etc., including basic compliance requirements on handling of personal informationof viewers/listeners, etc., and iii) explanations, etc. on the Guidelinesand intentions of the provisions thereof.

The Study Group will continue to deliberate upon a security managementmeasure, procedures for processing complaints/individual access, rolesto be expected to play by organizations, etc. of relevant industries andcompliance with laws and regulations governing broadcasting.
Taking this framework into consideration, MPHPT disclosed guidelinesfor protecting personal information in the broadcasting field in August2004.
 

1. Increase in the number of personal informationhandled in the broadcasting field
 

Number of reception contracts of NHK: 38.16 million

Number of household subscription to cable TV: 24.68 million

Number of total subscribers to SKY PerfecTV! and SKY PerfecTV! 110: 3.69million

Number of reception contracts of WOWOW: 2.52 million

Number of registrations for interactive services: 1.87 million

Number of color TV units: approx. 80 million

2. Increase in number of criminal casesof personal information leakage
 

BS-i Inc. case: announced in June 2004

JAPANET TAKATA Co., Ltd. case: announced in March 2004

Number of inquiries concerning malicious fictional bills (fraudulent anddeceptive bills) (National Consumer Affairs Center of Japan): from 2,505(during April 2000 through April 2002) to 162,391 (during April 2002 throughApril 2004)

3. Enactment of the "Law Concerning theProtection of Personal Information"
 

Promulgation of the "Law Concerning the Protection of Personal Information"and partial enforcement thereof (May 2003)

Additional resolutions (May 2003)

House of Representatives: "....with respect to areas,including information and communications, where Japanese nationals arerequesting the protection of personal information at a higher level, theGovernment shall consider an individual law as soon as possible in orderto protect personal information which is especially required that appropriatehandling of personal information be strictly implemented."

House of Councillors: "....with respect to areas, including informationand communications, where Japanese nationals are requesting the protectionof personal information at a higher level, the Government shall consideran individual law as soon as possible in order to protect personal informationwhich is especially required that appropriate handling of personal informationbe strictly implemented.  Upon full-scale enforcement of this Law,a concrete conclusion at least to some extent shall be reached."

Measures to be taken by MPHPTfor protecting personal information in the broadcasting field
 

• Development of guidelines for protecting personal information in the broadcastingfield
•  (Guidelines stipulating matters for i) defining details of the "LawConcerning the Protection of Personal Information" and relevant regulationsand ii) ensuring effectiveness of protection of personal information basedon characteristics of the broadcasting field)
• Explanation on those guidelines
• Indication of security management measures, practical examples of variousprocedures for broadcasters, etc. (To be continued to be deliberated upon)
• Measures concerning roles to be expected to play by organizations, etc.of relevant industries (To be continued to be deliberated upon) 
• Response in compliance with laws and regulations governing broadcasting(To be continued to be deliberated upon) 
• Others (To be continued to be deliberated upon) 

Characteristics of the broadcastingfield to be considered upon development of the guidelines

1. Enormity of data volume of personal informationhandled
 

• Penetration of broadcasting under the Broadcast Law
• Obligation of a person installing a receiving unit to conclude a receptioncontract (personal information of a person who concluded a reception contract,personal information of a person who has not concluded a reception contract)
• Expansion of broadcasting services and interactive services, accompaniedby contracts (personal information of persons who concluded reception contracts,registered persons of interactive services)

2. Penetration of broadcasting into nationallives
 

• Information obtained through broadcasting penetrating into national livesincluding those of households and individuals (information obtained throughtwo-way services and tele-shopping interacting with broadcasting)
• High-performance receiving units interconnected to networks   information obtained through functions of TV units that have already penetratedinto Japanese nationals including households and individuals (informationobtained through the use of IC cards, etc. without being recognized byviewers)

3. Handling of information individuallyand directly relating to personal tastes and assets
 

• Information relating to personal and individual tastes:.. Records on broadcastprogramming watched by individual viewers
• Information directly relating to personal assets:.. Account numbers, creditcard numbers, etc.

4. Drastic development in technologicalinnovations
 

• High-performance and multiple functions of receiving units utilizing resultsof technological innovations including digitalization
• Advanced methods for threatening security of personal information accompaniedby development in ICT

Note: With respect to press, authorship, etc., in accordance with theprovisions of Article 50 of the Law Concerning the Protection of PersonalInformation, the provisions pertaining to business activities on companieshandling personal information are waived.

Outline of the "guidelinesfor protecting personal information of viewers/listeners (draft)"

1. By clarifying duties, etc. for broadcasters, etc. who handle personalinformation of viewers/listeners, etc., including basic compliance requirements,the "guidelines for protecting personal information of viewers/listeners(draft)" aim at:

1) Protecting personal rights and interests while consideringutility of personal information (the Law Concerning the Protection of PersonalInformation); and
2) Contributing to the sound development of broadcasting (the BroadcastLaw, etc.).

2. Basic matters to be considered
According to the following matters, broadcasters, etc. shall make efforts to appropriately handle personal information of viewers/listeners, etc.
 

i) Specification of purposes to use such information and Restrictions on the use for purposes other than the purposes for which the information was collected ii) Appropriate collection iii) Ensuring accuracy iv) Considering security management measures v) Considering individual access		Companies handling information on viewers/listeners, etc. Note: Referring to Companies handling personal information who provide personal information databases, etc. on viewers/listeners, etc. for the use of their business
		Persons who provide small-scale personal information databases, etc. for the use of their business

3. Obligations, etc. of companies handling information on viewers/listeners,etc.

1) Provisions on handling of personal information (except thoserelated to complaint processing) (Articles 4 through 8)
2) Provisions on handling of personal information in possession (Articles9 through 19)
3) Provisions on processing of complaints on personal information (Articles20 through 26)
4) Provisions on handling of personal information (Article 27)
5) Provisions on development and announcement of basic guidelines (Article28)
6) Provisions on announcement, etc. of facts, etc. concerning leakage,etc. (Article 29)

   Tothe extent necessary for enforcing the provisions of Chapter IV of theLaw Concerning the Protection of Personal Information, there may be caseswhere the following measures are taken:

- Collection of reports by the Minister for Public Management,Public Affairs, Posts and Telecommunications (Article 32 of the Law Concerningthe Protection of Personal Information)
- Advice from the Minister (Article 33 of the Law Concerning the Protectionof Personal Information)

   Uponviolation, there are the penal provisions that may apply to such cases:

- Recommendation from the Minister (Article 34 paragraph (1)of the Law Concerning the Protection of Personal Information)
- Order from the Minister (Article 34 paragraph (2) or (3) of the LawConcerning the Protection of Personal Information)

4. Others

1) Provisions on waiver of press, authorship, etc. (Article30)
2) Provisions on effective date (April 1, 2005) (Supplementary ProvisionsArticle 1)
3) Provisions on transitional measures (Supplementary Provisions Articles2 through 5)
4) Provisions on consideration, etc. on review of the guidelines afterone year from the effective day (Supplementary Provisions Article 6)

Obligations, etc. of companieshandling information on viewers/listeners, etc.
1) Provisions on handling of personal information (except thoserelated to complaint processing) (Articles 4 through 8)

i) Specification of purposes to use such information and restrictionson the use for purposes other than the purposes for which the informationwas collected (Articles 4 and 5)
Upon handling of personal information, companies handling informationon viewers/listeners, etc. shall clearly specify the purpose for use, and,in principle, shall not use the information, without consent from the personconcerned, beyond the scope necessary for achieving the purpose.

[Examples of specified purposes for the use]

Allowed: Collection of charges for paid broadcasting services
Not allowed: Improvement of paid broadcasting services
Allowed: Provision of information on Internet access services
Not allowed: Provision of information on various services

ii) Restrictions on collection (Articles 6 and 7)
Ban on collection of personal information beyond the scope necessaryfor business activities (records on broadcast programming watched by specificindividuals, account numbers, etc. shall not be collected beyond the scopenecessary for collecting charges, et6c.).  Ban on information collectionthrough unlawful measures.

iii) Upon collection of personal information, the purpose for whichthe information is being collected shall, in principle, be informed tothe person concerned.

2) Provisions on handling of personal information in possession(Articles 9 through 19)

i) Ensuring accuracy of data (Article 9)
Personal data (personal information comprising databases, etc.) shallbe kept accurate and up to date.

ii) Security management measures (Articles 10 through 17)

(i) Establishment of a security management director
(ii) Development of security management rules
(iii) Review of security management rules
(iv) Control of entrance and exit of a place where records are kept(including limitations on persons who are allowed to enter the place)
(v) Control of the use of computers for access
(vi) Control of taking out data from the place (including limitationson methods to take out)
(vii) Access control (including i. limitations on persons entitledto have access, ii. authentication, and iii. maintenance of access records)
(viii) Prevention of losses, theft, etc.
(ix) Measures for protecting unauthorized access
(x) Encryption, etc. of records on broadcast programming watched byspecific individuals, account numbers, etc.
(xi) Supervision of workers
(xii) Education, etc. of workers on sharing of responsibilities
(xiii) Education, etc. of workers on appropriate handling of personaldata
(xiv) Establishment of standards for selecting consignors
(xv) Appropriate selection of consignors
(xvi) Supervision of consignors
(xvii) Ensuring confidentiality at consignors through consignment contracts
(xviii) Ensuring security management measures consignors through consignmentcontracts
(xix) Ensuring standards for selecting re-consignors at consignorsthrough consignment contracts
(xx) Ensuring appropriate selection of re-consignors at consignorsthrough consignment contracts
(xxi) Ensuring supervision of re-consignors through consignment contracts
(xxii) Review of consignment contracts

iii) Limitations on provision of personal data to a third party(Article 18)
Upon provision of personal data to a third party, in principle, consentfrom the person concerned shall be given.
[Exceptions]

(i) Cases where required by law, including cases where theMinister request reports, etc.
(ii) Cases where necessary for safeguarding a person's life, limb andproperty (when it is difficult to obtain consent from the person concerned)
(iii) Cases where especially necessary for improvement of public healthand sound nurturing of children (when it is difficult to obtain consentfrom the person concerned)
(iv) Cases where requiring cooperation from the government, includingadministrative instructions, etc.
(v) Cases where the provision of information to a third party has suspendedby a request from the person concerned, after a prior notice to said personof the personal information to a certain level
(vi) Cases where handling of personal data is to be consigned
(vii) Cases where a business is succeeded to through merger, etc.
(viii) Cases of shared use of personal data after a prior notice tothe person concerned of the personal information to a certain level

iv) Setting forth the period for which personal data are kept anddeletion after the period (Article 19)
The period for which personal data are kept shall be set forth andthe personal data shall be deleted after the period has elapsed.
(The period of keeping records on broadcast programming watched byspecific individuals, account numbers, etc. shall be minimal necessaryfor collecting charges, etc.)

3) Provisions on handling of personal information being kept(Articles 20 through 26)
When the person concerned has requested the disclosure, correctionof personal information being kept, suspension of use thereof, etc., itis vital to meet the request by following given procedures, etc.

4) Provisions on processing of complaints on personal information(Article 27)