Terrie's Job Tips -- Information Security – Part Two: Commonly Asked Questions

Until recently, Japan has not been particularly serious about personal information and the security of that information. Part of the reason was that people trusted each other, and another part was that even if someone did get their hands on a personal information list, the most they could do with it was to sell it to one of the underworld list brokers – something that the average person would never consider.

However, that was then. Nowadays, the existence of the Internet means that any misappropriated personal information can be quickly uploaded and seen by millions of people, or misused to impersonate or harass them. It was with this thought in mind that Japan initiated its now fairly strict personal information control laws in 2003, fully implemented in 2005, which have caused most companies and employees to become much more aware of the need to protect such information.

In fact, I’d have to say that there has now been some degree of over-reaction, and many employers and employees alike are worried that almost any information appears to be personal. If this is so, then how can one conduct database marketing and other consumer-sales business? Certainly it is true that the Protection of Personal Information act states that information is personal if it can identify a specific person – which might mean their name, their email if sufficiently descriptive, or even online data patterns that might enable a third party to identify the person.

Therefore, employers need to take precautions, especially if they are handling more than 5,000 separate data records on any particular day for the previous 6 months, to make sure that they have relayed all the requisite rules and regulations on employees’ handling of and respect for data. Further, they need to have proper security procedures in place to prevent the malicious removal or inadvertent leakage of data. Failure to address either of these areas will indeed open the employer up to possible prosecution if things go wrong.

I thought it would be interesting to look at two typical examples of how people might run across the Personal Information act, and what the law seems to be saying. For employee-related information, I checked in with a “Sharoshi” (Labor Consultant). On the company side of things, the act has been translated into English on the Web, and there are some good legal overviews on the matter, such as the one at www.freshfields.com. In all cases, please remember that these comments are my own opinion and you should always get proper legal advice before acting.

My question to the Sharoshi was, “Does an employee have the right to take their ‘meishi’ (business card) file with them when they leave the company?”

The answer I got was “no”. Not because of the Private Information act, but rather because of the right to ownership of work output. Our Sharoshi informed me that any data accumulated by an employee while working for their company is the property of the employer, NOT the employee. This means that employees do not have the right to walk off with their meishi files unless specifically authorized to do so. I suppose that some people may argue that at least some of their meishi would have been collected in their own time – and for this, I imagine it would be incumbent upon the employee to prove that they hadn’t used company time or money to acquire it. Possibly a difficult thing to prove?

As an employee, the Personal Information act is relevant to you in the following ways:

• Where you are handling the personal information of other people, you need to keep the data secure. If a friend asks you to “check someone out” by accessing your company’s internal records, don’t do it. You could get into trouble.

• Another is the purpose of the data – meaning that when you ask someone for their details, you need to give the person a valid and adequate business reason as to why you are going to store and reuse their data – and they have to approve.

• Further, if the person whose data you have wants you to subsequently remove it from your database, in most cases you must comply with this request – although since the data is most likely going to be on your employer’s computer system, it would be a good idea to get your boss’ permission first!

The second question we had was: when one company takes over another, does the acquirer get the right to retain the acquired company’s customer data? The answer here, as we read the law, is that provided the data is used for the same specific purpose that the previous owner(s) used it for, then it is likely that you can go ahead with accessing the new data without having to seek authority.

NOTE, however, that if the original purpose of the data has changed, then you absolutely need to go back to the people in the database and get permission from each and every one of them to continue maintaining their personal data.