Event Report: NCCJ Luncheon Seminar - "MyNumber" and Data Protection | The Netherlands Chamber of Commerce in Japan (NCCJ)
On February 24, Takashi Yoneyama, a lawyer with TMI Associates, and his colleagues from ARQIS Foreign Law Office, Dr. Tobias Schiebe and Ulrich Kirchhoff, discussed the new Japanese individual numbering system (“My Number” or “MN”) and the amendment of the Personal Data Protection Act in Japan.
Hans van der Tang introduced the speakers to the approximately 25 attendees at the ARQIS/TMI offices on the 23rd floor of the Roppongi Hills Mori Tower.
The talk opened with a brief history of the MN system (introduced in October 2015, and effective from 1 January 2016) and its current scope of application: to enhance administration, coordination and exchange of information in the areas of social security and tax, and to provide identification in the case of a natural disaster. The use of MN may be expanded in the future to other, as yet undefined, uses, such as banking and health records, but “cross-border” leaks between agencies may prove to be a worry.
Currently, the population has received MN, and recipients have been invited to apply for an IC card including the number, but Schiebe advised that this currently involves too much risk concerning loss and data protection, and recommended not applying for the card at present. “No-one knows where it is going,” he said.
As far as the use of MN is concerned, it was pointed out that there are currently only two occasions on which the MN can be demanded by the employer, and the holder of the number is obliged to provide it. The first is for administrative matters related to the deduction of withholding tax from the salary, and the second is for administrative matters related to health insurance and national pension insurance. For example, there are now places on tax forms for the MN to be entered. MNs should not be transferred to third parties, other than in the case of the provision of subcontracted services for the handling of MN.
For administration of MN, ARQIS points out four areas of concern: acquisition; administration; use; and deletion. Acquisition should always be done for a reason, and with the full written consent of the employee.
In the storage phase, one major area of concern is with subcontractors and outsourced services such as payroll providers. It was emphasised throughout the talk that the scope of due diligence when selecting and retaining such a service should be expanded to cover the MNs of the employees, as should the terms and conditions under which the service is provided. It is the responsibility of the company hiring the subcontractors to ensure that the MN and personal data are retained and used securely.
Access within the company should be limited to those who have a need to know, and there should be training on the retention and use of the data (as there should currently be for personal data) as well as clearly written rules and assigned responsibilities. Transfer of the MN material to a third party (including the organisational HQ!), other than service providers for handling of MN, is prohibited, even if the owner of the MN consents to the transfer.
When the data is finally deleted (when an employee leaves), the deletion must be carried out diligently in the same way as for other confidential material (shredded or securely deleted from the media on which it has been stored).
Failure to carry out these guidelines and those suggested by the appropriate authority (e.g., FSA, METI or MHLW) may result in administrative sanctions being taken, and possible criminal charges being filed, in case of leakage.
In addition to the MN legislation, the rules governing the use and protection of personal data in Japan will change in 2017.
For those doing business in Japan, transfer of personal data from Japan to a recipient outside of Japan may only be made under the following circumstances: when the recipient is located in a country which has laws that comply with the standards set by the new Japanese data protection laws (“adequate” level of data protection); or when the receiving party agrees to abide by such standards through contractual agreements; or when prior written permission has been given by the owner of the information.
The talk, which was interspersed with questions from the audience, finished with a summary of the reputational and legal/compliance risks faced by companies with regard to these new privacy acts, especially with regard to functions outsourced to smaller third-party providers, and a reminder of the need to keep abreast of developments in privacy legislation and its implementation.