課題Ⅰ 第７編 仮名加工情報（法41条・42条）

Pseudonymized information is a concept defined in Article 2, Paragraph 5 of the Act on the Protection of Personal Information. It refers to personal information processed by deleting part of the descriptions contained therein (including replacing them with other descriptions using methods that do not have the regularity to restore the original descriptions), so that specific individuals cannot be identified unless cross-referenced with other information. In other words, the data has been processed so that individuals cannot be identified without combining it with additional information (deletion information, etc.), and the decisive difference from anonymized information is that technically it CAN be reverted to the original.

This system was newly established by the 2020 (Reiwa 2) amendment to the Act on the Protection of Personal Information. Before the amendment, when business operators performed in-house data analysis, they either had to comply with strict regulations as personal information, or apply irreversible processing to create anonymized information. Pseudonymized information was designed as a system positioned between these two. By filling the gap between personal information (strict) and anonymized information (difficult to create), it aims to promote safe internal data utilization.

The creation standards for pseudonymized information are stipulated in the Personal Information Protection Commission Rules (Enforcement Rules, Article 31). The first standard is the deletion of descriptions that can identify specific individuals. For example, deleting names and replacing them with temporary IDs, deleting detailed portions of addresses (house numbers and below), or rounding dates of birth to only birth year and month. Importantly, the method used for replacement must not have regularity (because it would then be easily reversible).

The second standard is the deletion of individual identification codes. All individual identification codes — such as My Number, passport numbers, driver's license numbers, basic pension numbers, and fingerprint authentication data — must be deleted or replaced with other codes. The third standard is the deletion of descriptions that could cause financial damage if used without authorization. Typical examples include credit card numbers and remittance account numbers. Because leakage of these leads to direct monetary damage, their deletion is always required.

The deletion information (deleted descriptions and information about processing methods) generated during the creation of pseudonymized information must be managed with extreme care. This is because if this deletion information is matched against the pseudonymized information, the original personal information can be restored. Specifically, it must be stored physically and logically separate from the pseudonymized information itself, with separated access privileges and other measures to prevent easy cross-referencing. There is also a duty to delete it without delay once it is no longer needed.

Article 41 stipulates the obligations of personal information handling business operators that have created pseudonymized information. The most noteworthy point is that the restriction on purpose of use is greatly relaxed. For ordinary personal information, changes to the purpose of use are limited to "a scope reasonably recognized as related to the purpose of use before the change" (Article 17). However, pseudonymized information can be used for purposes different from the initial purpose of use as long as it is internal use. This is the core benefit of the pseudonymized information system.

Under Article 41, Paragraph 6, third-party provision of pseudonymized information is prohibited in principle. This contrasts with anonymized information, which can be provided to third parties under certain conditions. This prohibition is strict, and even the exception for obtaining the person's consent under Article 23 does not apply. In other words, pseudonymized information is a system specialized exclusively for use within one's own company. On the exam, the question "Can pseudonymized information be provided to third parties?" appears frequently. The answer is clearly "prohibited."

Article 41, Paragraph 7 stipulates the prohibition of re-identification. The act of cross-referencing pseudonymized information with other information (including deletion information) to identify the original individual is prohibited. This applies not only to cases where identification occurs as a result, but the very act of attempting identification constitutes a violation. For example, matching against a separate in-house database to investigate "who is this customer" also falls under this prohibition.

Article 41, Paragraph 8 prohibits the act of using contact information contained in pseudonymized information to contact the individual. Although email addresses and phone numbers may remain in pseudonymized information, using them to send direct mail or make phone calls to the individual is not permitted. This provision makes clear that pseudonymized information is exclusively for data analysis and must not be used for direct approaches to individuals.

When pseudonymized information is created, the business operator must publish the "items of information about individuals" contained in it. Importantly, what is published is the "items" (e.g., name, age, gender, purchase history) — not the actual data content. Also, unlike anonymized information, publication of the processing method is not required. This is because publishing the processing method would increase the risk of re-identification.

Article 41, Paragraph 6 is a prohibition in principle, but exceptions are recognized through the proviso. Specifically, three categories permit provision under certain requirements: (1) provision accompanying consignment (Article 27, Paragraph 5, Item 1), (2) provision accompanying business succession (same Item 2), and (3) joint use (same Item 3). Note that the general principle of consent (Article 27, Paragraph 1) does NOT apply. On the exam, the option "third-party provision is allowed if the individual consents" is incorrect.

Under Article 41, Paragraph 9, various rights of request from the individual do not apply to pseudonymized information. Specifically, disclosure requests (Article 33), correction requests (Article 34), and cessation of use requests (Article 35) are exempt. For ordinary personal information, the business operator must respond when the individual exercises these rights, but for pseudonymized information this is not necessary. This greatly reduces the operational burden on business operators.

Another major benefit of pseudonymized information is that the obligation to erase personal data that is no longer needed for use, as stipulated in Article 22, does not apply. Normally, personal data has a duty to be erased without delay after the purpose of use has been achieved, but pseudonymized information can be retained indefinitely for future analysis purposes. This makes long-term data accumulation and analysis possible.

Article 42 stipulates the obligations of pseudonymized information handling business operators (those who did not create the pseudonymized information but obtained it through legitimate means before the law amendment). The same obligations apply to them: prohibition of third-party provision, prohibition of re-identification, prohibition of contacting the individual, and duty of safety management measures. In other words, anyone who holds pseudonymized information receives the same restrictions regardless of whether they are the creator.

Whether pseudonymized information "qualifies as personal information" depends on the holder's position. When the creator holds the deletion information, easy cross-reference is possible, so internal pseudonymized information continues to qualify as "personal information" (Article 41). On the other hand, if a recipient through consignment or joint use does not hold the deletion information, it does not qualify as personal information for that recipient, and Article 42 governance applies instead.

Organizing the main benefits of the pseudonymized information system: first, it can be used flexibly beyond the initial purpose of use as long as it is for internal use; second, it can be retained indefinitely even after the purpose of use has been achieved for future analysis; and third, there is no need to respond to disclosure, correction, or cessation-of-use requests from individuals. These three points enable business operators to maximize data utilization for internal purposes such as statistical analysis, AI training, and research and development.

Practical use cases include deleting names and addresses from customer purchasing data to analyze purchasing trends. Medical data can have patient names removed for statistical analysis of treatment effectiveness, and employee data can have names excluded for measuring the effectiveness of HR policies. All these cases share the common feature of being limited to internal use.