課題Ⅰ 第10編 行政機関等における個人情報等の取扱い

The 2021 amendment to the Act on the Protection of Personal Information was an epoch-making reform that fundamentally changed Japan's personal information protection system. The greatest highlight of this amendment was the "Three-Law Integration," which realized unified personal information protection rules across both public and private sectors. This part comprehensively explains the important issues tested on the exam regarding the handling of personal information by administrative agencies.

Before the Three-Law Integration, three laws concerning personal information protection coexisted in Japan. First, the Personal Information Protection Act targeting the private sector. Second, the Administrative Organs Personal Information Protection Act targeting national administrative agencies. Third, the Independent Administrative Agencies Personal Information Protection Act targeting independent administrative agencies. Furthermore, more than 1,700 local public bodies across the country had each enacted their own personal information protection ordinances, creating a state of confusion known as the "2,000 ordinances problem."

Through the 2021 amendment, these three laws were integrated into a single Personal Information Protection Act. Local public bodies were also included as subjects of the same law. Full enforcement was in April 2023. The purposes of integration were threefold: first, promotion of data coordination between public and private sectors; second, resolution of imbalances in personal information protection; third, response to the digital society.

Under the integrated Personal Information Protection Act, "administrative agencies etc." refers to the following four categories: (1) National administrative agencies (ministries and agencies). (2) Independent administrative agencies (such as the National Hospital Organization and the Japan Pension Service). (3) Agencies of local public bodies (prefectures and municipalities). (4) Local independent administrative agencies (such as public university corporations). An important point to note: the Diet and courts are NOT included. These are handled separately by their own rules.

The most fundamental difference between the private sector and administrative agencies lies in the basis for acquiring and using personal information. Private sector business operators handle personal information based in principle on individual consent. However, administrative agencies may hold personal information when necessary for performing affairs under their jurisdiction as stipulated by laws and regulations. In other words, the basis is legal authority rather than consent. This derives from the nature of government acting in the public interest.

The standards for changing the purpose of use also differ between private and administrative sectors. Private sector operators can only change the purpose within a "scope reasonably recognized as relevant" to the original purpose. On the other hand, administrative agencies can change the purpose of use "when there is a reasonable justification." This "reasonable justification" is a broader concept than the private sector standard, and is a provision to ensure administrative flexibility.

Use and provision outside the stated purpose are prohibited in principle, but exceptions are stipulated in Article 69, Paragraph 2. Specifically: when there is individual consent; when based on laws and regulations; when necessary for protecting life, body, or property of the individual or a third party; and when providing to other administrative agencies with "reasonable justification." In particular, the fact that information sharing between administrative agencies is permitted under "reasonable justification" is a feature not found in the private sector. Furthermore, the opt-out mechanism available in the private sector does not apply to administrative agencies.

The personal information file register is a system unique to administrative agencies based on Article 75. The head of an administrative agency (minister, etc.) must create and publish a personal information file register for held personal information files.

The personal information file register includes the following items: file name, purpose of use, recorded items, scope of records (subjects), collection method, provision destination, etc. While private sector operators also have a publication obligation for held personal data, the administrative personal information file register is more detailed and mandatory. Its purpose is to ensure citizens' right to know and administrative transparency.

Individuals can request disclosure of held personal information from administrative agencies (Article 76). However, there are government-specific non-disclosure reasons not found in the private sector: information related to national security, information that would hinder diplomatic relations, information that would hinder criminal investigations, and information that would hinder proper administrative operations.

In addition to disclosure requests, individuals have the right to make correction requests (Article 90) and use suspension requests (Article 98). Correction requests are made when there are factual errors. Use suspension requests are made when information was illegally obtained or used outside its purpose. A fee is required to make these requests.

When dissatisfied with a disclosure decision, the individual can make a review request based on the Administrative Appeal Act. In this case, the head of the administrative agency must consult the Information Disclosure and Personal Information Protection Review Board. The review board, as a third-party body, makes fair judgments and ensures remedy of citizens' rights. This is an administrative-specific remedy mechanism different from lawsuit procedures in the private sector.

Anonymized processed information from administrative agencies, stipulated in Article 109 onwards, is a system where personal information held by the government is processed so that specific individuals cannot be identified and provided to private sector operators. The purpose is to utilize the vast data accumulated by the government for private sector research, analysis, and new service development.

A distinguishing feature of this system is the proposal solicitation mechanism. The administrative agency publishes an outline of available data, and private sector operators propose how they want to use it. After passing examination, a usage contract is concluded and the data is provided upon payment of a fee. Unlike private sector anonymized processed information, the government case requires a mandatory proposal solicitation process and cannot arbitrarily provide data.

Before the 2021 amendment, the Minister for Internal Affairs and Communications bore the supervision of administrative agencies. After the amendment, the Personal Information Protection Commission (PPC) carries out centralized monitoring and supervision across public and private sectors. The PPC can demand submission of materials, conduct on-site investigations, provide guidance and advice, and issue recommendations to administrative agencies. However, unlike the order authority toward the private sector, the PPC can only issue recommendations to administrative agencies and cannot issue orders.

Before the Three-Law Integration, local public bodies operated under their own personal information protection ordinances. Some municipalities had advanced ordinances while others were insufficient, creating major disparities in protection levels. After the amendment, they were placed under a nationally unified law.

However, even under the unified law, there are matters that local public bodies are permitted to stipulate independently by ordinance. For example, setting disclosure request fees by ordinance, establishing personal information protection review boards, and ordinance-specific provisions regarding the handling of personal information requiring special consideration. The Personal Information Protection Commission provides technical advice and guidance to local public bodies.