課題Ⅰ 第11編② マイナンバー法 ― 特定個人情報の提供制限・保護・監督・罰則（法19条〜57条）

Restrictions on the provision of specific personal information are set forth in Article 19 of the My Number Act and are one of the most important provisions in the law. As a general rule, no one may provide specific personal information. The critically important point here is that, unlike the Personal Information Protection Act, provision is not permitted even with the individual's consent. Under the Personal Information Protection Act, third-party provision is possible if the individual's consent is obtained, but under the My Number Act, all provision is prohibited unless it falls under the exceptions enumerated in the items of Article 19.

The exceptions in Article 19 are exhaustively enumerated from Item 1 through Item 17. Item 1 covers cases where an implementer of individual number use affairs provides information to the extent necessary for processing said affairs. Item 2 covers cases where an implementer of individual number-related affairs provides for processing those related affairs. Item 3 covers cases where the individual or their agent provides for individual number-related affairs. For example, an employee submitting their My Number to the company for withholding tax purposes corresponds to this.

Item 4 covers provision for the creation of statistics. Item 5 covers provision through the information provision network system (Article 21, discussed later). Item 6 covers notifications related to national and local taxes. Item 7 covers cases stipulated by ordinance of local public bodies. Item 8 covers cases based on court commissions. Item 9 covers cases based on laws and ordinances.

Item 10 covers cases where it is necessary for the protection of a person's life, body, or property and obtaining the individual's consent is difficult. Item 11 covers cases stipulated by Personal Information Protection Commission rules. Item 12 covers cases carried out by persons who have notified the Minister of Internal Affairs. Items 13 through 17 cover various administrative procedures, transaction verification by financial institutions, monetary lending during severe disasters, and cases where there is a public interest necessity.

Article 20 stipulates restrictions on the collection and storage of specific personal information. When a case does not fall under the items of Article 19, one must not collect or store specific personal information. In other words, the receiving side of information that is not permitted to be provided is also subject to the prohibition on collection.

The individual number of a retired employee must be promptly disposed of after the statutory retention period stipulated in the Income Tax Act (generally 7 years) has elapsed. Continuing to store it constitutes a violation of Article 20. In practice, this applies to My Numbers recorded on dependent deduction declaration forms and salary payment reports.

The information provision network system (Article 21) is a common government platform for safely exchanging specific personal information between government agencies. It is a mechanism where an information inquirer requests specific personal information from an information provider, and the provider responds accordingly. Since matching is performed using institution-specific codes rather than the My Number itself, the risk of My Number leakage is reduced.

Article 22 stipulates the obligation to record information provisions. The information inquirer and provider must record and preserve the date/time, counterparty, and content of provisions. Article 23 imposes an obligation for secrecy management, requiring appropriate management of secrets related to the information provision network system.

Articles 24-25 are provisions regarding the installation and management of the information provision network system. The Minister of Internal Affairs and Communications carries out the installation and management. Article 26 imposes a confidentiality obligation on persons engaged in the work of this system. This obligation continues even after retirement.

My Number Portal (Myna Portal) is an online service where citizens can check the exchange history regarding their specific personal information. Specifically, its main functions are: (1) confirmation of self-information (viewing one's own information held by government agencies), and (2) confirmation of exchange history (records of which institution queried or provided information and when). It contributes to ensuring transparency.

The Specific Personal Information Protection Assessment (PIA: Privacy Impact Assessment) is a system based on Article 27. Before a government agency holds a specific personal information file, it imposes an obligation to assess the impact on privacy in advance and publish the results. This system does not exist in the Personal Information Protection Act and is a protection measure unique to the My Number Act.

The PIA has three stages. The first stage is the "basic items assessment." It is a simplified assessment that must be conducted for all specific personal information files.

The second stage is the "threshold judgment." It determines whether a full items assessment is necessary based on criteria such as whether the target population exceeds 1,000 persons, whether the information includes information requiring special care, or whether a serious incident has occurred in the past.

The third stage is the "full items assessment." It is a comprehensive assessment that goes through third-party inspection and public comment (solicitation of opinions). Under Article 28, the full items assessment report must be published, and periodic review is also required.

Articles 29-30 stipulate restrictions on the creation of specific personal information files. Government agency staff must not create specific personal information files except when based on laws and ordinances. Article 31 stipulates the management of records of information provision, and Article 32 stipulates the obligation to ensure the safety of specific personal information. The safety obligation includes the prevention of leakage, loss, and damage.

The Personal Information Protection Commission (PPC) possesses powerful supervisory authority under the My Number Act. Article 33 establishes the authority for guidance and advice. Article 34 allows recommendations when there are violations in the handling of specific personal information. Article 35 allows orders to be issued when recommendations are not followed. Violation of these orders is subject to penalties.

Article 36 establishes the PPC's authority to demand reports and conduct on-site inspections of business operators. Article 37 stipulates exclusions, where news organizations, academic research institutions, religious organizations, and political organizations are excluded when using information for their respective purposes. Article 38 mandates the publication of the status of enforcement.

Corporate numbers are 13-digit numbers stipulated in Articles 39-42. The Commissioner of the National Tax Agency designates and notifies them to corporations. Targets include corporations that have made establishment registrations, national institutions, local public bodies, and others.

Under Article 39, Paragraph 4, corporate numbers are publicly announced as a general rule. Anyone can search and view them on the National Tax Agency's corporate number publication site. This is the decisive difference from individual numbers. There are no restrictions on the collection, use, or provision of corporate numbers, and they can be freely used regardless of whether the user is in the public or private sector. Articles 40-42 stipulate the procedures for changes and notification of corporate numbers.

Article 43 stipulates that local public bodies may establish their own provisions regarding the handling of specific personal information by ordinance. However, these must not contradict the intent of the My Number Act. Articles 44-47 contain provisions regarding delegation of authority of the competent minister, transitional measures, delegation to cabinet orders, and other matters.

Penalties under the My Number Act (Articles 48-57) are set significantly heavier than those under the Personal Information Protection Act. This is because My Numbers are important information directly connected to social security, taxation, and disaster countermeasures, and the intent is to heighten the deterrent effect.

Article 48: Providing a specific personal information file without legitimate reason → imprisonment of up to 4 years or a fine of up to 2 million yen (or both may be imposed concurrently). This is the heaviest penalty under the My Number Act.

Article 49: Providing or misappropriating specific personal information for fraudulent profit → imprisonment of up to 3 years or a fine of up to 1.5 million yen (or both). Article 50: Acquiring an individual number through fraud → imprisonment of up to 3 years or a fine of up to 1.5 million yen.

Article 51: Violation of a Personal Information Protection Commission order → imprisonment of up to 2 years or a fine of up to 500,000 yen. Article 52: Evasion of inspection → imprisonment of up to 1 year or a fine of up to 500,000 yen.

Articles 53-57 stipulate dual punishment provisions and other matters. Dual punishment provisions impose fines not only on the individual who committed the violation but also on the corporation (employer). The intent is to hold corporations accountable for their supervisory responsibility.