課題Ⅰ 第３編② 適正な取得・要配慮個人情報・利用目的の通知

Article 20, Paragraph 1 of the Personal Information Protection Act stipulates that business operators handling personal information must not acquire personal information through "deception or other improper means." This is the provision known as the "proper acquisition" obligation, and it is the most fundamental obligation at the acquisition stage of personal information. "Deception" here means deceiving the individual to obtain information, and "other improper means" is not limited to deception but includes any means that would be judged improper by common social standards.

Specific examples of "deception or other improper means" include the following. First, impersonating someone else to extract information from the individual (e.g., pretending to be a contact person from a business partner). Second, stealing documents (e.g., stealing another company's customer list). Third, secret audio or video recording using hidden cameras or wiretapping devices. Fourth, purchasing lists or registers that were illegally obtained. Fifth, unauthorized scraping from websites (large-scale collection in violation of terms of use). All of these constitute violations of Article 20, Paragraph 1.

The guidelines interpret that receiving personal information while knowing that the provider acquired it improperly also constitutes improper acquisition. In other words, even if one does not directly commit an improper act oneself, accepting data with the awareness that it was improperly obtained means that the recipient themselves violates Article 20, Paragraph 1. Furthermore, in the context of third-party provision, if the provider violated Article 27 (restrictions on third-party provision) by providing data without the individual's consent, and the recipient received it knowing that fact, the recipient may also be held accountable for violating Article 20.

Article 20, Paragraph 2 stipulates that prior consent of the individual must be obtained before acquiring "sensitive personal information" (requiring special care). Sensitive personal information is personal information that contains descriptions requiring special care in handling, to prevent unjust discrimination, prejudice, or other disadvantage against the individual. Unlike ordinary personal information, its distinguishing feature is that the individual's consent is mandatory in principle at the acquisition stage.

The specific categories of sensitive personal information are as follows. (1) Race: information indicating ethnic origin. However, "nationality" or "foreigner" does not fall under race. (2) Creed: religious faith or political conviction (e.g., which religious sect one belongs to, which political party one supports). (3) Social status: status held from birth that cannot be changed by one's own will. Mere occupation or position is not included. (4) Medical history: records of past illnesses. (5) Criminal record: the fact of having received a guilty verdict (prior conviction). (6) Fact of being a crime victim: information about being a victim of crime.

(7) Physical, intellectual, mental disabilities, etc.: applies regardless of whether the person has been issued a disability certificate — the fact of having a disability itself qualifies. (8) Results of health examinations, etc.: results of regular health checkups, stress checks, etc. (9) Guidance, medical treatment, and dispensing by doctors, etc.: medical treatment records at healthcare institutions and dispensing records at pharmacies. (10) Criminal procedures such as arrest and search: the fact of being arrested as a suspect or being subject to a search. (11) Juvenile protection case procedures: information relating to juvenile hearings at family courts.

Article 20, Paragraph 2, each item enumerates exceptions where consent is not required for acquiring sensitive personal information. Item 1: Cases based on laws and regulations (e.g., responding to investigative agencies based on a court warrant, implementing health examinations based on the Industrial Safety and Health Act). Item 2: Cases necessary for the protection of a person's life, body, or property, and where obtaining the individual's consent is difficult (e.g., conveying a suddenly ill person's blood type or medical history to a doctor).

Item 3: Cases especially necessary for the improvement of public health or the promotion of sound development of children, and where obtaining consent is difficult (e.g., epidemiological investigation of infectious diseases, sharing information related to child abuse). Item 4: Cases where cooperation is necessary for the performance of duties stipulated by law by national or local government agencies or persons entrusted by them (e.g., cooperation with tax investigations).

Item 5: Sensitive personal information that the individual has made public themselves (e.g., when the person publicly announced their illness on social media). Item 6: Cases where it is visually obvious from outward appearance (e.g., when it is apparent from appearance that a person uses a wheelchair. However, internal disabilities that cannot be discerned from appearance are not included). Item 7: Cases where acquisition is for the purpose of news reporting, writing, academic research, religious activities, or political activities (scope of application exclusion).

Article 21 stipulates obligations regarding the purpose of use when personal information has been acquired. Paragraph 1 provides that when personal information is acquired, the purpose of use must be promptly notified to the individual or publicly announced. "Notification" here means directly informing the individual, while "public announcement" means placing the information in a state where an unspecified large number of people can know about it. The business operator can choose between notification and public announcement.

Specific recognized methods of notification and public announcement include the following. Notification methods: delivery of written documents, oral explanation, sending emails, etc. Public announcement methods: posting on websites (privacy policy), storefront display (posters, signboards), explicit notation in terms of use, etc. Note that public announcement can also be done before acquisition — if the purpose of use is publicly announced in advance through a privacy policy, individual notification becomes unnecessary.

Article 21, Paragraph 2 stipulates that when acquiring personal information directly from the individual via written documents (including website input forms), the purpose of use must be "clearly indicated" to the individual in advance. "Clear indication" here is a stricter requirement than the "notification or public announcement" of Paragraph 1. Simply posting it somewhere on a website is insufficient — the purpose of use must be in a state where the individual can reliably recognize it at the point when they provide their information. Specifically, methods include displaying the purpose of use on contract documents, questionnaire forms, or near the submit button of web forms.

Article 21, Paragraph 4 stipulates exceptions where notification or public announcement of the purpose of use is not required. Item 1: Cases where notification or public announcement of the purpose of use could harm the rights and interests of the individual or a third party (e.g., when publicly announcing the purpose of monitoring for fraud detection would inform perpetrators of the methods being used).

Item 2: Cases where notification or public announcement could hinder the performance of duties stipulated by law by national or local government agencies (e.g., when publicly announcing the purpose of information collection related to criminal investigations would hinder the investigation). Item 3: Cases where the purpose of use is recognized as obvious from the circumstances of acquisition (e.g., when exchanging business cards at a business meeting, it is obvious that the purpose is for making contact).

To summarize, there are three pillars regarding the acquisition of personal information. First, proper acquisition under Article 20, Paragraph 1: acquisition through deception or other improper means is prohibited. Second, sensitive personal information under Article 20, Paragraph 2: prior consent is required in principle (with 7 exceptions). Third, notification of purpose of use under Article 21: prompt notification or public announcement after acquisition (Paragraph 1), and clear indication in advance for acquisition via written documents (Paragraph 2). Violating these three obligations may result in recommendations or orders from the Personal Information Protection Commission, and penalties are imposed for violating such orders.