課題Ⅰ 第８編 匿名加工情報に関する義務等（法43条〜46条）

Anonymized processed information is a concept defined in Article 2, Paragraph 6 of the Act on the Protection of Personal Information. It refers to personal information that has been processed so that a specific individual cannot be identified and the original personal information cannot be restored. The important point here is that two requirements — "inability to identify" and "inability to restore" — must be satisfied simultaneously. Simply deleting names is insufficient; the data must be in a state where even cross-referencing with other information cannot identify the original individual.

The greatest difference between anonymized processed information and pseudonymized information is irreversibility. Pseudonymized information can technically be returned to the original personal information if the deleted information or processing method information is used (although this is prohibited). On the other hand, the processing of anonymized processed information is itself irreversible, and restoration to original personal information is impossible by any means. This irreversibility is precisely the basis that makes third-party provision possible.

The anonymized processed information system was introduced in the 2015 amendment to the Act on the Protection of Personal Information. The background was the challenge of achieving both the promotion of personal information utilization and privacy protection in the big data era. It was established as a legal framework for business operators to safely share externally the large volumes of personal information they hold, for use in statistical analysis and research and development. Note that pseudonymized information was introduced later in the 2020 amendment, and the difference in introduction timing may be tested on the exam.

When creating anonymized processed information, the five processing standards stipulated in the rules of the Personal Information Protection Commission (Enforcement Rules, Article 34) must be followed. All of these standards must be satisfied, and if even one is lacking, the result will not be recognized as lawful anonymized processed information. Each standard is explained in detail below.

The first standard is the deletion of descriptions that can identify a specific individual. Specifically, this includes full names, dates of birth, addresses, facial photographs, and the like. However, "deletion" includes not only complete erasure but also replacement. For example, methods such as replacing a date of birth with only the birth year and month, or rounding an address to the prefecture level, are permitted.

The second standard is the deletion of all individual identification codes. Individual identification codes refer to My Number, passport numbers, basic pension numbers, driver's license numbers, biometric authentication data such as fingerprints and irises, and the like. Since even one remaining code is directly connected to identifying an individual, deletion of "all" codes is required.

The third standard is the deletion of codes that mutually link information. This refers to internal IDs that tie together records of the same person across multiple databases within a company. For example, if a purchasing database and a member database can be linked by a common customer ID, that customer ID must be deleted or replaced. If linking codes remain, there is a danger that multiple data sources could be matched to identify an individual.

The fourth standard is the deletion of unique descriptions. Unique descriptions refer to extremely rare values within the data. For example, values such as age 116, annual income of 5 billion yen, or height of 210 cm can themselves become clues to guessing an individual. As countermeasures, generalization methods such as setting upper limits (e.g., grouping into "80 years or older") or replacing with ranges (e.g., grouping into "annual income of 100 million yen or more") are performed.

The fifth standard is other appropriate measures considering the nature of the personal information database. This is a comprehensive provision that is judged individually according to the content, scale, and use purpose of the database. For example, if the population of a region is extremely small, even prefecture-level addresses may identify an individual, so additional measures such as aggregating to broader regions are necessary. Because it is a context-dependent standard, the exam may test this through specific case examples.

Article 43 stipulates the obligations of anonymized processed information handling business operators when creating anonymized processed information. First, they must perform processing that conforms to the processing standards in the above-mentioned Enforcement Rules Article 34. Next, they must take safety management measures to prevent leakage of processing method information. Because there is a risk that the original personal information could be restored if processing methods leak, this obligation is extremely important.

Furthermore, Article 43 imposes public announcement obligations at the time of creation. Specifically, the items of information relating to individuals contained in the anonymized processed information must be publicly announced. For example, this means clarifying what types of information are contained, such as "age, gender, purchasing history." Additionally, the fact that anonymized processed information was created must also be publicly announced. Note that the specific processing method itself does not need to be publicly announced — it is limited to the announcement of "items" and "the fact of creation."

Article 44 stipulates the obligations when providing anonymized processed information to third parties. Business operators must publicly announce the items of information relating to individuals contained in the anonymized processed information to be provided to third parties, as well as the method of provision. Whereas the announcement at the time of creation is only "items," at the time of provision the scope expands to "items + method of provision" — this is a frequently tested point on the exam.

Furthermore, the recipient must be explicitly informed that the data is anonymized processed information. This explicit indication is indispensable for making the recipient recognize that they bear appropriate handling obligations. The most important point is that consent of the individual is NOT required for third-party provision of anonymized processed information. This is the greatest difference from third-party provision of ordinary personal information, and the greatest advantage of the anonymized processed information system.

Article 45 stipulates the obligations of the recipient (the party that received the provision) of anonymized processed information. The most core obligation is the prohibition of cross-referencing. Recipients are prohibited from cross-referencing the received anonymized processed information with other information to attempt to identify the original individual. This is because even though anonymized processed information is technically non-restorable, the risk of re-identification theoretically exists through combination with external data.

Recipients must also take necessary and appropriate measures for the safety management of anonymized processed information. Specifically, this includes access control, training for employees, and establishment of handling regulations. Since recipients do not know the processing method, the obligation to prevent leakage of processing method information is borne only by the creator.

Article 46 imposes obligations for safety management measures to ensure appropriate handling of anonymized processed information on all business operators that handle it (both creators and recipients). It is a comprehensive provision for maintaining societal trust in anonymized processed information, including handling of complaints and announcement of safety management measures.

Let us organize the key points for exam preparation. First, memorize the five requirements of the processing standards in Enforcement Rules Article 34. Remember them in order: deletion of descriptions, deletion of individual identification codes, deletion of linking codes, deletion of unique descriptions, and measures according to the nature of the database.

Second, accurately understand the difference in public announcement obligations at the time of creation versus provision. At creation time: "items" and "the fact of creation." At provision time: "items" and "method." Third, be sure to master the differences from pseudonymized information, especially the difference in whether third-party provision is possible and the difference in irreversibility.