Assignment II, Part 2 (2): Organizational and Human Security: Safety Management Measures, Contractor Supervision, and Incident Response

Organizational safety management measures are stipulated in General Rules 10-3 of the Guidelines and consist of five items. The first is the development of an organizational structure. At the top, a Chief Privacy Officer (CPO) is placed to oversee the organization's entire personal information protection system. Below the CPO, a personal information protection audit officer is assigned, who conducts audits from a position independent of the CPO. Division managers are then assigned to each department to supervise the handling of personal information at the field level. At the lowest level are the handling staff, the workers who actually operate on personal information.
Operation in accordance with rules and confirmation of handling status
The second item is operation in accordance with the rules on personal data handling: daily confirmation that operations follow the regulations that were formulated. The third is developing the means to confirm handling status. Specifically, this includes developing and updating the personal information management ledger, recording and retaining the access logs of information systems that handle personal information, and managing entry/exit records. This creates a mechanism that can trace "when", "who", and "which" personal information was accessed.
System for responding to incidents such as leaks
The fourth is developing a system for responding to incidents such as leaks. A reporting and communication chain from the discoverer to the responsible person and on to management is established in advance. When an incident occurs, cause investigation, confirmation of the scope of impact, and formulation of recurrence prevention measures are carried out swiftly. Not only the reporting routes but also the initial response procedures (preventing the spread of damage, preserving evidence) must be formulated in advance.
Grasping the handling status and reviewing safety management measures
The fifth is grasping the handling status and reviewing safety management measures. Periodic internal audits are conducted to objectively verify whether operations follow the regulations. Audit results are reported to management, and the necessary corrective measures are taken. This corresponds to "Check" and "Act" in the PDCA cycle, and audits should be conducted at least once a year. Reviews are also carried out in response to changes in the external environment (legal amendments, the emergence of new threats).
Human safety management measures and the scope of "workers"
Human safety management measures (General Rules 10-4 of the Guidelines) center on education and awareness-raising for workers. What matters here is the definition of "worker" (従業者). It is a broad concept: workers include not only permanent employees but also contract employees, part-time and temporary workers, dispatched workers, and directors and executives. All persons who engage in operations under the direction and supervision of the business operator are covered.
Implementing education and training
Education and training are conducted on several occasions. Onboarding training teaches basic knowledge of personal information protection and the internal regulations. Regular training is conducted at least once a year and shares legal amendments and the latest incident cases. E-learning is also an effective means, and retaining attendance records provides evidence that the education was carried out. After training, it is desirable to conduct a test to confirm the level of understanding.
Non-disclosure agreements and employment rules
Non-disclosure agreements (NDAs) are concluded and confirmed at several points in time. A written pledge is submitted on joining the company, and it is confirmed again on transfer between departments according to the new scope of handling. On resignation, the employee confirms in writing that the confidentiality obligation continues after leaving. Provisions on personal information protection are also established in the employment rules, and clearly stating the disciplinary action for violations strengthens the deterrent effect.
Criteria for selecting contractors
When the handling of personal information is outsourced to an external party, the outsourcer bears supervisory responsibility for the contractor (Article 25 of the Act). As selection criteria, the contractor's level of safety management measures, its track record in personal information protection, and its financial condition are evaluated in advance. Whether the contractor has obtained the Privacy Mark or ISMS certification also serves as a basis for judgment.
Mandatory clauses in outsourcing contracts and grasping the actual situation
The outsourcing contract incorporates the following matters: confidentiality obligations, prohibition of use beyond the stated purpose, restrictions on subcontracting (an advance-approval system), an obligation to report promptly when an incident occurs, audit rights for the outsourcer, and an obligation to return or dispose of the personal information when the contract ends. Even after the contract is concluded, the actual situation is grasped by requesting periodic reports, conducting on-site investigations, and performing audits.
Managing subcontracting
Subcontracting requires the permission of the original outsourcer. The subcontractor must also be required to implement safety management measures equivalent to those of the contractor. Chains of subcontracting (sub-subcontracting) can also arise, and it is important to note that the original outsourcer bears ultimate supervisory responsibility.
Incident response flow
The response flow when an incident such as a leak of personal information occurs is as follows. First, the discoverer promptly reports to the responsible person. Next, as the initial response, the spread of damage is prevented and evidence is preserved. After that, the cause is investigated and the scope of impact is confirmed. Recurrence prevention measures are formulated, and the individuals concerned are notified and a report is made to the Personal Information Protection Commission (PPC).
Article 26: incidents subject to mandatory reporting
Under Article 26 of the amended Act, which came into effect in April 2022, reporting to the PPC and notifying the individuals concerned became mandatory when a leak meeting certain requirements occurs. The criteria for incidents requiring a report are: leakage of special care-required personal information, leakage that may cause property damage through unauthorized use, leakage that may have been carried out for a wrongful purpose, and leakage affecting more than 1,000 persons. Reporting is in two stages: a preliminary report (roughly within 3 to 5 days of discovering the incident) and a definitive report (within 30 days, or within 60 days in cases of a wrongful purpose).
Complaint handling and follow-up
For complaint handling, a reception contact point is clearly established, and the content of each complaint, the progress of the response, and the result are recorded. Sincere and swift responses are required, and follow-up after the response (communicating the result to the individual, confirming recurrence prevention) is also important. Complaint records are accumulated and analyzed for trends, providing material for improving the organization's weaknesses.