課題Ⅱ 第２編① 組織的・人的セキュリティ ― 基本方針の策定からリスク管理・規程整備まで

The first step to organizationally promote personal information protection is formulating a basic policy (privacy policy). A basic policy is a document that externally declares how a business operator handles personal information, showing the organization's stance. The Personal Information Protection Act itself does not mandate its formulation, but guidelines and certification systems (Privacy Mark, ISMS) require it.

The items that should be stated in the basic policy are as follows. First, the name of the business operator and its representative. Second, a clause declaring compliance with related laws, regulations, and guidelines. Third, matters regarding safety management measures. Fourth, contact information for complaints and inquiries. Fifth, commitment to continuous improvement. After clearly describing these items, it must be publicly announced through the website, etc. For companies with the Privacy Mark, content in line with JIS Q 15001 requirements is needed; for ISMS, consistency with the information security policy is important.

After formulating the basic policy, the next step is to identify all personal information held by the organization and manage it centrally with a personal information management ledger. Items to record in the ledger are: data items (name, address, phone number, etc.), purpose of use, storage location (physical/electronic), authorized access persons, storage deadline, and the person in charge of management. The ledger enables accurately grasping which department stores what kind of personal information and where.

The Personal Information Protection Commission's General Rules Guidelines Part 10-3 (organizational safety management measures) explicitly requires the maintenance of a ledger (personal data management register) as a means of confirming handling status. The ledger may be paper-based or electronic, but practical requirements include: update history must be traceable, and only authorized persons may revise it. Data entrusted to external outsourcing destinations must also be recorded without omission, with the outsourcing destination name, contract period, and provision scope clearly specified.

Personal information has a lifecycle, and appropriate management is needed at each stage: acquisition, use, storage, provision, and disposal. At the acquisition stage, specifying the purpose of use and notifying/announcing it to the individual is required. At the use stage, prohibition of use beyond the stated purpose is enforced. At the storage stage, leakage is prevented through encryption and locked storage management. At the provision stage, restrictions on third-party provision and record-keeping obligations are complied with. At the disposal stage, information is reliably disposed of using irrecoverable methods (shredding, magnetic erasure, physical destruction).

Data inventory (棚卸し) is the task of periodically confirming whether the ledger content matches the actual situation. It inspects whether unregistered personal information has emerged due to new business operations or organizational changes, whether purposes of use have been modified, or whether data past its storage deadline remains. It is recommended to conduct an inventory at least once per year.

Risk recognition means identifying how leakage, loss, and damage can occur at each stage of the personal information lifecycle. For example, at the acquisition stage: unauthorized acquisition or consent deficiencies; at the storage stage: unauthorized access or loss of media; at the disposal stage: disposal in a recoverable state, and so on. Risks are identified from both the perspective of threats (external attacks, internal fraud, natural disasters) and vulnerabilities (insufficiency of countermeasures).

Risk assessment is systematized in the international standard ISO 31000, consisting of three stages: risk identification → risk analysis → risk evaluation. In the identification stage, threats and vulnerabilities are enumerated based on the information asset ledger; in the analysis stage, likelihood of occurrence and impact are estimated; in the evaluation stage, results are compared against acceptance criteria (risk acceptance level). Risks exceeding the criteria require treatment; risks below the criteria are documented as accepted (retained).

There are two methods for analyzing identified risks: qualitative analysis and quantitative analysis. Qualitative analysis evaluates risks in levels such as "high," "medium," and "low." Quantitative analysis calculates in monetary amounts. The representative formula is ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) × ARO (Annualized Rate of Occurrence). For example, if one leakage incident is estimated to cause 5 million yen in damage and occurs 0.1 times per year, ALE = 500,000 yen.

In risk evaluation, priorities are assigned based on the analysis results. Generally, risks are evaluated on two axes: impact (magnitude of damage) and likelihood (frequency of occurrence). Countermeasures are prioritized for risks with high impact and high likelihood. By creating a risk matrix and visually organizing it, it can also be utilized for explanations to management.

There are four risk treatment methods. First is avoidance: ceasing the activity that causes the risk. Example: abolishing unnecessary collection of personal information. Second is reduction (mitigation): making the risk smaller through technical and organizational countermeasures. Example: introducing encryption, strengthening access control. Third is transfer (shift): transferring the risk to others. Example: enrolling in liability insurance, outsourcing to specialist contractors. Fourth is acceptance (retention): accepting the risk as-is when, for example, the cost of countermeasures exceeds the potential damage amount. The optimal combination is selected considering cost-effectiveness.

To reliably execute personal information protection, regulation documents must be systematically developed. The document system is composed in a hierarchical structure. At the highest level: the basic policy (privacy policy); second layer: personal information protection regulations (management regulations); third layer: implementation procedure manuals; fourth layer: forms and records (application forms, checklists, ledgers).

The personal information protection regulations incorporate the following matters: the scope of personal information handling (target operations, target data), roles and authority of responsible persons, procedures for acquisition and use, specific content of safety management measures, contractor management criteria, and incident response procedures. These regulations must be disseminated to all workers and kept in a browsable state.

Regulation documents must clearly manage their revision history. Version number, revision date, revision content, and approver are stated at the beginning of the document. Old versions are stored for a fixed period, then marked as obsolete. To prevent coexistence of current and old versions, documents are managed centrally via a document management ledger, establishing a system where all workers can always reference the latest version. Centralized management via intranet or document management systems is considered desirable.

The PDCA cycle is applied to the operation of regulation documents. Plan: formulation and revision of regulations. Do: daily operation based on regulations. Check: confirmation of conformity through internal audits and self-inspections. Act: correction of deficiencies, review in response to legal amendments and changes in the social environment. By continuously turning this cycle, the standard of personal information protection is maintained and improved. In particular, it is indispensable to promptly revise regulations when laws are amended.

Merely developing regulations is insufficient; effectiveness is secured through internal audits and management-level reviews (management review). Internal audits are conducted by persons outside the audited department to maintain independence. Findings are compiled into corrective action reports, and improvements are completed within set deadlines. In management review, executives decide on resource allocation and policy changes in light of audit results, incident occurrence status, and legal amendments.