Personal Information Leaks are Not Someone Else’s Problem! Explanation of Penalties and Examples

Personal information is highly sensitive, yet used frequently, making it easy to unintentionally contribute to information leaks. In spring 2022, Japan’s Personal Information Protection Act was revised, increasing the responsibility of businesses handling personal information and strengthening penalties for contributing to leaks.
This article explains the penalties for leaking personal information, common leak scenarios, and preventative measures, based on the revised Personal Information Protection Act.
Table of Contents
- Main Features of the Revised Personal Information Protection Act
- Penalties for Leaking Personal Information
- Examples of Potential Legal Violations
- Measures to Prevent Personal Information Leaks
- Summary
1. Main Features of the Revised Personal Information Protection Act
In spring 2022, Japan revised the Personal Information Protection Act, requiring companies and individuals to be more conscious of protecting personal information. The main points of the revision are:
1-1. Enhanced Rights Protection
The revised Personal Information Protection Act seeks to give stronger protection to the rights of the individuals to whom personal information belongs.
For example, personal information held for short periods must be treated the same as long-term stored information. Owners of personal information can now request its deletion from companies more easily.
1-2. Increased Responsibility for Businesses
Businesses are now obligated to fulfill more responsibilities regarding personal information protection.
For example, reporting information leaks to the Personal Information Protection Commission is now mandatory. Inappropriate use of personal information is strictly prohibited, and using it for purposes other than the original is legally prohibited.
1-3. Strengthened Penalties
Strengthened penalties were also introduced in the revised Personal Information Protection Act. Failure to comply with the law may result in fines or imprisonment, so caution is required.
2. Penalties for Leaking Personal Information
Simply leaking personal information does not automatically trigger penalties. However, the context of the leak and the subsequent response can lead to penalties.
Reference: https://www.ppc.go.jp/all_faq_index/faq1-q11-1/
2-1. Failure to Comply with Commission Reporting/Inspection
One case where penalties apply is the **failure to comply with reporting requests or on-site inspections conducted by the Personal Information Protection Commission when an information leak occurs, or providing false reports.**
In this case, a fine of up to 500,000 yen may be imposed. The violating business may also be publicly named by the Personal Information Protection Commission, leading to social sanctions beyond just the fine.
2-2. Providing/Stealing Personal Information for Illicit Profit
Another case involves businesses or employees who **provide or steal personal information for their own or a third party’s illicit profit.** In this case, the perpetrator may be sentenced to imprisonment of up to one year or a fine of up to 500,000 yen. Penalties may also apply to the corporation.
In any case, dealing with personal information or a leak incident dishonestly can result in penalties.
3. Examples of Potential Legal Violations
What specific situations pose a risk of personal information leaks? Here are some key cases from the Personal Information Protection Commission’s near-miss examples.
Reference: https://www.ppc.go.jp/files/pdf/pd_hiyari.pdf
3-1. Case at a Cram School
Let’s look at an information leak case at a cram school that could develop from a dispute between students. If student B’s guardian asks the cram school for student B’s contact information so they can apologize to student A (whom student B injured), how should the school respond?
The problem here is that **the cram school could provide student B’s information to student A’s guardian without permission.** When providing contact information, always obtain permission from the individual or their guardian before sharing the information or acting as an intermediary.
3-2. Case at a Sales Company
Next, let’s look at a case at a sales company. Suppose a product sold by the company to a consumer contains a foreign object, and the company needs to address the consumer’s request for an exchange. If the sales company handles the response, and the manufacturer directly delivers a replacement product to the consumer, the sales company must not share the consumer’s address without permission.
**Always inform the consumer that you will be sharing their address with the manufacturer and have the manufacturer ship the product.**
3-3. Case Involving a Relative of an Employee
Next, consider a case where someone claiming to be an employee’s parent contacts you, saying they are unable to reach the employee and need their phone number. Providing the employee’s contact information without their permission contributes to an information leak.
Even if the employee is unavailable and consent cannot be obtained, **remember that contact information should only be shared after obtaining permission from the individual.**
4. Measures to Prevent Personal Information Leaks
As mentioned above, the risk of unintentionally contributing to personal information leaks exists everywhere. To prevent leaks, it is important to thoroughly implement the following measures:
4-1. Deepen Understanding of the Personal Information Protection Act
First, deepen your understanding of the revised Personal Information Protection Act. By understanding your specific obligations and the penalties for violating the law, you can be aware of the risks that arise in your daily work.
**Once you know the rules well, the necessary in-house measures will naturally become clear.**
4-2. Conduct Thorough In-House Training
If only some employees (such as information security staff) understand the risk of information leaks, the company cannot avoid those risks; company-wide understanding is needed. **Conduct regular training on information leak risks** and encourage employees to work with a high level of security awareness.
4-3. Don’t Neglect Cyber Attack Prevention (Antivirus Software, etc.)
Information leaks are not only caused by human error, but also by cyber attacks from third parties. **It is important to focus on basic cyber attack countermeasures such as installing antivirus software on a regular basis.**
Summary
This article explained how penalties for personal information leaks are defined by the revised Personal Information Protection Act. Because the risk of information leaks is always present, you must understand the risks and act accordingly on a daily basis.
We recommend reviewing your company’s security system to see if leaks can be avoided and if there are any problems with the response when a leak occurs.