The Social Security and Tax Number (“My Number”) System (the “System”) will go into effect in January 2016, and the government will start distributing My Numbers to all citizens in October 2015. The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the “My Number Act”) imposes many obligations and limitations on businesses, so companies should start preparing now for the upcoming initiation of the System.
MAJOR OBLIGATIONS OF BUSINESS ENTITIES
My Number is considered personal information under Japanese law; therefore, an entity that obtains My Number from an individual must comply with the Japanese Personal Information Protection Law (“PIPL”) in handling My Number information. Under the PIPL, business entities are obligated to:
- Specify the purpose of use of personal information in any handling of personal information (Article 15(1)).
- Not use personal information beyond the specified scope of purpose without the individual’s prior consent (Article 16(1)).
- Promptly notify an individual of, or publicly announce, the purpose of use for acquiring personal information, except where that purpose of use has already been publicly announced (Article 18(1)).
- Take necessary and proper measures to secure personal data, including preventing its leakage, loss, or damage (Article 20).
- When outsourcing to a third-party vendor, exercise necessary and appropriate supervision over the vendor to ensure the security control of the entrusted personal data (Article 22).
Further, the My Number Act imposes additional restrictions and obligations on the handling of My Number information. Specifically, an organization must:
- Limit the use to administrative purposes specified in the My Number Act (e.g., payroll, withholding tax, social insurance) and only to those purposes specified in the notice given to individuals; consent from individuals will not be a justification for using the information more broadly (Article 9);
- Verify the individual’s identification when acquiring My Number information (Article 16);
- Not collect or store My Number or keep files that contain My Number except for the cases specified in Article 19 (Articles 20 and 28). Therefore, business entities must dispose of My Number information as soon as possible when it is no longer necessary (e.g., when an employee retires or leaves employment); and
- Not provide My Number information to third parties (other than service providers), even if the individual consents, except where provision of My Number to a third party is permitted under Article 19 (Article 19). In addition, a business entity may not request any individual to provide My Number information except where provision of My Number to a third party is permitted under Article 19 (Article 15).
Note that, similarly to the PIPL, outsourcing is possible without the individual’s consent, but business entities must exercise necessary and appropriate supervision over the vendor (Article 11).
A company that violates the My Number Act (such as by unlawful disclosure or provision of My Number or a My Number file to a third party) may be subject to criminal liability. The Act also provides for individual liability for employees who violate it (which includes imprisonment).
ACTION ITEMS BEFORE THE SYSTEM STARTS
If you have not yet taken any action to prepare for the initiation of the System, here are action items to be followed immediately:
- Identify work operations and staff that will be involved in handling My Number information.
- Decide new workflows involving My Number information.
- Prepare basic policy and guidelines/procedural manuals on how to handle My Number information, including the revision of work rules.
- Revise the computer system, if necessary, to capture and process My Number information and to prepare the appropriate security system required by the My Number Act and its administrative guidelines.
- Establish organizational systems: (i) basic policy, (ii) guidelines/procedural manuals, (iii) organizational measures, (iv) physical measures, and (v) technical measures, to safely manage My Number information.
- Implement training of employees before My Number is distributed this October.
CONSIDER WHETHER THE FOREIGN PARENT COMPANY CAN PROCESS INFORMATION OF JAPANESE SUBSIDIARY EMPLOYEES
According to the My Number Act, it is acceptable to share My Number information within a single legal entity, even if it contains multiple offices or branches. However, as a general rule, it is not allowed to share My Number information with different legal entities, including parent companies, subsidiaries or affiliates, because doing so will be construed as “provision of My Number” to a third party, which is prohibited under the Act. While it is a common practice, especially for global companies, to set up a centralized human resource (HR) system to handle employee information of group companies (e.g., the U.S. parent company collects and processes personal information of Japanese subsidiary employees), such a practice in the context of My Number information may cause a problem. Some solutions are possible, however.
The guidelines and FAQ are posted on the Specific Personal Information Protection Commission’s website (http://www.ppc.go.jp/en/legal/) or the Japanese Cabinet Secretariat’s website (http://www.cas.go.jp/jp/seisaku/bangoseido/english.html).