Japan's Privacy Laws and 9ine's Japan Handbook

During 2020, Japan’s Act on the Protection of Personal Information (“APPI”) underwent amendments resulting in the expansion of data protection requirements for schools. The amendments, which will come into full effect in spring 2022, require schools to be more transparent, to account for the security of personal data, and bring higher penalties should these obligations be neglected. Although the updated provisions will not be in place for a short while, schools residing in Japan should be educating and informing themselves on how these amendments will affect the way they handle their privacy compliance programme.

Every three years, Japan reviews the APPI to ensure that it is at a sufficient standard taking into consideration new technologies and practices that affect the way that data is processed, used and shared. This sometimes translates into major regulatory changes to which organisations must adapt.

Personal Information Processing under the APPI

In general, the APPI requires business operators, such as independent schools, to:

• Inform individuals, in a readily accessible manner and prior to the collection of information, about the purposes for using their personal information;
• obtain individuals’ consent for the processing of sensitive data;
• use personal information only to the extent necessary to achieve the purposes for which it was collected;
• delete the information that is no longer needed;
• keep personal data accurate and up to date;
• protect the information from loss or unauthorised access; and
• supervise employees and contracted third parties handling personal information.

Expanded Individual Rights

The APPI will be introducing more rights for data subjects (such as staff, students, and parents), protecting them further and leaving them with more autonomy over what happens with their data. Under APPI’s expanded rights, individuals may request their information held by a school, which has to be provided in writing and without delay (certain exceptions apply). The right of deletion and cessation of use will allow data subjects to either request for their data to be erased by the school processing that data, or suspend the processing activities. This can be requested if a data subject feels that the processing of their data is unnecessary, and when it could harm their rights or legitimate interests.

Will Appointing a Data Protection Officer be Mandatory?

The APPI does not require appointing a data protection officer in your school, however, it has been recommended by the Personal Information Protection Commission as an example of a security measure that could be put in place to protect the information entrusted to the organisation. The data protection officer ensures that data protection responsibilities are shared between departments in a fair and attainable manner, and tasks are delegated in an appropriate way. Having a dedicated member of staff or team that can work towards APPI compliance advances a compliance programme exponentially. Read what Catriona Thompson, Bursar at Kingham Hill School in the UK, had to say on her journey towards compliance, and the lessons that your school can learn from Europe in our Education Privacy Magazine.

9ine’s Japan Handbook

In light of the amendments to the APPI, 9ine has taken to action and created the Japan Handbook to discuss the changes to the APPI and the ways in which your school can act so that your privacy compliance programme meets the new compliance requirements. Within the Handbook, you will be informed on:

• The timeline of selected privacy laws in Japan
• The current legal framework of the Protection of Personal Information
• An overview of selected privacy laws
• The 2020 Amendments to the APPI
• The extraterritorial scope of certain international laws
• The European Commission’s adequacy decisions and Japan’s whitelist
• Vendor Management
• Information & cyber security
• Operationalising data protection with 9ine

The Handbook provides schools with an in-depth insight into how the amendments to Japanese data protection laws will affect them, and how they can act off the back of the changes. In understanding this, schools that reside in Japan will be better equipped to alter and advance their privacy compliance programme.

Understanding the current legal framework and the changing legal landscape in Japan will allow your school to keep informed, promoting best practices within your privacy compliance programme.

Vendor management and international data transfers are weaving their way into a copious amount of countries’ data protection laws. Understanding how and when it is safe to transfer personal data to vendors located outside the country is imperative to protect your data subjects and your school, thus helping you to keep in line with your obligations as a business operator.

What else is 9ine doing?

Through our experience, 9ine has found that there is a lack of formal, structured training for school IT professionals, that is why we created the 9ine Technical Academy which focuses on security hardening, reducing vulnerabilities in school systems. This training programme will provide instructional, methodical, and applicable training on how IT teams can improve cyber security and IT systems operational performance at their school.

Alongside the 9ine Technical Academy, there is also the 9ine Privacy Academy. A series of training sessions in which 9ine data privacy experts will give members of your staff applicable resources and information to advance your data privacy compliance programme. Each course workshop will feature examples and case studies using the 9ine App as a resource. For example, how to perform data mapping and Records of Processing, and the process of a DPIA. In attending the 9ine Privacy Academy, your school will be well equipped to advance your privacy compliance programme.

If you would like to learn more about how 9ine can help your school with your privacy compliance programme, and ensure that the data of your students, staff, and parents is protected