Japan: Protecting personal information

Author: | Published: 22 Feb 2016
Email a friend

Please enter a maximum of 5 recipients. Use ; to separate more than one email address.

Nagashima Ohno & Tsunematsu


JP Tower, 2-7-2 Marunouchi
Chiyoda-ku, Tokyo 100-7036


+81 3 6889 7000


+81 3 6889 8000 Visit Website
Takahiro Kitagawa

On January 1 2016, the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the so-called My Number Act) came into full force. Under this legislation, each resident in Japan has received their own 12-digit individual number (known as their My Number). This unique identifier will be used for administrative procedures relating to social security, taxation and disaster response.

Private businesses must deal with their employees' individual numbers for tax and social insurance purposes. In addition, financial institutions such as banks, security companies and insurance companies will also need to obtain the individual numbers of customers and note them on documentation to be submitted to tax offices.

Private businesses must implement appropriate safety management measures when handling these numbers. These include systematic, personnel, physical and technical measures to prevent leakage, loss or impairment of the individual codes in accordance with the legislation and the official guidelines. These guidelines include an exception to reduce the administrative burden of small and medium companies with less than 100 employees. However, this special rule does not apply to financial institutions since they handle substantive customers' My Numbers. Therefore, regardless of their scale, companies must implement high-standard safety management measures as required under the guidelines.

On September 9 2015, an act for the partial amendment to the Act on the Protection of Personal Information (the Amendment Act) was promulgated. This will become effective by September 9 2017.

The current Act on the Protection of Personal Information applies only to private businesses handling substantive personal information (more than 5,000 persons). However, the Amendment Act eliminates this requirement. This means that all entities handling personal information must comply with the Act on the Protection of Personal Information. This includes: providing notice, at the time of acquisition, of how the personal information will be used; restricting the sharing of this data with third parties; and implementing safety management measures.

Takahiro Kitagawa