With the rapid development of information technology, the use of personal information about individuals is increasing. To help protect the rights and welfare of individuals, the Law Concerning Protection of Personal Information was promulgated on May 30, 2003. The new law harmonizes protection of personal information (as defined in the law) and the use of personal information. The law sets out not only basic policies for the protection of personal information but also basic obligations for any enterprise that uses a personal information database for business. Similar obligations for the public sector are also prescribed by separate laws.
Under the new law, any enterprise that uses a personal information database for business must generally fulfill certain obligations, such as:
- it must specify the purpose for which the personal information will be used and not use the personal information beyond what is necessary to achieve that purpose without the prior consent of the individual to whom the personal information relates;
- it must disclose the purpose at the time the personal information is obtained and not obtain personal information by unfair means;
- it must maintain the personal information correctly and update the personal information to the extent necessary to achieve its intended purpose;
- it must control the security of the personal information;
- if requested, it must disclose the personal information to the individual to whom the information relates, correct the personal information unless the information is true, and cease to use or delete the personal information if it is obtained or used illegally; and
- it must treat the claims of the individual appropriately and swiftly.
In addition, the new law generally provides that an enterprise may not disclose an individual's personal information to a third party without the individual's prior consent. However, there are two main exceptions to this rule where prior consent is not required. First, an enterprise may disclose an individual's personal information to a third party provided that the enterprise ceases disclosing such information if requested by the individual and the individual has been informed of this right. Second, the law provides the following three specific circumstances where prior consent is not required:
- when the enterprise delegates the handling of personal information to another enterprise to the extent necessary to achieve the intended purpose of such information;
- when the personal information is provided in accordance with succession to business operations for a reason such as a merger; and
- when the personal information is used jointly among specified persons and the individual is given information concerning the joint use.
Accordingly, the law makes it possible, for example, for financial institutions to exchange default information if individuals are informed about the joint use.
Special measures to protect personal information at a higher level, on sensitive subjects such as credit information, are expected to be promulgated in the future.