Basics of the Personal Information Protection Law | IT Passport Exam Prep
Organize the definitions of personal information, special care-required personal information, and anonymized processed information under the Personal Information Protection Law, along with business operator obligations and penalties, for the IT Passport exam.
What is the Personal Information Protection Law
The Personal Information Protection Law was enacted in 2003 and fully enforced in 2005. Since then, it has been revised every three years, so it's important to keep up with the latest developments. This law applies to all business operators handling personal information, and the exemption for small-scale operators was abolished in the 2017 revision. The supervisory authority is the Personal Information Protection Commission (PPC).
Definition of Personal Information
Personal information refers to information about a living individual that can identify a specific person. Typical examples include name, date of birth, address, facial photograph, and email address. Additionally, personal identification codes—such as My Number, driver's license number, and passport number—that can identify an individual on their own are also included as personal information.
Special Care-Required Personal Information
Special care-required personal information is personal information that requires particular care in handling. Specific examples include race, creed, social status, medical history, criminal record, and facts about being a crime victim. To obtain this information, the individual's consent is generally required.
Anonymized Processed Information
Anonymized processed information is personal information that has been processed so that specific individuals cannot be identified and the original information cannot be restored. It was introduced in the 2017 revision to enable the use of big data. As long as certain rules are followed, it can be provided to third parties without the individual's consent.
Main Obligations of Business Operators
Business operators have several important obligations. First, they must specify the purpose of use and notify the individual. They must also implement safety management measures to prevent leaks. Providing information to third parties generally requires the individual's consent, and requests for disclosure, correction, or suspension of use must be handled appropriately. Furthermore, if a leak occurs, reporting to the Personal Information Protection Commission and notifying the affected individual is mandatory.
Penalties
Violations of orders can result in imprisonment of up to one year or a fine of up to 1 million yen. For corporations, the 2020 revision introduced a heavy fine of up to 100 million yen.
Key Points for the IT Passport Exam
In this area, distinguishing between personal information, special care-required personal information, and anonymized processed information is frequently tested. Questions also cover the rules for third-party provision and the obligation to report leaks.
Typical Past Exam Question Patterns
- Questions of the form "Which of the following qualifies as special care-required personal information?"
- Questions of the form "Which is a correct characteristic of anonymized processed information?"
Related Terms
- Comparison with GDPR (What is GDPR)
- Encryption and leak countermeasures (Basics of Encryption)
Study Tips
Be able to state the definition of each of the three types of information in one line. It's important to memorize the principle of third-party provision (consent required) together with its exceptions (such as anonymized processed information). Also, memorizing the penalty amount of 100 million yen will help on the exam.
Summary
The scope of questions on the Personal Information Protection Law is limited to three areas: the three types of information, business operator obligations, and penalties. Mastering these will ensure you can score points. For comprehensive practice on the Strategy domain, check out the Strategy Summary, and for a full-length simulation, head to the Practice Exam.