2 of 16

Whether or not there are black box data intermediaries, information asymmetry abounds and not enough trust was formed for data to freely flow per DFFT.

Individuals

- -

Personal

Data A

Personal

Data B

Personal

Data C

Company A

Company B

Company C

- -

Company Y

Company Z

- -

Company X

※ individual’s consent on conditions for provision to a 3^rd party

※※ controllability by individuals

Personal

Data

TPDMS Certification

by IT renmei

Black Box

Are not my data being mis-used?

I cannot know if receivers are good.

Has the data been give lawfully?

3 of 16

TPDMS aka “Information bank” is a mechanism that �reduces the information asymmetry.

Individuals

- -

Personal

Data A

Personal

Data B

Personal

Data C

Company A

Company B

Company C

- -

Company Y

Company Z

- -

Company X

※ individual’s consent on conditions for provision to a 3^rd party

※※ controllability by individuals

Personal

Data

TPDMS Certification

by IT renmei

Transparecy and control rocks!

Now I know the receiver follows good practice.

We can now used the data as it was collected and released lgitimately.

Transparency

Accountability

Participation

Control

4 of 16

Requires “Data Ethics Board”

Individuals

TPDMS

“Data Ethics Board”

　・・

■ ■ ■

・

●To report regularly

●To ask advice

●To review

i) data collection method,

ii) purpose/utilization of data,

iii) examination for third parties which will be provided etc.

●To suspend usage of data

Multi-stakeholders from

data/info system engineers,
security experts, lawyers, �data ethics specialists,
consumer representatives,
privacy specialists etc

TPDMS Certification

- IT renmei -

ITrenmei

Third Parties

●To provide benefit●

Agreement for Data Provision

Agreement for Data Entrustment

- -

5 of 16

TPDMS Certification Scheme

TPDMS Certification Scheme ensures that

handling of data at Personal Data (Trust) �Banks are following standard and ethical; and
proper oversite of its processing as well as �that of the source and destination of the data �is implemented.

Individuals

- -

Personal

Data B

Company B

- -

Company Y

Transparecy and control rocks!

Contractual relationship

Based on a model contract

　・・

■ ■ ■

・

Personal Data（Trust）Bank

Contractual relationship

Based on a model contract

Data is lent, not sold. Just like when Banks give loans, Company Y will be scrutinized on its business model, management system, etc.

6 of 16

The data handled by "Personal Data（Trust）Bank"

The handling restrictions set for "personal information" do not apply to Statistical Data and Anonymously Processed Information.
However, if thePersonal Data（Trust）Bank processes personal information and provides the Processed Information, regarding that fact and the benefits (including the presence or absence of benefits) to the individual due to the provision. It is necessary to disclose necessary information to individuals.

The business handles Personal Data.

The business handles Statistical Data and Anonymously Processed Information.

The business handles Personal Data, Statistical Data and Anonymously Processed Information.

7 of 16

Soft Law (Co-regulation) by Public-private Initiative

①Basic Act on Advancement of Utilizing Public and Private Sector Data, enacted in Dec. 2016

②Interim Report by WG for Data Utilization in AI/IoT era (National ICT Strategy Office, Cabinet Secretariat), (Feb. 2017)

④ Guideline on Certification of Personal Data (Trust) Bank, ver.1.0 (MIC & METI^*3), (June 2018)

③ Interim Report (ICC^*1 at MIC^*2), (July 2017)

Promote Appropriate Utilization of Personal Data by Multi-stakeholder Under Participation of Individuals

Personal Data (Trust) Bank as Effective Framework to Promote Personal Data Utilization under Participation of Individuals

Voluntary Certification Scheme by Private Body to Socially Acknowledge Qualified Personal Data（Trust）Bank

1) Qualification, 2) Model Terms and Conditions, 3) Governance, �for Individuals’ Controllability and Trust

*1 ICC：Information and Communications Council

*3 METI：Ministry of Economy, Trade and Industry

*2 MIC：Ministry of Internal Affairs and Communications

⑤ Policy Recommendation for TPDMS^*4Certification at WG of ICC, in April 2017

“Data Ethics Board”, Privacy Notices as Binding Standard Contracts and others as requirement for operators

⑥ Guidebook ver.1.0 for TPDMS Certification Application, (Dec. 2018)

Based on the Guideline, Starting TPDMS Certification Programme for a safe and secure services/operators

*4 TPDMS：Trusted Personal Data Management Service

8 of 16

TPDMS Mark as the indicator of the trustworthiness

【P-Certification】

【Certification】

●Plan, Preparation, Possible

●Privacy by Design

●Security by Design

●PDCA（Plan, Do, Check, Action）

cycle

TPDMS Mark could show to individuals that Personal Data (Trust) Bank which they use is safe and secure, which is based on international standards for privacy protection and information security such as ISO/IEC 29100 and 27001

9 of 16

Relationships to ISO Standards

Current certificaiton scheme is based on:

Security Management

ISO/IEC 27001 Information security management systems — Requirements
ISO/IEC 27002 Code of practice for information security controls

Privacy Enhancement

ISO/IEC 29100 Privacy framework
ISO/IEC 29134 Privacy Impact Assesment Guideline
ISO/IEC 29184 Online privacy notice and consent^*1 (2020)
ISO/IEC 27701 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines^*2 (2019)

But they do not cover what are required to run the scheme in its entirety as the scheme incorporate local standards, experts & public consultation results, as well.

*1 Current certification scheme is based on the precursor of the standard, a METI guideline on Notice and consent, and to be aligned.

*2 To be aligned.

Certification Scheme

10 of 16

However, such gaps are yet to be identified

IT Renmei is currently undergoing the study to identify gaps between TPDMS scheme and international standards.

E.g., �1) Good practice guidance on the composition and operation of Data Ethics Board, �2) Code of practice for communicating consent record, �3) Protocol for communicating change in consent, 4) Protocol for secure transfer of personal data, etc.

Implementation Experiences

TPDMS Scheme

ISO/IEC 27001

ISO/IEC 27002

ISO/IEC 29100

ISO/IEC 27701

ISO/IEC 29134

ISO/IEC 29184

ISO/IEC TS 27560

OIDF FAPI

IETF OAuth

GPG Data Ethics Board

GPG Privacy Control Hub

Once properly identified, plan is to start a PWI^*1 at ISO/IEC JTC 1 SC27 -- Please join the effort

*1 Pleriminary Work Item

11 of 16

Potential Work Items

1) Good practice guidance on the composition and operation of Data Ethics Board (DEB)

Provides guidance on how to compose the DEB, what DEB should consider for the oversight, etc.

2) Code of practice for communicating consent record

Provides guidance on how to communicate the basis of the processing to the data subject so that they can search and excercise their rights at a later date.

3) Protocol for communicating change in consent

When data subject changes his preference at the Information Bank, it should propagate to the receivers.

4) Protocol for secure transfer of personal data

Standardized security profile and the payload format for the transfer of the data.
Bindings of data at the source and identities at the intermediary.

ISO/IEC WD TS 27560 Consent record information structure

Perhaps starting PWI (Preliminary Work Item) later at ISO/IEC JTC 1/SC 27/WG 5?

Under investigation. e.g.

OIDC Claims Aggregation (OIDF)
FAPI (used by UKOB, ACDS, etc.) (OIDF)
OIDC4IDA (OIDF)
Consumer Data Standard (AU Data61)

Under investigation.

12 of 16

Relationship with proposed Data Governance Act

ITRenmei understands that TPDMS can be closely related to the proposed Data Governance Act
It has started the investigation on the relationship but it is yet to be completed.
ITRenmei appreicates if there are organizations and occations that allows us to compare the notes to further the understandings.

13 of 16

Summary

TPDMS is a mechanism that helps reduce the information asymmetry among the data economy participants by implementing transparency, accountability, and controllability by individuals.
TPDMS Certification Scheme formed by Public-Private partnership will help the trust formation by removing the need to verify by each participants.
Some gaps are being identified between what we have learned and what we have as standards.
Some of the items are expected to be ready to be studied internationally at international standardization forums (e.g., ISO) later this year.

14 of 16

Backup Slides

15 of 16

Information Technology Federation of Japan

■ Established in July 2016

■ President: Mr. KAWABE, Kentaro

　　　　　　　　　（CEO, Yahoo! Japan/Z Holdings）

■ One of the largest federation

　　of IT industry in Japan

- Over 60 Associations

- Around 5,000 Companies

- Around 4,000,000 Employees

Assoc.

Company

Assoc.

Company

Assoc.

Company

・・・

IT renmei

16 of 16

Multi-stakeholder Governance for TPDMS Certification

Board of Directors

Senior

Executive Director

Committee for TPDMS Promotion

Subcommittee for TPDMS Certification

Subcommittee for Promotion

Audit and Advisory Committee

Certification Board

Support Desk

Publicity WG

Govt Observer

MIC, METI,

National ICT Strategy Office, Cabinet Secretariat

● Appoint the chairman of committee for TPDMS Promotion

● Approve the budget for promotion of TPDMS such as certification, etc.

● Check TPDMS certification in order for fairness

● Report audit result to the board of directors etc.

ITrenmei

Members are experts from law, consumer protection, security, privacy, information system, data ethics etc.