1 of 24

Japanese Information Banks

MyData Global community webinar 19 July 2019

These slides: https://mydata-global.org/community-webinar-japan-data-banks

2 of 24

Konnichiwa!

Viivi Lähteenoja

Deputy General Manager, MyData Global

viivi@mydata.org, @viivilahteenoja, @mydataorg

3 of 24

Why Data Banks?

4 of 24

2011 Tōhoku earthquake and tsunami

CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=14641958

5 of 24

What Are They?

6 of 24

Nomenclature

  • Data Bank
  • Information Bank
  • Personal Data Trust Bank
  • “Trusted Personal Data Management Service” TPDMS

7 of 24

8 of 24

Who’s Involved?

9 of 24

Government & NGO Actors

  • Ministry of Internal Affairs and Communications (MIC)
  • Cabinet Secretariat
  • Ministry of Economy, Trade and Industry (METI)
  • Information Technology Federation of Japan (IT Renmei)

10 of 24

Legal landscape

11 of 24

The Act on the Protection of Personal Information (APPI, 2016)

Article 23

“(1) A personal information handling business operator shall, except in those cases set forth in the following, not provide personal data to a third party without obtaining in advance a principal's consent.

(i) cases based on laws and regulations

(ii) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a principal's consent

(iii) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent

(iv) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs.”

12 of 24

The Basic Act on the Advancement of Utilizing Public and Private Sector Data (2018)

Article 12

“For the purpose of promoting the smooth circulation of public and private sector data concerning individuals, the State is to develop the foundations for enabling a wide variety of actors to utilize in an appropriate manner public and private sector data concerning individuals, with the participation of the relevant individuals, and to implement other necessary measures while giving consideration to the protection of the competitive position and other legitimate interests of companies.”

13 of 24

Certification

14 of 24

Guideline ver 1.0 on Certification of “Personal Data Trust Bank” by the Japanese Government

  • The certification criteria are intended for a voluntary mechanism to certify business operators that meet a certain standard, where the certification serves as a criterion for individuals to choose a reliable/trusted service.

  • The voluntary certification focuses on the flow of personal data with the individual’s involvement (enhancement of controllable functions) and on securing reliability/trust from individuals.

15 of 24

Guideline ver 1.0 on Certification of “Personal Data Trust Bank” by the Japanese Government

CERTIFICATION CRITERIA

  • Management system
  • Information security
  • Governance system such as “Data Ethics Board”
  • Specification of acquisition method and purpose of utilization on personal data
  • Functions for individuals’ controllability
  • First stop liability for damages against individuals

16 of 24

Certification Issuers

  • The Japanese government considered becoming the trusted party which would issue certifications but decided against it
  • In principle, there can (and will) be multiple trusted parties issuing certifications
  • At the moment, the only authorised certification issuer is the Information Technology Federation of Japan, IT Renmei

17 of 24

18 of 24

Two Types of Certificates by IT Renmei

  • "Normal accreditation" provides safe and secure services by ensuring that the plan, operation and execution system conform to the accreditation criteria, and review is continued, targeting the business under which the "Information Bank" service is in progress.
  • "P certification" is a preliminary certification certifying that the plan, operation and execution system meet the certification criteria before the "Information Bank" service starts. After starting the service, the organisation will aim to obtain "normal certification" through planning, operation and improvement.

19 of 24

Cost and Duration of IT Renmei certification

  • Examination fee: 700,000 yen (estimate)

※ Changes according to the presence or absence of privacy mark, ISMS certification acquisition, business scale.

  • Accreditation fee: 500,000 yen / case, valid for 2 years
  • Duration of certification process: about 4 months

※ Fluctuates by the existence of local examination, questions and answers, excess of application acceptance, etc.

20 of 24

Existing Banks

21 of 24

Two “P” Authorised TPDMS

22 of 24

Companies and Products Planning to Become Data Banks

23 of 24

Political will

24 of 24

The “Osaka Track”

by Prime Minister Abe

“An overarching framework promoting cross-border data flow with enhanced protections … “Data Free Flow with Trust” concept, a move spearheaded by Japan that calls for the creation of a set of international rules enabling the free movement of data across borders. … seeks to standardize rules in global movement of data flows with better protection in personal information, intellectual property and cybersecurity.”

  • Announced at the WEF Annual Meeting in 2019
  • Promoted at the G20 Summit in Osaka in 2019