Privacy Law and Policy Reporter
Guidelines concerning the protection of computer processed personal data in the private sector (draft)
Ministry of International Trade and Industry (MITI), Notification No 98, 4 March 1997
Japan’s MITI released draft privacy guidelines for the private sector in March 1997. It is now consulting with industry associations and hopes to finalise the guidelines by April 1998. Article 1 states that their purpose is to ‘help business organisations to establish guidelines for each industry sector’, so they seem to be intended as a framework from which sector-specific guidelines may be derived. Article 4 states that provisions to the guidelines may be ‘added or revised’ at the industry sector or enterprise level.
The guidelines do not contain any method of enforcement other than requirements that each enterprise designate a person as ‘the manager of personal data’ (Art 22), and this manager is then responsible ‘for causing employees to understand and observe these guidelines’, through training, implementing security measures and a compliance program (Art 24). There is no provision for independent investigation or consumer complaints or any remedies.
The twenty-four Articles in the guidelines follow the standard pattern that has developed from the OECD Guidelines (1980) to the EU Directive (1995), but are weakened at a few key points to accommodate business interests. For example, while Art 10 incorporates the finality principle, stating that ‘The use of personal data shall, in principle, be limited within the scope of the purpose of collection’, Art 11(6) provides an exception where ‘the use is necessary for the legitimate interests of enterprise, or a third party or other parties that the personal data are disclosed to, in so far as the interests of the data subject are not infringed’. This is a ‘business interests’ clause not usually found in such formulations. There is also a further blanket device by which enterprises can change the original purposes of collection through ‘giving the data subject an opportunity to refuse prior to use’ (which requires written notification). In other words, this amounts to a right to use personal data for any purpose, subject to an ‘opt out’ right for the data subject.
Special protection is given to certain categories of ‘sensitive’ data (using the European terminology), which may not be ‘collected, used or disclosed’ except with the data subject’s explicit consent, under special laws or for judicial procedures (Art 7). These categories are (i) race or ethnicity; (ii) family origin or legal domicile; (iii) religion, political opinions or trade union membership; and (iv) health, medical treatment or sex life.
The MITI guidelines seem to do little in themselves to meet the requirements of the European Union in relation to ‘adequate’ privacy protection. They probably fail on all criteria: insufficient fidelity to principles (the blanket ‘opt out’ approach to finality is close to the weakest possible implementation); no independent supervisory or enforcement mechanisms; and no prohibition on on-transfer to jurisdictions without adequate protection.
Graham Greenleaf, General Editor.
Privacy Commissioner for Personal Data, Hong Kong: Draft Code of Practice on Personal Identifiers, 29 August 1997
Hong Kong’s Privacy Commissioner has issued for public consultation a Draft Code of Practice on Personal Identifiers for protecting personal data privacy in relation to personal identifiers (including the identity card number, the most common personal identifier in Hong Kong). The Personal Data (Privacy) Ordinance requires the Privacy Commissioner to issue and approve such a code. Under the Ordinance, personal identifiers are identifiers (usually a set of numbers and/or letters) that are assigned by an organisation to an individual which identify the individual uniquely.
Stephen Lau, Privacy Commissioner for Personal Data, said that the widespread use of the identity card number in Hong Kong had raised concerns that it may be misused for fraudulent purposes, assisted by the public display and disclosure of identity card numbers with the names of the identity card holders and the widespread practice of collecting and holding copies of the identity card. Also, it ‘is sometimes collected for unnecessary or trivial purposes’, and there is also a danger that it can be used to combine personal data held by different organisations.
The following major recommendations are contained in the draft code:
To allow time for organisations to make changes to their current practices and systems, the draft code provides for the requirements with regard to the collection and use of personal identifiers to come into force one year after the final version of the code is approved.
Edited from the Commissioner’s press release. The consultation paper is on the Commissioner’s web site at http://www.pco.org.hk (General Editor).