Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Privacy Law & Policy Reporter --- "Legislation and guidelines" [1997] PrivLawPRpr 51; (1997) 4(5) Privacy Law & Policy Reporter 93

• JAPAN’S PRIVATE SECTOR GUIDELINES
  
  • Comment
    
• DRAFT CODE ON PERSONAL IDENTIFIERS (HK)
  

Legislation & guidelines

JAPAN’S PRIVATE SECTOR GUIDELINES

Guidelines concerning the protection of computer processed personal data in the private sector (draft)

Ministry of International Trade and Industry (MITI), Notification No 98, 4 March 1997

Japan’s MITI released draft privacy guidelines for the private sector in March 1997. It is now consulting with industry associations and hopes to finalise the guidelines by April 1998. Article 1 states that their purpose is to ‘help business organisations to establish guidelines for each industry sector’, so they seem to be intended as a framework from which sector-specific guidelines may be derived. Article 4 states that provisions to the guidelines may be ‘added or revised’ at the industry sector or enterprise level

The guidelines do not contain any method of enforcement other than requirements that each enterprise designate a person as ‘the manager of personal data’ (Art 22), and this manager is then responsible ‘for causing employees to understand and observe these guidelines’, through training, implementing security measures and a compliance program (Art 24). There is no provision for independent investigation or consumer complaints or any remedies.

The twenty four Articles in the guidelines follow the standard pattern that has developed since the OECD Guidelines (1980) to the EU Directive (1995), but are weakened at a few key points to accommodate business interests. For example, while Art 10 incorporates the finality principle, stating that ‘The use of personal data shall, in principle, be limited within the scope of the purpose of collection’, Art 11(6) provides an exception where ‘the use is necessary for the legitimate interests of enterprise, or a third party or other parties that the personal data are disclosed to, in so far as the interests of the data subject are not infringed’. A ‘business interests’ clause not usually found in such formulations. There is also a further blanket device by which enterprises can change the original purposes of collection through ‘giving the data subject an opportunity to refuse prior to use’ (which requires written notification). In other words, a right to use personal data for any purpose, subject to an ‘opt out’ right for the data subject.

Special protection is given to certain categories of ‘sensitive’ data (using the European terminology), which may not be ‘collected, used or disclosed’ without the data subject’s explicit consent, special laws or for judicial procedures (Art 7). These categories are (i) race or ethnicity; (ii) family origin or legal domicile; (iii) religion, political opinions or trade union membership; and (iv) health, medical treatment or sex life.

Comment

The MITI guidelines seem to do little in themselves to meet the requirements of the European Union in relation to ‘adequate’ privacy protection. They probably fail on all criteria: insufficient fidelity to principles (the blanket ‘opt out’ approach to finality is close to the weakest possible implementation); no independent supervisory or enforcement mechanisms; and no prohibition on on-transfer to jurisdictions without adequate protection.

Graham Greenleaf, General Editor.

DRAFT CODE ON PERSONAL IDENTIFIERS (HK)

Privacy Commissioner for Personal Data, Hong Kong Draft Code of Practice on Personal Identifiers 29 August, 1997

Hong Kong’s Privacy Commissioner has issued for public consultation a Draft Code of Practice on Personal Identifiers for protecting personal data privacy in relation to personal identifiers (including the identity card number, the most common personal identifier in Hong Kong). The Personal Data (Privacy) Ordinance requires the Privacy Commissioner to issue and approve such a code. Under the Ordinance, personal identifiers are identifiers (usually a set of numbers and/or letters) that are assigned by an organisation to an individual which identify the individual uniquely.

Stephen Lau, Privacy Commissioner for Personal Data, said that the widespread use of the identity card number in Hong Kong had raised concerns that it may be misused for fraudulent purposes, assisted by the public display and disclosure of identity card numbers with the names of the identity card holders and the widespread practice of collecting and holding copies of the identity card. Also, it ‘is sometimes collected for unnecessary or trivial purposes’, and there is also a danger that it can be used to combine personal data held by different organisations.

The following major recommendations are contained in the draft code:

• Collection — Generally speaking, the identity card number should only be collected for identification and ensuring that a record is correctly attributed to an individual where such collection is necessary to advance the interests of the individual, to prevent the individual or some other persons from suffering a detriment or to safeguard against a loss by the collecting party that is more than trivial. Collection of identity card number is also allowed when such collection is authorised or required by statute.
• Manner of collection — The identity card number should be collected or checked by means of the physical production of the identity card in person by the individual, unless the individual chooses voluntarily to provide a copy instead.
• Use — The identity card should only be used for the permitted purposes for collection and to link or process personal records within a single data user, but not among different data users. For example, records held by different data users containing personal data relating to a particular individual cannot be linked using the identity card number to create an overall profile of that individual.
• Copies — Generally speaking, other than the Immigration Department or a law enforcement agency, no data user may require an individual to provide a copy of an identity card. Data users may however accept a copy if the individual chooses voluntarily to provide this in place of the physical production of the identity card for identification, but the copy must be destroyed once the identity card number is recorded.
• Public display — Unless required or authorised by law, the identity card together with the name of the holder or a copy of an identity card should not be displayed publicly.

To allow time for organisations to make changes to their current practices and systems, the draft code provides for the requirements with regard to the collection and use of personal identifiers to come into force one year after the final version of the code is approved.

Edited from the Commissioner’s press release. The consultation paper is on the Commissioner’s web site at http://www.pco.org.hk (General Editor)