Ritsumeikan Trust Personal Information Protection Regulations

April 13, 2005 Rule No. 637

(Purpose)
Article 1 The purpose of these Regulations is to protect individual rights and interests while taking consideration of the usefulness of personal information by setting down necessary matters regarding personal information handled by the Ritsumeikan Trust (hereinafter called "Trust") and schools established by the Trust.

(Definitions)
Article 2 The following terms as used herein have the following meanings, respectively:
(1) Personal Information
Information about a living individual containing the name, date of birth, or other description by which the specific individual can be identified (including such information as will allow easy reference to other information and will thereby enable the identification of a specific individual).
(2) Personal Information Database, etc.
An assembly of information including Personal Information systematically arranged in such a way that specific personal information can be retrieved by a computer, and an assembly of information designated by the Personal Information Protection Committee as set forth in Article 4 hereof as being systematically arranged in such a way that specific personal information can be easily retrieved.
(3) Personal Data
Personal information constituting Personal Information Database, etc.
(4) Students, etc.
Pupils and students enrolled at a school established by the Trust at present or in the past.
(5) Faculty and Staff, etc.
Officers of the Trust and persons employed by the Trust at present or in the past, including Students, etc. engaged in Business under the directions of faculty and staff.
(6) Business
The education and research activities of the Trust and the business as set forth in Articles 4 and 5 of the Bylaws of the Ritsumeikan Trust.
(7) Divisions/Offices
Organizations such as Divisions and Offices as set forth in Articles 4, 4-3, 4-4, and 5 of the Bylaws of the Ritsumeikan Trust.

(Responsibilities)
Article 3.1 The Trust must recognize the importance of Personal Information of Students, etc. and Faculty and Staff, etc., and take necessary measures for proper handling of Personal Information based on the recognition that it should be handled cautiously under the principle of respecting the personalities of individuals.
3.2 In case of obtaining and using Personal Information or providing the same for a third party, Faculty and Staff, etc. must comply with these Regulations.
3.3 Faculty and Staff, etc. must not leak Personal Information obtained through the Business to others for any other purpose than the Business.
3.4 Faculty and Staff, etc. must not use Personal Information Database, etc. improperly.
(deleted)

(Establishment of Personal Information Protection Committee)
Article 4.1 To attain the purpose of these Regulations, the Ritsumeikan Trust Personal Information Protection Committee (hereinafter called "Committee") will be established under the Executive Board of Trustees.
4.2 The Committee must report to the Executive Board of Trustees promptly its decisions regarding the matters set forth in Paragraph 1, Article 5.
4.3 Matters regarding the operation of the Committee will be determined by the Committee.

(Authority of Committee)
Article 5.1 The functions of the Committee will be as follows:
(1) Deliberation and decision of important matters regarding protection of Personal Information;
(2) Deliberation and recommendation regarding complaint filing;
(3) Establishment, revision, and abolition of detailed regulations required for the enforcement of these Regulations;
(4) Grasp of the situation of the execution of business using Personal Information handled by the Trust and the schools established by the Trust; and
(5) Any other matters deemed necessary by the Committee.
5.2 In case a school established by the Trust establishes a committee related to the protection of Personal Information (hereinafter called "Committee of Each School"), the authority held by the Ritsumeikan Trust Personal Information Protection Committee regarding the handling of the Personal Information on the Students, etc. and Faculty and Staff, etc. of the relevant school may be delegated to the Committee of Each School.

(Constitution of Committee)
Article 6.1 The Committee shall be composed of the following members:
(1) Chair: Personal Information General Administrator
(2) Vice-Chair:
Vice Personal Information General Administrator
Dean, Division of Academic Affairs, Ritsumeikan University
Dean, Division of Academic Affairs, Ritsumeikan Asia Pacific University
(3) Committee member:
Personal Information School Administrator
Dean, Division of Student Affairs, Ritsumeikan University
Dean, Division of Student Affairs, Ritsumeikan Asia Pacific University
Dean, Division of Integrated Primary and Secondary Education, Ritsumeikan University
Several other persons appointed by the Chair
6.2 The Committee may, when deemed necessary, cause persons other than the Committee members to attend a meeting to ask for their opinions.

(Establishment of Personal Information Administrators)
Article 7 To attain the purpose of these Regulations, the following Personal Information Administrators will be established:
(1) Personal Information General Administrator and Vice Personal Information General Administrator
(2) Personal Information School Administrator and Vice Personal Information School Administrator
(3) Personal Information Operational Administrator
2. (deleted)
3. (deleted)
4. (deleted)

(Personal Information General Administrator)
Article 7-2 The Personal Information General Administrator will be assumed by the Executive Trustee for General Affairs.
2. The Personal Information General Administrator will have authority and responsibilities for the protection of Personal Information of the Trust and supervise any and all Business regarding the protection of Personal Information at the Trust.

(Vice Personal Information General Administrator)
Article 7-3 The Vice Personal Information General Administrator will be assumed by the Managing Director, Division of General Affairs.
2. The Vice Personal Information General Administrator shall assist the Personal Information General Administrator and act on behalf thereof when he or she is absent.
(Personal Information School Administrator)
Article 7-4 The Personal Information School Administrator of Ritsumeikan University will be assumed by the Managing Director, Division of General Affairs; that of Ritsumeikan Asia Pacific University will be assumed by the Director; and that of an affiliated school will be assumed by the Principal.
2. The Personal Information School Administrator will make well known to the Faculty and Staff, etc. of the universities or schools under its charge the laws and regulations regarding the handling of Personal Information, these Regulations, and the rules, etc. on the handling of Personal Information prescribed by the Trust, establish the control method, etc. required for the proper handling of Personal Information, and perform educational activities.

(Vice Personal Information School Administrator)
Article 7-5 The Vice Personal Information School Administrator of Ritsumeikan University will be assumed by the Managing Director or the Deputy Managing Director of each Division; that of Ritsumeikan Asia Pacific University will be assumed by the Deputy Directors; and that of an affiliated school will be assumed by the Assistant Principal.
2. The Vice Personal Information School Administrator will establish the operation procedures, etc. for Personal Information of the field under its charge, make such procedures well known to its Faculty and Staff, etc., and oversee the compliance of the handling of Personal Information of the field under its charge with these Regulations and the prescribed procedures, etc.
3. The Vice Personal Information School Administrator will, when the Personal Information School Administrator is absent, act on behalf thereof according to the order designated by the Personal Information School Administrator in advance.

(Personal Information Operational Administrator)
Article 7-6 The Personal Information Operational Administrator will be assumed by the respective Administrative Manager.
2. The Personal Information Operational Administrator will establish the procedures regarding the Personal Information in the Business under its charge, make such procedures well known to its Faculty and Staff, etc., and give directions and make confirmation regarding the proper handling of Personal Information.

(Control of Personal Information in Class Management, etc. of Universities and Affiliated Schools)
Article 7-7 Notwithstanding the provisions of the preceding Article, in case it is required for materials, reports, papers, and theses related to class management and the execution of any other education activities in universities and affiliated schools, the person in charge of each class will be deemed to be the administrator of the Personal Information retained by such teacher. In such case, the relevant teacher must handle the Personal Information appropriately in accordance with the prescribed control method, etc. for Personal Information.

(Restricted Acquisition of Personal Information)
Article 8.1 Personal Information must be obtained with the purpose of use clearly defined and to the extent necessary to attain the purpose.
8.2 The following Personal Information may not be obtained:
(1) Matters regarding thought, faith, and religion; and
(2) Matters determined by the Committee as inappropriate including those that may cause social discrimination.
8.3 Personal information must be obtained directly from the subject person except in cases where the purpose of use is notified to the subject person or publicly announced; provided, however, that this shall not apply in the following cases:
(1) where the subject person's consent is obtained;
(2) where Personal Information on Students, etc. is provided by a group consisting of the graduates, etc. and the parents of the Students, etc. of a school established by the Trust;
(3) where there is an urgent need for the protection of the life, body, or property and it is difficult to obtain the consent of the subject person; and
(4) where the Committee recognizes that there is a due reason.

(Restricted Use of Personal Information)
Article 9 The Personal Information obtained may not be used for any other purpose than intended; provided, however, that this shall not apply in the following cases:
(1) where the consent of the subject person is obtained;
(2) where it is based on laws and regulations;
(3) where there is an urgent need for the protection of the life, body, or property and it is difficult to obtain the consent of the subject person;
(4) where the information needs to be used for investigation or statistics, etc.; and
(5) where the Committee recognizes that there is a due reason.
2. In case the purpose of use is changed, the changed purpose must be notified to the person or publicly announced; provided, however, that this shall not apply in cases of falling under the proviso of the preceding paragraph.

(Restricted Taking Out and Copying of Personal Information)
Article 9-2 It will be prohibited to take out Personal Information from schools; provided, however, that this shall not apply in the following cases:
(1) where the Personal Information Operational Administrator gives permission. In such case, the persons handling Personal Information must take measures necessary and sufficient to prevent external leaks of such information.
(2) where the Business using Personal Information is outsourced to an external contractor. In such case, an agreement on matters required for the protection of Personal Information must be made.
(3) (deleted)
2. The Faculty and Staff, etc. may not copy Personal Information without the permission of the Personal Information Operational Administrator.

(Restricted Third Party Provision)
Article 10.1 Personal Data may not be provided for a third party without the prior consent of the subject person; provided, however, that this shall not apply in the following cases:
(1) where it is based on laws and regulations;
(2) where there is a need for the protection of the life, body, or property of Students, etc. and it is difficult to obtain the consent of the subject person; and
(3) where the Committee recognizes that there is a due reason.
10.2 Personal information on Students, etc. may be provided within the scope required to attain the purpose of use for a group operating scholarship business, a group consisting of the graduates, etc. or the parents of the Students, etc., and other groups approved by the Committee.
10.3 In case of providing Personal Data for a third party, an agreement must be made in consideration of the following matters:
(1) that employees of the recipient of such data must not leak or make unauthorized use of Personal Information obtained through the handling of the relevant Personal Information;
(2) that a prior written approval of the Personal Information School Administrator must be obtained when the relevant Personal Data is re-provided;
(3) that the retention period, etc. at the recipient must be clearly established;
(4) that the Personal Data must be returned or destroyed or deleted by the recipient appropriately and securely after the purpose of use is attained; and
(5) that the recipient must be prohibited from copying or duplicating Personal Data (excluding making backups necessary for a security reason).
(Personal Information of Applicants and Successful Applicants, etc.)
Article 11 The Personal Information provided by the subject person for the purpose of becoming among the Student, etc. or Faculty and Staff, etc. of a school established by the Trust will be handled within the scope of use for such purpose and investigations or statistics, etc.

(Proper Control of Personal Data)
Article 12 The Vice Personal Information School Administrator must take appropriate measures for ensuring the security and accuracy of Personal Data regarding the following matters:
(1) to prevent falsification, leak, or loss of, or damage to Personal Data;
(2) to keep Personal Data accurate and updated within the scope required to attain the purpose of use; and
(3) to destroy or delete information promptly which does not need to be maintained any longer.

(Handling in Outsourcing)
Article 13.1 The Personal Information Operational Administrator must, in case of outsourcing the whole or any part of the Business of processing Personal Data, exercise necessary and appropriate supervision over the outsourcee to ensure the security of the outsourced Personal Data.
13.2 The Personal Information Operational Administrator must, in concluding an outsourcing agreement with the outsourcee, set forth in the agreement the terms regarding the prevention of falsification, leak, or loss of or damage to Personal Data, and the scope of the Business in case of exceptional re-outsourcing, as well as matters regarding the supervision over such re-outsourcee and the liabilities to be shared in the event of an accident.
13.3 The outsourcee must comply with the agreement as set forth in the preceding paragraph and protect Personal Data in executing the Business.
13.4 The outsourcee must not leak any Personal Data obtained through the Business to any person other than those set forth in the agreement for any purpose other than the Business, or use Personal Information Database, etc. improperly.

(Request for Disclosure, Correction, Suspension, etc. of Personal Data)
Article 14.1 Students, etc. and Faculty and Staff, etc. may file a request in writing to the Personal Information School Administrator for the relevant Personal Data to disclose Personal Data on themselves.
14.2 The Personal Information School Administrator must, in case of being requested by Students, etc. or Faculty and Staff, etc. to disclose Personal Data on themselves, disclose the relevant Personal Data without delay; provided, however, that in the following cases, the whole or any part of the Personal Data may not be disclosed. In such case, the Personal Information School Administrator must notify the requestor of the reason in writing:
(1) where there is a possibility of causing damage to the life, body, property or any other right or interest of the subject person or a third party; and
(2) where it may be a significant hindrance to the proper execution of the Trust business.
14.3 The Personal Information School Administrator must, in case of receiving a request from Students, etc. or Faculty and Staff, etc. for a correction, addition, or deletion of Personal Data on the grounds that there is an error in such Data (hereinafter called "Correction, etc.") and it is found that there is a reason for such request, make such Correction, etc. of such Personal Data without delay and notify the requestor of the result. In case of having determined not to make such Correction, etc., the Personal Information School Administrator must give the subject person a written notice to such effect.
14.4 The Personal Information School Administrator must, in case of receiving a request from Students, etc. or Faculty and Staff, etc. to suspend, delete, or stop provision for a third party, Personal Data on the grounds that the Personal Data is handled, obtained, or provided for a third party in violation of these Regulations (hereinafter called "Suspension, etc."), and it is found that there is a reason for such request, execute the Suspension, etc. of the relevant Personal Data without delay, and notify the requestor of the result. In case of having determined not to execute the Suspension, etc., the Personal Information School Administrator must give the requestor a written notice to such effect.

(Filing of Complaint)
Article 15.1 Students, etc. and Faculty and Staff, etc. who have a complaint about the measures taken in response to the request for disclosure, Correction, etc. or Suspension, etc. under the preceding Article may file a complaint with the Committee in writing.
15.2 The Committee, when receiving the filing of a complaint pursuant to the preceding paragraph, must investigate or deliberate such complaint promptly.
15.3 The Committee, when determining that there is a need for the investigation or deliberation by the filing of a complaint, may hear the opinions of involved persons including the filing person or the relevant Personal Information School Administrator.
15.4 The Committee, when determining that there is a reason for the filing, may recommend disclosure, Correction, etc. or Suspension, etc. to the relevant Personal Information School Administrator.
15.5 The Committee must notify the filing person of the result of deliberation in writing.

(Reporting Obligation and Investigation)
Article 16.1 Faculty and Staff, etc., if recognizing that there is any fact of an infringement on these Regulations in relation to the handling of Personal Information, must report it to the Personal Information School Administrator or the Committee promptly.
16.2 The Personal Information School Administrator, if recognizing that there is any possibility of an infringement on these Regulations in relation to the handling of Personal Information, must investigate the fact promptly, and report it to the Personal Information General Administrator.
16.3 The Personal Information General Administrator, when receiving the report as set forth in the preceding paragraph, must take necessary actions promptly and report the content thereof to the Committee.

(Secretariat)
Article 17 (deleted)

(Penalty)
Article 18 In the event that any Faculty and Staff, etc. is in violation of the responsibilities set forth in these Regulations, such Faculty and Staff, etc. may be disciplined pursuant to the Ritsumeikan Trust Employee Working Regulations or the Ritsumeikan Asia Pacific University Faculty and Staff Working Regulations; provided, however, that the discipline of Students, etc. will be governed by the rules of the school to which the relevant student belongs.

(Revision and Abolition)
Article 19 The revisions and abolitions of these Regulations will be executed by the Executive Board of Trustees after the deliberations of the Committee.

Supplementary Provision (April 1, 2009 partial revision on the restrictions on taking out Personal Information and the procedures to change the purpose of use, etc.)
These Regulations will take effect as of April 1, 2009.
Supplementary Provision (January 20, 2010 partial revision on the establishment of the Personal Information Administrator)
These Regulations will take effect as of April 1, 2010.

ページトップへ