Ritsumeikan Trust Personal Information Protection Regulations

 This English document is a reference translation of the Japanese version of Ritsumeikan Trust Personal Information Protection Regulations (Gakkō Hōjin Ritsumeikan Kojin Johō Hogo Kitei). The official text of the Regulations is the Japanese version. If there are any contradictions between the Japanese version and this reference translation, the former shall prevail.

April 13, 2005 Rule No. 637

Chapter 1: General Provisions

Article 1: Purpose
In accordance with the Ritsumeikan Trust Privacy Policy, the purpose of these Regulations is to protect individual rights and interests while ensuring the proper and smooth operation of the affairs and business of the Ritsumeikan Trust (hereinafter called "Trust") and schools established by the Trust, ensuring that the proper and effective use of personal information contributes to the improvement of the quality of education, research, etc. of the Trust and schools established by the Trust, and otherwise taking consideration of the usefulness of personal information by stipulating necessary matters regarding personal information handled by the Trust and schools established by the Trust.

Article 2: Definitions
The following terms as used herein have the following meanings, respectively:
(1) Personal Information
(i) Information about a living individual containing a name, date of birth, or other descriptions etc. (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other form that cannot be recognized by human senses); the same applies hereinafter) whereby a specific individual can be identified (including details which can be readily collated with other information and thereby identify a specific individual).
(ii) Information containing an individual identification code.
(2) Individual Identification Code
Codes prescribed in Article 1 of the Cabinet Order to Enforce the Act on the Protection of Personal Information (hereinafter called “Cabinet Order”) which are any character, letter, number, symbol or other codes falling under any of each of the following items:
(i) Codes able to identify a specific individual that are a character, letter, number, symbol or other codes into which a bodily partial feature of the specific individual has been converted in order to be provided for use by computers
(ii) Character, letter, number, symbol or other codes which are assigned in regard to the use of services provided to an individual or to the purchase of goods sold to an individual, or which are stated or electromagnetically recorded in a card or other document issued to an individual so as to be able to identify a specific user or purchaser, or recipient of issuance by having made the codes differently assigned or, stated or recoded for the user or purchaser, or recipient of issuance
(3) Special Care-Required Personal Information
Personal Information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Article 2 of the Cabinet Order as those for which handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal
(4) Pseudonymized Information
Information about an individual obtained by processing personal information so that the individual cannot be identified unless the information is cross-checked with other information according to measures stipulated in the following items according to the category of personal information listed in the relevant item.
(i) Personal information falling under Item (1), Sub-item (i): Deleting part of the identifiers, etc. contained in said personal information (including replacing the part of the identifiers, etc. with other identifiers without following patterns that enable its restoration.)
(ii) Personal information falling under Item (1), Sub-item (ii): Deleting all individual identification codes contained in the personal information (including replacing the individual identification codes with other identifiers, etc. without following patterns that enable restoration of the individual identification codes).
(5) Anonymized Information
Information on individuals obtained by processing personal information so that specific individuals cannot be identified according to measures stipulated in the following items according to the category of personal information listed in the relevant item, and where said information cannot be restored)
(i) Personal information falling under Item (1), Sub-item (i): Deleting part of the identifiers, etc. contained in said personal information (including replacing the part of the identifiers, etc. with other identifiers without following patterns that enable its restoration.)
(ii) Personal information falling under Item (1), Sub-item (ii): Deleting all individual identification codes contained in the personal information (including replacing the individual identification codes with other identifiers, etc. without following patterns that enable restoration of the individual identification codes).
(6) Personal Information Database, etc
Databases set forth in the following which are a collective body of information comprising personal information (excluding those prescribed by Article 4, Paragraph 1 of the Cabinet Order as having little possibility of harming an individual's rights considering their utilization method).
(i) Databases systematically organized so as to be able to search for particular Personal Information using a computer
(ii) In addition to information listed in Sub-item (i) above, databases prescribed by Article 4, Paragraph 2 of the Cabinet Order as having been systematically organized so as to be able to easily search for particular Personal Information
(7) Personal Data
Personal information constituting Personal Information Database, etc.
(8) Retained Personal Data
Personal Data for which the Trust has the authority to disclose, correct, add or delete the contents of, suspend the use of, erase, and suspend the third-party provision of, and excludes data prescribed by the Cabinet Order as likely to harm the public or other interests if its presence or absence is made known.
(9) Principal
A specific individual identifiable by Personal Information.
(10) Students, etc.
Pupils and students enrolled at a school established by the Trust at present or in the past.
(11) Faculty and Staff, etc.
Executives of the Trust and persons who are or have been in employment with the Trust, including students, temporary workers, etc., who are engaged in work under the direction of faculty and staff members.
(12) Business
The education and research activities of the Trust and the Business as set forth in Articles 4, 5 and 6 of the Detailed Regulations on the Enforcement of the Bylaws of the Ritsumeikan Trust.
(13) Divisions/Offices
Organizations such as Divisions and Offices as set forth in the Bylaws of the Ritsumeikan Trust and the Detailed Regulations on the Enforcement of the Bylaws of the Ritsumeikan Trust.
(14) Academic research institution, etc.
A university or other institution or association whose purpose is academic research, or a person affiliated therewith.

Chapter 2: Obligations of the Trust

Article 3: Responsibilities
1. The Trust must recognize the importance of Personal Information of Students, etc. and Faculty and Staff, etc., and take necessary measures for proper handling of Personal Information based on the recognition that it should be handled cautiously under the principle of respecting the personalities of individuals.
2. In case of obtaining and using Personal Information or providing the same for a third party, Faculty and Staff, etc. must comply with these Regulations.
3. Faculty and Staff, etc. must not leak Personal Information obtained through the Business to others for any other purpose than the Business.
4. Faculty and Staff, etc. must not use Personal Information Database, etc. improperly.

Chapter 3: Systems related to the Act on the Protection of Personal Information

Section 1: Establishment of a Personal Information Protection Committee
Article 4: Establishment of Personal Information Protection Committee
1. To attain the purpose of these Regulations, the Ritsumeikan Trust Personal Information Protection Committee (hereinafter called "Committee") will be established under the Executive Board of Trustees.
2. The Committee must report to the Executive Board of Trustees promptly its decisions regarding the matters set forth in Paragraph 1, Article 5.
3. Matters regarding the operation of the Committee will be determined by the Committee.
4. The Office of General Affairs within the Division of General Affairs will administer the running of the Committee.

Article 5: Authority of Committee
1. The functions of the Committee will be as follows:
(1) Deliberation and decision of important matters regarding protection of Personal Information;
(2) Establishment, revision, and abolition of detailed regulations required for the enforcement of these Regulations;
(3) To grasp the situation surrounding the handling of Personal Information handled by the Trust and the schools established by the Trust; and
(4) Any other matters deemed necessary by the Committee.
2. In case a school established by the Trust establishes a committee related to the protection of Personal Information (hereinafter called "Committee of Each School"), the authority held by the Ritsumeikan Trust Personal Information Protection Committee regarding the handling of the Personal Information on the Students, etc. and Faculty and Staff, etc. of the relevant school may be delegated to the Committee of Each School.

Article 6: Constitution of Committee
1. The Committee shall be composed of the following members:
(1) Chair: Personal Information General Administrator
(2) Committee member:
Personal Information School Administrator
Dean, Division of Academic Affairs, Ritsumeikan University
Dean, Division of Academic Affairs, Ritsumeikan Asia Pacific University
Dean, Division of Research, Ritsumeikan University
Dean, Division of Research, Ritsumeikan Asia Pacific University
Dean, Division of Student Affairs, Ritsumeikan University
Dean, Division of Student Affairs, Ritsumeikan Asia Pacific University
Dean, Division of Integrated Primary and Secondary Education, Ritsumeikan University
Executive Director, Office of Legal Compliance
Managing Director, Division of Human Resources
Managing Director, Division of Academic Affairs, Ritsumeikan University
Managing Director, Division of Research, Ritsumeikan University
Managing Director, Division of Integrated Primary and Secondary Education
Managing Director, Division of Information Technology Services
Manager, Office of Education and Research DX Promotion
Several other persons appointed by the Chair
2. The Committee may, when deemed necessary, cause persons other than the Committee members to attend a meeting to ask for their opinions.

Section 2: Management Framework for the Protection of Personal Information
Article 7: Establishment of Personal Information Administrators
To attain the purpose of these Regulations, the following Personal Information Administrators will be established:
(1) Personal Information General Administrator
(2) Personal Information School Administrator
(3) Personal Information Handling Administrator

Article 8: Personal Information General Administrator
1. The Personal Information General Administrator will be assumed by the Executive Trustee for General Affairs.
2. The Personal Information General Administrator will have authority and responsibilities for the protection of Personal Information of the Trust and supervise any and all Business regarding the protection of Personal Information at the Trust.
3. The Personal Information General Administrator may appoint a Deputy Personal Information General Administrator to assist with the Personal Information General Administrator’s duties and to act on behalf of the Personal Information General Administrator when the Personal Information General Administrator is absent.

Article 9: Personal Information School Administrator
1. The Personal Information School Administrator of the Trust and Ritsumeikan University will be assumed by the Managing Director, Division of General Affairs; while that of Ritsumeikan Asia Pacific University will be assumed by the Director-General, Ritsumeikan Asia Pacific University; and that of an affiliated school will be assumed by the principal of that school.
2. A Personal Information School Administrator will administer the following Business:
(1) necessary measures to prevent Personal Information leaks, loss, or damage and other Personal Information security control actions;
(2) education and training for Faculty and Staff, etc. that handle Personal Data; and
(3) appropriate treatment of requests to disclose or correct, etc. Retained Personal Data.
3. A Personal Information School Administrator may appoint a Deputy Personal Information School Administrator to assist with the Personal Information School Administrator’s duties and to act on behalf of the Personal Information School Administrator when the Personal Information School Administrator is absent.

Article 10: Personal Information Handling Administrator
1. Personal Information Handling Administrators shall be each Manager or Managing Director.
2. Personal Information Handling Administrators shall establish, revise, and abolish regulation and procedures concerning personal information in the business under their jurisdiction, inform the faculty and staff belonging to their department, and provide guidance and confirmation on the proper handling of personal information.
3. When the Personal Information Handling Administrator becomes aware of the occurrence of or signs of leakage, loss, or damage of personal information in the operations under their jurisdiction or involvement, or the occurrence or signs of acts that violate the law, these Regulations, or other regulations, they shall take appropriate action in accordance with the provisions of this Section.

Article 11: Control of Personal Information in Class Management, etc. of Universities and Affiliated Schools
Notwithstanding the provisions of the preceding Article, in case it is required for materials, reports, papers, and theses related to class management and the execution of any other education activities in universities and affiliated schools, the person in charge of each class will be the administrator of the Personal Information retained by such teacher. In such case, the relevant teacher must handle the Personal Information appropriately in accordance with the prescribed control method, etc. for Personal Information.

Section 3: Management Framework for the Protection of Personal Information Used for Academic Research
Article 12: Management of personal information for academic research purposes
Notwithstanding the provisions of the preceding article, in cases in which Personal Information is needed for academic research purposes in a university or affiliated school, the teacher retaining Personal Information will be the administrator of said Personal Information. In such case, the relevant teacher must handle the Personal Information appropriately in accordance with the prescribed control method, etc. for Personal Information.

Chapter 4: Handling of Personal Information

Section 1: Handling pertaining to the Protection of Personal Information
Article 13: Specifying a Purpose of Use
1. The Trust must, in handling Personal Information, specify the purpose of utilizing the Personal Information (hereafter “Purpose of Use”) as explicitly as possible.
2. The Trust shall, in case of altering a Purpose of Use, not do so beyond the scope recognized as being reasonably relevant to the pre-altered Purpose of Use.

Article 14: Restrictions Due to a Purpose of Use
1. The Trust shall not handle Personal Information without obtaining in advance a Principal's consent beyond the necessary scope to achieve a Purpose of Use specified pursuant to the provisions under the preceding Article.
2. The Trust shall, in case of having acquired Personal Information accompanied with succeeding a business from another personal information handling business operator because of a merger or other reason, not handle the Personal Information without obtaining in advance a Principal's consent beyond the necessary scope to achieve the pre-succession Purpose of Use of the said Personal Information.
3. The provisions under the preceding two paragraphs shall not apply to those cases set forth in the following:
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs.
(5) cases in which the Trust needs to handle Personal Information for the purpose of carrying out academic research (hereinafter called “academic research purposes”) (including cases in which academic research is one part of the purposes of handling said Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) cases in which Personal Data is provided to an academic research institution, etc., when said institution needs to handle said Personal Data for academic research purposes (including cases in which academic research is one part of the purposes of handling said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals).
4. The Personal Information acquired for the purpose of conducting an entrance examination or a faculty recruitment assessment at a school established by the Trust will be handled within the scope of use for such purpose or for use in investigations or statistics, etc.

Article 15: Prohibition of Inappropriate Use
The Trust shall not use Personal Information in a way that encourages or leads to the possibility of illegal or unfair behavior.

Article 16: Proper Acquisition
1. The Trust shall not acquire Personal Information by deceit or other improper means.
2. The Trust shall, except in those cases set forth in the following, not acquire Special Care-Required Personal Information without obtaining in advance a Principal's consent:
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs;
(5) cases in which there is a need to handle Special Care-Required Personal Information for academic research purposes (including cases in which academic research is one part of the purposes of handling said Special Care-Required Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) cases in which Special Care-Required Personal Information is to be acquired from an academic research institution, etc., and said Special Care-Required Personal Information needs to be acquired for academic research purposes (including cases in which academic research is one part of the purposes of acquiring said Special Care-Required Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) (restricted to cases in which the Trust and said academic research institution, etc. are conducting academic research jointly);
(7) cases in which Special Care-Required Personal Information is disclosed by the individual concerned, a national agency, a local government, an academic research institution, etc., a person listed in the items of Article 57 of the Act on the Protection of Personal Information (hereinafter, “the Act”), or any other person specified in the Rules of the Personal Information Protection Committee.
(8) other cases prescribed by Article 7 of the Cabinet Order as equivalent to those cases set forth in each preceding item.

Article 17: Notification of Purpose of Use when Acquiring
1. The Trust must, in case of having acquired Personal Information except in cases where a Purpose of Use has been disclosed in advance to the public, promptly inform a Principal of, or disclose to the public, the Purpose of Use.
2. The Trust must, notwithstanding the provisions under the preceding Paragraph, in cases where it acquires, accompanied by concluding an agreement with a Principal, the Principal's Personal Information stated in a written agreement or other document (including an electromagnetic record; hereinafter the same in this paragraph) or other similar cases where it acquires, directly from a Principal, his or her Personal Information stated in a written document, state a Purpose of Use explicitly to the Principal; provided, however that this shall not apply in cases where there is an urgent need to protect a human life, body or fortune.
3. The Trust must, in case of altering a Purpose of Use, inform a Principal of, or disclose to the public, a post-altered Purpose of Use.
4. The provisions under the preceding three paragraphs shall not apply to those cases set forth in the following:
(1) cases in which there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would harm a Principal or third party's life, body, fortune or other rights and interests;
(2) cases in which there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would harm the rights or legitimate interests of the Trust;
(3) cases in which there is a need to cooperate in regard to a central government organization or a local government performing affairs prescribed by laws and regulations, and when there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would interfere with the performance of the affairs;
(4) cases in which it can be recognized, judging from the acquisitional circumstances, that a Purpose of Use is clear.

Article 18: Supervision over a Contractor
1. The Personal Information Handling Administrator must, in case of outsourcing the whole or any part of the Business of processing Personal Data, exercise necessary and appropriate supervision over the outsourcee to ensure the security of the outsourced Personal Data.
2. The Personal Information Handling Administrator must, in concluding an outsourcing agreement with the outsourcee, set forth in the agreement matters stated each of the following items: however, this shall not apply in cases where there are unavoidable circumstances that make it impossible to include these matters in the agreement.
(1) matters concerning the confidentiality of Personal Data;
(2) matters concerning the prohibition of the utilization of Personal Data other than for the intended purpose and provision to a third party;
(3) matters concerning the prohibition of re-outsourcing and confidentiality, etc. of Personal Information when re-outsourcing;
(4) matters concerning the prohibition of Personal Data processing, use, copying, and reproducing in excess of the extent absolutely essential;
(5) matters concerning the return and destruction of Personal Data after the completion of outsourcing agreements;
(6) matters concerning the duty to report when accidents occur; and
(7) matters concerning the duty to compensate.
3. The Personal Information Handling Administrator shall inform the Personal Information School Administrator as appropriate of an outline of agreements concluded.

Article 19: Measures When Leaks, etc. Occur
1. Faculty and Staff, etc. must, when Personal Information is leaked, lost, damaged or falsified (hereinafter called “Leaks, etc.”) or when such a situation is suspected, inform the relevant Personal Information School Administrator promptly of such fact.
2. The Personal Information School Administrator must, when there are reports that Leaks, etc. have occurred or are suspected of having occurred, promptly investigate the facts and report the facts to the Personal Information General Administrator.
3. The Personal Information General Administrator who receives the report provided for in the preceding Paragraph must promptly take necessary measures and report the details of the measures to the Committee.

Article 20: Reporting, etc. of Leaks, etc.
1. The Personal Information General Administrator must, when there is a significant possibility as prescribed by rules of the Personal Information Protection Committee that a leak, loss, or damage of Personal Data, or other situation related to ensuring the security of the handled Personal Data may cause harm to an individual’s rights and interests, report as prescribed by rules of the Personal Information Protection Committee to the Personal Information Protection Committee that such a situation has occurred. However, this shall not apply in cases where the Trust has been entrusted by another personal information handling business operator to all or a part of handling the Personal Data, and the personal information handling business operator has been informed, as prescribed by rules of the Personal Information Protection Committee, that the situation has occurred.
2. In the case prescribed in the preceding Paragraph, the Personal Information General Administrator (with the exception of the person that has given notice pursuant to the proviso in said Paragraph) must inform the Principal, as prescribed by rules of the Personal Information Protection Committee, that the situation has occurred. However, this shall not apply in cases where it is difficult to inform the Principal and when necessary alternative action is taken to protect the Principal’s rights and interests.

Article 21: Restricted Third Party Provision
1. The Trust shall, except in those cases set forth in the following, not provide Personal Data to a third party without obtaining a Principal's consent in advance.
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases where there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate with a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs.
(5) when the provision of Personal Data is an unavoidable consequence of teaching or publication of the findings of academic research (excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) when there is a need to provide Personal Data for academic research purposes (including cases in which academic research is one part of the purposes of providing said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) (restricted to cases in which the Trust and said third party are conducting academic research jointly);
(7) cases in which the third party receiving provision of Personal Data is an academic research institution, etc., and when said Personal Data needs to be provided for academic research purposes (including cases in which academic research is one part of the purposes of providing said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) .
2. In those cases set forth in the following, a person receiving provision of Personal Data shall not fall under a third party in regard to applying the provisions of the preceding Paragraph:
(1) cases in which Personal Data is provided accompanied by the Trust entrusting the whole or any part of the handling of the Personal Data within the necessary scope to achieve a Purpose of Use;
(2) cases in which Personal Data is provided accompanied with business succession caused by a merger or other reason;
(3) cases where the Personal Data to be jointly utilized by a specified person is provided to the specified person, and when the Principal has in advance been informed or a state has been in place where the Principal can easily know to that effect as well as of the categories of the jointly utilized Personal Data, the scope of a jointly utilizing person, the Purpose of Use for the utilizing person and the name or appellation and the address of the person responsible for controlling the Personal Data, and for a corporate body, the name of its representative.
3. The Trust must, in cases where there has been a change in the name or appellation or address of a person responsible for controlling Personal Data as prescribed in item 3 of the preceding Paragraph, and for a corporate body, in the name of its representative, inform without delay, and in cases where there is an intent to change the Purpose of Use for the utilizing person as prescribed in the same item or the person responsible for controlling Personal Data, inform in advance the Principal of the situation, or the Principal must be placed in a state to be easily informed of the situation.
4. The Trust must, when providing Personal Data to a third party, conclude an agreement with the third party in consideration of the following matters; however, this shall not apply in cases where there are unavoidable circumstances that make it impossible to conclude an agreement contract or include the following matters in an agreement.
(1) that the recipient shall not use the personal data provided for purposes other than those specified in advance, and shall not disclose, divulge, or steal said personal data;
(2) that a prior written approval of the Personal Information School Administrator must be obtained when the relevant Personal Data is re-provided;
(3) that the retention period, etc. at the recipient must be clearly established;
(4) that the Personal Data must be returned or destroyed or deleted by the recipient appropriately and securely after the purpose of use is attained; and
(5) that the recipient must be prohibited from copying or duplicating Personal Data (excluding making backups necessary for a security reason).
5. The Personal Information Handling Administrator must, when Personal Data is jointly utilized by a specified person, obtain approval from the Personal Information General Administrator in advance.

Article 22: Restriction on Provision to a Third Party in a Foreign Country
1. The Trust, except in those cases set forth in each item of Paragraph 1 of the preceding Article, must, in case of providing Personal Data to a third-party (excluding a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Committee as necessary for continuously taking action equivalent to the one that a personal information handling business operator shall take pursuant to the provisions of Articles 17 through 40 of the Act, concerning the handling of personal data (said action referred to as “equivalent action” in Paragraph 3); hereinafter the same in this Paragraph and the next Paragraph of this Article and the same item) in a foreign country (meaning any country or region outside Japan; hereinafter the same) (excluding countries prescribed by rules of the Personal Information Protection Committee as a foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests; hereinafter the same in this Article), obtain the Principal's consent in advance to the effect that he or she approves the provision to a third party in a foreign country. In this case, the provisions of the same Article shall not apply.
2. The Trust must, in cases where the consent of the Principal is to be obtained pursuant the provisions of the preceding Paragraph, provide as prescribed by rules of the Personal Information Protection Committee information in advance to the Principal regarding the personal information protection system in the foreign country, the action to be taken by the third party to protect personal information, and any other information that will serve as a useful reference to the Principal.
3. The Trust must, in cases where Personal Data is provided to a third party (limited to a person establishing a system prescribed in Paragraph 1) in a foreign country, take action as prescribed by rules of the Personal Information Protection Committee as necessary for continuously taking equivalent action by the third party, and in response to a request by the Principal for information related to the necessary action, provide the information to the Principal.

Article 23: Creating Records of Third-Party Provision
1. The Personal Information Handling Administrator must, when having provided Personal Data to a third party (excluding a person set forth in each of the following items, (hereinafter the same in this Article and the next Article), create as prescribed by rules of the Personal Information Protection Committee a record of the date of the Personal Data provision, the name or appellation of the third party, and other data concerning matters prescribed by rules of the Personal Information Protection Committee; provided, however, that this shall not apply in cases where Personal Data provision falls under any of each item of Article 21, Paragraph 1 or any of each item of Article 21, Paragraph 2 (in cases of providing Personal Data pursuant to the provisions of Paragraph 1 of the preceding Article, any of each item of Article 21, Paragraph 1).
(1) a central government organization;
(2) a local government;
(3) an incorporated administrative agency, etc.; and
(4) a local incorporated administrative agency.
2. The Personal Information Handling Administrator must keep the record under the preceding Paragraph for a period prescribed by rules of the Personal Information Protection Committee from the date the record is created.

Article 24: Confirmation etc. when Receiving a Third Party Provision
1. The Personal Information Handling Administrator must, when receiving the provision of Personal Data from a third party, confirm those matters set forth in the following; provided, however, that this shall not apply in cases where Personal Data provision falls under any of each item of Article 21, Paragraph 1 or any of each item of Article 21, Paragraph 2.
(1) the name or appellation and address of the third party and, for a corporate body, the name of its representative;
(2) circumstances under which the Personal Data was acquired by the third party.
2. The Personal Information Handling Administrator must, when having confirmed pursuant to the provisions of the preceding Paragraph, create and keep a record concerning the date of receiving the provision of Personal Data, matters concerning the confirmation, and other matters prescribed by rules of the Personal Information Protection Committee.
3. The Personal Information Handling Administrator must keep the record under the preceding Paragraph for a period prescribed by rules of the Personal Information Protection Committee from the date the record is created.

Section 2: Security Management Measures for Personal Information
Subsection 1: General Provisions
Article 25: Proper Control of Personal Data
The Personal Information School Administrator must take appropriate measures for ensuring the security and accuracy of Personal Data regarding the following matters:
(1) to prevent falsification, leak, or loss of, or damage to Personal Data;
(2) to keep Personal Data accurate and updated within the scope required to attain the purpose of use;
(3) to establish means to check the status of handling of Personal Data; and
(4) to destroy or delete information promptly which does not need to be maintained any longer.

Article 26: Restricted Taking Out and Copying of Personal Information
1. Faculty and Staff, etc. shall not take out Personal Information from schools; provided, however, that this shall not apply in the following cases:
(1) cases where the Personal Information Handling Administrator gives permission;
(2) cases where the Business using Personal Information is outsourced to an external contractor having agreed on matters required for the protection of Personal Information;
2. In the case of item (1) of the preceding Paragraph, the persons handling Personal Information must take measures necessary and sufficient to prevent external leaks of such information.
3. Faculty and Staff, etc. shall not copying Personal Information without the permission of the Personal Information Handling Administrator.

Article 27: Personal Data Security Management
1. To prevent the leakage, loss, or damage of personal data handled by the Trust and otherwise implement security management for personal data, the Trust shall take the measures stipulated in Subsections 2 through 5 of this Section.

Article 28: Confirmation of the Status of Operation in Accordance with the Regulations
1. The Trust shall create system logs or handling records to confirm the status of operation in accordance with these Regulations with respect to the handling of personal data.

Article 29: Establishment of Means to Confirm the Status of Handling
1. The Trust shall establish a means to confirm the status of the handling of personal data.

Article 30: Duties of Faculty and Staff Members
1. No person who has been a faculty or staff member of the Trust shall disclose or divulge to another person the contents of personal information obtained in the course of their duties, or use said information for purposes or in a manner that violates the law, these Regulations, or other internal regulations of the university.
2. A faculty and staff or staff member who becomes aware of the occurrence of or signs of leakage, loss, or damage of personal information shall report said occurrence or sign thereof to the Personal information General Administrator as soon as possible.
3. A faculty and staff or staff member who becomes aware of the occurrence of or signs of a violation of the law, these Regulations, or other internal regulations of the university shall report said occurrence or sign thereof to the Personal information General Administrator as soon as possible.

Article 31: Establishment of a System to Respond to Information Leaks, etc.
1. When the Trust becomes aware of the occurrence of or signs of leakage, loss, or damage of personal data, it shall establish a system to respond appropriately and promptly thereto.

Article 32: Ascertaining the Handling Status and Review of Security Management Measures
1. Personal Information Handling Administrator shall inspect and confirm the status of personal data handling at least once a year to ascertain the status thereof and to evaluate, review, and improve security management measures.

Subsection 2: Institutional Security Management Measures
Article 33 : Establishment an Organization
1. The Trust shall establish the organizational framework stipulated in Chapter 3 to ensure the secure management of personal data.

Article 34: Oversight and Education of Faculty and Staff
1. In allowing faculty and staff to handle personal data, the Trust shall provide said faculty and staff with necessary and appropriate supervision to ensure that said personal data can be securely managed, and it will ensure that faculty and staff are fully informed and educated about the proper handling of personal data.

Subsection 3: Physical Security Management Measures
Article 35 : Prevention of Theft of Equipment, Electronic Media, etc.
1. The Trust shall take physical security management measures to prevent the theft or loss of equipment that handles personal data, electronic media on which personal data is recorded, documents containing personal data, etc.
Article 36: Prevention of Leakage, etc. when Taking Electronic Media, etc. out of the Office
1. The Trust shall take security measures to ensure that personal data is not easily revealed when electronic media or documents, etc. containing personal data are taken out of the office.

Subsection 4: Technical Security Management Measures
Article 37: Access Rights
1. When using information systems (including equipment such as personal computers) to handle personal data (including transmission to and receipt from external parties via the internet, etc.), the Trust shall implement appropriate access controls to limit the scope of factors such as persons handling administrative duties and the personal information databases, etc. to be handled.

Article 38: Identification and Authentication of Users
1. The Trust shall take measures to authenticate that the person in charge of duties involving the handling of personal data has legitimate access rights to the information system that handles personal data, using information they know, information they possess, etc.

Article 39: Prevention of Unauthorized access
1. The Trust shall take measures to protect information systems that handle personal data from unauthorized external access or unauthorized software, and it shall ensure the appropriate operation thereof.

Article 40: Prevention of Information Leaks
1. The Trust shall take measures to prevent leakage, loss, or damage of personal data in connection with the use of information systems, and it shall ensure the appropriate operation thereof.

Subsection 5: Understanding the External Environment
Article 41: Understanding the External Environment
1. When handling personal data in a foreign country, the Trust shall take the necessary and appropriate measures for the secure management of personal data based on an understanding of the systems for the protection of personal information in said foreign country, and it shall the ensure appropriate operation thereof.

Chapter 5: Pseudonymized Information and the Creation of Pseudonymized Information

Section 1: Creation of Pseudonymized Information
Article 42 Creation, etc. of Pseudonymized Information
1. When creating pseudonymized information, the Personal Information Handling Administrator shall process or cause to be processed said personal information in accordance with the standards stipulated in the Rules of the Personal Information Protection Committee as it is necessary to make it impossible to identify specific individuals unless said personal information is cross-checked with other information.
2. After creating pseudonymized personal information, the Personal Information Handling Administrator shall take or cause to be taken measures for the secure management of said information in accordance with the standards stipulated in the Rules of the Personal Information Protection Committee as they are necessary to prevent the leakage of personal information (including identifiers, etc. and personal identification codes deleted from the personal information used in the creation of pseudonymized information and information on the processing methods used in accordance with the provisions of the preceding paragraph (hereinafter called "deleted information, etc.")).
3. After creating pseudonymized information, the Personal Information Handling Administrator shall not handle or allow others to handle said pseudonymized information beyond the scope necessary to achieve the specified purpose of use, unless otherwise required by law.
4. After creating pseudonymized information, the Personal Information Handling Administrator shall not provide or cause to be provided said pseudonymized information to any third party, unless otherwise required by law.
5. When creating pseudonymized information and handling said pseudonymized information on their own accord, the Personal Information Handling Administrator shall not cross-check or cause to be cross-checked with other information said pseudonymized information in order to identify the individuals whose personal information was used to create said pseudonymized information.
6. When handling pseudonymized information, the Personal Information Handling Administrator shall not use or allow to be used the contact information or other information contained in said pseudonymized information for the purpose of making telephone calls, sending correspondence by postal mail, general delivery service provider, or specified delivery service provider, sending a telegram, sending a transmission via facsimile or electromagnetically, or visiting a residence.
7. When there is no longer a need to use pseudonymized information, the Personal Information Handling Administrator must make an effort or cause an effort to be made to delete said pseudonymized information and deleted information, etc. promptly.
8. After creating pseudonymized information, the Personal Information Handling Administrator must take necessary and appropriate measures for the secure management of said pseudonymized information, handle complaints concerning the creation or other handling of said pseudonymized information, and take any other necessary measures to ensure the proper handling of said pseudonymized information, and make an effort or cause an effort to be made to make public the details of said measures.

Section 2: Creation of Anonymized Information
Article 43: Creation, etc. of Anonymized Information
1. When creating anonymized information, the Personal Information Handling Administrator shall process or cause to be processed personal information in accordance with the standards stipulated in the Rules of the Personal Information Protection Committee as it is necessary to make it impossible to identify specific individuals and to restore said personal information used in the creation anonymized information.
2. After creating anonymized personal information, the Personal Information Handling Administrator shall take or cause to be taken measures for the secure management of said information in accordance with the standards stipulated in the Rules of the Personal Information Protection Committee as they are necessary to prevent the leakage of identifiers, etc. and personal identification codes deleted from the personal information used in the creation of anonymized personal information and information on the processing methods used in accordance with the provisions of the preceding paragraph.
3. After creating anonymized personal information, the Personal Information Handling Administrator shall publicly announce or cause to be publicly announced the items of information concerning individuals contained in said anonymized personal information pursuant to the Rules of the Personal Information Protection Committee.
4. When creating anonymized information and providing said anonymized information to a third party, the Personal Information Handling Administrator must, pursuant to the Rules of the Personal Information Protection Committee, publicly announce in advance the items of information concerning individuals contained in the anonymized information to be provided to the third party and the method by which said information will be provided, and they must clearly state or cause it to be clearly stated to said third party that said provided information is anonymized information.
5. When creating anonymized information and handling said anonymized information on their own accord, the Personal Information Handling Administrator shall not cross-check or cause to be cross-checked with other information said anonymized information in order to identify the individuals whose personal information was used to create said anonymized information.
6. After creating anonymized information, the Personal Information Handling Administrator must take necessary and appropriate measures for the secure management of said anonymized information, handle complaints concerning the creation or other handling of said anonymized information, and take any other necessary measures to ensure the proper handling of said anonymized information, and make an effort or cause an effort to be made to make public the details of said measures.

Chapter 6: Publication, Disclosure, Correction, Suspension of Use, etc.

Article 44: Public Disclosure etc. on Matters relating to Retained Personal Data
1. A Personal Information School Administrator must, concerning its Retained Personal Data, put those matters set forth in the following into a state where a Principal can know (including those cases in which it, at the request of a Principal, responds without delay):
(1) the appellation and address of the Trust, and the name of its representative:
(2) the Purpose of Use of all Retained Personal Data (excluding those cases falling under item (1) to item (3) of Article17, Paragraph 4);
(3) procedures in response to the following requests, etc. (including the amount of the handling fee if any has been stipulated)
① request for notification of the purpose of use pursuant to the provisions of Paragraph 3 of this Article
② request for disclosure pursuant to the provisions of Article 45, Paragraph 1
③ request for revision, etc. pursuant to the provisions of Article 46, Paragraph 1
④ request for suspension of use pursuant to the provisions of Article 47, Paragraphs 1 and 5
⑤ request for suspension of provision to third parties pursuant to the provisions of Article 47, Paragraphs 3 and 5
(4) the division that accepts complaints and consultations relating to the handling of Retained Personal Data.
(5) in addition to the matters set forth in the preceding four items, matters prescribed by the Cabinet Order as being necessary for ensuring the appropriate handling of Retained Personal Data
2. Disclosure shall be by putting up or distributing printed matter or posting on the Trust’s website.
3. A Personal Information School Administrator must, when requested by Students, etc. or Faculty and Staff, etc. to get informed of a Purpose of Use of Retained Personal Data that can identify the Principal, inform the Principal thereof without delay; provided, however, that shall not apply in those cases falling under any of each following item:
(1) cases in which the Purpose of Use of Retained Personal Data that can identify the Principal is clear pursuant to the provisions of Paragraph 1;
(2) cases falling under item (1) to item (3) of Article 17, Paragraph 4.
4. A Personal Information School Administrator must, when having been requested based on the provisions of the preceding Paragraph but decided not to inform a Principal of the Purpose of Use of Retained Personal Data, inform the Principal to that effect without delay.

Article 45: Disclosure
1. Students, etc., and Faculty and Staff, etc., may demand of a Personal Information School Administrator the disclosing of the Retained Personal Data that can identify the Principal by providing the data in an electromagnetic form or any other method prescribed by rules of the Personal Information Protection Committee.
2. The Personal Information School Administrator must, in the case of receiving a demand pursuant to the provisions of the preceding Paragraph, disclose to the Principal the Retained Personal Data without delay by the method demanded by the Principal pursuant to the provisions of the preceding Paragraph (by issuing a document in cases where disclosure by said method requires a substantial expense or is otherwise difficult); provided, however, in cases where the disclosure falls under any of each of the following items, the whole or any part of the Retained Personal Data may not be disclosed:
(1) cases in which there is a possibility of harming a Principal or third party's life, body, fortune or other rights and interests;
(2) cases in which there is a possibility of interfering seriously with the Trust implementing its Business properly; and
(3) cases of violating other laws or regulations.
3. The Personal Information School Administrator must, when having decided not to disclose the whole or any part of Retained Personal Data in connection with a disclosure request pursuant to the provisions of Paragraph 1; when the Retained Personal Data does not exist; or when disclosure by the method demanded by the Principal pursuant to the provisions of said Paragraph is difficult, inform the Principal to that effect without delay.
4. In cases where the whole or any part of Retained Personal Data that can identify a Principal is to be disclosed to the Principal pursuant to the provisions of other laws or regulations using a method equivalent to that prescribed in the main clause of Paragraph 2, the provisions of Paragraph 1 and Paragraph 2 shall not apply in regard to the said whole or any part of the Retained Personal Data.
5. The provisions from Paragraph 1 to Paragraph 3 shall be applied mutatis mutandis to records concerning Personal Data that can identify the Principal (excluding data prescribed by the Cabinet Order as likely to harm the public or other interests if their presence or absence is known) under Article 23, Paragraph 1 and Article 24, Paragraph 2.

Article 46: Correction, etc.
1. Students, etc. and Faculty and Staff, etc. may, when the contents of Retained Personal Data that can identify the Principal are not factual, demand of a Personal Information School Administrator for such Retained Personal Data a correction, addition or deletion (hereinafter called "Correction, etc." in this Article) in regard to the contents of the Retained Personal Data.
2. A Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph except in cases where special procedures concerning a Correction, etc. of the contents is prescribed by the provisions of other laws or regulations, conduct a necessary investigation without delay to the extent necessary to achieve a Purpose of Use and, based on the result thereof, make a Correction, etc. to the contents of the Retained Personal Data.
3. A Personal Information School Administrator must, when having made a Correction, etc. to the whole or any part of the contents of the Retained Personal Data in connection with a demand pursuant to the provisions under Paragraph 1 or when having made a decision not to make a Correction, etc., inform a Principal without delay to that effect (including, when having made a Correction, etc., the contents thereof).

Article 47: Suspension of Use etc.
1. Students, etc. and Faculty and Staff, etc. may, when the Retained Personal Data that can identify the Principal is being handled in violation of the provisions of Article 14 or Article 15 or has been acquired in violation of the provisions of Article 16, demand the Personal Information School Administrator to suspend the use or delete (hereinafter called "Suspension of Use, etc." in this Article) the Retained Personal Data.
2. A Personal Information School Administrator shall, in case of having received a demand pursuant to the provisions of the preceding Paragraph and when it has become clear that there is a reason in the demand, fulfill a Suspension of Use, etc. of the Retained Personal Data to the extent necessary to redress a violation without delay; provided, however, that this shall not apply in cases where a Suspension of Use, etc. of Retained Personal Data requires a large amount of expenses or other cases where it is difficult to fulfil a Suspension of Use, etc. and when necessary alternative action is taken to protect a Principal's rights and interests.
3. Students, etc. and Faculty and Staff, etc. may, when Retained Personal Data that can identify the Principal is being provided to a third party in violation of the provisions of Article21, Paragraph 1 or Article 22, demand of the Personal Information School Administrator to suspend the third-party provision of the Retained Personal Data.
4. A Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph and when it has become clear that there is a reason in the demand, suspend a third-party provision of the Retained Personal Data without delay; provided, however, that this shall not apply in cases where ceasing a third-party provision of the Retained Personal Data requires a large amount of expenses or other cases where it is difficult to suspend a third-party provision and when necessary alternative action is taken to protect a Principal's rights and interests.
5. Students, etc., and Faculty and Staff, etc., may, in cases where it is no longer necessary for the personal information handling business operator to use the Retained Personal Data that can identify the Principal, where a situation concerning the Retained Personal Data that can identify the Principal as prescribed in the main text of Article 20, Paragraph 1, has occurred; or any other situation in which there is a possibility that the handling of the Retained Personal Data that can identify the Principal may harm the rights or proper interests of the Principal, demand of the Personal Information School Administrator a Suspension of Use, etc., or a suspension of a third-party provision of the Retained Personal Data.
6. The Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph and it has become clear that there is a reason for the demand, fulfill a Suspension of Use, etc., or suspension of third-party provision of the Retained Personal Data without delay to the extent necessary to prevent harm to the Principal’s rights or interests; provided, however, that this shall not apply in cases where a Suspension of Use, etc., or ceasing the third-party provision of the Retained Personal Data requires a large amount of expenses or other cases where it is difficult to fulfill a Suspension of Use, etc., or suspension of third-party provision and necessary alternative action is taken to protect the Principal’s rights and interests.
7. The Personal Information School Administrator must, when having fulfilled a Suspension of Use, etc. or decided not to fulfill a Suspension of Use, etc. of the whole or any part of the Retained Personal Data in connection with a demand pursuant to the provisions of Paragraph 1 or Paragraph 5, or when having suspended third-party provision or decided not to suspend a third-party provision of the whole or any part of the Retained Personal Data in connection with a demand pursuant to the provisions of Paragraph 3 or Paragraph 5, inform the Principal to that effect without delay.

Article 48: Explanation of Reason
The Personal Information School Administrator must, in case of informing the Principal to the effect that, as regards to the whole or any part of the action requested or demanded by the Principal pursuant to the provisions of Article 44, Paragraph 4, Article 45, Paragraph 3, (including cases of application of mutatis mutandis pursuant to Article 45, Paragraph 5), Article 46, Paragraph 3 or Paragraph 7 of the preceding Article, the action will not be taken, or to the effect that different action from said action will be taken, strive to explain a reason therefor to the Principal.

Article 49: Fee
Students, etc. and Faculty and Staff, etc. must, when notification of the Purpose of Use has been requested in accordance with provisions of Article 44, Paragraph 3 or when a request for disclosure has been made in accordance with the provisions of Article 45, Paragraph 1, pay an administrative fee of 300 JPY per record and actual fees in relation to conducting such disclosure, etc.

Chapter 7: Appeals

Article 50: Procedures for Appeals
1. Students, etc. and Faculty and Staff, etc. who have a complaint about the measures taken in response to the request for disclosure, Correction, etc. or Suspension, etc. under these Regulations may file a complaint with the Appeals Committee in writing.
2. The Appeals Committee, when receiving the filing of a complaint pursuant to the preceding Paragraph, must investigate or deliberate such complaint promptly.
3. The Appeals Committee, when determining that there is a need for the investigation or deliberation by the filing of a complaint, may hear the opinions of involved persons including the filing person or the relevant Personal Information School Administrator.
4. The Appeals Committee, when determining that there is a reason for the filing, may recommend disclosure, Correction, etc. or Suspension, etc. to the relevant Personal Information School Administrator.
5. The Appeals Committee must notify the filing person of the result of deliberation in writing.

Article 51: Appeals Committee
1. The Appeals Committee provided for in the preceding Article is made up of members appointed by the Executive Trustee for General Affairs as follows:
(1) the Executive Trustee for General Affairs
(2) a number of external experts
(3) a number of non-fixed term faculty and staff
2. The chair and vice-chair of the Appeals Committee will be elected by the committee members from among its members.

Article 52: Handling Complaints
1. A Personal Information School Administrator must, when receiving a complaint regarding the handling of Personal Information by the Trust, promptly inform the Personal Information General Administrator.
2. The Personal Information General Administrator must, when receiving a report in accordance with the provision of the preceding Paragraph, strive to handle the complaint properly and promptly.

Chapter 8: Penalties

Article 53: Penalties
In the event that any Faculty and Staff, etc. is in violation of the responsibilities set forth in these Regulations, such Faculty and Staff, etc. may be disciplined. The discipline of Students, etc. will be governed by the rules of the school to which the relevant student belongs.

Chapter 9: Revision and Abolishment

Article 54: Revision and Abolishment
The revision and abolishment of these Regulations will be executed by the Executive Board of Trustees after the deliberations of the Committee.

Supplementary Provision (March 14, 2024: Complete revision due to the addition of provisions concerning security management measures and the utilization of personal information)
These regulations go into effect on March 14, 2024.

ページトップへ