Ritsumeikan Trust Personal Information Protection Regulations

April 13, 2005 Rule No. 637

Article 1: Purpose
The purpose of these Regulations is to protect individual rights and interests while taking consideration of the usefulness of personal information by setting down necessary matters regarding personal information handled by the Ritsumeikan Trust (hereinafter called "Trust") and schools established by the Trust.

Article 2: Definitions
The following terms as used herein have the following meanings, respectively:
(1) Personal Information
(i) Information about a living individual containing a name, date of birth, or other descriptions etc. (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other form that cannot be recognized by human senses)); the same shall apply in Article 9-3, Paragraph 2 and Article 14, Paragraph 1); hereinafter the same) whereby a specific individual can be identified (including details which can be readily collated with other information and thereby identify a specific individual).
(ii) Information containing an individual identification code.
(2) Individual Identification Code
Codes prescribed in Article 1 of the Cabinet Order to Enforce the Act on the Protection of Personal Information (hereinafter called “Cabinet Order”) which are any character, letter, number, symbol or other codes falling under any of each of the following items:
(i) Codes able to identify a specific individual that are a character, letter, number, symbol or other codes into which a bodily partial feature of the specific individual has been converted in order to be provided for use by computers
(ii) Character, letter, number, symbol or other codes which are assigned in regard to the use of services provided to an individual or to the purchase of goods sold to an individual, or which are stated or electromagnetically recorded in a card or other document issued to an individual so as to be able to identify a specific user or purchaser, or recipient of issuance by having made the codes differently assigned or, stated or recoded for the user or purchaser, or recipient of issuance
(3) Special Care-Required Personal Information
Personal Information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Article 2 of the Cabinet Order as those for which handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal
(4) Personal Information Database, etc
Databases set forth in the following which are a collective body of information comprising personal information (excluding those prescribed by Article 3, Paragraph 1 of the Cabinet Order as having little possibility of harming an individual's rights considering their utilization method).
(i) Databases systematically organized so as to be able to search for particular Personal Information using a computer
(ii) Besides databases set forth in the preceding item, databases prescribed by Article 3, Paragraph 2 of the Cabinet Order as having been systematically organized so as to be able to easily search for particular Personal Information
(5) Personal Data
Personal information constituting Personal Information Database, etc.
(6) Retained Personal Data
Personal Data for which the Trust has the authority to disclose, correct, add or delete the contents of, cease the utilization of, erase, and cease the third-party provision of, and excludes data prescribed by the Cabinet Order as likely to harm the public or other interests if its presence or absence is made known.
(7) Principal
A specific individual identifiable by Personal Information.
(8) Students, etc.
Pupils and students enrolled at a school established by the Trust at present or in the past.
(9) Faculty and Staff, etc.
Officers of the Trust and persons employed by the Trust at present or in the past, and Students and temporary workers, etc. engaged in Business under the directions of faculty and staff.
(10) Business
The education and research activities of the Trust and the Business as set forth in Articles 4, 5 and 6 of the Detailed Regulations on the Enforcement of the Bylaws of the Ritsumeikan Trust.
(11) Divisions/Offices
Organizations such as Divisions and Offices as set forth in the Bylaws of the Ritsumeikan Trust and the Detailed Regulations on the Enforcement of the Bylaws of the Ritsumeikan Trust.
(12) Academic research institution, etc.
A university or other institution or association whose purpose is academic research, or a person affiliated therewith.

Article 3: Responsibilities
1. The Trust must recognize the importance of Personal Information of Students, etc. and Faculty and Staff, etc., and take necessary measures for proper handling of Personal Information based on the recognition that it should be handled cautiously under the principle of respecting the personalities of individuals.
2. In case of obtaining and using Personal Information or providing the same for a third party, Faculty and Staff, etc. must comply with these Regulations.
3. Faculty and Staff, etc. must not leak Personal Information obtained through the Business to others for any other purpose than the Business.
4. Faculty and Staff, etc. must not use Personal Information Database, etc. improperly.

Article 4: Establishment of Personal Information Protection Committee
1. To attain the purpose of these Regulations, the Ritsumeikan Trust Personal Information Protection Committee (hereinafter called "Committee") will be established under the Executive Board of Trustees.
2. The Committee must report to the Executive Board of Trustees promptly its decisions regarding the matters set forth in Paragraph 1, Article 5.
3. Matters regarding the operation of the Committee will be determined by the Committee.
4. The Office of General Affairs within the Division of General Affairs will administer the running of the Committee.

Article 5: Authority of Committee
1. The functions of the Committee will be as follows:
(1) Deliberation and decision of important matters regarding protection of Personal Information;
(2) Establishment, revision, and abolition of detailed regulations required for the enforcement of these Regulations;
(3) To grasp the situation surrounding the handling of Personal Information handled by the Trust and the schools established by the Trust; and
(4) Any other matters deemed necessary by the Committee.
2. In case a school established by the Trust establishes a committee related to the protection of Personal Information (hereinafter called "Committee of Each School"), the authority held by the Ritsumeikan Trust Personal Information Protection Committee regarding the handling of the Personal Information on the Students, etc. and Faculty and Staff, etc. of the relevant school may be delegated to the Committee of Each School.

Article 6: Constitution of Committee
1. The Committee shall be composed of the following members:
(1) Chair: Personal Information General Administrator
(2) Committee member:
Personal Information School Administrator
Dean, Division of Academic Affairs, Ritsumeikan University
Dean, Division of Academic Affairs, Ritsumeikan Asia Pacific University
Dean, Division of Research, Ritsumeikan University
Dean, Division of Research, Ritsumeikan Asia Pacific University
Dean, Division of Student Affairs, Ritsumeikan University
Dean, Division of Student Affairs, Ritsumeikan Asia Pacific University
Dean, Division of Integrated Primary and Secondary Education, Ritsumeikan University
Executive Director, Office of Legal Compliance
Managing Director, Division of Human Resources
Managing Director, Division of Academic Affairs, Ritsumeikan University
Managing Director, Division of Research, Ritsumeikan University
Managing Director, Division of Integrated Primary and Secondary Education
Managing Director, Division of Information Technology Services
Several other persons appointed by the Chair
2. The Committee may, when deemed necessary, cause persons other than the Committee members to attend a meeting to ask for their opinions.

Article 7-1: Establishment of Personal Information Administrators
To attain the purpose of these Regulations, the following Personal Information Administrators will be established:
(1) Personal Information General Administrator
(2) Personal Information School Administrator
(3) Personal Information Handling Administrator

Article 7-2: Personal Information General Administrator
1. The Personal Information General Administrator will be assumed by the Executive Trustee for General Affairs.
2. The Personal Information General Administrator will have authority and responsibilities for the protection of Personal Information of the Trust and supervise any and all Business regarding the protection of Personal Information at the Trust.
3. The Personal Information General Administrator may appoint a Deputy Personal Information General Administrator to assist with the Personal Information General Administrator’s duties and to act on behalf of the Personal Information General Administrator when the Personal Information General Administrator is absent.

Article 7-3 (deleted)

Article 7-4: Personal Information School Administrator
1. The Personal Information School Administrator of the Trust and Ritsumeikan University will be assumed by the Managing Director, Division of General Affairs; while that of Ritsumeikan Asia Pacific University will be assumed by the Director-General, Ritsumeikan Asia Pacific University; and that of an affiliated school will be assumed by the principal of that school.
2. A Personal Information School Administrator will administer the following Business:
(1) necessary measures to prevent Personal Information leaks, loss, or damage and other Personal Information security control actions;
(2) education and training for Faculty and Staff, etc. that handle Personal Data; and
(3) appropriate treatment of requests to disclose or correct, etc. Retained Personal Data.
3. A Personal Information School Administrator may appoint a Deputy Personal Information School Administrator to assist with the Personal Information School Administrator’s duties and to act on behalf of the Personal Information School Administrator when the Personal Information School Administrator is absent.

Article 7-5 (deleted)

Article 7-6: Personal Information Handling Administrator
1. The Personal Information Handling Administrator will be assumed by the respective Administrative Manager.
2. The Personal Information Handling Administrator will establish the procedures regarding the Personal Information in the Business under its charge, make such procedures well known to its Faculty and Staff, etc., and give directions and make confirmation regarding the proper handling of Personal Information.

Article 7-7: Control of Personal Information in Class Management, etc. of Universities and Affiliated Schools
Notwithstanding the provisions of the preceding Article, in case it is required for materials, reports, papers, and theses related to class management and the execution of any other education activities in universities and affiliated schools, the person in charge of each class will be the administrator of the Personal Information retained by such teacher. In such case, the relevant teacher must handle the Personal Information appropriately in accordance with the prescribed control method, etc. for Personal Information.

Article 7-8: Management of personal information for academic research purposes
Notwithstanding the provisions of the preceding article, in cases in which Personal Information is needed for academic research purposes in a university or affiliated school, the teacher retaining Personal Information will be the administrator of said Personal Information. In such case, the relevant teacher must handle the Personal Information appropriately in accordance with the prescribed control method, etc. for Personal Information.

Article 7-9: Specifying a Purpose of Use
1. The Trust must, in handling Personal Information, specify the purpose of utilizing the Personal Information (hereafter “Purpose of Use”) as explicitly as possible.
2. The Trust shall, in case of altering a Purpose of Use, not do so beyond the scope recognized as being reasonably relevant to the pre-altered Purpose of Use.

Article 7-10: Restrictions Due to a Purpose of Use
1. The Trust shall not handle Personal Information without obtaining in advance a Principal's consent beyond the necessary scope to achieve a Purpose of Use specified pursuant to the provisions under the preceding Article.
2. The Trust shall, in case of having acquired Personal Information accompanied with succeeding a business from another personal information handling business operator because of a merger or other reason, not handle the Personal Information without obtaining in advance a Principal's consent beyond the necessary scope to achieve the pre-succession Purpose of Use of the said Personal Information.
3. The provisions under the preceding two paragraphs shall not apply to those cases set forth in the following:
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs.
(5) cases in which the Trust needs to handle Personal Information for the purpose of carrying out academic research (hereinafter referred to as “academic research purposes”) (including cases in which academic research is one part of the purposes of handling said Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) cases in which Personal Data is provided to an academic research institution, etc., when said institution needs to handle said Personal Data for academic research purposes (including cases in which academic research is one part of the purposes of handling said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals).
4. The Personal Information acquired for the purpose of conducting an entrance examination or a faculty recruitment assessment at a school established by the Trust will be handled within the scope of use for such purpose or for use in investigations or statistics, etc.

Article 7-11: Prohibition of Inappropriate Use
The Trust shall not use Personal Information in a way that encourages or leads to the possibility of illegal or unfair behavior.

Article 8: Proper Acquisition
1. The Trust shall not acquire Personal Information by deceit or other improper means.
2. The Trust shall, except in those cases set forth in the following, not acquire Special Care-Required Personal Information without obtaining in advance a Principal's consent:
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate in regard to a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs;
(5) cases in which there is a need to handle Special Care-Required Personal Information for academic research purposes (including cases in which academic research is one part of the purposes of handling said Special Care-Required Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) cases in which Special Care-Required Personal Information is to be acquired from an academic research institution, etc., and said Special Care-Required Personal Information needs to be acquired for academic research purposes (including cases in which academic research is one part of the purposes of acquiring said Special Care-Required Personal Information, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) (restricted to cases in which the Trust and said academic research institution, etc. are conducting academic research jointly);
(7) cases in which the Special Care-Required Personal Information is being open to the public by a Principal, a government organization, a local government, or a foreign government, etc.;
(8) other cases prescribed by Article 7 of the Cabinet Order as equivalent to those cases set forth in each preceding item.

Article 9-1 (deleted)

Article 9-2 (deleted)

Article 9-3: Notification of Purpose of Use when Acquiring
1. The Trust must, in case of having acquired Personal Information except in cases where a Purpose of Use has been disclosed in advance to the public, promptly inform a Principal of, or disclose to the public, the Purpose of Use.
2. The Trust must, notwithstanding the provisions under the preceding Paragraph, in cases where it acquires, accompanied by concluding an agreement with a Principal, the Principal's Personal Information stated in a written agreement or other document (including an electromagnetic record; hereinafter the same in this paragraph) or other similar cases where it acquires, directly from a Principal, his or her Personal Information stated in a written document, state a Purpose of Use explicitly to the Principal; provided, however that this shall not apply in cases where there is an urgent need to protect a human life, body or fortune.
3. The Trust must, in case of altering a Purpose of Use, inform a Principal of, or disclose to the public, a post-altered Purpose of Use.
4. The provisions under the preceding three paragraphs shall not apply to those cases set forth in the following:
(1) cases in which there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would harm a Principal or third party's life, body, fortune or other rights and interests;
(2) cases in which there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would harm the rights or legitimate interests of the Trust;
(3) cases in which there is a need to cooperate in regard to a central government organization or a local government performing affairs prescribed by laws and regulations, and when there is a possibility that informing a Principal of, or disclosing to the public, a Purpose of Use would interfere with the performance of the affairs;
(4) cases in which it can be recognized, judging from the acquisitional circumstances, that a Purpose of Use is clear.

Article 9-4: Proper Control of Personal Data
The Personal Information School Administrator must take appropriate measures for ensuring the security and accuracy of Personal Data regarding the following matters:
(1) to prevent falsification, leak, or loss of, or damage to Personal Data;
(2) to keep Personal Data accurate and updated within the scope required to attain the purpose of use;
(3) to establish means to check the status of handling of Personal Data; and
(4) to destroy or delete information promptly which does not need to be maintained any longer.

Article 9-5: Restricted Taking Out and Copying of Personal Information
1. Faculty and Staff, etc. shall not take out Personal Information from schools; provided, however, that this shall not apply in the following cases:
(1) cases where the Personal Information Handling Administrator gives permission;
(2) cases where the Business using Personal Information is outsourced to an external contractor having agreed on matters required for the protection of Personal Information;
2. In the case of item (1) of the preceding Paragraph, the persons handling Personal Information must take measures necessary and sufficient to prevent external leaks of such information.
3. Faculty and Staff, etc. shall not copying Personal Information without the permission of the Personal Information Handling Administrator.

Article 9-6: Measures When Leaks, etc. Occur
1. Faculty and Staff, etc. must, when Personal Information is leaked, lost, damaged or falsified (hereinafter called “Leaks, etc.”) or when such a situation is suspected, inform the relevant Personal Information School Administrator promptly of such fact.
2. The Personal Information School Administrator must, when there are reports that Leaks, etc. have occurred or are suspected of having occurred, promptly investigate the facts and report the facts to the Personal Information General Administrator.
3. The Personal Information General Administrator who receives the report provided for in the preceding Paragraph must promptly take necessary measures and report the details of the measures to the Committee.

Article 9-7: Reporting, etc. of Leaks, etc.
1. The Personal Information General Administrator must, when there is a significant possibility as prescribed by rules of the Personal Information Protection Committee that a leak, loss, or damage of Personal Data, or other situation related to ensuring the security of the handled Personal Data may cause harm to an individual’s rights and interests, report as prescribed by rules of the Personal Information Protection Committee to the Personal Information Protection Committee that such a situation has occurred. However, this shall not apply in cases where the Trust has been entrusted by another personal information handling business operator to all or a part of handling the Personal Data, and the personal information handling business operator has been informed, as prescribed by rules of the Personal Information Protection Committee, that the situation has occurred.
2. In the case prescribed in the preceding Paragraph, the Personal Information General Administrator (with the exception of the person that has given notice pursuant to the proviso in said Paragraph) must inform the Principal, as prescribed by rules of the Personal Information Protection Committee, that the situation has occurred. However, this shall not apply in cases where it is difficult to inform the Principal and when necessary alternative action is taken to protect the Principal’s rights and interests.

Article 9-8: Supervision over a Contractor
1. The Personal Information Handling Administrator must, in case of outsourcing the whole or any part of the Business of processing Personal Data, exercise necessary and appropriate supervision over the outsourcee to ensure the security of the outsourced Personal Data.
2. The Personal Information Handling Administrator must, in concluding an outsourcing agreement with the outsourcee, set forth in the agreement matters stated each of the following items:
(1) matters concerning the confidentiality of Personal Data;
(2) matters concerning the prohibition of the utilization of Personal Data other than for the intended purpose and provision to a third party;
(3) matters concerning the prohibition of re-outsourcing and confidentiality, etc. of Personal Information when re-outsourcing;
(4) matters concerning the prohibition of Personal Data processing, use, copying, and reproducing in excess of the extent absolutely essential;
(5) matters concerning the return and destruction of Personal Data after the completion of outsourcing agreements;
(6) matters concerning the supervision and training of employees;
(7) matters concerning the duty to report when accidents occur; and
(8) matters concerning the duty to compensate.
3. The Personal Information Handling Administrator shall inform the Personal Information School Administrator as appropriate of an outline of agreements concluded.

Article 10: Restricted Third Party Provision
1. The Trust shall, except in those cases set forth in the following, not provide Personal Data to a third party without obtaining a Principal's consent in advance.
(1) cases based on laws and regulations;
(2) cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a Principal's consent;
(3) cases where there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a Principal's consent;
(4) cases in which there is a need to cooperate with a central government organization or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a Principal's consent would interfere with the performance of the affairs.
(5) when the provision of Personal Data is an unavoidable consequence of teaching or publication of the findings of academic research (excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals);
(6) when there is a need to provide Personal Data for academic research purposes (including cases in which academic research is one part of the purposes of providing said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) (restricted to cases in which the Trust and said third party are conducting academic research jointly);
(7) cases in which the third party receiving provision of Personal Data is an academic research institution, etc., and when said Personal Data needs to be provided for academic research purposes (including cases in which academic research is one part of the purposes of providing said Personal Data, but excluding cases in which there is a risk of unreasonably infringing the rights and interests of individuals) (restricted to cases in which the Trust and said third party are conducting academic research jointly).
2. In those cases set forth in the following, a person receiving provision of Personal Data shall not fall under a third party in regard to applying the provisions of the preceding Paragraph:
(1) cases in which Personal Data is provided accompanied by the Trust entrusting the whole or any part of the handling of the Personal Data within the necessary scope to achieve a Purpose of Use;
(2) cases in which Personal Data is provided accompanied with business succession caused by a merger or other reason;
(3) cases where the Personal Data to be jointly utilized by a specified person is provided to the specified person, and when the Principal has in advance been informed or a state has been in place where the Principal can easily know to that effect as well as of the categories of the jointly utilized Personal Data, the scope of a jointly utilizing person, the Purpose of Use for the utilizing person and the name or appellation and the address of the person responsible for controlling the Personal Data, and for a corporate body, the name of its representative.
3. The Trust must, in cases where there has been a change in the name or appellation or address of a person responsible for controlling Personal Data as prescribed in item 3 of the preceding Paragraph, and for a corporate body, in the name of its representative, inform without delay, and in cases where there is an intent to change the Purpose of Use for the utilizing person as prescribed in the same item or the person responsible for controlling Personal Data, inform in advance the Principal of the situation, or the Principal must be placed in a state to be easily informed of the situation.
4. The Trust must, when providing Personal Data to a third party, conclude an agreement with the third party in consideration of the following matters:
(1) that employees of the recipient of such data must not leak or make unauthorized use of Personal Information obtained through the handling of the relevant Personal Information;
(2) that a prior written approval of the Personal Information School Administrator must be obtained when the relevant Personal Data is re-provided;
(3) that the retention period, etc. at the recipient must be clearly established;
(4) that the Personal Data must be returned or destroyed or deleted by the recipient appropriately and securely after the purpose of use is attained; and
(5) that the recipient must be prohibited from copying or duplicating Personal Data (excluding making backups necessary for a security reason).
5. The Personal Information Handling Administrator must, when Personal Data is jointly utilized by a specified person, obtain approval from the Personal Information General Administrator in advance.

Article 11-1 (deleted)

Article 11-2: Restriction on Provision to a Third Party in a Foreign Country
1. The Trust, except in those cases set forth in each item of the Article 10, Paragraph 1, must, in case of providing Personal Data to a third-party (excluding a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Committee as necessary for continuously taking action equivalent to the one that a personal information handling business operator shall take pursuant to the provisions from Article 7-9 to Article 15-3, concerning the handling of personal data (said action referred to as “equivalent action” in Paragraph 3); hereinafter the same in this Paragraph and the next Paragraph of this Article and the same item) in a foreign country (meaning any country or region outside Japan; hereinafter the same) (excluding countries prescribed by rules of the Personal Information Protection Committee as a foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests; hereinafter the same in this Article), obtain the Principal's consent in advance to the effect that he or she approves the provision to a third party in a foreign country. In this case, the provisions of the same Article shall not apply.
2. The Trust must, in cases where the consent of the Principal is to be obtained pursuant the provisions of the preceding Paragraph, provide as prescribed by rules of the Personal Information Protection Committee information in advance to the Principal regarding the personal information protection system in the foreign country, the action to be taken by the third party to protect personal information, and any other information that will serve as a useful reference to the Principal.
3. The Trust must, in cases where Personal Data is provided to a third party (limited to a person establishing a system prescribed in Paragraph 1) in a foreign country, take action as prescribed by rules of the Personal Information Protection Committee as necessary for continuously taking equivalent action by the third party, and in response to a request by the Principal for information related to the necessary action, provide the information to the Principal.

Article 11-3: Creating Records of Third-Party Provision
1. The Personal Information Handling Administrator must, when having provided Personal Data to a third party (excluding a person set forth in each of the following items, (hereinafter the same in this Article and the next Article), create as prescribed by rules of the Personal Information Protection Committee a record of the date of the Personal Data provision, the name or appellation of the third party, and other data concerning matters prescribed by rules of the Personal Information Protection Committee; provided, however, that this shall not apply in cases where Personal Data provision falls under any of each item of Article 10, Paragraph 1 or any of each item of Article 10, Paragraph 2 (in cases of providing Personal Data pursuant to the provisions of Paragraph 1 of the preceding Article, any of each item of Article 10, Paragraph 1).
(1) a central government organization;
(2) a local government;
(3) an incorporated administrative agency, etc.; and
(4) a local incorporated administrative agency.
2. The Personal Information Handling Administrator must keep the record under the preceding Paragraph for a period prescribed by rules of the Personal Information Protection Committee from the date the record is created.

Article 11-4: Confirmation etc. when Receiving a Third Party Provision
1. The Personal Information Handling Administrator must, when receiving the provision of Personal Data from a third party, confirm those matters set forth in the following; provided, however, that this shall not apply in cases where Personal Data provision falls under any of each item of Article 10, Paragraph 1 or any of each item of Article 10, Paragraph 2.
(1) the name or appellation and address of the third party and, for a corporate body, the name of its representative;
(2) circumstances under which the Personal Data was acquired by the third party.
2. The Personal Information Handling Administrator must, when having confirmed pursuant to the provisions of the preceding Paragraph, create and keep a record concerning the date of receiving the provision of Personal Data, matters concerning the confirmation, and other matters prescribed by rules of the Personal Information Protection Committee.
3. The Personal Information Handling Administrator must keep the record under the preceding Paragraph for a period prescribed by rules of the Personal Information Protection Committee from the date the record is created.

Article 12 (deleted)

Article 13-1 (deleted)

Article 13-2: Public Disclosure etc. on Matters relating to Retained Personal Data
1. A Personal Information School Administrator must, concerning its Retained Personal Data, put those matters set forth in the following into a state where a Principal can know (including those cases in which it, at the request of a Principal, responds without delay):
(1) the appellation and address of the Trust, and the name of its representative:
(2) the Purpose of Use of all Retained Personal Data (excluding those cases falling under item (1) to item (3) of Article 9-3, Paragraph 4);
(3) the procedures for responding to a request pursuant to the provisions of Paragraph 3 of this Article or Paragraph 1 of Article 14-1 (including cases of application of mutatis mutandis pursuant to Paragraph 5 of said Article), or a demand pursuant to the provisions of Article 14-2, Paragraph 1, Article 14-3, Paragraph 1, Article 14-3, Paragraph 3 or Article 14-3, Paragraph 5 (including the amount of a fee pursuant to the provisions of Article 14-5): and
(4) the division that accepts complaints and consultations relating to the handling of Retained Personal Data.
(5) in addition to the matters set forth in the preceding four items, matters prescribed by the Cabinet Order as being necessary for ensuring the appropriate handling of Retained Personal Data
2. Disclosure shall be by putting up or distributing printed matter or posting on the Trust’s website.
3. A Personal Information School Administrator must, when requested by Students, etc. or Faculty and Staff, etc. to get informed of a Purpose of Use of Retained Personal Data that can identify the Principal, inform the Principal thereof without delay; provided, however, that shall not apply in those cases falling under any of each following item:
(1) cases in which the Purpose of Use of Retained Personal Data that can identify the Principal is clear pursuant to the provisions of Paragraph 1;
(2) cases falling under item (1) to item (3) of Article 9-3, Paragraph 4.
4. A Personal Information School Administrator must, when having been requested based on the provisions of the preceding Paragraph but decided not to inform a Principal of the Purpose of Use of Retained Personal Data, inform the Principal to that effect without delay.

Article 14-1: Disclosure
1. Students, etc., and Faculty and Staff, etc., may demand of a Personal Information School Administrator the disclosing of the Retained Personal Data that can identify the Principal by providing the data in an electromagnetic form or any other method prescribed by rules of the Personal Information Protection Committee.
2. The Personal Information School Administrator must, in the case of receiving a demand pursuant to the provisions of the preceding Paragraph, disclose to the Principal the Retained Personal Data without delay by the method demanded by the Principal pursuant to the provisions of the preceding Paragraph (by issuing a document in cases where disclosure by said method requires a substantial expense or is otherwise difficult); provided, however, in cases where the disclosure falls under any of each of the following items, the whole or any part of the Retained Personal Data may not be disclosed:
(1) cases in which there is a possibility of harming a Principal or third party's life, body, fortune or other rights and interests;
(2) cases in which there is a possibility of interfering seriously with the Trust implementing its Business properly; and
(3) cases of violating other laws or regulations.
3. The Personal Information School Administrator must, when having decided not to disclose the whole or any part of Retained Personal Data in connection with a demand pursuant to the provisions of Paragraph 1; when the Retained Personal Data does not exist; or when disclosure by the method demanded by the Principal pursuant to the provisions of said Paragraph is difficult, inform the Principal to that effect without delay.
4. In cases where the whole or any part of Retained Personal Data that can identify a Principal is to be disclosed to the Principal pursuant to the provisions of other laws or regulations using a method equivalent to that prescribed in the main clause of Paragraph 2, the provisions of Paragraph 1 and Paragraph 2 shall not apply in regard to the said whole or any part of the Retained Personal Data.
5. The provisions from Paragraph 1 to Paragraph 3 shall be applied mutatis mutandis to records concerning Personal Data that can identify the Principal (excluding data prescribed by the Cabinet Order as likely to harm the public or other interests if their presence or absence is known) under Article 11-3, Paragraph 1 and Article 11-4, Paragraph 2.

Article 14-2: Correction, etc.
1. Students, etc. and Faculty and Staff, etc. may, when the contents of Retained Personal Data that can identify the Principal are not factual, demand of a Personal Information School Administrator for such Retained Personal Data a correction, addition or deletion (hereinafter called "Correction, etc." in this Article) in regard to the contents of the Retained Personal Data.
2. A Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph except in cases where special procedures concerning a Correction, etc. of the contents is prescribed by the provisions of other laws or regulations, conduct a necessary investigation without delay to the extent necessary to achieve a Purpose of Use and, based on the result thereof, make a Correction, etc. to the contents of the Retained Personal Data.
3. A Personal Information School Administrator must, when having made a Correction, etc. to the whole or any part of the contents of the Retained Personal Data in connection with a demand pursuant to the provisions under Paragraph 1 or when having made a decision not to make a Correction, etc., inform a Principal without delay to that effect (including, when having made a Correction, etc., the contents thereof).

Article 14-3: Utilization Cease etc.
1. Students, etc. and Faculty and Staff, etc. may, when the Retained Personal Data that can identify the Principal is being handled in violation of the provisions of Article 7-10 or Article 7-11 or has been acquired in violation of the provisions of Article 8, demand of the Personal Information School Administrator a utilization cease or deletion (hereinafter called "Utilization Cease, etc." in this Article) of the Retained Personal Data.
2. A Personal Information School Administrator shall, in case of having received a demand pursuant to the provisions of the preceding Paragraph and when it has become clear that there is a reason in the demand, fulfill a Utilization Cease, etc. of the Retained Personal Data to the extent necessary to redress a violation without delay; provided, however, that this shall not apply in cases where a Utilization Cease, etc. of Retained Personal Data requires a large amount of expenses or other cases where it is difficult to fulfil a Utilization Cease, etc. and when necessary alternative action is taken to protect a Principal's rights and interests.
3. Students, etc. and Faculty and Staff, etc. may, when Retained Personal Data that can identify the Principal is being provided to a third party in violation of the provisions of Article 10, Paragraph 1 or Article 11-2, demand of the Personal Information School Administrator to cease the third-party provision of the Retained Personal Data.
4. A Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph and when it has become clear that there is a reason in the demand, cease a third-party provision of the Retained Personal Data without delay; provided, however, that this shall not apply in cases where ceasing a third-party provision of the Retained Personal Data requires a large amount of expenses or other cases where it is difficult to cease a third-party provision and when necessary alternative action is taken to protect a Principal's rights and interests.
5. Students, etc., and Faculty and Staff, etc., may, in cases where it is no longer necessary for the personal information handling business operator to use the Retained Personal Data that can identify the Principal, where a situation concerning the Retained Personal Data that can identify the Principal as prescribed in the main text of Article 9-7, Paragraph 1, has occurred; or any other situation in which there is a possibility that the handling of the Retained Personal Data that can identify the Principal may harm the rights or proper interests of the Principal, demand of the Personal Information School Administrator a Utilization Cease, etc., or a cease of a third-party provision of the Retained Personal Data.
6. The Personal Information School Administrator must, in case of having received a demand pursuant to the provisions of the preceding Paragraph and it has become clear that there is a reason for the demand, fulfill a Utilization Cease, etc., or cease the third-party provision of the Retained Personal Data without delay to the extent necessary to prevent harm to the Principal’s rights or interests; provided, however, that this shall not apply in cases where a Utilization Cease, etc., or ceasing the third-party provision of the Retained Personal Data requires a large amount of expenses or other cases where it is difficult to fulfill a Utilization Cease, etc., or cease the third-party provision and necessary alternative action is taken to protect the Principal’s rights and interests.
7. The Personal Information School Administrator must, when having fulfilled a Utilization Cease, etc. or decided not to fulfill a Utilization Cease, etc. of the whole or any part of the Retained Personal Data in connection with a demand pursuant to the provisions of Paragraph 1 or Paragraph 5, or when having ceased a third-party provision or decided not to cease a third-party provision of the whole or any part of the Retained Personal Data in connection with a demand pursuant to the provisions of Paragraph 3 or Paragraph 5, inform the Principal to that effect without delay.

Article 14-4: Explanation of Reason
The Personal Information School Administrator must, in case of informing the Principal to the effect that, as regards to the whole or any part of the action requested or demanded by the Principal pursuant to the provisions of Article 13-2, Paragraph 4, Article 14-1, Paragraph 3, (including cases of application of mutatis mutandis pursuant to Article 14-1, Paragraph 5), Article 14-2, Paragraph 3 or Paragraph 7 of the preceding Article, the action will not be taken, or to the effect that different action from said action will be taken, strive to explain a reason therefor to the Principal.

Article 14-5: Responsibility for Expenses
Students, etc. and Faculty and Staff, etc. must, when notification of the Purpose of Use has been requested in accordance with provisions of Article 13-2, Paragraph 3 or when a request for disclosure has been made in accordance with the provisions of Article 14-1, Paragraph 1, pay an administrative fee of 300 JPY per record and actual fees in relation to conducting such disclosure, etc.

Article 15-1: Filing of Complaints
1. Students, etc. and Faculty and Staff, etc. who have a complaint about the measures taken in response to the request for disclosure, Correction, etc. or Suspension, etc. under these Regulations may file a complaint with the Appeals Committee in writing.
2. The Appeals Committee, when receiving the filing of a complaint pursuant to the preceding Paragraph, must investigate or deliberate such complaint promptly.
3. The Appeals Committee, when determining that there is a need for the investigation or deliberation by the filing of a complaint, may hear the opinions of involved persons including the filing person or the relevant Personal Information School Administrator.
4. The Appeals Committee, when determining that there is a reason for the filing, may recommend disclosure, Correction, etc. or Suspension, etc. to the relevant Personal Information School Administrator.
5. The Appeals Committee must notify the filing person of the result of deliberation in writing.

Article 15-2: Appeals Committee
1. The Appeals Committee provided for in the preceding Article is made up of members appointed by the Executive Trustee for General Affairs as follows:
(1) the Executive Trustee for General Affairs
(2) a number of external experts
(3) a number of non-fixed term faculty and staff
2. The chair and vice-chair of the Appeals Committee will be elected by the committee members from among its members.

Article 15-3: Handling Complaints
1. A Personal Information School Administrator must, when receiving a complaint regarding the handling of Personal Information by the Trust, promptly inform the Personal Information General Administrator.
2. The Personal Information General Administrator must, when receiving a report in accordance with the provision of the preceding Paragraph, strive to handle the complaint properly and promptly.

Article 16 (deleted)

Article 17 (deleted)

Article 18: Penalty
In the event that any Faculty and Staff, etc. is in violation of the responsibilities set forth in these Regulations, such Faculty and Staff, etc. may be disciplined. The discipline of Students, etc. will be governed by the rules of the school to which the relevant student belongs.

Article 19: Revision and Abolition
The revisions and abolitions of these Regulations will be executed by the Executive Board of Trustees after the deliberations of the Committee.

Supplementary Provision (May 10, 2023, partial revisions in accordance with revisions to the Act on the Protection of Personal Information)
This regulation shall come into force on May 10, 2023, and shall apply as of April 1, 2023