Handling Secure Management of Personal Data

Handling Regulations for the Security Management of Personal Data

 

Affinity Digital Insurance Services LLC

 

The handling regulations concerning the safe management of personal data stipulated in Article 20, Paragraph 2 of the Personal Information Handling Regulations related to insurance agency operations are established as follows.

 

  1. Handling rules at the acquisition and input stages

Article 1 (Purpose)

These regulations stipulate the handling of personal information at the "acquisition and input" stage among the security management measures for personal data at our agency.

 

Article 2 (Definitions)

  1. "Acquisition" means the acquisition of personal information from the individual or a third party by physical and electronic means (excluding acquisition from other departments within the Agency).
  2. "Input" means the physical and electronic input of acquired personal information into an information system such as a database.

 

Article 3 (Roles and Responsibilities of the Handler and Limitation of Handlers Regarding Acquisition and Input)

  1. The person responsible for personal data management must define the roles and responsibilities of the person handling the acquisition and input of personal information and disseminate them within the organization.
  2. The personal data controller must limit the handlers so that personal information can be acquired and entered only by those who are necessary for business in each department.

 

Article 4 (Limitation of Handlers Regarding the Acquisition and Input of Sensitive Information)

The personal data controller shall limit the number of persons handling the acquisition and input of special care-required personal information (race, creed, social status, medical history, criminal record, previous history, information on having suffered harm from a crime, etc.) and of information related to labor union membership, permanent domicile, health and medical care (excluding information that falls under the category of special care-required personal information) (hereinafter collectively referred to as "sensitive information" in each set of handling regulations) to the minimum necessary.

 

Article 5 (Limitation of Personal Data Subject to Acquisition and Input)

The personal data controller must limit the personal information to be acquired and entered to the scope necessary for business.

 

Article 6 (Verification and Confirmation Procedures at the Time of Acquisition and Input)

  1. When acquiring personal information, the Handler of Personal Data shall confirm the identity and authority of the information provider.
  2. When entering personal data, the Handler of Personal Data shall ensure that the input data is accurate.

 

Article 7 (Application and Approval Procedures for Work Outside the Regulations for Acquisition and Input)

When acquiring or inputting personal information by any method other than those stipulated in these Regulations, the Handler of Personal Data must apply to the Personal Data Administrator and obtain approval before doing so.

 

Article 8 (Management Procedures for Equipment, Recording Media, etc.)

  1. The Personal Data Manager shall designate the installation location of the equipment, recording media, etc. where the acquired and entered personal information is stored, set the management classification and authority, and change it as necessary.
  2. The Handler of Personal Data shall appropriately store equipment, recording media, etc. in which personal information is stored in accordance with the specifications and settings set in the preceding paragraph.

 

Article 9 (Control of Access to Personal Data)

In order to control access to personal information acquired and entered, the personal data controller shall take the following measures with respect to equipment, recording media, etc. on which personal data acquired and entered are stored.

(1) Thoroughly manage IDs and passwords required for entering personal data.

(2) Restrict access by outsiders to spaces where equipment, recording media, etc. containing personal data are stored.

(3) Appropriately manage personal information such as received mail and faxes.

 

Article 10 (Recording and Analysis of Acquisition and Input Status)

  1. When acquiring or inputting personal information, the Handler of Personal Data shall record the status of acquisition and input as necessary and appropriately according to the type and form of information.
  2. The personal data controller shall check the recorded status as necessary to prevent leakage, etc. of personal information.

 

Article 11 (Restrictions on Acquisition of Sensitive Information)

The Handler of Personal Data shall not acquire Sensitive Information except in the following cases.

  1. When acquiring sensitive information to the extent necessary for business execution based on the consent of the person due to the necessity of ensuring the appropriate business operation of the insurance business
  2. When acquiring sensitive information to the extent necessary for the performance of insurance claim payment affairs, etc. involving inheritance procedures
  3. When acquiring, from employees, etc., sensitive information regarding membership in or affiliation with political, religious or other organizations or labor unions, to the extent necessary for the performance of insurance premium collection work, etc.
  4. In addition to the preceding items, in the cases listed in each item of Article 6, Paragraph 1 of the Financial Services Agency Guidelines

 

Article 12 (Consent of the Principal and Matters to be Explained to the Person in Cases Where Consent of the Principal is Required for Sensitive Information)

  1. When acquiring sensitive information pursuant to item 1 of the preceding article, the Handler of Personal Data shall, in principle, obtain the consent of the person (in principle, in writing) on the basis of the necessity of ensuring the appropriate operation of the insurance business, and shall acquire the sensitive information only to the extent necessary for the performance of business.
  2. The Handler of Personal Data shall not acquire such sensitive information unless the consent of the person referred to in the preceding paragraph has been obtained.
  3. If a document, etc. containing personal data received by mail, etc. contains sensitive information, the Handler of Personal Data shall, in principle, promptly return it to the person or dispose of it by the method the person specifies; provided, however, that if other information contained in the document, etc. is necessary for the performance of business, the Handler of Personal Data shall immediately render the part stating the sensitive information illegible and acquire the document in that state.

 

  2. Handling rules at the usage and processing stages

Article 1 (Purpose)

These regulations stipulate the handling of personal data at the "use and processing" stage among the security management measures for personal data at the agency.

 

Article 2 (Definitions)

  1. "Use" means the handling of personal data within the scope of the purpose of use.
  2. "Processing" means updating personal data or using personal data to create a new database.
  3. "Managed area" means an area designated in advance in consideration of the scope of business.

 

Article 3 (Roles and Responsibilities of the Handler and Limitation of Handlers Regarding Use and Processing)

  1. The person responsible for personal data management must define the roles and responsibilities of the handler regarding the use and processing of personal data and make them known within the organization.
  2. The personal data controller must limit the persons who handle personal data so that it is used and processed only by those who need to do so for business in each department.

 

Article 4 (Limitation of Handlers Regarding the Use and Processing of Sensitive Information)

The Personal Data Controller shall limit the number of persons handling the use and processing of sensitive information among personal data to the minimum necessary.

 

Article 5 (Limitation of Personal Data Subject to Use and Processing)

The personal data controller must limit the personal data to be used and processed to the scope necessary for business.

 

Article 6 (Verification and Confirmation Procedures at the Time of Use and Processing)

  1. The Handler of Personal Data must confirm that the personal data to be used is the correct data for the intended use.
  2. The Handler of Personal Data must check the processed personal data against the original data to confirm that it has been processed correctly.

 

Article 7 (Application and Approval Procedures for Work Outside the Regulations for Use and Processing)

If the Handler of Personal Data uses or processes Personal Data in a manner other than those stipulated in these Regulations, the Handler of Personal Data must apply to the Personal Data Controller and obtain approval before doing so.

 

Article 8 (Management Procedures for Equipment, Recording Media, etc.)

  1. The Personal Data Manager shall designate the installation location of the equipment, recording media, etc. where the personal data to be used and processed is stored, set the management classification and authority, and change it as necessary.
  2. The Handler of Personal Data shall appropriately store equipment, recording media, etc. in which Personal Data is stored in accordance with the specifications and settings set in the preceding paragraph.

 

Article 9 (Control of Access to Personal Data)

  1. In order to control access to personal data to be used and processed, the personal data controller shall take the following measures with respect to equipment, recording media, etc. on which personal data to be used and processed are stored.

(1) Thoroughly manage IDs and passwords necessary for the use and processing of personal data.

(2) Restrict access by outsiders to spaces where equipment, recording media, etc. containing personal data are stored.

  2. With regard to access control to sensitive information, the personal data controller must assign IDs and passwords so that the information can be used and processed only by the minimum necessary number of handlers authorized to do so, and must thoroughly manage those IDs and passwords.

 

Article 10 (Recording and Analysis of Usage and Processing Status)

  1. When using or processing personal data, the person handling personal data must record the status of use and processing as necessary and appropriately according to the type and form of the data.
  2. The Personal Data Controller shall check the recorded status as necessary to prevent leakage, etc. of personal data.

 

Article 11 (Restrictions on Use and Processing of Sensitive Information)

The Handler of Personal Data shall not use or process Sensitive Information except in the following cases.

(1) When using or processing sensitive information to the extent necessary for business execution based on the consent of the person due to the necessity of ensuring the appropriate business operation of the insurance business

(2) When using or processing sensitive information to the extent necessary for the execution of insurance claim payment affairs, etc. involving inheritance procedures

(3) When using or processing sensitive information of employees, etc. regarding membership in or affiliation with political, religious or other organizations or labor unions, to the extent necessary for the performance of insurance premium collection affairs, etc.

(4) In addition to the preceding items, in the cases listed in each item of Article 6, Paragraph 1 of the Financial Services Agency Guidelines

 

Article 12 (Obtaining the Consent of the Person and Matters to be Explained to the Person in Cases Where Consent of the Person is Required for the Use of Sensitive Information)

  1. When using sensitive information pursuant to item (1) of the preceding article, the Handler of Personal Data shall, in principle, obtain the consent of the person (in principle, in writing) on the basis of the necessity of ensuring the appropriate operation of the insurance business, and shall use the sensitive information only to the extent necessary for the performance of business.
  2. The Handler of Personal Data shall not use such sensitive information unless the consent of the person referred to in the preceding paragraph has been obtained.
  3. If a document, etc. containing personal data received by mail, etc. contains sensitive information, the Handler of Personal Data shall, in principle, promptly return it to the person or dispose of it by the method the person specifies; provided, however, that if other information contained in the document, etc. is necessary for the performance of business, the Handler of Personal Data shall immediately render the part stating the sensitive information illegible and acquire the document in that state.

 

Article 13 (Measures Concerning Removal of Personal Data Outside the Managed Area)

  1. The Personal Data Manager shall establish the roles and responsibilities of the Handler regarding the removal of personal data outside the management area and make it known throughout the organization.
  2. The Personal Data Controller shall limit the number of persons handling the removal of personal data outside the controlled area to the minimum necessary.
  3. The personal data controller shall limit the personal data that can be taken out of the controlled area to the minimum extent necessary for business purposes.
  4. When personal data is taken out of the controlled area, the personal data controller must confirm that the person taking it out is one of the persons permitted to do so under paragraph 2, and that the personal data to be taken out falls within the scope permitted under paragraph 3.
  5. When the Handler of Personal Data takes personal data out of the Controlled Area, the Handler must apply to the Personal Data Controller and obtain approval before doing so.
  6. When taking personal data out of the controlled area, the person handling personal data must limit this to the cases where it is necessary and manage it appropriately, for example by keeping the equipment, media, etc. on which the personal data is stored on their person at all times.
  7. When the Handler of Personal Data takes personal data out of the Controlled Area, the Handler shall report and record the status of the personal data taken out as necessary and appropriate, depending on the type and form of the data.
  8. The personal data controller shall check the status reported and recorded as necessary in order to prevent leakage, etc. of personal data.

 

Article 14 (Identification and Authentication of Users of Personal Data)

The personal data controller shall establish a function to identify and authenticate the data handlers who use and process personal data.

 

Article 15 (Setting of Personal Data Management Classification and Access Control)

  1. The personal data controller must establish management categories and access control functions at the stage of use and processing of personal data.
  2. When setting up the access control function set forth in the preceding paragraph, the Personal Data Controller shall configure the use and processing of sensitive information so that the persons handling it are limited to the minimum number necessary.

 

Article 16 (Management of Access Rights to Personal Data)

  1. The personal data controller shall provide functions related to access authority at the stage of use and processing of personal data.
  2. When setting the functions related to access authority set forth in the preceding paragraph, the Personal Data Controller shall set the number of persons handling the use and processing of sensitive information to the minimum necessary.

 

Article 17 (Measures to Prevent Leakage and Damage of Personal Data)

The personal data controller must take measures to prevent leakage, damage, etc. at the stage of use and processing of personal data.

 

Article 18 (Access Recording and Analysis of Personal Data)

The personal data manager shall acquire access records at the stage of use and processing of personal data, keep them for the necessary period, and analyze them as necessary to prevent leakage, etc. of personal data.

 

Article 19 (Recording and Analysis of the Operation Status of Information Systems Handling Personal Data)

The personal data controller shall acquire records of the operation status of the system at the stage of use and processing of personal data, keep them for the necessary period, and analyze them as necessary to prevent leakage, etc. of personal data.

 

  3. Handling rules at the storage and preservation stage

Article 1 (Purpose)

These regulations stipulate the handling of personal data at the "storage and preservation" stage of personal data among the security management measures of personal data at the agency.

 

Article 2 (Definitions)

  1. "Storage" means placing and managing personal data on the office floor without processing it.
  2. "Preservation" means placing personal data, without processing it, outside the office floor (in a library, etc.) and managing it until it is disposed of, or storing electronic data on a personal computer, electronic media, etc. and managing it until it is deleted (including backups of personal data).

 

Article 3 (Roles and Responsibilities of the Handler and Limitation of Handlers Regarding Storage and Preservation)

  1. The person responsible for personal data management must define the roles and responsibilities of the persons handling the storage and preservation of personal data and make them known throughout the organization.
  2. The Personal Data Controller shall limit the persons who handle personal data in each department so that personal data is stored and preserved only by those who need to do so for business.

 

Article 4 (Limitation of Handlers Regarding Storage and Preservation of Sensitive Information)

The Personal Data Controller shall limit the persons who handle the storage and preservation of sensitive information among the personal data to the minimum necessary.

 

Article 5 (Limitation of Personal Data Subject to Storage and Preservation)

The personal data controller shall limit the personal data to be stored and preserved to the extent necessary for business.

 

Article 6 (Application and Approval Procedures for Work Outside the Regulations for Storage and Preservation)

If the Handler of Personal Data stores or preserves Personal Data in a manner other than those stipulated in these Regulations, the Handler of Personal Data must apply to the Personal Data Controller and obtain approval before doing so.

 

Article 7 (Management Procedures for Equipment, Recording Media, etc.)

  1. Based on the personal data management ledger, the personal data controller shall designate the storage location of the equipment, recording media, etc. where the personal data is stored, set the management classification and authority, and change it as necessary.
  2. The Handler of Personal Data shall appropriately store equipment, recording media, etc. in which Personal Data is stored in accordance with the specifications and settings set in the preceding paragraph.

 

Article 8 (Control of Access to Personal Data)

  1. In order to control access to stored and preserved personal data, the person responsible for personal data management must take the following measures with respect to equipment, recording media, etc. on which stored and preserved personal data are stored.

(1) Thoroughly manage IDs and passwords necessary for the storage and preservation of personal data.

(2) Restrict access by outsiders to spaces where equipment, recording media, etc. containing personal data are stored.

  2. With regard to access control to sensitive information, the personal data controller must assign IDs and passwords so that the information can be stored and preserved only by the minimum necessary number of handlers authorized to do so, and must thoroughly manage those IDs and passwords.

 

Article 9 (Recording and Analysis of Storage and Preservation Status)

  1. When storing or preserving personal data, the person handling personal data must record the storage and preservation status as necessary and appropriately according to the type and form of the data.
  2. The Personal Data Controller shall check the recorded status as necessary to prevent leakage, etc. of personal data.

 

Article 10 (Response and Recovery Procedures in the Event of Failure Related to Personal Data)

  1. The Personal Data Manager shall ensure that the Handler regularly backs up the stored and preserved Personal Data, and in the event of a failure affecting the stored or preserved Personal Data, the Personal Data Manager shall restore it from the backup data, etc.
  2. The Handler of Personal Data shall appropriately manage the created Backup Data, etc.

 

Article 11 (Identification and Authentication of Users of Personal Data)

The personal data controller shall establish functions to identify and authenticate the handlers who store and preserve personal data.

 

Article 12 (Setting of Personal Data Management Classification and Access Control)

  1. The personal data controller shall establish a management classification and access control function at the storage and preservation stage of personal data.
  2. When setting up the access control function set forth in the preceding paragraph, the personal data controller must limit the number of persons who handle the storage and preservation of sensitive information to the minimum necessary.

Article 13 (Management of Access Rights to Personal Data)

  1. The personal data controller shall provide functions related to access authority at the storage and preservation stage of personal data.
  2. When setting the functions related to access authority set forth in the preceding paragraph, the Personal Data Controller shall configure the storage and preservation of sensitive information so that the persons handling it are limited to the minimum number necessary.

 

Article 14 (Measures to Prevent Leakage and Damage of Personal Data)

The personal data controller must take measures to prevent leakage, damage, etc. at the storage and preservation stage of personal data.

 

Article 15 (Access Recording and Analysis of Personal Data)

The Personal Data Controller shall acquire access records at the storage and preservation stage of personal data, retain them for the necessary period, and analyze them as necessary to prevent leakage, etc. of personal data.

 

Article 16 (Recording and Analysis of the Operation Status of Information Systems Handling Personal Data)

The personal data controller shall obtain records of the operation status of the system at the storage and preservation stage of personal data, keep them for the necessary period, and analyze them as necessary to prevent leakage, etc. of personal data.

 

  4. Handling rules at the transfer and transmission stages

Article 1 (Purpose)

These regulations stipulate the handling of personal data at the "transfer / transmission" stage among the security management measures for personal data at the agency.

 

Article 2 (Definitions)

  1. "Transfer" means, for example, moving personal data to another place or person by physical means.
  2. "Transmission" means, for example, moving personal data to another place or person by electronic means.

 

Article 3 (Roles and Responsibilities of the Handler and Limitation of Handlers in Relation to Transfer and Transmission)

  1. The person responsible for managing personal data must define the roles and responsibilities of the handler regarding the transfer and transmission of personal data and make them known within the organization.
  2. The personal data controller shall limit the persons who handle personal data so that it is transferred and transmitted only to those who are necessary for business in each department.

 

Article 4 (Limitation of Handlers Regarding the Transfer and Transmission of Sensitive Information)

The Personal Data Controller shall limit the persons handling the transfer and transmission of sensitive information among the personal data to the minimum necessary.

 

Article 5 (Limitation of Personal Data Subject to Transfer and Transmission)

The Personal Data Controller shall limit the personal data to be transferred or transmitted to the scope necessary for business purposes.

 

Article 6 (Verification and Confirmation Procedures at the Time of Transfer and Transmission)

When transferring or transmitting personal data, the Handler of Personal Data must verify and confirm that the transfer or transmission destination is correct and free of discrepancies.

 

Article 7 (Application and Approval Procedures for Work Outside the Regulations for Transport and Transmission)

When transferring or transmitting personal data in a manner other than those stipulated in these Regulations, the Handler of Personal Data must apply to the Personal Data Controller and obtain approval before doing so.

 

Article 8 (Control of Access to Personal Data)

  1. In order to control access to personal data to be transferred or transmitted, the personal data controller shall take the following measures with respect to equipment, recording media, etc. on which personal data to be transferred or transmitted is stored:

(1) Thoroughly manage the IDs and passwords necessary for the transfer and transmission of personal data.

(2) Restrict access by outsiders to spaces where equipment, recording media, etc. containing personal data are stored.

  2. With regard to access control to sensitive information, the personal data controller must assign IDs and passwords so that the information can be transferred or transmitted only by the minimum necessary number of persons authorized to do so, and must thoroughly manage those IDs and passwords.

 

Article 9 (Recording and Analysis of Transport and Transmission Status)

  1. When transferring or transmitting personal data, the Handler of Personal Data shall record the status of the transfer and transmission as necessary and appropriately according to the type and form of the data.
  2. The Personal Data Controller shall check the recorded status as necessary to prevent leakage, etc. of personal data.

 

Article 10 (Restrictions on Transfer and Transmission of Sensitive Information)

The Handler of Personal Data shall not transfer or transmit sensitive information except in the following cases:

(1) When transferring or transmitting sensitive information to the extent necessary for the performance of business based on the consent of the person due to the necessity of ensuring the appropriate business operation of the insurance business

(2) When transferring or transmitting sensitive information to the extent necessary for the performance of insurance claim payment affairs, etc. involving inheritance procedures

(3) When transferring or transmitting sensitive information of employees, etc. regarding membership in or affiliation with political, religious or other organizations or labor unions, to the extent necessary for the performance of insurance premium collection affairs, etc.

(4) In addition to the preceding items, in the cases listed in each item of Article 6, Paragraph 1 of the Financial Services Agency Guidelines

 

Article 11 (Response and Recovery Procedures in the Event of Failure Related to Personal Data)

  1. The Personal Data Controller shall ensure that the Handler regularly backs up the personal data to be transferred or transmitted, and in the event of a failure affecting the transferred or transmitted personal data, the Personal Data Controller shall restore it from the backup data, etc.
  2. The Handler of Personal Data shall appropriately manage the created Backup Data, etc.

 

Article 12 (Identification and Authentication of Users of Personal Data)

The personal data controller shall provide identification and authentication functions for the persons to whom personal data is transferred and transmitted.

 

Article 13 (Setting of Personal Data Management Classification and Access Control)

  1. The personal data controller shall establish a management classification and access control function at the stage of transfer and transmission of personal data.
  2. When setting up the access control function set forth in the preceding paragraph, the personal data controller must set the number of persons handling the transfer and transmission of sensitive information to the minimum number necessary.

 

Article 14 (Management of Access Rights to Personal Data)

  1. The personal data controller shall provide functions relating to access authority at the stage of transfer and transmission of personal data.
  2. When setting the functions related to access authority set forth in the preceding paragraph, the Personal Data Controller shall set the number of persons handling the transfer and transmission of sensitive information to the minimum number necessary.

 

Article 15 (Measures to Prevent Leakage and Damage of Personal Data)

The personal data controller shall take measures to prevent leakage, damage, etc. at the stage of transfer and transmission of personal data.

 

Article 16 (Access Recording and Analysis of Personal Data)

The personal data controller shall acquire access records at the stage of transfer and transmission of personal data, keep them for the necessary period, and analyze them as necessary to prevent leakage, etc. of personal data.

 

  5. Handling rules at the erasure and disposal stage

Article 1 (Purpose)

These regulations stipulate the handling of personal data at the "erasure and disposal" stage among the security management measures for personal data at the agency.

 

Article 2 (Definitions)

  1. "Erasure" means, for example, the deletion of personal data on the medium on which personal data is stored by electronic or other means.
  2. "Disposal" means, for example, the physical disposal of the medium on which personal data is stored.

 

Article 3 (Roles and Responsibilities of the Handler and Limitation of Handlers Regarding Deletion and Disposal)

  1. The person responsible for personal data management must establish the roles and responsibilities of the person handling the deletion and disposal of personal data and make them known throughout the organization.
  2. The Personal Data Controller shall limit the persons who handle personal data so that personal data is erased and destroyed only by those who are necessary for business.

 

Article 4 (Limitation of Handlers Regarding Deletion and Disposal of Sensitive Information)

The Personal Data Manager shall limit the persons who handle the deletion and disposal of sensitive information among the personal data to the minimum necessary.

 

Article 5 (Verification and Confirmation Procedures at the Time of Deletion and Disposal)

  1. When deleting or disposing of personal data, the Handler of Personal Data shall first confirm the retention period of the personal data to be erased or disposed of by checking the Personal Data Management Register, etc., or confirm the reason for the erasure or disposal, and then delete or dispose of the personal data.
  2. When deleting or disposing of personal data, the Handler of Personal Data shall delete or dispose of it in an appropriate manner according to the nature of the equipment, recording medium, etc. on which the data is stored.

 

Article 6 (Application and Approval Procedures for Work Outside the Regulations for Erasure and Disposal)

If the Handler of Personal Data deletes or disposes of Personal Data by any method other than those stipulated in these Regulations, the Handler of Personal Data must apply to the Personal Data Administrator and obtain approval before doing so.

 

Article 7 (Management Procedures for Equipment, Recording Media, etc.)

  1. The Personal Data Manager shall designate the installation location of the equipment, recording media, etc. on which personal data to be erased or disposed of is stored, set their management classification and access authority, and revise these as necessary.
  2. The Handler of Personal Data shall store equipment, recording media, etc. containing personal data appropriately, in accordance with the designations and settings made under the preceding paragraph.

 

Article 8 (Control of Access to Personal Data)

In order to control access to personal data to be erased or disposed of, the Personal Data Manager shall take the following measures with respect to the equipment, recording media, etc. on which such personal data is stored.

(1) Strictly manage the IDs and passwords required to access the personal data.

(2) Restrict access by outsiders to the spaces where equipment, recording media, etc. containing the personal data are stored.

 

Article 9 (Recording and Analysis of Erasure and Disposal Status)

  1. When erasing or disposing of personal data, the Handler of Personal Data must record the status of erasure and disposal as necessary and in a manner appropriate to the type and form of the data.
  2. The Personal Data Manager shall check the recorded status as necessary in order to prevent leakage, etc. of personal data.

 

  1. Handling rules at the stage of responding to leaks, etc.

Article 1 (Purpose)

These regulations stipulate the handling of personal data security management measures at the agency at the stage of responding to personal data leaks, etc.

 

Article 2 (Definitions)

"Leakage Incident, etc." means a case in which personal information is leaked, lost, or damaged, for example through the theft or loss of forms or electronic recording media (USB memory, CD, DVD, etc.) on which personal information is written or recorded, through mail sent to the wrong recipient, or through e-mail or fax transmitted in error.

 

Article 3 (Roles and Responsibilities of Responding Departments and Limitation of Handlers in Response to Leakage Cases, etc.)

  1. The person responsible for personal data management shall designate the department that responds to leakage incidents, etc. (hereinafter referred to as the "response department"), establish its roles and responsibilities, and disseminate them throughout the organization.
  2. The personal data manager of the response department must limit the handlers so that only those who need to do so for business respond to leakage incidents, etc. in each department.

 

Article 4 (Application and Approval Procedures for Out-of-Regulation Work for Response to Leakage Cases, etc.)

If the Handler of Personal Data intends to respond to a Leakage Incident, etc. by a method other than those stipulated in these Regulations, the Handler must apply to the Personal Data Manager and obtain approval before doing so.

 

Article 5 (Investigation Procedures for Impacts of Leakage Cases, etc.)

The personal data manager of the department in which the leakage incident occurred shall, in cooperation with the person responsible for personal data management and the response department, analyze the records of how the leaked personal data was handled and investigate its content and impact, including the quantity and nature of the data, the cause and mode of the incident, and the degree of damage.

Article 6 (Procedures for Consideration of Recurrence Prevention Measures and Follow-up Measures)

The personal data manager of the department in which the leakage incident occurred shall, in consultation with the response department, formulate recurrence prevention measures and follow-up measures based on the analysis of the records of how the leaked personal data was handled, and report them to the person responsible for personal data management.

 

Article 7 (Reporting Procedures)

  1. Upon discovering a leakage incident, etc., the discoverer must take the measures necessary to prevent the leak from spreading further and immediately report it to the response department.
  2. The response department must immediately report the leakage incident to the insurance company.
  3. The personal data manager of the response department must decide, in accordance with the instructions of the insurance company, whether and how to report the incident outside the company (notification to the police, notification to the affected data subjects, and public disclosure of the facts of the incident and the recurrence prevention measures, with a view to preventing secondary damage and avoiding similar incidents).

 

Article 8 (Record and Analysis of Response to Leakage Cases, etc.)

  1. When responding to a leakage incident, etc., the Handler of Personal Data in the response department must record the status of the response as necessary and in a manner appropriate to the type and form of the data.
  2. The personal data manager of the response department shall check the recorded status as necessary in order to prevent leakage, etc. of personal data.

 

 

End.