Topics: The Pharmaceutical Manufacturers Association of Japan (PMAJ) Media Forum was held. The theme was "Trends in the Amendment of the Personal Information Protection Law and the Legislative Policy for Medical Information"


On February 5, 2020, the "Pharmaceutical Manufacturers Association of Japan Media Forum" was held at the Nihonbashi Life Science Hub (Chuo-ku, Tokyo). The theme of the forum was "Trends in the Amendment of the Personal Information Protection Law and the Ideal Legislative Policies for Medical Information," with a lecture by Dr. Masatomo Suzuki, Professor of Niigata University Graduate School of Modern Society and Culture and Faculty of Law. Twenty journalists attended the event. The following is a transcript of Mr. Suzuki's lecture.


Overall Structure and Origin of Personal Information Protection Legislation

The overall structure of Japan's personal information protection legislation is as follows. In the private sector, there is the Act on the Protection of Personal Information (hereinafter referred to as "Personal Information Protection Act"), which covers private companies such as businesses handling personal information. In the public sector, there is the "Act on the Protection of Personal Information Held by Administrative Organs" (hereinafter referred to as "Administrative Organs Personal Information Protection Act"), which covers central government agencies, etc.; the "Act on the Protection of Personal Information Held by Independent Administrative Institutions, etc." (hereinafter referred to as "Independent Administrative Institutions Personal Information Protection Act") for national universities and national university hospitals; and "Personal Information Protection Regulations" for local governments, including prefectural, municipal and regional associations. The so-called "Basic Law," consisting of Chapters 1 to 3 of the Personal Information Protection Law, governs the whole (Figure 1).

Mr. Masatomo Suzuki, Professor, Niigata University Graduate School of Modern Society and Culture and Faculty of Law

Figure 1: Overall Structure of Personal Information Protection Legislation (Law Concerning Protection of Personal Information; private sector and public sector)

Originally, when the national government was not involved in the legislative policy of personal information protection legislation, progressive local governments had studied overseas legislative examples and invited experts to create ordinances. I think it can be said that the personal information protection legislation in Japan was created by local governments.

Later, with the spread of general-purpose computers, major companies, local governments, and the national government began to operate databases using general-purpose computers, and in 1988, the "Act on the Protection of Personal Information Pertaining to Computers" was created for the first time. The dawn of Japan's personal information protection legislation was in the local governments, followed by the national government, which enacted the 1988 law binding only administrative agencies, and the successor to this law is the current Administrative Organs Personal Information Protection Law. Initially, the law was limited to information processed by computers.

In the private sector, each industry group had a history of handling personal information under the guidance of the ministry and with industry guidelines. For a long time, the era of self-regulation continued. However, in 1999, when the bill to revise the Basic Resident Registration Law with the aim of introducing the Basic Resident Registration Network System (hereinafter referred to as "Juki Net") was submitted to the Diet, the three parties in the ruling coalition of the then Liberal Democratic Party, New Komeito, and Liberal Party agreed to create the Personal Information Protection Law. This was because it was necessary to respond to criticism from the public. At the time, Kasumigaseki's position was that a comprehensive general law would cause problems of overreaction in the utilization of information, and that guideline administration would be sufficient. I was also a member of an industry organization at the time, and I expressed the opinion that self-regulation was sufficient. The opinion of Kasumigaseki and the industry was dismissed before the political decision was made to include Juki Net, and a bill was hastily drafted to pass the Personal Information Protection Law as well as the revised Basic Resident Registration Law in 1999.

However, the bill was then criticized by the Newspaper Publishers Association, the Pen Club, and others as a media regulation law, and was twice continued for further discussion, and finally scrapped the third time. In 2003, the Personal Information Protection Law, which regulates the private sector, was first enacted.

Later, when the My Number system was introduced, it was decided that a third-party organization should be established in accordance with the intent of the Supreme Court's constitutional ruling in the Juki Net lawsuit, Juki Net also being a common number system, and the "Specified Personal Information Protection Commission" was established as an independent administrative commission under the Number Law. This was amended in 2015 (Heisei 27) to change the existing competent ministerial system and expand the authority so that the Personal Information Protection Law in the private sector is under the jurisdiction of the Personal Information Protection Commission, and this has continued to this day. Currently, a study is underway to integrate into the Personal Information Protection Commission the public-sector authority under the Act on the Protection of Personal Information of Administrative Organs and the Act on the Protection of Personal Information of Independent Administrative Agencies, which are under the jurisdiction of the Ministry of Internal Affairs and Communications, and to harmonize the rules as well. It appears that the policy is to integrate the two. Hearings are currently being held with local governments to determine whether or not the personal information protection ordinances of local governments should also be taken over by the law.

2,000 Privacy Law Issues

In the past, the competent ministerial system was used, with the Minister of Economy, Trade and Industry (METI) supervising and enforcing the Personal Information Protection Law in the areas under METI jurisdiction, the Minister of Internal Affairs and Communications (MIC) supervising the areas under MIC jurisdiction, and the Minister of Health, Labour and Welfare (MHLW) supervising the medical field. However, because the Personal Information Protection Law was interpreted by a stove-piped government, the criteria for determining what counts as personal information actually differed. Only the MHLW had a special interpretation. It adopted the recipient of the information as the criterion and had a special interpretation called "linkable anonymization" to meet the needs of the medical field. However, this is not how it normally works. Government interpretation must be one law, one interpretation. This problem was resolved in the 2015 amendment, when the authority was centralized in the Personal Information Protection Commission.

What remains is the "2,000 Personal Data Protection Laws Problem" ("the 2,000 Problem"), which I have been advocating for the past 10 years. The "2,000-piece problem" refers to the harmful effects of having 2,000 rules and 200 separate authorities. This is based on the historical background that Japan's personal information protection legislation has been nurtured through the efforts of local governments, starting with Kasuga City in Fukuoka Prefecture, and that Article 5 of the Personal Information Protection Law allows each municipality to handle personal information according to the characteristics of its area. It is a consequence of the fact that the basic specifications of the system were designed in such a way. This adverse effect has become more pronounced in the process of responding to wide-area disasters and in the transition to a data-based society.

To count the 2,000, there are first three laws: the "Personal Information Protection Law," the "Law for Protection of Personal Information of Administrative Organs," and the "Law for Protection of Personal Information of Independent Administrative Agencies, etc." Next, as of 2010, there are 1,912 "personal information protection ordinances" of ordinary local public entities (47 prefectures, 1,727 municipalities, and 23 special wards). In addition, there are nearly 100 "personal information protection ordinances" of special local public entities (wide-area federations and partial administrative unions), which together total more than 2,000 (Figure 2). Some people often say that these ordinances are largely the same because they are imitations of the "Act on the Protection of Personal Information Held by Administrative Organs," but there is considerable variation. There are more than 10 different definitions of personal information. In some municipalities genome information is personal information, while in others it is not. Some may say that since 90-50% of hospitals are private hospitals, the "Personal Information Protection Law" is applied to 90-plus% of them, so there is no problem. However, rare diseases and intractable diseases are basically treated by national and public university hospitals and municipal hospitals, so the issue cannot be discussed simply in terms of numbers and percentages. I think that the problem of disparate applicable laws among hospitals is quite serious, and if we escape from it by using the guidelines of the Ministry of Health, Labor and Welfare, etc., we will probably have to go back to the drawing board. Clearly, this will continue to be an obstacle to informatization in the future.

Figure 2: Personal Information Protection Law in the Medical Field: Examples of Application of Laws and Ordinances (entity: applicable law or ordinance; competent authority)
Ministry of Health, Labour and Welfare: Act on the Protection of Personal Information of Administrative Organs; Ministry of Internal Affairs and Communications
National Hospital Organization Iwate Hospital: Act on the Protection of Personal Information of Independent Administrative Institutions; Ministry of Internal Affairs and Communications
Iwate Prefectural Hospital: Iwate Prefecture Personal Information Protection Ordinance; Iwate Prefecture
Local Independent Administrative Institution Miyagi Hospital Organization: Miyagi Prefecture Personal Information Protection Ordinance; Miyagi Prefecture
etc.

Looking at hospitals, we can see the reality of the "2,000-piece problem." Different laws, competent ministries, etc. apply to different entities that handle personal information, and this is one of the causes that hinder the coordination of medical record and receipt information databases, emergency responses, etc. In other words, the government agencies that should promptly instruct and notify hospitals that are confused about the handling of medical information and about media response in emergency situations in which patients are brought to the hospital are separated from one another, which is a result of the adverse effects of stove-piped administration in the Personal Information Protection Law system. This is a problem even in the case of wide-area disasters that cross municipal boundaries.

Professor Tetsutaro Uehara of Ritsumeikan University's Faculty of Information Science and Engineering investigated the "2,000-piece problem." First of all, we can see that the definitions of personal information differ widely even when limited to the 67 ordinances of the 47 prefectures and 20 ordinance-designated cities (Figures 3 and 4).

Figure 3: Differences in definitions of "personal information" (47 prefectures)
Figure 4: Differences in definitions of "personal information" (20 government-designated cities)

Differences in the wording of the definitions, as well as differences in interpretation of the criteria for determining the applicability of personal information, etc., mean that, for example, while at private hospitals certain genomic information alone is considered personal information under the Personal Information Protection Law, there are public hospitals where it does not fall under the category of personal information. I think the reason why this has not been a problem until now is that the Ministry of Health, Labor, and Welfare's guidelines, guidance, and other bulletins and notifications have, so to speak, overridden the ordinances, and many hospital personnel have been operating mainly based on the notifications without looking at the ordinances. In other words, lower-level rules violate higher-level rules. This is not how a nation governed by the rule of law works, and yet we have managed to get by. However, the organizations that had a well-developed legal function were facing more problems than those that did not.

This is where the EU's General Data Protection Regulation (GDPR) comes in. In an era when medical and drug discovery data, including rare disease and genomic data, must be distributed globally, Japan's domestic legislation and its operational reality, which clearly do not provide the same level of protection as the EU, cannot meet the EU's adequacy requirements, and data exchange is always at risk of being stopped. Recently, the long-sought mutual recognition of adequacy has been achieved, but only for the private sector. For the public sector, which is regulated by the Act on the Protection of Personal Information of Administrative Organs, the Act on the Protection of Personal Information of Independent Administrative Institutions, etc. and the Ordinance on the Protection of Personal Information, data exchange with the EU remains a serious concern. The National Cancer Center, national university hospitals, public university hospitals and other municipal hospitals are left out. Private hospitals and private universities and their affiliated hospitals are not a problem because they are in the private sector. This is the difference even though they are the same research institutions and the same hospitals.

Research institutes and the pharmaceutical industry will not be able to move forward if they are unable to collect genome data from around the world, conduct research and development of genomic drug discovery, and expand their business globally under these conditions. Relocation of R&D centers to the EU is also an issue to be considered.

The majority of current ordinances have clauses that prohibit online linkage. Japan has introduced the My Number system in an effort to promote e-government, but this is only for the national government, and the basic philosophy of the ordinances is that connecting and networking computers with the outside world is dangerous. So the common number is also anathema. It is true that it may be safer and less risky to operate each system as a stand-alone system, strictly adhering to security standards such as control of entry to and exit from the computer center, and avoiding the common number system by using independent identifiers for each database.

However, as long as there are as many as 2,000 different personal information protection ordinances based on such a concept, it is only natural that the transition to a data society, including e-government, will not progress smoothly.

The exceptions are also scattered (Figures 5 and 6). Not only are the rules scattered, but even in the aftermath of 3.11, there were only two cases in which an exception was applied and personal information was provided to the government: Iwate Prefecture and Minamisoma City in Fukushima Prefecture. In the chaos of a disaster, it would have been impossible to make a decision based on the exception clause, even if it existed. I think it would be more reasonable to unify the rules by law, integrate the authority into the Personal Information Protection Commission, and notify the government of its interpretation in a timely manner.

Figure 5: Restrictions on computer processing and online processing (47 prefectures)
Figure 6: Restrictions on computer processing and online processing (20 government-designated cities)

In fact, there are exemptions to the Personal Information Protection Law for academic research purposes, political purposes, and religious purposes, in addition to journalistic purposes. In medical drug discovery, the exemption clause for academic research purposes is very important. If the purpose of use is limited to academic research, personal information can be handled under self-regulation, without the consent of the individual and without the application of the mandatory rules for businesses handling personal information, based on the judgment of the head of each organization in light of the opinions of the organization's ethics committee and other factors. However, there are 13 prefectures that have not established exemptions for academic research purposes, because of the 2000 separate rules and authorities mentioned earlier as the "2000-piece problem." Because of the "2,000-piece problem," the rules for handling personal information differ among national universities, public universities, and private universities, as well as hospitals, and this has become an obstacle to the development of academic research in Japan.

From "Medical Big Data Policy" to "Medical Quality Data Policy"

Now, 35 years from now, in 2055, the total population of Japan is estimated to be 88 million. If the current standard of living is to be maintained, next-generation industries with higher added value must be established. Let us consider what the pharmaceutical industry should do at that time.

What has been promoted in the past is the "Medical Big Data Policy." The aim of this policy is to collect and analyze a large amount of "anonymized processed information" across the medical and related fields to obtain mainly correlational knowledge. The target information is public and private medical information and related information, and the correlation between them will be explored. The method is to protect the identity of the person by anonymization and to promote the utilization of the information. In order to do this, it is necessary to solve the "2,000-piece problem" mentioned earlier. Unless this issue is resolved, the medical big data policy will not flourish.

Next, the "medical quality data policy" should be promoted. This policy aims to collect and analyze accurate "processed medical pseudonym information" in the medical field, mainly to obtain causal knowledge. In order to obtain causal findings, it is necessary to obtain accurate information. However, we believe that the target information should be limited to public and private medical information. The method is to promote the protection and utilization of the person by means of medical pseudonymization (Pseudonymisation). Although the legal systems of Japan, the U.S., and Europe differ, it is possible to overcome the differences in legal systems and harmonize the conceptual arrangement of target information. The foundation should be created so that the same concepts of anonymity and pseudonyms can be used in the EU and the US, and databases in Japan, the US, and Europe should be linked, including data on rare diseases, etc. Special laws can be enacted to limit the scope to medical information. I would like to propose that this be enacted, for example, as the "Medical Pseudonymization and Processing Information Act" (Fig. 7).

Figure 7: From Medical Big Data Policy to Medical Quality Data Policy (panel text: Medical Big Data; aim: collect and analyze large volumes of anonymized processed information across medical and related fields to obtain mainly correlational knowledge; target information: public medical information and related information (healthcare, etc.); GDPR: corresponds to Paragraph 26 of the Preamble)

The reason why a "Medical Quality Data Policy" is necessary is that there is a limit to the utilization of medical personal information in the form of "anonymized processed information" and other non-personal information. For example, image information such as brain scan data, x-rays, and organ photos is pseudonymized information in the sense that it has a one-to-one relationship with the person concerned, even if names, etc., are deleted. Strictly speaking, the evaluation of whether this image information is personal information may vary from municipality to municipality. In order to make such image information anonymous, mosaic processing, for example, would have to be performed on the image, but this would make it medically meaningless information. Therefore, the concept of "linkable anonymization" has been adopted in the past to allow the provision of this type of image information to third parties without the consent of the person concerned, or to make it public at academic conferences and the like. There is a contradiction in this concept. If the information is linkable, it cannot be said to be anonymized, because it is nothing but personal information.

If a medical ID is introduced, the medical ID itself becomes personal information. All medical information will be evaluated as personal information. It is necessary to create a special law on pseudonymized information limited to the field of medicine, etc., and open the way to use pseudonymized information (personal data). In order to ensure the traceability and portability of medical data, as well as the right of erasure, it must be personal data because specific individuals must be identifiable. Therefore, medical data should always be systematically structured to be searchable as personal data.

So what exactly should the law be?

The subject should be governed by a certification system, limited to physicians and designated researchers as qualified persons. The target should be limited by law to specific medical databases designated by the MHLW. It is not that anything is acceptable; the subject and the target should both be limited. Target information should be "medical pseudonymized information," and since the concept of pseudonymized information will be introduced in the 2020 amendment, a special medical version of the law can be created.

Next, the purpose of use should be specified as legal use. Under the current Personal Information Protection Law, users are free to specify the purpose of use, but under the special law, the purpose of use will be limited by law to (1) academic research and public health, (2) treatment of the individual, and (3) drug discovery. Data transfer will use encryption measures designated by the Personal Information Protection Commission, and the processing facility will be designated by the Ministry of Health, Labor and Welfare as a specified safeguard business site. Individual data (medical pseudonymization information) will be erased after ensuring academic verifiability. Audits by an organization designated by the Personal Information Protection Commission will also be included.

Measures include suspension or revocation of medical license and suspension of eligibility for this process in case of violation. The penalty is direct punishment (imprisonment) in accordance with the Medical Practitioners Act. The effect is that data can be collected and analyzed, which can be provided to third parties without the consent of the individual through medical pseudonym processing.

In other words, we are of the opinion that, after strictly binding the rules, accurate data on each person should be able to be handled in large quantities as pseudonym-processed information without harming the rights and interests of the person. If this could be achieved, it would dramatically improve the accuracy of image diagnosis by AI, and would also lead to early detection and early treatment of diseases, thereby contributing to reducing the rise in total medical costs.

The case of unauthorized provision of name-registered Suica history data

I would like to look back on the "Unauthorized Provision of Registered Suica Historical Data Case" (hereinafter referred to as the "Suica Case") because I believe that understanding the Suica Case will help us understand one of the key points of the revision of the Personal Information Protection Law in 2020. To conclude first, this is a good case study for understanding the proposed amendment to the Personal Information Protection Law concerning pseudonymized information. In short, what is personal information? "Anonymized processed information," which is a kind of non-personal information, questioned the concept of personal information from the reverse side, so to speak. This case taught us what a pseudonym is, which is positioned in the middle of the two, so to speak. Unfortunately, at the time of the case seven years ago, our proposal was widely criticized by many lawyers who handle information law, people in legal departments of IT companies, and people in the business world as a privacy fundamentalist opinion that would hinder big data business and lacked consideration for the usefulness of personal information. The majority of media coverage was not based on legal issues, but rather on the understanding that the issue was a failure to respond to consumer concerns. In short, there was no concept of pseudonyms in Japan. In short, the concept of personal information was never clarified.

The facts of this case are as follows: JR East provided Hitachi, Ltd. (Hitachi) with processed Suica data, which Hitachi then analyzed and sold as statistical information in the form of station usage analysis reports. However, it was later discovered that JR East had handed over the Suica data in the form of what is known today as pseudonymized information, and this became a social problem.

JR East had established an internal information business center, erected barriers within the company, and sold the data to Hitachi as normal data with the understanding that the data had been anonymized and made non-personal in their view, without the consent of the individual or opt-out procedures.

The issue here is the regular Suica that records the user's name, furigana, phone number, and gender, which is called a "Registered Suica." The problem was that this was still personal data, even though it had been processed in a certain way. The database contains Suica ID, user name, phone number, date of birth, gender code, and boarding/exit history data. The boarding/exiting history contains entry and exit information (station number, gate number, year, month, date, minute, and second, respectively) and the amount of money spent on the train. The database also records purchase history (merchandise sales information) at kiosks, etc.

When this Suica database was provided to the in-house business center, the name, furigana, and telephone number were deleted, and the date of birth was removed. Furthermore, when the business center provided the Suica database to Hitachi for sales, the Suica ID was replaced with another number generated irreversibly using a hash function so that the Suica ID could not be matched with the original data (the provider's database), and this number was changed each time it was provided. Since JR East had done so much processing, Hitachi believed that the data could not be easily matched with the original data, and that it could not be used to identify a specific individual.

However, JR East insisted that this data was still personal data. This is because if the original data and the data for provision are matched at JR East, the individual can be easily identified. In other words, in addition to the date of birth, the data for provision includes the boarding and alighting history. The data includes the station number and gate number of the boarding and alighting station, and the time of passing through the gate is recorded in seconds, making the data unique and individualized. Since the same history data is also available in the provider's database, it is easy to check the history part of the data against the original data. Naturally, it is possible to know whose data it is by looking at the contents of the original data.

In short, only the head part of the Suica ID is anonymized, and the body part of the history data is output as raw data. There may be many similar databases, but in general, the more historical data is accumulated, the more individualized it becomes, and eventually, the more unique it becomes. Even if names, etc., are deleted, the historical data itself will form a distinctiveness.
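The point above can be checked before a dataset leaves the provider. The following is an added example, not code from the lecture or from either company: it models the processing described (the ID replaced by a hash that changes with each provision, history left intact) and measures how many released pseudonyms the holder of the original data can still single out from the history rows alone. All card IDs, station and gate numbers, timestamps, salts and function names are constructed for illustration, and salted SHA-256 stands in for the unspecified hash function.

```python
import hashlib
from collections import defaultdict

# Constructed source rows held by the provider: (card_id, station, gate, timestamp).
SOURCE = [
    ("card-A", "S01", 3, "2013-07-01T08:15:42"),
    ("card-A", "S07", 1, "2013-07-01T08:41:10"),
    ("card-B", "S01", 5, "2013-07-01T08:15:57"),
    ("card-B", "S07", 2, "2013-07-01T08:42:03"),
    ("card-C", "S01", 2, "2013-07-01T08:20:11"),
    ("card-C", "S09", 1, "2013-07-01T08:55:30"),
    ("card-D", "S02", 1, "2013-07-01T09:05:00"),
]


def pseudonymize(rows, salt):
    """Replace the card ID with a salted hash; the history fields are untouched.

    A fresh salt per provision gives a different pseudonym each time, which
    models "this number was changed each time it was provided".
    """
    out = []
    for card_id, station, gate, ts in rows:
        pid = hashlib.sha256(salt + card_id.encode()).hexdigest()[:16]
        out.append((pid, station, gate, ts))
    return out


def exact(station, gate, ts):
    """History as released in the case: gate number and time to the second."""
    return (station, gate, ts)


def coarse(station, gate, ts):
    """A generalized release: gate dropped, time truncated to the hour."""
    return (station, ts[:13])


def linkable_fraction(source, released, generalize):
    """Share of released pseudonyms that match exactly one source card.

    Each released row narrows the set of source cards with the same
    (generalized) history row; a pseudonym whose rows intersect down to a
    single card is in a one-to-one relationship with a person.
    """
    holders = defaultdict(set)
    for card_id, *history in source:
        holders[generalize(*history)].add(card_id)

    candidates = {}
    for pid, *history in released:
        matches = holders.get(generalize(*history), set())
        candidates[pid] = matches if pid not in candidates else candidates[pid] & matches

    singled_out = sum(1 for cards in candidates.values() if len(cards) == 1)
    return singled_out / len(candidates)


if __name__ == "__main__":
    first = pseudonymize(SOURCE, b"provision-1")
    second = pseudonymize(SOURCE, b"provision-2")
    print("pseudonyms shared between provisions:",
          len({r[0] for r in first} & {r[0] for r in second}))
    print("linkable, second-level history:", linkable_fraction(SOURCE, first, exact))
    print("linkable, hour-level history:  ", linkable_fraction(SOURCE, first, coarse))
```

Rotating the hash removes every shared identifier between provisions, yet all pseudonyms stay linkable through the second-level history; truncating to the hour lowers the figure, but cards with a distinctive sequence of stations are still singled out as history accumulates.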

There must be a one-to-one relationship between the actual person and the data or record concerned, which is the basic premise of being personal information and the principle point for determining personal information nature.

In the proposal to introduce "medical pseudonymized information," we are proposing strict regulation precisely because "medical pseudonymized information" remains personal information. It is more useful than anonymized information in that it can be traced back to the person in question, and in that it does not need to be rounded, so accuracy is maintained.

Rikunabi case

The following is an overview of the "Rikunabi Incident." Company B (34 Rikunabi contracted companies), which conducts recruitment activities, passes information collected from students to Company A (Recruit) in the form of cookies and IDs, with names, addresses, etc. deleted. Company B holds the names and addresses that correspond to the applicant IDs, so it is easy to match the two companies' data.

Although Company A initially explained that the cookie was not personal information, Company B was able to match the predicted job offer rejection score with the evaluation of the job hunter in front of them.

The reason why Company A initially claimed that the cookie was not personal information was that Company A and Company B were two different companies, and each could judge independently of the other whether the cookie was personal information. In reality, the two companies were working together to estimate the predicted score for declining job offers, and the company conducting the recruitment activities (Company B) should have been the controller responsible for the entire operation, and Recruit should have been the contracted processor.

The technical problem was that both Company A and Company B were configured as Controllers. Company B, as the Controller, should have evaluated the applicability of personal information in an integrated manner, including Company A, and specified the purpose of use, which should have been clearly indicated to job hunters.

In reality, Company A clearly indicated the purpose of use A and Company B clearly indicated the purpose of use B to the job hunters. Even if the job hunters were shown the separate purposes of use, they could not understand the whole picture of the two companies working together to score the predicted decline rate of job offers while having their browsing history and other information evaluated, and the possibility of their scores being used for recruiting purposes. Even if they were shown the partial purpose of use, there was no way for the individual to know that the site browsing history was being used to predict the decline of job offers. It should be said that the assessment that the Personal Information Protection Law was violated was almost inevitable.

(Ikuko Kakuta, Communications Promotion Subcommittee, Public Relations Committee)
