12.3.8 Protection of Personal Information
The University’s rules of personal information management, as prescribed by the following paragraphs, are intended to ensure that personal information will be appropriately protected.
18.104.22.168 Scope of This Policy. This policy is applied to personal information contained by Corporate Documents, defined by 12.8.2.
22.214.171.124 General Policy. The University will use and hold personal information only when it is necessary for carrying out its businesses and for achieving its missions. Any proposed or intended University use of personal information must be specifically explained to the extent possible at the time of retention.
126.96.36.199 Handling of Personal Information
188.8.131.52.1 Access to personal information. Employees who may have access to personal information must be designated by the department heads and shall be limited in number to the minimum staff necessary. Even designated individuals may access such information only for stated business purposes. Unauthorized access to personal information is strictly prohibited.
184.108.40.206.2 Copy and Distribution. The following actions related to personal information require a prior approval by the department head.
- Distribution (electronically and physically)
- Bringing out media containing personal information
- Other actions which could impede the proper management of personal information
220.127.116.11.3 Errors. Errors in personal information should be corrected promptly upon instruction by the department head.
18.104.22.168.4 Store. Any media containing personal information must be stored at the location designated by the department head and, when deemed necessary, stored in a locked and fireproof safe. (Refer to 22.214.171.124 for electronic records.)
126.96.36.199.5 Disposal. When personal information, or media (including those built in a server or terminal) containing personal information, is no longer needed, the department head must instruct the staff (who have been designated by the department head to be responsible for the said information or media) to delete relevant information and/or destroy relevant media in a manner which makes impossible the restoration or deciphering of the personal information.
188.8.131.52.6 Recording. The status of use and hold of personal information within each department must be recorded in writing in a systematic way by the department head.
184.108.40.206.1 Business operations in which personal information is handled must not be outsourced to a party lacking the capacity to appropriately manage personal information. When outsourcing such business operations in which personal information is handled, the departments in charge must take all necessary measures, such as confirming the management structure, etc., to avoid selection of inappropriate or incompetent parties to manage personal information.
Any contracts for outsourcing shall be made in accordance with the guideline provided by the VPAC. Especially, any contracts for outsourcing all of or part of operations related to the handling of Specified Persona l Information shall be made in accordance with the “OIST Regulations on Handling Individual Numbers and Specific Personal Information ” The Procurement Section is responsible for ensuring that any contracts meet the guideline.
220.127.116.11.2 Any contracts for staff from agencies providing temporary staff must include explicit provisions regarding management and handling of personal information, including confidentiality obligations.
18.104.22.168 IT System and Server Room Security
Most personal information at the University is prepared and held as electronic records. The Chief Information Officer (CIO), in cooperation with the VPAC, is responsible for ensuring the appropriate protection of personal information in electronic records.
The CIO must take necessary actions in accordance with the guideline published by the government [link: TBD]. Such actions include the following:
- Establish internal guidelines for the management of passwords
- Record access to personal information and store such records
- Prevent unauthorized external access to personal information
- Prevent the unauthorized disclosure and destruction of personal information by infection of IT system by computer virus
- Access management of the server room
For additional security matters regarding IT, refer to Chapter 17, Information Technology and Security.
22.214.171.124 Unauthorized Disclosure
126.96.36.199.1 Any person who is aware of unauthorized disclosure of personal information or other security problems related to personal information must immediately report to the department head (and the CIO if the issue is related to IT).
188.8.131.52.2 Department heads are responsible for taking all necessary measures to prevent any harm/damage from an unauthorized disclosure and for making a report on the incident to the VPAC.
184.108.40.206.3 The VPAC is responsible for making a report to the President and analyzing the factors resulting in the incident and take necessary measures to prevent further recurrence in collaboration with the CIO and other relevant employees.
220.127.116.11.4 Unauthorized disclosures must be made public if warranted by an examination of the nature and impact of the incident, the measures implemented to prevent reoccurrence, and responses to persons whose personal information was involved.
The Personal Information Protection Act confers a right of access to personal information so that individuals can find out what personal information the University holds about them and check that it is accurate, up to date, and relevant to a function of the University.
All requests for disclosure, correction, and suspension of use are received and processed in accordance with the applicable provisions of the Act.
18.104.22.168.1 The VPAC’s office is responsible for handling any requests regarding personal information in close cooperation with Legal Counsel. The requests are handled based on the same procedure specified for the information disclosure requests.
22.214.171.124. Handling of Specific Persona l Information
Handlings of Specific Personal Information are stipulated in “OIST Regulations on Handling Individual Numbers and Specific Personal Information”