Japan: PPC issues administrative guidance to Fujitsu Japan on incorrect issuance of residence certificates at convenience stores
On September 20, 2023, the Personal Information Protection Commission (PPC) announced that it had issued administrative guidance to Fujitsu Japan Limited, and local authorities in relation to the incorrect issuance of residence certificates at convenience stores.
Background to the guidance
The PPC noted that there was a data leakage of retained personal information at local authorities that were using Fujitsu Japan to carry out certification issuance work.
Findings of the PPC
The PPC concluded that the data leakage occurred due to a defective program. In particular, the PPC explained that the error occurred owing to unnecessary processing within the system among other things, which were not detected in testing and development. The PPC explained that each local authority was obliged to take security control measures in relation to the delivery of work for the handling of personal data when outsourcing the same and to carry out adequate supervision.
Notably, the PPC confirmed that Fujitsu Japan is a personal information controller entrusted by the applicable cities to handle personal information, and failed to take the necessary and appropriate security control measures to prevent the incorrect issuance of certificates.
Further to the above, the PPC noted that Fujitsu Japan should adopt appropriate technical security control measures to prevent the incorrect issuance of certificates in connection with the utilized system and share past failures and other appropriate measures. Furthermore, the PPC ordered Fujitsu Japan to provide a report on the implementation of the administrative response by October 31, 2023, with relevant documents.
In regard to the local authorities, the PPC explained that they should:
- ensure that the same security control measures are taken when staff issue certificates at their own counter;
- conduct checks to ensure that no documents have been issued;
- train and educate staff on the proper handling of information; and
- supervise contractors as necessary and appropriate.
You can read the guidance, only available in Japanese, here.