Japan: PPC issues administrative guidance to NTT Docomo and NTT Nexia on data security measures
On February 15, 2024, the Personal Information Protection Commission (PPC) announced that it had issued administrative guidance to NTT Docomo Inc. and NTT Nexia Inc. regarding their compliance with the data security requirements under Article 23 of the Act on the Protection of Personal Information (APPI).
Background to the guidance
The PPC noted that Docomo had outsourced customer information management services to Nexia. According to the PPC, in March 2023 a former Nexia employee accessed a cloud service using a PC used to manage customer information and uploaded the personal data of approximately 5.96 million people to the cloud service, leading to a data leak.
Findings of the PPC
The PPC found that Docomo violated Article 23 of the APPI by failing to implement appropriate physical, technical, and organizational security measures to prevent the leakage of personal data. Additionally, the PPC determined that Docomo had violated Article 25 of the APPI by failing to adequately supervise Nexia, to which it had outsourced data processing activities.
Finally, Nexia was found to have violated Article 23 of the APPI for failing to implement organizational security measures to prevent data leakage and failing to train employees on proper data handling practices.
Outcomes
Further to the above, the PPC instructed the companies to implement appropriate security measures to prevent the leakage of personal data and to train employees on how to safely handle personal data.
The PPC noted that the companies have until March 15, 2024, to provide an update on the status of their implementation of the remedial measures.
You can read the guidance, only available in Japanese, here.