Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
In Japan, there are no mandatory requirements to report data breaches except for My Number data. Generally, it’s recommended to report breaches to the Personal Information Protection Commission (PIPC) where there may be a personal data breach, unless the potential breach:
- is unlikely to result in a risk to the data subjects (for example, when the personal data has been encrypted); or
- is insignificant (for example, when an email was sent to the wrong person and does not contain personal information beyond the addressee).
Reports to the PIPC should include the details of the personal data breach and the measures that have been taken or are proposed to address the breach. In addition, data subjects should be notified of the breach depending on the sensitivity of the data and scale of the breach. When there is a significant breach of My Number data (such as leaking more than 100 My Numbers or when an employee intentionally misuses the data), the employer must report the breach to the PIPC.
Data breach notification requirements will change once the 2020 Revisions to the 2016 Amended Act on the Protection of Personal Information go into effect (currently anticipated in spring 2022). Under the new requirements, a data breach report to the authority and to data subjects will be required. Further details are expected to be outlined under applicable guidelines.
HR Best Practices: Make sure to follow any security and data protection controls outlined in your company’s security policies. Notifications to the Personal Information Protection Commission and impacted individuals are recommended, depending on the nature of the breach.