Employee Data Privacy

Japan - Employee Consent


Do I have to obtain employees' consent in order to collect their personal data?


The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.


In Japan, the Amended Act on the Protection of Personal Information (2016) regulates the processing of personal data. Under Article 2.1 of the Act, “personal information” is defined as any information which relates to a living individual and:

  • can identify the individual from that information or,
  • can identify the individual from that information with easy reference to other information (such as public records).

When companies handle or acquire personal information, the purpose must be restricted to a specific utilization. That purpose must be clearly disclosed to the individuals whose data is being collected or to the public (whichever is appropriate) unless it’s been previously announced. Individuals can be informed through a privacy policy, notice on the company’s website or via another method. When personal information will be used for a new purpose, employers should obtain consent in advance of using the data for the new purpose.


According to the Act, companies must obtain explicit consent when collecting “special care-required personal information” (i.e., sensitive personal data). This includes data on an individual’s:

  • race;
  • creed;
  • social status;
  • medical history (which includes employee medical records and files);
  • criminal record;
  • fact of having suffered damage by a crime;
  • other information (as prescribed by cabinet order) where processing requires special care so as not to cause unfair discrimination, prejudice or other disadvantages (including mental/physical disorders, health examination results, and criminal procedures).

Consent for special care-required personal information is exempted in certain circumstances such as when the data is required based on other laws and regulations.

When transferring data to or from a third party, businesses generally have additional recordkeeping obligations relating to the data transfer (including retaining the name/appellation of the recipients of the data, the date of transmission, etc.). These records must be kept for a time prescribed by the PIPC, generally three years.


HR Best Practices: When collecting personal information in the context of HR, commit to properly informing employees, documenting legal rationales for data collection and making corrections/deletions when requested. Obtain informed consent prior to processing special care-required personal information. If you have a new use for previously collected HR data, request consent before processing the information in a new way.


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
