JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto
Special care-required personal information is defined as personal information comprising a data principal's race, creed, social status, medical history, criminal record, the fact of having been a victim of a crime, or other descriptions that may be prescribed by a cabinet order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

2.4 State Responsibilities and Obligations

Governmental authorities that have specific jurisdiction over some of the 15 critical information infrastructure sectors have issued specific guidelines, described below, concerning cybersecurity. For the healthcare industry, see 6.3 Cybersecurity in the Healthcare Sector. For the financial industry, see 3. Financial Sector Operational Resilience Regulation.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued:

• the Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
• the Safety Guidelines for Securing Information Security in the Airport Sector for airport services;
• the Safety Guidelines for Ensuring Information Security for Railway Operators for railway services; and
• the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

The MLIT also issues information security countermeasure checklists for railway service, bus service, bus terminals, taxis, hotels, ferries, and airports and airport buildings.

The MHLW issued the Information Security Guidelines for the Water Sector for water services.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, etc. (the "Comprehensive Guidelines for SMB"), which mention cybersecurity obligations, referring to the Guidelines for Cyber Security in Finance Sector (the "Guidelines for CSFS"). The Comprehensive Guidelines for SMB further include measures regarding operational resilience. Operational resilience refers to the ability of financial institutions to continue to maintain the minimum level of their critical operations even in the event of a system failure, terrorist attack, cyber-attack, infectious disease, natural disaster or other event. The Comprehensive Guidelines for SMB specify the actions to be taken by the board of directors and the regulations of the authorities to achieve operational resilience.

3.2 ICT Service Provider Contractual Requirements

Not limited to the financial sector, when a handling operator entrusts personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25 of the APPI). Handling operators shall supervise the entrustees to ensure that the same levels of security control are taken as those imposed on the operators under the APPI.