Portal field news


Facebook's policy is not to notify users after a data leak affecting more than 500 million people

Summary

Facebook settled with the US Federal Trade Commission (FTC) in July 2019 over deficiencies in its protection of personal information. As part of that settlement, the company is obligated, whenever the information of 500 or more users is leaked through unauthorized access, to report the details to the FTC within 30 days of confirming the incident.
 

[Reuters] – Facebook, the major US social networking service (SNS), has in the past had the data of ... users leaked → Continue reading

Source: Reuters


Related Wikipedia entry

personal information

Personal information (個人情報, kojin jōhō) is information about a particular living individual which makes it possible to identify that specific individual through the descriptions it contains. In English it is called personally identifiable information (PII) or sensitive personal information (SPI),[1][2][3] or, more generally, personal data.

Definition

In Special Publication 800-122, one of the SP 800 series of computer security guidelines issued by the National Institute of Standards and Technology (NIST),[4] personal information (PII) is defined as follows:

Any information about an individual maintained by an agency, including:
1. Any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and
2. Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. — NIST SP 800-122

The EU General Data Protection Regulation defines it as follows:

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. — GDPR Article 4(1)

Japan's Act on the Protection of Personal Information defines it as follows:

The term "personal information" as used in this Act means information relating to a living individual which falls under any of the following items:

(i) Information containing a name, date of birth or other descriptions (meaning any matter (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or any other method in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic form (meaning an electronic, magnetic or other form that cannot be recognized by human perception; the same applies in item (ii) of the following paragraph); the same applies in paragraph (2) of the following Article)) whereby a specific individual can be identified (including information which can be readily collated with other information and thereby identify a specific individual);

(ii) Information containing an individual identification code. — Act on the Protection of Personal Information, Article 2

Items that may reveal "who" someone is, such as name, age, sex, address, telephone number, e-mail address, social media connections, school name, bank account or credit card number, are not by themselves the personal information; it is the whole body of information containing such items that constitutes personal information.

JIS Q 15001:2006 (clause 3.1) gives, apart from a parenthetical remark, almost the same definition as the Act on the Protection of Personal Information, but unlike the Act, JIS Q 15001 does not restrict personal information to living individuals, so data on deceased persons is also personal information.[5]

Under all of the definitions above, personal information includes descriptions that, even if they cannot identify the individual on their own, make identification possible when combined with other information.

When the Act was revised in 2015 and the "individual identification code" was added to its text, Keidanren argued that "a mobile phone number can be changed on the same day if the user requests it and can be reused by another user, so it cannot be said to identify an individual",[6] and Shinkeiren argued that "in the first place, an individual cannot be identified by letters or numbers alone; the definition of the code shown in (2) of the revised Act is in fact an empty set (no code falls under it)".[6] Both groups maintained that mobile phone numbers are not personal information. In response to these arguments from the business community, including both groups, the revision settled on inserting wording such as "specific" (Article 2, paragraph 2, item 1) and "capable of identifying a specific user, purchaser or recipient" (Article 2, paragraph 2, item 2) into the definition of the individual identification code.[7] However, although the term "individual identification code" was introduced in the 2015 revision, "numbers, symbols and other codes assigned to each individual" were already included in the definition of personal information when the Act on the Protection of Computer-Processed Personal Information Held by Administrative Organs was enacted in 1988 (Showa 63).[7] The mobile phone number that the two groups claimed is not personal information on its own can, when contained in information about an individual, be regarded as personal information even if it is not itself an individual identification code.[8]

Protection of personal information and privacy

Efforts to legislate the protection of personal information began with the 1980 adoption by the OECD Council of the Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the OECD Privacy Guidelines).[9][10] The eight principles of the OECD Privacy Guidelines (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability) have been adopted in the legislation of many countries.[10]

Policies

One of the most widely accepted theories of privacy[11] is the "right to control information about oneself" set out by Alan Westin in his 1967 book Privacy and Freedom.[12][13] Based on this idea, the right to control one's own information has also become the dominant interpretation of the right to privacy in Japanese constitutional scholarship.[14]

Discussion

A professor at GLOCOM of the International University of Japan wrote in his book: "Personal identification information is by nature shared socially and is not something to be kept secret. For example, if you hide your name and address you will not receive mail. On the other hand, under the current law we cannot protect personal information from misuse or defamation, and active protection is needed."[15]

Status by organization and area

Administrative agency

Government agencies such as municipal offices, tax offices and police stations hold large amounts of highly sensitive personal information such as registered domicile, address, family composition and income.

According to the 2013 (Heisei 25) Information Security Incident Survey Report, about 44% of personal information leaks occurred via government agencies.[16]

Because they hold so much personal information, thorough management and prevention of leaks are highly necessary.

In addition, the Basic Resident Register could formerly be inspected by third parties without the consent of the person concerned. Most of those using the Basic Resident Register inspection system were in a gray zone, such as odd-job agents and list brokers, who copied the register "by hand" in large numbers (so-called human-wave tactics), thereby indirectly extracting the data from the administrative body and recording it in databases. Because this led to situations such as commercial use for sending direct mail, and in some cases use for criminal purposes, the Basic Resident Registration Act was revised to restrict inspection.

In recent years, government agencies have increasingly outsourced work to private companies. In that case, the confidentiality obligations under the National and Local Public Service Acts do not reach the contractor's staff, so many agencies write supervision by the ordering agency into the outsourcing contract so that safety management is achieved at the contractor.

The names of those who pass national examinations or obtain national qualifications, and of those who file for personal bankruptcy, are published in the Official Gazette or in prefectural bulletins.

There are about 2,000 personal information protection laws and ordinances in Japan: in addition to the laws covering national administrative organs, each local government has enacted its own personal information protection ordinance. Because of this multiplicity, the applicable rules and their content differ subtly from one region or local government to another. According to the Ministry of Defense's Human Resources Development Division, the Ministry asks municipalities each year to submit a list of the address, name, date of birth and sex of young people (18 and 22 years old) who are graduating from high school or university, for use in recruiting SDF personnel, and about 9% of local governments provide the relevant information to the SDF. Hisashi Sonoda, a law professor at Konan University (specializing in personal information issues), criticized the local governments that handed over lists at the SDF's request, saying there is "a high possibility that it is illegal" under each local government's personal information protection ordinance.[17] On the other hand, Article 97 of the Self-Defense Forces Act and Article 120 of its Enforcement Order state that the Minister of Defense may require municipal heads to submit "materials" regarding the recruitment of SDF personnel. This issue has been debated since 2016. Professor Masatomo Suzuki (information law) of the Niigata University graduate school said that it cannot be called illegal for the Minister of Defense to request Basic Resident Register information from a local government and for the local government to respond, even though the Basic Resident Registration Act contains no provision for it, because the SDF Act and its Enforcement Order provide a legal basis, and that it is therefore legal.
He added that the decision to provide information is entrusted to each local government in light of its own personal information protection ordinance, that the state respects each local government's decision, which is appropriate for the operation of the law, and that the risk of abuse of the list could be reduced if each local government sent the direct mail on behalf of the SDF, based on the Basic Resident Register.[18] As this matter shows, each local government has its own way of operating personal information protection.

Private enterprises

Private companies hold:

  • Personal information collected in the course of business activities
  • Personal information of employees and their families
    • Collected, for example, by having a written guarantee of identity submitted on joining the company
  • Personal information of people who have applied for recruitment or attended company briefing sessions

Educational institution

In addition to the kinds of personal information listed above, educational institutions handle students' health examination data, grades, career surveys, school reports (transcripts), certificates of enrollment, diplomas and the like. These documents must be retained for a certain period after graduation or withdrawal.

In the past, an emergency contact list covering every student was created for each class, but since the Act on the Protection of Personal Information came into force, schools have become reluctant to create such lists and e-mail is often used instead. Below university level such lists are now rare, to protect minors; at university and graduate school, however, names and other details may be posted on a laboratory's home page more or less without the student's say.

Under the Act, the obligations of a business operator handling personal information do not apply when a university or other institution or organization for academic research, or a person belonging to one, handles personal information for the purpose of academic research (Article 50).

Households

In the case of households, at least the address and name will leak if postal items thrown away as garbage are picked up by someone (this is one of the information-gathering methods used by private detectives, known as "garbage picking" or dumpster diving).

Depending on the mail, credit card numbers or bank account numbers may also leak, increasing the risk of becoming a victim of crime. For this reason, the number of households that shred mail before disposing of it is increasing. Companies, for their part, have recently begun to mask part of such strings (account numbers, credit card numbers and so on) in the letters they send.

Internet

With the development of search technology, personal information can now easily be collected on the Internet. Searching for a name on a search engine or on Facebook (ego-searching) may yield detailed attributes of that individual (although, with namesakes, another person's personal information may be collected unintentionally). This is increasing with the spread of SNS.

Note that search engines are not subject to the Act on the Protection of Personal Information. Furthermore, because the Internet is a global network, international leakage of personal information is difficult to deal with, and it is regarded as a problem that leaked data sometimes keeps circulating inside file-sharing networks such as Winny and Share and cannot be stopped.

Identification methods

In some cases a specific individual can be identified by combining several fragmentary pieces of information, such as landscape photographs or snapshots, which are not personal information on their own. For example, photos taken with a digital camera or smartphone embed Exif metadata by default unless the setting is changed, and the date and time of shooting and the GPS location (if the device has a GPS function) are recorded there, so identification is easy.
There are also methods of identifying the shooting location from a photograph in which no location is recorded. For a landscape photograph, the objects reflected in window glass, eyes or the hood of a car, the houses, buildings and shop signs in the background, and very small clues such as the direction of shadows are studied and compared against everyday scenery in Google Earth or Street View to work out where the picture was taken.[19]
The same applies to posts on SNS such as Twitter and Facebook: fragments such as favourite shops, travel, work-related content, and lists of followers and followees carry the risk of revealing one's home, friendships and commuting route to school or work.

Personal information protection in Japan

Law concerning the protection of personal information

Until 2005, Japan had no comprehensive law other than the one covering administrative organs; the Act on the Protection of Personal Information realized comprehensive legislation covering both the public and private sectors.[20]

Personal information

In its "Guidelines on the Act on the Protection of Personal Information for the Economic and Industrial Fields", the Ministry of Economy, Trade and Industry explains "information about an individual" in the Act as follows:

"Information about an individual" is not limited to information that identifies an individual, such as name, sex and date of birth; it is all information that represents facts, judgments and evaluations regarding the individual's attributes, such as body, assets, occupation and title. It includes evaluative information, information made public in publications, and video and audio information, regardless of whether it is concealed by encryption or the like (omitted). Information about a deceased person is also information about a living individual when it is at the same time information about a living individual such as a bereaved family member. "Living individuals" are not limited to Japanese nationals and include foreign nationals, but since corporations and other organizations are not "individuals", information about a corporation or other organization itself is not included (information about its officers and employees, however, is personal information). — Guidelines on the Act on the Protection of Personal Information for the Economic and Industrial Fields (pdf), p. 2

First, then, it is a necessary condition that the personal information be a whole unit of information about one individual. If a specific individual can be identified by the descriptions contained in it, the whole "information about the individual" is personal information.

Personal information database

When information containing personal information is compiled into a database, that database is treated as a personal information database. In general, one unit of information registered in a database is called a record, and a record in a personal information database is treated as personal data.

Personal information that is not stored in a database is "scattered information". Compared with scattered information, personal data is easy to process, for example by searching or merging with other databases, for anyone who can access the database containing it. For this reason, a business operator that handles a personal information database may use personal data only under the regulations applying to a business operator handling personal information.

Relationship between personal information, personal data and retained personal data under the Act

The Personal Information Protection Commission describes the relationship between personal information, personal data and retained personal data as follows.[21]

Personal information (information that can identify a specific individual, etc.) (Act Article 2, paragraph 1)
  • Personal information that is not personal data:
    • Unorganized business cards, questionnaires and memos, things that employees merely remember, etc.
    • Image data that is not organized and cannot be searched
  • Personal data (data constituting a personal information database; Act Article 2, paragraphs 4 and 6)
    • Personal data that is not retained personal data:
      • Data to be deleted within 6 months
      • Data whose existence, if revealed, would promote illegal or unjust acts
      • Data that would let a competitor search for other parties
      • Entrusted data over which the operator has no authority to dispose:
        • Data provided by the entrusting party
        • Data of joint users without authority to dispose
        • Data provided through business tie-ups etc. without authority to dispose
    • Retained personal data (data over which the operator has authority to dispose; Act Article 2, paragraph 7)
      • Data that may be disclosed (not exempt from disclosure):
        • Customer data
        • Employee data
      • Other data

Law Concerning Protection of Personal Information Held by Administrative Organs

Personal information protection in the United States

In the United States there is a federal Privacy Act, enacted in 1974, but the protection of personal information is otherwise handled by separate laws in each sector, and an independent committee has been established for each.[10]

Personal information protection in Europe

In the EU, the "Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (the EU Data Protection Directive) was issued in 1995.[10]

In 2002, the "Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector" (the ePrivacy Directive) was issued, and it was partially revised in 2009.[10]

Footnotes

  1. ^ "Management of Data Breaches Involving Sensitive Personal Information (SPI)". va.gov. Washington, DC: Department of Veterans Affairs (January 2012). Archived from the original (link now broken) May 2015. Retrieved 2015.
  2. ^ Stevens, Gina (April 2012). "Data Security Breach Notification Laws". fas.org. Retrieved 2015.
  3. ^ Greene, Sari Stern (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN: Pearson IT Certification. p. 349. ISBN 9780789751676. OCLC 897789345. https://books.google.com/books?id=UbwiAwAAQBAJ&pg=PA349&lpg=PA349&dq=%22Sensitive+Personal+Information%22+SPI+%22Personally+identifiable+information%22&source=bl&ots=J9qIzMKebf&sig=Bdxa9ct4X4_2tmz44jmGCna3ZrE&hl=en&sa=X&ei=PaljVZfkJcvjoASh_4KYDA&ved=0CFQQ6AEwCA#v=onepage&q=%22Sensitive%20Personal%20Information%22%20SPI%20%22Personally%20identifiable%20information%22&f=false Retrieved 2015.
  4. ^ "NIST SP800 series". NRI Secure. Retrieved 2016.
  5. ^ "Guidelines for implementing a personal information protection management system based on JIS Q 15001:2006", second edition (pdf), p. 28. Japan Information Economy and Society Promotion Association (JIPDEC).
  6. ^ a b "I asked Shinkeiren about the claim that 'a mobile phone number is not personal information'" (2/5).
  7. ^ a b Takagi, Hiromitsu (2017). "From personal information protection to personal data protection: a study toward the integration of private-sector and public-sector regulation (2)". Jōhō Hōsei Kenkyū (Information Law Studies) No. 2: 88.
  8. ^ "Anonymously processed information: for both promoting the utilization of personal data and ensuring consumer trust". Personal Information Protection Commission. Retrieved 2018.
  9. ^ Uchikawa, Kazuo. Privacy Mark Acquisition Book, 4th edition, 2018, p. 10.
  10. ^ a b c d e "Current situation in other countries". Ministry of Internal Affairs and Communications. Retrieved 2019.
  11. ^ Solove 2008, p. 24.
  12. ^ Privacy Rights 2004, p. 50.
  13. ^ Information Privacy Rights 2013, p. 239.
  14. ^ Information Privacy Rights 2013, p. 243.
  15. ^ Aoyagi, Privacy Research in the Information Age, NTT Publishing.
  16. ^ "2013 Information Security Incident Survey Report: Personal Information Leakage".
  17. ^ Chunichi Shimbun, 2019.
  18. ^ Asahi Shimbun, 2016.
  19. ^ "How to identify the shooting location from photos uploaded to Twitter and Instagram".
  20. ^ Uchikawa, Kazuo. Privacy Mark Acquisition Book, 4th edition, 2018, p. 11.
  21. ^ Personal Information Protection Law Consultation Standard Handbook (Personal Information Protection Commission, ed.), 2017, Nihon Hōrei, ISBN 978-4539725481, p. 64.
