Specific personal information protection regulations

(the purpose)

Article 1

The purpose of these regulations is to stipulate the necessary matters regarding ensuring the proper handling of individual numbers and specific personal information (hereinafter referred to as "specific personal information, etc.") at Chiba Gakuen School Corporation (hereinafter referred to as the "School") based on the "Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures" (hereinafter referred to as the "My Number Act"), the "Act on the Protection of Personal Information" and the "Guidelines for the Proper Handling of Specific Personal Information" (hereinafter referred to as the "Specific Personal Information Guidelines").

(Definitions)

Article 2

The definitions of terms used in these regulations are as follows:

  1. (1) "Personal information" means information about a living individual that can identify a specific individual based on the name, date of birth, or other description contained in the information (including information that can be easily collated with other information and thereby used to identify a specific individual).
  2. (2) "Individual Number" means a number obtained by converting a resident registration code as defined in Article 2, Paragraph 5 of the My Number Act, and is designated to identify a person whose resident registration contains the resident registration code.
  3. (3) "Specific personal information" means personal information that includes an individual number.
  4. (4) "Specific personal information file" means a personal information file that contains personal information.
  5. (5) "Teaching staff, etc." refers not only to staff members who are employed by the Institute, but also to those who are not employed by the Institute.
  6. (6) "Administrative officer" means a person engaged in administrative work involving the handling of personal identification numbers.
  7. (7) "External administrative staff" refers to an administrative staff member who performs all or part of the work using personal numbers under the direction and supervision of the person in charge at the outsourcing company to which the university has outsourced such work.

(Personal Number Use Affairs)

Article 3

The scope of administrative tasks involving the use of personal numbers at our university is as follows:

  1. (1) Administration of withholding tax by the school in accordance with the Income Tax Act
  2. (2) Administration of personal inhabitant tax by the school in accordance with the Local Tax Law
  3. (3) Employment insurance-related affairs conducted by the university in accordance with the Employment Insurance Act
  4. (4) Mutual aid-related affairs conducted by the school in accordance with the Private School Teachers Mutual Aid Law
  5. (5) Employee's Pension Insurance-related affairs conducted by the university in accordance with the Employee's Pension Insurance Act
  6. (6) Affairs related to claims under the Workers' Accident Compensation Insurance Act
  7. (7) Administration of payment records for remuneration, fees, contracts, wages, etc.
  8. (8) Administration related to payment records for real estate usage fees, etc.
  9. (9) Preparation of payment records for the transfer of real estate, etc.
  10. (10) Affairs related to (1) to (9) above

(Scope of specific personal information, etc.)

Article 4

The individual numbers used in the affairs of the preceding article and the specific personal information managed in association with the individual numbers are as follows:

  1. (1) Identification documents (individual number card, notification card, identification document, etc.) presented by faculty and staff members or individuals other than faculty and staff members when implementing identity verification measures pursuant to Article 16 of the My Number Act, and copies of these documents
  2. (2) Legal records and copies thereof prepared by the school to be submitted to administrative agencies such as the tax office
  3. (3) Declarations, etc. containing personal numbers received from faculty and staff members or individuals other than faculty and staff members when the university prepares legal documents
  4. (4) Other information stored in association with the Individual Number
    5. 2 If it is unclear whether or not a case falls under any of the items of the preceding paragraph, the person in charge of administrative affairs shall make the decision.

(Organization)

Article 5

The personnel responsible for handling specific personal information at the school will be Human Resources Division, accounting department, and staff of the affiliated Administration Office.
2 The person responsible for the management of specific personal information, etc. at the school (hereinafter referred to as the "Administrative Manager") shall be the Corporate Executive Director of the Corporate Office.

(Responsibilities of the Person in Charge of Administrative Affairs)

Article 6

The administrative manager is responsible for carrying out the following tasks:

  1. (1) Formulation of a basic policy on the handling of specific personal information and dissemination of such policy to faculty and staff
  2. (2) Approval of applications for use of specific personal information, etc. and management of records, etc.
  3. (3) Setting of management areas and handling areas for specific personal information, etc.
  4. (4) Management of settings and changes regarding classification and authority for handling specific personal information, etc.
  5. (5) Understanding the handling status of specific personal information, etc.
  6. (6) Providing education and training regarding the safe management of specific personal information, etc.
  7. (7) Other matters related to the safe management of specific personal information, etc.

2. The person in charge of handling affairs shall provide necessary and appropriate supervision to the person in charge of handling affairs to ensure that specific personal information, etc. is handled appropriately.

(Responsibilities of the Person in Charge of Handling Administrative Procedures)

Article 7

When handling work involving specific personal information, etc., administrative personnel shall perform their work with due care to protect specific personal information, etc., in accordance with the My Number Act, the Personal Information Protection Act, other related laws and regulations, the Specific Personal Information Guidelines, these regulations, and other university regulations.

(Training of administrative staff)

Article 8

The school will comply with the matters set out in these regulations and will provide training to its administrative staff to ensure compliance with these regulations.

(Record of operation status)

Article 9

In order to verify the implementation status of these regulations, the person in charge of administrative affairs shall record the following items:

  1. (1) Date of acquisition of specific personal information, etc.
  2. (2) Date of preparation and submission of statutory records such as tax withholding slips and payment records
  3. (3) Records of documents, media, etc. taken out
  4. (4) Records of deletion and disposal of specific personal information files
  5. (5) If deletion or disposal is entrusted, records etc. proving this
  6. (6) When handling specific personal information files through an information system, records of the use of the information system by the person in charge of handling the files (login history, access logs, etc.)

(Response to information leaks, etc.)

Article 10

When an administrative officer determines that an incident of leakage, loss, etc. of specific personal information has occurred or that there is a high possibility of such an incident, he/she must immediately report this to the administrative manager.
2 The person in charge of administrative matters shall report to Chairman of the Board and immediately begin an investigation, and shall promptly notify the subject of the information leak of the facts, express gratitude, and investigate the cause, etc.
3 The person in charge of administrative affairs shall consider ways to prevent recurrence.

(Management of areas where specific personal information is handled)

Article 11

The University will clarify the areas where it manages information systems that handle specific personal information (hereinafter referred to as the "management areas") and the areas where it carries out administrative tasks that handle specific personal information (hereinafter referred to as the "handling areas"), and will take the measures set out below for each area.

  1. (1) Controlled Area
    The controlled area will be the server room, and an entrance and exit control system will be used to keep track of who enters the room, and restrictions will be placed on the devices and electronic media that can be brought into the controlled area.
  2. (2) Service area
    The handling area will be Human Resources Division and Accounting Department offices, and entry to the handling area will be restricted to department staff. Walls or partitions will be installed as much as possible, and the handling area will be located in an area with little traffic other than that of administrative personnel.

(Prevention of theft of devices, electronic media, etc.)

Article 12

In order to prevent theft or loss of equipment, electronic media, documents, etc. that handle specific personal information, etc. in the management area and handling area, the following measures will be taken.

  1. (1) Electronic media or documents that handle specific personal information, etc. shall be stored in a lockable cabinet, etc.
  2. (2) Equipment that handles specific personal information files will be secured with security wire, etc.

(Prevention of leakage, etc., when electronic media, etc. are taken out)

Article 13

When electronic media or documents containing specific personal information, etc. are taken outside the controlled or handling area, safety measures must be taken to prevent loss or theft, such as encrypting the data being taken, setting a password, and placing the data in an envelope and carrying it in a bag.

(Access control, identification and authentication of accesses)

Article 14

Information systems that handle specific personal information will use user account control based on user IDs and passwords to authenticate the person handling the information, based on the results of identifying that they have legitimate access rights.
2. Limit the scope of information that can be accessed in association with personal information through access control.

(Prevention of unauthorized access from outside)

Article 15

The following measures will be taken to prevent unauthorized access to information systems from outside.

  1. (1) Install firewalls or other security measures at the connection points between information systems and external networks to block unauthorized access.
  2. (2) Install security software in information systems and devices
  3. (3) Check for the presence of malicious software in input/output data using installed security software, etc.
  4. (4) Use automatic update functions that are standard on devices and software to keep software up to date.
  5. (5) Regularly analyze logs, etc. to detect unauthorized access, etc.

(Prevention of information leaks, etc.)

Article 16

When transmitting specific personal information, etc. to an external party via the Internet, etc., the following measures shall be taken:

  1. (1) Communication channels will be encrypted to prevent information leaks, etc.
  2. (2) As a measure to prevent the leakage of specific personal information and other information stored in information systems, data will be encrypted or password protected.

(Appropriate Acquisition)

Article 17

The school will acquire specific personal information, etc. through lawful and fair means.

(Specifying the purpose of use)

Article 18

The purpose of use of specific personal information, etc. obtained from faculty and staff members, etc. or individuals other than faculty and staff members, etc. shall be within the scope of the business that handles the Individual Numbers listed in Article 3.

(Notification of purpose of use when acquiring information, etc.)

Article 19

When the University acquires specific personal information, it will promptly notify the individual of the purpose of use or make public the purpose of use, unless the purpose of use has been made public in advance.
2 Notwithstanding the provisions of the preceding paragraph, when acquiring specific personal information, etc. of an individual that is described in a contract or other document (including records created by electronic means, etc.) in conjunction with the conclusion of a contract with the individual, the purpose of use shall be clearly indicated to the individual in advance, except in cases where there is an urgent need to protect a person's life, body, or property.

(Requests and restrictions on the provision of personal numbers)

Article 20

The provision of personal numbers may be requested from individuals or other persons involved in personal number-related affairs only when it is necessary to process the personal number-related affairs set out in Article 3.
2 The time to request the provision of the Individual Number shall be when it becomes necessary to include the Individual Number in documents to be submitted to administrative agencies. However, if it is anticipated that the Individual Number will be required due to an employment contract or other reason with the individual, the Individual Number may be provided in advance.
3. The University will not collect specific personal information beyond the scope of the personal number-related affairs set out in Article 3.

(Identity verification)

Article 21

The person handling the procedure will verify the identity of the person using the methods prescribed in Article 16 of the My Number Act, and for the representative, will verify the identity of the representative, confirm the power of attorney, and confirm the person's personal number.

(Restrictions on use of personal numbers)

Article 22

The personal number will be used only to the extent necessary to process the business stipulated in Article 3. Even if the individual gives consent, the personal number will not be used beyond the intended purpose.

(Restrictions on the creation of specific personal information files)

Article 23

The person in charge of handling the administrative procedures shall create specific personal information files only to the extent necessary to carry out the personal number-related administrative procedures prescribed in Article 3.

(Storage of specific personal information)

Article 24

The University will store specific personal information, etc. until the completion of the affairs set forth in Article 3. However, if a storage period is stipulated by applicable laws and regulations, the University will store specific personal information, etc. until the said period has elapsed.
2 When documents or files containing specific personal information continue to be stored after the statutory retention period has elapsed, the parts relating to the personal identification number will be masked or erased before storage.

(Restrictions on the provision of specific personal information)

Article 25

Except as provided for in Article 19 of the My Number Act, the school will not provide specific personal information to third parties, regardless of whether or not the individual has given their consent.

(Disclosure, correction, and suspension of use of specific personal information)

Article 26

The school will disclose specific personal information, etc. held by the individual to the extent that it is lawful and reasonable, and will respond promptly to any request from the individual to correct the specific personal information, etc.
2 If an individual requests the suspension of use of specific personal information held by the University on the grounds that it has been acquired or used in violation of these regulations or laws and regulations, the University will conduct the necessary investigation without delay and take the necessary measures.

(Disposal and deletion of specific personal information, etc.)

Article 27

For documents, etc. for which the retention period prescribed in Article 24 has expired, the personal identification number shall be disposed of or deleted as promptly as possible.
2 Notwithstanding the provisions of the preceding paragraph, disposal or deletion may be carried out in one lump sum at the end of each fiscal year at the discretion of the person in charge of administrative affairs.
3. When an administrative officer deletes an individual number or a specific personal information file, or disposes of electronic media, etc., he/she shall keep a record of the deletion or disposal. In addition, when outsourcing such work, he/she shall confirm by a certificate, etc. that the outsourced party has certainly deleted or disposed of the data.

(Supervision of contractors)

Article 28

When outsourcing all or part of the personal number-related affairs stipulated in Article 3, the University will exercise necessary and appropriate supervision to ensure that the outsourced party takes appropriate measures for security control equivalent to those that the University must take itself pursuant to the My Number Act.
2 The following items shall be implemented with respect to the contractor under the preceding paragraph:

  1. (1) When selecting a contractor, confirm that the contractor has taken appropriate safety control measures in accordance with the My Number Act.
  2. (2) A contract will be concluded with the contractor that includes the following items:
    A. Confidentiality obligation regarding specific personal information
    (a) Obligation to properly store and manage specific personal information, etc.
    Prohibition on taking specific personal information, etc. out of the workplace
    D. Prohibition of use of specific personal information, etc. for purposes other than those stated
    Responsibility of the contractor in the event of a leak
    F. Return or disposal of specific personal information, etc. after the termination of the entrustment contract
    G. Supervision and education of specific personal information handlers
    H. Reporting on compliance with the contents of the consignment contract

(Subcontracting)

Article 29

The contractor may subcontract all or part of the entrusted work using personal numbers only with the consent of the University.
2 The provisions of the preceding Article 2, paragraph 2 shall apply mutatis mutandis to the supervision of the subcontractor.

(Administrative Procedures)

Article 30

Human Resources Division will be responsible for the administration of these regulations.

(Amendment and repeal of regulations)

Article 31

Any amendment or repeal of these regulations will be made by the Board Director following a discussion by the Personal Information Protection Committee.

Supplementary Provisions
This regulation shall come into effect on November 1, 2015.

Supplementary Provisions (revised on January 25, 2023)
This regulation shall come into effect on April 1, 2023.

return
Chiba University of Commerce
千葉商科大学付属高等学校
ご寄付のお願い
古本募金
採用情報
株式会社CUCサポート