
1 Introduction

On May 24, 2013, the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure, also known as the My Number law, was enacted. This law introduced the Social Security and Tax Number System, or the My Number system.

The My Number system is used to confirm that information on individuals held by multiple agencies, such as administrative agencies and local governments, is information about the same person. This system aims at a fairer and more just society, enhanced public convenience and improved administrative efficiency [1].

Since October 2015, the government has enforced the My Number law and notified residents of their My Number numbers. Personal information that includes a My Number is called Specific Personal Information.

Protection Assessment is done to prevent infringement of the privacy of personal information, to ensure the trust of citizens and residents, and to protect their rights [2]. After the protection assessment, each local government unit must present its risk assessment as an assessment report [3].

In this paper, we analyzed the reports published by the local governments from the following perspectives:

  1. Adequacy of risk items, and

  2. Re-use of the assessment report.

In other countries, privacy impact assessment (from now on referred to as PIA) has been carried out to preliminarily assess the influence on privacy when introducing or repairing a system involving the acquisition of personal information, and taking measures to avoid or mitigate privacy risk [4].

In the PIA, there are two studies on the validity of impact assessment: one is the assessment of the suitability of the PIA applied to the biometrics system. The other is a study evaluating the effectiveness of the PIA itself.

Officials in charge of the administrative organization self-evaluate the Specific Personal Information Protection Assessment about the system and operation. On the other hand, the PIA does not include the operation, but only the system is assessed by a specialized neutral third party. The government has published protection assessment as equivalent to PIA, but as stated above, PIA and protection assessment are fundamentally different.

This paper analyzes and assesses whether the Specific Personal Information Protection Assessment prescribed by the My Number law is properly implemented by local governments based on the assessment report issued by the local governments.

2 Related Works

There are two related studies on the appropriateness of risk assessment in conjunction with PIA. Protection assessment concerning specific personal information was implemented in 2015, and no case study on the protection assessment was found. The protection assessment is conducted only in Japan, while the PIA is an assessment method that has international standards and is implemented in other countries. For the PIA, there are two studies on its appropriateness.

First, Kush Wadhwa et al. applied PIA to biometric systems then assessed the appropriateness of the procedures for PIA by ranking [5]. They assumed that the PIA method is useful and evaluated its adequacy as to whether the implementation procedure is appropriate for the case of PIA. For example, their work assessed whether the report release procedure is appropriate or not. The other related work is a case study where Sakamoto et al. conducted the effectiveness assessment of PIA itself [6]. They assessed the effect of how much privacy risk could be reduced by implementing PIA using the risk assessment method developed based on the international standard ISO 22307. In other words, the effectiveness of PIA is quantitatively assessed from two viewpoints: visualization of privacy risk on personal information and improvement of awareness of stakeholders concerning personal information protection.

The protection assessment to be implemented in Japan is stipulated by the guidelines so that risk assessment is carried out in a mixture of system and operation by self-evaluation of officials in charge of the administrative organizations who have used the system [4, 7]. Due to these reasons, the two assessment methods are completely different, and it’s hard to apply the assessment method implemented in the PIA to the Specific Personal Information Protection Assessment.

In our work, we evaluate whether the assessment is done properly by analyzing the assessment report which is the result of the protection assessment of the specific personal information.

3 Specific Personal Information Protection Assessment

3.1 Outline of Specific Personal Information Protection Assessment

In the case of the My Number system, it was imperative to implement the protective assessment as one of the protective measures against the task of handling specific personal information [1]. Figure 1 shows an overview of protective assessment.

Fig. 1. Overview of specific personal information protection assessment

Protection assessment for specific personal information aims to prevent the leakage of specific personal information and other accidents beforehand by ensuring proper handling of specific personal information files such as the My Number number, and to protect the rights and interests of residents. That is the basic idea of the protection assessment. Its purpose lies in the following.

  1. Preventing infringement of rights and interests such as personal privacy by prior response, and

  2. Ensuring the confidence of citizens and residents through appropriate disclosure of information.

3.2 Procedure of the Specific Personal Information Protection Assessment

In the protection assessment, it is obligatory to carry out either essential item assessment, priority item assessment, or all item assessment by threshold judgment.

Indicators of threshold judgments include the number of people to be handled, the number of persons dealing with specific personal information files (from now on referred to as the number of handlers), and the occurrence or not of a serious accident concerning specific personal information at the assessment executing agency.

For example, if the target number of people is 300,000 or more, all items are assessed. For 100,000 or more but fewer than 300,000 people, priority item assessment is required. For fewer than 100,000 people, only the essential item assessment is obligatory.

If the number of handlers is 500 or more, or a serious accident related to protection of specific personal information has occurred within the past year, the requirement switches from priority item assessment to all item assessment, and from essential item assessment to priority item assessment. However, if the target number of people is less than 1,000, implementation of protection assessment is not obligatory.

After the all item assessment report is prepared by the local government, it is necessary to publicize the assessment report, request the opinion of the residents, and do an appropriate review of the assessment report after fully considering the obtained opinion. After this review, the assessment report is submitted to the Personal Information Protection Committee after undergoing a third party inspection. Table 1 shows an example of the assessment items of the all item assessment report [8].

Table 1. Examples of assessment items of all item assessment report

The assessment report is written in two ways: by writing an outline in the blanks shown in ① to ④ in Table 1, and by the selection description shown in ⑤. For example, in ②, measures taken on the system side such as “restrict accessible terminals” and measures concerning operation (human/organizational) such as “to verify identification based on notification/application details or identification documents” are described. In other words, it is necessary to assess both system and operation for every item and describe each measure without omissions. In the selection description, the assessor chooses one of the options such as (1) Putting particular emphasis, (2) Enough, and (3) Issues remain. In the case of PIA, the targets of risk assessment are not administrative tasks (operations) but systems. The privacy commissioner issues the standard guideline, and the risk assessment is carried out based on this guidance. Also, risk assessment is not classified by the volume of personal information handled [4].

3.3 Issues of Specific Personal Information Protection Assessment

Although protection evaluation is said to be equivalent to PIA adopted in other countries, there are the following differences when compared with PIA.

  1. The assessment object is “clerical work handling specific personal information file,” the definition of administrative tasks is unclear, and the system and operation related to the target functions (organizational and human) are mixed.

  2. While PIA is evaluated by a third-party organization with neutrality and expertise, protection evaluation is a self-assessment by the system operator (officials such as administrative agencies) and self-declaration by the chief, etc.

  3. Risk assessment manual etc. for protection evaluation still has not been sorted out. Therefore, administrative agencies are preparing assessment reports by individual risk analysis methods.

As described above, there is a possibility that the risk assessment is not properly implemented in the protection assessment on specific personal information. Therefore, using all the item assessment reports released by the local governments, we analyze whether the risk assessment is properly implemented from the two following viewpoints.

  1. Adequacy of risk assessment and measures: assess the excess and deficiency of assessment standard and safety control measures created separately for system and operation.

  2. Reuse of the assessment report: We analyze the assessment report published by the local governments and assess the situation on reuse.

4 Analysis of All Item Assessment Report

4.1 Analysis Method

As described in Sect. 3.3, protection assessment and PIA have different targets and procedures. For this reason, we analyzed whether protection assessment deals with the protection of specific personal information in the My Number system based on the two following points.

Adequacy of risk assessment and measures

In the protection assessment, for example, each local government implements risk countermeasures against the risk items described in the all item assessment report. However, there is a possibility that risk assessment and safety control measures will not be considered sufficiently in the protection evaluation. Three issues follow from this.

  1. For risk countermeasures, since risks (threats and vulnerabilities) are different in the system and operation, they should be evaluated and described separately, but many local governments described the risk mitigation measures for systems and operation mixed together.

  2. The basis for the content of the description for the risk item is unclear. Although the risk item shown in Table 1 is presented from the central government, there is no explanation about its basis.

  3. Risk items in the assessment reports are uniform entries, and the specific level when the local governments consider the risk countermeasure is not indicated. For that reason, it is conceivable that local governments differ in the way of grasping risks and the level of description. There is also the issue that adequacy judgments such as “adequate measures” are subjective in situations where countermeasure standards are not presented. As a result, the local governments that assess can select “Enough” etc. depending on their personal opinions.

Reuse of assessment reports

Reuse of the assessment report has two viewpoints. One is to reuse assessment reports of other local governments that precede the same affairs, or samples provided by the central government. The second one is to reuse the content of the assessment report of the administrative office that was previously assessed in the same local government in the assessment of another office work.

4.2 Selection of Analysis Targets

As described in Sect. 3.2, the protection assessment is classified into three assessments based on threshold judgment, essential item assessment, priority item assessment, and all item assessment.

In this paper, we focused on the all item assessment reports. In an all item assessment, many officials deal with a large amount of specific personal information. Therefore, the risk of leakage of specific personal information and other accidents is high, and more detailed and accurate risk measures are required.

As of June 2015, 221 assessment reports of all items have been released by the Personal Information Protection Committee. We investigated 10 cases of all item assessment reports.

Selection criteria for the all item assessment report to be investigated are as follows.

  1. Official assessment report released by the Personal Information Protection Committee.

  2. Assessment report for the same affairs, that is, “affairs concerning the basic resident register.”

  3. Selection from local governments in various parts of Japan that do not depend on locality: 9 assessment reports corresponding to approximately 10% of all item assessment documents (80 cases).

  4. Select the description procedure that is presented from the central government as a criterion to compare with all the item assessment reports of the local government.

Table 2 shows the basic data of the local governments that were selected as assessment targets [9].

Table 2. Basic data of local governments (unit: people)

5 Assessment Analysis of All Items Assessment Report

5.1 Adequacy of Risk Assessment and Measures

In the protection assessment, there is no procedural manual on risk assessment, so the assessment is left to the administrative agencies and local governments. Also, the skill level of the person in charge who performs the assessment is not stipulated. In this section, we analyze whether each local government described appropriate risk response for risk assessment.

The evaluation criteria were prepared according to the safety measure standards shown in the (Separate) Safety Management Measures for Specific Personal Information (Operator’s Guide). We prepared assessment criteria by classifying risk correspondence to be implemented for each risk item into systematic correspondence and human organizational correspondence [10].

We compared the all item assessment reports published by the local governments against the assessment criteria, risk item by risk item, for “III Risk measures in the handling process of specific personal information” concerning the basic resident register file, with the criteria classified into system-related measures and measures concerning operation. Figure 2 shows an example of the comparative assessment.

Fig. 2. Comparison of all item assessment report and assessment standard

The result of the comparison is indexed as shown in Table 3 to confirm the excess or deficiency for each corresponding risk item. We roughly divided the assessment index of risk into three stages (Table 3) because it is hard to fix the index on a logical basis. This assessment index was decided based on a discussion with an expert on PIA.

Table 3. The category of assessment of the risk response.

Table 4 shows the distribution and the assessment value of the assessment index concerning the risk correspondence on the system in each local government. The assessment value is calculated by multiplying the number of risk items at each assessment index by that index, summing the products, and dividing the sum by the number obtained by subtracting the number of items not subject to evaluation from the total number of items (49).

Table 4. The situation of corresponding to the risk (System).

For example, in the case of City A, it is calculated as follows.

$$ \text{Assessment value} = (3 \times 7 + 2 \times 12 + 1 \times 5) \div (49 - 25) = 2.08 $$

The assessment index when the risk correspondence indicated by the assessment standard is not mentioned at all is 1 point. The assessment index when only a part of the risk correspondence indicated in the assessment criteria is described is 2 points. When the average value of the assessment index is 2 points or less, there is a possibility that proper risk response could not be made. The fact that the average value of the assessment index is 2 points or less means that many risk items did not cope with the risk indicated by the assessment criteria.

Table 5 shows the distribution and the assessment value of the assessment index concerning the risk correspondence on the operation in each local government. As for the operation, the assessment index is lower as a whole compared to the system. This is because local governments do not mention countermeasures concerning operations. They only describe the risk correspondence concerning the system in risk countermeasures.

Table 5. The situation of corresponding to the risk (Operation).

5.2 Reuse of Assessment Reports

Many descriptions of all items assessed by local governments are similar to the Procedure for Specific Personal Information Protection Evaluation Procedure (draft) on affairs related to basic residential ledger (from now on referred to as the Procedure) exemplified by the Ministry of Internal Affairs and Communications [11, 12].

In other words, there is a possibility that a previously announced all item assessment report was reused by simply copying and pasting. When the all item evaluation document is prepared by reuse, the examination of the risk assessment may be inappropriate, and the system itself may lose its reason for existing. We analyzed the identity confirmation information file of the all item assessment reports selected in Sect. 4.2. We compared the corresponding items in the description procedure and their similarities concerning the “III Risk measures in the handling process of specific personal information.”

Specifically, we count the number of characters for which the description in the assessment report and the statement in the description procedure are identical and then calculate the ratio. The higher the reuse rate, the higher the likelihood of reuse. Table 6 shows the reuse rate by the local governments.

Table 6. Local government reuse rate.
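The character-level reuse rate described above can be computed as follows. This is an added example, not code from the paper: the paper does not say how identical characters were counted, so the use of `difflib`, the NFKC and whitespace normalization, the `MIN_RUN` cut-off, the item identifiers and the sample texts are all assumptions made for illustration.

```python
import difflib
import unicodedata

MIN_RUN = 4  # assumption: shorter shared runs are treated as coincidence


def normalize(text):
    """NFKC-fold (full-width to half-width) and drop all whitespace."""
    return "".join(unicodedata.normalize("NFKC", text).split())


def matched_chars(report_text, template_text, min_run=MIN_RUN):
    """Return (report characters lying in shared runs, report length)."""
    a, b = normalize(report_text), normalize(template_text)
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    shared = sum(m.size for m in sm.get_matching_blocks() if m.size >= min_run)
    return shared, len(a)


def reuse_rate(report_items, template_items, min_run=MIN_RUN):
    """Return (overall rate, per-item rates) for one report against a template.

    Items are keyed by risk item id; an item with no counterpart in the
    template counts as 0% reuse but still adds to the report length.
    """
    per_item, total_shared, total_len = {}, 0, 0
    for item_id, text in report_items.items():
        shared, length = matched_chars(text, template_items.get(item_id, ""), min_run)
        per_item[item_id] = shared / length if length else 0.0
        total_shared += shared
        total_len += length
    overall = total_shared / total_len if total_len else 0.0
    return overall, per_item


# Constructed sample data: hypothetical item ids and wording, not taken from
# any published assessment report or from the Ministry's description procedure.
TEMPLATE = {
    "III-2-risk1": "Restrict accessible terminals.",
    "III-2-risk2": "Verify identity using identification documents.",
}
REPORT = {
    "III-2-risk1": "Restrict  accessible terminals.",  # copied, spacing changed
    "III-2-risk2": "Verify identity using identification documents. "
                   "Two clerks countersign.",          # copied, then extended
    "III-3-risk1": "Visitor badges are collected at the exit.",  # original text
}

if __name__ == "__main__":
    overall, per_item = reuse_rate(REPORT, TEMPLATE)
    for item_id, rate in per_item.items():
        print(f"{item_id}: {rate:.0%}")
    print(f"overall reuse rate: {overall:.0%}")
```

Reporting the per-item rates alongside the overall figure shows which risk items were copied verbatim and which carry locally written measures, which is the distinction a third party inspection needs.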

The all item assessment reports in which the reuse rate exceeded 50% account for 44% (4 out of 9: A/B/C City and D District). The all item assessment reports that gave an incorrect legal number account for 89% (8 out of 9: local governments excluding B City). The all item assessment reports that similarly contained typographical errors account for 67% (6 out of 9: A/B/C/G City and D/I District).

One reason the reuse rate exceeds 50% for a local government may be the uniformity of the description format of all item assessment reports, which makes the description contents similar. Therefore, it cannot be said that reuse is in itself a problem, and reuse can be an effective means of improving efficiency. However, it is important that proper risk assessment and countermeasures are implemented, and confirming this is the responsibility of the third party inspection. If the inspection committee (or the personal information council) functions properly, it can be confirmed whether or not there is a problem with reuse.

6 Conclusion

In this paper, we analyzed the Specific Personal Information Protection Assessment system from the viewpoint of the all item assessment reports. As a result of the analysis, the following problems were found.

  1. Since risk assessment guidelines do not exist, cases were found where appropriate risk assessment was not conducted for each local government.

  2. Because the legal status of third-party inspection is unclear, there are local governments whose third-party inspections are not functioning effectively.

To deal with these problems, it is necessary to consider countermeasures from both the improvement of the current system and the review of the institutional design. The improvement measure in the current system is to prepare guidelines for common evaluation of local governments [13]. By conducting assessment and inspection according to the guidelines, we believe that appropriate responses without omissions will be possible, and variations in responses among local governments will be reduced. Also, the load on the evaluator can be reduced.