Abstract
In this paper, we analyze the all item assessment reports that municipalities have published under the mandated Specific Personal Information Protection Assessment from three perspectives: (1) adequacy of risk items, (2) re-use of the assessment report, and (3) classification of the assessment model. The results show, for example, that many assessment reports describe risk measures within the system but omit measures outside the system, such as operation.
Keywords
- Specific personal information protection assessment
- Specific personal information
- Assessment report
- My number
1 Introduction
Residents in Japan were notified about the “My number” system in October 2015. Personal information that includes the My number is called “Specific personal information.”
Implementation of the “Specific Personal Information Protection Assessment,” which we also refer to as “Protection Assessment,” has been required of the relevant municipal offices that keep certain personal information [1].
Protection assessment is done to prevent infringement of the privacy of personal information, to ensure trust, and to protect the rights of citizens and residents. After the protection assessment, each municipality must conduct its risk assessment.
The results of the protection assessment are published as an “Assessment report.” However, it has been pointed out that the protection assessment may not have been properly implemented [2].
In this paper, we analyzed the reports published by municipalities from the following perspectives: (1) Adequacy of risk items; (2) Re-use of the Assessment report; and (3) Classification of the Assessment model [3].
2 Overview and Issues of Specific Personal Information Protection Assessment
Protection assessment is classified into three kinds of evaluation by the threshold decision: basic items assessment, priority items assessment, and all items assessment. The threshold decision is affected by the number of target people, the number of transactors, and the occurrence or non-occurrence of major accidents involving specific personal information.
Cases subject to the all items assessment handle more specific personal information than cases under the other assessments. Because a large number of persons also handle the information, the risk of leakage of specific personal information and of other accidents is high. Therefore, the all item assessment report (from now on referred to as the “Assessment Report”) needs to evaluate concrete risk measures in more detail. In this paper, the assessment reports were analyzed from three aspects that have been pointed out by the persons concerned.
- Adequacy of the Risk Item: In the protection assessment carried out by a municipality, the contents of a risk measure are described for each risk item listed in advance on the evaluation document. However, the risk items are not uniform, and the standards used by municipalities when considering a risk measure are not specified in detail. Therefore, the level of the methods and measures selected is likely to differ among municipalities.
- Re-use of the Assessment Report: Because the contents of office work are defined by law, they do not differ greatly among municipalities, apart from some exceptions. It is therefore also conceivable that the contents of an assessment report that was evaluated previously in the same municipality are re-used.
- Classification of the Assessment Model: In office work that handles specific personal information, information can be linked via the providing information network system. Therefore, the scope of a municipality's protection assessment is expected to include the cooperation foundation, such as the intermediate server of the relevant office work and the providing information network system.
3 Analysis of Issues
3.1 Adequacy of Risk Items
In the protection assessment, the assessment depends on the municipality because there is no procedure manual for risk evaluation. Our investigation of actual conditions also found that the person who estimates risk is not a specialist, so proper implementation of risk evaluation may be difficult. We target the all item assessment report for analysis because it applies risk analysis to all risk issues comprehensively. The 221 assessment reports published by the specific personal information protection committee as of June 10, 2015 were examined. To keep the office work the same, the analysis targets the assessment reports for the “Office works concerning the Basic Resident Register.” Nine cases were analyzed, which corresponds to about 10 % of the assessment reports for the target office work that had been published at that time (80 cases).
We compare the assessment standard that we created with the assessment reports of the municipalities under analysis [4]. The result of the comparison is indexed as shown in Table 1 to confirm the excess or deficiency for each corresponding risk item.
Table 2 shows the distribution of the assessment index for the system risk measures in the municipalities and the average value over all items. The assessment index is 1 point when the risk measure indicated by the assessment standard is not mentioned at all.
When the average value of the assessment index over all 49 items is close to 1 point, it is likely that the municipality did not conduct an appropriate assessment.
Table 3 shows the distribution of the assessment index for the management risk measures in the municipalities and the average values over all items.
3.2 Re-Use of the Assessment Report
The analysis target is the personal confirmation information file in an assessment report. The number of characters that match between an assessment report and the mentioning points is counted, and the ratio is calculated [5]. The ratio is then indexed based on Table 4.
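The character-matching ratio described above can be computed as follows. This is an added example, not code from the paper: the matching method (verbatim runs found with Python's `difflib`), the `min_run` cut-off, and all sample texts are assumptions, and no index thresholds are applied because Table 4 is not reproduced here.

```python
import re
from difflib import SequenceMatcher

def normalize(text: str) -> str:
    """Collapse whitespace so line wrapping does not hide copied passages."""
    return re.sub(r"\s+", " ", text).strip()

def reuse_ratio(report: str, reference: str, min_run: int = 8) -> float:
    """Share of the report's characters that lie in verbatim runs also
    present in the reference text (for example, sample wording from a
    guideline or an earlier report). Runs shorter than min_run characters
    are ignored so that common short words do not count as re-use.
    Note: SequenceMatcher matches in order, so reordered paragraphs
    are under-counted."""
    report, reference = normalize(report), normalize(reference)
    if not report:
        return 0.0
    matcher = SequenceMatcher(None, reference, report, autojunk=False)
    copied = sum(b.size for b in matcher.get_matching_blocks()
                 if b.size >= min_run)
    return copied / len(report)

def rank_reports(reports: dict, reference: str) -> list:
    """Return (name, ratio) pairs, highest re-use first, for reviewer triage."""
    scored = [(name, reuse_ratio(text, reference))
              for name, text in reports.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample texts (hypothetical; not taken from any real report).
REFERENCE = ("Access to the file is restricted to authorized staff by ID "
             "and password. Access logs are recorded and reviewed.")
REPORTS = {
    "town_copied": REFERENCE,
    "town_partial": ("Access to the file is restricted to authorized staff "
                     "by ID and password. Terminals are kept in a locked "
                     "room and media use requires written approval by the "
                     "section chief."),
    "town_original": ("Terminals sit in a locked room; removable media "
                      "needs written sign-off from the section chief."),
}

if __name__ == "__main__":
    for name, ratio in rank_reports(REPORTS, REFERENCE):
        print(f"{name:14s} {ratio:.2f}")
```

A report that scores near 1.0 restates the reference wording almost entirely, which is the signal that its risk measures deserve a closer manual read.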
3.3 Classification of the Assessment Model
In the municipality, the My Number system promotes task collaboration with other government agencies through information cooperation. Information cooperation is performed by the intermediate server and the providing information network system that are to be established. The intermediate server performs information cooperation and dissemination of information in the network system. The scope of the specific personal information protection assessment is expressed in four models, as illustrated in Fig. 1. The bold line frame in Fig. 1 illustrates the extent of the assessment, and the dotted box refers to an original specific personal information file and a duplicate DB. Table 5 shows the model classification of the assessment reports of the municipalities.
- Model A: The model that assesses relevant office work.
- Model B: The model that assesses relevant office work from the intermediate server.
- Model C: The model that assesses the relevant office work including the intermediate server and the providing information network system.
- Model D: The model that assesses the intermediate server and the providing information network system separately from the relevant office work.
Office systems are often packaged products, and it is difficult for municipality officials to become familiar with the technical specifications, particularly the detailed specifications of the intermediate server and the providing information network system. In addition, because the causes of risk in the system and in operation, and the measures against them, are fundamentally different, these risks should be assessed separately.
4 Conclusion
We analyzed the implementation of the risk assessment using published assessment reports as the target, because it had been pointed out that assessments may not have been adequately implemented. As a result, we found that the reports describe risk measures in the system, but that measures such as system management are missing in many assessment reports. Furthermore, the municipalities assumed that office work was the target of evaluation, and it was revealed that when knowledge of the system is actually lacking, the systems and files that are assessment targets may be overlooked.
References
[1] The Specific personal information protection committee: Description of the specific personal information protection evaluation guidelines. http://www.ppc.go.jp/files/pdf/explanation.pdf
[2] Takashi, M.: Improper specific personal information protection evaluation shakes “My number” system. Nikkei Computer, May 14 2014, pp. 6–10 (2015)
[3] The Specific personal information protection committee: My number protection assessment Web. http://www.ppc.go.jp/mynumber/evaluationSearch/
[4] Yoichi, S.: The guideline of specific personal information protection assessment practice for the municipality. Gyosei, Kyoto (2015)
[5] The specific personal information protection assessment book mentions point about the office work about the Basic Resident Register. http://www.ppc.go.jp/files/pdf/260624siryo1.pdf
Acknowledgments
This research was carried out in the Project Based Learning in the Advanced Institute of Industrial Technology. In advancing the PBL, we got the cooperation of Kazuhiro Midorikawa, Yuta Kurosawa, Okimura Seiji, and Xiaofei Ma. We would like to express our appreciation here.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Shin, S., Seto, Y., Sasaki, M., Sakamoto, K. (2017). The Problem Analysis of Specific Personal Information Protection Assessment in Japan Case. In: Park, J., Pan, Y., Yi, G., Loia, V. (eds) Advances in Computer Science and Ubiquitous Computing. UCAWSN CUTE CSA 2016 2016 2016. Lecture Notes in Electrical Engineering, vol 421. Springer, Singapore. https://doi.org/10.1007/978-981-10-3023-9_8
DOI: https://doi.org/10.1007/978-981-10-3023-9_8
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-3022-2
Online ISBN: 978-981-10-3023-9