Privacy Policy
Purpose
Article 1 The purpose of these regulations is to protect the rights and interests of individuals while taking into consideration the usefulness of personal information by prescribing the necessary matters regarding ensuring the appropriate handling of personal information held by Soka University Educational Institution (hereinafter referred to as "the University").
2. Notwithstanding the provisions of the preceding paragraph, the handling of “specific personal information” (so-called My Number) shall be governed by the “Soka University School Corporation Regulations for the Handling of Specific Personal Information, etc.”
Definition
Article 2 Personal information in these regulations refers to information acquired or created by the University in the course of its business regarding current and former faculty, staff, students, examinees, and other individuals connected to the University (hereinafter referred to as "faculty, staff, students, etc."), and which falls under either ① or ② below.
① Name, date of birth, and other descriptions contained in the information (all matters (excluding personal identification codes) written or recorded in documents, drawings, or electromagnetic records (meaning records made in electronic, magnetic, or other formats that cannot be recognized by human perception), or expressed using voice, movement, or other methods) that can identify a specific individual (including information that can be easily collated with other information and thereby identify a specific individual)
② Items that contain personal identification codes
2. The individual identification code in the preceding paragraph refers to any of the following letters, numbers, symbols or other codes that fall under either ① or ② and are specified by the Enforcement Order of the Personal Information Protection Act (hereinafter referred to as the "Cabinet Order, etc.").
(1) Characters, numbers, symbols, or other codes that have been converted from a part of a specific individual's body for use in a computer and that can identify that specific individual
(2) Letters, numbers, symbols or other codes that are assigned in relation to the use of services provided to an individual or the purchase of goods sold to an individual, or that are written on a card or other document issued to an individual, or that are recorded in an electromagnetic form, and that are assigned, written or recorded so as to be unique for each user, purchaser or recipient, and thereby capable of identifying a specific user, purchaser or recipient.
3. "Sensitive personal information" refers to personal information that includes descriptions, etc. specified by government ordinance, etc. as requiring special consideration in handling so as to avoid unfair discrimination, prejudice, or other disadvantage against the individual, such as the individual's race, creed, social status, medical history, criminal history, or the fact of having been the victim of a crime.
4. A "personal information database, etc." in these regulations refers to a collection of information that includes personal information and is set forth below (excluding those specified by government ordinance, etc. as being unlikely to infringe on the rights and interests of individuals in terms of their method of use):
① Systematically organized so that specific personal information can be searched using a computer
② In addition to the items listed in ①, a collection of information that is systematically organized so that specific personal information can be easily searched for, and that has a table of contents, index, or other features to facilitate searching.
5. Personal data in these regulations refers to personal information that constitutes a personal information database, etc.
6. Retained personal data in these regulations refers to personal data that the University has the authority to disclose, correct, add or delete content, suspend use, erase, and suspend provision to third parties, except for the following:
(1) If the existence or absence of the personal data in question becomes known, it is likely to cause harm to the life, body or property of the individual or a third party.
(2) There is a risk that revealing the existence or absence of the personal data in question will encourage or induce illegal or improper acts.
(3) The disclosure of the existence or absence of the personal data in question may be likely to threaten national security, damage the relationship of trust with other countries or international organizations, or cause disadvantage in negotiations with other countries or international organizations.
(4) If the existence or absence of the personal data in question becomes known, it is likely to cause disruption to the prevention, suppression or investigation of crimes or to the maintenance of other public safety and order.
(5) Personal data to be deleted within six months.
7. In these regulations, "faculty and staff" refers to full-time and part-time teaching staff, assistants, technical staff, administrative staff, contract staff, and part-time staff at universities, graduate schools, and junior colleges.
Responsibilities of the University and its faculty and staff
Article 3 In order to achieve the purpose of these regulations, the University must take the necessary measures to protect personal information.
2. Faculty and staff members of the University or former faculty and staff members must not disclose to a third party any personal information that they have learned in the course of their duties, or use it for improper purposes.
Personal Information Protection Manager
Article 4 In order to ensure the proper management and safeguarding of personal information, the University shall appoint a Chief Personal Information Protection Officer (hereinafter referred to as the "Chief Personal Information Protection Officer").
2. The Chief Executive Officer shall be selected by the Board of Directors from among the Directors.
Personal Information Protection Manager
Article 5 The University shall appoint a Personal Information Protection Manager (hereinafter referred to as the "Manager") to assist and divide the duties of the Chief Executive Officer.
2. The duties of the Administrator shall be governed by these Regulations and the Detailed Implementation Regulations of Article 27.
Trustees
Article 6 The University shall establish an Information Management Committee (hereinafter referred to as the "Committee") to deliberate important matters related to the protection of personal information.
2. The Committee will request reports from the Chief Executive Officer and the Manager regarding the handling of personal information and illegal activities, conduct investigations, and provide necessary advice, recommendations, and instructions.
3. Other regulations concerning the Committee will be determined separately.
Restrictions on personal information use purposes
Article 7 When handling personal information, the University must specify the purpose of use as specifically as possible.
2. The University may change the purpose of use of personal information to the extent that it is reasonably deemed relevant to the purpose of use prior to the change.
3. The University shall not handle personal information beyond the scope necessary to achieve the specified purpose of use without the prior consent of the individual.
4. When the University acquires personal information as a result of taking over the business of another personal information handling business due to a merger or other reason, the University shall not handle the personal information beyond the scope necessary to achieve the purpose of use of the personal information prior to the succession without obtaining the prior consent of the individual.
5. Paragraphs 3 and 4 shall not apply in any of the following cases:
(1) When required by law
(2) When it is necessary for the protection of an individual's life, body, or property and it is difficult to obtain the individual's consent.
(3) When the information is particularly necessary for the improvement of public health or the healthy development of children and it is difficult to obtain the individual's consent.
(4) When it is necessary to cooperate with a national government agency, a local government, or a person commissioned by them in carrying out business prescribed by law, and obtaining the individual's consent is likely to impede the performance of said business.
Appropriate Acquisition of Personal Information
Article 8 When acquiring personal information, the University must do so by appropriate and fair means and to the extent necessary to achieve the purpose of use.
2. Sensitive personal information must not be obtained without the prior consent of the individual, except in the following cases:
(1) When required by law
(2) When it is necessary for the protection of a person's life, body or property and it is difficult to obtain the individual's consent.
(3) When it is particularly necessary for the improvement of public health or the promotion of healthy child development and it is difficult to obtain the consent of the individual.
(4) When it is necessary to cooperate with a national government agency, local government entity, or a person commissioned by them in carrying out duties prescribed by law, and obtaining the individual's consent is likely to impede the performance of those duties.
(5) When the sensitive personal information in question has been made public by the person himself/herself, a national government agency, a local government, a news organization, a professional writer, a university or other academic research institution, a religious organization, a political organization, or a foreign government, etc.
(6) When acquiring sensitive personal information that is obvious from its appearance by visually inspecting or photographing the individual
(7) When receiving sensitive personal information that is personal data in the cases listed in Article 13, paragraph 2.
Notification of purpose of use at the time of acquisition
Article 9 When the University acquires personal information, it must promptly notify the individual of the purpose of use or publicly announce the purpose of use, unless the individual has already been notified of the purpose of use or the purpose of use has already been publicly announced.
2. Notwithstanding the provisions of the preceding paragraph, when obtaining personal information of an individual directly from that individual in writing (including electromagnetic records), the purpose of use shall be clearly indicated to that individual in advance, except in cases where there is an urgent need to protect the life, body, or property of a person.
3. If the purpose of use is changed, the changed purpose of use will be notified to the individual or made public.
4. The provisions of the preceding three paragraphs shall not apply in the following cases:
(1) When there is a risk of harming the life, body, property or other rights and interests of the individual or a third party by informing the individual of the purpose of use or by making the purpose public.
(2) If there is a risk of infringing the rights or legitimate interests of the University by informing the individual of the purpose of use or by making the purpose public.
(3) When it is necessary to cooperate with a national government agency or a local public entity in carrying out legally required business, and informing the individual of the purpose of use or making it public would be likely to impede the performance of said business.
(4) When the purpose of use is deemed clear given the circumstances of acquisition.
Management of personal data
Article 10 The person with responsibility and the administrator must keep personal information accurate and up-to-date in order to achieve the purpose of the business that handles personal data.
2. The person in charge and the administrator must take necessary measures to prevent the leakage, loss, or damage of personal data.
3. Personal data must be promptly destroyed or erased after the expiration of the specified retention period.
Supervision of faculty and staff
Article 11 In order to ensure the safe management of personal data, the Head of Department and the Administrator will provide necessary and appropriate instructions and supervision to faculty and staff who handle personal data.
Supervision of contractors
Article 12 When the University outsources all or part of its work involving the handling of personal data to an outside party, it must select a contractor that is deemed to have taken sufficient measures to protect the personal data entrusted to it, and must provide necessary and appropriate supervision to the contractor.
2. When carrying out the supervision under the preceding paragraph, the Manager shall prescribe the following items in the entrustment contract, etc. However, this does not apply to items that are deemed unnecessary to state due to the content or nature of the entrustment.
(1) Matters concerning clarification of the person who will handle personal data at the entrusted party
(2) Details of safety control measures to be taken by the contractor
(3) Prohibition of processing of personal data (except within the scope of the entrustment contract), falsification, copying or duplication (except within the scope of the entrustment contract, such as for the purpose of backup necessary for safety management)
(4) Matters concerning confidentiality of the entrusted party
(5) Matters concerning the possibility of re-entrusting entrusted personal data and the conditions, etc.
(6) Matters concerning the return of personal data or its destruction or deletion by the entrusted party after the termination of the entrustment contract
(7) Matters concerning compensation for damages and other measures in the event that the contents of the consignment contract are not observed
(8) Matters concerning reporting obligations and responsibilities in the event of a leak or other incident of personal data occurring at a trustee
(9) Matters concerning the period of the contract, etc.
Restrictions on provision to third parties
Article 13 Except in the following cases, the University shall not provide personal information to a third party without the prior consent of the individual.
(1) When required by law
(2) When it is necessary for the protection of a person's life, body or property and it is difficult to obtain the individual's consent.
(3) When it is particularly necessary for the improvement of public health or the promotion of healthy child development and it is difficult to obtain the consent of the individual.
(4) When it is necessary to cooperate with a national government agency, local government entity, or a person commissioned by them in carrying out duties prescribed by law, and obtaining the individual's consent is likely to impede the performance of such duties.
2. In the cases listed below, the recipient of the personal data shall not be considered a third party under these regulations.
(1) When entrusting all or part of the handling of personal data to a third party within the scope necessary to achieve the purpose of use
(2) When personal data is provided in connection with business succession due to a merger or other reasons.
(3) When personal data is jointly used with a specific person, the individual is notified in advance or the information is made readily available to the individual as to that effect, the items of personal data to be jointly used, the scope of those jointly using the data, the purpose of use by those using the data, and the name or title of the person responsible for the management of the personal data.
(4) If the University changes the name or title of the person responsible for the purpose of use of the personal data of the user or the management of the personal data set forth in paragraph 3 of the preceding article, the University must notify the individual of the changes in advance or make such changes readily available to the individual.
Restrictions on provision to third parties in foreign countries
Article 14 The University may provide personal data to a third party in a foreign country (a country or region outside Japan; the same applies below) only in the following cases:
(1) When the individual has given prior consent to providing the information to a third party in a foreign country
(2) When measures are ensured between the University and a third party in a foreign country regarding the handling of personal data by the third party in question in an appropriate and reasonable manner in accordance with the purpose of the Personal Information Protection Act.
(3) When a third party in a foreign country is certified based on an international framework regarding the handling of personal information
(4) When any of the items of paragraph 1 of the preceding Article applies.
(5) If the foreign country is recognized by the Personal Information Protection Commission of the Cabinet Office as having a personal information protection system equivalent to that of Japan.
Creation of records related to third-party provision, etc.
Article 15 When the University provides personal data to a third party (national government organizations, local public entities, independent administrative institutions, etc., local independent administrative institutions; the same applies hereinafter in this Article), the University must promptly create a record of the date of the provision of the personal data, the name or title of the third party (if the data is provided to an unspecified number of people, to that effect), the name of the person identified by the personal data, etc., the fact that the consent of the person in question has been obtained (excluding the so-called opt-out case), and the items of the personal data. However, this does not apply if the provision of the personal data falls under any of the items of Article 13, Paragraph 1 or 2 (or any of the items of Article 13, Paragraph 1 in the case of the provision of personal data pursuant to the provisions of the previous Article).
2. The personal information handling manager must retain the records referred to in the preceding paragraph for three years from the date on which the records were created.
Confirmation when receiving information from a third party
Article 16 When the University receives personal data from a third party, it must confirm the following items by appropriate means, such as receiving a declaration from the third party. However, this does not apply if the provision of the personal data falls under any of the items of Article 13, Paragraph 1 or 2.
(1) The name or title and address of the third party, and if the third party is a corporation, the name of its representative (or, if the third party is an unincorporated organization that has a representative or manager, the name of the representative or manager).
(2) How the third party acquired the personal data
2. When the personal information handling manager has conducted the confirmation pursuant to the provisions of paragraph 1, he/she must promptly prepare a record each time he/she receives personal data, which record includes the date on which the personal data was received, the name, address and representative name of the third party who provided the personal data, how the third party acquired the personal data, the fact that consent has been obtained from the person identified by the personal data (if personal data was received by opting out, that fact has been made public), and the items of the personal data.
3. The personal information handling manager must retain the records referred to in the preceding paragraph for three years from the date on which the records were created.
Disclosure of held personal data
Article 17 With regard to personal data held by the University, the University will post the following items on its website etc. and make them available to the individual (including cases where the University will respond to the individual's request without delay).
(1) Name of the university
(2) Purpose of use of all retained personal data (excluding cases falling under Article 9, Paragraph 4, Items 1 to 3)
(3) Procedures for responding to requests for notification of the purpose of use of retained personal data, requests for disclosure, requests for correction, etc., or requests for suspension of use, etc.
(4) Contact point for complaints and inquiries regarding the handling of retained personal data
Request for notification of purpose of use
Article 18 An individual may request to be notified of the purpose of use of the personal data held about that individual. A request may also be made by a representative.
2. Requests under the preceding paragraph must be made to the General Manager, clearly indicating the identity of the person in question or the agent by providing a student identification card, ID card, or written proof of authority to act on behalf of the student.
3. When the General Manager receives a request under paragraph 1, he/she must notify the individual of the purpose of use without delay. However, this does not apply in any of the following cases:
(1) When the purpose of use of the retained personal data is clear pursuant to Article 17
(2) Cases falling under Article 9, Paragraph 4, Items 1 to 3
4. When the general administrator decides not to notify the requested purpose of use of retained personal data, he/she must notify the individual to that effect without delay.
Disclosure of Information
Article 19 Faculty, staff, students, etc. may request the General Manager to disclose any retained personal data that can identify them.
2. When a request as described in the preceding paragraph is made, the Chief Executive Officer must disclose the information promptly.
Exceptions to disclosure
Article 20 Notwithstanding the provisions of the preceding article, the person in charge may refrain from disclosing retained personal data if any of the following items apply:
(1) When disclosure is deemed to be likely to harm the life, body, property, or other rights and interests of the individual or a third party.
(2) When disclosure is deemed to be likely to seriously impede the proper performance of the business of each organization.
(3) When disclosure would violate laws and regulations
(4) When there are other reasonable grounds equivalent to those listed above.
2. When the Person with General Affairs has decided not to disclose all or part of the retained personal data pertaining to a request made pursuant to the provisions of paragraph 1, or when such retained personal data does not exist, he/she shall clearly state the reason and promptly notify the person concerned.
Method of Disclosure
Article 21 The disclosure under the previous article shall be made by any of the following methods:
(1) For personal data held on paper, a copy of the relevant information shall be made available for inspection or provided.
(2) For personal data held and recorded on electronic media, a printed copy of that information will be made available for viewing or provided.
(3) In relation to personal data stored on other objects, we shall process such data in a manner equivalent to those set out above.
2. The costs associated with the disclosure may be charged to the applicant.
Correction of information, etc.
Article 22 If there is a factual error in the retained personal data that identifies them, faculty, staff, students, etc. may request the General Manager to correct, add, or delete it (hereinafter referred to as "correction, etc.").
2. When the General Manager receives a request under the preceding paragraph, he/she must promptly investigate the matter and make any corrections, etc. based on the results of that investigation.
3. When the person in charge has made corrections, etc. to retained personal data pursuant to the preceding paragraph, he/she shall promptly notify the individual.
4. If the Chief Administrator has a reasonable excuse for not making a correction, etc., he/she will clearly state the reason and promptly notify the individual.
Suspension of use of information, etc.
Article 23 A faculty member, staff member, student, etc. may request the suspension of use or deletion of the relevant information or the suspension of its provision to a third party (hereinafter referred to as "suspension of use, etc.") on the grounds that retained personal data that identifies the individual is being handled in violation of Articles 7, 8, or 10.
2. When the General Manager receives a request under the preceding paragraph, he/she must promptly investigate the matter and take appropriate measures, such as suspending use, based on the results of the investigation.
3. If retained personal data that can identify the individual is provided to a third party in violation of the provisions of Article 13, Paragraph 1 or Article 14, a faculty member, staff member, student, etc. may request that the University stop providing said retained personal data to a third party.
4. When the University receives a request pursuant to the provisions of the preceding paragraph and finds that the request is justified, the University must suspend the provision of the relevant retained personal data to a third party without delay, unless it would require a significant amount of expense to suspend the provision to a third party or it is otherwise difficult to suspend the provision to a third party and the University takes alternative measures necessary to protect the rights and interests of the individual.
5. When the person in charge has suspended the use of retained personal data pursuant to the preceding paragraph or has decided not to suspend the use, etc., he/she shall promptly notify the individual.
Appeal
Article 24 If faculty, staff, students, etc. have complaints about the handling of their personal data held by the Committee, they may file a complaint with the Committee.
2. When the Committee receives a complaint, it will promptly deliberate the matter and notify the person in question of the result.
Research Activities Exemption
Article 25 These regulations shall not apply when the University handles personal information for the purpose of academic research. However, even in such cases, the University must endeavor to take the necessary measures to ensure the appropriate handling of personal information, such as handling personal information in accordance with these regulations as much as possible.
Others
Article 26 Matters not stipulated in these regulations and the interpretation and application of these regulations shall comply with the Personal Information Protection Act and other relevant laws and regulations.
Implementation details
Article 27 Detailed implementation rules for these regulations shall be determined separately.
Revision and abolition of regulations
Article 28 Any amendment or repeal of these regulations will be made by the Board of Directors following a discussion by the Committee.
Revision and abolition of regulations
Article 29 If any faculty or staff member becomes aware of any violation of these regulations, he/she must immediately report it to the Head of Department and the Committee.
Supplementary Provisions
This regulation shall come into effect on April 1, 2005.
Supplementary Provisions
This regulation shall come into effect on April 25, 2005.
Supplementary Provisions
This regulation shall come into effect on April 1, 2016.
Supplementary Provisions
This regulation shall come into effect on July 27, 2020.