1. Formulation of basic policy
A basic policy for “compliance of relevant laws, regulations, guidelines, and other rules,” “contact point for inquiries and complaints,” and the like will be formulated in order to ensure proper handling of personal data.
2. Organization of rules for handling personal data
Rules for handling personal data will be organized regarding the handling method, responsible person and persons in charge and their duties, and the like for each step of responses to acquisition, input, use, processing, storing, saving, transfer, transmission, deletion, destruction, leakage, and other events.
3. Organizational safety control measures
A person responsible for handling personal data will be appointed, employees in charge of handling personal data and the scope of personal data handled by the employees will be clarified, and a reporting line to the responsible person in the case of detection of an actual or potential breach of a relevant law or the handling rules will be set up.
4. Human security control measures
Matters to note in handling personal data will be informed to employees in regular trainings.
5. Physical security control measures
-
Measures will be implemented to control access by employees to and restrict devices, etc. brought into the area in which personal data is handled and to prevent browsing of personal data by unauthorized persons.
-
Measures will be taken to prevent theft, loss, or the like of devices, electronic media, documents, etc. used to handle personal data and measures will be implemented so that personal data is not easily found if any of those devices, electronic media, documents, etc. are carried to another place including a place within the relevant business facility.
-
At the time of destruction of personal data, the data will be deleted so that it will not be easily restored and the media containing or recording the data will be physically destroyed.
6. Technical security control measures
-
If personal data is handled using an information system (including personal computers and other devices) (including if personal data is transmitted to and from or otherwise processed with an external place through the internet or the like), the access will be appropriately controlled to limit persons in charge and the scope of database of personal data handled.
-
Whether or not each employee who attempts to use the information system handling personal data is a person authorized to access the data will be judged based on the results of authentication of his or her identification.
-
A mechanism to prevent the information system handling personal data from external unauthorized access or malware will be introduced.
-
Measures will be taken and appropriately conducted to prevent leakage or the like of personal data in connection with the use of the information system.
7. Understanding of external environment
The Company handles personal data in foreign countries. The Company will implement safety control measures based on its understanding of the legislation for protecting personal information in the foreign countries.