PPC Introducing a Data Mapping Toolkit for Privacy Protection
The Personal Information Protection Commission (“PPC”), the data protection agency for Japan, recently published a data mapping tool kit (“Toolkit”) for privacy protection purposes. This article is to introduce the Toolkit and its methodology.
1. Overview
The Toolkit consists of three chapters – (1) Meaning of data mapping, (2) Items of the data mapping table, and (3) Confirmation and correction of the data mapping table.
The first chapter of the Toolkit (Meaning of data mapping) describes the significance and procedures of data mapping (including preparation, tabulation, checking and responding, updating of data), whilst the second chapter (items of the data mapping table) lists examples of data mapping table items together with explanations. The third chapter (confirmation and correction of the data mapping table) explains in detail, the necessary procedures following the creation of data mapping table.
2. Meaning of Data Mapping
The Toolkit defines that data mapping enables business operators to understand what data they are handling and allows business operators to check compliance with laws and regulations applicable to personal data, as well as to take necessary actions according to risks arising from the handling of personal data. Data mapping is also considered as a method used to secure personal data, which is required under Article 23 of the Act on the Protection of Personal Information (“APPI”).
The Toolkit uses the following steps as procedures for data mapping:
(1) Preparation
- Determining who is responsible for data mapping and which department is responsible
- Setting the purpose of data mapping
- Setting of the items to be mapped and the range of data to be mapped
- Creating the format of the data mapping table
- Determination of fillers in the data mapping table
(2) Creating and Filling the Data Mapping Table
- Filling out data mapping tables
- Confirmation of accuracy of the entries
(3) Confirming and Correcting the Data Mapping Table
- Confirming, revising and correcting the data mapping tables in accordance with the purpose of data mapping
(4) Updating the Data Mapping Table
- Occasional or periodic updates of the data mapping table
The Toolkit also suggests that business operators should determine the handling conditions according to the risks involved in the data and to enter such conditions in the data mapping table. For example, if the business operator has obtained consent from the principal to provide personal data to a third party but has not obtained consent to provide such personal data to foreign countries, the business operator should enter such conditions in the data mapping table.
3. Items of the data mapping table
The toolkit provides examples of data mapping items as using the cross-border transfer of personal data based on the APPI.
The following is a list of items listed in the Toolkit:
Basic information | Data name, department handling data, person responsible, number of individuals included in the data, data item, purpose of use, data classification (personal information, personal data (retained personal data), pseudonymously processed information, anonymously processed information, personally referable information), existence of special care-required personal, Name or attribute of principal, acquisition method, consent to third party provision |
Items related to personal information handling within business operators | (1) Basic Items on storage How data is stored, location of storage, storage period (2) Use and access by employee List or attribute of Employees who can use and access information, countries of employee (3) Cloud services Name of cloud service provider, country of cloud service provider, country of cloud server, contract information (4) Country where data is stored (in cases of in-house storage) |
Items related to personal information handled by outsourcers | (1) Basic Items of outsourcers Name of outsourcer, country of outsourcers, contract information, purpose and scope of outsourcing, whether outsourcers subcontract the handling of information (2) Storage by outsourcers How data is stored, location of storage (3) Use and access by employee List or attribute of Employees who can use and access information, countries of employee (4) Clouds services used by outsourcers Name of cloud service provider, country of cloud service provider, country of cloud server (5) Country where data is stored (in cases of storage by outsourcer) |
Items related to third party provision | Name of recipient, attributes of recipient (industry etc.), country of recipient, country of head office of recipients, contract information |
4. Confirmation and Correction of the Data Mapping Table
The purpose of data mapping is not the creation of a data mapping table per se, and the Toolkit requires that the data mapping table should be checked in accordance with the purpose of data mapping and the business operators to take actions (such as correcting the data mapping table, or review of the businesses using data) if necessary.
When using the data mapping tables to check compliance with the APPI on the cross-border transfer of personal data, the Toolkit suggests that business operators consider the following issues: (i) providing personal data to third parties in foreign countries (Article 28 of APPI), and (ii) handling of personal data in foreign countries (Article 23 and 32 of APPI). The toolkit provides a checklist to identify and check whether the legal requirements for the above issues are met.
The Toolkit also suggests the use of data mapping tables to identify risks arising from the data handling and to take necessary actions. The risks that may be identified by using the data mapping table include risks in the content of data, risks in storage, and risks in use.
Article provided by INPLP member: Satoshi Shono (MATSUDA & PARTNERS, Japan)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)