My Number Act (Japan)

About the My Number Act

The Japanese government enacted the My Number Act (Japanese and English), which took effect in January 2016. It assigns a unique 12-digit number, called My Number (also known as the Social Benefits and Tax Number or Individual Number), to every resident of Japan, Japanese and foreign alike. Giving each person one number for all purposes (like the US Social Security number) was designed to simplify and streamline taxation and the administration of social benefits such as the national pension, medical insurance, and unemployment insurance.

The Personal Information Protection Commission (PPC), which acts as the centralized data protection authority, was established by the Act on the Protection of Personal Information (Japanese and English). In the PPC's role of supervising and monitoring compliance with the My Number Act, it has issued My Number Guidelines (Japanese) to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law.

Microsoft and the My Number Act

To help our Japanese customers protect the privacy of personal data, Microsoft contractually commits through the Microsoft Online Services Terms that our in-scope business cloud services have implemented the technical and organizational security safeguards that help our customers comply with the My Number Act. This support means that customers in Japan can deploy Microsoft business cloud services with the confidence that they can comply with Japanese legislative requirements.

The Q&A (Japanese) published by the Personal Information Protection Commission (PPC) sets forth guidelines for the appropriate handling and protection of personal information. It provides that a third party is not construed as handling personal data if the third party stipulates in its agreement that (a) it does not do so, and (b) it establishes a proper access control system. The My Number Act specifies obligations when data is transferred to a third party, but section Q3-12 (Japanese) of the PPC Q&A explains that these requirements do not apply if the third party does not 'handle', that is, have standing access to personal data.

Microsoft business cloud services address those requirements in the Microsoft Online Services Terms, which stipulate that the ownership of and responsibility for customer data that contains My Number data lie with our customers, not Microsoft. The customer, therefore, must have appropriate controls in place to protect My Number data contained in customer data.

Because Microsoft does not have standing access to My Number data stored in its cloud services, an 'outsourcing' contract for handling My Number data is not required. If a customer wants Microsoft to access customer data that contains My Number data, the customer must create another outsourcing contract with Microsoft for every case before making such a request.

The terms also state that Microsoft commits to use customer data only to provide services to the customer, not for any advertising or similar commercial purposes, and that Microsoft has robust access control systems in place.

Regarding security concerns, Microsoft business cloud services meet the Cloud Security Mark (Gold) standard, the first Japanese security accreditation for cloud service providers.

Therefore, Microsoft business cloud services support My Number Act requirements and do not create any other obligations under the act for customers, such as consent from an individual owner of personal data.

Microsoft in-scope cloud platforms & services

Office 365 and the My Number Act

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability: Commercial
In-scope services: Azure Active Directory, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Defender for Office 365, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Yammer Enterprise

How to implement

Frequently asked questions

Who is ultimately responsible for protecting personal data under the My Number Act?

Section Q3-13 (Japanese) of the PPC Q&A states that because the ownership of personal data lies with Microsoft customers, they are required to take appropriate security measures, such as controlling administrator passwords, to protect personal information and My Number data.

Resources