My Number Act (Japan)
About the My Number Act
The Japanese government enacted the My Number Act (Japanese and English), which took effect in January 2016. It assigned a unique 12-digit number — called My Number, or the Social Benefits and Tax Number or Individual Number — to every resident of Japan, whether Japanese or foreign. Giving each person one number for all purposes (like the US Social Security number) was designed to simplify and make more efficient taxation and the implementation of social benefits such as the national pension, medical insurance, and unemployment.
The Personal Information Protection Commission (PPC), which acts as the centralized data protection authority, was established by the Act on the Protection of Personal Information (Japanese and English). In the PPC's role of supervising and monitoring compliance with the My Number Act, it has issued My Number Guidelines (Japanese) to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law.
Microsoft and the My Number Act
To help our Japanese customers protect the privacy of personal data, Microsoft contractually commits through the Microsoft Online Services Terms that our in-scope business cloud services have implemented the technical and organizational security safeguards that help our customers comply with the My Number Act. This means that customers in Japan can deploy Microsoft business cloud services with the confidence that they can comply with Japanese legislative requirements.
The Q&A (Japanese) published by the Personal Information Protection Commission (PPC) sets forth guidelines for the appropriate handling and protection of personal information. It provides that a third party is not construed as handling personal data if the third party stipulates in its agreement that (a) it does not do so, and (b) it establishes a proper access control system. The My Number Act specifies obligations when data is transferred to a third party, but section Q3-12 (Japanese) of the PPC Q&A explains that these do not apply if the third party does not 'handle' — that is, have standing access to — personal data.
Microsoft business cloud services address those requirements in the Microsoft Online Services Terms, which stipulate that the ownership of and responsibility for customer data that contains My Number data lie with our customers, not Microsoft. The customer, therefore, must have appropriate controls in place to protect My Number data contained in customer data.
Because Microsoft does not have standing access to My Number data stored in its cloud services, an 'outsourcing' contract for handling My Number data is not required. If a customer wants Microsoft to have access to customer data that contains My Number data, the customer must create an additional outsourcing contract with Microsoft for every case before making such a request.
The terms also state that Microsoft commits to use customer data only to provides services to the customer — not for any advertising or similar commercial purposes — and that Microsoft has robust access control systems in place.
Regarding security concerns, Microsoft business cloud services meet the Cloud Security Mark (Gold) standard, the first Japanese security accreditation for cloud service providers.
Therefore, Microsoft business cloud services support My Number Act requirements and do not create any additional obligations under the act for customers, such as consent from an individual owner of personal data.
Microsoft in-scope cloud services
How to implement
Microsoft Security Policy: How Microsoft handles the security of personal and organizational information in its cloud services.
Privacy in Office 365: How Microsoft builds strong privacy protections into Office 365.
Admin Access in Office 365: How Microsoft manages administrative access to customer data.
Audits & Reports in Office 365: Explore the features customers can use to track user and administrative activity within their tenant.
Data Retention in Office 365: Understand the data handling policy for how long customer data is retained after being deleted.
Frequently asked questions
Who is ultimately responsible for protecting personal data under the My Number Act?
Section Q3-13 (Japanese) of the PPC Q&A states that because the ownership of personal data lies with Microsoft customers, they are required to take appropriate security measures, such as controlling administrator passwords, to protect personal information and My Number data.