Available in VPC
By default, Data Box Frame is configured for handling anonymous data. To handle pseudonymous data, you must follow separate regulations, which this page describes.
Responsibility for compliance with the handling of pseudonymous data
The responsibility for compliance with pseudonymous data regulations falls to customers who utilize Data Box Frame. Data Box Frame provides features that may assist in compliance.
Regulations for handling pseudonymous data
Regulations for handling pseudonymous data can be largely summarized as shown in the table below.
| Legal requirements to be followed by customers for the handling of pseudonymous data | Matters requiring response |
|---|---|
| Article 8 of Standards for ensuring the safety of personal information (Storage and inspection of access records) ① The personal information manager (customer) shall keep and manage the record of access to the personal information processing system by the personal information manager (customer) for at least 1 year. Article 5 of Standards for Technical and Administrative Protection of Personal Information (Prevention of Forgery and Alteration of Access Records) ① The information and communication service provider, etc. shall regularly check and supervise the record of access to the personal information processing system by the personal information handler at least once a month. Access records must be preserved and managed for at least 1 year to check for system abnormalities. Article 20 of Credit Information Supervision Regulations (Criteria for Preparation of Technical, Physical, and Administrative Security Measures) [Appendix 3] 2. Prevention of forgery and alteration of access records Credit information companies, etc. store the access records of the personal credit information processing system for at least 1 year and keep them backed up in a separate storage device to prevent forgery or alteration. | Collection and storage of access logs by server |
| Article 8 of Standards for ensuring the safety of personal information (Storage and inspection of access records) ③ The personal information manager shall keep the relevant access records safely to prevent forgery, alteration, theft, and loss of the personal information handler's access records. Article 5 of Standards for Technical and Administrative Protection of Personal Information (Prevention of Forgery and Alteration of Access Records) ③ Information and communication service providers, etc., are required to keep access records of personal information handlers in a separate physical storage device to protect them from unauthorized access and alteration, and to perform regular backups of such records. Article 5 of Standards for measures to ensure the safety of personal information (Management of access rights) ③ According to Paragraphs 1 and 2, the personal information manager must keep a record of the details of granting, changing, or canceling authority for a minimum of 3 years. | Long-term storage of access logs (at least 3 years) |
| [ISMS-P 2.11.2 Vulnerability Check and Measures] The vulnerability of an information system should be checked regularly, and action should be taken promptly if a vulnerability is discovered. | Server vulnerability check (at least once a year) |
| Article 9 of Standards for measures to ensure the safety of personal information (Prevention of malicious programs, etc.) A personal information manager shall install and operate security programs such as vaccine software that can prevent and treat malicious programs, etc. Article 7 of Standards for Technical and Administrative Protection of Personal Information (Prevention of malicious programs, etc.) Information and communication service providers, etc. shall install and operate security programs such as vaccine software that can prevent and cure malicious programs, etc. Article 20 of Credit Information Supervision Regulations (Criteria for Preparation of Technical, Physical, and Administrative Security Measures) [Appendix 3] 4. Preventing computer viruses Credit information companies, etc. install vaccine software so that the personal credit information processing system and the information processing device used by personal credit information handlers to process personal credit information can always be inspected and repaired for infiltration of malicious programs such as computer viruses and spyware. | Run antivirus software for server security |
| Article 12 of standards for measures to ensure the safety of personal information (safety measures in preparation for disasters) ② The personal information manager shall prepare a plan for backing up and restoring the personal information processing system in the event of a disaster. Article 28-3 of Credit Information Supervision Regulations (data specialized institutions) [Attached Table 7] ※ In case of using DataBox Frame for data combination Equipped with the following information processing information communication facilities (2. Backup and recovery system) | Backup of important information |
Note
The detailed regulations are set out in the Personal Information Protection Act and the Protection of Credit Information Act.
- Personal Information Protection Act
  - Guidelines for handling pseudonymous information
  - Personal (technical and managerial protection measures for pseudonymous information)
  - Measures to secure the stability of personal (pseudonym) information
- Protection of Credit Information Act
  - Requirements for facilities/equipment, manpower/organization, financial ability, etc. of data specialized institutions
  - Regulations on Supervision of Credit Information Business - Standards for Protection of Pseudonymous Information