"Guideline For Protecting Personal Data"
In Electronic Network Management (Revised)

December 3, 1997
Electronic Network Consortium


The aim of these guidelines is to ensure that electronic networks develop in a well-structured way by providing all domestic online service providers, regardless of business aims, size or business methods, with a unified approach to managing and protecting personal data, so as to safeguard the rights of the online user.

It is intended that online service providers refer to these guidelines when designing their online services. In addition to pursuing their own business aims, it is important that they act to protect personal data belonging to network users.


(Subject of the guidelines)

The guidelines apply to anyone who handles personal data on electronic networks. Following is a list of relevant organizations:


  1. Collecting personal data
    When people or organizations that are the subject of these guidelines collect personal data as a prerequisite to providing a service, the necessity of collecting the data must be clearly established and only the data that is required to provide the service should be requested. Following are some examples of the type of membership data that should be requested:

  2. Considerations in collecting personal data
    The personal data must be collected by legal and fair means, and the consent of the individual concerned must be obtained.

  3. Personal information that cannot be collected
    Personal data in the following categories cannot be requested, used or provided, with the following exceptions: When the unambiguous consent of the individual concerned has been obtained, when a specific law allows for the collection, usage and provision of such data, or when the information is essential for a specific legal procedure.

  4. Use of personal data
    Use of personal data must be limited to the purposes for which the data was collected. However, the data may be utilized for other purposes when the individual concerned gives consent for this use. Organizations that are the subject of these guidelines should maintain the necessary systems. Following is an example of the systems where personal data can be considered necessary.

  5. Providing personal data
    Personal data must not be provided to any third party, except in the case where a third party has valid legal reasons and the consent of the individual concerned is obtained. Following are some examples:

  6. Request by a person to view their own data
    When disclosure of personal data is requested by the subject of the data, the data shall be provided after confirming the identity of the requester. The provider or the host of the electronic network should have in place a system to provide legitimate data promptly.

  7. Disapproval of the use of personal data
    When the individual disapproves of the provision to a third party of his/her personal data already held by the provider or host of an electronic network, the data should not be given to a third party, except in cases where the data must be given in order to fulfill the responsibility of the provider or host.

  8. Security of personal data
    Providers of electronic networks should have in place a suitable and effective security system to prevent leakage of data. They should keep personal data needed in fulfilling their business aims accurate and up-to-date.

  9. Managers of personal data
    Providers of electronic networks should appoint, as the person responsible for the proper management of personal data, a manager within the organization who understands the objectives of these guidelines and who is capable of carrying them out.


Providers of electronic networks should respect the aims of the guidelines and provide proper systems within the organization to protect personal data. The guidelines should be enforced among electronic network providers, and the Electronic Network Consortium will follow up on spreading the use of the guidelines and on user education.

e-mail address enc@nmda.or.jp
(c)1997 Electronic Network Consortium