The schedule for delivering My Number IDs to individuals’ home address has been delayed. Information from news reports indicate that some incidents have occurred during the delivery stage. Nevertheless, we believe that companies are continuing to prepare for the upcoming implementation of My Number as per the original schedule.
Considering the severity of penalties that apply to a breach of the My Number system, each company must at least set some internal guideline around how to securely manage the IDs in order to protect the company and its employees, who are responsible for the ID administration, from implications of a breach.
The Cabinet Office states on the official website 3 important strategies for managing security of My Number. They are (1) human security management strategy, (2) physical security management strategy, and (3) technical security management strategy. In order to clarify the basic idea and the overall structure of the My Number system, we strongly recommend that companies set their own rules around how to implement strategies to securely manage My Number IDs and discuss the actual implementation of these strategies among the relevant internal departments in their company.
When the Personal Information Protection Law (PIPL) was released, a standard template was issued by the respective government office. Each company could then use the template as template to create their own PIPL guideline. However, at this time, no template has been released for My Number by neither the Cabinet Office nor other government offices. It is said that creating a standard template was once considered but the discussion has been discontinued.
It is important to keep the My Number policy separate from the company’s Rules of Employment. This way, a meeting with the employees’ representative or a submission of the guideline to the Labor office will not be required, and companies can voluntarily revise the guideline anytime.
The My Number policy is for internal use and is shared with employees only. However, there may be a time in the future where companies will need to obtain My Number IDs from non-employees too. It is thus strongly recommended to think ahead and also create some basic guideline on how to deal with this now. Ways of making these guidelines available could be by posting them to an internal website or to nominate a contact person within the company who can be contacted to address any inquiries from employees and non-employees.
PMP has created a basic guideline (for websites) and an internal policy document that can be used to address employees. We will provide these to clients who have an advisory contract with PMP. Non advisory clients that are interested in the guidelines or policy document can contact us directly. We will be happy to assist you.