Personal Information Protection and Privacy

Policy on Personal Information Protection and Privacy

The NEC Group Code of Conduct stipulates respect for human rights and privacy and the management of personal information, and NEC has positioned “Provision and Utilization of AI with Respect for Human Rights (AI and Human Rights),” including personal information protection initiatives, as a priority management theme from an ESG perspective (materiality). From this perspective, we work to prevent privacy-related issues stemming from the handling of personal information, in addition to undertaking other personal information protection measures.

Personal Information Protection

In October 2005, NEC Corporation received PrivacyMark certification, recognizing it as a business operator with systems in place to ensure appropriate protection measures for personal information in conformance with Japanese industrial standard JIS Q 15001 (personal information protection management systems—requirements). Since receiving the certification, we have stipulated within the NEC Privacy Policy that personal information must be handled in accordance with JIS Q 15001 standards.

NEC Corporation has also built an implementation framework for personal information protection and a personal information protection management system in compliance with the Act on the Protection of Personal Information and JIS Q 15001. Our personal information protection management system includes the creation of a manual for personal information protection (including personal data safety management measures, a prohibition on secondary use of personal information without prior consent of the person in question, and respect for that person’s rights to access, amend, and delete their personal information).
Furthermore, we enter into agreements requiring compliance with these standards with third parties with which we share data or to which we outsource the handling of data. Also, we have established escalation rules and emergency response procedures to be followed in the event of incidents such as personal information leaks or mishandling of data.
Each consolidated subsidiary in Japan sets out its personal information protection policies using NEC Corporation’s Privacy Policy as the standard. International subsidiaries set their policies to conform with the applicable local laws of their respective countries, and those policies are then checked by NEC.

Medium- to Long-term Targets, Priority Activities and Progress, Achievements, and Issues

Medium- to Long-term Targets and Priority Activities

(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026

  1. Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in Japan and abroad
  2. Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers

FY2023 Goals, Progress, Achievements and Issues, and FY2024 Goals

FY2023 Goals

  1. Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in Japan and abroad
    • Establish the Center of Excellence (CoE) group in the Company’s Risk and Compliance Departments to supervise data compliance at international subsidiaries
    • Finish rebuilding personal information protection system and assign Privacy Compliance Supervisors to international subsidiaries that handle high-risk personal information in accordance with the personal information protection guidelines for international consolidated subsidiaries
    • Implement training and education for Privacy Compliance Supervisors assigned to international consolidated subsidiaries
    • Expand the number of subsidiaries based in Japan that have assigned Personal Information Protection Administrators and Personal Information Protection Professionals, and that have introduced the new personal information protection management ledger system
  2. Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
    • Continue the training and education of Personal Information Protection Administrators and Personal Information Protection Professionals assigned to all business divisions

Progress, Achievements and Issues

  1. Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in Japan and abroad
    • Established the Center of Excellence (CoE) group in the Company’s Risk and Compliance Departments at the head office to supervise data compliance at international subsidiaries
    • Finished rebuilding the personal information protection system and assigned Privacy Compliance Supervisors to international subsidiaries that handle high-risk personal information in accordance with personal information protection guidelines for international consolidated subsidiaries
    • Implemented training and education for Privacy Compliance Supervisors assigned to international consolidated subsidiaries
    • Assigned Personal Information Protection Administrators and Personal Information Protection Professionals, and completed introduction of the new personal information protection management ledger system at five domestic subsidiaries
  2. Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
    • Implemented the following training and education programs throughout the year for Personal Information Protection Administrators and Personal Information Protection Professionals in all business divisions:
      (1) Basic course on personal information protection, including human rights and privacy education
      (2) Guidance through individual consultations
      (3) Basic course on the EU’s General Data Protection Regulation (GDPR)
      (4) Courses to acquire certifications in personal information protection

FY2024 Goals

  1. Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in Japan and abroad
    • Introduce new personal information protection management ledger system at major international consolidated subsidiaries
    • Continue to implement training and education for Privacy Compliance Supervisors assigned to international consolidated subsidiaries
    • Continue to implement training for employees at international consolidated subsidiaries
    • Assign Personal Information Protection Administrators and Personal Information Protection Professionals, and complete introduction of the new personal information protection management ledger system at major subsidiaries in Japan
  2. Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
    • Continue the training and education of Personal Information Protection Administrators and Personal Information Protection Professionals assigned to all business divisions

System for Personal Information Protection and Privacy

At NEC Corporation, the head of the department responsible for protecting personal information serves as the Personal Information Protection Administrator, the person in charge of implementing the personal information protection management system. This person is also responsible for protecting specific personal information related to the Social Security and Tax Number System.

The Risk and Compliance Departments play a central part in promoting the protection of personal information within the NEC Group under the leadership of the head of the Personal Information Protection Promotion Bureau appointed by the Personal Information Protection Administrator.

In addition, the Chief Personal Information Protection Auditor is assigned to the Group’s Corporate Auditing Bureau to conduct regular audits of privacy protection in conformance with JIS Q 15001.

The general managers of each business division are responsible for directing personal information protection in their respective divisions. Each appoints a division personal information protection manager, who is responsible for carrying out personal information protection management for the division, and a personal information protection professional, who possesses expert insight regarding personal information protection. The personal information protection management system operates through each division inspecting the status of personal information handling to identify risks, including human rights and privacy issues, and improving handling rules based on the inspection results.

The person responsible for each project ensures that persons who handle personal information undertake thorough personal information protection measures.

Consolidated Subsidiary Management Framework

At our consolidated subsidiaries in Japan, we have built systems to comply with the Act on the Protection of Personal Information and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (also known as the My Number Act), which is related to the numbers used to identify individual residents of Japan for administrative procedures. We have also built personal information protection management systems to conform with JIS Q 15001, which is a PrivacyMark requirement, to match those which were built for NEC Corporation, and we use these systems to promote the protection of personal information. Furthermore, 15 consolidated subsidiaries in Japan have acquired PrivacyMark certification as of March 31, 2023.

At our consolidated international subsidiaries, we are tackling compliance with the laws and regulations in each jurisdiction as a matter of course, and we have appointed a Privacy Compliance Supervisor at each of our major subsidiaries to promote the protection of personal information.

Management of Personal Information

Internal Measures (Including the Establishment of Regulations for Personal Information Protection)

  • NEC Corporation runs the Personal Identifiable Information Control System, a ledger-based system to manage personal information and make its management more transparent.
    We have documented standard procedures and operate a personal information protection management system at NEC Corporation and its consolidated subsidiaries in Japan. Also, as necessary, operational rules are created at the individual company and division level and by type of personal information and are rigorously enforced.
  • To raise awareness of personal information protection and information security in general, the Basic Rules for Handling Customer-Related Work and Trade Secrets have been established, and NEC Corporation rigorously informs all employees about these rules.
  • We have not received any claims or complaints regarding invasion of the privacy of customers from any third party organizations, including Japan’s Ministry of Economy, Trade and Industry, which is the ministry overseeing personal information protection, and the Personal Information Protection Commission of Japan.

Personal Information Management Initiatives Abroad

  • We appoint Privacy Compliance Supervisors at our consolidated international subsidiaries to maintain a global management framework. At the same time, we create personal information management ledgers at each subsidiary to have an understanding of the information being handled by each company and the risks involved. We also work to ensure that the procedures to manage these risks, as well as common safety measures that need to be observed, are disseminated thoroughly.
  • We also ensure that consolidated international subsidiaries implement personal information management rules that comply with personal information protection laws and regulations in the country or region in question, as well as any applicable laws and regulations from outside the country or region in question. In addition, NEC Group companies obtain individual consent, based on the laws and regulations in each country or region, to facilitate any cross-border transfer of personal information for employees or otherwise, and enter into any required data transfer contracts to enable the cross-border transfer of personal data between Group companies in Japan and abroad and the processing of personal data.

Measures for Customers and Business Partners

  • NEC Corporation and its consolidated subsidiaries in Japan establish data protection standards (such as personal data safety management measures) for contractors that handle personal information, enter into agreements requiring compliance with these standards with contractors with which data is shared, and require contractors to conduct privacy management equivalent to that of the NEC Group.
  • We request the contractors engaged in work for NEC Corporation or its consolidated subsidiaries in Japan to submit a pledge on the Basic Rules for Customer-Related Work and to have their employees take an online test to verify their knowledge. These steps help ensure rigorous management of personal information.
  • We make sure to handle My Number data carefully and securely, as it is classed as Specific Personal Information in compliance with personal information protection laws in Japan. We deploy technical measures such as controlling access, blocking unauthorized external access, and preventing information leaks, while moving forward with initiatives to maintain sufficient privacy protection levels in each system.

Monitoring and Improvement

NEC Corporation appropriately manages personal information by executing plan–do–check–act (PDCA) cycles on an autonomous basis through various inspection activities.

Also, NEC Corporation and its consolidated subsidiaries in Japan conduct regular internal audits based on internal audit check items stipulated in JIS Q 15001. Furthermore, for operations related to the handling of My Number data, we use security control measure check sheets prepared based on Japan’s guidelines for the My Number Act and self-check sheets during re-entrustment in order to monitor divisions and subcontractors handling My Number data.

Verification of the Operation of Information Security Measures

  • The implementation status of security measures carried out by all employees is verified once a year. If there are cases of non-compliance, improvement plans are formulated and carried out at the organization level.

Verification of the Status of Personal Information Management

  • Control forms registered in the Personal Identifiable Information Control System are reviewed at least once a year to confirm the status of personal information management.
  • In addition, once a year the general managers of each department implement management reviews to confirm the status of personal information management, enabling corrective action to be taken as needed, and to maintain appropriate management conditions.

Verification of Operations During Emergencies

  • Operation of the above information security measures is thoroughly reviewed as the need arises, in the event of an incident involving the loss, outflow or leak, etc., of personal information.

Details of Personal Information Protection-Related Incidents, Accidents, or Complaints, and Measures Taken

In fiscal 2023, there were no incidents involving the loss, outflow or leak, etc., of personal information at NEC, and no incidents involving secondary use of personal information without prior consent of the person in question.

The number of external complaints regarding personal information in fiscal 2023 was zero.

Response to Requests from National Governments for Personal Information Provision

If NEC Corporation’s business divisions are requested by a government or law enforcement agency of a country to provide personal information that the Company holds, the general manager of the division that receives the request reports to and consults with the Personal Information Protection Administrator as necessary. In such cases, the Personal Information Protection Administrator reports to and consults with the executive officer in charge of personal information protection and management. Premised upon respect for the human rights of the person in question, the Company will then determine the necessity of providing such information and undertake the appropriate procedures and measures pursuant to the applicable laws.

Personal Information Protection Training and Awareness-Raising

Training for All Officers and Employees (NEC Corporation)

The Company conducts web-based information security training once a year. (Completion rate of Companywide training in fiscal 2023: 98%)

Education for Personal Information Protection Professionals (NEC Corporation, All Divisions)

  • Textbooks have been prepared on risk management in the handling of personal information, in addition to education through 16 lectures.
  • Courses aimed at acquiring personal information protection qualifications
  • Held course for dealing with the Act in practice (12 times)
  • Held basic course on the EU’s General Data Protection Regulation

Training for Newly Hired Employees and Transferred Employees (NEC Corporation and its Consolidated Subsidiaries in Japan)

  • In fiscal 2023, created a textbook on personal information protection as an introductory training material; used textbook to train newly hired and transferred employees
  • When there is a request from a department, or when it is otherwise deemed necessary by the Personal Information Protection Promotion Bureau, awareness training is conducted as appropriate at individual departments or consolidated subsidiaries in Japan.

Privacy in Business Activities

PrivacyMark

The General Data Protection Regulation (GDPR), which came into effect in the European Economic Area in 2018, is one example of the privacy protection laws and regulations currently being established in several countries and regions. As enforcement of these laws and regulations becomes more stringent, the roles and responsibilities placed on companies to protect privacy are increasing.

NEC Corporation aims to maximize social value and minimize the negative impact on society by developing and providing products and services with consideration for privacy issues, which may be perceived differently depending on the country, region or culture, and also with consideration for discrimination and other human rights issues that could be exacerbated with the use of AI. To clarify our stance, the NEC Group Code of Conduct and NEC Group AI and Human Rights Principles stipulate that business activities aimed at resolving social issues using ICT must not give rise to human rights issues, including invasion of privacy.

NEC Corporation acquired PrivacyMark certification in October 2005 and subsequently renewed it for the ninth time in October 2021. As of the end of March 2022, NEC Corporation and its 31 affiliated companies have obtained this certification. In principle, we forbid acquiring information that could have an economic impact such as bank account or credit card numbers, sensitive information such as one’s birthplace, or highly private information such as mobile telephone numbers without the prior consent of the person in question.

Response in an Emergency Such as Leakage of Personal Information

NEC maintains systems for responding swiftly if an incident occurs involving the loss, outflow or leak, etc., of personal information. If an incident should occur, the response is coordinated quickly and systematically based on standardized procedures. Specifically, if an incident occurs related to personal information or an event takes place for which the occurrence of such an incident is a possibility, the discoverer or the employee involved in the incident contacts their manager and the NEC Group contact desk for information security incidents.

The person at the contact desk then coordinates the necessary response with the related divisions that make up the Personal Information Protection Promotion Bureau and relevant divisions in accordance with applicable laws, ordinances, ministry guidelines, and other regulations, taking into account the risk for infringing on the rights and interests of the people involved. These responses may include promptly notifying the people involved, making a public announcement, and taking corrective measures appropriate to the incident.