Personal Information Protection and Privacy
Governance
Implementation Framework for Personal Information Protection and Privacy
NEC has appointed a Chief Legal and Compliance Officer (CLCO) as the officer in charge of personal information protection, and has established the position of Personal Information Protection Administrator as well as the Personal Information Protection Promotion Bureau to promote personal information protection at the corporate level.
The head of the bureau responsible for protecting personal information serves as the Personal Information Protection Administrator and is the person in charge of implementing the personal information protection management system. This person is also responsible for protecting Specific Personal Information related to the Individual Number (My Number) System, the system of numbers used to identify a specific individual in administrative procedures.
The Risk Management and Compliance Departments play a central role in promoting the protection of personal information within the NEC Group under the leadership of the head of the Personal Information Protection Promotion Bureau appointed by the Personal Information Protection Administrator.
At the same time, the Chief Personal Information Protection Auditor is assigned to the Group Internal Audit Division to conduct regular audits of privacy protection in conformance with Japanese Industrial Standard JIS Q 15001 (Personal information protection management systems—Requirements).
The general managers of each business division are responsible for directing personal information protection in their respective divisions. Each general manager appoints a division Personal Information Protection Manager, who is responsible for carrying out personal information protection management for the division, and a Personal Information Protection Professional, who possesses expert insight regarding personal information protection. The personal information protection management system operates based on each division’s inspection of the status of personal information handling to identify risks, including human rights and privacy issues, and improvement in handling rules based on the inspection results.
The person responsible for each project ensures that persons who handle personal information undertake thorough personal information protection measures.
Consolidated Subsidiary Management Framework
Our consolidated subsidiaries in Japan have built systems to comply with the Act on the Protection of Personal Information and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (also known as the My Number Act). We have also built personal information protection management systems to conform with JIS Q 15001, which is a Privacy Mark requirement, to match those built for NEC Corporation, and we use these systems to promote the protection of personal information. Furthermore, 31 NEC Group subsidiaries in Japan had acquired Privacy Mark certification as of March 31, 2023.
At our consolidated subsidiaries outside Japan, we are tackling compliance with the laws and regulations in each jurisdiction as a matter of course, and we have appointed a Privacy Compliance Supervisor at each of our major subsidiaries to promote the protection of personal information.
Strategy
Policy on Personal Information Protection and Privacy
The NEC Group Code of Conduct stipulates respect for human rights and privacy and the management of personal information, and NEC has positioned “Provision and Utilization of AI with Respect for Human Rights (AI and Human Rights),” including personal information protection initiatives, as a priority management theme (materiality) from an ESG perspective. From this perspective, we are tackling the prevention of any privacy-related issues stemming from the handling of personal information, in addition to undertaking other personal information protection measures.
Personal Information Protection
In October 2005, NEC Corporation received Privacy Mark certification, recognizing it as a business operator with systems in place to ensure appropriate protection measures for personal information in conformance with JIS Q 15001. Since then, the NEC Privacy Policy has stipulated that personal information must be handled in accordance with JIS Q 15001.
In addition, the personal information management manual for our personal information protection management system, which complies with the Act on the Protection of Personal Information and JIS Q 15001, stipulates the following:
- When obtaining personal information from sources including documents, email, and websites, the person to whom the information pertains must be notified in advance in writing and the person’s consent must be obtained in writing.
- Measures for secure management of personal information.
- Prohibition of secondary use of personal information without the prior consent of the person to whom the information pertains.
- Respect for the rights of the person to whom the information pertains, including the rights to access, amend and delete their personal information.
We also enter into agreements with third parties with whom we share or to whom we entrust the handling of data, stipulating that these rules must be observed. Furthermore, we have established escalation rules and emergency response procedures in the event of a leak or inappropriate handling of personal information. Subsidiaries in Japan set their personal information protection policies using NEC Corporation’s Privacy Policy as the standard.
Subsidiaries outside Japan set their policies to conform with the applicable local laws of their respective countries, and those policies are then checked by NEC Corporation.
Risk Management (Including Opportunity Generation)
Management of Personal Information
Internal Measures (Including the Establishment of Regulations for Personal Information Protection)
- NEC Corporation runs the Personal Identifiable Information Control System, a ledger-based system to manage personal information and make its management more transparent. We have documented standard procedures and operate a personal information protection management system at NEC Corporation and its consolidated subsidiaries in Japan. Also, as necessary, operational rules are created at the individual company and division level and by type of personal information. Strict adherence to these rules is enforced.
- To raise awareness of personal information protection and information security in general, the Basic Rules for Handling Customer-Related Work and Trade Secrets have been established, and NEC Corporation rigorously informs all employees about these rules.
- We have not received any claims or complaints regarding invasion of the privacy of customers from any third-party organizations, including Japan’s Ministry of Economy, Trade and Industry, which is the ministry overseeing personal information protection, and the Personal Information Protection Commission of Japan.
Personal Information Management Initiatives outside Japan
- We appoint Privacy Compliance Supervisors at our consolidated subsidiaries outside Japan to maintain a global management framework. At the same time, we create personal information management ledgers at each subsidiary to gain an understanding of the information being handled by each company and the risks involved. We also work to ensure that the procedures to manage these risks, as well as common safety measures that need to be observed, are thoroughly disseminated.
- We require consolidated subsidiaries outside Japan to implement personal information management rules that comply with personal information protection laws and regulations in the country or region in question, as well as any laws and regulations from outside the country or region in question that apply extraterritorially. In addition, NEC Group companies obtain individual consent based on the laws and regulations in each country or region to facilitate any cross-border transfer of personal information for employees or otherwise and enter into any required data transfer contracts to enable cross-border transfer and processing of personal information between Group companies in and outside Japan.
Measures for Customers and Business Partners
- When outsourcing the handling of personal information, NEC Corporation and its consolidated subsidiaries in Japan establish safety management measures for contractors according to the risk involved, and stipulate in agreements with contractors with which data is shared that they must comply with these measures, thereby requiring privacy management equivalent to that of the NEC Group.
- We request that contractors engaged in work for NEC Corporation or its consolidated subsidiaries in Japan submit a pledge on the Basic Rules for Customer-Related Work and Trade Secrets, to help ensure rigorous management of personal information throughout the supply chain.
- We handle Individual Number (My Number) System data, the numbers used to identify a specific individual in administrative procedures, carefully and securely, as it is classed as Specific Personal Information under Japan’s personal information protection laws. We deploy technical measures such as access control, blocking unauthorized external access, and preventing information leaks, while moving forward with initiatives to maintain sufficient privacy protection levels in each system.
Monitoring and Improvement
NEC Corporation appropriately manages personal information by executing plan–do–check–act (PDCA) cycles on an autonomous basis through various inspection activities.
Also, NEC Corporation and its consolidated subsidiaries in Japan conduct regular internal audits based on the internal audit check items stipulated in JIS Q 15001. Furthermore, for operations that handle Individual Number (My Number) System data, we use security control measure checklists prepared on the basis of Japan’s guidelines for the My Number Act, together with self-checklists used at the time of re-entrustment, to monitor the divisions and subcontractors that handle Individual Numbers (My Numbers).
Verification of the Operation of Information Security Measures
- The implementation status of security measures carried out by all employees is verified once a year. If there are cases of non-compliance, improvement plans are formulated and carried out at the organization level.
Verification of the Status of Personal Information Management
- Control forms registered in the Personal Identifiable Information Control System are reviewed at least once a year to confirm the status of personal information management.
- In addition, once a year the general managers of each division implement management reviews to confirm the status of personal information management, enabling corrective action to be taken as needed, and to maintain appropriate management conditions.
Verification of Operations During Emergencies
- In the event of an incident involving the loss, outflow or leak, etc., of personal information, operation of the above information security measures is thoroughly reviewed as needed.
Details of Personal Information Protection-related Incidents, Accidents, or Complaints, and Measures Taken
In fiscal 2024, there were no incidents involving the loss, outflow or leak, etc., of personal information at NEC, and no incidents involving secondary use of personal information without prior consent of the person to whom the information pertains.
There were no external complaints regarding personal information in fiscal 2024.
Response to Requests from National Governments for Personal Information Provision
If NEC Corporation’s business divisions are requested by a government or law enforcement agency of a country to provide personal information that the Company holds, the general manager of the division that receives the request reports to and consults with the Personal Information Protection Administrator as necessary. In such cases, the Personal Information Protection Administrator reports to and consults with the officer in charge of personal information protection. Premised upon respect for the human rights of the person to whom the information pertains, the Company will then determine the necessity of providing such information and undertake the appropriate procedures and measures pursuant to the applicable laws.
There were no requests from government or law enforcement agencies for personal information held by NEC in fiscal 2024.
Privacy in Business Activities
The General Data Protection Regulation (GDPR), which came into effect in the European Economic Area in 2018, is one example of the privacy protection laws and regulations currently being established in several countries and regions. As enforcement of these laws and regulations becomes more stringent, the roles and responsibilities required of companies to protect privacy are increasing.
NEC Corporation aims to maximize social value and minimize the negative impact on society by developing and providing products and services with consideration for privacy issues, which may be perceived differently depending on the country, region or culture, and also with consideration for discrimination and other human rights issues that could be exacerbated by the use of AI. To clarify our stance, the NEC Group Code of Conduct and the NEC Group AI and Human Rights Principles (the Companywide principles) stipulate that business activities aimed at resolving social issues using ICT must not give rise to human rights issues, including invasion of privacy.
NEC Corporation acquired Privacy Mark certification in October 2005 and subsequently renewed it for the tenth time in October 2023. As of the end of March 2024, NEC Corporation and its 31 affiliated companies have obtained this certification. In principle, without the prior consent of the person to whom the information pertains, we forbid the acquisition of information that could have an economic impact such as bank account or credit card numbers, sensitive information such as one’s birthplace, or highly private information such as mobile telephone numbers.
Response in an Emergency Such as Leakage of Personal Information
NEC maintains systems for responding swiftly if an incident occurs involving the loss, outflow or leak, etc., of personal information. If an incident should occur, the response is coordinated quickly and systematically based on standardized procedures. Specifically, if an incident occurs related to personal information or an event takes place for which the occurrence of such an incident is a possibility, the discoverer or the employee involved in the incident contacts their manager and the NEC Group contact desk for information security incidents.
In coordination with the Personal Information Protection Promotion Bureau and relevant divisions, the person at the contact desk then takes necessary actions in accordance with applicable laws, ordinances, ministry guidelines, and other regulations, while considering the risk of infringing on the rights and interests of the people involved. These responses may include promptly notifying the people involved, making a public announcement, and taking corrective measures appropriate to the incident.
Indicators and Goals
Medium- to Long-term Goals, Priority Activities and Progress, Achievements, and Issues
Medium- to Long-term Goals and Priority Activities
(Scope: NEC Corporation unless otherwise specified) Period: April 2021 to March 2026
M: Major non-financial indicators related to materiality
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
FY2024 Goals, Progress, Achievements and Issues, and FY2025 Goals
FY2024 Goals
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
  - Introduce the new personal information protection management ledger system at major consolidated subsidiaries outside Japan
  - Continue to implement training and education for Privacy Compliance Supervisors assigned to consolidated subsidiaries outside Japan
  - Continue to implement training for employees at consolidated subsidiaries outside Japan
  - Assign Personal Information Protection Managers and Personal Information Protection Professionals, and complete introduction of the new personal information protection management ledger system at major consolidated subsidiaries in Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Continue the training and education of Personal Information Protection Managers and Personal Information Protection Professionals assigned to all business divisions
Progress, Achievements and Issues
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
  - Completed introduction of the new Personal Identifiable Information Control System at 32 major consolidated subsidiaries outside Japan
  - Continued to provide support, including training, for Privacy Compliance Supervisors assigned to consolidated subsidiaries outside Japan
  - Continued to provide training for employees of consolidated subsidiaries outside Japan
  - Establishment of management systems equivalent to those of NEC and the introduction of ledger systems at major consolidated subsidiaries in Japan (13 subsidiaries and 5 affiliates) are nearly complete; establishment of management systems equivalent to those of NEC is currently being expanded to other subsidiaries in Japan
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Continued to implement training and education programs for Personal Information Protection Managers and Personal Information Protection Professionals in all business divisions
FY2025 Goals
- Strengthen governance in the fields of data privacy and compliance at consolidated subsidiaries in and outside Japan
  - Introduce the new personal information protection management ledger system at major consolidated subsidiaries outside Japan that have not yet implemented it
  - Enhance monitoring of personal information protection at consolidated subsidiaries outside Japan, and supplement rules
  - Continue to implement training for employees at consolidated subsidiaries outside Japan
  - Continue to establish management systems equivalent to those of NEC by appointing Personal Information Protection Managers and Personal Information Protection Professionals at all consolidated subsidiaries in Japan, and enhance monitoring
- Deepen risk management pertaining to the handling of personal information, based on the risk ownership of general managers
  - Continue the training and education of Personal Information Protection Managers and Personal Information Protection Professionals assigned to all business divisions
Indicators for Personal Information Protection
Personal Information Protection Training and Awareness-Raising
Training for All Officers and Employees (NEC Corporation)
The Company conducts web-based information security training once a year. (Completion rate of companywide training in fiscal 2024: 98.6%)
Education for Personal Information Protection Professionals (NEC Corporation, All Business Divisions)
- Textbooks have been prepared on risk management in the handling of personal information, in addition to education delivered through 16 lectures
- Courses aimed at acquiring personal information protection qualifications
- Held practical training course for business lines (4 times)
- Held basic course on the EU’s General Data Protection Regulation
- Conducted training (2 times) to improve practical skills for collective response based on actual cases
Training for Graduates and Mid-career Hires (NEC Corporation and Its Consolidated Subsidiaries in Japan)
- In fiscal 2024, created a textbook on personal information protection as introductory training material; used textbook to train newly hired and transferred employees
- When there is a request from a division, or when it is otherwise deemed necessary by the Personal Information Protection Promotion Bureau, awareness training is conducted as appropriate at individual business divisions or consolidated subsidiaries in Japan