Personal Information Protection and Privacy
The NEC Group Code of Conduct stipulates respect for human rights and privacy and the management of personal information, and NEC has positioned “Provision and Utilization of AI with Respect for Human Rights (AI and Human Rights),” including personal information protection initiatives, as a priority management theme from an ESG perspective—materiality. From this perspective, we are tackling prevention of any privacy-related issues stemming from the handling of personal information in addition to undertaking other personal information protection measures.
Personal Information Protection
In cooperation with its consolidated subsidiaries in Japan and overseas, NEC Corporation has also built an implementation framework for personal information protection and a personal information protection management system in compliance with the Act on the Protection of Personal Information and JIS Q 15001. Our personal information protection management system includes the establishment of data protection standards (personal data safety management measures and so on). Further, we conclude agreements requiring compliance with these standards with third parties with which we share data or to which we outsource the handling of data. Also, we have established escalation rules and emergency response procedures to be followed in the event of incidents such as personal information leaks or mishandling of data.
The General Data Protection Regulation (GDPR), which became effective in 2018 in the European Economic Area, is one example of the privacy protection laws and regulations currently being established in several countries and regions. As enforcement of these laws and regulations becomes more stringent, the roles and responsibilities placed on companies to protect privacy are increasing.
NEC Corporation aims to maximize social value and minimize the negative impact on society by developing and providing products and services with consideration for privacy issues, which may be perceived differently depending on the country, region or culture, and also with consideration for discrimination and other human rights issues that could be exacerbated with the use of AI. To clarify our stance, the NEC Group Code of Conduct stipulates that business activities aimed at resolving social issues using ICT must not give rise to human rights issues, including invasion of privacy.
NEC Corporation acquired PrivacyMark certification in October 2005 and subsequently renewed it for the ninth time in October 2021. As of the end of March 2022, NEC Corporation and its 31 affiliated companies have obtained this certification. In principle, we forbid acquiring information that could have an economic impact such as bank account or credit card numbers, sensitive information such as one’s birthplace, or highly private information such as mobile telephone numbers without the principal’s prior consent.
At NEC Corporation, the head of the department responsible for protecting personal information serves as the Personal Information Protection Administrator, the person in charge of implementing the personal information protection management system. This person is responsible for protecting specific personal information with respect to the Social Security and Tax Number System as well.
The Compliance Department plays a central part in promoting the protection of personal information within the NEC Group under the leadership of the head of the Personal Information Protection Promotion Bureau appointed by the Personal Information Protection Administrator.
In addition, we conduct regular audits of privacy protection in conformance with JIS Q 15001, with the General Manager of the Corporate Auditing Bureau serving as Chief Personal Information Protection Auditor.
The general managers are responsible for managing personal information protection in their respective divisions. Each appoints a division personal information protection manager, who is responsible for carrying out personal information protection management for the division, and a personal information protection professional, who possesses expert insight regarding the protection of personal information, including human rights and privacy issues, and who supports the personal information protection management system by inspecting personal information handling in each division and improving handling rules based on the inspection results. The person responsible for handling personal information for each project ensures that persons who handle personal information undertake thorough personal information protection measures.
Consolidated Subsidiary Management Framework
At our consolidated subsidiaries in Japan, we have built systems to comply with the Act on the Protection of Personal Information and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, the so-called My Number Act, which is related to the numbers used to identify individual residents of Japan for administrative procedures, and we use these systems to promote the protection of personal information. Furthermore, 30 consolidated subsidiaries in Japan have acquired PrivacyMark certification as of March 31, 2022.
At our consolidated overseas subsidiaries, we are tackling compliance with the laws and regulations in each jurisdiction as a matter of course, and we have appointed a Personal Data Administrator at each of our major subsidiaries to promote the protection of personal information.
Response in an Emergency Such as Leakage of Personal Information
NEC maintains systems for responding swiftly if an incident occurs involving the loss, outflow or leak, etc., of personal information. If an incident should occur, the response is coordinated quickly and systematically based on standardized procedures. Specifically, if an incident occurs related to personal information or an event takes place for which the occurrence of such an incident is a possibility, the discoverer or the employee involved in the incident contacts their manager and the NEC Group contact window for information security incidents. The person at the contact window then coordinates the necessary response with the related divisions that make up the Personal Information Protection Promotion Bureau and relevant divisions in accordance with applicable laws, ordinances, ministry guidelines, and other regulations, taking into account the risk of infringing on the rights and interests of the persons involved. These responses may include promptly notifying the people concerned, making a public announcement, and taking corrective measures appropriate to the incident.
Response to Requests from National Governments for Personal Information Provision
If NEC Corporation’s business divisions are requested by a government or law enforcement agency of a country to provide personal information that the Company holds, the general manager of the division that receives the request reports to and consults with the Personal Information Protection Administrator as necessary. In such cases, the Personal Information Protection Administrator reports to and consults with the executive officer in charge of personal information protection and management. Premised upon respect for the human rights of the person in question, the Company will then determine the necessity of providing such information and undertake the appropriate procedures and measures pursuant to the applicable laws.
Measures and Main Fiscal 2022 Activities
Personal Information Protection Training
- Training for all officers and employees including dispatched employees (NEC Corporation)
- Education for personal information protection professionals (NEC Corporation, all business units)
- Training for newly hired employees and transferred employees (NEC Corporation and its consolidated subsidiaries in Japan)
Management of Personal Information
- Initiatives at NEC Corporation
- Initiatives for customers and business partners
- Personal information management initiatives abroad
Monitoring and Improvement
NEC Corporation appropriately manages personal information by executing plan–do–check–act (PDCA) cycles on an autonomous basis through various inspection activities.
Also, NEC Corporation and its consolidated subsidiaries in Japan conduct regular internal audits based on internal audit check items stipulated in JIS Q 15001. Further, for operations related to the handling of “My Number” data, we use security control measure check sheets prepared based on Japan’s security control regulations and self-check sheets during re-entrustment in order to monitor divisions and subcontractors handling “My Number” data.
- Verification of the operation of information security measures
- Verification of the status of personal information management
- Verification of operations during emergencies