3.2 Rigorous Management Standards for Services Participating in Ecosystem

Services participating in the ecosystem will be subjected to significant financial penalties if they fail to appropriately protect the personal information, violate requirements notified, specific order related to consent, responsibilities of data controller and processor, and need for data protection evaluation, etc. In addition, approval of the patient (Opt-In[1] format) for the ‘personal information requiring considerations’[2] including the medical data is a requisite in principle, and Opt-Out format of providing personal information to 3rd party without clear awareness of the patient is not acknowledged.

Business operator tasked with anonymization of medical information will be limited to corporations who can satisfy prescribed standards including securing of high level of information security and holding of sufficient anonymization processing technology as well as capable of appropriately and definitively execute anonymization for the management and utilization of medical information. Consigned business operator to handle medical information is limited to corporation capable of appropriately and definitively prevent disclosure and damaging of anonymized medical information and execute measures necessary for safe management of other corresponding (anonymized) medical information for participation in the provision of services within the ecosystem.

[2] Personal information needing considerations: Information with concerns for occurrence of discrimination, prejudice and disadvantages in accordance with race, social status and past medical history, etc.

[1] Opt-In: Format of processing information in accordance with consent of individual in advance