Personal Information Protection Regulations

Saitama Medical Center Visiting Nursing Station Personal Information Protection Regulations

(Purpose)

Article 1These regulations are designed as guidance that the Visiting Nursing Station at the Saitama Medical Center (Hereinafter referred to as "the office") shall adhere to for the "Act on the Protection of Personal Information" and relevant laws, to properly handle the personal information of users under the philosophy of respecting the personalities of individuals, and based on the personal information protection regulations of the Saitama Medical University.

(Policy of Personal Information Protection)

Article 2"The basic policy on personal information protection" (The privacy policy) shall be specified separately. All staff at the office shall understand the privacy policy and must adhere to this in their work.

(Definition of Terms)

Article 3Definitions of terms used in these regulations are as listed below.

1. Personal Information
   "Personal information" is the information about living individuals which can identify a specific individual by name, birth date or other description including such information (Including the information which can identify the specific individuals by verifying it easily with other information.) When the information relating to a deceased person is also the personal information of living bereaved family as well, it shall be as the information of a living individual. Meantime, information listed in various records relating to providing visiting nurses (Hereinafter referred to "business record.") must be handled carefully, as it has information from two sides, not only of the user but also the decisions and evaluations of the nurse.
2. "Employees" are the workers specified in Article 5, the operation rules of the Visiting Nursing Station at the Saitama Medical School Medical Center (Established on October 1, 1999).

(Scope)

Article 4These regulations are basically regarding the personal information of the users that is used in the office and in the visiting locations.

(Observing the Laws and Other Norms)

Article 5Employees shall observe the "Laws related to the protection of personal information" as well as other laws or the norms.

(System and Responsibility)

Article 6System of personal information protection in the office shall be as follows.

1. Person responsible for personal information protection (Manager),
2. Education supervisor,
3. Person responsible for complaints,
4. Person responsible for audits

Article 7The person responsible in the prior article shall be as follows.

1. The person responsible for personal information protection (Manger) shall supervise the system of personal information protection, including clarifying the reporting lines as necessary in order to protect personal information.
2. The education supervisor shall understand and observe these rules as well as bear responsibility for conducting educational training for employees to help them understand and observe this and implementing safety measures.
3. The person responsible for complaints shall understand and observe this rule, as well as respond quickly and sincerely after receiving inquires and complaints regarding personal information from users, reflecting this rule in operations by analyzing the consultation details and reviewing the recurrence prevention measures.
4. The person responsible for audits shall understand and observe this rule as well as evaluate and conform whether this rule is enforced properly and effectively on a regular basis.

(Disclosure of Purpose of Use of the Personal Information)

Article 8The office shall disclose the purpose of use of the personal information as described in Form No.1 and Form No. 2. Form 1 shall be posted inside the office and Form 2 shall be provided to the users along with the Form 1 depending on their desires and needs.

Article 9Collection of personal information shall be limited to the information necessary to achieve the business purposes of such users.

Article 10When information can't be collected directly from such users in cases such as below, the information can be collected from a third party such as families, considering the necessity to the business.

1. When information is collected from family due to the user having impaired consciousness or mental disorder, or the user is a baby or infant.
2. When information is collected from neighborhood residents and people at work because the user has an issue with their living condition.
3. When information is collected from a public organization, their primary doctor, or related companies, etc.
4. When information on persons other than such individual is collected from such an individual with the purpose of investigation of family history, etc.

Article 11As a general principle, the following information must not be collected. However, when the collection of these information can't be avoided in order to perform the work, collect the information after clearly specifying the reason for in the business record and use the information only to the extent necessary for the work.

1. Rights of workers, matters concerning collective bargaining and other acts of collective action.
2. Participation in collective industrial actions, the exercise of the right of petition, and other matters concerning the exercise of political rights.
3. Matters concerning beliefs, thoughts and religion.
4. Family origin, permanent address, criminal records and other matters that could lead to social discrimination.
5. Matters concerning their sex lives.

Article 12As a general principle, the consent of the person needs to be obtained when information about such user is collected from other than the user. However, it is not necessary to obtain the person's consent in following cases.

1. When the handling of personal information is based on laws and regulations such as on-site inspection based on Medical Service Law and Long-Term Care Insurance Act.
2. When it is necessary for the protection of a person's life, body or assets and receiving consent from the person would be difficult.
3. When there is a particular need to do so in order to improve the public health or promote the healthy development of children and receiving consent from the person would be difficult.

(Precautions when removing personal information to outside of the Office)

Article 13Precautions when removing personal information to outside of the office shall be as follows.

1. Obtain approval of the manager when removing it to outside of the office.
2. The information to be removed outside the office shall be limited to the minimum necessary.
3. Always carry it in a bag, etc. and don't carry the files exposed.
4. When carrying it in a vehicle, make sure to carry it with you when you leave the vehicle. When it is difficult to carry it with you, keep it locked in the vehicle's trunk.

(Handling Complaints and Consultations)

Article 14The person responsible for complaints shall receive and respond to complaints, questions and consultations. When a user or their agent (this is limited to a legal representative or an agent authorized by the person to request the disclosure) requests disclosure of their own personal information, as a general principle, the disclosure shall be made within two weeks. The cost shall be determined in accordance with the work, etc.

As a general principle, when there is misinformation as the result of the disclosure and when amendment or deletion is requested, such change can be made.

(Ensuring the Accuracy of Personal Information)

Article 15Personal information shall be managed in an accurate and updated condition to the extent necessary for the purpose of its use.

(Ensuring Security When Using Personal Information)

Article 16Reasonable technical and organizational safety measures shall be made for the risks concerning personal information (loss, destruction, alteration or leakage of personal information).

(Providing Personal Information to a Third Party)

Article 17Obtain clear consent in advance from the person when personal information is provided to a third party. This includes inquiries, etc., from public organization, etc. However, consent is not required when; the matter is based on an exception specified in the guideline of the Ministry of Health, Labor and Welfare,

1. when it is based on the law,
2. when it is necessary for the protection of a person's life, body or assets,
3. when there is a particular need to do so in order to improve public health or promote the healthy development of children (cancer registration business based on the Health Promotion Law and in child abuse cases),
4. when cooperating with a business specified by the law which is conducted by the national government or local governments (statistical surveys conducted by the national government).

(Method for Disposing of Personal Information)

Article 18When personal information is disposed of, the method shall be as follows.

1. Information used for conferences and training and other personal information written in other documents, etc. shall be quickly destroyed, dissolved or incinerated after its use.
2. Information recorded as electromagnetic records shall have the recording medium destroyed or completely deleted along with the electronic file (non-reusable method).

(Handling the Personal Information Written in Documents not Destroyed)

Article 19Information written in documents where there is the possibility of disrupting operations by destroying it shall be stored in a locked storage location.

(Handling Papers and Research Presentations)

Article 20Papers and research presentations which contribute to progress of insurance, healthcare and welfare and play an important role in health of people and improvement of welfare are guaranteed under the philosophy of "Freedom of Education" under the Constitution. Anonymization of the information shall be as follows.

1. The person responsible for personal information protection has the responsibility of anonymizing the personal information before using it for academic presentations.
2. As a general principle, the person responsible for personal information protection must not provide the personal information removed during anonymization to an external organization.
3. The person responsible for personal information protection must conduct the anonymization as well as strictly manage the information included in the personal information to prevent a leak.

(Employee Education)

Article 21All employees must receive education concerning personal information protection that is given by the education supervisor.

1. (1) Education shall include following matters.
   
   1. ① Importance and advantages of protecting personal information
   2. ② Roles and responsibilities for protecting personal information
   3. ③ Expected results and processes when there is a violation of these rules and regulation or of a related law
2. (2) The contents of training are listed in the "Education Plan / Performance Table."

(Audits)

Article 22The person responsible for audits shall make "Audit Plans" as needed. Audit targets based on this rule shall be listed in the following items. However, this is not applied to the cases when it is likely to cause considerable impediments to the proper execution of the work.

1. Collection of personal information and its usage situation
2. Management situation
3. Openness of information
4. Situation of responding to requests for disclosure, correction or suspension of use
5. System operational status for handling complaints

The person responsible for audits shall conduct audits according to the "Audit Plan" and create an "Audit Report." When a recommendation for improvement is included in the report, the person responsible for personal information protection has to improve things according to the improvement plan. The person responsible for audits shall support the creation of the improvement plan and follow-up with the improvement activity.

(Penalties)

Article 23When this rule is violated, it will be confidentially reported to the chief director according to the Saitama Medical University Work Rules (Established on April 1, 1978) Article 59, and be considered to be conduct that corresponds to Disciplinary Action specified in the same rule Article 63.

(Revision of Rules)

Article 24When it is necessary to revise this rule, the general director shall do this through a committee concerning the protection of personal information.

Supplemental
This rule shall become effective as of November 26, 2005 and will apply from April 1, 2005.

Supplemental (March 25, 2006)
This rule shall become effective as of April 1, 2006.