Our readings this week drew a lot of connections to conversations the Japan international tech community has been having recently about improvements to Japan’s data protection laws. Our colleagues in Europe are dealing with the educational implications of GDPR; similarly, Japan has recently made significant amendments to its Act on the Protection of Personal Information (APPI), with large implications for businesses that hold personal information of clients (schools included).

Here at YIS, I just stopped by a grade 5 class and did a quick, informal survey of services students have used just this week that collect their data. They include:

  • Veracross (our student information system)
  • Seesaw
  • Google (G Suite for email addresses and Drive)
  • Flipgrid (via Google)
  • Padlet (via Google)
  • Quizlet (via Google)

What information about our students are these organizations holding, and how can we ensure that it is being used appropriately?

What changes in data protection are we seeing in Japan?

Japan’s Act on the Protection of Personal Information (APPI) was one of the earliest privacy laws when it was enacted in 2003 (read an English translation of the 2003 act here). It was created to “protect the rights and interests of individuals while taking consideration of the usefulness of personal information.” The original act was amended in 2015 (coming into force in 2017) after numerous high-profile data breaches in Japan (see Sony’s 2014 data breach).

The 2003 act applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months. With the 2017 amendment, that restriction is now gone.

What is the impact on education?

Every school in Japan is collecting personal data of its students. That data often includes what Japan terms “special care required” personal information. This category covers a client’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions. While most might not apply to schools, we certainly have some data on medical history.

According to APPI, having the data isn’t the problem; it’s more about the rights data subjects have in regard to their data. Schools need to be prepared to respond to requests about the purpose for which we are using their data, and if we don’t reply in two weeks we could face legal action. We also must apply cybersecurity measures to guarantee the security of the data we house.

How do we address these changes with our community?

By being open and transparent about what data we collect and why we need it. As schools, we need to conduct a comprehensive review of the data we are collecting, decide what is actually necessary, and build a concrete rationale for why that data is necessary. While I’m not a lawyer, I believe a great first step is a well-developed privacy policy that is shared with the community.

Or even better, join the Japanese Privacy Law Conference on May 21 at Christian Academy of Japan and learn from a real expert from the Personal Information Protection Commission.

What about teachers? This seems aimed at administrators…

While conforming to the expectations required to be APPI-compliant is mostly an administrative-level task, there are some important elements that apply to teachers. As teachers we have access to a lot of this data and use it regularly, especially with the growing number of tech tools that require student information. Our teachers are at high risk for having that data stolen. One school in Japan that I recently chatted with is using KnowBe4’s phishing security test with their teachers to see how likely their teachers are to fall for phishing emails. This data can then help train staff in data protection.
