On November 2, 2022, the Personal Information Protection Commission (PPC) in Japan issued a report on Star Japan LLC's handling, storage, sharing, and overall management of personal information derived from surgical videos. Following discrepancies in their practices, the body conducted a similar review of 60 other medical institutions' practices related to surgical videos.
Star Japan's employees have contractual obligations to acquire surgical videos. These surgical videos are supposed to be received without any information that could identify individuals. Due to several factors, such as the lack of internal notifications and of a dedicated management plan for appropriately handling such videos, patients' personal data, such as their names, was released. Medical institutions that provide surgical videos include both those that handle them as personal data and those that do not, i.e. those that manage the videos as personal information without building a database.
More importantly, patients' explicit consent had not been obtained before such videos were made, highlighting the overall lack of appropriate safety management measures. Additionally, doctors (who were employees of each medical institution) provided surgical videos to Star Japan LLC without the permission of the medical institution that held the patient's personal data.
The following guidelines were issued to Star Japan following the identification of the aforementioned issue:
- Going forward, before collecting users' personal data, it must specify the purpose of the collection and its potential uses, and appropriately notify the users whenever any data is shared with third parties;
- When users' data is being shared with third parties, the organization must ensure the implementation of an appropriate system design and determine whether the data being shared contains any personal data. If so, any sharing of such data must comply with the requirements set per the Act on the Protection of Personal Information 2020 (APPI).
Major Implications For Other Institutions
Following its instructions to Star Japan, the PPC Notification also contains general recommendations and guidelines for medical institutions that manage surgical videos as part of their users' collected personal data:
- Proper consent of the users must be gained before an organization can share such data with a third party and establish appropriate systems to obtain that consent;
- Employees of the medical institutions (doctors, nurses, etc.) must not share personal data with third parties without the permission of the institution;
- Organizations must ensure adequate safety control measures to supervise employees appropriately and make relevant changes in their employee training programs to educate new employees accordingly.
The other medical institutions were also warned that the agency would conduct stricter investigations in the future, collecting all necessary information and taking appropriate action where warranted. It advises medical institutions to establish a data management system that maintains a proper catalog of what data is being collected and in what form.
How Can Securiti Help
A major reason why Star Japan and other medical institutions found themselves in such a situation is the lack of a proper data management infrastructure. They were collecting data that fell into the category of personal data without even realizing it.
That problem is further exacerbated by the volume of data: hundreds of such videos were made and stored without any proper internal notifications or any management system governing their storage and use that would comply with the APPI.
Securiti is a leader in providing data compliance and governance solutions that can help organizations effectively comply with the data obligations placed on them by APPI. With products such as sensitive data intelligence and asset & data discovery, organizations can not only find personal and sensitive data in structured and unstructured data systems but also gain insights related to who has had access to this data with the option to set up policies that curate access privileges to such data.
Request a demo today and learn more about how Securiti can help you comply with APPI and any other global data regulation.