The recent amendments to the Japanese Act on the Protection of Personal Information (APPI) have implications for healthcare businesses. According to the amendments, companies/health institutions are not allowed to transfer personal data overseas. Transfer of data outside of Japan is only permitted under special circumstances, for example if the company/institution has received consent from the individual, or if it is impossible to obtain consent and the data is needed to protect a human life. It has also been clarified that possible and actual data breaches must be reported to the Personal Information Protection Committee (PIPC) as well as to affected individuals. In order to reinforce these privacy policies, the maximum penalties for violations of the APPI have been increased to 95 million yen (about $700,000 USD).
Global medical companies must consider these new requirements if they process and/or import personal information from Japan. They must take steps to ensure that their data transfer preparations and processing agreements comply with these requirements. Data breaches, especially those involving data related to a patient’s medical history, must be reported to the PIPC.