Following the Enactment of the Personal Information Protection Law: Problems with Nursing Care Businesses

Privacy Law is on an Individual Level, Nursing-Care Insurance System is on a Household Level

The framework of Japan's Privacy Law is, in the end, nothing more than an "import product". At the present time, there are aspects of the Privacy Law that are even mutually exclusive to many of Japan's existing systems. One such contradiction is with the social welfare system; in Japan's system, there are circumstances in which aspects of welfare that cannot be covered by individual families have come to be supported by the social welfare system. Thus, the framework of the nursing-care insurance system also clearly reflects this household level. For example, when nursing-care businesses provide services, the users' personal information must be categorized, and information regarding members of the household must be known. This example demonstrates that, in this way, there exist conflicting requirements for nursing-care services and Privacy Law measures, and as such it is necessary to consider proper countermeasures in the near future.

Three Problems Confronted by Nursing-related Businesses

Accompanying the enforcement of the Privacy Law, there are three risks confronted by nursing-care insurance businesses: (1) the risk of government punishment, (2) the risk of lawsuits, and (3) the risk of losing public trust.

In the case of the first, there is the risk that orders for business improvement can be issued as an administrative punishment for transgressing the Privacy Law.

In regard to the second, in the case of personal information being leaked, the risk that users could file lawsuits against businesses increases.

In the case of the third, nursing-care businesses face the risk of losing the characteristic trust in nursing-care services. Since these services possess the special quality of being a "community-based interpersonal service", if personal information is leaked, news of the scandal can spread like wildfire through word-of-mouth and can only result in performance loss.

In the medical and welfare businesses-where there are many cases of information leakage-the potential for straying off-course will be great until sufficient judicial precedents can be amassed.

There is no shortage of cases involving information leakage by nursing-care businesses. According to a June 2004 report compiled by the Japan Network Security Association (JNSA), a non-profit organization, the medical and welfare businesses ranked within the top eight categories of businesses with the most cases of information violation. Hereafter, developing proper measures to deal with protecting personal information is likely to become a matter of life or death for these businesses.

Guidelines that are illustrative of the Ministry of Health and Ministry of Labor's definitions of personal information include care plans, service-providing plans, service content registration, and the recording of the circumstances of accidents. However, if it would seem that information leakage that falls outside of these bounds would not constitute a problem, this is not actually the case; privacy issues regarding personal information can easily become a problem. In regard to privacy protection within the nursing-care field, extremely delicate information relating to individuals' health maintenance and recovery is often handled, and thus this kind of information especially must be handled with the greatest of care.

As judicial precedent, personal information must fulfill the following three requirements to be classified as a matter of "privacy": (1) information regarding the facts of one's personal life, (2) information that someone would not wish to be released, according to the sensibilities of the average member of society, (3) information not known by the average person.

Examining the above three conditions, a great amount of information handled by nursing-care businesses can be said to fulfill the requirements for the definition of "privacy". Hypothetically speaking, if emotional damages are claimed as a result of an individual user's (or family's) privacy being compromised, it is conceivable that a business will be questioned as having unlawful responsibility. Further, unlawful responsibility is a concept based on civil court precedent, and thus cannot be precisely determined. As legal precedent regarding the leakage of personal information continues to accumulate in the future, the unlawful responsibility related to privacy infringement will also become more defined, but it may take as long as ten years before this comes to pass.

In regional areas, the countermeasure policies of ministries such as the Ministry of Health, Labor, and Welfare remain ambiguous, and it is predicted that the process will be an arduous one. In circumstances such as these, nursing-care businesses have no choice but to conduct risk control on their own.

The Establishment of Moral Compliance for Human Resources as a High-Priority Issue

What kind of management system will be necessary in the years to come? Among businesses, it is common to emphasize computer security in the way of information management. In actuality, however, for the majority of nursing-care businesses, employment information is kept in paper media that is locked, filed, and managed in cabinets; on the other hand, it is common for digital data to consist only of nursing-care insurance demands. Consequently, the management of computer security only is not sufficient.

According to the above-mentioned JNSA, in addition to such computer-related problems as "malfunctions and installation misses", common causes of information leakage are personnel-related issues such as "internal criminal activity, taking information out of the office, and theft". Thus, from the perspective of personal information protection, the following approaches are critical.

Upon entering a company, nursing staff should undergo orientation and be given letters of consent regarding personal information protection. In order for staff to achieve qualification, they must have personal information protection education; however, in order to further improve awareness of the issues, it is important that they also undergo periodic training. In the case of help staff, where resignations and other instances of transfer are very frequent, nondisclosure obligations are also important after they leave the company.

In order to increase the user-friendliness of nursing-care services, disclosure of information is necessary to a certain extent. In nursing-care contracts, there should be letters of consent stipulating the business' obligation not to disclose information to third parties. In the case of those engaged in outsourcing, a nondisclosure obligation should be included within the outsourcing contract.

In order to improve the quality of customer service, social responsibility is also important, and thus a privacy mark system for businesses should also be investigated.

As mentioned above, the enactment of the Act concerning Protection of Personal Information means that, for people working in both business and nursing-care services, "establishing moral compliance" will become the highest priority, and whether these businesses proactively engage this issue or not will become a major controlling factor for the future of nursing-care businesses.