information protection basic training course


Post on 16-Oct-2021


Page 1: Information Protection Basic Training Course

Information Protection Basic Training 1/19

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

Information Protection Basic Training Course

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

Introduction:

In this training pack we will be explaining the basic knowledge you need to be able to handle information in an appropriate and confidential manner during assignments from PERSOL TEMPSTAFF CO., LTD. Be sure to read all sections carefully and if you have any further questions about any issues raised, please discuss them with your personal coordinator.

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

In this training course we will be covering the following topics:

Part 1: Handling Confidential Information
Part 2: Using computers in the work place
Part 3: Removing Confidential Information from the Work Place
Part 4: Insider Trading
Part 5: Personal Information Protection Law
* About the Personal Information Protection Law
* Proper Acquisition of Personal Information
* Restrictions on providing personal information to a third party
Part 6: Penal regulations

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

*** Please read all sections carefully and then take the short 10 question test to check your knowledge ***

*** If you have any questions/concerns about any topics covered during this training, please be sure to contact a PERSOL TEMPSTAFF representative ***

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--


Part 1: Handling Confidential Information

What is “confidential information”? How to handle confidential information during assignments by PERSOL TEMPSTAFF CO., LTD.

Please consider the following example and see if you can spot the mistakes that Ms A makes when handling confidential information.

A) Getting ready for lunch: Can you spot 4 mistakes?

B) At Lunch: Can you spot 1 mistake?

It’s lunch time for Ms A

Ms A’s PC is switched on and documents are lying on the desk.

Ms A leaves the office for lunch

Ms A is disposing of documents in the waste-paper basket.

Ms.A (staff)

Ms A and Ms B are discussing their work in a restaurant

Ms.A (staff)

Ms. B (co-worker)

About the estimate, we are going to submit to client X…


A) Ms A’s 3 mistakes whilst getting ready for lunch:

Never dispose of documents in the waste-paper basket!

* Never throw documents/memos or other paper information in the waste-paper basket - always use the shredder!!!

Always shred paper documents after use!

Check the rules for disposing of documents at your designated workplace!

…because, documents discarded carelessly could find their way into the hands of third parties and could be used for malicious purposes…

Never leave PCs switched on and unattended!

Always shut down, or lock the screen with a password when leaving your desk!

Never tell anyone your ID or password, or place them somewhere they could be seen by others.

…because, other people could access documents on your computer for malicious purposes whilst you are away…

…because if your password becomes known to a third party, there is a possibility your computer could be used for malicious purposes…

Never leave documents unattended on your desk!

Always place documents into a lockable desk drawer or cabinet, even if you’re only leaving your desk for a short time.

…because, if you leave documents unattended, they could be seen by third parties who could use the information for malicious purposes…

Don’t dispose of documents in the waste-paper basket!

Confidential information: Be sure that no third parties can read confidential information!

Whenever you leave your desk, always make sure your computer and other documents are inaccessible to third parties.

I am going to re-write the data…

Don’t leave computers switched on unattended!

Don’t leave documents unattended in the office!

Malicious third party


B) Ms A’s mistake whilst at lunch with a colleague:

Mistake: Ms A talked about her work in a public place (restaurant) where there are large numbers of people who could overhear...

… protecting confidential information means you may not disclose any information you’ve received through your work to any third person in any circumstances…

This includes ensuring that you do not “accidentally” disclose information, for example by discussing your work in a public place.

KEEP ALL INFORMATION CONFIDENTIAL!

Do not speak about your work to people who are not related to your work itself, e.g. family, friends, or co-workers in unrelated departments.

Never talk with co-workers about your work in public places such as restaurants, trains, elevators, bars, or any other place that is public.

Remember, this responsibility doesn’t end when your contract finishes. Even after the end of your contracted work term, you are still required to protect confidential information you received during the work period!

It is your responsibility to protect confidential information

* Be careful not to disclose any information you’ve received via work; this includes both “intentional” and “accidental” disclosure.

KEEP ALL WORK RELATED ISSUES CONFIDENTIAL!

About the estimate we are going to submit to the client…


Part 2: Using computers in the work place

A) General rules:

The following actions are prohibited when using computers at work:

Never tell your ID or password to a third person, or place them somewhere they could be seen by others

Never use company e-mail accounts for private purposes

Never use the company computer to browse the internet for private purposes e.g. Internet-surfing, Internet-shopping, internet chat-rooms, internet-bulletin boards, Internet auctions etc

Never download files that are not related to your work

Never write about your work in an internet chat-room, or on a bulletin board (even outside of work hours). Remember that even if you are writing anonymously it may be possible for your company to trace the source of any leaks to you!

Never make any changes to your workplace’s PC system settings, or download any files without permission.

B) Sending Emails for Work Purposes

How to address emails correctly:

To: Use the “To” field for the email address of the person to whom you wish to send the message

CC: Use the “CC” field for the email address of a person to whom you wish to send the message for reference

BCC: Use the “BCC” field for the addresses of recipients whose address you do not wish to be seen by other recipients (addresses placed in this field will not be displayed to people viewing the email)

Remember, if you accidentally include people whose email address is not meant to be seen in the “TO” or “CC” fields, it will be considered as an information security breach!

EXAMPLE : If you are sending an email announcement to multiple clients or customers simultaneously it’s important to use the “BCC” box. Otherwise, you will have inadvertently distributed confidential contact information about your clients or customers to multiple third parties!


Part 3: Removing Confidential Information from the Work Place

Removing confidential information from the workplace is prohibited! Always follow the correct procedures: “Report”, “Contact” & “Consult”

Please look at the following example. Can you spot the two very important mistakes related to the correct handling of confidential information that Ms A makes?

Ms.A

Can you finish these documents by tomorrow morning?

Ms A’s supervisor asks her to be sure to finish the documents she is working on by tomorrow morning.

Sure!

Ms A isn’t able to finish working on the documents before going home. So, she decides to send the documents to her home computer in order to finish them later that evening.


However, when Ms A is working at home, she realizes she doesn’t know how to sum up the data in the documents correctly.

So, she uses her own initiative to change the style of the documents. She then sends the data back to her work PC.

I don’t know how to do this…

At work the next day Ms A’s supervisor tells her that the method she used for summing up the data in the documents is incorrect.

This data is incorrect. You’ll have to do it again.


Q: What are the two major mistakes Ms A made?

Ms A receives a message from the IT Systems department telling her that her computer has been found to have been used to send important data outside the company…

Your computer was used to send confidential information outside the company…

Systems Department


Ms A’s mistakes:

Ms. A’s First Mistake: She didn’t tell the manager at her workplace that she was not able to finish her work.

Ms. A’s Second Mistake: She emailed the data to her home computer.

When you have a problem, DON’T decide how to solve it yourself. Report the situation to the manager at your workplace and ask him or her for instructions.

ALWAYS consult with your supervisor to solve problems.

Confidential information generally MAY NOT leave the company. Ms. A thought it was a good idea to send the data to her home PC so she could finish her work on time, but in doing so, she put her company at risk of information being leaked.

Be careful not to make the same mistakes as Ms. A!

2: Don’t solve problems alone

1: Don’t send out confidential information

Always follow the “Report”, “contact”, and “consult” procedure when you have a problem.

* REPORT any problems that occur during work to your superior
* CONTACT your superior if you have any doubts on how to proceed
* CONSULT a superior when you face difficulties


Important Rules to Remember:

DON’T use cellphones during your designated working hours. (Turn your phone off or set it to silent mode, and keep it in your bag.)

DON’T make private calls, send private text messages, or play games during working hours

DON’T take pictures in your workplace.

DON’T bring memory devices (e.g. floppy disk, memory stick, CD-R, or thumb drive) to your workplace without permission.

If you don’t follow these rules, you may be wrongly suspected of leaking information!!!

Handling loaned company property:

Do not lose your company ID, procedure manuals, or confidential references/documents.

Be sure to return any loaned property when your contract is finished.

Remember “report”, “contact” and “consult.”

Do not copy, edit, or revise data without instruction. Always ask for instruction and follow the company rules.

Memory devices

What is Winny? Winny is a software program that allows multiple PCs to share files through a network.

■ Confidential information may not leave the company

Never take confidential information home or forward it to your own PC.

→ You risk losing it or causing an information leak.

If a PC that uses Winny is infected by a virus, other PCs in the same network are also at risk of being infected. This may cause a data leak.

Important points to emphasize:

Cellphones and other mobile devices



Part 4: Insider Trading

This section will cover the issue of insider trading. Please look at the following example and see if you can see what Mr C does wrong.

Mr. C works in the product development department of a pharmaceutical company.

Mr. C

Mr C has just developed an amazing new drug for his company. He knows that it’s likely that his company’s stock price will increase as a result of this new product.

When we release this drug, the company stock price is bound to increase…

I’m sure I could make a lot of money if I bought company shares now…


Q: What did Mr. C do wrong?

Stock trading company

Mr. C decides to buy shares in his company before the development of the new drug is officially announced


Answer: He participated in insider trading!!!

Insider trading is banned by the Financial Instruments and Exchange Act, and is subject to strict penal regulations.

By accepting employment at a company, the employee becomes an “insider” and agrees to a legal obligation to put the company’s shareholders' interests before his or her own in matters related to the company. When an employee buys or sells stock based on his or her “insider” knowledge of the company, he or she is violating his or her obligation to the shareholders. Mr. C had access to “inside information”, so what he did would be considered insider trading and subject to the penal regulations dictated by law.

Q: What is “Insider Trading”?

Insider trading is the trading of a company’s stock or other securities (e.g., stock options) by individuals who have access to non-public information about the company.

Q: What is an “Insider”?

1. An “insider” is a person with access to material information about the company. This includes:

Company officers, directors, & employees of the company in question, including temporary workers and part-time workers.

Anyone who has concluded a contract or is under negotiations to form a contract with the company.

* e.g., account bank, stock firm, certified public accountant, etc.

2. Someone who doesn’t currently have access to “inside” information, but has had access to such information within the previous one year period is also considered an “insider”.

3. An information recipient, meaning one who has received any information about the company from one who is a party of interest for said company.

If you pass information to someone outside the company and that person uses your information, this is also considered to be insider trading!


Part 5: Personal Information Protection Law

About the Personal Information Protection Law

Q1: What constitutes an item of “Personal Information”?

Personal information is the information about a living individual which contains any description by which the specific individual can be identified.

Q2: What is the “Personal Information Protection Law”?

“Personal Information Protection Law” is the law which determines the rules that all entrepreneurs or businesses which handle personal information are obliged to follow. Its aim is to protect the rights and interests of individuals by stipulating the obligations to be complied with by the entrepreneurs or businesses handling personal information while taking the usefulness of personal information into consideration.

Q3: Who does this law apply to?

The law applies to any entrepreneur or company which has used more than 5,000 pieces of personal information for business use within the past 6 months. *

* Please note that even if the company you are dispatched to does not match the above description, you will still be obliged to adhere to this law. Regardless of your position you will be handling personal information so it is very important to understand this law in detail.

Q4: How should “Personal Information” be acquired and used?

Before acquiring any personal information, companies must first determine and publicly specify the purpose of its use. Once information has been acquired, it may only be handled within the limits of the specified purpose, and may not be used for any other purpose.

Q5: What requirements does the Personal Information Protection Law specify in relation to the use of Personal Information by companies?

In accordance with this law, companies handling personal information are required to:

* Specify and restrict the purpose of usage of personal information
* Acquire information through proper procedures
* Notify individuals of the aim of usage when acquiring personal information
* Ensure data held is accurate and securely handled
* Take measures to safely control handling of personal information
* Supervise employees handling personal information
* Supervise clients handling personal information
* Restrict provision of personal information to third parties
* Not release personal data into the public sphere
* Ensure all data is held according to the Personal Information Protection Law

Article 2 of the Personal Information Protection Law: In this Law, “personal information” means information about a living individual, including their name, date of birth and/or any other description by which said individual can be identified. (This includes information that can be easily collated with other information, so that a specific individual can be identified).

Personal Information Protection Law


Personal Information Protection Law

Proper Acquisition of Personal Information

Please look at the following example and see if you can spot what Ms A does wrong:

What did Ms. A do wrong?

Ms. A sees that there are email addresses written on postcards that were sent to her company....

Name: Mr XXX
Company: XXX Co., Ltd
Address: …. Tokyo
Email: [email protected]

Hmmm, these addresses might be useful…

Ms. A (staff)

Ms A is sending emails to her company’s clients…

Clients

To: [email protected]
Please check out this URL: http://xxxyyy.net

Ms A decides to send emails to the addresses she found on the postcards inviting the recipients to look at her own personal homepage


Ms A’s mistake:

Q: What is Usage beyond the Specified Purpose?

It is the usage of personal information beyond the limit of the purpose that has been specified by the company for said information. Personal information that is held by a company must only be used for the specified business usage, and not for an individual’s personal use.

Please note that accessing contact or other personal information (such as purchase/account history) out of curiosity or for other non-work related purposes is also considered to be “usage beyond the specified purpose”. For example, looking at the purchase history of celebrity clients, or accessing the contact information of co-workers, is prohibited.

Specifying the purpose of use for Personal Information

In order to acquire personal information, you must specify the purpose of its usage, and publicly notify others of the purpose you will use it for. The information you acquire is only to be used within the parameters of the notification you released about its intended usage earlier.

Specification of the purpose of use

Article 15: Businesses shall, when handling any personal information, specify the purpose of said information’s use (hereinafter referred to as the “Purpose”) in as much detail as possible.

The Purpose’s limits

Article 16: Without prior consent from the individual whose information is being used, any business handling personal information may not use the personal information at their disposal beyond what is allowed by the Purpose, as defined in Article 15 above.

Personal Information Protection Law

By using the email addresses of clients for a usage outside the specified purpose, Ms A violated the Personal Information Protection Law.


Personal Information Protection Law

Restrictions on providing personal information to a third party

Please look at the following example and see if you can spot what Ms A does wrong:

What did Ms. A do wrong?

A caller asks Ms A for the telephone number of a relative who works at their company.

Could you give me my son’s telephone number?

Sure. His telephone number is 090-xxxx-xxxx.

Ms. A (staff)


Ms A’s mistake:

* The provisions for non-disclosure of Personal Information shall not apply if the use or handling of personal information is:

1. Handled according to appropriate laws and regulations;

2. Necessary for protecting the life, body or property of any person, and it is difficult to obtain the consent of the person to whom the personal information in question applies;

3. Necessary for improving public health or promoting child welfare, and it is difficult to obtain the consent of the person to whom the personal information in question applies; and/or

4. Handled in cooperation with state institutions or their delegates in their execution of any law, and their performance is expected to be hampered by obtaining the consent of the person to whom the personal information in question applies.

An extra note of caution: If you mistake someone for a different person who has the same name and release their personal information, this will be considered providing information to a third party as well. You must be very careful when handling information and be sure to completely identify someone before you use their personal information.

Could you give me my son’s number?

Mr. 00’s telephone # is 090-xxxx-xxxx.

You should never disclose personal information to a third party.

Legal restrictions on providing information to a third party

Article 23: Businesses handling personal information, excluding the following cases*, shall not provide any personal information to a third person without getting permission from the person to whom the information applies when the information is acquired.

Personal Information Protection Law

In cases like this, be sure to consult with your company supervisor and follow the instructions of your designated workplace.


Part 6: Penal Regulations

Application of penal regulations: If you handle any confidential information or personal information inappropriately at your designated workplace, and/or cause damage to your workplace or any other person, you may be subject to penal regulation. In this case it is likely that you will be required to pay compensation for any damage caused by your actions. It is also likely that the contract you work under will be cancelled under these circumstances. Also, please be aware that if you are found to have handled any confidential information or personal information inappropriately, your actions may also have a negative impact on other personnel working at your designated work company.

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

Thank you for taking this PERSOL TEMPSTAFF Information Protection Basic Training Course.

If you have any questions/concerns about any of the topics covered in this training, please be sure to talk to a PERSOL TEMPSTAFF representative.

Please be sure to handle all information at work with appropriate care and common sense, and be sure to consult your supervisor at your designated work company in case of doubt.

--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--

Penal regulations that apply to the violations listed in this handbook

* Larceny (Penal Code: Article 235)
* Misappropriation (Penal Code: Article 252)
* Embezzlement (Penal Code: Article 253)
* Obstruction of Business by Damaging a Computer (Penal Code: Article 234-2)
* Computer Fraud (Penal Code: Article 246-2)
* Act for the Prohibition of Unauthorized Computer Access (Article 8~9)
* Personal Information Protection Law (Article 56~59)