Members of the faculty members handle personal information belonging to students and research associates on a daily basis. Such personal information is maintained by the University, and based on laws, government indications and the University regulations, must be handled in an appropriate manner.

○System for protecting personal information

This system is designed to protect the rights and benefits of individuals, while allowing a certain amount of utilization of personal information. It is regulated by the basic law applicable to the public and private sectors, the Act on the Protection of Personal Information (hereinafter referred to as “the laws”).

Certain rules are set according to the laws, in relation to the handling of personal information.

○Definition of personal information

Information relating to a living person, which contains details of that person’s name, date of birth and other specific information allowing the identification of an individual (including other information that can be compared with other information to allow the easy identification of that person from others).

○Acquisition, use and supply of personal information

＊Restrictions regarding acquisition and use

When handling personal information, the purpose of use must be made clear as much as possible.

Personal information should not be handled without obtaining in advance a principal's consent beyond the necessary scope to achieve a utilization purpose specified.

However, in the following cases, personal information can be handled beyond the necessary scope to achieve a utilization purpose specified without prior consent of the person.

1. When based on laws and regulations

2. When it is necessary for the protection of human life, human health or property and it is difficult to obtain the consent of the person.

3. When it is necessary especially for the improvement of public health or sound upbringing of children and it is difficult to obtain consent of the person.

4. When it is necessary to cooperate with national or municipal governments or the agents who are asked to carry out their duties as stipulated by the laws and regulations, and when obtaining person’s consent may interfere with such duties.

5. When it is necessary to handle such personal information for the use of academic research (except when the purpose of handling such personal information is only partially academic and when it could possibly cause unjust harm to the rights and interests of an individual)

6. When providing personal data to academic research institutions and when it is necessary for such academic research institutions to handle such personal data for academic purposes (except when the purpose of handling such personal data is only partially academic and when it could possibly cause unjust harm to the rights and interests of an individual).

＊Clarification of the purpose of use

The purpose of use must be made clear when acquiring personal information from the individual in question in writing.

In response to GDPR: General Data Protection Regulations which came into force on May 2018, Kyushu University posted our privacy policy on our website (https://www.kyushu-u.ac.jp/en/website/privacypolicy).

When receiving personal data of foreign students or researchers, please ask them to access and check the website above. If there is any matter that cannot be covered with the listed privacy policy, please contact the Records Management Office.

＊Appropriate acquisition

Personal information must not be acquired under pretence or by other false means.

＊Restriction on providing personal information to a third party.

When providing personal data to a third party, consent must be obtained in advance. However, in the following cases, it can be provided without consent of the person.

1. When based on laws and regulations.

2. When it is necessary for the protection of human life, human health or property and it is difficult to obtain the consent of the person.

3. When it is necessary especially for the improvement of public health or sound upbringing of children and it is difficult to obtain consent of the person.

4. When it is necessary to cooperate with national or municipal governments or the agents who are asked to carry out their duties as stipulated by the laws and regulations, and when obtaining person’s consent may interfere with such duties.

5. When it is unavoidable to provide personal data to present academic research results or for educational purposes. (Except when it could possibly cause unjust harm to the rights and interests of an individual)

6. When it is necessary to provide persona data for academic research purpose (except when the purpose of handling such personal data is only partially academic and when it could possibly cause unjust harm to the rights and interests of an individual).

7. When a third-party is an academic research institution and when it is necessary for such academic research institution to handle such personal data for academic purposes (except when the purpose of handling such personal data is only partially academic and when it could possibly cause unjust harm to the rights and interests of an individual).

* Restrictions when providing information to a third party in a foreign country

In Article 28, Section 1, the handling of cross-border transfer of personal data is stipulated. When providing personal data to a third party (such as a business) in a foreign country, except in cases falling under either (1) or (2) according to Article 28, Section 1, it is necessary to obtain the prior “consent of the individual to provide personal data to a third party in a foreign country.”

However, in cases where providing such data to a third party in a foreign country falling under either (1) or (2), the provision shall be carried out using the same method as the third-party provision of personal data conducted domestically, as stipulated in Article 27 of the law.

(1) When the third party is located in a country recognized to have a personal information protection system equivalent to that of our country, as specified by the Enforcement Regulations of the Act on the Protection of Personal Information (Personal Information Protection Commission Rule No.3 of 2016).

(2) When the relevant third-party has established a system that complies with the criteria set forth in the regulations as necessary for continuously implementing measures equivalent to those that should be taken by a personal information handling business operator, then it has established a system that complies with the regulations.

＊Ensuring accuracy

The person retaining the information must strive to keep personal data accurately and updated and delete such personal data without delay when there is no need for its use within the requirements of the purpose of utilization.

＊Measures to ensure safety

Requisite measures must be taken to ensure that there is no leakage of the personal information being retained.

*Personal information being retained must not be removed from the University, in principle. In cases where the chief privacy officer (Dean, etc.) is permitted to remove personal information only, staff, etc. must comply with the instructions of the officer concerned.

○Appropriate management of personal information (General Affairs Section 2)

Punishments are defined in law in order to ensure the appropriate management of personal information, as noted above.

The University has also defined its own law based Regulations on Personal Information Management at Kyushu University, and created the Kyushu University Personal Information Protection Manual, based on the same regulations.

*The laws and the University’s rules, etc. apply to the protection and management of both electronic media and hard copies.
*The University’s rules of employment also stipulate that “Staff must not leak secret or personal information learned in the course of undertaking their work.”(Disciplinary action may be taken in the event of a violation of this rule.)

○Disclosure, etc., of personal information

Based on the laws, the following procedures (defined in the Regulations on Personal Information Disclosure, etc. at Kyushu University) can be used to request disclosure, etc.

＊Requests for disclosure

Any person can request the disclosure of personal information held regarding him/herself by the University. According to the laws, some undisclosed information might not be disclosed.

＊Request for correction

If the personal information disclosed is not correct, the person in question can request a correction.

＊Request for cessation of use

Any person who suspects that the information disclosed has been retained, obtained, used or supplied in any manner that infringes the laws, may request a cessation of use.

＊Appeals for review

If a person is dissatisfied with a decision such as receiving a refusal to disclose, they can appeal for review under the Administrative Appeal Act. Such cases are referred to the Cabinet Information Disclosure/Personal Information Protection Committee, which considers and makes a decision on the matter.