Controlling your personal information
Keisuke KAMIMURA (Senior Research Fellow, GLOCOM)
For the last couple of months, Japanese people have witnessed that an unprecedented quantity of personal information and classified records had been leaked out on the Internet from private companies and public institutions. Investigation records of Kyoto Prefecture Police were also leaked out via the Winny file-sharing software, which was ironically under the investigation by the Police for contributory copyright infringement. People are extremely critical about the unpreparedness of information management in these institutions.
Until quite recently, once you subscribed to mobile phone or other personalized services, you ended up receiving a series of calls from various telemarketers. Calls for dubious offers and fraudulent advertisements start coming in even before you give your number to your friends and colleagues. This would never happen unless your personal information is leaked somewhere between the mobile phone operator and their retail agent. I was also surprised to receive a call from an unauthorized reseller of NTT's telephone subscription right (which you need to buy for a one-off fee of 72,000 yen when you have a new telephone line installed by NTT), only a week after I switched to a cable phone operator. I had never got a call from such a reseller before, and have never since then, either. Obviously my customer information was leaked out.
These cases often lead to an argument that personal information should be controlled and regulated in a stricter manner, or another argument against it. But I would like to have a different take.
After the Act for Protection of Computer Processed Personal Data took effect in April 2003, the legal environment for the management of personal information is gradually improving. But, once information flows out, it is difficult to control it in reality. Generally speaking, it would be less likely that you ask for correction or removal of the personal details that others may have about you, except for incorrect credit records and other socially significant information.
Therefore, before arguing how we should manage and control the information in the hand of others, every one of us needs to reflect on the extent to which we do or do not want to provide our personal information. In turn, it is necessary for companies and public institutions to review the adequacy of the information that they require from the customers of their service.
Today, we often disclose and collect more personal information than is adequately required. For example, if you sign up for mobile phone, you will be asked to show your official identification document, such as driver's license. For the sake of safety and security, it is necessary for the mobile phone operator to identify who exactly you are. But the problem is that they almost always take a photocopy of your ID. On the driver's license in Japan, you will find your name, address, date of birth, place of birth, driving grade, license class, license number and photo of your face. It includes far more information than is necessary for identification. If the purpose really is identification, they would only have to collate the information both in the application form and in the ID, and no need to take a photocopy. But, they collect more information than is adequate.
Since January 2003, banks and financial institutes have been required by law to identify their customers in account opening, transactions of more than two million yen, and other designated transactions by official identification documents. But even in these cases, photocopy is not required. They only have to identify their customers and make records of identification. There is no need of collecting more than adequate information to identify the person who shows up.
Not a few of people have already begun to use multiple email addresses, one or two "real" address for receiving real messages, and other addresses for "aliases". Them use alias addresses when they sign up for online shopping, auction and other web-based services that require email their address, as well as their name, password, postal address and so on as part of registration process. If spams begin to come in to the address they registered, they simply give them up, and get a new one. What they are doing here, whether consciously or unconsciously, is to limit the personal information that flows out of your control.
It seems to me that too much attention is being paid to how to manage and protect our personal information that has gone under control of others. But we also need to consider the extent of our personal information that we may want to disclose without feeling insecure. These issues are by nature the two sides of the same coin, and actually, the Act for Protection of Computer Processed Personal Data take these two aspects into consideration. Now it is time to have balanced attention.