Privacy and libraries in the case of Japan

Abstract

This essay introduces the concept of privacy from the perspective of the East Asian nation of Japan. Firstly, it provides background context to how privacy is viewed in the country; then it discusses relevant legislative approaches to the protection of privacy in Japan. It goes on to discuss privacy in relation to its relevance to libraries, illustrated with two case studies, before concluding with some suggestions as to the way forward in Japan.

Keywords

Japan library management privacy laws

Background and context

When you visit Japan and ride on a train or subway, you may notice that people are reading books covered by paper. You know the size of the book, but you do not know the title of the book. Not all but many Japanese hesitate to show a cover of the book they are reading to strangers in public places. This gives an indication of how Japanese think of privacy as “freedom to read”, meaning reading any books freely without being noticed by others. Which book you read or not is “private information”. In Japanese libraries one of the most important issues is protection of people’s freedom to read, that is, protecting private information.

In 2015 Japan the amended Act on the Protection of Personal Information (Japanese Law, 2017) was promulgated for approval, and in May 2017 the Amended Act (Japanese Law, 2017) came into force. This paper analyzes and discusses privacy issues in libraries, especially in public libraries, related to this Amended Act.

(Amended) Act on the Protection of Personal Information

The main purpose for the (Amended) Act on the Protection of Personal Information (Japanese Law, 2017) is the control of businesses buying and selling various lists of personal information. As the World Economic Forum mentioned in 2011, “personal data is becoming a new economic ‘asset class’, a valuable resource for the 21st century that will touch all aspects of society” (World Economic Forum, 2011). The amendment of the Act on the Protection of Personal Information resulted in the following changes (Japanese Law, 2017):

The centralization under one Personal Information Protection Commission’s control of the various agents and governmental offices previously responsible for the supervision of data protection;

The definition of “personal information” was clarified;

Setting up the rule to change from using anonymous processed personal information to limited particular person;

Measures against private businesses which are providers of personal information data for sale, and both public and private sectors must provide reports about their business to the Personal Information Protection Commission on duty;

Abolishment of the exemption for private companies or organizations with a small quantity of personal information (prior to this amendment, companies and organizations holding personal information for fewer than 5000 individuals did not need to report to the Government agency);

Agencies which utilize personal information must now notify the Commission, and the Commission must announce that to the public;

Regulations on the limitation and exemption of providing personal information to third parties outside of Japan.

Personal information and data have become a business resource. To deal with this in 2016, the Basic Act on the Advancement of Utilizing Public and Private Sector Data (Japanese Law, 2016) was approved and enforced. Thus the (Amended) Act on the Protection of Personal Information (Japanese Law, 2017) tries to set up the rules and obligations in the case of utilizing “big data” such that business operators can process personal information anonymously. This raises the question of whether personal information can be processed anonymously and confidentially.

Legal definition

Article 2 of the Act on the Protection of Personal Information (Japanese Law, 2017) amended the definition of “personal information” to mean “that information relating to a living individual” and “containing a name, date of birth, or other descriptions etc.”, “that cannot be recognized through the human senses”. Article 2 of the Act on the Protection of Personal Information added “meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning a record kept in an electromagnetic, magnetic or other form)”. Also this Article 2 explains more in detail about the meaning of “individual identification code”: that is, personal information includes formats such as DNA, face composition, iris, voiceprint, physical appearance when walking, vein of hands/fingers, finger print, palm print, and so on. Various public identified numbers are also considered “individual identification code” including the basic pension number or individual number set forth in Article 2 of the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Japanese Law, 2016).

In addition to those, the Act on the Protection of Personal Information (Japanese Law, 2017) defines special care-required concerning personal information, meaning:

personal information comprising a principal’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.

Among this personal information requiring special care is “the fact that an arrest, search, seizure, detention, institution of prosecution or other procedures related to a criminal case have been carried out against a principal as a suspect or defendant” (Article 2.4 of the Cabinet Order). This could be considered as an example of the “right to be forgotten” (Mantelero, 2013).

Exclusion

Article 76 of the Act on the Protection of Personal Information (Japanese Law, 2017) excludes a number of institutions and individuals from its provisions but not libraries.

Excluded institutions and individuals include:

Broadcasting institutions, newspaper publishers, communication agencies and other press organization (including individuals engaged in the press as their business). These are excluded so that those press can function;

Professional writers are also excluded so that they can function;

Universities and other organizations or groups engaged in academic studies, or a person belonging thereto, so that they may conduct research;

Religious bodies for use in a religious activity;

Political bodies for use in a political activity.

Therefore, libraries, public libraries in particular, are not excluded from the provisions of the Act on the Protection of Personal Information (Japanese Law, 2017), and need to handle personal information data as specified in the Act. Prior to this legislation, librarians in Japan discussed and implemented measures to protect personal information for users’ freedom to read. There has been much discussion in the library sector relating to the management of personal information since the Japan Library Association (JLA) proclaimed the Statement on Intellectual Freedom (JLA, 1954, rev. 1979) and the Code of Ethics for Librarians (JLA, 1980), and since then libraries have been actively trying to protect personal information.

The Act and libraries

Japanese libraries have largely defined personally identifying information and data as consisting of circulation records, data on overdue/lost library materials, records of reference services, data on reserved materials, inter-library-loan records, and documents on photocopy services. These data have been regarded as users’ personal identification information in the same way that name, date of birth, or other descriptions etc. are regarded as personal identification information data by the Act on the Protection of Personal Information (Japanese Law, 2017).

Article 3 of the Japan Library Association’s Statement on Intellectual Freedom in Libraries (JLA, 1954, rev. 1979), guarantees the privacy of users. This means “what book a particular person has read or is reading shall be regarded as the privacy of the reader. Libraries shall not reveal a reader’s record of reading”. But, if the business operators insist that they can handle library users’ personal information anonymously under this Act on the Protection of Personal Information (Japanese Law, 2017), and demand that libraries provide access to users’ data, what are libraries to do?

As far as any local public libraries are regarded as part of local government authority, full-time positioned librarians come under Article 34 of the Local Public Service Officers’ Act (Japanese Law, 1950a), which requires that they keep secret whatever they learn about an individual through their work. Well-trained professional librarians recognize the Statement on Intellectual Freedom in Libraries (JLA, 1954, rev. 1979), and also Article 3 of the Code of Ethics for Librarians, “a librarian should respect the confidentiality of each library user” (JLA, 1980).

Yet when the Committee on Intellectual Freedom of the Japan Library Association undertook a national survey on intellectual freedom in public libraries (JLA, 2013) in 2011, more than 60% answered “yes” when they were demanded by local governmental authority or others to open users’ reading records without a warrant issued by a competent judicial officer, as provided in the Constitution (Article 35). Can librarians protect users’ personal information to read books freely?

Discussion points

Risk of management by the private sector

There are two trends impacting privacy issues in Japanese libraries: (1) outsourcing the management of public libraries; and (2) the use of part-time staff.

Since the Local Autonomy Law (Japanese Law, 1947) was revised in 2003, and with the Act on Promotion of Private Finance Initiative (Japanese Law, 1999) (approved in 1999), local government authorities have contracted the management of roughly 10% of all public libraries to non-profit organizations (NPO) which are organized by library volunteers, and private sectors including local bookstores and nationwide book and audio-visual material rental chain stores. These private sector management firms are not obliged to protect user privacy.

Public officers are obliged to keep secret whatever they know through their daily work under Article 34 of the Public Service Officers’ Act. As mentioned above, library workers are obliged to respect and keep secret users’ privacy under the JLA’s the Intellectual Freedom Statement (JLA, 1954, rev. 1979) and the Code of Ethics for Librarians (JLA, 1980). As far as library workers are not public officers, what they are obliged to do is provided for by this Statement and the Code of Ethics, now including the IFLA Statement on Libraries and Intellectual Freedom (IFLA, 1999) and the IFLA Code of Ethics for Librarians and other Information Workers (IFLA, 2012). Nevertheless, there have been cases and issues relating to library management and protection of users’ personal information. Here, two cases are analyzed and discussed.

Case A: Local public library managed by a private business company (s.n., 2012)

In 2014, the management of the Takeo city local public library was privatized and re-opened by one of the nationwide book and audio-visual material rental chain stores. At the time of the re-opening, the new management company asked residents and others who wanted to use the library to re-register as a library user. The new library card included the company’s “point card” which can be added to whenever a user borrows a book or other materials from the library. Librarians from other cities complained, so the company changed the registration system offering users the right to choose a library card with or without the “point card” as there is insufficient explanation of the privacy implications of the card.

Few people understand the implications of using a “point card” as their library registration card. The management company explained that users can get more points if they borrow more books, and then users can buy any goods with those points at the bookshop attached to the public library. The library does not offer new editions of magazines or newly-published books. If a user wants to read a new one, they must buy these at the shop attached to a coffee shop inside the library. This marketing technique not only sells newly-published books or magazines at the library bookshop but also gathers data from library users. How can this private business undertake this marketing approach?

This is because of the Takeo city mayor’s policy at the time of the contract, and also the content of the local government regulation on the protection of personal information. The legal definition of the personal information regulation at this city is too simple, and guidelines on protecting personal information based on the Statement on Intellectual Freedom at Libraries (JLA, 1954, rev. 1979) insisted on by the library staff were not regarded as an important issue. At this library, most of the library staff are contracted part-time workers, and they are in an unstable working situation. They faced difficulties clarifying and persuading the new management authority of the mission of public libraries.

Article 17 of the Library Law (Japanese Law, 1950b) in Japan, states that publicly-funded libraries cannot demand any fee from users. Therefore, the private rental book shop company managing the public library attached a bookshop and café as a means of gaining profit and gathering personal library usage information as a valuable data resource. The company continues expanding its management of public library businesses, and keeps collecting users’ personal information, including data on reading. The company does not have any rules or guidelines, or code of ethics on protecting personal information, but under the new amended Act on Protection of Personal Information (Japanese Law, 2017), it is required to have these and make them available to the public.

Case B: Leaking personal information by outsourcing library systems (JLA, 2011)

The second case occurred at a local publicly-funded library and involves two issues: (1) a library director providing users’ registered records to the police, and (2) duplicating users’ registration and circulation record to other libraries which can be seen by other library staff.

In 2010 the library found their library system was jammed because too many people were searching for books or other information through their OPAC via the Internet at the same time. No library staff members were able to understand the library computer system sufficiently to fix it. The library sought outside assistance from the system vendor, but they were no help. Assuming the system had been hacked, the library director then called the local police. But in fact, the problem was caused by automatic searching by a library user. The library considered that this was done with ill-intention and accused the person of interference with the library functions. The library user was arrested even though the user had no intention to hack. He was kept in custody for a few days and was released on bail.

Because of lack of knowledge of their own system and the failure of the vendor to advise appropriately, the library director released personal information on a user in violation of both the Statement and the Code as a professional librarian. When investigating this case, it was found that the library system vendor had duplicated the library computer system with the library user’s registration record including name, address, and other personal information along with circulation records into their library systems, thus failing to protect personal identification information and user privacy.

Conclusion and recommendation

These cases raise several issues and recommendations for dealing with them. Lack of training is a major issue. Librarians need library computer system training. Librarians also need sufficient and consistent training in user privacy issues to recognize and understand users’ privacy related to the Intellectual Freedom Statement at Libraries (JLA, 1954, rev. 1979) and the Code of Ethics for Librarians (JLA, 1980). This training should be made available to all library workers including information workers and outsourcing agency staff as well as librarians.

Lack of a clear local user privacy policy and guideline is also an issue. Libraries need to establish rules or guidelines on users’ privacy. The trend of library management outsourcing raises a number of issues. If local authorities outsource library management they should build privacy requirements into the contract and further mandate that contracting businesses share information on these measures with the public. Contracting businesses should also be required to train their workers on library users’ privacy.

As a result of these cases, the Intellectual Freedom Committee of JLA suggested several actions (JLA, 2011):

If a library is considering whether personal information should be given to an outside person or sector, especially to police or other authorities, the potential action must be thoroughly discussed, and, as appropriate, advice sought from the local government’s department on public information scrutiny or an attorney belong to the local government;

Libraries should provide staff with up-to-date training on their library systems;

Local authorities and any library outsourcing library functions to the private sector must be sure the company has guidelines or a code of ethics protecting personal information in libraries.

In addition, libraries should establish rules or guidelines on protecting personal information, and make these rules open to the public. Although the definition of personal information in the Act on the Protection of Personal Information (Japanese Law, 2017) is different from the definition typically used by libraries, each library should discuss this and make its own rules or guidelines. Finally, local government regulations protecting personal information should include library data, too.

In Japan, we cover books read when we read them in public places. This demonstrates the value placed on reading privacy and corresponds with the library and librarians’ protections for readers’ freedom to read. Anyone working in libraries should recognize the mission of librarians, that is, for whom the library is working. The library, especially the public library, is the gateway to a democratic society where people gather information, read books and access information in many formats, gain knowledge, and discuss ideas with others without observation or surveillance.

Footnotes

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

References

IFLA (1999) Statement on Libraries and Intellectual Freedom. The Hague: IFLA. Available at: https://www.ifla.org/publications/ifla-statement-on-libraries-and-intellectual-freedom (accessed 5 September 2017).

IFLA (2012) Code of Ethics for Librarians and other Information Workers. The Hague: IFLA. Available at: https://www.ifla.org/faife/professional-code-of-ethics-for-librarians (accessed 5 September 2017).

Japan Library Association (1954, rev. 1979) Statement on Intellectual Freedom in Libraries. Tokyo: Japan Library Association. Available at: https://www.jla.org.jp/portals/0/html/jiyu/english.html (accessed 5 September 2017).

Japan Library Association (1980) Code of Ethics for Librarians: Approved at the Annual General Conference in June 1980. Tokyo: Japan Library Association. Available at: https://www.jla.org.jp/portals/0/html/ethics-e.html (accessed 5 September 2017).

Japan Library Association (2011) Okazaki-shi no toshokan system wo meguru jiken ni tuite. Tokyo: Japan Library Association. Available at: http://www.jla.org.jp/portal/0/html/jiyu/okazaki2003.html (accessed 5 September 2017).

Japan Library Association (2013) National Survey on Intellectual Freedom at Public Libraries in Japan, 2011. Tokyo: Japan Library Association.

Japanese Law (1947) Local Autonomy Law. Tokyo: Japan Government. Available at: http://nippon.zaidan.info/seikabutsu/1999/00168/contents/095.htm (accessed 5 September 2017).

Japanese Law (1950a) Local Public Service Officers’ Act. Tokyo: Japan Government. Available at: http://elaws.e-gov.go.jp/search/elawsSearch/elaws_search/lsg0500/detail?lawId=325AC0000000261 (accessed 5 September 2017).

Japanese Law (1950b, rev. 1985) Library Law (Law No. 118). Tokyo: Japan Government. Available at: http://www.jla.or.jp/portals/0/html/law-e.html (accessed 5 September 2017).

10.

Japanese Law (1999) Act on Promotion of Private Finance Initiative (Act No. 117 of July 30, 1999). Tokyo: Japan Government. Available at: http://www.japaneselawtranslation.go.jp/law/detail/?id=103&vm=04&re=01&new=1 (accessed 5 September 2017).

11.

Japanese Law (2013) Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (Act No. 27 of May 31, 2013). Tokyo: Japan Government. Available at: http://www.japaneselawtranslation.go.jp/law/detail/?id=2755&vm=04&re=01&new=1 (accessed 5 September 2017).

12.

Japanese Law (2016) Basic Act on the Advancement of Utilizing Public and Private Sector Data [Tentative translation] (Act No. 103 of December 14, 2016). Tokyo: Japan Government. Available at: http://www.japaneselawtranslation.go.jp/law/detail/?id=2871&vm=04&re=01&new=1 (accessed 5 September 2017).

13.

Japanese Law (2017) Act on the Protection of Personal Information [Tentative translation] (Act No. 57 of May 30, 2003, amended in 2017). Tokyo: Japan Government. Available at: http://www.japaneselawtranslation.go.jp/law/detail/?id=2781&vm=04&re=01&new=1 (accessed 5 September 2017).

14.

Mantelero

(2013) The EU proposal for a general data protection regulation and the roots of the ‘right to be forgotten’. Computer Law & Security Review 29(3): 229–235.

15.

s.n. (2010) Kojin jouhou ga ryuushutu toshokan system ni huguai cyber kougeki-mondai mo shazai. Nihon-Keizai-Shinbun, 1 December.

16.

s.n. (2012) Minkan itaku saarani sinka TSUTAYA toshokan saga ni heikan enchou point huyo. Nihon-Keizai-Shinbun, 23 July.

17.

The World Economic Forum (2011) Personal Data: The Emergence of a New Asset Class. Geneva: WEF. Available at: http://www.weforum.org/reports/personal-data-emergence-new-asset-class (accessed 5 September 2017).