Japan Digital Agency Told to Shape Up over My Number Issues; Ordered to Report by October on Measures to Improve

Yomiuri Shimbun file photo
Digital Minister Taro Kono explaining the issue of My Number identification card at the Diet in July.

The government’s Personal Information Protection Commission has finally wagged its finger at the Digital Agency’s slack attempts to deal with problems riddling the My Number national identification system and shortcomings in its management of personal information.

The commission on Wednesday issued administrative guidance to the agency under the My Number law and the Personal Information Protection Law. It also ordered the agency to submit a report on the status of its response to the administrative guidance — the first issued to the agency since it was launched in September 2021 — by the end of October.

Similar guidance also was issued to the National Tax Agency, which erroneously linked My Number identification numbers to the bank accounts of different people with the same name.

Administrative guidance also was issued to Fujitsu Ltd. subsidiary Fujitsu Japan Ltd., a Tokyo-based company that developed and operated a system that enables My Number cardholders to print copies of certificates at convenience stores, but was found to have glitches.

It was also issued to the municipal governments of Adachi Ward, Tokyo; Kawasaki; and Munakata, Fukuoka Prefecture, which failed to prevent certificates from being erroneously issued to the wrong people.

According to the Digital Agency, there were 940 cases in which bank accounts designated for receiving public funds were suspected to have been linked to the wrong My Number cardholder. These errors are believed to have occurred because the users did not log out after completing the registration procedure on shared terminals at these local governments.

The commission criticized these authorities for “not properly verifying the identity of the person throughout the entire registration process.” It also said it would be “desirable” to consider “effective methods” to confirm the identity of people using the system.

After these registration errors were detected, information about the problem was not shared widely within the agency. The commission stated that “systematic safety management measures needed to be improved” because the agency lacked awareness that the cases amounted to information leaks.

‘Law violation’

Hidemi Kataoka, a counsellor at the commission, blasted the agency over the mistakes in the bank account registration process. “Their safety management measures had problems,” Kataoka said at a press conference Wednesday.

Kataoka also said the agency’s delay in notifying the commission was a “law violation.”

Administrative guidance issued by the commission may include “guidance” or “advice,” which call for steps to prevent a recurrence and ensure the appropriate handling of personal information, and “recommendations,” which demand action to rectify malicious illegal behavior. After an investigation that took about two months and included questioning senior agency officials and employees, the commission decided it was necessary to issue “guidance” under the My Number and Personal Information Protection laws.

Lack of awareness

The agency’s tardy response to the problems became evident during the investigation.

The first case of an error with the registration of a bank account was detected in Toshima Ward, Tokyo, in July 2022. A Digital Agency staffer who was contacted about the problem took steps to resolve it, but did not tell senior agency officials about the case.

Reports of similar mistakes later came in from multiple municipal governments, but information on these cases was not widely shared within the agency. Instead, the agency continued to deal with each case individually.

This situation began to change from April this year. After the discovery of a registration error that arose after a user failed to log out in Fukushima City, a city government official contacted the agency and requested that an investigation be conducted “to check whether any other cases had occurred.” The agency confirmed three similar cases in the city. In May, the sequence of events was finally reported to digital minister Taro Kono.

The agency admitted that it initially believed these were “extremely unusual cases.” The commission criticized the agency for “lacking awareness” that the mishaps amounted to personal information leaks, right from the stage when the case in Toshima Ward emerged.

“The agency missed a chance to swiftly deal with the problem,” the commission concluded.

Skepticism remains

The agency was launched in 2021 to serve as a control tower for the government’s digitization policies.

Almost half of the agency’s about 1,000 staffers came from the private sector. Although the agency has a reputation for having a culture of openness, some observers have pointed out that its information gathering and decision making methods were vague. “The agency bears a major responsibility for the frequent mistakes and problems that have plagued the My Number system,” a Liberal Democratic Party senior official said, sharing a view held by many inside the government and ruling parties.

Following the issuance of administrative guidance, the agency revealed Wednesday that it has set up an “emergency case management hotline” for quickly sharing information within the agency. It also announced a plan to provide employees with more extensive training to ensure they thoroughly understand regulations covering the protection of personal information.

The tax agency and municipalities including Adachi Ward also were issued administrative guidance, but only the Digital Agency and Fujitsu Japan were told to submit a report on the status of their steps to improve the situation by the end of October.

“The commission probably only half-believed that we will take sufficient countermeasures,” a stern-faced senior agency official said. “We must show unwavering resolve in taking steps to prevent these mistakes from happening again.”