親子会社間で情報共有に注意

企業法務

ベネッセの大量な顧客情報の流出が世間を騒がせています。営業秘密侵害罪（不正競争防止法違反）で刑事事件となる見通しです。今回の事件は、関連会社に顧客情報のデータベース管理を任せていたところ、その下請け業者の従業員が業務目的外で持ち出した疑いがあるということです。

不正な情報提供は論外です。しかし、企業は顧客情報、従業員情報などの個人情報を扱いますから、親会社と子会社の間で、子会社の従業員の情報を親会社が知る場合や親会社の情報を子会社に提供することが必要な場合など、情報共有が課題となることも少なくありません。

もっとも、親会社も子会社も別法人である以上、それぞれが社内で個人情報を扱う場合は異なる注意が必要です。個人情報の取扱いは、原則として本人の同意がなければ、第三者に提供することはできません。親会社が子会社に個人情報を提供する場合やまたその逆の場合も、第三者への情報提供に該当することになります。

個人情報保護法二十三条には、その例外規定があり、利用目的の範囲内では、本人の同意は不要となることがあります。

本人の求めに応じて第三者への提供を停止することにしている場合（オプトアウト）や、合併その他の理由による事業承継に伴って情報提供される場合、共同利用について利用者の範囲や目的、責任者を予め本人に通知するか、または本人が容易に知りうる状態においている場合などです。

欧州では個人情報保護に関する法律も日本よりも厳しいので、尚更気を付ける必要があります。

定型的な情報でなく、技術や営業秘密などの重要な情報の場合には、より一層、双方の会社で万全な管理体制が必要です。親子双方の会社において秘密と扱っていなければ、不正競争防止法の「営業秘密」とは扱われません。両社が経済産業省の営業秘密管理指針を参考に、記憶媒体や安全策にも留意してそれぞれが管理することです。それぞれの会社で、第三者情報を保持する契約を結んだ場合は、秘密情報の開示可能な範囲を特に注意します。

つまり、親会社の情報管理体制を子会社にコピーしただけでは不十分であり、それぞれに、関係に応じた情報管理をしたうえで、共有化を図ることが大切だと思います。

密接に関連している業務の情報漏えいによって、親子双方の存立を脅かすことのないように注意したいものです。

〈中部経済新聞　「中経論壇」平成26年７月２９日掲載　池田桂子　〉

Note : To share information between the Company and its subsidiaries
The information shared between the Company and the subsidiaries of Benesse Corporation has been plagued with trouble due to the outflow of a large amount of customer information data. The outflow of said customer information would be prosecuted as a criminal trade secret infringement crime in (the Unfair Competition Prevention Law violation). This incident was caused because Benesse Inc. had left the data with a subcontractor management firm and that information that of the (customer information database) fell into the hands of an employee of the subcontractor who then took the data against the business contract entered between Benesse Corporation and the sub contactor, thus violating the law.

Of course, sharing information that has been obtained illegally is strictly forbidden and completely out of question. However, in companies doing business between a subsidiary and the parent company when it becomes necessary to be in the possession of the parent company’s personal information, or customer information, they may have to provide the information of the parent company elsewhere or transversely if the parent company for its own internal record keeping, needs to know the information of the employees of a subsidiary, in that regard it may be a necessity to share that information back and forth between the parent company and a subsidiary.

One thing for is sure, a subsidiary and the parent company are each separate legal entities. They need to be diligent and extremely careful as how they deal with personal information in-house between each other. Without the express consent of a person involved, the handling of that personal information cannot be provided to any third party. Vice versa, it is appropriate to provide information under permissions of a third party and hence the parent company then is able provide personal information to the subsidiary.

Article 23 of the Personal Information Protection Act, has exceptions, within the scope of the purpose of use, consent is not required. If you are providing information in accordance with the business succession and (opt-out), by reason of a merger or other issue in the frame work of the article, as well as some other issues within the range of users for joint use if you have decided to stop providing data to a third party at the request of a person. For example, if you issue a statement in person, or notify the person in advance verbally or in writing, as to the dissemination of personal data for a specific purpose, the responsible person is then easily made aware of that data being used.

Since strict laws are in place as too the protection of personal information in Japan and in Europe, you need to keep that in mind and be even more diligent as to the security of personal information.

Needless to say, in the case of important or sensitive information such as proprietary trade secrets and or technology, more and more, you must have a thorough management system in place within the company. And if not dealt with and kept secret both in parent company and a subsidiary, it is not treated in the Unfair Competition Prevention Law as “trade secrets”.

It is that reference to the trade secret management guidelines of the Ministry of Economy, Trade and Industry, each of which manages to pay attention to safety measures and the storage medium of companies. If a company has entered into and signed a contract to hold a third party’s information special attention can be put into place so as to not disclose secret information.

In other words; I think that it is not enough that a subsidiary of a parent company copy the information within a management system of the data from a parent company, in terms of each related company they have to establish management systems first and then when it is able to reside in a secure environment it can then readably available to share that important information mutually and securely.

Please take care to note the importance of information leakage in business, so as not to threaten the existence of both the parent and child.