Regulatory Considerations for Product Development
Using Personal Information
Please note: This page is written mainly for Japanese startups and has been machine translated. Please refer to the original Japanese for accuracy. For overseas firms, doing business in Japan typically requires Japanese-speaking staff or local support.
Summary
The key legal systems, guidelines, and required actions for each phase of business activity are as follows.
| Business Activity | Key Laws and Guidelines | Required Key Actions |
|---|---|---|
| Treatment and Data Collection Using Medical Devices | Act on the Protection of Personal Information / 3 Ministries 2 Guidelines | Obtaining clear consent for treatment (informed consent), thorough implementation of security measures. |
| Collaborative Research with Universities (Academic Purposes) | Ethical Guidelines for Life Science and Medical Research Involving Human Subjects | Approval from an ethics review committee, use of existing information through public disclosure and providing an opportunity to opt-out. |
| Commercial RWD Registry Construction | Next Generation Medical Infrastructure Act | Collaboration with or obtaining certification as an accredited business, prior notification to patients by medical institutions, and implementation of opt-out procedures. |
| Medical Device Development and Regulatory Application | Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (PMD Act) | Establishment of a QMS compliant with IEC 62304, cybersecurity measures, and application for approval to the PMDA. |
Act on the Protection of Personal Information (APPI)
Overview
A law aimed at protecting the rights and interests of individuals while considering the utility of personal information. Medical information, in particular, is classified as "sensitive personal information" and requires stricter handling.
Reference: Guidelines for the Proper Handling of Personal Information in Medical and Long-Term Care Businesses (April 2022 Version)
Key Considerations
- In principle, explicit consent from the individual is required to acquire and use sensitive personal information, such as medical data.
- When secondarily using data obtained for treatment purposes for commercial purposes like medical device development, it is generally necessary to specify the purpose and obtain new consent (opt-in).
- When obtaining consent via a website, it is essential to have a mechanism where the individual can actively indicate their consent (e.g., a checkbox) and to properly record that consent.
- There is an obligation to take necessary and appropriate security control measures to prevent leakage, loss, or damage of collected personal data.
3 Ministries 2 Guidelines (Guidelines for Safety Management of Medical Information Systems)
Overview
A common name for a set of guidelines established by the Ministry of Health, Labour and Welfare (MHLW), the Ministry of Economy, Trade and Industry (METI), and the Ministry of Internal Affairs and Communications (MIC). They outline the security management standards that providers of medical information systems and services must comply with, aiming to protect and properly use medical information.
Reference: Guidelines for Safety Management of Medical Information Systems, Version 6.0 (MHLW)
Key Considerations
- These guidelines apply not only to medical institutions but also to businesses that develop and provide medical information systems and services.
- Comprehensive measures are required from four perspectives: organizational, human, physical, and technical security management.
- When handling medical information under contract, businesses are responsible for explaining their compliance status to the contracting medical institution.
- Compliance with these guidelines is a de facto industry standard and is essential for gaining the trust of business partners.
Ethical Guidelines for Life Science and Medical Research Involving Human Subjects
Overview
These guidelines establish the principles that all parties involved in medical research must adhere to, aiming to promote proper research while respecting human dignity and rights.
Key Considerations
- These guidelines apply strictly to academic research with universities and cannot be directly applied to commercial business activities like medical device development.
- Before conducting research, it is necessary to obtain approval for the research plan from an ethics review committee.
- When using existing clinical information for academic research, it may be possible to omit individual consent by notifying subjects or disclosing information about the research and providing an opportunity to opt-out.
Next Generation Medical Infrastructure Act
Overview
A special law under the Act on the Protection of Personal Information that establishes a framework for the safe and smooth utilization of medical information to contribute to research and development in the medical field.
Reference: About the Revised Next Generation Medical Infrastructure Act (MHLW)
Key Considerations
- This act provides the substantive legal basis for collecting sensitive medical information from medical institutions for commercial purposes.
- Data is collected through entities that are nationally accredited to process anonymized medical data.
- Medical institutions can provide data without individual patient consent by notifying patients in advance and providing an opportunity to opt-out.
Act on Securing Quality, Efficacy and Safety of Products Including Pharmaceuticals and Medical Devices (PMD Act)
Overview
A law to ensure the quality, efficacy, and safety of pharmaceuticals and medical devices. Medical devices that use data, including personal information, are also subject to this act.
Key Considerations
- Medical devices, especially those with software or network connectivity, are required by the Essential Requirements standards under the PMD Act to implement cybersecurity measures.
- In all development processes, including for pharmaceuticals and regenerative medicine products, there is a duty to protect personal information handled in clinical trials and post-market surveillance and to ensure data reliability based on standards like GCP and GVP.
- For regulatory approval (marketing application), the submitted clinical data must have been collected with patient privacy protected and be accurate. Improper information management can undermine the credibility of the application materials.
Consult a Lawyer
Once the business model is solidified, it's advisable to consult a lawyer specializing in the use of personal information in the medical field.
TIPS
It is a good practice to first consult with the MHLW's MEDISO (Medical Device Innovation Support Office) to understand the general framework and direction. Then, you can seek detailed paid consultation from a lawyer for tasks like drafting contracts.