Enacted on November 29, 2022
Revised on January 16, 2024

This privacy policy (hereinafter referred to as "the Policy") sets out how personal information of users of the research data management service "GakuNin RDM" (hereinafter referred to as "the System") provided by the National Institute of Informatics (hereinafter referred to as "NII") shall be handled as follows. The definition of the terminology shall conform to the terms of use（国立情報学研究所研究データ管理基盤利用規程）and the attached detailed provisions.

The System is operated by NII following an application from a user institution, and the personal information of the users is also acquired by the user institution. The handling of the personal information of the users acquired by the user institution shall be done in accordance with the rules of the user institution.

(Personal and Other Information to be Acquired)
Article 1. NII shall acquire the following personal information of the users via the System
(i) Attribute information such as eduPersonPrincipalName (ePPN), organizationName, displayName, e-mail, etc. registered in the GakuNin IdP of a user's affiliated institution
(ii) Information registered in the user profile of the System
(iii) Access history, usage history, etc. of the System
(iv) Information registered by a user institution at the time of application for use of the System

(Appropriate Management)
Article 2. NII shall appropriately manage the personal information of the users in accordance with theregulations ( 情報・システム研究機構情報セキュリティ対策規程 ), and shall take measures to prevent unauthorized use and disclosure of such personal information.

(Purposes of Use)
Article 3. NII shall use the personal information of the users for the following purposes of use and within the scope permitted by laws and regulations, except in cases where there is a risk of unreasonable infringement of the rights and interests of the individuals.
(i) For notification and communication to the users
(ii) For identity proofing prior to the use of the System by the users
(iii) To understand and analyze the usage of the System by the users, and to improve the service contents of the research data management service via the System and other services of NII
(iv) To understand and analyze the usage status and results of the usage of the System and other services of NII by the users, and to use them for academic research
(v) To analyze information in response to security incidents, etc., and to contact the person concerned or a third party

(Disclosure to Third Parties)
Article 4. NII shall not provide the personal information of the users to any third party, except in the following cases. NII shall not provide the personal information of the users to any third party even in the following cases if there is a risk of unreasonable infringement of the rights and interests of the individuals.
(i) In case there is the consent of the user
(ii) In case it is permitted by laws and regulations
(iii) In case of publishing or teaching the results of academic research
(iv) In case it is necessary to provide the information to a third party who conducts academic joint research with NII, or to a third party who has academic research purposes with the consent of NII
(v) In case of providing the information to third parties, including institutions, in order to respond to security incidents, etc.
2 NII may use the data containing the personal information of the users of the System by matching it with the data containing the personal information of the users of other services provided by NII.
3 NII may provide data containing the personal information of the users of the System in a statistical form to the relevant institutions, or may publish such data.

(Retention Period)
Article 5. In principle, the retention period of data containing the personal information of the users of the System shall be at least ten years from the end of the fiscal year in which the institution that approved the use of the System by the users terminates the use of the System as an institution (including the expiration of the period of use or the cancellation of approval for use). Provided, however, that the personal information that directly identifies a specific individual is disposed of within one year from the end of the fiscal year in which the use is terminated, or is processed into a form that does not identify the individual.

(Contact Information)
Article 6. The contact point for disclosure, correction, etc. of the personal information of the users of the System and for inquiries shall be as follows.

Scholarly and Academic Information Division, Cyber Science Infrastructure Development Department, the National Institute of Informatics

(Revision, etc.)
Article 7. NII may revise the Policy as required. Prior to any revision, NII shall post the revised Policy on the homepage of the System or notify the users in a manner that NII deems appropriate.