
Safety and Security

Personal Information Protection

Relevant GRI Standards: 103-2

Relevant SDGs





Policies and Concepts

The NTT Group has been entrusted with a considerable quantity of personal information, ranging from data on individual customers to that of corporate customers. In recent years, our customers' concern over protection of personal information has only increased. Meanwhile, the importance of enforcing personal information protection and information management is growing in terms of laws and regulations, as seen in the revision of Japan's Act on the Protection of Personal Information in 2017 and the enactment of the EU's General Data Protection Regulation (GDPR) in 2018.

Under these circumstances, personal information leakage could have various repercussions for the NTT Group in the operations of its businesses, including damage to its corporate value and loss of customers, which makes it essential to rigorously manage personal information as a top priority.

Organization for Implementation

Under the NTT Group Information Security Policy, we disclose on our website specific policies for protecting the personal information of customers and shareholders and policies for protecting personally identifiable information required by Japan's Social Security and Tax Number System. In this policy, we also define how we respond to requests for disclosure, correction, and suspension of use related to the personal information retained by the NTT Group. We have also put in place a security management system that ensures thorough and rigorous security practices, with the Chief Information Officer (CISO) placed in charge (see page 054).

Policy on Protecting Personal Information

Main Initiatives

NTT has systematic security control measures, human security control measures, physical security control measures, and technical security control measures in place for handling our customers' personal information.

  1. Systematic security control measures
    We have created a statement outlining how our management systems are built, covering matters such as placing a person responsible for management of the committee and each organization and establishing internal regulations, management ledgers, and process management charts. We are also building management systems to handle ongoing improvements.
  2. Human security control measures
    All employees who handle customers' personal information are informed and made aware of the importance of protecting this information, regardless of whether they are officers, regular employees, or temporary employees. We ensure employees conclude non-disclosure agreements and provide necessary auditing and supervision to ensure their effectiveness.
  3. Physical security control measures
    We enact various measures, including controlling access to the physical equipment that handles customers' personal information and to the floors where it is kept, measures to prevent theft, measures to prevent damage to customers' personal information during incidents such as fires and lightning strikes, and the use of locks when taking out, moving, or storing systems and documents.
  4. Technical security control measures
    We have put in place various technical security control measures, such as access management for personal data (including authentication, authority administration, control, and recording), countermeasures against viruses and malware in systems, measures for sending and receiving information (including encryption and clarification of responsibility), and the monitoring of information systems.

Each domestic company in the Group has established a personal information protection system in line with its business and based on the revised Act on the Protection of Personal Information. We are consistently pursuing initiatives to protect information, including stringent measures on the physical and systems aspects of security and appropriate supervision of outsourcing contractors.

Main Initiatives of Domestic Group Companies

  • Establishment of internal rules and regulations
  • Employee training to ensure appropriate implementation of the above rules and regulations
  • Establishment of an organization to promote information security management
  • Establishment of a security management system for preventing illegal access to information and its loss, alteration, or leakage, as well as for managing antivirus measures and the physical transfer of information

In addition, NTT Group companies that conduct business globally conform to the laws and regulations of the various countries.

To conform to the EU's General Data Protection Regulation (GDPR) enacted in May 2018, Group companies are promoting compliance following discussions within the NTT Group. They implement the measures necessary for the acquisition of personal information and its transfer outside of the EU, and, based on the EU regulation and other countries' regulations, are taking actions with respect to the sharing of employee information among NTT Group companies in Japan and overseas.

Establishment of Contact Points on Personal Information

NTT has set up the Customer Contact Point on Personal Information, and similar contact points for services related to personal information have been set up at each NTT Group company. Since NTT is a holding company that does not directly provide telecommunications services, inquiries regarding personal information related to services are redirected to the contact points of the operating companies concerned.

Additionally, inquiries regarding the handling of personal information under laws and regulations are redirected to the person responsible for information security at the operating companies concerned.

Nippon Telegraph and Telephone Corporation Customer Contact Point on Personal Information

Email :