Data & Privacy Governance

Basic Approach

"Safety and Trust" is the ANA Group's unwavering promise to our customers, and in the handling of personal data, in order to protect the privacy of its customers, each and every employee always bear in mind the safety and security of our customer data.
The personal data entrusted to us is handled with the strictest care and is protected and managed in accordance with the laws and regulations of various countries, including Japan's Personal Information Protection Act. Also, in the utilization of personal data for the expansion of a "World where people can live on miles = the ANA Economic Zone", we are continuously strengthening our mechanisms and systems to protect privacy in consideration of the ethical appropriateness.

Privacy Governance Fundamental Policy and Principles of Conduct

The Fundamental Policy and Principles of Conduct are formulated so that all ANA Group employees together sincerely respect our customers and maintain safety and security in the management and utilization of the personal data entrusted to us, just as in the operation of flights.

Fundamental Policy

-The ANA Group respects the needs and rights of each individual customer and protects their privacy
by handling the important personal data entrusted to us in a lawful and appropriate manner.-

  • To achieve our vision of "Uniting the World in Wonder" through inspiration and empowerment:
    While creating a "World where people can live on miles = the ANA Economic Zone", we act with sincerity and respect for our customers in the utilization of personal data, not simply by complying with laws and regulations, but by proactively aligning our approach to privacy with social demands and quickly evolving times.
  • To continue to uphold the ANA Group's promise of "Security and Trust":
    With the same philosophy of safety for flight operations, each and every employee always bears in mind the safety and security of our customer data when handling personal information, and the ANA Group as a whole continuously improves the mechanisms and systems in place to enhance privacy protection.

Principles of Conduct

  • Ensure the security of all personal data handled by the ANA Group.

    For the comfort and peace of mind of our customers and all stakeholders*, we conduct regular internal information security assessments and inspections, take necessary measures against external cyber-attacks and other potential threats, and handle every piece of personal data entrusted to us with the strictest care. (*ANA Group employees, business partners, shareholders, etc.)

  • Create new value by utilizing personal data in a privacy-conscious manner to bring smiles and joy to our customers.

    With core values of security and trust at heart, we deliver experiences that exceed our customers' expectations through development of inspiring and exciting products and services while responding to the ever shifting needs of society.

  • Ensure transparency in data utilization and fulfill our social responsibility.

    We enhance transparency and reliability by providing comprehensible explanations and disclosing information that reassures customers about the types of personal data we collect from them and how it is used.

  • Be aware of our philosophy and policies regarding privacy protection at all times and make every effort to pursue proper privacy governance.

    We earnestly pursue the ideal structure of privacy governance from the customer's perspective, and raise the awareness of each and every employee through education and awareness-raising, leading to the continuous improvement of our privacy protection mechanisms and systems.

  • Be committed to protecting the privacy of our customers around the world.

    While striving to comply with laws and regulations including those of foreign countries, we continuously endeavor to strengthen governance from a global perspective in collaboration with third parties such as business partners and experts.

The Organizational Structure for Privacy Protection

The Group ESG Management Promotion Committee discusses core policies and measures in accordance with the fundamental policy and principles of conduct decided by the Board of Directors and ANA Group Personal Information Protection Rules, which stipulate the basic terms of the group's personal information protection.
The Chief ESG Promotion Officer (CEPO) is responsible for overseeing the personal information protection operations within ANA Group. Also, each group company has its own privacy protection system in place by appointing the ESG Promotion Officer (EPO) as a Chief Officer for Personal Information Protection, and the ESG Promotion Leader (EPL) as a Personal Information Protection Officer.

Under the fundamental policy and principles of conduct determined by the Board of Directors, the "Group ESG Management Promotion Committee" discusses core policies and measures. The Group ESG Management Promotion Committee provides instructions and supervision to the Chief ESG Promotion Officer (Executive Officer in Charge of Group Risk & Compliance). If necessary, the ANAHD Internal Audit Department attends the Group ESG Management Promotion Committee as an observer. The secretariat is responsible for overall coordination and operation of the Group ESG Management Promotion Committee. The Chief ESG Promotion Officer serves as the Commanding Chief Officer for Personal Information Protection of the ANA Group. Under the Commanding Chief Officer for Personal Information Protection, the Group General Affairs Department (Data & Privacy Governance Team) is established as the Personal Information Protection Supervisory Division to assist the Commanding Chief Officer for Personal Information Protection. In addition, in the event of an incident related to the system, the ANA Group CSIRT (specialized team for responding to security incidents), which is made up of the Group General Administration, Group IT Department, and ASY, and which is established under the Group CIO, will respond promptly. In each company of the ANA Group, the ESG Promotion Officer serves as the Chief Officer for Personal Information Protection, and under them, the ESG Promotion Leader is appointed as the Personal Information Protection Officer. Furthermore, Information Owners (department managers) and System Owners are placed between the Personal Information Protection Officer and Management and Employees to establish a privacy protection system.

Major Initiatives

Ensure the security of all personal data

Ensuring thorough information security
The ANA Group strives to ensure confidentiality, integrity, and availability by improving information system functions, taking security measures through multilayered defenses and implementing thorough security measures to protect customers’ personal data from external cyberattacks and other threats.

For more details, see Information Security.

Utilizing personal data in a privacy-conscious manner

PIA (Privacy Impact Assessment)
PIA is a system to evaluate how businesses and services that utilize customers' personal data may affect their privacy. In order to identify and mitigate privacy risks, the ANA Group conducts PIAs at the planning stages of targeted businesses and services as well as prior to the release of systems.

Ensure transparency

We disclose our internal structure and initiatives regarding privacy governance in various reports such as the Annual Report and on our corporate website. Furthermore, we are exploring ways to provide easy-to-understand explanations to our customers regarding the utilization of their personal data and mechanisms that enable customers to proactively control their own information.

Education and awareness-raising

We provide education to ensure that each and every employee understands the importance of privacy protection and the proper handling of personal data. We also engage in awareness-raising activities by providing up-to-date information and FAQs on privacy and data protection via our internal website, to foster a culture of constantly being conscious of our privacy protection principles and policies.

Strengthening governance with a global perspective

Compliance with laws and regulations in each country
We regularly revise our privacy policies and internal regulations to comply with domestic and international laws and regulations regarding personal information protection. We ensure appropriate compliance with the Amended Act on the Protection of Personal Information of Japan as well as changes in regulations in various countries such as the United States, Europe, China, and Thailand.

Checks and audits
To ensure and confirm compliance with laws and internal regulations among companies within and outside the ANA Group, we conduct inspections of the handling of personal data. These inspections are primarily carried out by the Privacy Protection Department, and regular self-assessments by departments and companies concerned are also performed. Additionally, internal audits are conducted by the Audit Department, taking a fair and objective standpoint.

Incorporating an external third-party perspective
To ensure that we understand the demands of society and further improve our governance structure, we incorporate the perspectives of outside experts and continuously exchange opinions with other companies that have advanced privacy protection initiatives.