JP3799479B1 - Personal information management system, personal information management server, and personal information management program - Google Patents

Abstract

[PROBLEMS] To prevent inadvertent transmission of contents that are deemed unnecessary for users, to reliably prevent inadvertent leakage or leakage of personal information and unauthorized use of personal information, and to protect personal information Is realized.
For each user who can access a personal information capsule from a client terminal, a filter that defines personal information elements that can be used by the user is set, and the user requests access to the personal information capsule. The personal information element in the personal information capsule is filtered using the filter set for the user to extract the personal information element usable by the user from the personal information capsule, and the extracted personal information The element is transmitted to the client terminal 20 as a personal information file.
[Selection] Figure 1

Description

  The present invention manages personal information capable of identifying a specific individual as a data set (personal information capsule) composed of a plurality of personal information elements related to the specific individual, and the contents corresponding to each user from the personal information capsule It is related with the technique for implement | achieving the provision service of a personal information which takes out and uses for each user.

For example, the following Patent Document 1 discloses a technique for managing personal information of a mobile terminal such as a mobile phone, a telephone to a personal computer, and an e-mail sender via a network. In the technique disclosed in Patent Document 1, a user uses a network from a calling terminal, registers personal information such as name, address, telephone number, mail address, and photo in a personal information management server, and sends the information. If the personal information notification permission is set when sending a call or e-mail from the terminal to the receiving terminal, the server receives the telephone number and e-mail by performing the personal information acquisition operation from the receiving terminal that received the call or e-mail. The sender's personal information is searched using the address as an index, and the searched personal information is transmitted from the server to the receiving terminal.
JP-A-2005-51475

By the way, in the system that provides personal information to the user as in the technique disclosed in Patent Document 1, the personal information registered in the personal information management server is transmitted as it is to the user who performed the personal information acquisition operation.・ It will be provided.
There is a growing awareness of the protection of personal information, and it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. Rather than sending / providing personal information with the same content to the user, it is possible to send / provide only personal information according to the user's content. It is desired to prevent inadvertent transmission of elements).

  For example, when a user browses and uses personal information of a specific individual while managing personal information including various personal information elements that can identify a specific individual in a company, etc. If you are a personal supervisor or administrator, you can view and use detailed contents (personal information elements), while if you are a colleague or subordinate, you can view and view only a part of your personal information. It is desired to construct a system that can provide a user with only personal information elements having contents corresponding to the user, such as making it usable.

  The present invention was devised in view of such a situation, so that only a personal information element having contents corresponding to the user can be provided to a user who uses personal information about a specific individual. Prevents inadvertent transmission of content that seems unnecessary to users, ensures the prevention of inadvertent leakage / leakage of personal information and unauthorized use of personal information, and realizes protection of personal information The purpose is that.

To achieve the above object, the personal information management system of the present invention (Claim 1) is a personal information capable of identifying a specific individual, a data set (hereinafter referred to as a data set) composed of a plurality of personal information elements related to the specific individual. A management server managed as a personal information capsule), and a client terminal connected to the management server so as to be able to communicate with each other and capable of accessing the personal information capsule and using a personal information element in the personal information capsule The management server generates a personal information capsule from the client terminal, a storage unit that stores the personal information capsule generated by the generation unit, and the personal information capsule stored in the storage unit. For each accessible user, a filter setting means for setting a filter that defines personal information elements that can be used by the user; An access request receiving means for receiving an access request for the personal information capsule from the client terminal through the client terminal, and when the access request is received by the access request receiving means, the filter setting means for the user who sent the access request Filtering means for extracting personal information elements available to the user from the personal information capsule by filtering the personal information elements in the personal information capsule using the set filter, and the filtering means And a personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule as a personal information file to the client terminal. The client terminal manages the access request for the personal information capsule. Send to server That the access request transmitting means, and personal information file receiving means for receiving said individual information files corresponding to the access request from the management server, and changing means for changing the contents of said individual information capsules stored in said storage means When the contents of the personal information capsule are changed by the changing means, the invalidation for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal before the change And a digital signature for the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Personal information for searching personal information from data in the digital signature attaching means and data in the client terminal The personal information searched by the searching means and the personal information searched by the personal information searching means is not given the digital signature by the digital signature adding means, and the user of the client terminal holding the personal information Is registered as a management target of the management server, the personal information is registered and stored in the storage unit as a personal information capsule, and the digital signature is attached to the personal information searched by the personal information search unit If the digital signature by the means is not given and the user of the client terminal holding the personal information does not want to register the personal information as a management target of the management server, the personal information It is characterized by comprising deletion means for deleting from the client terminal .
At this time, the exploration means extracts the text data of the data aggregate included in the data in the client terminal, and the character section delimited by the delimiter from the text data extracted by the extraction means. Determination of whether or not the character string in the character section extracted by the cutting means and the character section satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition To determine whether it corresponds to any one of a telephone number, an e-mail address and an address, which is a personal information element other than the name, and a telephone by the first determination means The number of characters in the character section determined not to correspond to any of the number, e-mail address, or address is within a predetermined range. The character determination means for determining whether or not the character in the same character section is a kanji, and the character section determined by the character determination means to be within the predetermined range and to be a kanji are included in the character section. By comparing a character or character string with an improper character or inappropriate character string preset as a Chinese character or character string that cannot appear in the name, the character section becomes the inappropriate character or inappropriate character string. Collating means for determining whether or not to include the number of character sections determined by the first determining means to correspond to any one of a telephone number, an e-mail address and an address, The number of character sections determined not to include appropriate characters or inappropriate character strings is counted, and based on the count result, the data aggregate May be configured by comprising a second determining means for determining whether a human information (claim 2).

Further, the management server encrypts the personal information file transmitted by the personal information file transmitting means using an encryption key corresponding to the client terminal of the transmission destination, creates an encrypted file, and An encryption unit that causes the personal information file transmission unit to transmit a file as the personal information file, an authentication information reception unit that receives authentication information about the encrypted file from the client terminal, and an authentication information reception unit that receives the file. And determining means for determining whether or not the client terminal is a valid transmission destination of the encrypted file based on the authentication information, and determining by the determination means that the client terminal is a valid transmission destination. And a decryption key transmitting means for transmitting a decryption key for decrypting the encrypted file to the client terminal. In addition, when the client terminal opens the encrypted file that is the personal information file received by the personal information file receiving means, the authentication information about the encrypted file is transmitted to the management server. Authentication information transmitting means, decryption key receiving means for receiving a decryption key corresponding to the encrypted file from the management server, and decrypting the encrypted file using the decryption key received by the decryption key receiving means And a decryption means for restoring the original personal information file (claim 3 ).

The management server further comprises conversion means for converting the personal information file transmitted by the personal information file transmission means into a completed document file having a container function, and the encryption means of the management server includes The completed document file is encrypted with the original file of the personal information file attached to the completed document file obtained by the converting means using the container function, and the encrypted completed document file is You may make it transmit to this personal information file transmission means as a personal information file (Claim 4 ).

At this time, the management server is further configured with access authority setting means for setting a predetermined access authority for the encrypted file in accordance with a user to whom the personal information file is transmitted, and in the client terminal, The user may be configured to be allowed access according to the access authority set by the access authority setting unit as access to the personal information file restored by the decryption unit (claim). 5 ).

The client terminal further comprises editing means for editing the original file extracted from the completed document file which is the personal information file restored by the decryption means, and the user When the authority setting means sets the extraction authority to extract the original file from the completed document file and the editing authority to the extracted original file as the predetermined access authority, the editing is performed at the client terminal. The original file may be permitted to be edited by the means (claim 6 ). At this time, in the client terminal, the original file edited by the editing means is other than the completed document file. It may be configured to be prohibited from being stored in ( Claim 7 ).

Further, the management server may further comprise log recording means for recording a history of transmission of the personal information file executed in response to an access request for the personal information capsule from the client terminal as a log. (Claim 8 ).

In such a personal information management system, the invalidation means of the management server invalidates the personal information file by changing the decryption key to be transmitted to the client terminal by the decryption key transmission means. may be (claim 9), by prohibiting the transmission of the decoding key by the the decoding key transmission means, may be to disable the individual personal information file (0 claim 1), recorded by the log recording unit Even if the personal information file is invalidated by transmitting an instruction to delete the personal information file to the client terminal to which the personal information file is transmitted based on the recorded log, and causing the client terminal to delete the personal information file. Good (Claim 1 1 ).

Furthermore, when the management server invalidates the personal information file by the invalidation means, the user is notified of that fact by re-execution of the access request for the personal information capsule. It may be configured to have a notification means for prompting the user (claim 1 2 ).

And the personal information management server (Claims 1 3 to 2 2 ) of the present invention corresponds to the management server in the personal information management system (Claims 1 to 5 and 8 to 12 ) of the present invention described above, The personal information management program of the present invention (claims 2 3 to 32 ) causes a computer to function as the personal information management server of the present invention (claims 1 3 to 2 2 ).

  According to the present invention described above, in the personal information management server (management server), personal information that can identify a specific individual is centrally managed as a personal information capsule that is a standardized data set. For each user who can access the personal information capsule from the client terminal, a filter that defines the personal information element that can be used by the user is set. The personal information element in the personal information capsule is filtered using the filter set for the user, and the personal information element usable by the user is extracted from the personal information capsule, and the extracted personal information element Is transmitted to the client terminal as a personal information file. This allows users who use personal information about a specific individual to be provided with only the personal information elements of the content according to the user, so content that seems unnecessary for the user is inadvertent The personal information can be prevented from being transmitted unintentionally, and inadvertent leakage / leakage of personal information and unauthorized use of personal information can be reliably prevented, and personal information can be protected.

  At this time, the personal information management server is configured to invalidate the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal. If it is changed, the personal information file before the change will be invalidated and no one will be able to use it. It can be surely protected. Also, if the user recognizes that the personal information file can no longer be used due to the invalidation of the personal information file, the user can request access again to obtain the latest personal information file after the change. Become. When the personal information file is invalidated, the management server automatically notifies the client terminal to that effect so that the user can be prompted to re-execute the access request for the personal information capsule. If the user makes an access request again at his / her own discretion, the latest personal information file after the change can be obtained, and the convenience for the user can be improved.

In addition, it is confirmed that the personal information capsule or personal information file has not been tampered with by giving a digital signature to the newly generated personal information capsule or changed personal information capsule or personal information file in the management server. It can be guaranteed and counterfeiting by a third party can be prevented. At that time, the personal information is searched from the data in the client terminal, and if the digital information is not attached to the searched personal information, the personal information is deleted from the client terminal. Personal information that is not assigned a digital signature at the server is not under the management of the management server, and is judged to be personal information created locally on the client terminal or the like, and is automatically deleted from the client terminal. . As a result, only the personal information managed centrally by the management server exists and is used in the system of the present invention, and the personal information can be reliably managed and reliably protected.
In particular, in the exploration means of the present invention, a character section that does not correspond to any of a telephone number, an e-mail address, and an address and includes an inappropriate character / unsuitable character string is considered not to relate to personal information, A character section that does not correspond to any of a telephone number, an e-mail address, and an address and does not include an inappropriate character / unsuitable character string is considered to be related to a name. Therefore, for the character section determined to correspond to any one of the telephone number, e-mail address, and address, the determination process is terminated when the determination is made, and any of the telephone number, e-mail address, or address is terminated. Is also checked for inappropriate characters / unsuitable character strings only for character sections determined to be not applicable, and it is determined that even one inappropriate character / unsuitable character string is included in the character section. At that point, the collation process can be terminated, so that the name collation process can be performed at a higher speed than the method that collates with all the name strings included in the name list, that is, the personal information file search process Can be performed at high speed. In addition, since all character sections that do not contain inappropriate characters / unsuitable character strings are considered to correspond to names, it is possible to include electronic files that do not contain inappropriate characters / unsuitable character strings for names, that is, name information. It is possible to reliably search an electronic file that is highly likely to be a personal information file. That is, the number of electronic files that are determined to be personal information files by the searching means of the present invention increases, and electronic files that are highly likely to be personal information files (suspicious electronic files) can be reliably identified. Furthermore, since it is determined whether or not the number of characters in the character section is within a predetermined range and all the characters in the character section are kanji, and only character sections that satisfy this character determination condition are targeted for verification, The character section is narrowed down to the character section having a higher possibility of the name, so that the name collation accuracy can be improved and the name collation process can be performed at high speed. In addition, since a long character section whose number of characters exceeds the predetermined range is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Since the personal information file can be automatically identified and searched by the above-described search method by the search means of the present invention, without obtaining human cooperation and without placing a special load on the person in charge, For example, a personal information file (an electronic file that is likely to be a personal information file) that exists in a distributed manner within a company, etc., is searched and identified, and personal information is inadvertently leaked or leaked, or personal information is illegally used. Can be reliably prevented.

  Furthermore, when the personal information file is transmitted from the management server to the client terminal, the personal information file is encrypted using an encryption key corresponding to the destination client terminal, transmitted as an encrypted file, and authenticated by the management server. The content of the personal information file sent from the management server to the client terminal is configured so that only the legitimate user (the user of the client terminal that is the legitimate destination) can decrypt and access the encrypted file. Can be reliably prevented from being inadvertently leaked, leaked, or illegally used, and personal information can be reliably protected.

  In the management server, the personal information file is converted into a completed document file having a container function, and the completed document file is encrypted with the original personal information file attached using the container function. The personal information file is transmitted as a complete document file that is difficult to falsify, and the original file attached by the container function is used while preventing the personal information file from being falsified and used illegally. It is also possible to perform operations such as editing. However, in this case, editing and other operations can be performed only by users who have been given the access authority to retrieve or edit the original file, and the original file after editing on the client terminal is not a completed document file. By prohibiting the data from being stored in the file, it is possible to reliably prevent the original file from being inadvertently leaked or leaked or illegal use of personal information.

  In addition, the management server records the personal information file transmission history executed in response to the access request for the personal information capsule from the client terminal as a log, thereby managing the access status to the personal information capsule. Since access to the personal information file can be tracked and managed, unauthorized use of personal information can be prevented more reliably.

  The means for invalidating the personal information file before the change is, for example, changing the decryption key (key for decrypting the encrypted file) to be transmitted to the client terminal or prohibiting the transmission of the decryption key Or by sending a personal information file deletion command to the client terminal that is the destination of the personal information file based on the transmission history log to delete the personal information file.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of Personal Information Management System of this Embodiment [1-1] Overall Configuration of Personal Information Management System FIG. 1 is a block diagram showing the configuration of a personal information management system as an embodiment of the present invention. A personal information management system 1 shown in FIG. 1 includes a personal information management server 10, a client terminal 20, and a network 30.

  The personal information management server (management server) 10 is configured with a personal information capsule database 11 and an authentication information / decryption key storage unit 12 to be described later. Personal information that can identify a specific individual is associated with the specific individual. It is managed as a data set composed of a plurality of personal information elements. In the system 1 of the present embodiment, a data set composed of a plurality of personal information elements is standardized and managed as a personal information capsule. For example, one personal information capsule is generated and stored for one employee in a company or the like.

  The personal information elements included in the personal information capsule include, for example, name, gender, age, date of birth, blood type, home information (home address, telephone number, fax number, e-mail address, etc.), workplace information (work (Name, department, job title, work address / phone number / fax number / email address, etc.), family structure, basic resident register number, account number, credit card number, license number, passport number, hospital history, In addition to medical history, medication information, medical history, image information and audio information related to the person.

  The client terminal 20 is a personal computer or the like operated by each employee (user) in a company or the like, and is connected to the personal information management server 10 via a network 30 such as the Internet, an intranet, or an in-house LAN (Local Area Network). The personal information capsules managed by the personal information management server 10 can be accessed and the personal information elements in the personal information capsule can be used in response to user operations. The user uses the provision of the personal information management service provided by the personal information management server 10 through the client terminal 20 and the network 30. For example, the user creates / changes his / her own personal information capsule, A personal information capsule of each employee in the information management server 10 can be accessed to acquire a personal information element, and the personal information element can be edited to create a name list or address book.

[1-2] Configuration of Personal Information Management Server FIG. 2 is a block diagram showing the configuration of the personal information management server 10 in the present embodiment. As shown in FIG. As described above, the personal information capsule database 11 and the authentication information / decryption key storage means 12 are attached, and various means 101 to 119 described later are provided. The functions as these means 101 to 119 are realized by causing a CPU (Central Processing Unit) of a computer to function as a server to execute a predetermined application program (personal information management program).

The personal information capsule database (storage means) 11 stores personal information capsules generated by the generation means 101 described later, and filters set by the filter setting means 103 described later for the users of the individual information capsules. Also, a function of storing the personal information capsule in association with the user is also achieved.
The authentication information / decryption key storage unit 12 stores user authentication information (identification number and password) registered in advance to use the service provided by the personal information management server 10 of the present embodiment, and an encryption unit described later. It also fulfills the function of storing a decryption key for decrypting the encrypted file obtained by 107.

  The personal information capsule generation / change request receiving means 101 receives a personal information capsule generation request and a personal information capsule change request together with authentication information (identification number and password) from the client terminal 20 via the network 30, or manages personal information. A personal information capsule generation request and a personal information capsule change request are received together with authentication information (identification number and password) through an input device (keyboard, mouse, etc.) of the server 10. At that time, a plurality of types of personal information elements to be stored as the contents of the personal information capsule or the contents of changes to the already registered personal information capsule are also input and received by the personal information capsule generation / change request receiving means 101. Shall be. In other words, each employee (each individual) may input the personal information element and the changed content from the client terminal 20, or an administrator in a company or the like that manages the personal information of the employee directly with the personal information management server 10. You may enter. The user can input personal information elements and changes by operating an input device such as a keyboard or mouse, or by scanning character information (such as business cards or name lists) or image information printed or written on paper. You may carry out by reading by.

  Further, the personal information capsule generation / change request receiving means 101 of the present embodiment is based on the authentication information (identification number and password) input by the user, and the user is an authorized user of the personal information management service. It is assumed that an authentication determination function for performing authentication determination as to whether or not is also provided. Specifically, by determining whether or not the identification number and password input by the user match the identification number and password registered and stored in the authentication information / decryption key storage unit 12 in advance, Whether or not the user is a valid user is determined and authenticated.

The generation unit 102 is a data set having a predetermined format including a plurality of types of personal information elements input and received for each individual as described above when the authentication determination function of the reception unit 101 determines that the user is a valid user. Is generated as a personal information capsule.
The filter setting means 103 sets a filter that defines personal information elements that can be used by the user for each user who can access the personal information capsule stored in the personal information capsule database 11 from the client terminal 20. is there. Here, different filters may be set for each personal information capsule or for each individual, or the same filter may be set for users belonging to the same group. For example, it is a filter to perform user ranking such as a level for publishing all personal information including image information, a level for publishing personal information other than image information, and a level for publishing only name and contact information. Can be set. Also, for example, in a company or the like, when a user is a supervisor or manager of a specific employee, detailed contents (personal information elements) can be viewed and used while the user is a colleague or a subordinate. In some cases, a filter can be set so that only a part of personal information can be viewed and used.

  In the present embodiment, the filter set by the filter setting unit 103 is stored in the personal information capsule database 11. At this time, the filter is stored in association with each personal information capsule or each user, or in association with the rank or job title of the user. The contents of the filter set for each user may be instructed from the client terminal 20 by the user who has requested the generation of the personal information capsule, or the administrator may instruct the management server 10. In addition, it may be instructed by selecting a preset filter pattern, or it may be automatically set according to the rank / title, etc., by recognizing the rank, job title, etc. of the filter setting target user. .

  The access request receiving unit 104 receives an access request for the personal information capsule from the user through the client terminal 20 and the network 30 together with authentication information (identification number and password). Similarly to the receiving unit 101, the access request receiving unit 104 also determines whether the user is a valid user of the personal information management service based on the authentication information (identification number and password) input by the user. It is assumed that an authentication determination function for performing such authentication determination is also provided.

  When it is determined by the authentication determination function of the receiving unit 104 that the filtering unit 105 is a legitimate user, the filtering unit 105 displays the personal information capsule to be requested for access and the filter set for the user from the personal information capsule database 11. Using the read and read filter, the personal information element in the read personal information capsule is filtered, so that the personal information element usable by the user is stored as a personal information file from the personal information capsule. To extract.

The conversion unit 106 converts the personal information file extracted by the filtering unit 105 into a completed document file having a container function [here, a PDF (Portable Document Format) file that is difficult to falsify].
The encryption unit 107 attaches and stores the original file of the personal information file to the PDF file using the container function, and then encrypts the PDF file with an encryption key corresponding to the destination client terminal 20 To create an encrypted file. Note that conversion to a PDF file is performed by, for example, a PDF driver, and by starting the PDF driver, the management target file is converted to PDF and a PDF file file is generated. Also, the decryption key [the key for decrypting the encrypted file (plain culture)] corresponding to the encryption key used for encryption is stored in the authentication information / decryption key storage means 12 by the user or It is assumed that it is stored in association with an encrypted file (personal information file).

  The access authority setting means 108 sets a predetermined access authority for the encrypted file according to the user to whom the personal information file is transmitted. With this access authority setting means 108, for users who access the encrypted file, access authority to the encrypted file (for example, viewing, annotation, printing, copying, taking out the original file attached by the container function, It is assumed that the setting of the authority to execute the one selected from access such as editing of the retrieved file is automatically performed or according to the instruction of the user (administrator). As a result, in the client terminal 20, the user is allowed access according to the access authority set by the access authority setting unit 108 as access to the personal information file restored by the decryption unit 26 as described later. It has become.

The personal information file transmission unit 109 transmits the encrypted file obtained by the encryption unit 107 (the original file is a personal information file including a personal information element extracted from the personal information capsule by the filtering unit 105) via the network 30 to the client terminal. 20 is transmitted.
The log recording means 110 transmits a personal information file transmission history (transmission date and time, transmission destination information, information for specifying a transmitted file, etc.) executed in response to an access request to the personal information capsule from the client terminal 20. Is recorded as a log.

  The authentication information receiving unit 111 receives authentication information (identification number and password) about the encrypted file transmitted from the client terminal 20 when the encrypted file transmitted from the management server 10 is used in the client terminal 20. Is. At this time, the authentication information receiving unit 111 also receives a request for transmitting a decryption key for decrypting the encrypted file from the client terminal 20 together with the authentication information. Since the authentication information (identification number and password) for the encrypted file is set for each encrypted file, the authentication information necessary for user authentication by the authentication determination function of the receiving means 101 and 104 described above It is assumed that the authentication information for the encrypted file is also stored in the authentication information / decryption key storage unit 12.

  The determination unit 112 performs the same function as the authentication determination function of the reception unit 101 or 104 described above. Based on the authentication information received by the authentication information reception unit 111, the client terminal 20 determines whether the encrypted file is valid. It is determined whether or not it is a transmission destination (authentication determination whether or not the user accessing the encrypted file through the client terminal 20 is a valid user of the personal information management service).

When the determination unit 112 determines that the client terminal 20 is a valid transmission destination, the decryption key transmission unit 113 stores an authentication information / decryption key storage key as a decryption key for decrypting the encrypted file to be accessed. The information is read from the means 12 and transmitted to the client terminal 20 via the network 30.
When the authentication unit function of the receiving unit 101 determines that the change unit 114 is a valid user, the change unit 114 stores the change in the personal information capsule database 11 according to the content of the change to the personal information capsule input and received as described above The contents of the personal information capsule to be changed are changed.

  When the content of the personal information capsule is changed by the changing unit 114, the invalidating unit 115 invalidates the personal information file extracted from the changed personal information capsule and transmitted to the client terminal 20 before the change. Is. As an invalidation method by the invalidation unit 115, a method of changing a decryption key (stored in the authentication information / decryption key storage unit 12) for decrypting an encrypted file corresponding to the personal information file, Even if a request for access to the encrypted file corresponding to the personal information file (authentication information) is received and user authentication is performed, the decryption key transmission means 113 prohibits transmission of the decryption key, and is recorded by the log recording means 110. For example, a method of transmitting a deletion command of the file to the client terminal 20 to which the encrypted file corresponding to the personal information file is transmitted based on the log and causing the client terminal 20 to delete the personal information file is used.

  When the invalidating unit 115 invalidates the personal information file (encrypted file), the notifying unit 116 has been invalidated by notifying the client terminal 20 by e-mail or the like via the network 30. This prompts the user to re-execute an access request for the personal information capsule corresponding to the personal information file (encrypted file).

  The digital signature giving means 117 gives a digital signature to the personal information capsule generated by the generating means 102, the personal information capsule changed by the changing means 114, and the personal information file obtained by the filtering means 105. is there. Here, a digital signature is encrypted signature information attached to guarantee the validity of a digital document, and a digital document (here, a personal information capsule or a personal information file) is created by applying a public key cryptosystem. The document is certified and the document is guaranteed not to be tampered with. The signer (administrator on the management server 10 side) sends the digital document with a signature encrypted using its own private key. The recipient (the user on the client terminal 20 side) decrypts the signature using the signer's public key and confirms whether the content is correct. This can be used for proof that the signer has created the digital document as well as forgery prevention by a third party.

  The personal information searching means 118 searches for personal information or a personal information file from data in the client terminal 20, and the search may be performed by sucking the data of the client terminal 20 to the management server 10 side. A personal information search program for realizing a personal information search tool is installed in each client terminal 20 by the information search means 118, and the personal information search program is executed on each client terminal 20, thereby allowing personal information and personal information files to be stored. The self-exploration may be executed and the result of the self-exploration may be received from each client terminal 20.

  Here, as a search method for the personal information file, any one of the two search methods described later can be used. In the present embodiment, the condition of the personal information file is a file that holds a predetermined number or more of records including personal information elements, and the personal information element is a character string that can identify a specific individual alone or in combination. For example, name, date of birth, contact information (address, residence, telephone number, e-mail address), etc. In addition to these, personal information elements include title, basic resident register number, account number, credit card number, license number, passport number, and the like.

  The deleting unit 119 deletes the personal information and the personal information file from the client terminal 20 when the personal information or personal information file searched by the personal information searching unit 118 has not been given the digital signature by the digital signature adding unit 117. The deletion unit 119 may also transmit a deletion instruction from the management server 10 to the client terminal 20 via the network 30 on the management server 10 side, or to realize the function as the deletion unit 119. This program may be installed in each client terminal 20 together with the personal information search program, and the function as the deleting means 119 may be realized on the client terminal 20 side.

  Before deleting the personal information or personal information file by the deleting means 119, an inquiry is made as to whether or not the personal information or personal information file found by the search is registered as a personal information capsule to be managed by the management server 10. It may have a function. When registering, the generating unit 102 generates a personal information capsule based on the searched personal information or personal information file, and registers and stores it in the personal information capsule database 11. On the other hand, in the case of not registering, the searched personal information or personal information file may be deleted by the deleting unit 119, or when a fixed period is set and not registered within the predetermined period, the deleting unit 119 The searched personal information and personal information file may be automatically deleted. The searched personal information or personal information file can be forcibly deleted immediately by the deleting means 119 without using the inquiry function as described above.

  In addition, when a personal information or personal information file that has a digital signature but is not encrypted is searched, a function is provided for inquiring whether or not to convert the personal information or personal information file into an encrypted file. You may have it. When converting to an encrypted file, the searched personal information or personal information file may be converted into an encrypted file by the conversion means 106 or the encryption means 107 described above. On the other hand, when not converting to an encrypted file, the searched personal information or personal information file may be deleted by the deleting means 119, or when a fixed period is set and the converted file is not converted into the encrypted file within the fixed period The searched personal information or personal information file may be automatically deleted by the deleting means 119. Note that the searched personal information and personal information file can be immediately forcibly converted into an encrypted file by the converting means 106 and the encrypting means 107 without using the inquiry function as described above.

  The functions as the personal information capsule generation / change request receiving means 101, the access request receiving means 104, the personal information file transmitting means 109, the authentication information receiving means 111, the decryption key transmitting means 113, the notifying means 116, etc. 10 is realized by using a transmission / reception function that 10 originally has.

  Also, authentication information / decryption key storage unit 12, conversion unit 106, encryption unit 107, access authority setting unit 108, personal information file transmission unit 109, log recording unit 110, authentication information reception unit 111, determination unit 112, decryption key The function as the transmission means 113 is also provided in the personal information management server 10 in this embodiment, but is separate from the personal information management server 10 and communicates with the personal information management server 10 via the network 30 or directly. You may implement | achieve by the file access management server connected so as to be possible.

  Similarly, the functions as the personal information search unit 118 and the deletion unit 119 are also provided in the personal information management server 10 in this embodiment, but are separate from the personal information management server 10 and directly or via the network 30. It may be realized by another server that is communicably connected to the personal information management server 10, and at that time, the management of personal information files by the P mark described later is further executed by the other server. Also good.

[1-3] Configuration of Client Terminal FIG. 3 is a block diagram showing the configuration of the client terminal 20 in the present embodiment. As shown in FIG. 3, the client terminal 20 of the present embodiment includes various means 21 described later. To 27. The functions as these means 21 to 27 are realized by causing a CPU of a computer to function as a client terminal to execute a predetermined application program.

The access request transmission means 21 uses the contents of the personal information capsule (personal information element) managed by the management server 10 in the client terminal 20 to create a personal list or address book, for example. The access request to the management server 10 is transmitted to the management server 10 via the network 30 together with the authentication information (identification number and password).
The personal information file receiving unit 22 receives a personal information file corresponding to the access request transmitted from the management server 10 by the access request transmitting unit 21 via the network 30.

The personal information file storage unit 23 stores the personal information file received from the management server 10 by the personal information file receiving unit 22.
The authentication information transmitting unit 24 manages authentication information (identification number and password) about the encrypted file via the network 30 when opening the encrypted file that is the personal information file stored in the personal information file storing unit 23. This is transmitted to the server 10.

The decryption key receiving unit 25 receives a decryption key corresponding to the encrypted file from the management server 10 via the network 30.
The decryption means 26 decrypts the encrypted file using the decryption key received by the decryption key receiving means 25 and restores the original personal information file.

  The editing unit 27 edits the original file extracted from the PDF file that is the personal information file restored by the decrypting unit 26, and the user using the client terminal 20 sets the access authority of the management server 10. If the extraction authority to extract the original file from the PDF file and the editing authority to the extracted original file are set as the predetermined access authority by the means 108, the editing means 27 is allowed to edit the original file. . In the client terminal 20, the original file edited by the editing unit 27 is prohibited from being stored other than the PDF file from which the original file was extracted. That is, the edited original file can be stored only in the PDF file from which the original file is extracted.

[1-4] Personal Information File Searching Methods Here, two searching methods used when searching for a personal information file by the personal information searching unit 118 of this embodiment will be described.
(A) First exploration method In the first exploration method, the frequency of appearance of addresses, telephone numbers, e-mail addresses, and names is quantified and the personal information file is specified as follows.

  First, a character or character string included in a certain file in the client terminal 20 is collated with a character / character string preset as a character / character string that characteristically appears in personal information, Count the number of times the characteristic character string appears in the file. However, if collation / recognition using character strings is performed, the load on the CPU becomes extremely large. Therefore, collation / recognition for each character is performed. Therefore, as the condition, characteristic characters are set one by one. In addition, when the arithmetic processing capability of the CPU is sufficiently high, collation / recognition by a character string may be performed.

  Then, the characters extracted from the file (text file) are collated one by one with the characteristic character set as the condition, and if they match, it is determined that the characteristic character has appeared. The count value of the characteristic character is incremented by “1”. Thus, after counting the number of appearances of characteristic characters in all the characters included in the file, the personal information file is identified based on the count result (determination of whether the file is a personal information file). ).

  Here, the characteristic character set in advance as the condition will be specifically described. In general personal information, an address is usually required. Therefore, a character that appears characteristically in an address in Japan is set and registered in the above condition as a characteristic character. For example, the address information may include “city”, “road”, “fu”, “prefecture”, “city”, “ward”, “town”, “village”, “county”, etc. In the case of “Tokyo”, the characters “East” and “Kyo” appear in ordinary documents, but in the case of address information, they will appear in combination with “City”. It becomes possible to regard the number of appearances as the number of addresses. Similarly, “prefecture”, “prefecture”, and “road” are considered as address information, and “@” can be used as e-mail address information.

Specifically, the following characteristic characters and points are set as the conditions.
(1) “East”, “Kyo”, “Metro”, “Large”, “Osaka”, “Fu”, “North”, “Sea”, “Road” are set as address information (characters). The total of the count values of these characteristic characters is counted / calculated as the address point 1.
(2) As presumed address information (characteristics), prefecture names other than address point 1, that is, “mountain”, “form”, “god”, “na”, “river”, “saki”, “tama”, ..., "Fuku", "Oka", "Prefecture", etc. are set, and the total of the count values of these characteristic characters is counted and calculated as address point 2.

(3) “City”, “District”, “Town”, “Village” and “County” are set as address disregard information (characteristic characters), and the total of the count values of these characteristic characters is calculated as address point 3 Is done.
(4) “@” is set as the mail address deemed information (characteristic character), and the count value of “@” is used as the mail address point.

  (5) “N” (numeric string with a predetermined number of digits consisting of numerals and hyphens) is set as the telephone number deemed information (characteristic character string), and the counted value is used as the telephone number point. More specifically, the phone number is a specific number string corresponding to the mobile phone area code or area code, such as “090-XXXX-XXXX”, “03-XXXX-XXXX”, “048-XXX-XXXX”. It consists of “090”, “03”, “048” followed by an 8-digit or 7-digit numeric string. When such a numeric string appears, the telephone number point is incremented by “1”. . At this time, the count-up is performed regardless of the presence or absence of a hyphen in the numeric string.

(6) As name disregard information (characters), for example, the characters “sa”, “wisteria”, “da”, “middle”, “high”, “bridge”, etc. included in the best 50 of last names in Japan. , “Mountain”, and “field” are set, and the sum of the count values of these characteristic characters is calculated as a name point.
(7) As the total points, the total value of the points (1) to (6) described above is counted and calculated.

  In addition, when calculating the appearance rate of each prefecture name based on the counting result (number of appearances) obtained as described above, handling when there are duplicate characters will be described. For example, if “Tokyo” and “Kyoto Prefecture” are mixed in a text file, “Metropolitan” is duplicated. Therefore, the “Metropolitan” count is the same as the “Tokyo” count. It will be mixed. Since “Fu” in “Kyoto” overlaps with “Fu” in “Osaka”, first calculate the appearance rate of “Osaka” and subtract that appearance rate from the appearance rate of “Fu”. It is possible to predict the appearance rate of “fu”. By subtracting the appearance rate of “Kyoto Prefecture” predicted in this way from the appearance rate of “Metropolitan”, the appearance rate of “Tokyo” can be obtained. If the prefecture name and city name overlap (for example, Osaka City, Osaka Prefecture), the appearance rate of “Osaka” will double, but based on the Japanese address book published by the Ministry of Posts and Telecommunications. It is possible to estimate the actual appearance rate by calculating the duplication rate for each prefecture name and adjusting the appearance rate based on the calculated duplication rate.

  Furthermore, the handling when there is no state display will be described. In the file, when the title header is used for the prefecture name, or when the address display using the government-designated city or the postal code is used, the appearance rate of “city”, “road”, “prefecture”, “prefecture” is extremely high. Will be reduced. Instead, since the name appearance rate such as the prefecture name becomes high, it is possible to specify that the file is a personal information file including address information from the name appearance rate.

  In the above conditions, characters / character strings that appear characteristically in addresses, e-mail addresses, telephone numbers, and names are set as characteristic characters / character strings, but the present invention is not limited to these. Character / character string that appears characteristically in the date of birth, title, personal identification information (for example, Basic Resident Register Number, Account Number, Credit Card Number, License Number, Passport Number, etc.) It may be set as a character string.

  Based on the counting result obtained as described above, a determination value for determining whether or not the file is a personal information file is calculated. As the determination value, the value of (a) quarantine total points (see item (7) above) may be used as it is, or (b) a determination point that increases as the appearance rate of characteristic characters / characteristic strings increases. It may be calculated as the determination value, or (c) the appearance pattern of the feature character / feature character string in the target file is obtained based on the counting result obtained for each feature character / feature character string, and the obtained appearance pattern And a degree of coincidence indicating a degree of coincidence with a feature appearance pattern set in advance as an appearance pattern of a feature character / feature character string may be calculated as the judgment value, or (d) of these three kinds of judgment values 2 or more may be combined, and a value calculated by substituting two or more determination values into a predetermined function may be used as the determination value.

  At this time, if there are characteristic characters / characteristic strings related to multiple types of information (for example, four types of address, e-mail address, telephone number, and name) in the file, the target file relates to one type of information. The count result is weighted so that the determination value is larger than when a characteristic character / characteristic character string exists. In other words, when a data file includes a plurality of types of information that can identify an individual, the possibility that the data file is a personal information file includes only one type of information that can identify an individual. Therefore, weighting is performed so that the determination value (importance) for the data file becomes large. Further, weighting may be performed so that the determination value increases as the number of types of information increases. This makes it possible to specify the personal information file more reliably.

When the determination value as described above is calculated, it is determined whether or not the file is a personal information file based on the determination value. For example, if the determination value exceeds a predetermined threshold, it is determined that the target file is a personal information file.
When making such a determination, in this embodiment, a P mark (private level mark) corresponding to the size of the determination value is further assigned to the file and set and registered in the P mark table (not shown). , Ranking may be performed. As described above, the P mark is a level indicating the high possibility that the target file is a personal information file, and the higher the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the file is a personal information file, that is, the file is determined to be a management target file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark.

As described above, according to the level (rank) of the P mark given to the file, the management server 10 may manage the file as a management target file as follows.
For example, when the rank of the P mark is “P1”, the recommendation based on the warning information is not performed, but the fact that the management target file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is sent to alert the user of the management target file. When the rank of the P mark is “P3”, an instruction to return the management target file is given. When the rank of the P mark is “P4”, the management target file is forcibly captured and collected from the user terminal 10A. Even if the rank of the P mark is not “P4”, if the data file of “P3” is left for a predetermined number of days, the data file may be forcibly captured and collected from the client terminal 20.

(B) Second exploration method In the second exploration method, the personal information file is specified as follows.
First, text data (for example, CSV (Comma Separated Value) format data) of a file in the client terminal 20 is extracted, and character sections delimited by delimiters are extracted from the extracted text data to be determined / verified. Are sequentially written in a buffer (not shown). Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed). Symbols other than alphanumeric characters, katakana, hiragana, and kanji characters, such as hyphens, underbars, and parenthesis symbols, are removed from the extracted character section.

  A character string (hereinafter simply referred to as a character string) in a character section from which symbol characters have been removed as described above is a personal information element other than a name (specifically, in this embodiment, a telephone number, an e-mail address, and an address). It is determined whether it corresponds to any one of them. Here, the character string determination process is performed in the order of the lighter determination process load, that is, in the order of the telephone number, the e-mail address, and the address.

  First, it is determined whether or not the character string corresponds to a telephone number. Specifically, if the character string satisfies the telephone number determination condition set as the condition, it is determined that the character string corresponds to the telephone number. In the present embodiment, it is assumed that the telephone number determination condition includes a 9-15 digit number in the character string.

  Next, when it is determined that the character string does not correspond to a telephone number, it is determined whether or not the character string corresponds to an e-mail address. Specifically, when the character string satisfies the e-mail address determination condition set as the condition, it is determined that the character string corresponds to the e-mail address. In the present embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that a character string “dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  Further, when it is determined that the character string does not correspond to an e-mail address, it is determined whether or not the character string corresponds to an address (residence), and the character string is set as the condition. When the address determination condition is satisfied, it is determined that the character string corresponds to the address. In the present embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the CPU has sufficiently high processing capability, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. Further, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code instead of the above-described condition, or “3-digit numeric string” + “− ( Hyphens) ”+“ a 4-digit number string ”may be included.

  When it is determined that the character string does not correspond to any of a telephone number, an e-mail address, and an address, whether or not the character string satisfies the character determination condition set as the condition, Specifically, it is determined whether or not the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji. In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  Thereafter, a character section determined not to correspond to any of a telephone number, an e-mail address, and an address, and further, a character section within the predetermined range and all characters determined to be kanji By comparing the character / character string included in the character section with an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the name, the character section is determined to be an inappropriate character. / Judge whether or not to include an inappropriate character string.

  Here, inappropriate characters / inappropriate character strings are set in advance as the above-mentioned conditions. For example, Tokyo, Osaka, Nagoya, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture, University, academy, TSE, research, management, general affairs, accounting, sales, supervision, pharmaceutical, sales, school, education, specialization, architecture, machine, corporation, factory, manufacture, technology, commerce, books, unknown, deputy director, disclosure, Publication, Advertising, Broadcasting, Target, Wholesale, Retail, Planning, Human Resources, Information, Department, President, Regulatory, General Manager, Section Manager, General Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Petroleum, Transportation, Management, Strategy, material, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, bank, research, English, quality, warranty, equipment, charge, President, Director, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, First, Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, Ninth, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church, Union, cult, commerce, nationwide, branch, contact, assembly, life, consumption, promotion, city hall, ward office, general, modification, function, overview, composition, company, organization, association, deletion, document, deadline, validity, etc. A character / character string that cannot appear in a typical name, that is, a character / character string that is inappropriate as a name.

  Then, based on the above-described telephone number determination result, e-mail address determination result, address determination result, and inappropriate character / inappropriate character string collation determination result, it is determined whether or not the target file is a personal information file. . More specifically, the number of character sections considered to correspond to each of a telephone number, an e-mail address, and an address is counted, and an inappropriate character / unsuitable character string matching determination result is received. / The character section determined not to contain an inappropriate character string is regarded as corresponding to the name, and the number is counted.

  Based on the counting results (four counting values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, e-mail address, address, and name, the larger the counting value, the larger the count value. A judgment value is calculated. For example, the sum of four count values may be calculated as the determination value, or a weighting factor is set in advance for each of the telephone number, e-mail address, address, and name, and the weighting factor for each personal information element The sum of multiplication results of the count value and the count value may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, it is determined whether the target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the target file is a personal information file. At this time, as described in the first exploration means, a P mark may be assigned, and management according to the P mark may be performed by the management server 10.

In the second exploration method described above, the case where the personal information elements other than the name are the three elements of the telephone number, the e-mail address, and the address has been described. However, the present invention is not limited to this. As the personal information element other than the name, for example, the date of birth, the basic resident register number, the account number, the credit card number, the license number, the passport number, etc. may be used.
Using the first search method or the second search method as described above, the personal information file is searched by the personal information search unit 118, and according to the search result, as described above, deletion by the deletion unit 119 or Various inquiries will be executed.

[2] Operation of Personal Information Management System of the Present Embodiment Next, the operation of the personal information management system 1 of the present embodiment configured as described above will be described with reference to FIGS. 4 and 5 are flowcharts for explaining the operation of the personal information management server 10 in the present embodiment, and FIG. 6 is a flowchart for explaining the operation of the client terminal 20 in the present embodiment.

[2-1] Operation of Personal Information Management Server First, the operation of the personal information management server 10 of this embodiment will be described according to the flowchart shown in FIG. 4 (steps S10 to S14, S20 to S26, S30 to S43, S50). .

  When the personal information capsule generation / change request receiving means 101 receives a personal information capsule generation request together with a plurality of types of personal information elements to be stored as authentication information (identification number and password) and the contents of the personal information capsule ( The YES route in step S10), and the user who made the personal information capsule generation request based on the authentication information (identification number and password) by the authentication determination function of the receiving means 101 is a valid user of the personal information management service. Whether or not there is an authentication determination is executed (step S11). That is, the receiving unit 101 searches the authentication information / decryption key storage unit 12 by the identification number, reads the registration password corresponding to the identification number from the authentication information / decryption key storage unit 12, and the password included in the authentication information; The registered password read from the authentication information / decryption key storage unit 12 is compared, and it is determined whether or not these passwords match.

  If these passwords match and it is authenticated that the user who made the personal information capsule generation request is a valid user (YES route in step S11), the plurality of weekly individuals received by the receiving means 101 Based on the information element, the generation unit 102 generates a personal information capsule (data set of a predetermined format) (step S12). At this time, a digital signature is attached to the generated personal information capsule by the digital signature attaching means 117.

  When the personal information capsule is generated by the generation unit 102, the filter setting unit 103 sets, for each user who can access the personal information capsule, a filter that defines the personal information element that can be used by the user. (Step S13). The personal information capsules and filters generated and set as described above are stored in the personal information capsule database 11 in association with, for example, personal information capsules and users (step S14), and the process returns to step S10.

  When the personal information capsule generation / change request receiving means 101 receives the personal information capsule change request together with the authentication information (identification number and password) and the contents of the change to the already registered personal information capsule (NO in step S10). From the route (YES route in step S20), the authentication determination function of the receiving means 101 performs the same authentication determination as in step S11 (step S21).

  When the passwords match and it is authenticated that the user who made the personal information capsule change request is a valid user (YES route in step S21), the changing means 114 changes the personal information capsule to be changed into the personal information. The contents of the personal information capsule to be changed are changed (step S23) in accordance with the changed contents (address, telephone number, etc.) taken out from the capsule database 11 (step S22) and received by the receiving means 101. The personal information capsule whose contents have been changed is newly given a digital signature by the digital signature giving means 117 and then stored in the personal information capsule database 11 (step S24).

  When the contents of the personal information capsule are changed as described above, the invalidation means 115 invalidates the personal information file extracted from the changed personal information capsule and transmitted to the client terminal 20 before the change. (Step S25). As described above, the invalidation is performed by changing the decryption key (stored in the authentication information / decryption key storage unit 12) for decrypting the encrypted file corresponding to the personal information file, or by changing the personal information. Even when an access request (authentication information) to the encrypted file corresponding to the file is received and user authentication is performed, the decryption key transmission unit 113 prohibits transmission of the decryption key, or based on the log recorded by the log recording unit 110 This is done by sending an instruction to delete the file to the client terminal 20 that is the destination of the encrypted file corresponding to the personal information file, and causing the client terminal 20 to delete the personal information file. The content of the encrypted file cannot be referred to on the terminal 20 side.

  Then, the notification means 116 notifies the client terminal 20 by e-mail or the like via the network 30 that the personal information file (encrypted file) has been invalidated (step S26). After prompting the user to re-execute the access request for the personal information capsule corresponding to (encrypted file), the process returns to step S10.

  When the access request receiving unit 104 receives an access request for the personal information capsule together with the authentication information (identification number and password) (NO route in step S10, NO route in step S20 to YES route in step S30), the access request is received. The authentication determination function of the means 104 performs authentication determination similar to step S11 (step S31).

  If the passwords match and it is authenticated that the user who made the access request is a valid user (YES route in step S31), the filtering means 105 causes the personal information capsule to be accessed and the user to be requested. The set filter is extracted from the personal information capsule database 11 (step S32), and the filtering process of the personal information element in the personal information capsule to be accessed is executed using the filter, and the user can use it. A personal information element is extracted from the personal information capsule as a personal information file (step S33). A digital signature is attached to the personal information file extracted from the personal information capsule by the digital signature attaching means 117.

  The personal information file with the digital signature is converted into a PDF file having a container function by the converting means 106 (step S34), and the original file of the personal information file is attached to the PDF file using the container function. Thereafter (step S35), the PDF file is encrypted with an encryption key corresponding to the destination client terminal 20, and an encrypted file is created (step S36). At this time, for the user who accesses the encrypted file, for example, access authority (for example, viewing authority and original file extraction authority / edit authority) for the encrypted file is set by the access authority setting means 108 ( Step S37).

  The encrypted file created as described above is transmitted to the client terminal 20 via the network 30 by the personal information file transmission means 109 (step S38). At that time, the log recording unit 110 records the transmission history of the encrypted file (transmission date and time, destination information, information for specifying the transmitted file, etc.) as a log (step S39), and then step The process returns to S10.

  When the authentication information receiving unit 111 receives the decryption key transmission request together with the authentication information (identification number and password) about the encrypted file (from the NO route in step S10, the NO route in step S20, and the NO route in step S30 to step S40). YES route), based on the authentication information (identification number and password) about the encrypted file by the judging means 112, the user who made the transmission request for the decryption key (the user who accesses the encrypted file) is authorized. An authentication determination as to whether or not the user is a valid registrant (authorized transmission destination) is executed (step S41).

  Also in this case, as in step S11, the determination unit 112 searches the authentication information / decryption key storage unit 12 by the identification number, reads the registration password corresponding to the identification number from the authentication information / decryption key storage unit 12, and authenticates. The password included in the information is compared with the registered password read from the authentication information / decryption key storage unit 12, and it is determined whether or not these passwords match.

  When these passwords match and it is authenticated that the user is a valid transmission destination (YES route in step S41), the decryption key transmission unit 113 decrypts the encrypted file to be accessed. The decryption key is extracted from the authentication information / decryption key storage means 12 (step S42) and transmitted to the client terminal 20 via the network 30 (step S43). Thereafter, the process returns to step S10.

  Note that if it is determined that the passwords do not match by the authentication determination function of the reception units 101 and 104 or the determination unit 112, or the registration password corresponding to the identification number is not registered in the authentication information / decryption key storage unit 12. If it is determined that the user is not a legitimate user or a legitimate destination (NO route of steps S11, S21, S31, S41), an error notification is sent from the management server 10 to the client terminal 20 via the network 30. (Step S50), the process returns to Step S10. When a personal information capsule generation request is input from the management server 10, the error notification is sent to the user or administrator who made the personal information capsule generation request at the management server 10. If NO is determined in step S40, the process returns to step S10.

[2-2] Personal Information Search Operation of Personal Information Management System The personal information search operation in the personal information management system 1 of the present embodiment will be described according to the flowchart (steps S51 to S58) shown in FIG.
In the personal information management system 1, the personal information search operation by the personal information search means 118 is executed at a preset cycle or at a predetermined start timing (when the system is started).

  When the personal information search unit 118 is activated (YES route in step S51), in this embodiment, as described above, the personal information search unit 118 uses the personal information for realizing the personal information search tool on each client terminal 20 as described above. A search program is installed, and the personal information search program is executed by each client terminal 20 to execute self-search of personal information and a personal information file (step S52), and the result of the self-search is received from each client terminal 20. (Step S53).

  When the management server 10 confirms the existence of the client terminal 20 that holds the personal information / personal information file based on the result of self-exploration (YES route in step S54), the stored personal information / personal information It is determined whether or not a digital signature is given to the file by the management server 10 (step S55). If there is no client terminal 20 that holds the personal information / personal information file (NO route of step S54) or if a digital signature is given (YES route of step S55), the process returns to step S51.

  If the digital signature has not been given (NO route of step S55), whether or not the personal information / personal information file is registered in the management server 10 as a personal information capsule is stored in the personal information / personal information file. An inquiry is made to the user of the client terminal 20 (step S56). When the user desires to register (YES route of step S56), the management server 10 generates a personal information capsule based on the searched personal information / personal information file by the generation means 102 and stores it in the personal information capsule database 11. Register and save (step S57). Thereafter, the process returns to step S51.

  If the user does not want to register (NO route of step S56), the deletion means 119 deletes the personal information / personal information file that has not been digitally signed from the client terminal 20 (step S58). The process returns to S51. At this time, as described above, when a fixed period is set and the user does not register the personal information / personal information file within the predetermined period, the deleted personal information or personal information file is deleted by the deletion unit 119. You may make it delete automatically.

  Here, the personal information / personal information file that can determine the presence or absence of the digital signature is naturally not encrypted by the encryption means 107, and is given a digital signature by the digital signature assignment means 117 for some reason. However, it is considered that the data leaked to the client terminal 20 without being encrypted. Therefore, when a personal information / personal information file that has a digital signature but is not encrypted is searched (YES in step S55), as described above, the personal information / personal information file is encrypted. Inquires whether or not to convert to a file, and when the user desires to convert to an encrypted file, the above-described conversion means 106 and encryption means 107 convert the searched personal information or personal information file into an encrypted file. On the other hand, if it is not desired to convert to an encrypted file, the personal information / personal information file may be deleted by the deleting means 119.

[2-3] Operation of Client Terminal The operation of the client terminal 20 of the present embodiment will be described with reference to the flowchart (steps S60 to S63, S70 to S81) shown in FIG.
In the client terminal 20, when the user issues an access request to create, for example, a directory or address book using the contents (personal information elements) of the personal information capsule managed by the management server 10 (YES in step S60). Route), the access request transmitting means 21 transmits an access request for the personal information capsule together with the authentication information (identification number and password) to the management server 10 via the network 30 (step S61).

  In response to this access request, the personal information file receiving unit 22 has received a personal information file (encrypted file) corresponding to the access request transmitted from the management server 10 via the network 30 from the management server 10. In the case (file route in step S62), the received personal information file is stored in the personal information file storage means 23 (step S63), and the process returns to step S60. On the other hand, if an error notification is received instead of the personal information file in response to the access request (error route in step S62), an error is displayed on the display of the client terminal 20 (step S80), and the process in step S60 Return to.

  When the user performs file access (decryption key transmission request) to open an encrypted file that is a personal information file stored in the personal information file storage means 23 (YES in step S60 to NO in step S70). Route), the authentication information transmission means 24 transmits a decryption key transmission request to the management server 10 via the network 30 together with the authentication information (identification number and password) for the encrypted file (step S71).

  In response to the decryption key transmission request, when the decryption key receiving means 25 receives a decryption key corresponding to the encrypted file to be accessed from the management server 10 via the network 30 (YES route in step S72), decryption is performed. The encrypting unit 26 decrypts the encrypted file using the decryption key received by the decryption key receiving unit 25 to restore the original personal information file (PDF file) (step S73) and displays it on the display of the client terminal 20 (Step S74). On the other hand, if an error notification is received instead of the decryption key in response to the decryption key transmission request (error route in step S72), an error is displayed on the display of the client terminal 20 (step S80), and then in step S60. Return to processing.

  After the personal information file is displayed, if the user wants to edit the original file attached to the restored PDF file (YES route in step S75), the user has the authority to extract and edit the original file. (Step S76), if not set (NO route of step S76), after displaying an error to that effect (step S81), the process returns to the process of step S60 while being set If it is present (YES route in step S76), the editing unit 27 executes an editing process for the original file (step S77). If the user does not want to edit the original file (NO route in step S75), the process returns to step S60.

  When the editing process is ended (YES route in step S78), the original file edited by the editing means 27 is prohibited from being saved other than the PDF file from which the original file was extracted. The extracted PDF file is saved (step S79). Thereafter, the process returns to step S60.

[3] Effect of the personal information management system of the present embodiment As described above, according to the personal information management system 1 as an embodiment of the present invention, the personal information management server 10 can identify a specific individual. However, for each user who can be managed centrally as a personal information capsule which is a standardized data set and can access the personal information capsule from the client terminal 20, there is a filter that defines the personal information elements that can be used by the user. When the user sets an access request for the personal information capsule set by the filter setting means 103, the filtering means 105 uses the filter set for the user to filter the personal information elements in the personal information capsule. The personal information elements available for the user are extracted from the personal information capsule. The extracted personal information element is transmitted to the client terminal 20 as a personal information file.

  This allows users who use personal information about a specific individual to be provided with only the personal information elements of the content according to the user, so content that seems unnecessary for the user is inadvertent The personal information can be prevented from being transmitted unintentionally, and inadvertent leakage / leakage of personal information and unauthorized use of personal information can be reliably prevented, and personal information can be protected.

  At this time, for example, users are ranked such as a level at which all personal information including image information etc. is disclosed, a level at which personal information other than image information is disclosed, and a level at which only name and contact information are disclosed. By setting the filter, personal information corresponding to the rank can be provided. Also, for example, when a user browses / uses personal information of a specific individual while managing personal information including various personal information elements that can identify the specific individual in a company, for example, as described above. If the user is a supervisor or administrator of a specific individual, detailed contents (personal information elements) can be viewed and used while the user is a colleague or subordinate. In some cases, only a part of the personal information can be browsed and used, and only the personal information element with the content corresponding to the user can be provided to the user.

  In addition, the personal information management server 10 invalidates the personal information file (encrypted file) extracted from the modified personal information capsule before the change and transmitted to the client terminal 20 by the invalidating means 115. By configuring, if the content of the personal information capsule is changed, the personal information file before the change will be invalidated and no one will be able to use it. Unauthorized use can be reliably prevented and personal information can be reliably protected.

  At that time, the user can recognize that the personal information file cannot be used because the personal information file has been invalidated, and request access again to obtain the latest personal information file after the change. It becomes possible.

  Further, when the personal information file is invalidated, the notification means 116 automatically notifies the client terminal 20 from the management server 10 to prompt the user to re-execute the access request for the personal information capsule. The user who has received the notification makes an access request again at his / her discretion, so that the latest personal information file after the change can be obtained, and the convenience of the user can be improved. Thereby, for example, the user can immediately and reliably recognize a change in the contents of the personal information file received from the management server 10, specifically, a personnel change or job change of the other party, and does not know the personnel change or job change. The occurrence of inconvenience and disrespect due to accidents can be reliably suppressed.

  In addition, the digital signature is added to the personal information capsule newly generated in the management server 10 or the personal information capsule or personal information file that has been changed by the digital signature giving means 117, so that the personal information capsule or personal information It can be ensured that the file has not been tampered with, and counterfeiting by a third party can be prevented.

  At that time, the personal information / personal information file is searched from the data in the client terminal 20 by the personal information searching means 118, and if the digital information is not given to the searched personal information / personal information file, the deleting means By configuring the personal information to be deleted from the client terminal 20 by 119, personal information that has not been given a digital signature in the management server 10 is not under the management of the management server 10 and is not locally managed by the client terminal 20 or the like. It is determined that the personal information is not legitimate and is automatically deleted from the client terminal 20. Thereby, in the system 1 of the present embodiment, only personal information that is centrally managed by the management server 10 exists and is used, and it is possible to reliably manage and protect personal information. it can.

  Further, when the personal information file is transmitted from the management server 10 to the client terminal 20, the personal information file is encrypted by the encryption means 107 using the encryption key corresponding to the client terminal 10 of the transmission destination as an encrypted file. By configuring so that only an authorized user (a user of the client terminal 20 that is an authorized transmission destination) transmitted and authenticated by the management server 10 (determination means 119) can access the decrypted encrypted file. The personal information file transmitted from the management server 10 to the client terminal 20 can be reliably prevented from being inadvertently leaked, leaked, or illegally used, and personal information can be reliably protected.

  Then, the management server 10 converts the personal information file into a PDF file having a container function, encrypts the PDF file with the original file of the personal information file attached using the container function, and then converts it into a personal information file. By transmitting to the client terminal 20, the personal information file is transmitted as a PDF file that is difficult to falsify, and the personal information file is prevented from being falsified and used illegally, while using the original file attached by the container function. It is also possible to perform operations such as editing.

  At this time, however, editing and other operations can be performed only by the user granted by the access authority setting means 108 with the original file retrieval authority and editing authority as the access authority, and the client terminal 20 performs the post-editing operation. By prohibiting the original file from being stored other than the PDF file from which the original file was extracted, it is possible to reliably prevent the original file from being inadvertently leaked or leaked or illegal use of personal information.

  In addition, the management server 10 records the history of the transmission of the personal information file executed in response to the access request for the personal information capsule from the client terminal 20 as a log by the log recording unit 110, thereby accessing the personal information capsule. Since access to the personal information file can be tracked and managed as necessary, unauthorized use of personal information can be prevented more reliably.

  Note that the means 115 for invalidating the personal information file before the change, for example, changes the decryption key (key for decrypting the encrypted file) to be transmitted to the client terminal 20 or transmits the decryption key. Can be realized very easily by prohibiting the personal information file or by sending a personal information file deletion command to the client terminal 20 that is the destination of the personal information file based on the transmission history log. .

  On the other hand, in the first search method described above, for each file in each client terminal 20, whether the file is a personal information file (or a confidential information file) based on a determination value based on the number of appearances of characteristic characters and characteristic character strings. It can be determined whether or not personal information files can be automatically identified and searched, so that it is distributed within a company, for example, without obtaining human cooperation and placing a special burden on the person in charge. Thus, the personal information file (data file that is likely to be a personal information file) that has existed can be reliably searched and identified, and can be managed by the management server 10 or the like. Accordingly, it is possible to reliably respond to requests for disclosure and correction of personal information, and to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  In the second exploration method described above, a character section that does not correspond to any of a telephone number, an e-mail address, and an address and includes an inappropriate character / inappropriate character string is not considered to be related to personal information. On the other hand, a character section that does not correspond to any of a telephone number, an e-mail address, and an address and does not include an inappropriate character / unsuitable character string is considered to be related to a name. Therefore, for the character section determined to correspond to any one of the telephone number, e-mail address, and address, the determination process is terminated when the determination is made, and any of the telephone number, e-mail address, or address is terminated. Is also checked for inappropriate characters / unsuitable character strings only for character sections determined to be not applicable, and it is determined that even one inappropriate character / unsuitable character string is included in the character section. At that point, the collation process can be terminated, so that the name collation process can be performed at a higher speed than the conventional method that collates with all name strings contained in the name list. Processing can be performed at high speed.

At this time, it is possible to execute the determination process more quickly and efficiently by performing the determination process of the character string in the character section in the order of the light load of the determination process, that is, in the order of telephone number, e-mail address, and address. It becomes possible.
In addition, since all character sections that do not contain inappropriate characters / unsuitable character strings are considered to correspond to names, it is possible to include electronic files that do not contain inappropriate characters / unsuitable character strings for names, that is, name information. It is possible to reliably search for an electronic file that is highly likely to be a personal information file. That is, the number of electronic files that are determined to be personal information files according to the present embodiment is larger than that of the conventional method, and an electronic file that is likely to be a personal information file (suspicious electronic file) is reliably identified. be able to.

  Further, since it is determined whether or not the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji characters, only the character section that satisfies this character determination condition is the target of verification. Are narrowed down to character sections that are more likely to be names, so that the matching accuracy of names can be improved and the name matching process can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process.

  In this way, the personal information file can be automatically identified and searched by the second exploration method, so that, for example, a company can be obtained without obtaining human cooperation and applying a special load to the person in charge. Disclosure of personal information files (electronic files that are likely to be personal information files) that are distributed within the company, etc., can be surely searched and placed in a state that can be managed by the management server 10 etc. Requests and correction requests can be handled with certainty, and personal information can be prevented from being inadvertently leaked or leaked or unauthorized use of personal information.

  The personal information file is managed by the management server 10 or the like according to the P mark (rank / level) given to each personal information file, and attention information / warning information is sent to the user (owner) of the personal information file. Notification, personal information files can be forcibly captured and collected from the client terminal 20, and personal information files can be stored in a folder accessible only to the administrator.・ Leakage and unauthorized use of personal information can be prevented more reliably.

[4] Others The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.
Further, the functions (all or a part of the functions of the respective means) as the means 101 to 119 and 21 to 27 described above are performed by a computer (including a CPU, an information processing apparatus and various terminals) by a predetermined application program (personal information management This is realized by executing a program.

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the control program for the distributed storage system from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the personal information management program includes a program code for causing the computer as described above to realize the functions as the means 101 to 119 and 21 to 27. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

It is a block diagram which shows the structure of the personal information management system as one Embodiment of this invention. It is a block diagram which shows the structure of the personal information management server (management server) in this embodiment. It is a block diagram which shows the structure of the client terminal in this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server in this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server in this embodiment. It is a flowchart for demonstrating operation | movement of the client terminal in this embodiment.

Explanation of symbols

1 Personal Information Management System 10 Personal Information Management Server (Management Server)
11 Personal Information Capsule Database (Storage)
12 Authentication Information / Decryption Key Storage Means 101 Personal Information Capsule Generation / Change Request Receiving Means 102 Generating Means 103 Filter Setting Means 104 Access Request Receiving Means 105 Filtering Means 106 Conversion Means 107 Encryption Means 108 Access Authority Setting Means 109 Personal Information File Transmission Means 110 Log recording means 111 Authentication information receiving means 112 Judging means 113 Decryption key sending means 114 Changing means 115 Invalidating means 116 Notifying means 117 Digital signature giving means 118 Personal information searching means 119 Deleting means 20 Client terminal 21 Access request sending means 22 Personal information file receiving means 23 Personal information file storing means 24 Authentication information transmitting means 25 Decryption key receiving means 26 Decrypting means 27 Editing means 30 Network (in-house LAN)

Claims (32)

A management server that manages personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) including a plurality of personal information elements related to the specific individual;
A client terminal that is communicably connected to the management server and that can access the personal information capsule and use a personal information element in the personal information capsule;
The management server
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter that defines personal information elements available to the user for each user who can access the personal information capsule stored in the storage means from the client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, the filtering process of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file ;
Changing means for changing the content of the personal information capsule stored in the storage means;
Invalidating means for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal when the contents of the personal information capsule are changed by the changing means When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information receives the personal information from the management server If it is not desired to be registered as a management target, it comprises a deletion means for deleting the personal information from the client terminal ,
The client terminal
Access request transmitting means for transmitting an access request for the personal information capsule to the management server;
A personal information management system comprising personal information file receiving means for receiving the personal information file in response to the access request from the management server.   The exploration means is
  Extracting means for extracting text data of a data aggregate included in data in the client terminal;
  Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
  By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
  Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
  A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
  The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. And a second determination means for determining whether or not the data aggregate is personal information based on the counted result and counting the number of character sections determined. The personal information management system according to claim 1. The management server
The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for causing the personal information file transmission means to transmit;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether or not the client terminal is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information receiving means;
And a decryption key transmitting means for transmitting to the client terminal a decryption key for decrypting the encrypted file when the determination means determines that the client terminal is a valid transmission destination. And
The client terminal
Authentication information transmitting means for transmitting authentication information about the encrypted file to the management server when opening an encrypted file that is the personal information file received by the personal information file receiving means;
Decryption key receiving means for receiving from the management server a decryption key corresponding to the encrypted file;
The decryption means for decrypting the encrypted file using the decryption key received by the decryption key receiving means and restoring the original personal information file, further comprising: The personal information management system according to claim 2 or claim 3 . The management server
Further comprising conversion means for converting the personal information file transmitted by the personal information file transmission means into a completed document file having a container function;
The encryption unit of the management server encrypts the completed document file with the original file of the personal information file attached to the completed document file obtained by the converting unit using the container function. 4. The personal information management system according to claim 3 , wherein the completed document file is transmitted as the personal information file to the personal information file transmitting means. The management server
And further comprising an access authority setting means for setting a predetermined access authority for the encrypted file in accordance with a user to whom the personal information file is transmitted,
In the client terminal, the user is permitted access according to the access authority set by the access authority setting unit as access to the personal information file restored by the decryption unit. The personal information management system according to claim 4 . The client terminal
And further comprising editing means for editing the original file extracted from the completed document file which is the personal information file restored by the decryption means,
When the access authority setting means sets the extraction authority to extract the original file from the completed document file and the editing authority to the extracted original file as the predetermined access authority. 6. The personal information management system according to claim 5 , wherein the original file is permitted to be edited by the editing means in the client terminal. 7. The personal information management system according to claim 6 , wherein in the client terminal, the original file edited by the editing means is prohibited from being stored other than the completed document file. The management server
The log recording means for recording as a log a history of transmission of the personal information file executed in response to an access request to the personal information capsule from the client terminal. The personal information management system according to any one of claims 2 to 7 . The disabling means of the management server, by changing the the decoding key to be sent to the client terminal by the decoding key transmission means, characterized by invalidating said individual information files, according to claim 3 The personal information management system according to claim 8 . The disabling means of the management server, by prohibiting the transmission of the decoding key by the the decoding key transmission means, characterized by invalidating said individual information file, any of claims 3 to 8 The personal information management system according to claim 1. The invalidation means of the management server transmits a deletion command for the personal information file to the client terminal to which the personal information file is transmitted based on the log recorded by the log recording means, and the personal information is transmitted to the client terminal. 9. The personal information management system according to claim 8 , wherein the personal information file is invalidated by deleting the file. The management server
When the personal information file is invalidated by the invalidation means, the client terminal is further notified of the fact, thereby further providing notification means for prompting the user to re-execute the access request for the personal information capsule. The personal information management system according to any one of claims 1 to 11, wherein the personal information management system is configured as described above. A personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter that defines personal information elements available to the user for each user who can access the personal information capsule stored in the storage means from a client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, the filtering process of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file ;
Changing means for changing the content of the personal information capsule stored in the storage means;
Invalidating means for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal when the contents of the personal information capsule are changed by the changing means When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information receives the personal information from the management server A personal information management server, comprising: deletion means for deleting the personal information from the client terminal when registration as a management target is not desired .   The exploration means is
  Extracting means for extracting text data of a data aggregate included in data in the client terminal;
  Cutting out means for cutting out character sections delimited by delimiters from the text data extracted by the extracting unit;
  By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
  Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character determining means for determining;
  A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for collating appropriate characters or inappropriate character strings to determine whether the character section includes the inappropriate characters or inappropriate character strings;
  The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. And a second determination means for determining whether or not the data aggregate is personal information based on the counted result and counting the number of character sections determined. The personal information management server according to claim 13. The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for causing the personal information file transmission means to transmit;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether or not the client terminal is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information receiving means;
And a decryption key transmitting means for transmitting to the client terminal a decryption key for decrypting the encrypted file when the determination means determines that the client terminal is a valid transmission destination. The personal information management server according to claim 13 , wherein the personal information management server is a personal information management server. Further comprising conversion means for converting the personal information file transmitted by the personal information file transmission means into a completed document file having a container function;
The encryption means encrypts the completed document file with the original file of the personal information file attached to the completed document file obtained by the converting means by using the container function. 16. The personal information management server according to claim 15 , wherein a completed document file is transmitted to the personal information file transmission means as the personal information file. 17. The individual according to claim 16 , further comprising access authority setting means for setting a predetermined access authority for the encrypted file in accordance with a user to whom the personal information file is transmitted. Information management server. The log recording means for recording as a log a history of transmission of the personal information file executed in response to an access request to the personal information capsule from the client terminal. 1 3 ~ personal information management server according to any one of claims 17. The invalidation means, by changing the the decoding key to be sent to the client terminal by the decoding key transmission means, characterized by invalidating said individual information files, according to claim 15 to claim 18 The personal information management server according to any one of the above. The invalidation means, by prohibiting the transmission of the decoding key by the the decoding key transmission means, characterized by invalidating said individual information file, to any one of claims 15 to claim 18 The personal information management server described. The invalidation means transmits a deletion command of the personal information file to the client terminal that is the destination of the personal information file based on the log recorded by the log recording means, and causes the client terminal to delete the personal information file The personal information management server according to claim 18 , wherein the personal information file is invalidated. When the personal information file is invalidated by the invalidation means, the client terminal is further notified of the fact, thereby further providing notification means for prompting the user to re-execute the access request for the personal information capsule. characterized in that it is configured Te, personal information management server according to claim 1 3 - any one of claims 2 1. A personal information management program that causes a computer to function as a personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) that includes a plurality of personal information elements related to the specific individual. There,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting, for each user who can access the personal information capsule stored in the storage means from a client terminal, a filter that defines personal information elements that can be used by the user;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, the filtering process of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. by performing the filtering means to extract personal information elements available for the user from the said individual information capsules,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file ;
Change means for changing the content of the personal information capsule stored in the storage means;
Invalidating means for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal when the contents of the personal information capsule are changed by the changing means ,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information sends the personal information to the management server A means for registering and storing the personal information as a personal information capsule in the storage means;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information sends the personal information to the management server A personal information management program that causes the computer to function as a deletion unit that deletes the personal information from the client terminal when registration as a management target is not desired .   When operating the computer as the exploration means,
  Extracting means for extracting text data of a data aggregate included in data in the client terminal;
  Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
  By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
  Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
  A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
  The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and the computer is caused to function as second determination means for determining whether the data aggregate is personal information based on the count result. The personal information management program according to claim 23. The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for transmitting the personal information file transmission means;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether the client terminal is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information receiving means; and
When the determination unit determines that the client terminal is a valid transmission destination, the computer further functions as a decryption key transmission unit that transmits a decryption key for decrypting the encrypted file to the client terminal. 25. The personal information management program according to claim 23 or 24 , wherein: Causing the computer to further function as conversion means for converting the personal information file transmitted by the personal information file transmission means into a completed document file having a container function;
The encryption means encrypts the completed document file with the original file of the personal information file attached to the completed document file obtained by the converting means by using the container function. 26. The personal information management program according to claim 25 , wherein the computer is caused to function so that a completed document file is transmitted to the personal information file transmission means as the personal information file. 27. The individual according to claim 26 , further causing the computer to function as an access authority setting means for setting a predetermined access authority for the encrypted file according to a user to whom the personal information file is transmitted. Information management program. The computer is further functioned as log recording means for recording a history of transmission of the personal information file executed in response to an access request for the personal information capsule from the client terminal as a log. The personal information management program according to any one of claims 23 to 27 . The invalidation means causes the computer to function so as to invalidate the personal information file by changing the decryption key to be transmitted to the client terminal by the decryption key transmission means. The personal information management program according to any one of claims 25 to 28 . The invalidation means, by prohibiting the transmission of the decoding key by the the decoding key transmission means, so as to disable said individual information file, characterized in that to function the computer, according to claim 25 to claim Item 30. The personal information management program according to any one of Items 28 . The invalidation means transmits a deletion command of the personal information file to the client terminal that is the destination of the personal information file based on the log recorded by the log recording means, and causes the client terminal to delete the personal information file 29. The personal information management program according to claim 28 , wherein the computer is caused to function so as to invalidate the personal information file. When the personal information file is invalidated by the invalidating means, the client terminal is notified to that effect as a notification means for prompting the user to re-execute an access request for the personal information capsule. The personal information management program according to any one of claims 2 to 31 , further causing a computer to function.

Images