KR102345750B1 - Method and system for analysing data de-identification risk - Google Patents

Abstract

A method and system for data de-identification risk analysis are disclosed. Data, a method for non-identified Chemistry risk analysis, at the request of system users provide data for compliance (compliance) comprising a data protection laws and regulations as its data (1 ^st party data) applied and, according to the non-identified Chemistry Based on the data leakage risk analysis result, data de-identification is performed for at least a portion of the data to which the compliance is applied and exported.

Description

Method and system for data de-identification risk analysis

The description below relates to a technology for exporting data from a data distribution environment.

The transmission performance through the network is increasing, and the demand for data transmission is rapidly increasing due to the development of IT technology.

Recently, traffic demands for various types of information data and ultra-low latency real-time data such as health care information for individual users, traffic data, smart energy management, and environmental information sensing data are increasing.

In addition, data traffic according to autonomous vehicle technology or virtual reality (VR)/augmented reality (AR) services is also increasing.

Various types of information data distribution environments are being formed due to the overflow of big data and the surge in personalized information services.

In this environment, as various services move from B2B (business to business) to B2C (business to consumer) or people-centered, the problem of personal information leakage due to personalized services is rapidly increasing.

Accordingly, there is a need for an optimal balance between the activation of data ecosystems such as the data-based 4th industry and the needs of individuals to protect privacy.

To its data (1 ^st party data) identifying the non-data on the basis of compliance as possible applied to the data when taken out of the screen provides a technique that can be taken out.

It provides technology to analyze the risk of data de-identification for system users who want to export data in case of duplicate export of data through de-identification.

A computer system, comprising at least one processor configured to execute computer-readable instructions contained in a memory, and wherein the at least one processor, information protected as its data (1 ^st party data), at the request of the system user laws The process of providing data subject to compliance including regulations; and data de-identification for at least a portion of the data to which the compliance has been applied.

According to one aspect, the at least one processor, the personal information collected and the degree of information security-related topics, privacy rights guaranteed whether or not the provider, leveraging privacy policy and third-party (3 ^rd party) said system based on a share if It can be provided by evaluating the reliability of users.

According to another aspect, the at least one processor may perform data de-identification on at least a portion of data to be exported based on the reliability of the system user.

According to another aspect, the at least one processor may de-identify at least a portion of the data to which the compliance is applied through any one of a masking method, a categorization method, a generalization method, and a method using homomorphic encryption.

According to another aspect, the at least one processor analyzes the data leakage risk according to de-identification for each data characteristic, and then performs data de-identification for the data to which the compliance is applied based on the analysis result of the data leakage risk. can be done

According to another aspect, the at least one processor may analyze the risk of data leakage according to the de-identification using an unsupervised learning algorithm.

According to another aspect, the at least one processor may derive a guideline for data identification based on the analysis result of the data leakage risk.

According to another aspect, the at least one processor may perform data de-identification of the data to which the compliance is applied, focusing on a data combination in which the risk of data leakage is less than a predetermined level.

According to another aspect, the at least one processor analyzes the risk of data de-identification for the system user based on de-identification of previously exported data in the case of data for which there is a duplicate export request from the system user. can do.

According to another aspect, the at least one processor analyzes the intersection of identifiable data among data duplicated exported to the system user in the case of data for which there is a duplicate export request from the system user, so that the data leakage risk is set to a certain level. Data de-identification of the data to which the compliance is applied may be performed in a manner of avoiding abnormal data combinations.

A method executed in a computer system, the computer system comprising at least one processor configured to execute computer readable instructions contained in a memory, the method comprising, by the at least one processor, at a request of a system user. providing data subject to compliance including information protection laws and regulations as company data; and performing, by the at least one processor, data de-identification on at least a portion of the data to which the compliance has been applied, and exporting the data.

According to embodiments of the present invention, it is possible to provide an optimal balance between the activation of a data ecosystem such as the data-based fourth industry and the demand for personal privacy protection.

1 is a block diagram for explaining an example of an internal configuration of a computer system according to an embodiment of the present invention.
2 is a flowchart illustrating an example of a data compliance providing method that can be performed by a computer system according to an embodiment of the present invention.
3 to 12 are diagrams illustrating an example of a service screen for providing data compliance according to an embodiment of the present invention.
13 illustrates an example of a process of generating a personal information utilization decision matrix according to an embodiment of the present invention.
14 is a flowchart illustrating an example of a data de-identification process based on a risk of leakage in an embodiment of the present invention.
15 is a flowchart illustrating an example of a personal information management process according to an embodiment of the present invention.
16 illustrates an example of a process of recording and managing personal data used by a service provider according to an embodiment of the present invention.
17 shows an example of real service configuration according to an embodiment of the present invention.
18 is a flowchart illustrating an example of a data privacy-related contract process according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Embodiments of the present invention relate to a method and system for data de-identification risk analysis.

Embodiments including those specifically disclosed herein refer to various laws or guides related to data management in the distribution of own data, including personal information, to generate a matrix (PCM) for decision-making when exporting data, and to create a final decision It can provide a data compliance management environment for use in decision making.

1 is a block diagram for explaining an example of an internal configuration of a computer system according to an embodiment of the present invention. For example, a system for providing data compliance according to embodiments of the present invention may be implemented through the computer system 100 of FIG. 1 . As shown in FIG. 1 , the computer system 100 is a component for executing the data compliance providing method, including a processor 110 , a memory 120 , a persistent storage device 130 , a bus 140 , an input/output interface ( 150 ) and a network interface 160 .

Processor 110 may include or be part of any device capable of processing a sequence of instructions as a component for providing data compliance. Processor 110 may include, for example, a computer processor, a processor in a mobile device, or other electronic device and/or a digital processor. The processor 110 may be included in, for example, a server computing device, a server computer, a series of server computers, a server farm, a cloud computer, a content platform, and the like. The processor 110 may be connected to the memory 120 through the bus 140 .

Memory 120 may include volatile memory, persistent, virtual, or other memory for storing information used by or output by computer system 100 . The memory 120 may include, for example, random access memory (RAM) and/or dynamic RAM (DRAM). Memory 120 may be used to store any information, such as state information of computer system 100 . Memory 120 may also be used to store instructions of computer system 100 including, for example, instructions for providing data compliance. Computer system 100 may include one or more processors 110 as needed or appropriate.

Bus 140 may include a communications infrastructure that enables interaction between various components of computer system 100 . Bus 140 may carry data between, for example, components of computer system 100 , such as between processor 110 and memory 120 . Bus 140 may include wireless and/or wired communication media between components of computer system 100 and may include parallel, serial, or other topological arrangements.

Persistent storage 130 is a component, such as memory or other persistent storage, as used by computer system 100 to store data for an extended period of time (eg, compared to memory 120 ). may include Persistent storage 130 may include non-volatile main memory as used by processor 110 in computer system 100 . Persistent storage 130 may include, for example, flash memory, a hard disk, an optical disk, or other computer-readable medium.

The input/output interface 150 may include interfaces to a keyboard, mouse, voice command input, display, or other input or output device. Input to provide configuration commands and/or data compliance may be received via input/output interface 150 .

Network interface 160 may include one or more interfaces to networks such as a local area network or the Internet. Network interface 160 may include interfaces for wired or wireless connections. Input to provide configuration commands and/or data compliance may be received via network interface 160 .

Also, in other embodiments, computer system 100 may include more components than those of FIG. 1 . However, there is no need to clearly show most of the prior art components. For example, the computer system 100 is implemented to include at least some of the input/output devices connected to the input/output interface 150 described above, or a transceiver, a global positioning system (GPS) module, a camera, various sensors, It may further include other components such as a database and the like.

2 is a flowchart illustrating an example of a method for providing data compliance that can be performed by a computer system according to an embodiment of the present invention.

The processor 110 may load the program code stored in the program file for the data compliance providing method into the memory 120 . For example, a program file for the data compliance providing method may be stored in the persistent storage device 130 described with reference to FIG. 1 , and the processor 110 is stored in the persistent storage device 130 via the bus 140 . The computer system 100 may be controlled to load program code from a program file into the memory 120 . In this case, in order to execute the data compliance providing method, the processor 110 and components of the processor 110 may directly process an operation according to a control command or control the computer system 100 .

Hereinafter, specific embodiments will be described using personal information (or personal data) as an example. However, it is not limited to personal information, and as data that is subject to distribution between companies or between companies and individuals, it can be extended and applied to all types of company data owned by the company.

In the present embodiment, when personal information is distributed in an Internet of Things environment (eg, smart home, smart office, wearable healthcare, etc.), the individual who can determine compliance, such as whether or not the General Data Protection Regulation (GDPR) policy is satisfied, and can satisfy it We provide a new personal information management platform that fits the personal information distribution paradigm through the information management framework.

Referring to FIG. 2 , in step S210 , the processor 110 may register country-specific information protection laws related to personal information as a compliance item on the platform. The processor 110 may register each of the information protection laws such as EU GDPR, Korea Personal Information Protection Act, and US HIPAA in the form of a pre-template. The system user can automatically check the compliance of the data by selecting the function suitable for the data collection and utilization environment. The processor 110 binds the personal information collected in various service environments with the user profile and service contract information (including whether the user agrees or not), and then provides a function of checking compliance in accordance with the information protection laws of each collection country.

In step S220 , the processor 110 may provide a data set to which the compliance pre-registered on the platform is applied to data corresponding to the request of the system user. The processor 110 may generate a query for the data request, check raw data corresponding to the query, and then provide a location-based result value based on a country in which the raw data is collected. The processor 110 may provide a data set to which compliance is applied by applying pre-registered compliance to raw data on the platform.

In step S230, the processor 110 provides a function of exporting the data to which the compliance has been applied. The processor 110 provides a function of verifying data characteristic information on the platform, and provides a function of confirming the data characteristic of an individual data field when data is exported. The processor 110 may apply data de-identification to individual data fields when exporting data. For example, as a data masking method, the processor 110 may apply de-identification by masking at least a portion of data with a symbol (eg, an asterisk) that cannot be identified as data. As another example, the processor 110 may de-identify the exported data field through unit conversion for data as a categorization method. For example, you can convert your actual age into age units such as teenagers and 20s, or convert to last name units such as Kim and Lee by excluding your first name from your full name. The processor 110 can de-identify data using categorization, generalization, data masking methods, etc., as well as de-identification using homomorphic encryption. Accordingly, the system user can acquire data in a form that complies with the compliance.

The processor 110 may provide reliability for each company in a scored form when personal information is distributed between companies on the platform. As an example, the processor 110 may evaluate the reliability based on the reliability evaluation target's ability (ability), relationship (benevolence), consistency (integrity), tendency (inclination), and the like. Capability includes the degree of personal information collection and information security-related items, and may include the personal information collection scope, personal information processing security, etc. Relationship includes whether the rights of the personal information provider are guaranteed or not, and it is the nature of the attitude of the person subject to reliability evaluation to work or act with the personal information provider. It may include whether to deliver and how to deliver. Consistency includes personal information use policy and whether or not to share with a third party Consistency of use may be included. The trend indicates the importance of trust indicators in evaluating the reliability of personal information providers. The trend can be expressed as a weight in the reliability calculation, and the value may be different for each service domain or reliability evaluation target based on the provider's experience and reputation. This is the accumulated information of the credibility evaluator's experience and reputation, including personal opinions. The actual evaluation of each item (capability, relationship, consistency, tendency) used for reliability evaluation can be evaluated using a personal information policy book and mobile application access right information data set.

The processor 110 may determine a guide for de-identification of data to be exported based on the reliability of the company requesting the data export. The processor 110 may provide a column-by-column de-identification guide for the data requested by a specific company when exported to the outside after compliance matching.

3 to 12 are diagrams illustrating an example of a service screen for providing data compliance according to an embodiment of the present invention.

The data compliance providing system provides a web-based user interface.

Service users can be broadly classified into two groups, and can be divided into data managers who have the authority to directly manage internal data and data requesters who want to use data from external or internal organizations.

The data compliance providing system may support a web-based ID/password service login method.

Referring to FIG. 3 , main functions of the dashboard are as follows.

The dashboard page 300 may include a 'data management' menu 301 and a 'compliance evaluation' menu 302 .

The 'data management' menu 301 includes a function for managing internal or external data requests and exporting data under the approval of the data manager.

The 'compliance evaluation' menu 302 includes a function for managing information on compliance provided on the platform. At this time, compliance means a series of functions that check its suitability in accordance with specific data export standards. may include Individual countries or institutions' privacy-related rules or standards can be registered as an additional form of compliance.

In addition, the 'compliance evaluation' menu 302 includes a function of providing a guideline for safe export of data through reliability evaluation of a corresponding company when exporting data.

At the top of the dashboard page 300 , the logged-in user, authority, and access time are displayed.

In the dashboard page 300, new data request details 310 can be checked through the 'data export request' menu of the 'data management' menu 301, and data request processing details 320 through the 'data export status' menu )can confirm.

The data manager may check the new data request details 310 on the dashboard page 300 and select and process the request to be processed by using the 'selection' menu 311 .

In the case of a new data request, the data requester may log in with a previously issued user account for data request on the login page and proceed with the new data request process.

4 shows an example of an information input screen 400 for a new data request.

The information input screen 400 includes information input fields necessary for data request, and includes a title 401, a requester 402, a exporting company 403, data request content 404, data utilization purpose 405, data It may include an interface for inputting a utilization period 406 , a country or region 407 , and the like. The data request content 404 is a field for entering a detailed description of the data to be actually used, and the data utilization purpose 405 is a field for entering a specific purpose of use, such as a research purpose or a commercial analysis purpose. The data usage period 406 is a field for entering the data usage period in order to comply with the GDPR regulations, etc., and the country or region 407 is an input field necessary to apply the data protection law appropriate to the country or region when exporting data. to be.

The data manager's new data request processing process will be described as follows.

5 illustrates a request processing screen 500 selected by the data manager using the 'selection' menu 311 .

The processor 110 generates a query 501 for data extraction based on the request written in the data request through the information input screen 400 and displays it on the data request processing screen 500 . It is also possible to provide a search term for data extraction in the form of a workbench rather than a query form.

The data request processing screen 500 includes a 'query' menu 502 for executing the query 501, a 'compliance application' menu 503 for applying compliance to the raw data retrieved by the query 501, etc. can

When the data manager selects the 'query' menu 502, the processor 110 may provide a data search result 601 corresponding to the query 501 on the map 610 as shown in FIG. have.

The processor 110 may provide the data search result 601 on the map 610 in the form of data distribution for each country (or region) based on the country (or region) in which the data is collected for each data. The provision of the data search result 601 based on the map 610 is for preferential filtering because international laws or privacy-related laws have regional characteristics. By showing the overall data volume by country (or region), it is possible to quickly recognize the utilization of data.

As a search result screen, the processor 110 may provide a raw data check screen 720 for checking raw data included in a search result corresponding to the query 501 as shown in FIG. 7 .

On the raw data confirmation screen 720 , data retrieved through a query based on the raw data may be displayed on a field basis. In other words, it provides the ability to directly check the raw data for data extraction from the data manager side.

The processor 110 provides a function for applying compliance to the basic searched raw data.

The data manager may check the basic properties of the searched data through the query 501 and then apply compliance to the searched data in order to actually export the corresponding data to the outside.

When the data manager selects the 'compliance application' menu 503 , the processor 110 may provide a pre-registered compliance list 801 as shown in FIG. 8 . The data manager can create a compliance that complies with the user terms for each product and the laws of each country of data collection, which are the characteristics of the data to be collected. Pre-generated compliance can be applied directly to raw data.

The processor 110 may apply the compliance selected by the data manager from the compliance list 801 to the basic searched raw data.

As shown in FIG. 9 , the processor 110 may provide a function for checking the result 901 to which the compliance is applied, and similarly to the basic search result ( FIGS. 6 and 7 ), the result 901 of the compliance application is displayed. It can be displayed on a map or as a raw data list.

After confirming the result 901 to which the compliance is applied, the data manager may proceed with the actual export operation.

When the data manager selects the 'Apply Compliance' menu 503, the 'Export' menu 1002 is displayed on the data request processing screen 500 along with the result 1001 to which the compliance is applied, as shown in FIG. 10 . can be If there is a prior export history for the currently displayed data, the corresponding export history 1003 may be displayed on the data request processing screen 500 .

In addition to the export history 1003, a function of visually providing characteristics for each field through a graph is included.

The processor 110 may provide a result of applying de-identification to each data field included in the compliance application result to be exported.

The data manager can apply de-identification to the exported data at the field level, and can selectively set the de-identification type. For example, de-identification can be applied to the 'gender' field, and the graph at the top can visually show what kind of data distribution by gender. In the case of the 'age' field, a method of completely de-identifying a level in which a numeric value cannot be read, a method of randomly increasing/decreasing in a certain unit, a method of converting a unit into an age group type, etc. can be applied.

For this de-identification function, a predefined de-identification function can be applied according to the characteristics of the data field. In addition, it is also possible for the data manager to directly input de-identified data.

The data request processing screen 500 includes a function for the data manager to finally check export information before exporting data. This is a function for the data manager to check the final data request before processing. Map-based data distribution information, requester information, request date information, person in charge (data export) information, processing date information (data export), applied compliance Information and key issuance information (key information issued to prove that the data requester accesses the data they want to export) can be checked. The data manager can write and input the export confirmation phrase together with the key issuance, and can proceed with the export of data after the key issuance procedure and the export confirmation procedure through the user's direct input.

The data export case performed through the above process may be displayed in addition to the data request processing history 320 on the dashboard page 300 . In this case, the processor 110 may highlight and display the newly created case newly added to the data request processing history 320 to be distinguished from other cases.

The 'compliance evaluation' menu 302 on the dashboard page 300 is a function for managing information on compliance provided on the platform, and may provide a function for providing compliance in a data compliance solution.

11 shows the compliance management screen 1100 by the 'compliance evaluation' menu 302 .

Referring to FIG. 11 , the data manager can check the compliance list 1102 through the 'compliance control' menu 1101 on the compliance management screen 1100 to manage the existing compliance. In addition, the 'add compliance' menu 1103 may be included as a function for the data manager to directly create compliance.

Pre-registered compliance means a set of laws or regulations to be applied to company data. Each compliance clause includes one or more clauses, and it can be expressed by scoring it as a whole according to each compliance or non-compliance. An item of data evaluated (confirmed) by the data manager for each compliance included in the pre-registered compliance list 1102 may be provided together.

The data manager can add a new compliance by using the 'Add Compliance' menu 1103. In this case, if you want to add a compliance, select and apply the desired compliance from the interface for entering the compliance title and the predefined compliance list for each region. An interface for doing so may be provided.

As a management function for the pre-registered compliance list 1102, for each compliance included in the compliance list 1102, as shown in FIG. 12, a 'job review' menu 1201 for reviewing the compliance items, the title of the compliance A 'group name change' menu 1202 for changing the 'group name' menu 1202, a 'group deletion' menu 1203 for deleting the compliance, etc. may be provided.

The 'job review' menu 1201 is a function for evaluating individual items of compliance, and an administrator who added compliance may evaluate each of the compliance rules.

The service page according to the 'job review' menu 1201 may provide information on terms of use at the time of data collection. In this case, the service or device that collects personal data presents contract information with the user, and the data manager can determine the usability of the data collected from the service or device based on the terms and conditions information at the time of data collection.

The data manager may request information on terms of use related to compliance through the service page according to the 'job review' menu 1201 to check the terms of use information of a target service or device to which compliance is to be applied. It provides the ability to easily and conveniently judge compliance by providing information on terms of use at the time of collection for the personal data of the data owner.

In addition, when applying compliance, it is possible to provide a function to check the specific text of related provisions together. It provides the ability for data controllers to check and evaluate the original text of each relevant provision to be applied for compliance.

The service page according to the 'compliance evaluation' menu 302 may include a 'custom compliance' function for managing information on compliance items managed by itself in order to apply and manage the overall PCM on the compliance management system. The data manager can define rules on the data compliance solution through the 'custom compliance' function. In addition to the 'custom compliance' function, a function to register and utilize data-related laws and provisions for each region in advance, a function to manage user rights, and a function to manage a list of operators who want to export data may be further included.

13 illustrates an example of a process of generating a personal information utilization decision matrix according to an embodiment of the present invention.

Referring to FIG. 13 , the processor 110 may generate a matrix (PCM) for decision-making when using personal information based on various compliances related to personal information management including personal information security analysis 1301, and finally An overall function for use in decision making 1302 may be provided.

The processor 110 may construct a matrix by extracting data for personal information use decision making from the personal information security analysis 1301 and each region raw data, and may update the final decision 1302 using this. .

The processor 110 analyzes the compliance 1301 based on machine learning in consideration of the continuous update of related laws and guide information, and as a final decision 1302, the decision to use personal information according to the decision of the data manager as well as In addition, it is possible to verify the suitability of compliance (personal information protection guideline setting) through evaluation of individual items of compliance, and to provide different risk management according to the level of risk after calculating the risk of personal data.

The present embodiments may include an architecture for analyzing the risk of leakage of personal information.

14 is a flowchart illustrating an example of a data de-identification process based on a risk of leakage in an embodiment of the present invention.

Referring to FIG. 14 , in step S1401 , the processor 110 may analyze the leakage risk of de-identified data for each characteristic included in the data to be exported.

The processor 110 may analyze the risk of data de-identification through the leakage risk analysis model for personal data. For example, the processor 110 may analyze the leakage risk for each data characteristic using an unsupervised learning algorithm.

The processor 110 may de-identify personal data through a de-identification method using categorization, generalization, data masking, or the like, or a de-identification method using homomorphic encryption.

The leakage risk for single data among individual data included in personal data may be defined as in Equation 1.

[Equation 1]

는 사용자 i의 특징 j에 대해 비식별화된 데이터

의 PII 유출위험도를 의미하고, I는 사용자 집합,

는 비식별화 함수, M_i,j는 사용자 i의 특징 j가 기록된 데이터 집합을 의미한다.here,

is the unidentified data for feature j of user i.

means the risk of PII leakage, I is the set of users,

is a de-identification function, and M _i,j is a data set in which the feature j of user i is recorded.

가 사용자 i의 정보일 확률을 나타낸다.In other words, Equation 1 is the given data

represents the probability that is information of user i.

Equation 2 is given when defining the leakage risk for multiple data including at least two or more features based on the leakage risk for single data.

[Equation 2]

의 PII 유출위험도를 의미한다.Equation 2 is unidentified data for _{specific j 1} and feature j _{2 .}

of PII leakage risk.

In step S1402, the processor 110 may perform data de-identification based on the leakage risk analysis result.

The processor 110 may use an unsupervised learning algorithm to find a data combination with a high risk of leakage and apply it to data de-identification. By applying several unsupervised learning algorithms to all data combinations and forming clusters, it is possible to find data combinations with a high risk of leakage above a certain level. After evaluating the performance by comparing the records created by the same user with the records of the cluster, a PII combination with a high risk of leakage for each characteristic can be derived by comparing the performance. It is possible to determine a feature selection algorithm optimized for the corresponding dataset by comparing it with the PII combination calculated through the feature selection algorithm.

The processor 110 may derive a guideline for data de-identification based on the risk of data leakage, and through this guideline, data de-identification may be performed focusing on data combinations having a risk of leakage below a certain level. .

Furthermore, the processor 110 may analyze the risk of data de-identification for the corresponding system user based on the previously exported data de-identification in the case of data for which there is a duplicate export request from the same system user. The processor 110 may perform data de-identification in a manner that avoids data combinations having a risk of leakage above a certain level by analyzing data intersections that are identifiable between data duplicately exported to the same system user. For example, the processor 110 may perform data de-identification with the same data combination as previously de-identified data with respect to data that the system user wants to repeatedly export. As another example, the processor 110 finds a data combination in which the risk of leakage is less than a certain level, including previously de-identified data and additional de-identified data, for the data that the system user wants to export in duplicate, and de-identifies the data. can be performed.

The present embodiments may include a blockchain architecture that complies with compliance for personal information management.

15 is a flowchart illustrating an example of a personal information management process according to an embodiment of the present invention.

The computer system 100 according to the present embodiment may implement a controller node on a blockchain network.

Referring to FIG. 15 , in step S1510, the computer system 100 separates the personal data received from the user node from the controller node on the blockchain network into personally identifiable information (PII) and potential personally identifiable information (PPII). have.

In step S1520, the computer system 100 may store personal identification information in a local database. Among personal data, PII can be stored in the local database of the controller node, and the hash of this PII and PPII can be stored in the blockchain.

In step S1530, the computer system 100 may generate a hash value of personal identification information. Since only the hash value of PII is stored in the blockchain, if PII is deleted from the local database, the hash value of PII stored in the blockchain becomes useless.

In step S1540, the computer system 100 determines that a user corresponding to a smart contract generated by consensus, potential personal identification information, a generated hash value, and a user node when a consensus is reached between nodes on the block chain network. A block containing the identifier and the controller identifier corresponding to the controller node can be created and stored in the blockchain. At this time, the computer system 100 may publish a list of personal data to nodes on the blockchain network. In addition, the conditions for an agreement may be based on compliance applicable to personal data, for example GDPR regulations.

Meanwhile, when sharing personal data with a processor node on a block chain network, the computer system 100 may notify the user node of whether personal data is shared and the purpose of sharing personal data. At this time, the processor node separates the personal data into personally identifiable information and potential personally identifiable information, stores the personally identifiable information in the local database of the processor node, generates a hash value of the personally identifiable information, When consensus is reached, a block containing a smart contract generated by consensus, potential personally identifiable information, a generated hash value, a user identifier corresponding to a user node, a controller identifier corresponding to a controller node, and a processor identifier corresponding to a processor node can be implemented to create and store in the blockchain.

In addition, each of the nodes on the blockchain network can delete the personal data of the user node stored in their local database by checking the smart contract stored on the blockchain as a request to delete personal data from the user node is received. .

In addition, each of the nodes on the blockchain network can modify the personal data of the user node stored in their local database by checking the smart contract stored on the blockchain as a request for modification of personal data from the user node is received. , at this time, a node that has modified the user node's personal data in its local database can create a new block containing the modified personal identification information hash and add it to the blockchain.

The present embodiments may include a BCP (Blockchain Controller for Privacy) architecture that can provide personal data by using a contract with a blockchain controller having access rights.

The computer system 100 according to the present embodiment may implement BCP as a personal information providing system.

When a service provider such as social service, search service, mail service, media service, etc. wants to use personal data, by accessing the personal data using a contract with the BCP with personal data access rights, the usage record and usage information for personal data can be verified. can

16 illustrates an example of a process of recording and managing personal data used by a service provider according to an embodiment of the present invention.

As shown in FIG. 16 , for example, real user data is moved to the cloud platform through the social service provider #B. Other social service providers #A and #C may collect personal data through BCP #2.

In this case, using the BCP (#1, #2) authenticated by the user, the usage details of the personal identification information (PII) of the services can be verified, and service providers must also use the BCP type function. .

17 is a diagram showing a real service configuration example according to an embodiment of the present invention, wherein the user delegates access to his/her data to the BCP, and the service provider uses personal data through a contract with the BCP delegated by the user. can

The functional characteristics of the BCP according to the present invention are as follows.

1. BCP performs data privacy-related contracts with users.

2. BCP provides its own private data storage (storage or vault).

3. BCP concludes a contract function with the online data storage used by the user.

4. BCP provides interworking interface function with online data storage used by users.

5. BCP provides BCP agent for monitoring user service usage environment (personal information related data generation environment).

First, the data privacy-related contract process between the BCP and the user is as follows.

BCP provides contracts for data privacy as a way to clearly monitor personal data at the various touchpoints where it is exposed online.

Regarding the main online data that can be exposed by the user, depending on the contract with the user (1) only the part that can be provided in the form of SDK (Software Development Kit) or API (Application Program Interface) for major exposure points, or (2) network At the level of monitoring (Network Monitoring), personal information can be distinguished through overall monitoring.

In this case, in the case of a web- or App-based server, it falls under (1) above, and the corresponding service providers should be able to provide information on the authority for data monitoring as well.

18 is a flowchart illustrating a data privacy-related contract process between a BCP and a user.

Referring to FIG. 18 , for a smart contract, a user may access a BCP to which he/she wants to delegate access to his/her data (S1801), and the corresponding BCP may receive a contract request from the connected user.

The BCP may receive a selection for the service (online data store or service provider) used by the user (S1802).

The BCP determines whether it is linked with the service selected by the user (S1803). If the service used by the user is not linked with the BCP, the blockchain-based personal information provision service cannot be provided.

When the service used by the user is linked with the BCP, the BCP side may perform user authentication for data interworking with the service (S1804). For example, the BCP may request to allow access to a service used by the user, such as an Oauth (Open Authorization) method.

BCP may set the contract right scope when user authentication is completed (S1805). The contract rights scope means the scope of access rights, and may include, for example, data items, monitoring and tracking periods, and the like. The service provider may provide information on the scope of data provision agreed upon by the user at the time of subscription, the timing of consent, etc. In this case, the BCP may set data accessibility such as access using API and direct file access (DFA). In addition, the BCP may set data coverage including whether to access different data in grades such as Potential Personal Identifiable Information (PPII) and Personal Identifiable Information (PII). In addition, the BCP may set data anonymization according to the user's request.

When the service used by the user is a new service or data is collected from the user terminal, information connected to the BCP can be set in the user environment (terminal, application, IoT, etc.), and the BCP can receive connection information with the user environment. It can be (S1806). For this, the BCP side can provide a separate API gateway address to upload the user's data.

In the case of an online-based service provider, such as when personal data already exists online, the setting process with the terminal ( S1806 ) may be omitted.

The BCP may store information set through the above processes (S1801 to S1806) for the service used by the user as contract information with the user (S1807).

A user may proceed with subscribing to a specific web service that he/she wants to use on a browser through various user environments.

For example, in a web service, it is possible to confirm whether or not to use BCP in the user registration process. If the user inputs his/her intention to use BCP, the BCP login process can be provided, and through this, the user can log in to the BCP used by the user.

The BCP side provides the user with a list of data that can be monitored for the user's personal information requested by the web service the user wants to subscribe to, and then can set the data item selected by the user through the list as the monitoring target.

BCP can itself provide the function of private data storage.

For example, existing personal cloud data storage operators or providers of productivity tools provide monitoring and smart contract-based third-party services for data input/output in a data management environment. It is possible to extend to the BCP form by adding the monitoring function of authority control and provision to the input/output of personal data. By establishing a contract with a separate BCP and only BCP manages the contact point of exposure with a third-party service, it is also possible to exclusively link and provide its own BCP function.

As such, according to embodiments of the present invention, it is possible to provide a data distribution environment in which privacy is guaranteed as well as a data management environment that complies with the compliance based on the compliance related to personal data. In particular, de-identification of data to be exported can be applied by analyzing the risk of leakage by data characteristics when exporting data in the data distribution process.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, the apparatus and components described in the embodiments may include a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), and a programmable logic unit (PLU). It may be implemented using one or more general purpose or special purpose computers, such as a logic unit, microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications executed on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

Software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be embodied in any tangible machine, component, physical device, computer storage medium or device for interpretation by or providing instructions or data to the processing device. have. The software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. In this case, the medium may be to continuously store a program executable by a computer, or to temporarily store it for execution or download. In addition, the medium may be a variety of recording means or storage means in the form of a single or several hardware combined, it is not limited to a medium directly connected to any computer system, and may exist distributedly on a network. Examples of the medium include a hard disk, a magnetic medium such as a floppy disk and a magnetic tape, an optical recording medium such as CD-ROM and DVD, a magneto-optical medium such as a floppy disk, and those configured to store program instructions, including ROM, RAM, flash memory, and the like. In addition, examples of other media may include recording media or storage media managed by an app store that distributes applications, sites that supply or distribute various other software, and servers.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in an order different from the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (16)

In a computer system,
at least one processor configured to execute computer readable instructions contained in memory
including,
the at least one processor,
The process of compliance (compliance) to provide the applied data, including data protection laws and regulations as its data (1 ^st party data), at the request of the system user; and
Process of performing data de-identification for at least a portion of the data to which the compliance is applied and exporting
process the
the at least one processor,
Personal information collected and the degree of information security-related topics, privacy rights guaranteed whether the providers, personal information utilization policies and third party (3 ^rd party) shares, whether personal information on the basis of confidence indicators for the provider confidence in the system user the process of evaluating; and
The process of performing data de-identification for at least a portion of the data to be exported based on the reliability of the system user
process the
the at least one processor,
By analyzing the risk of data leakage due to de-identification for each characteristic included in the company data,
The process of analyzing the risk of leakage for single data including one characteristic; and
The process of analyzing the risk of leakage for multiple data including at least two or more features based on the risk of leakage for the single data
process the
the at least one processor,
To perform data de-identification of the data to which the compliance is applied based on the analysis result of the risk of data leakage,
Data on data to which the compliance has been applied, focusing on data combinations in which the data leakage risk is less than a certain level, including previously de-identified data and additional de-identified data for data that the system user wants to export in duplicate performing de-identification
A computer system that processes them. delete delete According to claim 1,
the at least one processor,
De-identifying at least a portion of the compliant data through any one of a masking method, a categorization method, a generalization method, and a method using homomorphic encryption
A computer system characterized by a. delete According to claim 1,
the at least one processor,
Analyzing the risk of data leakage according to the de-identification using an unsupervised learning algorithm
A computer system characterized by a. According to claim 1,
the at least one processor,
Deriving a guideline for data identification based on the analysis result of the data leakage risk
A computer system characterized by a. delete delete According to claim 1,
the at least one processor,
In the case of data for which there is a duplicate export request from the system user, the data to which the compliance is applied in such a way as to avoid data combinations with the data leakage risk of a certain level or higher by analyzing the intersection of identifiable data among the data duplicated exported to the system user to perform data de-identification for
A computer system characterized by a. A method executed on a computer system, comprising:
the computer system comprising at least one processor configured to execute computer readable instructions contained in a memory;
The method is
providing, by the at least one processor, compliance data including information protection laws or regulations as company data according to a system user's request; and
performing, by the at least one processor, data de-identification on at least a portion of the data to which the compliance is applied and exporting
including,
The exporting step is
Personal information collected and the degree of information security-related topics, privacy rights guaranteed whether the providers, personal information utilization policies and third party (3 ^rd party) shares, whether personal information on the basis of confidence indicators for the provider confidence in the system user to evaluate; and
Performing data de-identification of at least a portion of the data to be exported based on the reliability of the system user
including,
The exporting step is
analyzing the risk of data leakage due to de-identification for each characteristic included in the company data; and
performing data de-identification of the data to which the compliance is applied based on the analysis result of the data leakage risk
further comprising,
The analyzing step is
analyzing the risk of leakage for single data including one characteristic; and
Analyzing the risk of leakage for multiple data including at least two or more features based on the risk of leakage for the single data
including,
The step of performing data de-identification on the data to which the compliance is applied,
Data on data to which the compliance has been applied, focusing on data combinations in which the data leakage risk is less than a certain level, including previously de-identified data and additional de-identified data for data that the system user wants to export in duplicate performing de-identification
How to characterize. delete 12. The method of claim 11,
The exporting step is
De-identifying at least a portion of the data to which the compliance has been applied through any one of a masking method, a categorization method, a generalization method, and a method using homomorphic encryption
How to include. delete delete 12. The method of claim 11,
The step of performing data de-identification on the data to which the compliance is applied,
In the case of data for which there is a duplicate export request from the system user, the data to which the compliance is applied in such a way as to avoid data combinations with the data leakage risk of a certain level or higher by analyzing the intersection of identifiable data among the data duplicated exported to the system user to perform data de-identification on
How to characterize.

Images