KR102636559B1 - Pseudonym information combining solution provision system - Google Patents

Abstract

The present invention relates to a system for combining pseudonym information and providing a solution for pseudonym processing. The system for combining pseudonym information and providing a solution for processing pseudonym information is provided by a combination applicant who submits an application for combining pseudonym information and receives and confirms the combined object. Applicant organization terminal; A specialized agency terminal owned by the merger party that performs combination processing, pseudonym processing, appropriateness evaluation, and export screening for the pseudonym information subject to the combination based on the received application; And it may include a pseudonym information combination and pseudonym processing solution providing device that provides a pseudonym information combination solution to support the work of a professional organization that performs pseudonym information combination work based on the application.

Description

Pseudonym information combining solution provision system {Pseudonym information combining solution provision system}

The present invention relates to a system for combining pseudonym information and providing a pseudonym processing solution.

With the implementation of the three data laws (Personal Information Protection Act, Information and Communications Network Act, and Credit Information Protection Act), the use of data by companies and institutions has rapidly increased, and protections and restrictions related to processing/provision/utilization have also been further strengthened, and data has been processed in a safe form. Technology that helps process data so that it can be utilized is attracting attention.

However, in the past, some data processing technologies have been applied to group data or anonymize (de-identify) personal attributes through masking, semi-identification, and typing. However, conventionally known technologies combine processing between pseudonymized information. There are aspects of performance where safety, efficiency, and performance are deteriorated.

The technology behind the present invention is disclosed in Korean Patent Publication No. 10-1794169.

The present invention is intended to solve the problems of the prior art described above, and improves safety, efficiency, and performance compared to conventional data processing technology, and processes data in a safe form so that it can be used more effectively (especially pseudonymized information). The purpose is to provide a system for combining pseudonym information and providing a pseudonym processing solution that can help with combining and processing between pseudonym information.

The present invention is intended to solve the problems of the prior art described above, and provides (supports) work convenience when performing tasks related to pseudonymization (anonymity) processing of data or data combination processing at a data combination specialized agency, and thereby provides data Aggregation (data) specialized agencies that specialize in combining (data specialized agencies) or companies/institutions that develop big data and my data businesses can safely process and utilize data. The purpose is to provide a system for combining pseudonym information and providing a pseudonym processing solution for pseudonym processing agencies.

However, the technical problems to be achieved by the embodiments of the present invention are not limited to the technical problems described above, and other technical problems may exist.

As a technical means for achieving the above-described technical problem, the system for providing a solution for combining pseudonym information and processing pseudonym information according to an embodiment of the present invention includes submitting an application for combining pseudonym information and receiving and confirming the combined object. Application institution terminal owned by the combination applicant; A specialized agency terminal owned by the merger party that performs combination processing, pseudonym processing, appropriateness evaluation, and export screening for the pseudonym information subject to the combination based on the received application; And it may include a pseudonym information combination and pseudonym processing solution providing device that provides a pseudonym information combination solution to support the work of a professional organization that performs pseudonym information combination work based on the application.

In addition, the device for combining pseudonym information and providing a pseudonym processing solution includes: a project management unit that reviews the application and registers and manages a project corresponding to the application when the application is received from the application agency terminal; a combining processing unit that generates and provides a combined object by performing combining processing on a plurality of combined target information based on the registered project; When a request for export is made from the application agency terminal, an export management unit that performs export screening for the combined object and then provides the export screening result to the application agency terminal; And it may include a control unit that controls the operation of the application organization terminal, the professional organization terminal, and each unit.

In addition, the apparatus for combining pseudonym information and providing a pseudonym processing solution includes: a pseudonymization processing unit that performs pseudonymization on the combined object; And it may further include an adequacy review progress unit that performs an adequacy review on the pseudonymized combined object.

In addition, the control unit, when a connection is detected from the application agency terminal or the specialized agency terminal, provides a dash capable of checking step-by-step monitoring information, target file monitoring information, and processing status monitoring information in relation to pseudonym information combination and pseudonym processing. The board screen can be controlled to be displayed on the screen of the application organization terminal or the professional organization terminal whose connection is detected.

In addition, the pseudonym processing processing unit may control rules for pseudonym processing techniques to be set for each attribute in the combined object by providing a rule setting screen before performing pseudonym processing.

In addition, the project management department, through the pseudonym information combination solution, has a function for creating individual applications for each project, a function for accepting and rejecting the completed and submitted application, and a function for separating the input stage for each stakeholder for pseudonym processing, and May provide application creation and management functions, including the ability to print applications and upload signed applications.

In addition, when performing the export review, the export management unit operates the export examiner terminal so that the export examiner checks each export screening evaluation item on the evaluation screen for each item, makes a judgment on export appropriateness, and inputs a judgment value. You can control it.

Additionally, the combination processing unit can provide a large file transmission/reception agent function capable of combining processing of large amounts of data through the pseudonym information combination solution.

The above-described means for solving the problem are merely illustrative and should not be construed as limiting the present invention. In addition to the exemplary embodiments described above, additional embodiments may be present in the drawings and detailed description of the invention.

According to the problem-solving means of the present invention described above, by providing a system for combining pseudonym information and providing a pseudonym processing solution, safety, efficiency and performance are improved compared to conventional data processing technology, and data can be processed into a safe form to be used more effectively. It can help with data processing (especially combining pseudonymous information).

According to the problem-solving means of the present invention described above, by providing a system for providing a solution for combining pseudonymized information and a pseudonymization processing agency for aggregation (data) specialized agencies and pseudonymization processing agencies, pseudonym (anonymous) processing of data in data aggregation specialized agencies is possible. We provide (support) work convenience when performing tasks related to data combination and processing, and through this, we enable combination agencies (data specialized agencies) that specialize in data combination or companies/institutions that develop big data and my data businesses. Data can be processed and utilized safely.

According to the means for solving the problem of the present invention described above, by providing a system for combining pseudonym information and providing a solution for pseudonym processing, a professional organization can perform combined processing on target information (pseudonym information to be combined) corresponding to pseudonym information or information collection. In carrying out the work of a specialized agency to combine and process combined information more safely and efficiently while complying with the restrictions of the Personal Information Protection Act and the Credit Information Act (especially restrictions related to combining pseudonymized information or information aggregates) (Combined processing tasks) can be supported.

However, the effects that can be obtained from the present invention are not limited to the effects described above, and other effects may exist.

Figure 1 is a diagram showing the schematic configuration of a system for combining pseudonym information and providing a pseudonym processing solution according to an embodiment of the present invention.
Figures 2 to 17 are diagrams for explaining a system for combining pseudonym information and providing a pseudonym processing solution according to an embodiment of the present invention.
Figure 18 is an operation flowchart of a method for providing a pseudonym information combination solution according to an embodiment of the present invention.

Below, with reference to the attached drawings, embodiments of the present invention will be described in detail so that those skilled in the art can easily implement the present invention. However, the present invention may be implemented in many different forms and is not limited to the embodiments described herein. In order to clearly explain the present invention in the drawings, parts that are not related to the description are omitted, and similar parts are given similar reference numerals throughout the specification.

Throughout the specification of the present invention, when a part is said to be “connected” to another part, this means not only “directly connected” but also “electrically connected” or “indirectly connected” with another element in between. Also includes cases where it is connected to.

Throughout the specification of the present invention, when a member is said to be located “on”, “in the upper part”, “at the top”, “below”, “at the bottom”, or “at the bottom” of another member, this means that a member This includes not only cases where a member is in contact with a member, but also cases where another member exists between two members.

Throughout the specification of the present invention, when a part is said to “include” a certain component, this means that it may further include other components rather than excluding other components unless specifically stated to the contrary.

Throughout the specification of the present invention, some of the operations or functions described as being performed by a terminal, apparatus, or device may instead be performed on a server connected to the terminal, apparatus, or device. Likewise, some of the operations or functions described as being performed by the server may also be performed in a terminal, apparatus, or device connected to the server.

Throughout the specification of the present invention, the term 'at least one' may be defined as a term including singular and plural, and even if the term 'at least one' does not exist, each component may exist in singular or plural, and singular Or, it is obvious that it can mean revenge. Additionally, whether each component is provided in singular or plural form may vary depending on the embodiment.

Figure 1 is a diagram showing the schematic configuration of a system 100 for combining pseudonym information and providing a pseudonym processing solution according to an embodiment of the present invention.

Hereinafter, for convenience of explanation, the system 100 for combining pseudonym information and providing a pseudonym processing solution according to an embodiment of the present invention will be referred to as the present system 100. In addition, the system 100 may include a pseudonym information combining and pseudonym processing solution providing device 10 according to an embodiment of the present invention. This pseudonym information combining and pseudonym processing solution providing device 10 is described below. For convenience of explanation, it will be referred to as this device 10.

In describing the present invention below, matters shown (described) in the drawings may be equally applied to the description of the device 10 or the system 100 even if the content is omitted below.

Referring to FIG. 1, the system 100 may include a pseudonym information combining and pseudonym processing solution providing device (10), an application agency terminal 20, and a specialized agency terminal 30. The system 100 may be referred to differently by terms such as a data combination system. The system 100 and the device 10 can provide a pseudonym information combination and pseudonymization solution, where the pseudonym information combination and pseudonymization solution includes a pseudonym information combination solution and pseudonymization information (or personal information). It can be understood as a concept that includes a solution. Each of these pseudonym information combination and pseudonym processing solutions, pseudonym information combination solutions, and pseudonym information pseudonym processing solutions are all solutions provided by this system 100 and this device 10, and are hereinafter referred to as solutions, services, etc. It may be referred to differently.

This device 10 can provide a pseudonym information combination solution to support the work of professional organizations that perform pseudonym information combination work based on applications. Additionally, the device 10 may be a device or server that provides a web page, app page, program, or application related to providing a pseudonymous information combination solution. The program or application related to providing the pseudonym information combination solution provided by the device 10 may be referred to as the program or app for convenience of description below. In the present invention, the term pseudonym may be alternatively referred to as anonymity.

The pseudonym information combination solution provision service provided by the device 10 may be referred to differently as a pseudonym information combination solution, a pseudonym information combination service, etc., and may be referred to as the main service for convenience of explanation below. This service may be referred to by the service name N-PIE (NTUMNETWORKS Privacy Information Enabler) (Korean name: N-PIE). As a service, this device 10 can provide a big data personal information pseudonymization, anonymization, and pseudonym information combination solution that protects personal information in a big data environment and supports the creation of various business opportunities. In other words, this service (N-PIE) provides pseudonymization, anonymization, and pseudonym information combination solutions, complies with international standard personal information de-identification technology (ISO/IEC 20889), and provides pseudonymization information processing, pseudonymization information combination, and It may be designed to comply with relevant laws, systems, and related guidelines.

The application agency terminal 20 may refer to a terminal possessed by the combination applicant 20' who submits an application for combination of pseudonym information (or information collection), receives and confirms the combination completed object. The application agency terminal 20 installs this program or this app provided by this device 10 and connects this program or this app to the combination applicant (20) who can use this service (pseudonym information combination solution). ') may refer to the terminal owned by the user.

The combination applicant 20' may be a user belonging to the applicant organization 200 who wishes to combine pseudonym information. The combination applicant 20' may be referred to differently by terms such as applicant, applicant, etc. In addition, the combination applicant (20') processes and combines personal information or personal credit information under a pseudonym (anonymization and combination) for the purposes of, for example, statistical compilation, scientific research, public record preservation, and marketing use. Users who wish to utilize and provide this information may be public institutions, non-profit corporations, private institutions, individuals, organizations, etc.

The professional organization terminal 30 installs this program or this app provided by this device 10, and then connects this program or this app to use this service (pseudonym information combination solution). 30') may refer to a terminal owned by a person. When an application is received, the merging party 30' is a user belonging to a specialized organization 300 that performs the merging process between the merging target information (pseudonym information to be combined) based on the received application. You can. Additionally, the merging party 30' may be a user belonging to a professional organization 300 that performs not only merging of target information but also pseudonymous (anonymous) processing of personal information or personal credit information. In the present invention, the specialized organization 300 may be referred to by terms such as a combined specialized agency or a data specialized agency.

The specialized agency terminal 30 includes the top administrator terminal 31 held by the top administrator 31', the processor terminal 32 owned by the processor 32', and the evaluator terminal held by the evaluator 33' ( 33), etc. may be included. According to this, when performing the combination processing on the combination target information, the combination party 30' uses the top manager 31', the processor 32', and the evaluator 33' according to the given role (task). It can be divided into multiple types of users, including: These top-level managers 31', processors 32', and evaluators 33' may all be users belonging to the professional organization 300. Here, the evaluator 33' may include an export reviewer who performs an export review and an adequacy reviewer who performs an appropriateness review. These evaluators, export reviewers, and appropriateness reviewers may be referred to by terms such as evaluation committee member, export review committee member, and appropriateness review committee member, respectively.

The top administrator 31' may refer to a person who has overall management authority (administrator authority) for processing related to combining pseudonymous information and for the device 10. The processor 32' may refer to a person who performs data processing, such as performing combination processing on combination target information and performing pseudonym (anonymity) processing. The evaluator 33' may refer to a person who evaluates a combined object. In particular, a export reviewer may refer to a person who performs a export review to determine whether export is appropriate when a request is made for export of an object that has been assembled. The adequacy reviewer may refer to a person who reviews the adequacy of combined objects combined through combination processing and pseudonymized objects for which pseudonym processing has been completed.

In explaining the present invention, the contents described with respect to the specialized agency terminal 30 are the same as the descriptions of each of the top administrator terminal 31, the processor terminal 32, and the evaluator terminal 33, even if the contents are omitted below. It can be applied easily.

In the present invention, the application organization terminal 20 and the professional organization terminal 30 may be collectively referred to by terms such as user terminal, for example. In the present invention, user terminals (i.e., application organization terminal 20, professional organization terminal, etc.) include, for example, PCS (Personal Communication System), GSM (Global System for Mobile communication), PDC (Personal Digital Cellular), and PHS (Personal Communication System). Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (WCode Division Multiple Access), Wibro (Wireless Broadband Internet) terminal, smartphone It may include, but is not limited to, all types of wired and wireless communication devices such as (Smartphone), SmartPad, tablet PC, laptop, wearable device, desktop PC, etc.

This device 10 can transmit and receive data by linking with each of the application organization terminal 20 and the professional organization terminal 30 through the network 1.

The network (1) is, for example, a 3rd Generation Partnership Project (3GPP) network, a Long Term Evolution (LTE) network, a World Interoperability for Microwave Access (WIMAX) network, the Internet, a Local Area Network (LAN), and a Wireless LAN (Wireless LAN). Local Area Network), WAN (Wide Area Network), PAN (Personal Area Network), Bluetooth network, NFC (Near Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, etc. It may include, but is not limited to, various wired/wireless communication networks.

In the example shown in Figure 1, the system 100 is illustrated as including one application organization terminal 20 and one professional organization terminal 30, but this is only an example to aid understanding of the present invention. , but is not limited to this, and the system 100 may include a plurality of application organization terminals and a plurality of professional organization terminals. According to this, the device 10 can transmit and receive data by linking with each of a plurality of application organization terminals and each of a plurality of professional organization terminals through the network 1.

In the present invention, the application organization terminal 20 may be one of a plurality of application organization terminals, and the contents described with respect to the application organization terminal 20 may be omitted below, but each of the plurality of application organization terminals The same can be applied to the explanation. Likewise, the professional organization terminal 30 may be one of a plurality of professional organization terminals, and the content described with respect to the professional organization terminal 30 is for each of the plurality of professional organization terminals even if the content is omitted below. The same can be applied to explanations.

Additionally, the system 100 may include a data key management terminal (not shown) owned by a data key manager (not shown) belonging to the data key management agency 400.

Users using the device 10 may include a combination applicant 20', a combination party 31', a data key manager, and a device manager who manages the device 10. As mentioned above, the combination party (31') may include the top manager (31'), the processor (32'), and the evaluator (33'), and the evaluator (33') may include the export reviewer and the appropriateness reviewer. there is. The device manager may mean the top administrator (31'), or it may mean a distributor who develops and distributes this program or this app, and the latter may be more preferable.

This device 10 is implemented in the form of a program or application (app, app) installed on the user terminal (i.e., the application organization terminal 20 and the professional organization terminal 30) and allows users (for example, to combine) through the user terminal. It may be provided to the applicant (20') and the connection party (30'). However, it is not limited to this, and as another example, the device 10 may be provided in the form of a server capable of transmitting and receiving data to and from the user terminal. In addition, this device 10, which is provided in the form of a server, can control the operation (for example, screen display) of a user terminal connected to this program or this app. In the description with reference to Figure 1, this device 10 is As an example, it will be described as being provided in the form of a server. In this case, the device 10 may be referred to differently as a server, a server providing a pseudonym information combination solution, etc.

Hereinafter, the present invention will be described in more detail with reference to the drawings.

Figures 2 to 17 are diagrams for explaining a system 100 for combining pseudonym information and providing a pseudonym processing solution according to an embodiment of the present invention. At this time, the matters shown (described) in the drawings of the present invention, as mentioned above, can be equally applied to the description of the present device 10 and/or the present system 100, even if the contents are omitted below. Referring to FIGS. 1 to 17, the device 10 can provide various functions as follows.

Figure 2 is a diagram schematically showing the structure of the present system 100 and the architecture of the pseudonym information combination solution provided by the present device 10. Referring to FIG. 2, the pseudonymous information combination solution (this service, this solution) provided by this device 10 may be referred to by terms such as this product, this service product, and N-PIE product. Additionally, this system 100 may be referred to as an N-PIE system. This device 10 can be prepared to operate in various operating environments with Java-based software, and can enable stable system operation by adopting a standard architecture of pseudonymization and combination processing.

In describing the present invention below, the definitions of terms used in the present invention may be as follows.

< Definition of terms >

In the present invention, 'information subject' may mean a person who is identifiable by the information being processed and is the subject of the information. According to Article 2, Paragraph 1 of the Personal Information Protection Act, 'personal information' is information about a living individual, i) information that can identify an individual through name, resident registration number, video, etc., and ii) information that cannot identify a specific individual through that information alone. Information that can be easily identified by combining it with other information (in this case, whether it can be easily combined must be determined by reasonable consideration of the time, cost, and technology required to identify the individual, including the availability of other information). It can be included.

According to Article 2, Paragraph 1 of the Personal Information Protection Act, 'pseudonymized information' may refer to information that cannot identify a specific individual without the use/combination of additional information to restore the original state by pseudonymizing personal information. . According to Article 58-2 of the Personal Information Protection Act, 'anonymous information' may mean information that can no longer identify an individual even if other information is used when reasonable consideration of time/cost/technology, etc. ‘Additional information’ refers to information that can restore deleted or replaced parts of personal information through means or methods (algorithms, etc.) used to replace all or part of personal information, comparison/contrast with pseudonymized information, etc. (mapping) table information, personal information used in pseudonym processing, etc.), etc., where additional information (original information and algorithm/mapping table information) and pseudonym information must be separated administratively or technically, and access rights must be separated. can do. ‘Other information’ may refer to information that is not included in additional information but can be used/combined to restore pseudonymized information to its original state, and may be limited to information held by the personal information processor or reasonably obtainable. there is.

According to Article 2 1-2 of the Personal Information Protection Act, 'pseudonymization' may mean processing so that a specific individual cannot be identified without additional information, such as by deleting part of personal information or replacing part or all of it. there is. ‘Anonymization’ can mean processing so that an individual can no longer be identified. ‘Additional pseudonymization’ may refer to additional pseudonymization performed when the level of pseudonymization of the combined results is insufficient as a result of the appropriateness review.

In addition, in the Credit Information Act, for example, 'personal credit information' is, according to Article 2, Paragraph 2 of the Credit Information Act, credit information about a living individual that falls under any of the following: i) Name , information that can identify a specific individual through resident registration numbers, videos, etc., and ii) information that can be easily combined with other information to identify a specific individual even if the information alone cannot identify the specific individual. ‘Pseudonymized information’ refers to pseudonymized personal credit information according to Article 2, Paragraph 16 of the Credit Information Act, and ‘anonymous information’ refers to anonymized personal credit information according to Article 2, Paragraph 17 of the Credit Information Act. You can. In addition, according to Article 2, Paragraph 15 of the Credit Information Act, 'pseudonymization' means processing personal credit information so that a specific individual, the subject of credit information, cannot be identified without using additional information, and 'anonymization' means processing credit information. According to Article 2, Paragraph 17 of the Information Act, this may mean processing personal credit information so that a specific individual can no longer identify the subject of credit information.

The data key management agency (400) is the Korea Internet & Security Agency or the Korea Internet & Security Agency, which supports safe combination of pseudonym information, such as generating combination key linkage information and providing it to a specialized organization (300) in accordance with Paragraph 2 of Article 29-3 of the Enforcement Decree. It may refer to an institution designated and notified by the Protection Commission.

‘Data specialized agency’ may refer to a specialized agency (300) within this system (100), and the Personal Information Protection Committee is responsible for combining pseudonymized information between different personal information processors in accordance with Article 28-3 (1) of the Act. Alternatively, it may mean a specialized organization designated by the head of the relevant central administrative agency. 'Data combination application organization' may refer to the application organization 200 in this system 100, and is a personal information processor who applies for combination of pseudonym information and is a person who only provides pseudonym information and provides pseudonym information and combines it. It may include anyone who uses information or anyone who uses combined information without providing pseudonymized information.

‘Personal information processor’ may mean a public institution, corporation, organization, or individual that processes personal information on its own or through another person in order to operate personal information files for business purposes. 'Personal information handler' may mean a person who processes personal information under the direction/supervision of a personal information processor, such as executives, employees, dispatched workers, or part-time workers, to ensure that personal information is safely managed. ‘Pseudonymized information processor’ may refer to public institutions, corporations, organizations, and individuals that use or provide pseudonymized personal information for business purposes. ‘Pseudonymized information handler’ may refer to executives, employees, dispatched workers, part-time workers, etc. who process pseudonymized information under the direction and supervision of a personal information processor.

‘Adequacy review’ may refer to a procedure to check whether a pseudonym has been appropriately processed according to predefined pseudonym processing standards. 'Re-identification' can mean the state or act of getting to know or trying to recognize a specific individual through additional information or combining or contrasting/comparing it with other information held by the actor or public information. 'Identification information' includes unique identification information (passport number, alien registration number, driver's license number), name, phone number, e-mail address, medical record number, health insurance number, and vehicle registration number for the purpose of external linkage (identification). It may mean generated information, etc. ‘Identifiable information’ may refer to information that can identify an individual from the perspective of the person processing the pseudonym information, such as gender, age (age), nationality, blood type, height, weight, occupation, location information, detailed address, etc., where The standard for determining whether an individual is 'recognizable' can be the person who processes the information (including the person who receives the information in the provision relationship). 'Special information' is information that may generate extreme values that deviate from the overall pattern, such as the oldest person in the country, the tallest person, the amount of arrears owed, the recipient of a large amount of benefits, etc. Information such as rare surnames, rare blood types, rare eye colors, names of rare diseases, and rare occupations. It may mean information that has a unique value in itself.

'Identifiers' are attributes that can identify an individual and may include resident registration number, phone number, email, name, account number, MRI photo, genetic information, etc. Encrypted values can also be classified as identifiers. 'Quasi-identifiers' are not identifiers in themselves, but are attributes that can be used to indirectly infer a specific individual through combination with other data. For example, they can mean the name of the city of residence, weight, blood type, etc., and are not de-identified. Techniques may be subject to transformation/manipulation. 'Sensitive information' is an attribute that can reveal an individual's private life, and can mean the name of the disease, deposit balance, card payment amount, etc. It is a target attribute that is mainly measured when analyzing data, and is used in most modern de-identification techniques. Data values can be preserved. 'Personal information file' may refer to a collection of personal information systematically arranged or organized according to certain rules so that personal information can be easily searched. 'Combined key' may refer to information temporarily used when a combined key management agency generates combined key linkage information. 'Combining key linkage information' may refer to information linking the combination keys between different combination applicants so that pseudonym information can be combined for the same information subject.

<Laws related to data combination>

In combining pseudonymized information, the Personal Information Protection Act restricts it to specialized agencies equipped with security facilities according to Article 28-3, and the Credit Information Act restricts it to designated data specialized agencies according to Article 17-2. . In other words, the restrictions under the Personal Information Protection Act and the Credit Information Act have similar aspects when it comes to combining pseudonymous information.

Specifically, with regard to restrictions on combination of pseudonymized information, Article 28-3 of the Personal Information Protection Act states that: [1) Notwithstanding Article 28-2, personal information processing between different personal information processors for the purpose of statistical preparation, scientific research, public interest record preservation, etc. The combination of pseudonymized information is performed by a specialized agency designated by the Protection Committee or the head of the relevant central administrative agency. 2) A personal information processor who wishes to export combined information outside the organization that performed the combination must process it as pseudonymized information or information corresponding to Article 58-2 and obtain approval from the head of the specialized organization. 3) Necessary matters such as combination procedures and methods pursuant to paragraph 1), designation and cancellation standards/procedures of specialized organizations, management/supervision, export and approval standards/procedures pursuant to paragraph 2 shall be determined by Presidential Decree.] .

In addition, in relation to the combination of information collections, etc., Article 17-2 of the Credit Information Act stipulates that [1) a credit information company, etc. (excluding persons prescribed by Presidential Decree; hereinafter the same shall apply in this Article and Article 40-2) shall provide information held by it; In the case where an aggregate is to be combined with an information aggregate held by a third party, the combination must be done through a data specialized agency designated in accordance with Article 26-4. 2) When a data specialized agency designated pursuant to Article 26-4 delivers the combined information collection pursuant to paragraph 1 to the relevant credit information company, etc. or its third party, it must be delivered in a pseudonymized or anonymized state. do. 3) In addition to the matters stipulated in paragraphs 1 and 2, procedures and methods for combining/providing/storing information collections shall be prescribed by Presidential Decree].

Accordingly, the present invention (i.e., this system 100 and this device 10) allows a specialized organization (data specialized agency, combination specialized agency) 300 to combine target information (combined information) corresponding to pseudonymized information or information aggregates. When performing combined processing (combined processing work) on target pseudonymized information, the restrictions (especially restrictions related to combining pseudonymized information or information sets) under the Personal Information Protection Act and the Credit Information Act (Credit Information Protection Act) are complied with. At the same time, we aim to provide a pseudonym information combination solution that supports the work (combination processing work) of professional organizations (300) so that the combined information can be combined and processed more safely and efficiently. Hereinafter, a detailed description of the system 100 is as follows.

The system 100 may include the device 10, an application organization terminal 20, and a specialized organization terminal 30. Additionally, the system 100 may include a data key management terminal (not shown) owned by a data key manager (not shown) belonging to the data key management agency 400.

The application organization terminal 20 may refer to the terminal of the application organization 200 owned by the combination applicant who submits an application for combining pseudonym information (or information collection) and receives and confirms the combined object. .

The specialized agency terminal 30 is a specialized agency ( 300) terminal.

This device 10 is a device for combining pseudonym information and providing a pseudonym processing solution, and can provide a pseudonym information combining solution (N-PIE, N-PIE). This device (10) includes a project management unit (11), a project DB (12), a combination processing unit (13), an export management unit (14), a control unit (15), a pseudonym processing unit (16), and an adequacy review process unit (17). may include.

When the application is received from the application agency terminal 20, the project management unit 11 may review the application and register and manage the project corresponding to the application in the project DB 12.

The combination processing unit 13 completes the combination by performing combination processing on a plurality of combination target information (i.e., multiple combination target pseudonym information) corresponding to the project, based on the project registered in the project DB 12. Objects can be created and provided.

At this time, the application submitted by the application agency terminal 20 to the project management department 11 may be an application for combining pseudonymized information from the perspective of the Personal Information Protection Act, and may be an application for combining information sets from the perspective of the Credit Protection Act. It may be an application for. According to this, the combination processing unit 13 may perform combination processing on pseudonym information or information collection based on the application. In other words, the object on which the combined processing is performed by the combining processing unit 13 (combined processing target) can be divided into two types, one of which may be pseudonymized information, and the other may be an information collection.

The combining processing unit 13 may perform combining processing using different processes (procedures) when the target of combining processing is pseudonymized information and when it is an information set, which will be explained in more detail later. In the present invention, the term “object of combination processing” may be referred to differently as combination target information, combination target pseudonym information, etc. That is, in the present invention, pseudonym information or information sets that are the subject of combined processing may be collectively referred to as combined target information (or combined processing target, combined target pseudonym information). In other words, an information set can also mean pseudonymized information. Accordingly, in the present invention, pseudonymous information can be referred to interchangeably with the terms pseudonymized information or information set, and in the present invention, pseudonymized information and information set are used interchangeably. are terms (words) that have the same meaning, but from the perspective of the Personal Information Protection Act, they may be referred to as pseudonymous information, and from the perspective of the Credit Protection Act, they may be referred to as the term information collection. Therefore, even if the content is omitted below in the present invention, the content described with respect to pseudonymous information can be equally applied to the content explained with respect to the information set, and vice versa.

When an export request is made from the application organization terminal 20, the export management unit 14 performs an export screening for the combined object provided by the combination processing unit 13 and sends the export screening result to the application institution terminal 20. It can be provided (transmitted). At this time, if the export management unit 14 determines that the combined object satisfies the preset export acceptance criteria as a result of carrying out the export screening, it generates a export screening result corresponding to approval and sends it to the application organization terminal 20. It can be provided, and through this, the applicant organization terminal 20 can take the combined object out to the outside. In addition, the export management unit 14 can generate export screening results corresponding to approval and provide them to the application organization terminal 20, and simultaneously provide (export) the combined object to the application organization terminal 20. If the export screening is approved, the application organization terminal 20 then processes the combined object provided from the device 10 (i.e., the combined object exported from the device 10) according to the purpose of the combined application. can do.

On the other hand, if the combined object does not meet the preset export acceptance criteria, the export management unit 14 generates a export screening result corresponding to disapproval and provides it to the application organization terminal 20, thereby This bonded object can be prevented from being taken out to the outside. Here, the preset export acceptance criteria may be set and changed by the device manager who manages the device 10.

The control unit 15 can control the operation of the application organization terminal 20, the specialized organization terminal 30, and each unit within the device 10.

For example, when an export request is made from the application agency terminal 20, the pseudonym processing unit 16 assigns a pseudonym (or Anonymous) processing can be performed. The pseudonym processing unit 16 may provide a pseudonymized combined object by performing pseudonym processing.

The adequacy review progress unit 17 may perform an adequacy review (evaluation) on the pseudonymized combined object provided by the pseudonym process process unit 16.

At this time, when the export management unit 14 determines (evaluates) that the pseudonymized combined object satisfies the preset adequacy level (adequacy satisfaction standard) as a result of the adequacy review conducted by the adequacy review progress unit 17. , By providing (transmitting) the pseudonymized combined object that meets a preset appropriateness level to the applicant organization terminal 20, the applicant organization terminal 20 can enable the pseudonymized combined object to be taken out to the outside. .

In other words, when a request for export is made from the application agency terminal 20, the device 10 may allow the application organization terminal 20 to export, for example, if the export screening result is approved, or the export screening result is approved. At the same time, if the result of the adequacy review is determined to 'satisfy the preset adequacy level', the applicant organization terminal 20 may be allowed to be taken out. In the present invention, it may be more preferable for export to be carried out in the latter case, but it is not limited to this, and as mentioned above, export may only be carried out in the former case.

The device 10 performs combining processing (for example, combining two pseudonymized information or combining two information sets) using different processes (procedures) when the information to be combined is pseudonymized information and when it is an information set. It can be done, and the specific explanation for this is as follows.

<Combining processing procedure when the information to be combined is pseudonymized information>

For example, when the information to be combined is pseudonymized information, the processing procedure (step, process) for combining data (information) can be more easily understood by referring to FIGS. 3 to 5.

Referring to FIGS. 3 to 5, when the information to be combined is pseudonymized information, the device 10, for example, receives an application as shown in FIG. 5 from the application organization terminal 20 (i.e., an application form between pseudonymized information). You can receive an application for combination, combination application), and then combine pseudonym information through combining processing of multiple combination target information in the application based on the received application, and then if export is required (combined) If the applicant (20') requests export), it can be exported to the combination applicant (20') after export screening and export approval.

In other words, when the application (for example, a combination application as shown in FIG. 5) is submitted from the application organization terminal 20, the device 10 allows the professional organization terminal 30 to access the program or this app to collect pseudonym information. The combination solution (this product) can be used to perform combination processing on multiple combination target information in the application, and at this time, the combination processing can be performed within this product, which is an analysis space with guaranteed stability. If the combination completed object needs to be taken out (i.e., when the combination applicant (20') makes a request for export), after the specialized agency terminal (30) performs the export screening and export approval using this product, the combination applicant (20') ) can be taken out.

As an example, the combination application may include information such as that shown in FIG. 5. Briefly, the combination application may include i) information related to the combination applicant, ii) information related to the combination summary, iii) information related to the pseudonym information provider, iv) information related to the combined information user, and v) information related to attached documents.

Here, i) Information related to the combination applicant may include the name of the organization, address, person in charge, type, business registration number or corporation registration number, name of representative, contact information of person in charge, etc. ii) Information related to the combination outline may include information related to repeat combination and information related to application for additional procedures. Here, information related to application for additional procedures may include items corresponding to confirmation of combination rate, extraction of pseudonym information, and mock combination. iii) Information related to pseudonymous information providers may include file name, submission method, expected submission date, information provision summary, names of all pseudonymous information providers (total number), support requests, etc. iv) Combined information user-related information may include the purpose of combination, detailed purpose of combination, use of analysis space, and support requests. Here, the purpose of combining may include items related to statistical compilation, scientific research, and public interest record preservation.

Referring to Figures 3 and 4, the device 10 performs a combination process on the combination target information, for example, a first-step procedure regarding pre-preparation and combination request, and a two-step procedure regarding combination and additional processing. , and a three-step procedure for export and utilization can be performed. Here, the first step procedure may be performed by the project management unit 11, the second step procedure may be performed by the combination processing unit 13, and the third step procedure may be performed by the export management unit 14. Here, the two-step procedure is a detailed procedure and may include a first detailed procedure regarding transmission and reception of combined information, and a second detailed procedure regarding request for combination and export review. In performing the combination processing, the data transmission and reception flow between the application organization 200, the professional organization 300, and the data key management organization 400 to which the combination applicant 20' belongs is based on the drawings shown in FIGS. 3 and 4. It can be understood in more detail, and even if the content is omitted below, it can be equally applied to the description of the device 10.

When combining pseudonymized information, the combining of pseudonymized information between different personal information processors must be performed through a specialized combining agency (i.e., specialized agency (300)) designated by the Personal Information Protection Committee or the head of the relevant central administrative agency. The device 10 can combine and export pseudonym information according to the procedures shown in FIGS. 3 and 4. When combining pseudonym information, the detailed procedures for each performing entity (for each combination applicant (20'), professional agency (300), and data key management agency (400)) may be the same as those shown in Figures 3 and 4. . In the present invention, the data key management agency 400 may be referred to differently as a combination key management agency, etc.

This device 10, for example, the applicant organization terminal 20 goes through a total of 4 steps, including the 1st step procedure, the 1st detailed procedure of the 2nd step procedure, the 2nd step detailed procedure of the 2nd step procedure, and the 3rd step procedure. Pseudonymized information can be combined and exported.

Specifically, in order to perform the first step procedure (i.e., pre-preparation and application for combination), the device 10 allows the combination applicant 20' (i.e., the application agency terminal 20) to connect between different combination applicants in advance. Through consultation, prepare in advance for combining pseudonym information, such as performing the pseudonym processing necessary for the combination application or filling out the combination application form, and submit the application (combination application form) to the specialized agency (300) to apply for the combination at the application agency terminal. The operation of (20) can be controlled.

Afterwards, the device 10 generates a combination key and transmits information (for example, serial information, combination target information, and combination key information) to perform the first detailed procedure (i.e., transmission and reception of combination information) of the two-step procedure. transmission) can be made, and specifically, the combination applicant 20' negotiates the combination schedule, transmission method, etc. with the specialized organization 300, and receives information used to generate the combination key from the data key management agency 400. After receiving and generating a combination key, the operation of the application organization terminal 20 can be controlled to transmit combination-related information. At this time, the specialized organization 300 can provide the serial number and combination target information, and the data key management organization 400 can provide the serial number and combination key information. Additionally, the device 10 can control the combination applicant 20' to request the data key management agency 400 to confirm the pre-combination rate.

Afterwards, the device 10 can allow additional processing and export requests to be made in order to perform the second detailed procedure (i.e., request for combination and export screening) of the two-step process, specifically, the combination applicant 20'. Before exporting the combined information, the operation of the application organization terminal 20 can be controlled to perform additional pseudonym processing in a separate space installed in the specialized organization 300, and also exported to the specialized organization 300. When requesting, the operation of the application organization terminal 20 can be controlled to submit basic data for export review.

Here, the separate space is provided by the professional organization 300 for additional pseudonym (anonymity) processing before exporting the combined information (i.e., the combined object provided by the combination processing unit 13) necessary to ensure safety. It can mean a space with technical, managerial, physical, and protective measures. In addition, basic data may refer to matters related to the pseudonym (anonymity) processing technique and level applied during additional pseudonym (anonymity) processing.

Thereafter, in order to perform the three-step procedure (i.e., export and utilization), the device 10 uses the combined object provided (exported) from the combination processing unit 13 by the combination applicant 20' to apply for combination. The operation of the application organization terminal 20 can be controlled to process according to the purpose, and safety measures for processing pseudonymized information can be observed.

<Combining processing procedure when the information to be combined is an information collection>

For example, when the information to be combined is an information collection, the processing procedure (step, process) for combining data (information) can be more easily understood by referring to FIGS. 6 and 7.

Referring to Figures 6 and 7, when the combination target information is an information set, the device 10 receives, for example, an application as shown in Figure 7 from the application organization terminal 20 (i.e., an information set). You can receive an application for combining information (an application for combining information, an application for combining information sets), and then based on the received application, combine pseudonym information through combining processing of multiple combination target information in the application, and then export it. If necessary (when the combination applicant (20') requests export), it can be exported to the combination applicant (20') after export screening and export approval. In addition, the device 10 performs pseudonym information combining (particularly, combining information sets) through combining processing on a plurality of combination target information, and before exporting it, for example, the combined information through combining processing is performed. After performing pseudonym (or anonymization) processing on the combined object (i.e., a combined object that is a combination of two information sets in the application), an adequacy evaluation is performed, and if appropriate, the combined object is provided to the combined applicant (20'). It can be taken out.

In other words, when the application (for example, an application for combining information sets as shown in FIG. 7) is submitted from the application organization terminal 20, the device 10 allows the specialized organization terminal 30 to access the program or this app. By doing so, it is possible to perform combined processing on multiple combination target information in the application using the pseudonym information combination solution (this product), and at this time, the combined processing can be performed within this product, which is an analysis space with guaranteed stability. In the case where the combined object needs to be taken out (i.e., when the combined applicant 20' makes a request for exported goods), the professional agency terminal 30 performs the export screening and export approval using this product, and then the combined applicant 20' It can be taken out to (20').

Meanwhile, the pseudonym information combination solution provided by this device 10, as mentioned above, may be referred to differently by terms such as N-PIE, N-PIE, this product, this solution, etc., and this solution is a personal information pseudonym. As a solution for combining information, examples include portal and dashboard support, mock/extracted combination support, pseudonymized information combination support, additional pseudonymization support, adequacy evaluation support, data transfer support, authority management and separate storage support, visualization support, etc. Services can be provided (supported).

In addition, this device 10 can provide consulting services to professional organizations 300 (i.e., professional organization terminals 30), and the consulting services include professional organization application preparation consulting, professional organization application preparation consulting, and professional organization application preparation consulting. May include operational consulting, pseudonymization process consulting, and pseudonymization technology consulting.

The main functions of this solution may include functions related to portal support, integrated dashboard support, access control and account management support, and pseudonym information combination support. Portal support-related functions may refer to functions that support professional organizations (300), application organizations (200), export screening and additional pseudonym processing portals, comply with pseudonym information combination guidelines, and support flexible customization. Functions related to integrated dashboard support may mean functions that support status monitoring at each processing stage, status monitoring by data size/number of records/attributes, and pseudonym processing status monitoring. Access control and account management-related functions support account management by role (e.g., combination applicant (20'), administrator (top administrator, 31'), evaluator (33'), etc.) and access control by account. It can mean a function. Functions related to pseudonym information combination may refer to functions that support combination management functions such as file upload for mock combination, mock combination management function, dictionary combination rate analysis, and attribute analysis.

Figures 8 and 9 are diagrams to explain the function of the pseudonym information combination solution provided by the device 10.

Referring to Figures 8 and 9, this solution has detailed functions, for example, a portal provision function for each authority, a dashboard provision function, a pseudonym information combination process provision function, a system management function, a user management function, a log management function, and a project function. It may include role assignment/application management/mock combination functions, pseudonym information combination/additional processing functions, appropriateness evaluation/export review/export functions, additional processing functions, visualization support functions, and agent functions for sending and receiving large files. .

Here, in relation to the function of providing a portal by authority, the device 10 can provide a portal by authority when providing this solution, and the portal by authority is a portal dedicated to the combination applicant 20', a web portal for the applicant organization, A web portal for specialized organizations, which is a portal dedicated to specialized organizations (300), a web portal for appropriateness evaluations, which is a portal dedicated to evaluators who conduct appropriateness evaluation (review) or export screening (33'), and a processor that performs pseudonymization or additional pseudonymization (32) ') It may include a dedicated portal, a web portal for additional pseudonym processing, etc.

In relation to the function of providing the pseudonym information combination process, the device 10 can provide the user with a screen UI suitable for each authority for each authority, and provides a dashboard that reflects the process of pseudonym information combination processed by each authority. can be provided. In addition, in relation to the system management function, the device 10 can provide, for example, functions that can perform environment setting management, evaluation item management, license management, and bulletin board management for the top administrator terminal 31. there is. In addition, in relation to the user management function, the device 10 can provide functions to perform account management, rule management, and role management targeting the top-level administrator terminal 31. In addition, in relation to the log management function, the device 10 has a function to manage the authority management log, access management log, destruction management log, operation management log, transmission management log, etc. targeting the top administrator terminal 31. can be provided.

In addition, in relation to the project role assignment/application management/mock combination function, the device 10 allows the top administrator 31' to assign roles for each project to the top administrator terminal 31, as shown in FIG. 8. Function to manage applications received from multiple application agency terminals, perform mock combination for combination target information in the application applied (submitted) by the application agency terminal 20, and set mock combination environment. Functions that enable such things may be provided.

In addition, in relation to the pseudonym information combination/additional processing function, the device 10 can perform combination processing or additional processing on pseudonym information, check progress, check results, etc., as shown in FIG. 8. functions can be provided.

In addition, in relation to the suitability evaluation/export review/export function, the device 10, as shown in FIG. 9, allows the export examiner among the evaluators to attach the combined object corresponding to the export request made by the combination applicant 20'. A function that allows an appropriateness reviewer among evaluators to perform an adequacy review on a combined object (for example, a pseudonymized combined object), a function that allows an appropriateness reviewer to perform an appropriateness review on a combined object (for example, a pseudonymized combined object), a function that allows an appropriateness reviewer among evaluators to perform an appropriateness review on a combined object that has been requested for export A function may be provided that allows the applicant 20' to download and use (export possible) the combined object for which the export screening result has been approved through the application organization terminal 20.

In addition, in relation to the additional processing function, the device 10 allows the processor 32' or the top administrator 31' to additionally pseudonym (anonymize) the combined object that has been pseudonymized by the pseudonym processing unit 16. Functions that enable processing such as the like may be provided. Here, at this time, the pseudonym processing progress unit 16 may perform target selection, risk review, rule setting, and additional processing when pseudonym processing is in progress. In addition, in relation to the visualization support function, the device 10 allows users using the device 10 to view and confirm data (particularly, objects that have been combined), check class distribution, check attribute graphs, and properties of combined data. It can provide functions that enable analysis and confirmation of the data set structure to check information.

In addition, in relation to the large file transmission and reception agent function, the device 10 can provide a function that allows the top administrator 31' to configure settings for large file transmission and reception, as shown in FIG. 9. there is. Here, the environment settings may include items that allow setting whether or not to download the agent in relation to transmission management of the original/resultant.

In addition, in providing a large-capacity file transmission/reception agent function, the device 10 may, for example, provide a function for combining and processing large-capacity data (i.e., 100GB or more), for example, 100GB + Combination processing can be performed to combine two or more large amounts of combination target information (pseudonym information to be combined), such as 100GB or 100GB+100GB+100GB (multiple key combination), and this is a special feature unique to this solution (i.e. It can be said that this is a function that is only available in this solution. In other words, the combining processing unit 13 in the device 10 can provide a large file transmission/receiving agent function capable of combining processing of large amounts of data through a pseudonym information combining solution.

In addition, this solution (pseudonymous information combination solution, NPY) provided by this device 10 may have the following functions and advantages.

This solution has a first function that provides a dashboard related to general pseudonym processing, a second function that provides a dashboard related to batch pseudonym processing, a third function that provides a protection level management function, and a fourth function that provides an intuitive/flexible pseudonym processing project status management function, a single function. The 5th function is the project management function of the processing process, the 6th function uses the dual authority allocation method, the 7th function is the application creation and management function, the 8th function allows scalable original target settings, the 9th function is the original information preprocessing function, and risk review. The 10th function is a function, the 11th function is an automatic input review result report generation and output function, the 12th function is a pseudonym processing planning function, the 13th function is a pseudonym processing rule setting function, the 14th function is a pseudonym processing rule application function, and the 15th function is a combination method selection function. Functions: Function 16, which is a combined management function, Function 17, which is an adequacy review function, Function 18, which is a result management function, Function 19, which is a function to enhance personal information filtering using AI, Function 20, which is a log management function for each management function, and Function 21, which is a bulletin board provision function. Functions may be included.

Specifically, the first function is: i) a function to view the status board according to time search conditions (for example, 1 month, 2 months, 3 months, 1 year, 2 years, 3 years), ii) the case of the project subject to processing in each stage of pseudonymization Function to view status board, iii) Function to view status board regarding data size, number of records, number of attributes, etc. regarding original information and processing information of projects in progress of pseudonymization (1. Preparation ~ 5. Results management), iv) Function to view pseudonym processing It can include a status board view function for status (progress status, project name, processing type, application/change/reception date and time, creator/applicant/processor).

The second function is: i) trend view function according to time search conditions (today, week, 1 month, 2 months, 3 months, 6 months, 1 year), ii) maximum and minimum time required for target project information according to search conditions ( Number of records, number of properties, number of conversion properties, dataset type, dataset name) provided functions, iii) Batch pseudonymization history (project name, dataset name, dataset type, number of records, number of properties, number of conversion properties, start date) Time, end date and time, time required) and viewing functions (provided functions) may be included.

The third function is: i) the function to set the protection level analysis, such as re-identification intention and analysis ability, personal information protection level analysis, and impact upon re-identification, ii) the function to set the protection level evaluation criteria according to the protection level analysis settings. , iii) It may include a function to visualize evaluation indicators (possibility of re-identification attempt, evaluation standard value) according to the protection level evaluation.

The fourth function is: i) a function to display the allocation status and role status for stakeholders (creator, applicant, processor, and accessor of original information/additional information/result information) for each project; ii) processing steps and processing for each project; It may include a function to display the date and time (application, reception, termination), etc., iii) a function to individually set the project display method for each user account (tile format, list format), etc.

The fifth function is: i) a function that allows project work to be performed according to the pseudonym processing steps displayed on the screen; ii) a function that automatically creates an independent storage space for each project (i.e., files (original, intermediate, etc.) used in different projects iii) a function that provides a structure to configure individual directories for each product, result, etc.), and iii) a function that allows the original data uploaded by the user to be immediately used in the project without any additional manipulation by the administrator.

The sixth function is: i) in relation to primary authority allocation, the function to perform authority allocation through user role management (by menu) and account management (by role, administrator/processor/evaluator), ii) secondary authority allocation In relation to this, it may include functions to assign additional rights (applicant, processor, original information accessor, additional information accessor, result information accessor) to users who have been granted primary authority assignment in individual projects. there is.

The 7th function is: i) individual application writing function for each project, ii) acceptance and rejection function for the completed and submitted application, iii) pseudonym processing function that separates the input stage for each stakeholder, iv) application output (PDF) and the ability to upload a signed application. In other words, the project management unit 11 in the device 10, through the pseudonym information combination solution, has an individual application writing function for each project, a reception and rejection function for the completed and submitted application, and an input step for each stakeholder in pseudonym processing. It may provide separate functions, and application creation and management functions, including the ability to print applications and upload signed applications.

The eighth function is: i) a function to set the properties of the analysis target due to the increase in the capacity of the original information (only the properties set as the analysis target can be set in the next step), ii) an alias for the column information (property name) of the original information Functions provided, iii) Functions that enable automatic and manual classification of column information types (character and numeric) of original information, iv) Functions of creating combination keys and extracting datasets for mock combination, extracted combination, and dictionary combination rate analysis It may include etc.

The 9th function is: i) personal information filtering function different from pre-defined and user-defined, ii) sampling function by ratio extraction or conditional extraction for the original information, iii) function to replace setting value for each column (attribute), iv) It may include a function to merge columns (attributes), etc.

The tenth function may include i) a function to classify attributes and manage reasons for classification according to risk, and ii) a function to enable automated attribute classification according to predefined attribute classification values.

The 11th function may include i) an automatic input function for application and risk review contents, ii) a manual input function for additional review results, and iii) a function to print the review result report (PDF).

The twelfth function may include i) an automatic pseudonymization plan (pseudonymization algorithm recommendation) input input function, ii) a visualization (icon) display function according to risk classification by attribute, etc.

The 13th function is: i) a function to automatically set pseudonym processing rules (algorithm recommendation), ii) a function to display only a list of applicable rules (processing technology and detailed technology) according to character-type attributes and numeric attributes, iii) a function to Inversion setting (example: Hong** >> *Gildong) function, iv) Function to simultaneously apply upper and lower coding (maximum/minimum value) and generalization to numeric attributes, v) Sample of pseudonymization results for applied rules ( Examples) may include a view (original data, modified data) function, vi) a rule setting initialization (all properties or individual properties) function, etc.

The 14th function is: i) the function of applying the option to apply or not apply pseudonymization rules, ii) the function of presetting (defined in protection level management) or directly setting the protection model (k-anonymity, l-diversity, t-proximity), iii) ) Matched data/mismatched data display function when applying a protection model, iv) Target attribute selection when creating a combination key, attribute and noise order definition, multiple noise insertion function, v) Single method (e.g. Financial Services Commission) and dual method (e.g. It may include a function to support the combination key generation method of the Personal Information Protection Commission.

The 15th function is: i) a function to select a combination method according to the combination key type (single method, dual method), ii) a function to select a combination method according to the type of the combination key (same key, multiple keys), iii) the order of the data sets to be combined. It may include selection functions, etc.

The 16th function is: i) system resource (memory) allocation function according to data capacity, ii) combining resource (node) adjustment function according to data processing performance, iii) distributed processing function according to data capacity and processing performance, iv) combining. It may include status monitoring (start date and time, elapsed time, etc.) functions.

The 17th function is 1) the function to add, change, delete, and activate evaluation items, 2) the function to define the minimum number of evaluation members when forming an adequacy review committee, 3) the function to set the chair of the adequacy review committee, 4) Function to configure multiple appropriateness review committees for each project (e.g. 1st, 2nd, 3rd, nth in case of inadequate evaluation), 5) Function to set appropriate, conditional, and inappropriate for evaluation results, 6) By evaluation item Function to write an evaluation opinion when conditional or inappropriate, 7) Function to view the evaluation status of each evaluation item and the individual's evaluation results, 8) Function to monitor the evaluation status of each member by the administrator, 9) Final evaluation function by the chairperson, 10 ) A function for the chairperson to view the evaluation results of other members, 11) A function to view the evaluation results of previous rounds when the committee is formed more than twice, 12) If the evaluation results are conditional, support is provided to proceed to the next step after confirmation by the manager (person in charge) It may include functions such as

The 18th function is: i) a function to download results for each user with result management authority, ii) a function to download pseudonymized results, iii) a file related to the combination key (combination key + serial number, serial number + combination target information, combination key + It may include a combination target information) download function, iv) a record search function for downloaded results, etc.

The 19th function is: i) pattern-based, dictionary-based classic personal information filtering technique support function, ii) intelligent dictionary, biographical dictionary, address dictionary, and interactive dictionary support function, iii) exception dictionary, bypass sentence support function, iv) filtering. Personal information filtering function when detecting personal information through target entity type management and entity name analysis, v) Convenient personal information filtering policy establishment support function by providing personal information filtering processing results and filtering results (detected entity name), vi) Text It can include functions such as providing a personal information filtering test environment for formats and document (Korean file) formats.

The 20th function may include the function to separate and support audit log functions by log characteristics (authority, access, destruction, operation, transmission, processing history).

The 21st function may include i) a function to provide necessary notices to users by providing FAQs and data rooms, and ii) a function to enable or disable postings in FAQs and data rooms by the administrator.

Below, the process of combining pseudonym information by the device 10 will be described in more detail. In particular, for each role (task, task) of users using the device 10, the process for each user to perform their role (task) will be described in more detail.

The bonding party 30' can use this service by accessing a web portal for professional organizations through the professional organization terminal 30. In particular, the top administrator 31' can use this service by accessing the web portal for professional organizations through the top administrator terminal 31.

When an application is received from the application organization terminal 20, the project management unit 11 may review the application and register and manage a project corresponding to the application in the project DB 12. In the present invention, the project may be alternatively referred to by the term pseudonym information combination project.

The project management unit 11, when the top-level manager 31' selects a menu related to combining pseudonym information during project management in this program through the top-level manager terminal 31, the top-level manager 31' uses a pseudonym to combine pseudonym information. By creating an information combination project, you can perform the pseudonym information combination task, and you can control the project to be created individually for each application for pseudonym information combination.

<Project Management>

The project management unit 11 can enable the top-level manager 31' to create and manage a pseudonym information combination project for pseudonym information combination on the pseudonym information combination project management screen as shown in FIG. 10.

Here, the pseudonym information combination project can be prepared to apply various display methods (card type, list type) and conditions (processing stage, processing type) according to the convenience of the user (i.e., top administrator 31'). . The top level administrator (31') can manage the pseudonym information combination project by displaying it in card or list format for convenience of management.

The project management unit 11 can store the display method selected by the top-level manager 31', and then display the project list on the screen using the saved display method when the pseudonym information combination project menu is selected. As an example, Figure 10 shows an example where the pseudonym information combination project is displayed in a list format.

The project management unit 11 can allow the top-level administrator 31' to check information on the user type of the project by hovering the mouse over the user type on the list-type screen. Additionally, if the project creator and the logged-in administrator are different, , You can control the detailed information of the selected project so that it cannot be confirmed.

The project management unit 11 may display an icon 501 of the user type (i.e., the user's person in charge) for each project on the pseudonym information combination project management screen. At this time, the user type icon 501 may include the first to sixth icons. The first icon is a creator icon indicating the person in charge of creating the project, the second icon is an application icon indicating the person in charge of the pseudonym information combination application task, and the third icon indicates the person in charge of the pseudonym information combination application task. The 4th icon is a processing icon that displays the person in charge of additional processing related to pseudonym information combination, the 5th icon is an export icon that displays the person in charge of export work related to pseudonym information combination, and the 6th icon is pseudonym information. An analysis icon indicating the person in charge of the combination-related analysis task may be included.

The project management unit 11 can display the project in the list if the three conditions of project name, processing stage, and person in charge are satisfied when the top manager 31' searches for a project on the project inquiry conditions screen. If all three conditions mentioned above are satisfied, it can be displayed in the project list. When the top-level manager 31' enters a project name and selects the 'Search' button, the project management unit 11 displays a list of projects corresponding to the entered project name on the screen so that the top-level manager can check it. .

On the pseudonym information combination project management screen, the project management unit 11 displays a list of projects corresponding to the conditions (i.e., the selected stage) on the screen when the top-level manager 31' selects the pseudonym information combination stage (processing stage) to be searched. It can be displayed so that it can be checked. Here, the selectable pseudonym information combination steps (processing steps) include 'all', 'application', 'mock combination', 'information reception', 'combination', 'additional processing', 'export review', 'export', and It can contain 9 processing steps, including ‘Finish’. The project management unit 11 can control so that each step cannot be repeatedly set as a query condition when querying processing steps.

Additionally, the project management unit 11 may allow you to check a list of projects that meet the conditions by selecting the type of person in charge of the project you want to inquire.

When the project management unit 11 causes the top level manager 31' to create a project (pseudonym information combination project), the project management unit 11 may allow the representative applicant to input the assigned application number and a description of the project.

<Application for combining pseudonym information>

When the project management unit 11 receives an application from the application agency terminal 20, the top manager 31' creates a pseudonym information combination project based on the application and appoints a person in charge at each step. You can allocate and have the combination application form completed (registered) and confirmed.

The project management department 11 may have the top manager 31' assign a person in charge for each stage of pseudonym information combination on the person assignment screen in order to prepare for the pseudonym information combination in the preliminary preparation of the first stage procedure (pseudonym processing pre-preparation procedure). there is. At this time, each item (items corresponding to application, combination, processing, export, analysis) displayed on the role in the person in charge assignment screen may mean the following. In other words, 'Application' is an item to enter a person with a role to create a project and manage (create and confirm) the combined application. The default value may be set to the creator who created the project, and 'Combine' is an item to enter a person with a role to perform mock combination, information reception, and combination, and the default value may be set to unspecified. 'Processing' is an item to enter a person with a role to perform additional pseudonym processing on the combined pseudonym information, and the default value may be set to unspecified. 'Export' is an item to enter a person with a role to perform export screening and export for the export of combined products, and the default value may be set to unspecified. 'Analysis' is an item that enters a person who has a role to perform analysis on the simulated combination result and the actual combined result as a support role rather than performing a direct role in combining pseudonym information, and the default value may be set to unspecified. . At this time, in order to enable the top level manager 31' to assign a person in charge to the pseudonym information combination project, the project management unit 11 assigns a user role in advance on the role setting screen for each stage of combination and assigns the corresponding role to the manager account. You can control it to do so.

In relation to the management of the application for pseudonym information combination, the project management unit 11, for example, appoints a person in charge of pseudonym information combination (in particular, a person in charge of managing the application, for example, a top-level manager) on the pseudonym information combination applicant management screen as shown in FIG. 10. (31')) can manage (add and delete) combination applicants at the application stage and perform the work of completing and confirming the combination application form.

When an application is received from the application organization terminal 20, the project management unit 11 causes the top administrator 31' to register a project based on the received application, and at this time, the top administrator 31' registers the project. Based on the received application, an application can be created to register (enter) the information stated in the application into the project. In other words, when an application is received, the project management department (11) has the person in charge of combining pseudonym information (in particular, the person in charge of managing the application, for example, the top administrator (31')) of the project containing the information stated in the application in the project DB ( 12) can be controlled to register. In the present invention, as an example, the person in charge of managing the application (the person in charge of combining pseudonym information) is illustrated as the top level manager (31'), but this is only an example to help understand the present invention, and is not limited to this, and is the top level manager (31'). Separately from the manager 31', the person in charge of the application may be affiliated with a professional organization 300.

When registering a project, the project management department (11) can register (create, enter) a project containing the information stated in the application in the project DB (12) based on the application received from the application agency terminal (20). there is.

At this time, the application (particularly, the combination application), as mentioned above and as shown in Figure 5, includes i) information related to the combination applicant, ii) information related to the combination summary, iii) information related to the pseudonym information provider, and iv) information related to the combined information user. , v) Information related to attached documents may be included. In other words, the combination application may be composed of five elements including i) combination applicant, ii) combination summary, iii) pseudonym information provider, iv) combination information user, and v) attached documents.

Based on the received application, the project management unit 11 may enable the top-level manager 31' to input items corresponding to each of the five elements constituting the combination application form when registering a project.

At this time, the project management department 11, when the top level manager 31' registers the project, i) in relation to the combination applicant in the combination application form, the application number, organization name, business registration number or corporation registration number, representative name, address, person in charge , you can enter the contact information (phone number), contact email, and type. Here, the application number may be information automatically entered when creating a project, the organization name refers to the organization name (company name or organization name) of the combination applicant, and the business registration number or corporate registration number refers to the business registration number or corporate registration number of the combination applicant. means, the representative name means the name of the representative of the combination applicant, the address means the address of the combination applicant, the person in charge means the contact information of the combination applicant, the representative phone number means the contact phone number of the combination applicant, The contact email refers to the email address of the combination applicant, and the type refers to the type of combination applicant and can include individuals, public institutions, non-profit corporations, and private companies.

The project management department 11 may have the top administrator 31' enter values for each of the application type item, repeat combination item, and additional procedure application item in relation to the combination outline in the combination application form when registering the project. there is. Here, the application type item is an item for entering the type of combination applicant participating in pseudonym information combination, and can be entered as one of three items including provision of pseudonym information, use of pseudonym information, and provision and use of pseudonym information. Repeated combination items are items selected depending on the periodic/repeated combination application, including 1) Not applicable: one-time combination application, 2) Initial: initial application for periodic/repeated combination, and 3) Additional: including additional application for periodic/repeated combination. It can be entered as any one of three items. The additional procedure is an item for applying for additional pseudonym information combination support, and can be entered as at least one of three items including combination rate confirmation, pseudonym information extraction, and mock combination.

The project management department (11), when the top administrator (31') registers a project, iii) regarding the pseudonym information provider in the combination application, file name, submission method, expected submission date, information provision summary (file size, total number of records, mock number of combined records), the name of all pseudonym information providers (total number), the organization name and file name of each pseudonym information provider, and support requests. Here, the file name means the file name of the file to be combined (i.e., the target file to be combined) to be provided, and the submission method may include online or offline as a method of submitting the file to be combined. The scheduled submission date refers to the scheduled submission date of the file to be combined, the file size in the provided information summary refers to the size of the combined target file to be provided, and the total number of records in the provided information summary refers to the number of records of the pseudonym information to be combined to be provided. can do. At this time, the combination target file refers to the pseudonym information that the applicant organization terminal 20 wishes to combine written in the application form when filling out the application, which may mean multiple combination target information (multiple combination target pseudonym information). . The number of mock combination records in the summary of provided information may refer to the number of records of pseudonym information subject to mock combination to be provided when requesting a mock combination. The total pseudonym information provider name (total number) refers to the total number (number) of pseudonym information providers and can be set to 2. In the organization name and file name of each pseudonymous information provider, the organization name may refer to the organization name of the pseudonymous information provider, and the file name may refer to the file name that the pseudonymous information provider intends to provide. The support request is an item to input whether to request pseudonym processing support before applying for combination, and may include check items regarding pseudonym processing required for combination application.

The project management department (11), when the top administrator (31') registers a project, iv) provides the purpose of combination, detailed purpose of combination, use of analysis space, and support requests in relation to users of combined information (pseudonymous information users) in the combination application form. You can input it. The combined information user may be a combined applicant (20').

Here, the purpose of combining is the purpose of combining pseudonymous information, and can be entered as any one of statistical compilation, scientific research, and public interest record preservation. The detailed purpose of combining may refer to the detailed purpose (written in detail) of combining pseudonym information. Analysis space use is a support item to be used when using the internal analysis space of a combination specialized agency, and can be entered as one of the following: additional pseudonymization, combination information analysis, or no use. A support request is a request for support for a combined result, and can be entered into at least one of the processing and analysis before export.

The project management unit 11 may allow the top level manager 31' to selectively upload basic documents and additional documents in relation to v) attached documents when registering a project. Here, the basic documents may include documents related to the applicant for combination, documents proving the purpose of combination, and documents related to pseudonym information to be combined. Documents related to the pseudonym applicant are documents that prove that the applicant is a combination applicant applying for the combination of pseudonym information, and may include business registration certificate, certified copy of corporate register, etc., can be set as required input items, and are applicable to both the provider and the user. It can be. Documents proving the purpose of combining are documents that prove the purpose of combining pseudonym information, and may mean research plans, business plans, etc., and may be matters applicable to the user. 3 Documents related to pseudonym information to be combined, when providing pseudonym information, refer to documents related to pseudonym information to be combined, and may include data specifications, etc., and may be matters applicable to the provider. Additional documents may refer to documents that need to be submitted in addition to the basic documents.

Once registration of the project is completed by the top-level administrator 31', the project management department 11 can process the application completed (submitted) for the application submitted (applied) by the applicant organization terminal 20. The project management department (11) can view and modify the contents of the application (i.e., the application that has been submitted and processed) within the project registered by the top administrator (31'), and if any of the contents of the application require rewriting, the submission is processed. You can reject an application that has been submitted, and you can reject a combined application by entering the reason for rejection.

The project management unit 11 may, for example, when the top administrator 31', who is in charge of combining pseudonym information, rejects an application (combination application), for example, as shown in FIG. 10, the combination applicant 20' sends the application to the application organization terminal. By accessing the combined applicant portal (i.e. web portal for applicant organizations) through (20), you can check the rejection status and reason for rejection of the application on the rejected application status confirmation screen.

Once the application received from the application agency terminal 20 through the project management unit 11 is submitted and processed and the registration of the project corresponding to the application is completed in the project DB 12, the combination processing unit 13 then operates at the highest level. The top-level administrator (31') can select the step completion button provided in the work area on the pseudonym information combination application step completion screen displayed on the administrator terminal 31, and the 'mock combination' step can be completed by selecting the step completion button. You can control it to be activated. At this time, the combination processing unit 13 may enter the 'mock combination' stage if mock combination support is selected in the submitted application, and if mock combination support is not selected in the application, the 'mock combination' stage may be entered. You can control it to skip and enter the ‘information reception’ stage.

<Mock combination>

After the project is registered, the combination processing unit 13 may perform a mock combination (mock combination step) on a plurality of combination target information (i.e., two combination target information) within the project. The mock combination step may be a procedure performed in the first detailed procedure of the two-step procedure.

The combination processing unit 13 may perform the combination in the mock combination stage through the combination key provided by the pseudonym information provider among the combination applicants and the combination target information extracted for the mock combination. The combination processing unit 13 may allow the analysis manager and the combination applicant who applied for the mock combination to download the combination results generated in the mock combination stage through the combination specialized agency analysis portal (i.e., web portal for specialized agencies). As shown in FIG. 11, the mock combination step may include i) a combination key combination step, ii) a combination key extraction step, iii) a combination performance step, and iv) a result analysis step.

The combination processing unit 13, on the first screen of the combination key combination step, performs 'combination' after the top-level administrator 31', who is in charge of pseudonym information combination, uploads the combination key file and selects the combination method in the i) combination key combination stage of the mock combination stage. You can select the button to perform a mock combination, and when entering the combination key combination stage for the first time, the status of the combination key target file can be displayed as initialized, and by selecting the 'Sample' button, you can display the uploaded combination key. You can check a sample of the target file.

Additionally, the combination processing unit 13 may allow the top-level administrator 31' to set the combination method and perform combination key combination for mock combination in the i) combination key combination step. Here, when setting (selecting) the combination method, the types of combination methods may include INNER JOIN, OUTER JOIN, and LEFT JOIN. In this case, in the case of LEFT JOIN, it can be arranged to select the combination applicant that serves as the basis for combination. . In addition, the combination processing unit 13 can perform combination key combination for mock combination when the top-level administrator 31' selects the combination button in i) the combination key combination step, and clicks the next button after completion of combination key combination for mock combination. When the top-level administrator 31' inputs ii) the combination key extraction step can be performed.

The combination processing unit 13, in the ii) combination key extraction step, extracts some of the combined combination keys after the top-level administrator 31' sets the extraction range, as shown in the combination key extraction step screen shown in FIG. 11. You can do it.

At this time, the combination key extraction stage screen may include 'result summary information 502' including combination method, number of records, capacity, start date and time, end date and time, and time required. Here, the combining method is the combining method set for the mock combining, the number of records is the number of records of the combined key combined for the mock combining, the capacity is the size of the result file of the combined key combined for the mock combining, and the start date is the combined key for the mock combining. The start date and time of key combination, the end date and time may mean the date and time when combination key combination for mock combination was completed, and the time required may refer to the time required to combine key combination for mock combination.

Additionally, the combination key extraction step screen may include ‘combined key combination result display information 503’. The combination key combination result display information may include the applicant organization, original record, combination record, and combination rate (%) information. Here, the applicant organization is the name of the applicant organization written in the combination application, the original record is the number of original records in the file subject to the combination key, the combined record is the number of combined records in the combined result file, and the combining rate (%) is the number of original records in the file subject to the combined key. This may mean the combination rate of the provided combination key.

Additionally, the combination key extraction step screen may include an extraction range setting column 504. The combination processing unit 13 can enable the top level manager 31' to automatically or manually extract the results of the combined key for the mock combination through the extraction range setting field 504.

In relation to automatic extraction, the combination processing unit 13 can extract the combination key for mock combination based on a preset standard in the combination configuration screen, and the combination key combination result for mock combination is the standard for extracting the mock combination combination key. If the requirements are not met, the 'Extract' button is disabled and an information icon showing a related message can be displayed in the area to the right of the 'Extract' button. For example, when selected by the top-level administrator (31'), the information icon displays 'Extraction conditions not met.' It may be an icon that displays information such as 'If the number of resultant records is smaller than the set number of combined/non-joined records, extraction is not possible.' In relation to manual extraction, the combination processing unit 13 can extract the combination key for mock combination by setting the number of combined keys and noise keys within the range of the preset standard (larger than the set value) in the combination environment settings. there is.

In addition, when the top-level administrator 31' selects the extraction button 505 on the combination key extraction step screen, the combination processing unit 13 extracts the combination key according to the set extraction range, and then selects the 'Next' button. Once this is achieved, the 'download button' is activated in the next step so that the extracted combination key can be downloaded.

Thereafter, the combination processing unit 13 may, in the iii) combination execution step, allow the top-level administrator 31' to upload the combination target information for the mock combination extracted through the extracted combination key result file, and the uploaded combination target Using the combination target information for mock combination uploaded from the information screen, you can perform a mock combination by selecting the combination button. At this time, you can perform a mock combination using the combination method set in the combination key combination step. .

Thereafter, the combination processing unit 13 may enable the top-level manager 31' to check the simulated combination results in the iv) result analysis step, where the simulated combination results include the aforementioned result summary information 502, It may include information about the applicant organization, original record, combined record, and combined rate. Additionally, the combination processing unit 13 may enable the top level manager 31' to check a sample of the simulated combination result in the result analysis stage.

<Receiving information>

When the mock combining step is completed, the combining processing unit 13 may perform the information receiving step. The information reception step may be a procedure performed in the first detailed procedure of the two-step procedure.

The combination processing unit 13 may have the top level manager 31', who is the pseudonym information provider or person in charge of pseudonym information combination among the combination applicants, transmit the combination target information in the information reception stage, and the pseudonym information combination person in charge of combining information can send the information that he or she wants to check in the screen list. If you select the combination target information, you can check a sample of the transmitted combination target information and, if necessary, reject the transmission of the combined target information. In addition, the combination processing unit 13 displays a reason button when rejecting the combination target information transmitted in the information reception stage, and when the reason button is selected, the reason for rejecting the transmission of the combination target information can be confirmed. , In a state where the transmission of the combination target information is rejected, the pseudonym information provider or the person in charge of pseudonym information combination can control the retransmission of the combination target information.

<Combined>

After the information reception step is completed, the combining processing unit 13 may perform a combining step that allows the person in charge of combining pseudonym information to upload the combining key linkage information and then perform combining with the transmitted combining target information. The combining step may be a procedure performed in the second detailed procedure of the two-step procedure.

In the combining step, the combining processing unit 13 can select the selection button displayed on the combining step screen to have the top-level administrator 31' upload the combining key linking information, and when uploading the combining key linking information is completed, the combining The properties of the key linkage information are displayed and can be controlled to establish a connection with the serial number of the linkage target information. Thereafter, when the combining button displayed on the combining step screen is selected, the combining processing unit 13 may cause a screen displaying the combining progress to be displayed, and then display the pseudonym information combining result as a result of the combining progress.

<Additional processing>

After the combining step is completed, the combining processing unit 13 may allow an additional processing step to be performed, or may allow the export screening to proceed without performing an additional processing step.

The combination processing unit 13 can, in the additional processing step, allow the top administrator 31' to designate a person in charge of performing additional processing by selecting an add button in the list of additional processing persons, and if the additional processing person is designated, additional processing is performed. You can display a designated person in charge on the list of people in charge. In addition, the combination processing unit 13 may, in the additional processing step, allow the top administrator 31' to set whether to do additional processing by selecting a user option button on the additional processing step screen, and select the 'export screening' option. In this case, the screen can be displayed as ‘User Options: Export Review’, and when the export review option is selected, the screen can be displayed as ‘User Options: Additional Processing’.

In addition, the combination processing unit 13 controls the top level manager 31' to change to the additional processing state by selecting the additional processing button displayed on the additional processing step screen when additional processing needs to be performed due to an inappropriate decision in the export screening stage. can do.

If the combination processing unit 13 detects that the processor 32' has completed additional processing through the additional processing portal (i.e., web portal for additional pseudonym processing) in the additional processing step, it confirms the processing on the additional processing step screen. The status can be displayed, and if the top-level administrator (31') selects the processing confirmation button displayed at this time, it can be controlled to change the status to a status where additional export screening is possible.

The combination processing unit 13 performs the above-described mock combination step, information reception step, combination step, and additional processing step to combine processing for a plurality of combination target information corresponding to the registered project, based on the registered project. can be performed, and through this, a combined object corresponding to the registered project can be created and provided. Here, the combination processing may include mock combination, information reception, combination, and additional processing.

<Examination screening>

When the additional processing step is completed, the export management unit 14 performs an export screening step on the combined object provided by the combination processing unit 13 and then provides the export screening result to the application organization terminal. You can. At this time, the export screening step may be a three-step procedure.

Specifically, the export management unit 14 may allow the top level manager 31', who is in charge of combining pseudonym information, to designate a reviewer who performs the export screening and manage the export screening at the export screening stage. In particular, when the top level manager 31' first accesses the export review stage screen as shown in FIG. 12, the export management unit 14 fills out an export application form and designates an export review member. It is possible to ensure that export screening is carried out.

The export management unit 14 can enable the top-level manager 31' to fill out the export application when the export application form is written in the writing state. However, the combination applicant who only provides pseudonym information and the combination information within the combination specialized agency can do so. For those who only perform analysis in the analysis space, it is possible to avoid the need to fill out an export application form.

Here, the export application may be composed of four elements, including 1) export applicant, 2) combination type, 3) export outline, and 4) attached documents.

The export management unit 14 can control the top level manager 31' to create an export application form by entering the export applicant item, combination type item, export outline item, and attached document items.

Here, the export applicant item may include the name of the organization, business registration number or corporation registration number, representative name, address, person in charge, telephone number of the person in charge, and email address of the person in charge. Since the description of each item has been previously described, overlapping descriptions will be omitted below. The combination type item may include a repeat combination selection item, and the repetition combination selection item is an item for selecting whether to combine periodically/repeatedly, and may include a check box for selecting initial or additional.

Export overview items may include file name, export purpose, detailed export purpose, type of export information, method of receiving information, and support requests. Here, the file name is the name of the combination result file to be exported, and the purpose of export is the purpose of combining and using pseudonymized information, and can be prepared to select at least one of statistical compilation, scientific research, and public record preservation. The detailed export purpose refers to the detailed purpose (written in detail) of exporting the combined results, and the export information type is the type of combined result information to be exported, and can be prepared to select pseudonymized information or anonymous information. The method of receiving is an item that selects the method of providing the combined information to be exported, and can be arranged to select either online or offline, and an analysis space within a combined information agency. The support request is an item for entering a support request along with export, and may be prepared to select at least one of analysis of the exported information and personal information protection training.

Attached document items can be prepared so that the top-level administrator (31') can upload them by dividing them into basic documents and additional documents, and can be prepared so that basic documents and additional documents can be uploaded selectively. Basic documents may include documents related to information subject to export, documents supporting the purpose of export, and safety measure plan documents. Here, additional pseudonym processing is performed on documents related to information to be exported through the analysis space, so that they can be submitted only when the information to be exported is different from the pseudonym information to be combined that was originally submitted, and can be omitted if they are the same. Documents proving the purpose of export can be submitted only when the purpose of export is different from the original purpose of combination (need to review compatibility of purpose of combination and purpose of export), and can be omitted in cases where they are the same. The safety measure plan document may be prepared to submit data related to safety measures for exported information, such as personal information processing policy, internal management plan, and operating guidelines, and these may be required input items. Additional documents may refer to items that upload documents that need to be submitted in addition to the basic documents.

The export management unit 14 can control the status of the export application form to be changed from 'created' to 'view' when the top level manager 31' completes the preparation of the export application form, and can also control the status of the export application form to be changed from 'created' to 'view', and the person in charge of combining pseudonym information The top-level administrator 31' can view or modify the contents of the submitted export application as shown in FIG. 12.

In addition, the export management unit 14 can control the top level manager 31' to manage the examiners who will perform the export screening and monitor the export screening status. In relation to reviewer management, the export management department (14) allows the top level manager (31') to designate judges who will perform export reviews, and to designate as the head judge a judge who has been appointed as the head judge among the designated judges. It can be done.

In the export management unit 14, the top-level manager 31' selects the 'Add judge' button on the export review member addition screen, selects the judge who will perform the export review, and selects the 'Add' button to add the export judge. can be controlled to add, and in order to perform the export review, you can select the 'Start Review' button and designate the export review committee chairperson to start the export review by the export reviewer.

In addition, the export management unit 14 can control the top level manager 31' to manage the review status of each export review member and the comprehensive export review status according to the order (minimum, re-examination).

In relation to the management of the export screening status, the export management unit 14, as an example, as shown in the status confirmation screen during export screening shown in FIG. 12, the top manager 31', who is in charge of combining pseudonym information, performs the first export screening, for example. (1st round) The operation of the top administrator terminal (31) can be controlled to manage the status, and in the case of the first export review, the review status is displayed as 'under review', and the export reviewer (export review committee member) If the review is in progress, the review status can be displayed as 'under review' in the list for each export reviewer, and for export reviewers who have completed the export review, the written review opinion can be displayed.

The export management unit 14 can enable the top level manager 31' to check the evaluation contents of the export review member if, at the export review stage, the export review member selects inappropriate or conditional among the review items of the export review. In order to check the evaluation contents of the export review committee, you can select the 'Examination Items' button, and by selecting the review item button, you can check the detailed export screening results as shown in the export screening result confirmation screen shown in Figure 12. It can be made possible.

At this time, the status confirmation screen during export screening may include the number of screening rounds, screening status, overall opinion, start time, and end time. The number of rounds of review refers to the number of export reviews due to additional pseudonym processing, the review status refers to the current progress status of the export review, the comprehensive opinion refers to the final review opinion of the export review committee chairman, the start time refers to the start time of the export review, and the end time refers to the end time of the export review. can do.

At the export review stage, if an opinion is presented as inappropriate as a result of the export review, the export management unit 14 causes the review status to be displayed as 'negative' on the status confirmation screen during export screening or the export screening result confirmation screen, and displays the review status as 'negative' by the export review committee chairman. Comprehensive opinions can be controlled so that the top administrator (31') can check them, and if inappropriate, the person in charge of pseudonym processing (top administrator (31')) or combined information user can perform additional processing by selecting the 'additional processing' button. You can control it so that you can

In addition, the export management unit 14 may display the screening status as 'adequate' if additional processing is completed and the export screening is re-performed at the export screening stage and an opinion of 'appropriate' is obtained, and then the next step. The operation of the top administrator terminal (31) can be controlled to move to the export stage, and at this time, the top administrator (31'), who is in charge of combining pseudonym information, can check the export screening results of the previous round by selecting the order indicated in the screening order. It can be controlled so that

The export management unit 14 completes the combination when, as a result of performing an export screening on the combined object for which an export request has been made, the screening status corresponding to the plurality of export examiners who have performed the export screening is all detected as 'appropriate'. It is determined that the object meets the preset export acceptance criteria, and the export screening result corresponding to approval can be generated and provided to the application organization terminal 20. At the same time, the combined object can be sent to the application organization terminal 20. It can be provided.

In other words, if the export screening result is approved, the export management unit 14 can ensure that the combined object is provided (exported) to the application organization terminal 20. If the export screening is approved, the application organization terminal 20 then processes the combined object provided from the device 10 (i.e., the combined object exported from the device 10) according to the purpose of the combined application. can do.

<Export>

After the export review is completed by the export reviewer, the export management unit 14 may perform an export step to ensure that the combined object for which the export screening result is approved is exported. The export step may be a procedure performed in a three-step procedure.

The export management unit 14 can control the pseudonym information combination manager and the combined information user to download the combined object, which is the combined information, at the export stage. For example, the person in charge of combining pseudonym information may mean a top-level administrator (31'), and the user of combined information may mean a combination applicant (20') who has applied for combination or exported information.

The export management unit 14 can control the top-level manager 31' in the export stage to download and export the combined object, which is the combined information, and display the export status as 'complete' when the download is completed. there is.

<Complete>

When the export is completed (when the download is completed), the export management unit 14 can display on the screen that the performance of the pseudonym information combination task has been completed, and when the pseudonym information combination has reached the completion stage, the combination target information stored by upload and combination information along with combination key linkage information can all be controlled to be deleted.

By completing the above-described step 1 to step 3 procedures, the device 10 responds to the application submitted by the combination applicant 20', and performs and completes the combination processing for a plurality of combination target information in the application. You can.

The control unit 15 can display a dashboard screen as shown in FIG. 8 on the screen of the top administrator terminal 31', through which the top administrator 31' can view the step-by-step situation regarding pseudonym information combination, The combination target information, combination result status, pseudonym information combination status, etc. can be monitored through the dashboard screen.

At this time, the dashboard screen may include step-by-step monitoring items, target file monitoring items, and processing status monitoring items. The step-by-step monitoring item may refer to an item that displays information on monitoring work status (number of tasks) for each step of pseudonym information combination. The target file monitoring item may refer to an item that displays information on capacity monitoring regarding the combined target information for combining pseudonym information and the resulting file. The processing status monitoring item may refer to an item in which processing status monitoring information for each pseudonym information combination project is displayed. In other words, when a connection is detected from the application organization terminal 20 or the professional organization terminal 30, the control unit 15 in the device 10 monitors step-by-step monitoring information and target files in relation to pseudonym information combination and pseudonym processing. A dashboard screen where information and processing status monitoring information can be checked can be controlled to be displayed on the screen of the application organization terminal 20 or the specialized organization terminal 30 where the connection is detected.

In relation to the log management function, the control unit 15 of the device 10 allows the top administrator 31' to manage the authority management log, access management log, destruction management log, operation management log, and transmission management log. function can be provided. The control unit 15 can support the creation of accounts that require system access in relation to the authority management log and manage the management log, and can inquire information about the access of users who have accessed the system in relation to the access management log. In relation to the destruction management log, we can support you to search the destruction records for the original information and results used for pseudonymization. In addition, the control unit 15 can support inquiring the results of work performed by the user for pseudonymization in relation to the operation management log, and provides information on files transmitted and received from the system for pseudonymization in relation to the transmission management log. We can support you to check the results.

The combination applicant 20' can use this service by accessing the web portal for the applicant organization through the application organization terminal 20. In particular, the combination applicant (20') can perform the pseudonym information combination task through the web portal for the applicant organization. At this time, in order to perform the pseudonym information combination task, 1) combination application preparation stage, 2) mock combination stage, 3) The combined target information transmission step, 4) pseudonym information combining step, 5) additional pseudonym processing step, 6) export screening step, 7) combined information export, and 8) pseudonym information combination completion step can be performed. Below, the pseudonym information combining process from the perspective of the combination applicant (20') will be explained.

The application organization terminal 20 (i.e., the combination applicant 20') provides a URL so that it can access the application institution web portal (i.e., in other words, the combination applicant portal) from the specialized organization 300 or this device 10. The control unit 15 can control the operation (for example, screen display, etc.) of the applicant organization terminal 20, and the contents described for the combination applicant 20' in the present invention. The same can be applied to the description of the applicant organization terminal 20.

The control unit 15 may allow the combination applicant 20' to log in to the web portal for application organizations and check the status of the combination of pseudonym information corresponding to the application submitted to the professional organization 300 on the dashboard. The pseudonym information combination status can be prepared to inform the combination task processing status for each pseudonym information combination application, as shown in the dashboard of FIG. 13. In addition, in order to combine pseudonym information, the control unit 15 transmits (uploads, uploads) pseudonym information combination target information from the combination applicant 20', or receives combination information (i.e., combined object) when export approval is completed ( You can enable it (download, download).

< 1) Steps to fill out the combination application form >

When the combination applicant 20' applies for pseudonym information combination, the control unit 15 may control the combination applicant 20' to first fill out the combination application form in the combination application preparation stage screen 601. The combination application may be in the same form as shown in Figure 5 above, and as mentioned above, may be composed of five elements, including the combination applicant, combination summary, pseudonym information provider, combination information user, and attached documents. , Hereinafter, overlapping descriptions will be omitted. The control unit 15 may allow the combination applicant 20' to check the reason for rejection on the combination application preparation stage screen 601 when the submitted application (combination application) is rejected by the professional organization 300. .

< 2) Mock combination step>

After the preparation and submission of the combination application is completed, the control unit 15 can then allow the mock combination step to be performed, and if the combination applicant 20' applies for the mock combination in the combination application in the mock combination stage, the mock combination is performed. The status can be controlled to be checked on the mock combination step screen 602.

The mock combination steps are: 1) generation of combination key, 2) transmission of combination key, 3) combination of combination keys, 4) extraction of combination key, 5) reception of extracted combination key, 6) extraction of combination target information, 7) extracted combination target. It may include nine detailed steps, including information transmission, 8) combining the extracted combination target information, and 9) analyzing the results of the simulated combination. The task performance of each detailed step within the simulated combination step is shown in Figure 13 [Mock Combined]. As in [Detailed description of detailed steps], some detailed steps are performed by the combination applicant 20', and some of the remaining detailed steps are performed by the professional organization 300 (i.e., the professional organization terminal 30). It can be done.

In addition, combination information generated through a simulated combination can only be used in the analysis space of a combination specialist agency and may be arranged to prohibit export. Combination information generated through simulated combination may mean a simulated combined object that has completed the combination.

The control unit 15 causes the combination applicant 20' to generate a combination key for the combination target information to be combined with pseudonym information for mock combination and prepare a combination key file for mock combination consisting of only the combination key, and then prepares the prepared combination key file. The combination key file for mock combination can be transmitted to the professional organization terminal 30, and if there is a rejection by the professional organization 300, the combination key file can be controlled to be sent again after checking the reason for rejection, and the mock combination step screen ( At 602), control is possible so that the combination applicant 20' can check the transmission status of the combination key for mock combination. The combination applicant 20' can check the description of the transmission status of the combination key for mock combination on the mock combination stage screen 602, and there are four types of transmission status: ready to transmit, transmission completed, transmission rejected, and retransmission completed. It can be displayed as , ready to transmit is the ready state to transmit the binding key for mock combining, transmission completed is the combined key for mock combining transmission complete, transmission rejected is the rejected state of transmitting the combined key for mock combining, retransmission is completed is the combined key for mock combining This may mean key retransmission completion status.

The control unit 15 can control the combination applicant 20' to download the extracted combination key when the expert organization 300 completes extraction of the combination key for mock combination, and receive the extracted combination key for mock combination. You can control it so that you can check its status.

In addition, the control unit 15 may extract combination target information for mock combination from the original combination target information using the extracted combination key downloaded by the combination applicant 20' and then perform pseudonym processing, and perform pseudonym processing. The processed extracted combining target information can be controlled so that the transmission status of the extracted combined target information for mock combining can be checked.

Here, the transmission status of the extracted combination target information for mock combination can be prepared in three types, including ready for transmission, transmission completed, and waiting for processing, and the control unit 15 completes the mock combination in the waiting state for mock combination. Once the result information is generated, the combination applicant 20' can control the analysis to be performed in the analysis space of the professional organization 300. Here, preparation for transmission means waiting for transmission of the combination target information extracted for mock combination, transmission completion means transmission of combination target information extracted for mock combination has been completed, and waiting for processing means completion of transmission of combination target information extracted for mock combination. This may mean that the data is waiting for combination and analysis processing.

< 3) Combined target information transmission step>

When the mock combination step is completed, the control unit 15 can cause the combination target information transmission step to occur, and in the combination target information transmission step, the combination applicant 20' accesses the file transmission and reception system for combination applicants for the main combination. It can be controlled to transmit the combination target information and check the combination target information transmission screen 603 shown in FIG. 13, and an explanation of the transmission status of the combination key for mock combination is provided in the combination target information transmission screen 603. You can control it so that you can check it. At this time, the binding target information transmitted is for main binding and may be different from the binding target information extracted for the above-mentioned mock binding.

< 4) Step of combining pseudonym information >

When the pseudonym target information transmission step is completed, the control unit 15 may perform the pseudonym information combining step, and in the pseudonym information combining step, the combination applicant 20' may contact the professional organization 300 through the pseudonym information combining screen 604. It is possible to control the progress status while combining pseudonym information using the combination target information and combination key linkage information.

< 5) Additional pseudonym processing steps >

When the pseudonym information combining step is completed, the control unit 15 may perform an additional pseudonymization processing step, and in the additional pseudonymization processing step, the combination applicant 20' may re-apply personal information to the combined combined information (i.e., the combined object). If it is determined that there is a possibility of identification, additional processing can be performed, and the progress status can be checked on the additional pseudonym processing screen 605 while the professional organization 300 performs additional pseudonymization processing.

< 6) Export screening stage>

When the additional pseudonym processing step is completed, the control unit 15 can cause the export screening step to be performed, and if the combination applicant 20' wants to export the combined combined information (i.e., the combined object) in the export screening step, first You can control to fill out the export application form on the export screening screen 606. As mentioned above, the export application may be composed of four elements, including the export applicant, combination type, export outline, and attached documents, and since the explanation for this has been explained previously, redundant explanations will be omitted below.

When the export application form is completed by the combination applicant 20', the control unit 15 can control the export screening (export screening stage) to be carried out at the specialized agency 300, and the export is carried out according to the results of the export screening. Possibility can be determined.

< 7) Export of combined information >

When the export screening step is completed, the control unit 15 can then perform the combined information export step, and in the combined information export step, the combined information applicant 20' completes the export screening process (i.e., the export screening result is approved). It is possible to control the export of the derived combination completed object) through downloading, and also so that the combination applicant 20' can check the status of the combination information export on the combination information export screen 607 in FIG. 13. You can control it. At this time, the control unit 15 can control so that the combination applicant 20' can no longer download the combination information once the export is completed by downloading.

< 8) Complete step of combining pseudonym information >

In the combined information export step, once the combination applicant 20' completes the export of the combined object, which is combined information (pseudonym information combined information), the control unit 15 then sends the top level manager 31', who is in charge of a specialized organization, The project (pseudonym information combination project) can be finalized (completed), and through this, the pseudonym information combination work can be controlled to be completed. In the pseudonym information combination completion screen 608 in FIG. 13, the combination applicant 20' ) can be controlled to check the end sign of the pseudonym information combination task. In addition, the control unit 15 may control such that when the project is completed, all combination target information provided by the combination applicant 20' to the specialized organization 300 is deleted.

Meanwhile, the combination applicant 20' combines the pseudonym information using the combination target information provided to the professional organization 300 and the combination key linkage information provided by the data key management agency 400 (combined key management agency), and then adds Pseudonym processing can be performed. At this time, when performing additional pseudonymization processing, additional pseudonymization processing is performed by accessing the additional processing portal (i.e., web portal for additional pseudonymization processing) with the application agency terminal 20. It may be possible to perform work. In addition, the combination applicant (20') can perform additional pseudonym processing on the combined object if the professional organization (300) returns an inappropriate opinion during the export review, and may add an additional pseudonym using the web portal for additional pseudonym processing. Processing can be performed. Below, the process of performing additional pseudonym processing is explained in more detail.

For example, the combination applicant 20' performs additional pseudonym processing steps (i.e., additional processing steps) for the combined object, 1) project information confirmation step, 2) combination result setting step, 3) target selection step, 4) Risk review step, 5) Rule setting step, and 6) Additional processing step can be performed. Below, the process of performing the additional pseudonym processing step (additional processing step) from the perspective of the combination applicant 20' will be described. At this time, the additional pseudonymization step may be performed by the combination applicant 20' through control of the pseudonymization processing unit 16. That is, the pseudonymization processing unit 16 can perform an additional pseudonymization step on the combined object, and can control the additional pseudonymization step to be performed by the combination applicant 20'.

< 1) Project information confirmation step >

The combination applicant 20' can access the web portal for additional pseudonym processing using the application agency terminal 20 and perform additional pseudonym processing steps (tasks). When the combination applicant 20' has assigned additional pseudonymization processing to the combined information in the professional organization 300, the pseudonymization processing unit 16 displays the additional pseudonymization process on the additional pseudonymization list screen as shown in FIG. 14. You can control which projects to perform additional pseudonymization by selecting them. In the present invention, combination information may mean an object that has been combined.

The pseudonym processing processing unit 16 performs the pseudonym information combination in the specialized agency 300, and when the combination applicant 20' selects it in the additional processing stage, or due to an inappropriate opinion in the export screening stage, the specialized agency 300 performs the pseudonym information combination. When the person in charge of 300 (for example, the top administrator 31') operates, the additional processing project can be controlled to be automatically created on the web portal for additional pseudonym processing.

The combination applicant 20' can check the general registration details of the project corresponding to the combination information (combined object) to be additionally pseudonymized on the project information screen. Here, general registration information is project information and may include information such as project type, receipt number, description, destruction conditions, creator, creation date, changer, and change date.

< 2) Combination result setting step >

After performing the project information confirmation step, the pseudonym processing unit 16 sets the combined result as shown in FIG. 14, which is displayed on the screen when the combination applicant 20' clicks the 'Prepare for processing > Combined result settings' menu. On the screen, it is possible to check the number of attributes, number of records, and each attribute information for the combined information, and also use an alias for the attribute name of the combined information to be additionally pseudonymized so that the user (the combined applicant (20')) can understand it. It can be easily changed.

The pseudonym processing unit 16 may enable the combination applicant 20' to analyze each attribute information of the combination information by selecting the attribute analysis button in the combination result setting screen, and data of each attribute through attribute analysis. Types and statistical information can be analyzed in advance. In addition, the pseudonym processing unit 16 allows the combination applicant 20' to provide basic information (size, number of attributes, number of records) of the combined information collected through attribute analysis of the combined information as original information on the combined result setting screen. You can make it verifiable.

In addition, the combination result setting screen may include attribute information, and the pseudonym processing unit 16 may enable the combination applicant 20' to change the alias and data type for the attribute name of the loaded combination information. , 'Change' and 'Initialize' buttons are not displayed unless the alias and data type values are changed, and can be displayed on the screen when the alias and data type values are changed. In addition, the pseudonym processing unit 16 may allow the combination applicant 20' to change the attribute information by selecting the 'Change' button at the top after changing the alias and data type values, and the 'Reset' button. You can select to initialize the property information before completing the change. In addition, the pseudonymization processing unit 16 allows changing the 'data type' in the case of the 'analysis target' attribute for which 'whether to analyze' is selected on the attribute analysis attribute information screen, and for the 'data type' for which 'whether to analyze' is not selected. In this case, the 'data type' cannot be changed, but only the 'alias' can be controlled to be changed.

< 3) Target selection stage >

After performing the combined result setting step, the pseudonym processing progress unit 16 selects a target for performing additional pseudonym processing (i.e., a project subject to additional pseudonym processing) among the plurality of projects registered in the project DB 12. You can.

In addition, the pseudonymization processing unit 16 can perform preprocessing on the original data by deleting columns or merging columns for the attributes (columns) that the combination applicant 20' wants to additionally pseudonymize through the target selection menu. As shown in FIG. 14, it is possible to control the target properties to be provided while checking the data on the target selection screen. The pseudonym processing unit 16 can control the original to be changed and preprocessed after setting attribute deletion, attribute merging, and attribute value substitution on the target selection screen.

< 4) Risk review stage >

Once the target is selected in the target selection step, the pseudonym processing processing unit 16 can perform the risk review step, and in the risk review step, the combination applicant 20' can do so through the risk review menu in the additional processing step. In the risk review settings screen of Figure 14, it is possible to set the risk level for each item for the properties subject to pseudonymization, and for each property, it is possible to control the property type to be selected according to the risk level and the analyzed content to be input.

< 5) Rule setting step >

After the risk review step is performed, the pseudonym processing processing unit 16 can perform the rule setting step, and in the rule setting step, the combination applicant 20' sets the rule on the puncture processing rule setting screen of FIG. 14. It is possible to set rules, which are pseudonym processing techniques for each attribute, and for each attribute, you can set pseudonym processing rules by selecting the target attribute from the attribute information list and then selecting the 'Rule' button. In addition, the pseudonym processing unit 16 performs the pseudonym processing by selecting the 'Reset' or 'Initialize All' button when the combination applicant 20' wants to initialize the settings for individual or all attributes while performing rule setting. You can control how to initialize the rules. At this time, the rule setting method for performing pseudonymization (or additional pseudonymization) can be more easily understood through the ‘pseudonymization technique’ explained later.

In addition, the pseudonym processing unit 16 provides a rule setting screen for the application organization terminal 20 before performing pseudonym processing on the combined object provided by the combination processing unit 13, so that the combination applicant can By (20'), it is possible to control the setting of rules for pseudonym processing techniques for each attribute within the combined object.

In addition, in the rule setting step, the pseudonymization processing unit 16 selects the 'data statistics/analysis subject to pseudonym processing' tab included in the rule setting screen before the pseudonymization process is performed. By selecting the target property from the 'property information' list in the status, it is possible to check the statistics/analysis details for each property of the target for which pseudonymization (additional pseudonymization) is to be performed. Here, the statistics/analysis content may include a list and graph of class distribution along with basic descriptive statistical information.

< 6) Additional processing steps >

After the rule setting step is completed, the pseudonymization processing unit 16 may allow the additional processing step to be performed, and in the additional processing step, the original is processed using the pseudonymization rules previously set by the combination applicant 20'. You can control the pseudonymization of data. The pseudonymization processing unit 16 selects 'Apply privacy protection model' or 'Do not apply privacy protection model' depending on whether the combination applicant 20' applies the privacy protection model on the additional processing screen as shown in FIG. 15. When a privacy protection model is applied, each protection model can be set and controlled so that the combination applicant (20') can check the processing result after pseudonymization.

Regarding the application of the privacy protection model, the combination applicant 20' can apply the privacy protection model to maintain a level of personal information protection higher than pseudonymization so that the information subject's information is not inferred. The combination applicant (20') can apply the privacy protection model based on predefined criteria or the user's direct settings, and if a general pseudonymization level that does not require application of the privacy protection model is required, the privacy protection model is applied. You may not. The privacy protection model preset and privacy protection model direct setting shown in Figure 15 show a method of pseudonymization by applying the privacy protection model. When applying the privacy protection model, the combination applicant 20' may be able to set sensitive information for each attribute in relation to the l-diversity and t-proximity protection models.

Privacy protection models may include k-anonymity protection model, l-diversity protection model, and t-proximity protection model.

The k-anonymity protection model is a basic model for privacy protection. It ensures that at least k identical values exist in a given data set so that they cannot be easily combined with other information, and modifies part of the data set so that all records are It has k-1 or more records that are identical (indistinguishable) to itself, and the k value can consist of an integer of 2 or more.

The l-diversity protection model is a privacy protection model that complements the weaknesses of k-anonymity. Records that are de-identified together in a given data set must have at least l different sensitive information (in a homogeneous set), and the de-identification action process A homogeneous set is constructed to have sufficiently diverse (l or more) different sensitive information, and the l value is an integer of 2 or more and can be less than or equal to the k value.

The t-proximity protection model is a privacy model that considers the meaning of the value. The distribution of specific information in the homogeneous set and the distribution of information in the entire data set must show a difference of less than t, and the distribution of specific information in each homogeneous set is ' should not be too unusual compared to the distribution of the entire data set, and the t value can be composed of a real number between 0 and 1.

Regarding non-application of the privacy protection model, if pseudonymization (or additional pseudonymization) is desired without applying the privacy protection model, the combination applicant (20') selects non-application of the privacy protection model condition and then sets the level of pseudonymization for each attribute. You can set it yourself.

Pseudonym processing (additional pseudonym processing) result data may be displayed in one area of the additional processing performance screen. The pseudonymization result data can be displayed according to the 'Apply privacy protection model' and 'Not apply privacy protection model' options.

When applying the privacy protection model, the combination applicant 20' can check the results of pseudonymization by applying the privacy protection model, and can also check the results using matched data and mismatched data, respectively. In the matching data tab in the display area of pseudonymization result data, samples are displayed for results that satisfy the set privacy protection model level, and in the mismatched data tab, samples that do not satisfy the set privacy protection model level (i.e., unmatched data) are displayed. results) can be displayed.

If the privacy protection model is not applied and pseudonymization is performed, the combination applicant 20' may be able to check the pseudonymization result sample in the 'pseudonymization result data tab (i.e., display area of pseudonymization result data)'. In addition, through the 'Statistics/Analysis of Pseudonymization Results Tab', the applicant for the combination (20') can check the structure of the pseudonymized data through statistics and analysis of the results of the additional pseudonymization after additional pseudonymization. On the screen, the combination applicant (20') can check the presence of special information by checking the 'class distribution', and the class distribution list showing the class distribution provides the frequency, ratio, and cumulative ratio for each class to determine the presence of specific information. The existence of outliers may be confirmed by checking the distribution. In the present invention, additional pseudonymization may be alternatively referred to as pseudonymization, etc.

Meanwhile, a more detailed description of the pseudonymization technique considered in the present device 10 is as follows. The description of the pseudonym processing technique can be explained with the pseudonym processing rule setting screen previously described with reference to FIG. 14. Pseudonym processing techniques may be referred to differently by terms such as pseudonymization technology, processing technique (processing technology), etc.

As mentioned above, the pseudonymization processing unit 16 allows the combination applicant 20' to set rules for pseudonymizing the attribute values of the original data on the rule setting screen (pseudonymization rule setting screen) as shown in FIG. 14. You can set it. The combination applicant (20') can set pseudonym processing rules for all attribute types on the rule setting screen, and this can be said to support setting the personal information pseudonymization environment for each attribute according to various data use conditions. .

The pseudonymization processing unit 16 can support six technologies (i.e., deletion technique, statistical tool, generalization technique, encryption technique, randomization technique, and pseudonymization processing) and detailed techniques according to the pseudonymization technology in setting the pseudonymization rule. there is. Additionally, the pseudonym processing unit 16 can support the combination applicant 20' to conveniently use frequently used pseudonym processing rules through a favorites function.

The pseudonym processing unit 16 applies the pseudonym processing techniques shown in FIG. 16 (i.e., techniques such as deletion techniques, statistical tools, generalization techniques, etc.) when the combination applicant 20' wishes to perform additional pseudonym processing. By doing so, it is possible to control the pseudonymization of personal information for the object of pseudonymization (object that has been combined) for which pseudonymization (additional pseudonymization) is desired.

The pseudonym processing techniques used by the pseudonym processing unit 16 when performing pseudonym processing (additional pseudonym processing) are not limited to the techniques shown in FIG. 16, and include various pseudonym processing techniques that have been previously known or will be developed in the future. It may also apply.

Pseudonymization techniques (pseudonymization techniques, processing techniques) considered in the pseudonymization processing unit 16 include deletion techniques, statistical tools, generalization techniques, encryption tools, randomization techniques, pseudonymization techniques, etc., as shown in FIG. 16. This may be included. Here, the deletion technique may include detailed deletion, partial deletion, and masking techniques. Statistical tools may include totals and subtotals. Generalization techniques may include general rounding, random rounding, range methods, categorization, and top and bottom coding. Encryption tools may include two-way encryption, one-way encryption, and form-preserving encryption. Randomization techniques may include noise addition and permutation. Pseudonymization techniques may include tokenization and mapping tables. Dissection can include table separation and attribute value separation.

Among the 'deletion technique' processing technologies, the 'deletion' detailed technology may refer to a method of deleting the set attribute on a column-by-column basis from the target data set, and according to this, it can be removed from the original data after processing. Among the 'delete technique' processing technologies, the 'partial deletion' detailed technology is not a method of deleting the entire identification information, but a method of deleting part of the identification information, and can be widely used for numeric or character data. Among the 'deletion technique' processing techniques, the 'masking' detailed technique is a technique that replaces part or all of a specific item with a space or alternative character, and can be used interchangeably with the masking technique.

Among the 'statistical tool' processing technologies, the 'total processing' detailed technology is a method of converting the total or average value of all data into individual data values. If the entire data consists of individuals with similar characteristics, the representative of the data You may need to be careful because the value may expose information of a specific individual. In the total processing technique, any one of the items that can be input by the combination applicant 20' can be input, such as total, average, minimum, maximum, mode, and center. Among the 'statistical tool' processing technologies, the 'partial total' detailed technology is a method of totalizing only a certain portion of records rather than the entire data. Items with a larger error range compared to other data values can be converted by totalizing.

Among the 'generalization technique' processing techniques, the 'general rounding' detailed technique is a method of final aggregate processing by applying rounding to aggregated values, and can generally be used when overall statistical information is needed rather than detailed information. In the general rounding technique, items that can be entered by the combination applicant (20') may include type and number of digits, and in relation to the type, either rounding up or down can be selected, and in the case of the number of digits, the number of digits of the number to be rounded can be selected. there is.

Among the 'generalization technique' processing techniques, the 'random rounding' detailed technique is a technique that rounds up or down numerical data for identifiable information to an arbitrary number, and totals the highly sensitive information by processing it as a representative value. It may be similar to the rounding method of . In random rounding, the combination applicant (20') may be able to select the number of digits of the number to be rounded in relation to the digit item.

Among the 'generalization technique' processing techniques, the 'range method' detailed technique is a technique for setting numerical data for identifiable information into a range based on an arbitrary number, and can be expressed as a range or interval of the value, illustratively, To display age by section, such as 5 sections or 10 sections, you can enter 5 and 10 and then add them. For section settings, only numbers can be entered, and additions and deletions can be made. In relation to the range method technique, items that can be entered by the combination applicant 20' may include range, minimum value display, maximum value display, and interval standard. Here, the minimum and maximum values of the entire data can be entered as the range. Minimum value display may indicate the minimum value below a certain value for small information that is judged to be unique information and may mean bottom coding. Maximum value display may indicate the maximum value above a certain value for large pieces of information that are judged to be unique information, and may mean top coding. The interval standard can be set at regular intervals or random intervals. Constant interval means that the range is set at regular intervals according to the settings, and random interval means that the range is set (method) according to the section selected by the user. can do. If the user specifies the range at random intervals using the range method, the interval standard can be set on the range method technique (random interval) setting screen. When using the random interval, each range is specified and the alias to be displayed after conversion is combined to the applicant ( 20') may be inputable.

Among the 'generalization technique' processing techniques, the 'categorization' detailed technique is a generalization method for character data, and can be one-to-one replacement or many-to-one replacement for nominal data. In categorization, a default item may refer to a replacement value if there are no other settings, an original item may refer to an original value to be replaced, and a variant item may refer to a result value to be replaced.

Among the 'encryption tool' processing technologies, the 'two-way encryption' detailed technology is a method of replacing personal information by encrypting it by applying an algorithm of certain rules when processing information. It usually has a decryption key to enable decryption again, so it has security. Measures may be needed. Among the items that can be entered in relation to two-way encryption, the encoding item refers to the encoding method for the encrypted result, the algorithm refers to the two-way encryption algorithm, and the input value may refer to the encryption key to be used for two-way encryption.

Regarding the detailed technology of 'one-way encryption' among the 'encryption tool' processing technologies, using one-way encryption not only completely removes the identity of personal information, but also makes decryption fundamentally impossible in theory, making it safer and more effective than two-way encryption. This may be a pseudonym processing technique. In relation to one-way encryption, items that the combination applicant 20' can input may include algorithm, encoding, input value, and input value location. Here, the algorithm can be selected as one of SHA224/SHA256/SHA384/SHA512, the encoding is an encoding method for the encrypted result, and can be selected as Hexa or Base64, and the input value is the noise value to be used for one-way encryption. You can input the position of the input value, and you can enter the position containing the noise value.

Among the 'encryption tool' processing technologies, the 'form-preserving encryption' detailed technology may refer to an algorithm that can be used when it is necessary to apply an encryption technique that maintains the form of the original data.

Among the 'randomization technique' processing technologies, the 'noise addition' detailed technology is a method of adding noise, such as random numbers, to personally identifiable information. Noise is added within the range of the specified mean and variance, thereby reducing the usefulness of the original data. However, since the noise value is unrelated to the data value, it may be difficult to use it as valid data, and noise may be added to the original numerical data by adding, subtracting, multiplying, dividing, and remaining values. Among the 'randomization technique' processing technologies, the 'permutation' detailed technology is a method of rearranging data so that individuals are not identified while maintaining existing information values, mixing personal information with other people's information without damaging the overall information. It can refer to a way to prevent certain information from being linked to that individual.

Among the 'pseudonymization technique' processing technologies, the 'tokenization' detailed technology is a method of hiding detailed personal information by replacing the values corresponding to the identifier with a few set rules or processing it according to human judgment, taking into account the distribution of the identifier or Because all data is processed in the same way without prior analysis of the collected data, users can easily understand and utilize it. When setting tokenization rules, the values corresponding to the identifier can be automatically generated and replaced with random values, or the user can directly enter the replacement value to hide personal information. Among the 'pseudonymization technique' processing technologies, the 'mapping table' detailed technology can use a mapping table technique using a mapping table, which is mapping information for attribute values, as a pseudonym processing technology.

The pseudonymization processing unit 16 may enable the combination applicant 20' to pseudonymize personal information by selectively applying pseudonymization technology to each attribute subject to additional pseudonymization. At this time, pseudonymization is not performed in dependence on a specific pseudonymization technology, and pseudonymization technology can be applied depending on the situation of the data itself and the situation in which the data is used, so that the pseudonym information created through pseudonymization can be used safely.

The pseudonymization processing unit 16 may, in principle, delete attributes classified as identification information from the original data containing personal information when performing pseudonymization processing on the subject of pseudonymization. However, When generating a combination key, etc., appropriate safety measures can be taken and made available. Illustratively, the pseudonym processing unit 16 collects i) unique identification information such as resident registration number, driver's license number, passport number, and alien registration number within the pseudonym processing target (i.e., the combined object subject to additional pseudonym processing). As an exception, at least one pseudonymization technology among encryption, tokenization, mapping table, partial deletion, and masking is applied, and ii) pseudonymization technology is applied to each of the serial number, customer number, account number, and card number. By applying encryption as , iii) applying masking pseudonymization technology to names, and iv) applying partial deletion pseudonymization technology to addresses, pseudonyms are created by applying different pseudonymization technologies for each attribute of the subject of pseudonymization. Processing can be performed.

Additionally, the subject of pseudonymization may include identifiable information, which is information that can be used to infer an individual through connections between attributes. In the case of identifiable information, it is often not necessary for analysis, and in this case, deletion may be recommended. In addition, some of the identifiable information may have unusual values, raising concerns about infringement on the privacy of the information subject, so safe protection measures may be necessary through pseudonym processing. Accordingly, the pseudonymization processing unit 16 can apply pseudonymization technology to identifiable information, and adjusts the intensity of application of pseudonymization technology appropriately according to the situation of the data itself and the data use situation, thereby performing pseudonymization processing. It can be done. Identifiable information may include, for example, age, date, amount of money, gender, grade, education, disease name, height, weight, blood type, religion, occupation, race, and nationality.

For example, in the case of the 'age' attribute in the subject of pseudonymization, the pseudonymization processing unit 16 applies the range method pseudonymization technology so that, for example, in the case of 36, it is pseudonymized as '35-39', or 'age' In the case of attributes, by applying top and bottom coding pseudonymization technology, for example, if 71 is pseudonymized as '65 or more'. In addition, the pseudonym processing unit 16, for example, applies a partial deletion pseudonym processing technology in the case of the 'date' attribute in the pseudonym processing target, so that '2022-08-30' is pseudonymized as '2022-08'. It can be done as much as possible.

In addition, the pseudonymization processing unit 16 can enable pseudonymization techniques such as general rounding, random rounding, and total processing to be applied in the case of the 'amount' attribute within the pseudonymization target. Accordingly, for example, in the case of 12345678, 12350000 It can be pseudonymized. In addition, the pseudonymization processing unit 16 can apply categorization pseudonymization technology to the 'grade' attribute within the pseudonymization target, and accordingly, for example, '1, 2, 3' is changed to 'high', and ' '4,5,6' can be anonymized as 'medium', and '7,8,9' can be anonymized as 'low'. In addition, the pseudonymization processing unit 16 can apply categorization pseudonymization technology in relation to the 'educational background' attribute of the subject of pseudonymization, and accordingly, for example, in the case of 'elementary/middle/high school', 'elementary, middle and high school', and 'college graduate' In the case of ‘/graduate school graduate’, the name can be changed to ‘college graduate or higher’.

In addition, the pseudonymization processing unit 16 can apply categorization pseudonymization technology to each of the 'disease name' attribute, 'religion attribute', 'occupation' attribute, 'race' attribute, and 'nationality' attribute in the pseudonymization target. Accordingly, for example, in relation to the name of the disease, 'stomach cancer, gastric ulcer' is pseudonymized as 'stomach-related disease', in relation to religion, 'religion, Catholicism' is pseudonymized as 'Christianity', and in relation to nationality, 'Korean' ' can be treated as a domestic person, and 'other' can be treated as a foreigner.

In addition, the pseudonymization processing unit 16 can apply the range method or the pseudonymization technology of upper and lower coding to the 'height' attribute and the 'weight' attribute in the pseudonymization target, and accordingly, for example, in the case of height, 173 can be pseudonymized as '170s', and in relation to weight, 66 can be pseudonymized as '65~69'. In addition, the pseudonymization processing unit 16 can apply categorization or replacement processing to the 'blood type' attribute in the pseudonymization target, for example, by replacing 'blood type A with 1' and 'blood type B with 2'. It can be anonymized.

In addition, the control unit 15 operates the analysis portal provided by the device 10 to analyze combination information (mock combination, real combination) in the analysis space provided by the combination applicant 20' to the professional organization 300. You can use to control so that the relevant combined information required for analysis can be downloaded. The analysis portal may be prepared to support the function of downloading files or uploading analysis results required for analysis of the combined information generated in the combined system, however, the analysis portal can only be accessed from a PC provided in the analysis space of the professional organization 300. Arrangements can be made to make this possible.

When the control unit 15 detects that the applicant organization terminal 20 has accessed the analysis portal, the control unit 15 provides a combination information (mock combination) analysis support screen, and on the combination information (mock combination) analysis support screen, the combination applicant ( 20') If you choose to perform a mock combination when filling out the application for combination, the person in charge of the combination agency can control it so that it can be downloaded from the analysis portal once the mock combination is completed.

In addition, the control unit 15 can provide a combined information (pseudonymized information combined) analysis support screen, and when the combined information (pseudonymized information combined) analysis support screen is created by the combined information applicant 20', the combined information (pseudonymized information combined) analysis support screen is combined in the analysis space. If you choose to perform information analysis, the top level manager (31'), who is in charge of the combination agency, can control the pseudonym information to be downloaded from the analysis portal once the pseudonym information combination is completed. At this time, the combined information used for analysis in the analysis space cannot be exported, and only the analysis results can be exported through the combined information. Accordingly, the combination applicant 20' may be able to upload the combination information analysis result file from the analysis portal and download the analysis result file from the portal for combination applicants (i.e., web portal for applicant organizations).

Meanwhile, the export management department 14 has an export reviewer (export review committee member), one of the evaluators 33', conduct an export review for the combination of pseudonym information (i.e., perform an export review on the combined object) by a specialized organization ( By accessing the export screening portal, which is a portal corresponding to the export screening system of 300), it is possible to control the export screening work for the combined object. Here, the export review portal may refer to a web portal for appropriateness evaluation, which is a portal dedicated to the evaluator 33' who conducts an appropriateness evaluation (review) or export review.

For example, in order to perform an export screening for a combined object (i.e., carrying out the export screening stage), the export auditor performs the following steps: 1) project information confirmation stage, 2) item-specific evaluation stage, and 3) export screening opinion writing stage. can do. Below, the export screening stage is explained in more detail.

< 1) Project information confirmation step >

In order to perform the export review, the export management unit 14 logs in to the export review portal (i.e., web portal for suitability evaluation) and lists the export review list assigned to the export reviewer as shown in FIG. 17. It can be checked on the same dashboard, and the export review status of each combined information can be displayed on the dashboard, and the export examiner can apply for export for the export review of the combined result (i.e., the combined object for which the combined processing has been completed). The operation of the export examiner terminal (not shown), which is a terminal possessed by the export examiner, can be controlled so that the list of application organizations 200, which are one of the combined application organizations, can be checked and the export screening can be performed.

The export management unit 14 allows the export reviewer to check information about the pseudonym information combination project on which the export review will be performed (i.e., the project corresponding to the combined object for which the export review is to be performed) on the project information screen of FIG. 17. You can. The project information screen can be arranged to provide functions such as confirmation of combined information, confirmation of application form, and confirmation of export screening status.

Regarding confirmation of combined information, the export management unit 14 can control the export reviewer to check the combined information directly or in a summarized form provided by the system on the project information screen. In addition, the export management unit 14 allows the top level manager 31', who is in charge of the combination specialized agency, to 'remote access download' so that the export examiner can download the combined information from a remote location, such as a location other than the specialized organization 300. In this case, it can be controlled so that an export examiner who is allowed to download via remote access can download the combined information and perform the analysis directly.

In addition, the export management unit 14 can provide a combined information summary screen that displays summary information about the combined information on the project information screen, and when 'property details' is selected on the combined information summary screen and the 'View' button is selected, You can control statistical analysis of specific attribute information of combined information through the combined information attribute information statistical analysis screen.

In addition, the export management department 14 can control the export reviewer to check the contents of the project currently under export review, including the number of rounds of review, head of the review committee, review start date, and review end date. , it can be controlled to check the review status and review comprehensive opinion.

In addition, the export management unit 14 can enable the export evaluator to check the previously registered application (combined application) for the project on the project information screen, and also enable the export evaluator to check the already registered export application. You can. At this time, the explanation for each of the combination application form and export application form has been explained in detail previously, so overlapping explanations will be omitted below.

< 2) Evaluation stage for each item >

After the project information confirmation step is performed, the export management department 14 can then perform an evaluation step for each item, and when the export examiner performs an export review in the item evaluation step, an evaluation for each item as shown in FIG. 17 is performed. After checking each export screening evaluation item on the screen, the operation of the export reviewer terminal can be controlled to make a judgment on export suitability and input the judgment value. At this time, the judgment on the appropriateness of export may be judged as one of the following values: 'appropriate', 'conditional', and 'unsuitable'.

Here, the evaluation items may include unconfirmed, appropriate, conditional, and inappropriate. Unconfirmed is an item selected when the export reviewer does not confirm the export screening evaluation item, and appropriate is an item selected when the export screening evaluation item is not confirmed. An item is selected when the reviewer determines it to be appropriate, and a conditional is an item that is selected when the export reviewer needs to confirm some contents of the export review evaluation item and judges it to be conditionally appropriate, and an inappropriate is an item that is selected when the export review evaluation item is deemed appropriate. This may be an item selected by the reviewer if it is judged to be a talisman.

In addition, the export management unit 14 provides pre-defined prior evaluation items to the export evaluator terminal through the pre-evaluation tab in the evaluation screen for each item, so that the export evaluator can re-identify personal information with respect to the pre-defined pre-evaluation items. You can control it so that you can select the judgment result after checking the risk. In addition, the export management unit 14 provides predefined re-identification evaluation items through the re-identification evaluation tab in the evaluation screen for each item, so that the export reviewer checks the risk of re-identification to personal information for the re-identification evaluation items and makes a decision. You have control over choosing the outcome. In addition, the export management unit 14 provides predefined data evaluation items to the export evaluator terminal through the data evaluation tab in the evaluation screen for each item, thereby exposing the export evaluator to the risk of re-identification of personal information with respect to the predefined data evaluation items. After checking, you can control to select the judgment result.

< 3) Export review opinion writing stage >

Once the evaluation is completed on the evaluation screen for each item, the export management department 14 can control the export review opinion writing step to be performed. At this time, in the export review opinion writing step, the export reviewer checks the project information and each evaluation item and then provides an opinion. You can control it so that it can be written, and it can also be controlled so that the chairman of the export review committee can write a final opinion on behalf of the export reviewer (export review committee member).

In addition, on the evaluation result confirmation screen for each item shown in Figure 17, the export management unit 14, if the export reviewer determines that the export screening evaluation item is 'conditional' or 'unsuitable', selects the item to write an export screening opinion. You can make it possible to check detailed opinions.

The export management department 14 can control the export reviewer to submit the export review result by selecting one of 'appropriate', 'conditional', and 'unsuitable' according to the evaluation result after writing the final opinion.

In addition, the export management department 14 activates the 'View final opinions of other evaluators' button so that when all export reviewers, including the chairman of the export review committee, complete submission of evaluation opinions, they can check the final opinions of other evaluators. Control can be performed.

The export management unit 14 can ensure that the export review is performed by performing the above-described 1) project information confirmation step, 2) item-specific evaluation step, and 3) export review opinion writing step. After performing the export review, the export management department 14 generates a export screening result corresponding to approval if it is determined that the combined object meets the preset export acceptance criteria based on the results of the export screening by the export inspector. It can be provided to the application organization terminal 20, and through this, the application organization terminal 20 can take the combined object out to the outside.

Meanwhile, the adequacy review progress unit 17: i) When an application (e.g., an application for combining information sets) is received from the application agency terminal 20, the information set (i.e., information to be combined) included in the received application is an information set adequacy evaluation step that evaluates the adequacy of, and ii) reviewing the adequacy of the combined object (i.e., pseudonymized combined object) pseudonymized (anonymized) by the pseudonymization processing unit 16 ( The appropriateness evaluation step of pseudonymization can be controlled to be performed by an appropriateness reviewer within the evaluator 33'.

The adequacy review progress department (17) performs adequacy evaluation tasks (i.e., adequacy evaluation tasks for information sets and adequacy evaluation tasks for pseudonym processing) by allowing the adequacy reviewer to access the web portal for appropriateness evaluation through the adequacy reviewer terminal. It can be controlled to make it possible. In other words, the appropriateness reviewer can perform the information collection appropriateness evaluation step and the pseudonym processing appropriateness evaluation step.

The information collection adequacy evaluation step may include 1) project information confirmation step, 2) item-specific evaluation step, and 3) adequacy evaluation opinion writing step. In addition, the pseudonymization adequacy evaluation step may include 1) a pseudonymization adequacy evaluation project information confirmation step, 2) a pseudonymization adequacy evaluation item-specific evaluation step, and 3) a pseudonymization adequacy evaluation opinion writing step. A detailed description of each step is as follows.

[[Information collection adequacy evaluation stage]]

< 1) Project information confirmation step >

In the adequacy review progress unit 17, an adequacy reviewer, one of the evaluators 33', accesses the adequacy assessment web portal for adequacy assessment (review) of information collection combination (i.e., combined objects) and pseudonym processing. By doing so, it can be controlled so that the adequacy evaluation work can be performed. In the present invention, evaluation may be referred to differently by terms such as review. In the following description, the information set may refer to a combined object provided by the combined processing unit 13. Additionally, the adequacy reviewer may be referred to by other terms such as adequacy evaluation committee member.

The adequacy review progress unit 17 can enable the adequacy reviewer to check the information set adequacy evaluation list assigned to him or her on the information set adequacy evaluation dashboard on the adequacy evaluation web portal, and the information set adequacy evaluation dashboard. The board can provide information regarding the adequacy evaluation status for each information set. In addition, the adequacy review progress department (17) checks the list of the combination applicant (20'), which is the combination requesting organization that the adequacy reviewer applied for export, in order to evaluate the adequacy of the information collection, and controls it so that the adequacy evaluation task can be performed. You can.

The adequacy review progress unit 17 allows the adequacy reviewer to check information about the project to perform the adequacy assessment (i.e., information collection adequacy evaluation project) through the project information screen at the project information confirmation stage, and at this time, The project information screen can provide functions related to confirmation of combined information, confirmation of application, and confirmation of evaluation status. In addition, the adequacy review progress unit 17 may enable the adequacy reviewer to check and download the combined result information, check summary information of the combined result information, and check statistical analysis information on the attribute information of the combined result information. .

In addition, the adequacy review progress department 17 can enable the adequacy reviewer to check the application for combining information sets among the applications, and the application for combining information sets includes 1) combination overview, 2) combination requesting agency, and 3) information set. It may consist of four elements, including water user agency, and 4) attached documents.

Here, 1) the combination outline may include information on application type, purpose of combination, summary of main contents of information collection, processing level, purpose of use, combination key processing method, application for additional procedures, use of analysis space, and other matters. there is. Here, the application type is the type of the combination applicant participating in the information collection combination, and can be entered as any one of data provision, data use, and data provision and use. The purpose of combination may be an item that specifically states the purpose of applying for information collection combination. The main content summary of the information collection may be an item in which a brief description of the main content of the combined data is written. The level of processing is the form of provision of the final calculated combined data, which can be input as pseudonymization (additional information, purpose of use, deletion of combination key) or anonymization. The purpose of use is an item to select the purpose of use, and can be entered as one of the following: statistical compilation (including commercial purposes), research (including industrial research), and public record preservation. The combination key processing method can be selected depending on the periodic/repeated combination request, and can be selected as deletion or replacement (periodic combination request when replacement is selected). The application for additional procedures is an item requesting support for combining additional information sets and can be entered as an extract. The use of analysis space is an item selected when using the analysis space within a specialized institution, and can be entered as use. Other information may be additional information required to fill out the application form.

2) The organization requesting the combination may include the number of organizations requesting the combination, name of the organization, person in charge, department in charge, phone number, email address, and location. Here, the number of combination requesting organizations is the number of combining requesting organizations participating in the information collection combination and can be entered as at least 2. The organization name refers to the name of the organization requesting the combination, and in the present invention, the requesting organization for the combination may refer to the applicant organization 200. The person in charge refers to the name and title of the person in charge of the organization requesting the combination, the department in charge is the department in charge of the organization requesting the combination, the phone number is the phone number of the person in charge of the organization requesting the combination, the email address is the email address of the person in charge of the organization requesting the combination, and the location is the email address of the person requesting the combination. It may refer to the location address of the institution.

3) Organizations using the information collection may include the number of organizations using the information collection, name of the organization, person in charge, department in charge, phone number, email address, and location. Here, the number of organizations using the information collection may refer to the number of organizations using the results of combining the information collection. The name of the organization is the name of the organization using the information collection, the person in charge is the name and title of the person in charge of the organization using the information collection, the department in charge is the department in charge of the organization using the information collection, the phone number is the phone number of the person in charge of the organization using the information collection, and the email address is information. The email address and location of the person in charge of the organization using the information collection may refer to the address of the location of the organization using the information collection. The organization using the information collection may be, for example, the applicant organization 200, or it may be an organization different from the applicant organization 200.

4) Attached documents may include information collection specifications, combination request agency consent, information collection user organization information, and additional documents. Here, in the case of data provision, the information set specification refers to a document regarding the information set to be combined, and may mean a data specification, etc., or may be a document provided by a providing organization. The consent form for the combination requesting institution may be a document provided by the requesting institution (e.g., the applicant institution 200) as the consent form for the combination requesting institution. The information on the information collection user organization is a document proving that the information collection request organization is applying for the combination of the information collection, and may include a business registration certificate, a certified copy of the corporate register, etc., and this may be a document provided by the user organization. Additional documents may refer to documents that need to be submitted in addition to the above-mentioned information collection specification, combination request agency consent form, and information collection user agency information.

< 2) Evaluation stage for each item >

After the project information confirmation step is performed, the adequacy review progress unit 17 performs the subsequent item-specific evaluation step through the adequacy reviewer terminal (i.e., the evaluator terminal 33 held by the evaluator 33'). )) can be controlled to be performed.

The adequacy review progress unit 17 may have the adequacy reviewer determine 'appropriate', 'conditional', and 'unsuitable' after checking each evaluation item in the item-by-item evaluation stage, which was previously described for each item in FIG. 17. Since it can be understood as the same or similar to the content explained in the evaluation screen, redundant explanation will be omitted below.

While the item-by-item evaluation in the item-by-item evaluation stage conducted in the adequacy review progress unit 17 is performed by the appropriateness reviewer, the item-by-item evaluation on the item-by-item evaluation screen as shown in FIG. 17 is exported. The only difference is that it is performed by an evaluator (i.e., the entity performing the evaluation is different), and the descriptions of the evaluation method, process, etc. can be understood as the same or similar to each other, so detailed explanations will be omitted below. do.

< 3) Adequacy evaluation opinion writing stage >

Just as the export reviewer previously performed preliminary evaluation, re-identification evaluation, data evaluation, and writing of export review opinions on the evaluation result confirmation screen for each item in Figure 17, the appropriateness reviewer evaluates each item by accessing the web portal for appropriateness evaluation. On the result confirmation screen, you can perform preliminary evaluation, re-identification evaluation, data evaluation, and write an opinion on adequacy evaluation.

In relation to writing an adequacy evaluation opinion, the adequacy review progress department (17) allows the adequacy reviewer to write an opinion after checking the project information and each evaluation item, and in the case of the user appointed as the chair of the adequacy evaluation committee, the adequacy evaluation committee member is represented. This allows you to control the final comprehensive opinion.

[[Pseudonym processing appropriateness evaluation stage]]

As mentioned above, the pseudonymization adequacy evaluation step may include 1) a pseudonymization adequacy evaluation project information confirmation step, 2) a pseudonymization adequacy evaluation item-specific evaluation step, and 3) a pseudonymization adequacy evaluation opinion writing step.

Here, the pseudonymization adequacy evaluation step is different from the information set adequacy evaluation step described above in that the object for which the adequacy is evaluated is different (i.e., in the information set adequacy evaluation step, the information set included in the application is The only difference between them is that the evaluation is performed on the adequacy of the pseudonymization process, and in the pseudonymization adequacy evaluation stage, the evaluation is performed on the combined object that has been pseudonymized by the pseudonymization processing unit 16. The process, method, etc. may be the same or similar to each other. Therefore, redundant description will be omitted below.

The adequacy review progress unit 17 may perform an adequacy review (evaluation) on the pseudonymized combined object provided by the pseudonym process process unit 16. Afterwards, if the export management unit 14 determines (evaluates) that the pseudonymized combined object satisfies the preset adequacy level (adequacy satisfaction standard) as a result of the adequacy review conducted by the adequacy review progress unit 17, By providing (transmitting) the pseudonymized combined object that meets a preset appropriateness level to the applicant organization terminal 20, the applicant organization terminal 20 can enable the pseudonymized combined object to be taken out to the outside.

As described above, the present invention not only provides a solution for combining pseudonym information through the provision of the present system 100 and the present device 10, but also provides pseudonymization processing by performing pseudonymization processing by the pseudonymization processing unit 16. We can also provide solutions.

This system 100 improves safety, efficiency, and performance compared to conventional data processing technology when the professional organization 300 performs data combining (particularly, combining pseudonymized information or combining information sets), It can help with data processing (especially combining pseudonymized information) so that the data can be processed into a safe form and used more effectively.

In addition, this system 100 provides this solution (Nphi), so that when performing tasks related to pseudonymization or data combination processing of data at a data combination specialized organization (i.e., specialized organization 300), We provide (support) work convenience, and through this, data combination agencies (data specialized agencies) that specialize in data combination or companies/organizations that develop big data and my data businesses safely process and utilize (use) data. You can do it.

In addition, this system 100 provides this solution, so that the professional organization 300 complies with the Personal Information Protection Act when performing combined processing on the combined target information (pseudonymized information to be combined) corresponding to pseudonymized information or information aggregates. and the work of the specialized agency (300) (combined processing work) to ensure that combined information can be combined and processed more safely and efficiently while complying with the restrictions in the Credit Information Act (especially restrictions related to combining pseudonymized information or information aggregates) ) can be supported.

In addition, by providing this solution, this system 100 can pseudonymise (anonymize) personal information, and process personal information as pseudonymized information (anonymous information) so that data can be safely used without the consent of the information subject. Support is available. In addition, by providing this solution, this system 100 performs pseudonymization (additional pseudonymization) in accordance with pseudonymization (anonymization)-related institutions and technical standards (e.g., statistical tools/encryption). We support safe use of data by providing tools / deletion technology / generalization technology / pseudonymization technology / randomization technology, etc.) and support the creation of various business opportunities while protecting personal information in a big data environment. Pseudonym processing can be performed with improved safety, efficiency, and performance compared to big data processing technology.

In addition, by providing this solution, this system 100 provides the best pseudonym processing solution and pseudonym information combination solution required by the customer company so that the customer service agency (300) can respond more flexibly to the data market that is changing due to diversification. It can be provided, and any user can easily and conveniently perform pseudonymization in a variety of ways by applying different pseudonymization techniques to each attribute in the object to be pseudonymized according to his or her wishes. Through this, the original information subject to pseudonymization can be obtained. Through the effective performance (progress) of pseudonymization on aggregates (i.e., personal information), it is possible to derive the pseudonymization result desired by the user (the user performing the pseudonymization).

Below, based on the details described above, we will briefly look at the operation flow of the present invention.

Figure 18 is an operation flowchart of a method for providing a pseudonym information combination solution according to an embodiment of the present invention.

The method of providing a pseudonym information combination solution shown in FIG. 18 can be performed by the device 10 described above. Therefore, even if the content is omitted below, the content described with respect to the device 10 can be equally applied to the explanation of the method of providing a solution for combining pseudonym information.

Referring to FIG. 18, in step S11, when an application is received from an application agency terminal, the project management unit may review the application and register and manage the project corresponding to the application in the project DB 12.

Next, in step S12, the combining processing unit 13 performs combining processing on a plurality of combining target information (i.e., two combining target pseudonym information) corresponding to the project, based on the project registered in step S11, thereby performing combining. Completed objects can be created and provided.

Next, in step S13, if an export request is made from the application agency terminal, the export management unit 14 performs an export screening for the combined object provided in step S12 and then provides the export screening result to the application agency terminal. .

Next, in step S14, the control unit 15 can control the operation of the application organization terminal, the specialized organization terminal, and each unit within the device 10.

In the above description, steps S11 to S14 may be further divided into additional steps or combined into fewer steps, depending on the implementation of the present invention. Additionally, some steps may be omitted or the order between steps may be changed as needed.

The method of providing a solution for combining pseudonym information according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and constructed for the present invention or may be known and usable by those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

Additionally, the method of providing a solution for combining pseudonym information described above may also be implemented in the form of a computer program or application executed by a computer stored in a recording medium.

The description of the present invention described above is for illustrative purposes, and those skilled in the art will understand that the present invention can be easily modified into other specific forms without changing the technical idea or essential features of the present invention. will be. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive. For example, each component described as unitary may be implemented in a distributed manner, and similarly, components described as distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the claims described below rather than the detailed description above, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be construed as being included in the scope of the present invention. do.

Claims (8)

An application agency terminal owned by the combination applicant who submits an application for combining pseudonym information and receives and confirms the combined object;
A specialized agency terminal owned by the merger party that performs combination processing, pseudonym processing, appropriateness evaluation, and export screening for the pseudonym information subject to the combination based on the received application; and
A pseudonym information combination and pseudonym processing solution providing device that provides a pseudonym information combination solution to support the work of professional organizations performing pseudonym information combination work based on the above application,
Including,
The device for combining pseudonym information and providing a pseudonym processing solution,
A combining processing unit that generates and provides a combined object by performing combining processing on a plurality of combined target information based on the registered project; and
It includes a pseudonymization processing unit that performs pseudonymization on the combined object,
The pseudonym processing section is,
Before performing pseudonymization, a rule setting screen is provided to control the setting of rules for pseudonymization techniques for each attribute in the combined object,
After the rule setting step is completed, the additional processing step is performed, but in the additional processing step, the original data is controlled to be pseudonymized using the pseudonym processing rules previously set by the combination applicant.
On the additional processing screen, the combination applicant can select to apply the privacy protection model or not apply the privacy protection model depending on whether the privacy protection model is applied. If the privacy protection model is applied, each protection model is set and the processing result is processed after pseudonymization. Control so that the combination applicant can confirm,
Regarding the application of the privacy protection model, in order to maintain a level of personal information protection that prevents the information subject's information from being inferred, the combination applicant can apply the privacy protection model. However, if a general pseudonymization level is necessary, the privacy protection model must be applied. Avoid applying it,
The privacy protection model includes a k-anonymity protection model, l-diversity protection model, and t-proximity protection model,
The k-anonymity protection model is a basic model for privacy protection. It ensures that at least k identical values exist in a given data set so that they cannot be easily combined with other information, and modifies part of the data set to protect all records. is a model that has k-1 or more records identical to itself, and the k value is composed of an integer of 2 or more,
The l-diversity protection model is a model that complements the k-anonymity protection model, and ensures that de-identified records in a given data set have at least l different sensitive information in a homogeneous set, and l in the process of de-identification. This is a model in which a homogeneous set is formed to have different sensitive information, and the l value is an integer of 2 or more and is less than or equal to the k value,
The t-proximity protection model is a privacy model that considers the meaning of values, and ensures that the distribution of specific information in the homogeneous set and the distribution of information in the entire data set show a difference of less than t, and the distribution of specific information in each homogeneous set. is similar to the distribution of the entire data set, and the t value is a model composed of real numbers between 0 and 1.
The pseudonym processing section is,
Regarding non-application of the privacy protection model, if you want to pseudonymize without applying the privacy protection model, allow the user to select not to apply the privacy protection model condition and then directly set the level of pseudonymization for each attribute.
The pseudonym processing result data should be displayed in the main area of the additional processing performance screen.
When applying the privacy protection model, the combination applicant can check the pseudonymization results by applying the privacy protection model and check the results with matched data and mismatched data, respectively, and set in the matched data tab in the display area of the pseudonymization result data. Samples are displayed for results that satisfy one privacy protection model level, and non-matching data results, which are samples that do not satisfy the privacy protection model level set in the mismatch data tab, are displayed.
When the privacy protection model is not applied and pseudonym processing is performed, the merge applicant can check the pseudonymization result sample in the display area of the pseudonymization result data, and the user can enter the pseudonym after pseudonymization through the pseudonymization result statistics/analysis tab. The structure of pseudonymized data can be confirmed through statistics and analysis of processing results, the combination applicant can check the presence of special information by checking the class distribution, and the frequency of each class in the class distribution list showing the class distribution. A system that provides a solution for combining pseudonym information and processing pseudonymization that allows the presence of outliers to be confirmed by checking the distribution of a specific class by providing ratios and cumulative ratios. According to paragraph 1,
The device for combining pseudonym information and providing a pseudonym processing solution,
When the application is received from the application agency terminal, a project management unit that reviews the application and registers and manages a project corresponding to the application;
When a request for export is made from the application agency terminal, an export management unit that performs export screening for the combined object and then provides the export screening result to the application agency terminal; and
A control unit that controls the operation of the application organization terminal, the professional organization terminal, and each unit,
A system that provides a solution for combining pseudonym information and processing pseudonym information, which includes a. According to paragraph 2,
The device for combining pseudonym information and providing a pseudonym processing solution,
Appropriateness review progress department, which conducts an adequacy review on pseudonymized merged objects;
A system that further includes a pseudonym information combination and pseudonym processing solution provision system. According to paragraph 2,
The control unit,
When a connection is detected from the application agency terminal or the specialized agency terminal, the access is detected on a dashboard screen where step-by-step monitoring information, target file monitoring information, and processing status monitoring information related to pseudonym information combination and pseudonym processing can be checked. A system for providing a solution for combining pseudonym information and processing a pseudonym, which is controlled to be displayed on the screen of the application organization terminal or the professional organization terminal. delete According to paragraph 2,
The project management department,
Through the above pseudonym information combination solution, the function of creating individual applications for each project, the function of accepting and rejecting the completed and submitted application, the function of separating the input stage for each stakeholder for pseudonym processing, and the printing of the application and the signed application. A system for combining pseudonym information and providing a pseudonym processing solution that provides application creation and management functions, including uploading functions. According to paragraph 2,
The export management department,
When performing the export review, the export examiner checks each export review evaluation item on the evaluation screen for each item, makes a judgment on the appropriateness of export, and controls the operation of the export examiner's terminal to input the judgment value. A system that provides combination and pseudonymization solutions. According to paragraph 2,
The combination processing unit,
A system for providing a pseudonym information combination and pseudonym processing solution that provides a large file transmission and reception agent function capable of combined processing of large amounts of data through the pseudonym information combination solution.

Images