WO2020144735A1 - Privacy risk analysis system, privacy risk analysis method, and privacy risk analysis program - Google Patents


Info

Publication number
WO2020144735A1
Authority
WO (WIPO, PCT)
Prior art keywords
risk, entity, entities, personal data, role
Application number
PCT/JP2019/000155
Other languages
French (fr), Japanese (ja)
Inventor
りな 清水
Original Assignee
Mitsubishi Electric Corporation (三菱電機株式会社)
Related applications
JP2020558643A (JP6914454B2); PCT/JP2019/000155; published as WO2020144735A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q 50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q 50/10 Services

Definitions

  • The present invention relates to a technique for analyzing a privacy risk, that is, a risk related to the handling of personal data.
  • When a plurality of businesses handle personal data, at present each business does not individually understand the scope of the other businesses' risk countermeasures, and addresses risk considering only its own interests. There is therefore a possibility of omissions or duplications across the entire range of countermeasures needed to protect the privacy of the provider of the personal data.
  • Non-Patent Document 1 discusses privacy risk between a data provider and a business as part of a multi-stakeholder process regarding the utilization of personal data.
  • Non-Patent Document 2 describes PIA (Privacy Impact Assessment), a privacy risk evaluation method in which the risk of privacy invasion is evaluated in advance and reflected in the system design, so that damage from privacy invasion is prevented before it occurs. A PIA requires analyzing the business operators involved in the development and operation of the system under assessment and clarifying each operator's range of responsibility for risk management.
  • The privacy risk analysis system includes a role specifying unit that takes two entities in a personal data providing relationship as specification targets and specifies the role of each according to (a) whether or not a contract regarding the personal data exists between the two entities, (b) which entity determines the purpose of use of the personal data, and (c) whether the purposes of use of the personal data in the two entities match; and a risk identifying unit that identifies the risk actions of an identification target entity based on the role the role specifying unit has specified for it.
  • In this way the role of each entity is identified from information such as the existence of a contract regarding personal data between the two entities, and the risk actions of each entity are identified from that role.
  • Information such as whether or not a contract exists can be determined without depending on the ability of the analyst, so the privacy risk can be analyzed without depending on the analyst's ability.
  • FIG. 1 is a configuration diagram of a privacy risk analysis system 10 according to the first embodiment.
  • FIG. 2 is a configuration diagram of an entity analysis device 20 according to the first embodiment.
  • FIG. 3 is a configuration diagram of a risk identification device 30 according to the first embodiment.
  • A configuration diagram of an evaluation device 40 according to the first embodiment.
  • A flowchart showing the operation of the entity analysis device 20 according to the first embodiment.
  • FIG. 7 shows the data flow information 232 at step S12 according to the first embodiment.
  • FIG. 8 shows the data flow information 232 at step S13 according to the first embodiment.
  • FIG. 12 shows the data flow information 232 at step S16 according to the first embodiment.
  • A flowchart showing the operation of the risk identification device 30 according to the first embodiment.
  • FIG. 16 shows the analysis information 332 at step S22 according to the first embodiment.
  • A flowchart showing the operation of the evaluation device 40 according to the first embodiment.
  • the privacy risk analysis system 10 includes an entity analysis device 20, a risk identification device 30, and an evaluation device 40.
  • The entity analysis device 20, the risk identification device 30, and the evaluation device 40 are connected via a transmission line 50 such as the Internet, a LAN (Local Area Network), or a dedicated line.
  • the entity analysis device 20 is a computer.
  • The entity analysis device 20 analyzes the data flow and the contract relationships between the entities and identifies the role of each entity with respect to the personal data. Entities are the businesses that handle personal data and the providers of personal data.
  • the entity analysis device 20 includes hardware such as a processor 21, a memory 22, a storage 23, and a communication interface 24.
  • the processor 21 is connected to other hardware via a signal line and controls these other hardware.
  • The entity analysis device 20 includes, as functional components, a data input unit 211, a data flow generation unit 212, a data flow input unit 213, a contract relationship generation unit 214, a contract relationship input unit 215, and a role specifying unit 216.
  • the function of each functional component of the entity analysis device 20 is realized by software.
  • the storage 23 stores programs that implement the functions of the functional components of the entity analysis device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21. As a result, the function of each functional component of the entity analysis device 20 is realized.
  • the storage 23 stores data input information 231, data flow information 232, contract relationship information 233, and provision form information 234.
  • the configuration of the risk identifying device 30 according to the first embodiment will be described with reference to FIG.
  • the risk identification device 30 is a computer.
  • the risk identification device 30 identifies the privacy risk act of the entity from the role of the entity identified by the entity analysis device 20.
  • the risk identification device 30 includes hardware such as a processor 31, a memory 32, a storage 33, and a communication interface 34.
  • the processor 31 is connected to other hardware via a signal line and controls these other hardware.
  • the risk identification device 30 includes a risk identification unit 311 and an analysis information generation unit 312 as functional components.
  • the function of each functional component of the risk identification device 30 is realized by software.
  • the storage 33 stores programs that implement the functions of the functional components of the risk identification device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31. As a result, the function of each functional component of the risk identification device 30 is realized.
  • the storage 33 stores risk information 331 and analysis information 332.
  • the configuration of the evaluation device 40 according to the first embodiment will be described with reference to FIG.
  • the evaluation device 40 is a computer.
  • the evaluation device 40 calculates the degree of privacy risk of the entity from the risk behavior of the entity identified by the risk identification device 30.
  • the evaluation device 40 includes hardware such as a processor 41, a memory 42, a storage 43, and a communication interface 44.
  • the processor 41 is connected to other hardware via a signal line, and controls these other hardware.
  • the evaluation device 40 includes a risk calculation unit 411 and an output unit 412 as functional components.
  • the function of each functional component of the evaluation device 40 is realized by software.
  • the storage 43 stores programs that implement the functions of the functional components of the evaluation device 40. This program is read into the memory 42 by the processor 41 and executed by the processor 41. As a result, the function of each functional component of the evaluation device 40 is realized.
  • the processors 21, 31, 41 are ICs (Integrated Circuits) that perform processing. Specific examples of the processors 21, 31, 41 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
  • the memories 22, 32, 42 are storage devices for temporarily storing data.
  • the memories 22, 32, 42 are, for example, SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory).
  • the storages 23, 33, 43 are storage devices for storing data.
  • the storages 23, 33, 43 are HDDs (Hard Disk Drives) as a specific example.
  • The storages 23, 33, 43 may also be a portable recording medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash, registered trademark), NAND flash, flexible disk, optical disc, compact disc, Blu-ray (registered trademark) disc, or DVD (Digital Versatile Disk).
  • the communication interfaces 24, 34, 44 are interfaces for communicating with external devices.
  • the communication interfaces 24, 34, and 44 are, for example, Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
  • In FIG. 2 only one processor 21 is shown. However, there may be a plurality of processors 21, and the plurality of processors 21 may cooperate in executing the programs that realize the respective functions. Similarly, a plurality of processors 31 and 41 may be provided and may cooperate in executing the programs that realize the respective functions.
  • the operation of the privacy risk analysis system 10 according to the first embodiment will be described with reference to FIGS. 5 to 17.
  • the operation of the privacy risk analysis system 10 according to the first embodiment corresponds to the privacy risk analysis method according to the first embodiment.
  • the operation of the privacy risk analysis system 10 according to the first embodiment corresponds to the processing of the privacy risk analysis program according to the first embodiment.
  • Step S11 data input process
  • The data input unit 211 receives input of the data items of the personal data to be analyzed, assigns an ID (IDentification) to each data item, and writes the result in the storage 23 as the data input information 231. Specifically, the input is received from the user of the entity analysis device 20 via the communication interface 24.
  • The data items of personal data to be analyzed are, for example, the items of personal data handled by a service that the user's business is developing or by a system under development.
  • As shown in FIG. 6, the data input information 231 therefore consists of a data item ID and a data item. In the example, "name" and "video information" are the data items of personal data to be analyzed.
  • Step S12 data flow generation process
  • The data flow generation unit 212 generates one sheet of data flow information 232 for each data item of the personal data received in step S11. That is, if there are n data items of personal data, n sheets of data flow information 232 are generated.
  • The data flow information 232 is information regarding the data flow between the entities. Specifically, as shown in FIG. 7, the sheet for a data item has columns for the entity ID, the data item, the entity, the order in which the data passes, the role of the entity, and the risk action.
  • The data flow generation unit 212 sets the name of the target data item in the data item column of the sheet and writes the sheet in the storage 23.
  • In the example, a "name" sheet and a "video information" sheet are generated as shown in FIG. 7. D1 and D2 are the data item IDs assigned in step S11.
  • Step S13 data flow input process
  • For each data item of the personal data received in step S11, the data flow input unit 213 receives input of the entities that handle the personal data of that data item and the order in which the data passes between them, and writes them to the corresponding sheet of the data flow information 232. Specifically, the input is received from the user of the entity analysis device 20 via the communication interface 24.
  • When m entities handle the personal data of the target data item, the input consists of the m entities and, for each of them, a number from 1 to m representing the order in which the data passes.
  • The data flow input unit 213 assigns entity IDs E1, E2, ..., Em to the entities and, as shown in FIG. 8, fills in the entity ID, entity, and passing-order columns of the sheet for the target data item in the data flow information 232.
  • In the example, records with entity IDs E1 to E4 are set in the "name" sheet of the data flow information 232, and the entity and passing-order columns of those records hold "passerby" and "1", "X company" and "2", "Y company" and "3", and "Z company" and "4".
  • Step S14 Contract relationship generation process
  • The contract relationship generation unit 214 generates one sheet of contract relationship information 233 for each data item of the personal data received in step S11, based on the sheet of the data flow information 232 for that data item. With n data items of personal data, n sheets of contract relationship information 233 are generated.
  • The contract relationship information 233 describes the contract relationships between entities. Specifically, as shown in FIG. 9, a sheet has columns for the contract ID, the data item, the combination of entities, the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the matching status of the purposes of use.
  • The combination of entities consists of an entity that passes the data and an entity that receives the data.
  • A record is generated for each combination of entities in a direct personal data providing relationship. Therefore, when m entities handle the personal data of the target data item, m-1 records are generated.
  • The contract relationship generation unit 214 sets the name of the target data item in the data item column of the sheet and sets each pair of entities in a direct providing relationship in the entity combination columns: the entity earlier in the passing order goes in the column of the entity passing the data and the entity later in the passing order in the column of the entity receiving the data. It assigns contract IDs C1, C2, ... to the records and writes the contract relationship information 233 in the storage 23.
  • In the example, the personal data flows E1 passerby → E2 X company → E3 Y company → E4 Z company, so records with contract IDs C1 to C3 are generated as shown in FIG. 9. The entity combination of record C1 is "E1. passerby" and "E2. X company", that of record C2 is "E2. X company" and "E3. Y company", and that of record C3 is "E3. Y company" and "E4. Z company". E1 to E4 are the entity IDs assigned in step S13.
  • Step S15 Contract relationship input process
  • For each record of each sheet of the contract relationship information 233 generated in step S14, the contract relationship input unit 215 receives input of the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the matching status of the purposes of use, and sets these values in that record. Specifically, the input is received from the user of the entity analysis device 20 via the communication interface 24.
  • The presence or absence of a contract between entities means whether a contract regarding the personal data exists between the two entities in a personal data providing relationship. "Present" or "absent" is entered.
  • The entity that determines the purpose of use means which of the two entities determines the purpose of use of the personal data. A situation in which it is unclear whether the purpose of use is determined by the two entities is not considered here.
  • For this field, at least one of the entity in the column of the entity passing the data and the entity in the column of the entity receiving the data is entered, or "-" is entered to indicate that neither entity determines the purpose of use.
  • The matching status of the purposes of use means whether the purposes of use of the personal data in the two entities match. One of "match", "mismatch", and "-" (no input) is entered. If both entities are not entered as determining the purpose of use, the matching status need not be input.
  • In the example, the record with contract ID C1 in the "name" sheet holds "absent" for the presence or absence of a contract.
  • A contract here means a data provision contract for entrustment, third party provision, or joint use as prescribed by the Personal Information Protection Law. The consent given by the data subject at the time of data provision and the contract for use of the service are out of scope.
  • Only a contract concluded between business operators that are in a direct data providing relationship is considered; a contract between business operators in an indirect providing relationship is out of scope.
  • Step S16 Role specifying process
  • For each record of each sheet of the contract relationship information 233 generated in step S14, the role specifying unit 216 specifies the roles of the two entities in the record according to the presence or absence of a contract regarding the personal data between them, the entity that determines the purpose of use, and the matching status of the purposes of use, and sets each role in the role column of that entity's record in the data flow information 232. A plurality of roles may be specified for one entity.
  • To do this, the role specifying unit 216 refers to the provision form information 234 as shown in FIG.
  • The provision form information 234 patterns the data flow and contract relationship between entities according to four provision types: the three forms of data provision defined by the Personal Information Protection Law (entrustment, third party provision, and joint use) and provision from the information provider himself.
  • It indicates the role of each entity for every combination of the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the matching status of the purposes of use.
  • The role specifying unit 216 extracts from it the roles corresponding to the combination in the target record of the target sheet, thereby specifying the roles of the entities in that record. As shown in FIG. 12, in the "name" sheet of the data flow information 232 the role "data subject" is set in the record with entity ID E1, "data processor" in the record with entity ID E2, "data manager" in the record with entity ID E3, and "third party" in the record with entity ID E4.
  • These roles correspond to the terms PII principal (data subject), PII controller (data manager), PII processor (data processor), and third party.
  • Step S17 data transmission process
  • the role identification unit 216 reads the data flow information 232 from the storage 23 and transmits the data flow information 232 to the risk identification device 30 via the communication interface 24. That is, the role identification unit 216 transmits the data flow information 232 in which the risk action column is blank to the risk identification device 30, as shown in FIG.
  • Step S21 risk identification process
  • The risk identification unit 311 takes each entity in each sheet of the data flow information 232 transmitted in step S17 as an identification target and identifies the risk actions of that entity based on its role. Specifically, the risk identification unit 311 refers to the risk information 331 as shown in FIG.
  • The risk information 331 is definition information that lists, for each entity role, the risk actions that lead to privacy invasion.
  • A risk action is, for example, a violation of a standard such as ISO/IEC 27018 or the GDPR (General Data Protection Regulation) whose requirements are organized by entity role.
  • As long as the risk actions are organized by entity role, they may be included in the risk information 331 whether or not they are described in these standards.
  • The risk action column of the risk information 331 may also hold, instead of information about risk, the requirements described in such a standard organized by entity role.
  • The risk identification unit 311 extracts the risk actions for the role of the identification target entity from the risk information 331 (for each of its roles, when the entity has several) and sets them in the risk action column of that entity's record in the data flow information 232.
  • In the example, "Do not thoroughly implement safety management measures" is set as a risk action in the record with entity ID E2 in the "name" sheet of the data flow information 232. Risk actions are also set for the other records.
  • Step S22 analysis information generation process
  • The analysis information generation unit 312 refers to each sheet of the data flow information 232 and generates analysis information 332 in which the risk actions are regrouped per entity. Specifically, as shown in FIG. 16, the analysis information 332 has columns for the entity, the risk, and the risk size, where the risk consists of the entity's role, the data item, and the risk action.
  • The analysis information generation unit 312 generates a record for each entity that appears in any sheet of the data flow information 232, sets that entity in the entity column, fills in the role, data item, and risk action fields of the record from the information about that entity, and writes the analysis information 332 in the storage 33.
  • Step S23 data transmission process
  • The analysis information generation unit 312 reads the analysis information 332 from the storage 33 and transmits it to the evaluation device 40 via the communication interface 34.
  • Step S31 risk calculation process
  • The risk calculation unit 411 takes each entity of the analysis information 332 transmitted in step S23 as a calculation target and calculates the degree of risk to the personal data from the risk actions of that entity.
  • As a specific example, the risk calculation unit 411 refers to the analysis information 332 and uses the number of risk actions of the target entity as the risk size.
  • Alternatively, a value is determined in advance for each risk action, and the risk calculation unit 411 uses the total of the values of the target entity's risk actions as the risk size.
  • The risk calculation unit 411 sets the calculated risk size in the risk size field of the target entity's record in the analysis information 332, so that a risk size is set for every entity.
  • Step S32 output process
  • the output unit 412 outputs the analysis information 332 having the risk size set in step S31 to the user terminal or the like via the communication interface 44.
  • The data input information 231, the data flow information 232, the contract relationship information 233, and the analysis information 332 have the relationship shown in FIG.: a sheet of data flow information 232 is generated for each data item in the data input information 231; a sheet of contract relationship information 233 is likewise generated for each data item, with one record for each pair of entities in the data flow information 232 that are in a personal data providing relationship; and a record of the analysis information 332 is generated for each entity included in any sheet of the data flow information 232.
  • In this way, the privacy risk analysis system 10 identifies the role of each entity from information such as the presence or absence of a contract regarding the personal data between two entities, and identifies the risk actions from that role. Such information can be determined without depending on the ability of the analyst, so the privacy risk regarding personal data can be analyzed without depending on the analyst's ability.
  • The privacy risk analysis system 10 can also specify the size of the privacy risk of each entity from the identified risk actions.
  • In the first embodiment, the entity analysis device 20, the risk identification device 30, and the evaluation device 40 are described as separate devices. As a first modification, all three may be configured as one device, or the entity analysis device 20 and the risk identification device 30, or the risk identification device 30 and the evaluation device 40, may be configured as one device.
  • Conversely, the entity analysis device 20 may be realized by a plurality of devices, with some of its functional components realized by one device and the rest by another. The same applies to the risk identification device 30 and the evaluation device 40.
  • As a second modification, the risk calculation unit 411 may calculate the total risk for certain personal data, that is, the risk size of all the entities together, by summing the risk sizes of the individual entities. It may then take each entity as a calculation target and calculate the ratio of that entity's risk size to the total risk as the size of that entity's responsibility.
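The following Python script is an added example, not code from the patent or from Mitsubishi Electric, that implements the pipeline of steps S14 to S31 (contract records from a data flow, role specification from the three contract attributes, risk actions per role, risk size as a count or weighted sum) together with the responsibility ratio of the second modification. The page does not reproduce the contents of the provision form information 234 or the risk information 331, so the pattern table `PROVISION_FORMS` and the catalogue `RISK_INFO` below are hypothetical stand-ins; the "video information" flow is likewise constructed, while the "name" flow and contracts C1 to C3 follow the page's example. Names such as `Contract`, `specify_roles`, `analyse` and `responsibility_ratio` are this example's own.

```python
"""Sheet-based privacy risk analysis following steps S14 to S31, plus the
responsibility ratio of the second modification.

Added example, not code from the patent. PROVISION_FORMS (a stand-in for
provision form information 234) and RISK_INFO (a stand-in for risk
information 331) are assumptions; the page does not reproduce either table.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DATA_SUBJECT, CONTROLLER, PROCESSOR, THIRD_PARTY = (
    "data subject", "data controller", "data processor", "third party")


@dataclass(frozen=True)
class Contract:
    """One record of contract relationship information 233 (steps S14, S15).
    determiner is "passer", "receiver", "both" or "-"; purposes_match is only
    meaningful when determiner is "both" (the page's "-" otherwise)."""
    data_item: str
    passer: str
    receiver: str
    contract: bool
    determiner: str
    purposes_match: Optional[bool] = None


# (contract present, determiner, purposes match) -> (passer role, receiver role).
# Hypothetical patterning of the provision forms the page names; a receiver
# role of None means this record says nothing about the receiver's role.
PROVISION_FORMS = {
    (False, "-", None): (DATA_SUBJECT, None),               # subject -> entrusted party
    (False, "receiver", None): (DATA_SUBJECT, CONTROLLER),  # provision by the data subject
    (True, "receiver", None): (PROCESSOR, CONTROLLER),      # entrustment (consignment)
    (True, "both", True): (CONTROLLER, CONTROLLER),         # joint use
    (True, "both", False): (CONTROLLER, THIRD_PARTY),       # third party provision
}

# Role -> risk actions. Hypothetical, except the first processor entry,
# which the page quotes for X company.
RISK_INFO = {
    DATA_SUBJECT: [],
    CONTROLLER: ["Use personal data beyond the notified purpose",
                 "Fail to honour access or deletion requests"],
    PROCESSOR: ["Do not thoroughly implement safety management measures",
                "Process data outside the controller's instructions"],
    THIRD_PARTY: ["Receive personal data without a lawful basis"],
}


def contract_pairs(flow):
    """Step S14: m entities in passing order give m-1 (passer, receiver) pairs."""
    return list(zip(flow, flow[1:]))


def specify_roles(rec):
    """Step S16: look the three contract attributes up in the pattern table."""
    match = rec.purposes_match if rec.determiner == "both" else None
    key = (rec.contract, rec.determiner, match)
    if key not in PROVISION_FORMS:
        raise ValueError(f"no provision form for {key} in {rec}")
    passer_role, receiver_role = PROVISION_FORMS[key]
    return {rec.passer: passer_role, rec.receiver: receiver_role}


def analyse(flows, contracts, weights=None):
    """Steps S16 to S31: roles per (entity, data item), risk actions per
    role, then the risk size per entity as a count or, when weights
    (risk action -> value) are given, a weighted sum.
    flows: {data_item: [entity, ...]} in passing order. Returns
    {entity: {"risks": [(role, item, action, value), ...], "risk_size": n}}."""
    weights = weights or {}
    roles = defaultdict(set)
    for rec in contracts:
        for entity, role in specify_roles(rec).items():
            if role is not None:
                roles[(entity, rec.data_item)].add(role)
    analysis = {}
    for item, flow in flows.items():
        for entity in flow:
            entry = analysis.setdefault(entity, {"risks": [], "risk_size": 0})
            for role in sorted(roles.get((entity, item), ())):
                for action in RISK_INFO[role]:
                    value = weights.get(action, 1)
                    entry["risks"].append((role, item, action, value))
                    entry["risk_size"] += value
    return analysis


def responsibility_ratio(analysis, flows, data_item):
    """Second modification: each entity's share of the total risk for one item."""
    sizes = {e: sum(v for _, i, _, v in analysis[e]["risks"] if i == data_item)
             for e in flows[data_item]}
    total = sum(sizes.values())
    return {e: (s / total if total else 0.0) for e, s in sizes.items()}


# Constructed input: the page's "name" flow passerby -> X -> Y -> Z with
# contracts C1 to C3, plus an assumed "video information" flow ending at X.
FLOWS = {"name": ["passerby", "X company", "Y company", "Z company"],
         "video information": ["passerby", "X company"]}
CONTRACTS = [
    Contract("name", "passerby", "X company", False, "-"),            # C1
    Contract("name", "X company", "Y company", True, "receiver"),     # C2
    Contract("name", "Y company", "Z company", True, "both", False),  # C3
    Contract("video information", "passerby", "X company", False, "receiver"),
]

if __name__ == "__main__":
    result = analyse(FLOWS, CONTRACTS)
    for entity, entry in result.items():
        print(entity, entry["risk_size"], [r[:3] for r in entry["risks"]])
    print(responsibility_ratio(result, FLOWS, "name"))
```

With the constructed input, X company is a processor for "name" (from C2) and a controller for "video information", which is the multiple-roles case the description allows; a record whose attribute combination has no pattern raises instead of silently leaving the entity without a role, since an entity with no role would get no risk actions and would disappear from the risk size.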
  • In the first embodiment, each functional component generates a tabular sheet. As a third modification, this sheet is only an example; the generated data may be in any format, and the data flow information 232 may, for instance, be represented graphically.
  • In the first embodiment, each functional component is realized by software. As a fourth modification, each functional component may instead be realized by hardware. The differences from the first embodiment are as follows.
  • The entity analysis device 20 includes an electronic circuit instead of the processor 21, the memory 22, and the storage 23; the electronic circuit is a dedicated circuit that realizes the functions of the functional components, the memory 22, and the storage 23. Likewise, the risk identification device 30 includes an electronic circuit in place of the processor 31, the memory 32, and the storage 33, and the evaluation device 40 includes an electronic circuit in place of the processor 41, the memory 42, and the storage 43.
  • All functional components may be realized by one electronic circuit, or they may be distributed across a plurality of electronic circuits.
  • The processors 21, 31, 41, the memories 22, 32, 42, the storages 23, 33, 43, and the electronic circuits are collectively called processing circuits; that is, the function of each functional component is realized by a processing circuit.
  • 10 privacy risk analysis system, 20 entity analysis device, 21 processor, 22 memory, 23 storage, 24 communication interface, 211 data input unit, 212 data flow generation unit, 213 data flow input unit, 214 contract relationship generation unit, 215 contract relationship input unit, 216 role identification unit, 231 data input information, 232 data flow information, 233 contract relationship information, 234 provision form information, 30 risk identification device, 31 processor, 32 memory, 33 storage, 34 communication interface, 311 risk identification unit, 312 analysis information generation unit, 331 risk information, 332 analysis information, 40 evaluation device, 41 processor, 42 memory, 43 storage, 44 communication interface, 411 risk calculation unit, 412 output unit, 50 transmission line.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Economics (AREA)
  • Tourism & Hospitality (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Development Economics (AREA)
  • Game Theory and Decision Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Provided is an entity analysis device (20) that identifies a role for each of two entities in a personal data provision relationship, on the basis of whether there is a contract relating to the personal data between the two entities, which of the entities determines the purpose of use of the personal data, and whether the purposes of use of the personal data in the two entities match. A risk identification device (30) identifies risk behavior for each of the two entities in light of the roles so identified.

Description

Privacy risk analysis system, privacy risk analysis method, and privacy risk analysis program
The present invention relates to a technique for analyzing the risk relating to the handling of personal data, that is, the risk concerning privacy (hereinafter, privacy risk).
The use of personal data in services is expanding. With this, cases of privacy infringement are also increasing, and business operators that handle personal data are required to give consideration to privacy. Therefore, when developing a system that handles personal data or providing a service that uses personal data, a business operator needs to understand the privacy risks and take countermeasures.
However, when a plurality of business operators handle personal data, the privacy risk differs for each business operator. For example, when personal data is provided from the business operator in charge of operating a system to another business operator in charge of maintaining that system, both the system operator and the maintenance operator are required to address a risk such as "inadequate data security management measures". On the other hand, only the system operator is required to address a risk such as "the purpose of use is not specific".
When a plurality of business operators handle personal data, at present each business operator addresses risks considering only its own interests, without understanding the scope of the others' risk handling. Therefore, omissions or duplications of countermeasures may occur across the entire range of risk handling needed to protect the privacy of the personal data provider.
As a means of avoiding such omissions or duplications of privacy risk countermeasures, a method is being considered in which each business operator addresses risks while consulting and coordinating on risk handling with the other business operators that handle the personal data.
For example, Non-Patent Document 1 describes, in its consideration of a multi-stakeholder process for utilizing personal data, consulting on privacy risks between data providers and business operators.
Non-Patent Document 2 describes PIA (Privacy Impact Assessment), a privacy risk assessment method in which the risk of a privacy infringement occurring is assessed in advance and reflected in the system design, in order to prevent damage from privacy infringement before it happens. In a PIA, it is required to analyze the business operators involved in the development and operation of the system subject to risk assessment and to clarify the scope of each business operator's responsibility for risk handling.
At present, there are no detailed procedures or tools for analyzing the privacy risk of each business operator or the magnitude of its responsibility for risk handling, and analysts carry out the analysis using their own know-how. Consequently, the analysis is difficult for anyone without that knowledge. Furthermore, because the detailed analysis procedure has not been systematically organized, even a person who can perform the analysis needs a long time.
An object of the present invention is to enable analysis of privacy risk without depending on the ability of the analyst.
A privacy risk analysis system according to the present invention includes:
a role identification unit that, for two entities in a personal data provision relationship, takes each of the two entities as an identification target and identifies the role of the identification-target entity according to whether there is a contract concerning the personal data between the two entities, which entity determines the purpose of use of the personal data, and whether the purposes of use of the personal data in the two entities match; and
a risk identification unit that identifies a risk action of the identification-target entity based on the role of the identification-target entity identified by the role identification unit.
In the present invention, the role of each entity is identified from information such as whether there is a contract concerning the personal data between the two entities, and the risk action of each entity is identified from that role. Information such as whether a contract exists can be determined without depending on the analyst's ability, so privacy risk can be analyzed without depending on the analyst's ability.
FIG. 1 is a configuration diagram of the privacy risk analysis system 10 according to Embodiment 1.
FIG. 2 is a configuration diagram of the entity analysis device 20 according to Embodiment 1.
FIG. 3 is a configuration diagram of the risk identification device 30 according to Embodiment 1.
FIG. 4 is a configuration diagram of the evaluation device 40 according to Embodiment 1.
FIG. 5 is a flowchart showing the operation of the entity analysis device 20 according to Embodiment 1.
FIG. 6 shows the data input information 231 according to Embodiment 1.
FIG. 7 shows the data flow information 232 (step S12) according to Embodiment 1.
FIG. 8 shows the data flow information 232 (step S13) according to Embodiment 1.
FIG. 9 shows the contract relationship information 233 (step S14) according to Embodiment 1.
FIG. 10 shows the contract relationship information 233 (step S15) according to Embodiment 1.
FIG. 11 shows the provision form information 234 according to Embodiment 1.
FIG. 12 shows the data flow information 232 (step S16) according to Embodiment 1.
FIG. 13 is a flowchart showing the operation of the risk identification device 30 according to Embodiment 1.
FIG. 14 shows the risk information 331 according to Embodiment 1.
FIG. 15 shows the data flow information 232 (step S21) according to Embodiment 1.
FIG. 16 shows the analysis information 332 (step S22) according to Embodiment 1.
FIG. 17 is a flowchart showing the operation of the evaluation device 40 according to Embodiment 1.
FIG. 18 shows the analysis information 332 (step S31) according to Embodiment 1.
FIG. 19 is an explanatory diagram of the relationship between the data input information 231, the data flow information 232, the contract relationship information 233, and the analysis information 332.
FIG. 20 shows the data flow information 232 according to Modification 3.
Embodiment 1.
*** Description of configuration ***
The configuration of the privacy risk analysis system 10 according to Embodiment 1 will be described with reference to FIG. 1.
The privacy risk analysis system 10 includes an entity analysis device 20, a risk identification device 30, and an evaluation device 40. The entity analysis device 20, the risk identification device 30, and the evaluation device 40 are connected via a transmission line 50 such as the Internet, a LAN (Local Area Network), or a dedicated line.
The configuration of the entity analysis device 20 according to Embodiment 1 will be described with reference to FIG. 2.
The entity analysis device 20 is a computer. It analyzes the data flow and the contract relationships between entities and identifies the role of each entity with respect to the personal data. An entity is a business operator that handles personal data or a provider of personal data.
The entity analysis device 20 includes hardware: a processor 21, a memory 22, a storage 23, and a communication interface 24. The processor 21 is connected to the other hardware via signal lines and controls that other hardware.
The entity analysis device 20 includes, as functional components, a data input unit 211, a data flow generation unit 212, a data flow input unit 213, a contract relationship generation unit 214, a contract relationship input unit 215, and a role identification unit 216. The functions of these functional components are realized by software.
The storage 23 stores a program that realizes the functions of the functional components of the entity analysis device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21, thereby realizing the functions of the functional components of the entity analysis device 20.
The storage 23 stores data input information 231, data flow information 232, contract relationship information 233, and provision form information 234.
The configuration of the risk identification device 30 according to Embodiment 1 will be described with reference to FIG. 3.
The risk identification device 30 is a computer. It identifies the privacy risk actions of an entity from the role of the entity identified by the entity analysis device 20.
The risk identification device 30 includes hardware: a processor 31, a memory 32, a storage 33, and a communication interface 34. The processor 31 is connected to the other hardware via signal lines and controls that other hardware.
The risk identification device 30 includes, as functional components, a risk identification unit 311 and an analysis information generation unit 312. The functions of these functional components are realized by software.
The storage 33 stores a program that realizes the functions of the functional components of the risk identification device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31, thereby realizing the functions of the functional components of the risk identification device 30.
The storage 33 stores risk information 331 and analysis information 332.
The configuration of the evaluation device 40 according to Embodiment 1 will be described with reference to FIG. 4.
The evaluation device 40 is a computer. It calculates the magnitude of an entity's privacy risk from the risk actions of the entity identified by the risk identification device 30.
The evaluation device 40 includes hardware: a processor 41, a memory 42, a storage 43, and a communication interface 44. The processor 41 is connected to the other hardware via signal lines and controls that other hardware.
The evaluation device 40 includes, as functional components, a risk calculation unit 411 and an output unit 412. The functions of these functional components are realized by software.
The storage 43 stores a program that realizes the functions of the functional components of the evaluation device 40. This program is read into the memory 42 by the processor 41 and executed by the processor 41, thereby realizing the functions of the functional components of the evaluation device 40.
The processors 21, 31, and 41 are ICs (Integrated Circuits) that perform processing. Specific examples of the processors 21, 31, and 41 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
The memories 22, 32, and 42 are storage devices that temporarily store data. Specific examples of the memories 22, 32, and 42 are SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory).
The storages 23, 33, and 43 are storage devices that hold data. A specific example of the storages 23, 33, and 43 is an HDD (Hard Disk Drive). The storages 23, 33, and 43 may also be portable recording media such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash, registered trademark), NAND flash, a flexible disk, an optical disc, a compact disc, a Blu-ray (registered trademark) disc, or a DVD (Digital Versatile Disk).
The communication interfaces 24, 34, and 44 are interfaces for communicating with external devices. Specific examples of the communication interfaces 24, 34, and 44 are Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
In FIG. 2, only one processor 21 is shown. However, there may be a plurality of processors 21, and the plurality of processors 21 may cooperate in executing the program that realizes each function. Similarly, there may be a plurality of processors 31 and 41, and the plurality of processors 31 and 41 may cooperate in executing the programs that realize the respective functions.
*** Description of operation ***
The operation of the privacy risk analysis system 10 according to Embodiment 1 will be described with reference to FIGS. 5 to 17.
The operation of the privacy risk analysis system 10 according to Embodiment 1 corresponds to the privacy risk analysis method according to Embodiment 1. It also corresponds to the processing of the privacy risk analysis program according to Embodiment 1.
The operation of the entity analysis device 20 according to Embodiment 1 will be described with reference to FIG. 5.
(Step S11: data input process)
The data input unit 211 accepts input of the data items of the personal data to be analyzed. The data input unit 211 then writes the accepted data items of the personal data to the storage 23 as data input information 231.
Specifically, the data input unit 211 accepts, via the communication interface 24, input of the data items of the personal data to be analyzed from the user of the entity analysis device 20. The data items of the personal data to be analyzed are, for example, the items of personal data handled by a service the user is deploying or a system the user is developing. The data input unit 211 assigns an ID (IDentification) to each data item and writes the result to the storage 23 as data input information 231.
As a result, as shown in FIG. 6, data input information 231 containing a data item ID and a data item is generated. In FIG. 6, "Name" and "Video information" are shown as the data items of the personal data to be analyzed.
(Step S12: data flow generation process)
The data flow generation unit 212 takes each data item of the personal data accepted in step S11 as a target and generates a sheet of data flow information 232 for the target data item. That is, when there are n data items of personal data, the data flow generation unit 212 generates n sheets of data flow information 232. The data flow information 232 is information about the data flow between entities.
Specifically, as shown in FIG. 7, the data flow generation unit 212 generates, for the target data item, a sheet of data flow information 232 with columns for the entity ID, the data item, the entity, the order in which the data passes, the role of the entity, and the risk actions. The data flow generation unit 212 then sets the name of the target data item in the data item column of the sheet and writes the sheet to the storage 23.
When the data items "Name" and "Video information" are accepted in step S11 as shown in FIG. 6, a "Name" sheet and a "Video information" sheet are generated as shown in FIG. 7. "D1. Name" is set in the data item column of the "Name" sheet, and "D2. Video information" is set in the data item column of the "Video information" sheet. D1 and D2 are the data item IDs of the data input information 231 from which these data items were taken.
(Step S13: data flow input process)
The data flow input unit 213 takes each data item of the personal data accepted in step S11 as a target and accepts, for the target data item, input of the entities that handle the personal data and the order in which the data passes between them. The data flow input unit 213 then writes the accepted entities and data-passing order to the corresponding sheet of the data flow information 232.
Specifically, the data flow input unit 213 accepts, via the communication interface 24, input from the user of the entity analysis device 20 of the entities that handle the personal data of the target data item and the order in which the data passes. When there are m entities that handle the personal data of the target data item, the data flow input unit 213 accepts input of the m entities and, for each of the m entities, a number from 1 to m representing the order in which the data passes. The data flow input unit 213 assigns the entity IDs E1, E2, ..., Em in the order in which the data passes. Then, as shown in FIG. 8, the data flow input unit 213 sets these values in the entity ID, entity, and data-passing-order columns of the sheet for the target data item in the data flow information 232.
As a result, as shown in FIG. 8, records with entity IDs E1 to E4 are set on the "Name" sheet of the data flow information 232. The entity and data-passing-order columns of these records are set to "passerby" and "1", "Company X" and "2", "Company Y" and "3", and "Company Z" and "4", respectively.
(Step S14: contract relationship generation process)
The contract relationship generation unit 214 takes each data item of the personal data accepted in step S11 as a target and generates a sheet of contract relationship information 233 for the target data item based on the corresponding sheet of the data flow information 232. That is, when there are n data items of personal data, the contract relationship generation unit 214 generates n sheets of contract relationship information 233. The contract relationship information 233 is information that describes the contract relationships between entities.
Specifically, as shown in FIG. 9, the contract relationship generation unit 214 generates, for the target data item, a sheet of contract relationship information 233 with columns for the contract ID, the data item, the combination of entities, the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the match status of the purposes of use. The combination of entities consists of the entity that passes the data and the entity that receives the data. The contract relationship generation unit 214 generates one record for each combination of entities in a direct personal data provision relationship, so when m entities handle the personal data of the target data item, m-1 records are generated. The contract relationship generation unit 214 sets the name of the target data item in the data item column of the sheet and sets, in the entity combination column, each combination of entities in a direct provision relationship: the entity earlier in the data-passing order is set in the column for the entity that passes the data, and the entity later in the order in the column for the entity that receives the data. The contract relationship generation unit 214 assigns the contract IDs C1, C2, ..., Cm-1 starting from the earliest point in the data-passing order, and then writes the contract relationship information 233 to the storage 23.
When the "Name" sheet of the data flow information 232 is set as shown in FIG. 8, the personal data flows E1. passerby → E2. Company X → E3. Company Y → E4. Company Z. Therefore, as shown in FIG. 9, records with contract IDs C1 to C3 are generated. The entity combination column of the record with contract ID C1 is set to "E1. passerby" and "E2. Company X"; that of the record with contract ID C2 to "E2. Company X" and "E3. Company Y"; and that of the record with contract ID C3 to "E3. Company Y" and "E4. Company Z". E1 to E4 are the entity IDs of the data flow information 232 from which these entities were taken.
(Step S15: contract relationship input process)
The contract relationship input unit 215 takes each record of each sheet of the contract relationship information 233 generated in step S14 as a target and accepts input of the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the match status of the purposes of use. The contract relationship input unit 215 then sets the accepted values in the target record of the target sheet of the contract relationship information 233.
Specifically, the contract relationship input unit 215 accepts, via the communication interface 24, input from the user of the entity analysis device 20 of the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the match status of the purposes of use for the target record of the target sheet, and sets these values in the target record of the target sheet of the contract relationship information 233.
The presence or absence of a contract between the entities means whether there is a contract concerning the personal data between the two entities in a personal data provision relationship. "Present" or "absent" is entered.
The entity that determines the purpose of use means which of the two entities determines the purpose of use of the personal data. A situation in which it is unknown whether either of the two entities determines the purpose of use is not considered here. As the entity that determines the purpose of use, at least one of the entity in the passing-entity column and the entity in the receiving-entity column of the entity combination is entered, or "-" is entered to indicate that neither entity determines the purpose of use.
The match status of the purposes of use means whether the purposes of use of the personal data in the two entities match. One of "match", indicating that the purposes of use match, "mismatch", indicating that they do not match, and "-", indicating that no input is required, is entered. When two entities are not entered in the column for the entity that determines the purpose of use, the match status does not need to be entered.
Here, as shown in FIG. 10, assume that the presence or absence of a contract, the entity that determines the purpose of use, and the match status are set as follows on the "Name" sheet: the record with contract ID C1 is set to "absent", "-", and "-"; the record with contract ID C2 to "present", "E3. Company Y", and "-"; and the record with contract ID C3 to "present", "E3. Company Y, E4. Company Z", and "mismatch".
Here, as shown in FIG. 10, as a condition of agreement between the entities, the entity that determines the purpose of use, and the matching purpose of the purpose of use, the record of contract ID C1 in the “name” sheet indicates “None”. , “−”, and “−” are set, and “Yes”, “E3.Y company”, and “−” are set in the record whose contract ID is C2, and the contract ID is C3. It is assumed that “Yes”, “E3.Y company, E4.Z company”, and “non-coincidence” are set in the record.
 ここでの契約は、個人情報保護法で規定される委託、第三者提供、共同利用におけるデータ提供契約を指す。データ提供時の本人同意及びサービス利用に関する契約に関しては、適用範囲外とする。また、ここでは、データ提供が直接行われる事業者間で契約を結ぶケースを対象とし、データ提供が間接的に行われる事業者間で契約を結ぶケースについては対象外とする。  The contract here refers to a data provision contract for entrustment, provision by a third party, and joint use as prescribed by the Personal Information Protection Law. The agreement with the person at the time of data provision and the contract regarding the use of the service is out of scope. In addition, here, the case where a contract is concluded between the business operators directly providing the data is excluded, and the case where a contract is concluded between the business operators indirectly providing the data is excluded.
 (ステップS16:役割特定処理)
 役割特定部216は、ステップS14で生成された契約関係情報233の各シートの各レコードを対象として、2つのエンティティの役割を特定する。そして、データフロー情報232の特定対象のエンティティのレコードにおけるエンティティの役割の欄に、特定された役割を設定する。この際、役割特定部216は、パーソナルデータの提供関係にある2つのエンティティの間のパーソナルデータに関する契約の有無と、パーソナルデータの利用目的を決定するエンティティと、2つのエンティティにおけるパーソナルデータの利用目的の一致状況とに応じて、2つのエンティティの役割を特定する。なお、1つのエンティティに対して、複数の役割が特定される場合も起こり得る。
 具体的には、役割特定部216は、図11に示すような提供形態情報234を参照する。提供形態情報234は、エンティティ間のデータフロー及び契約関係を、個人情報保護法で規定されるデータ提供(委託、第三者提供、共同利用)と情報提供者本人からの提供の4つの提供の種類に応じてパターン化した情報である。提供形態情報234は、エンティティ間の契約の有無と、利用目的を決定するエンティティと、利用目的の一致状況との組合せ毎にエンティティの役割を示す。役割特定部216は、対象のシートの対象のレコードについてのエンティティ間の契約の有無と、利用目的を決定するエンティティと、利用目的の一致状況との組合せに対応するエンティティの役割を抽出する。これにより、役割特定部216は、対象のシートの対象のレコードについてのエンティティの役割を特定する。そして、図12に示すように、データフロー情報232の「氏名」のシートにおけるエンティティIDがE1のレコードには、役割として「データ主体」が設定され、エンティティIDがE2のレコードには、役割として「データ処理者」が設定され、エンティティIDがE3のレコードには、役割として「データ管理者」が設定され、エンティティIDがE4のレコードには、役割として「第三者」が設定される。
(Step S16: Role specifying process)
The role specifying unit 216 specifies the roles of the two entities for each record of each sheet of the contract relationship information 233 generated in step S14. Then, the identified role is set in the column of the role of the entity in the record of the entity to be identified in the data flow information 232. At this time, the role specifying unit 216 determines whether or not there is a contract regarding the personal data between the two entities that are in the personal data providing relationship, the entity that determines the purpose of using the personal data, and the purpose of using the personal data in the two entities. The roles of the two entities are specified according to the matching status of. Note that a plurality of roles may be specified for one entity.
Specifically, the role identification unit 216 refers to the provision form information 234 as shown in FIG. The provision form information 234 includes four provisions of data flow and contract relationship between entities, that is, data provision (consignment, third party provision, shared use) and provision from the information provider himself as defined by the Personal Information Protection Law. It is information that is patterned according to the type. The provision form information 234 indicates the role of the entity for each combination of the presence or absence of a contract between the entities, the entity that determines the purpose of use, and the matching status of the purpose of use. The role specifying unit 216 extracts the role of the entity corresponding to the combination of the presence/absence of a contract between the entities for the target record of the target sheet, the entity that determines the purpose of use, and the matching status of the purpose of use. Accordingly, the role specifying unit 216 specifies the role of the entity for the target record of the target sheet. Then, as shown in FIG. 12, “data subject” is set as the role in the record of the entity ID E1 in the “name” sheet of the data flow information 232, and the record is set as the role in the record of the entity ID E2. A “data processor” is set, a record having an entity ID of E3 has a role of “data manager”, and a record having an entity ID of E4 has a role of “third party”.
Here, the entity roles are the data subject (PII principal), data controller (PII controller), data processor (PII processor) and third party defined in ISO/IEC 29100:2011.
(Step S17: Data transmission process)
The role identification unit 216 reads the data flow information 232 from the storage 23 and transmits it to the risk identification device 30 via the communication interface 24. That is, as shown in FIG. 12, the role identification unit 216 transmits the data flow information 232 with its risk action column still blank.
The operation of the risk identification device 30 according to Embodiment 1 will be described with reference to FIG. 13.
(Step S21: Risk identification process)
The risk identification unit 311 takes each entity in each sheet of the data flow information 232 transmitted in step S17 as an identification target and identifies the risk actions of the target entity based on its role.
Specifically, the risk identification unit 311 refers to risk information 331 such as that shown in FIG. 14. The risk information 331 is definition information that indicates, for each entity role, the risk actions that would cause a privacy violation. A risk action is, for example, a violation of a standard whose requirements are organized by entity role, such as ISO 27018 or the GDPR (General Data Protection Regulation). Any risk action organized by entity role may also be included in the risk information 331, whether or not it appears in these standards.
The risk action column of the risk information 331 may also hold, instead of information about risks, the requirements stated in a standard organized by entity role.
The risk identification unit 311 extracts from the risk information 331 the risk actions for the role of the target entity. When the target entity has more than one role, it extracts the risk actions for each of those roles. The risk actions of the target entity are thereby identified, and the risk identification unit 311 sets them in the risk action column of the data flow information 232.
Here, as shown in FIG. 15, information such as “does not thoroughly implement safety management measures” is set as a risk action in the record with entity ID E2 in the “name” sheet of the data flow information 232. Risk actions are set in the other records as well.
(Step S22: Analysis information generation process)
The analysis information generation unit 312 refers to each sheet of the data flow information 232 and generates analysis information 332 in which the risk actions are regrouped by entity.
Specifically, as shown in FIG. 16, the analysis information generation unit 312 generates analysis information 332 containing the entity, the risk and the risk magnitude, where the risk consists of the entity role, the data item and the risk action. For each entity contained in any sheet of the data flow information 232, the analysis information generation unit 312 generates a record for that entity, sets the entity in the entity column, and sets the information about that entity in the entity role, data item and risk action columns of its record in the analysis information 332. The analysis information generation unit 312 then writes the analysis information 332 to the storage 33.
(Step S23: Data transmission process)
The analysis information generation unit 312 reads the analysis information 332 from the storage 33 and transmits it to the evaluation device 40 via the communication interface 34.
The operation of the evaluation device 40 according to Embodiment 1 will be described with reference to FIG. 17.
(Step S31: Risk calculation process)
The risk calculation unit 411 takes each entity in the analysis information 332 transmitted in step S23 as a calculation target and calculates the risk magnitude for the personal data of the target entity based on that entity's risk actions.
As one specific example, the risk calculation unit 411 refers to the analysis information 332 and takes the number of risk actions of the target entity as its risk magnitude. As another specific example, the risk calculation unit 411 assigns a value to each risk action in advance, refers to the analysis information 332, and takes the sum of the values of the target entity's risk actions as its risk magnitude.
The risk calculation unit 411 then sets the calculated risk magnitude in the risk magnitude column of the target entity's record in the analysis information 332. Here, as shown in FIG. 18, a risk magnitude is set for each entity.
(Step S32: Output process)
The output unit 412 outputs the analysis information 332, in which the risk magnitudes were set in step S31, to the user's terminal or the like via the communication interface 44.
In the processing of the privacy risk analysis system 10, the data input information 231, the data flow information 232, the contract relationship information 233 and the analysis information 332 are related as shown in FIG. 19.
That is, a sheet of the data flow information 232 is generated for each data item in the data input information 231. A sheet of the contract relationship information 233 is likewise generated for each data item in the data input information 231, and a record of the contract relationship information 233 is generated for each combination of two entities in the data flow information 232 that are in a personal data providing relationship. A record of the analysis information 332 is generated for each entity contained in any of the sheets of the data flow information 232.
***Effects of Embodiment 1***
As described above, the privacy risk analysis system 10 according to Embodiment 1 identifies the role of each entity from information such as the presence or absence of a contract concerning personal data between two entities, and identifies risk actions based on the entity's role. Information such as the presence or absence of a contract can be determined without depending on the skill of the analyst, so privacy risks concerning personal data can be analyzed without depending on the analyst's skill.
The privacy risk analysis system 10 according to Embodiment 1 can also determine the magnitude of the privacy risk for each entity from the identified risk actions.
***Other configurations***
<Modification 1>
In Embodiment 1, the entity analysis device 20, the risk identification device 30 and the evaluation device 40 were described as separate devices. However, the three may be configured as a single device. Alternatively, the entity analysis device 20 and the risk identification device 30 may be configured as one device, or the risk identification device 30 and the evaluation device 40 may be configured as one device.
The entity analysis device 20 may also be realized by a plurality of devices; that is, some of the functional components of the entity analysis device 20 may be realized by one device and the rest by another. Likewise, the risk identification device 30 and the evaluation device 40 may each be realized by a plurality of devices.
<Modification 2>
The risk calculation unit 411 may sum the risk magnitudes of the individual entities for a given item of personal data to calculate an overall risk, that is, the risk magnitude for the plurality of entities as a whole. The risk calculation unit 411 may then take each entity as a calculation target and calculate the proportion of the overall risk accounted for by the target entity's risk magnitude as the magnitude of that entity's responsibility.
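The pipeline of steps S16 (roles), S21 (risk actions) and S31 (risk magnitude), together with the responsibility share of Modification 2, as an added worked example; this is illustration code, not the patent's own implementation. The contents of the provision form information 234 (FIG. 11) and of the risk information 331 (FIG. 14) are not reproduced on the page, so the two lookup tables in the code are assumed reconstructions: the provision patterns are chosen to reproduce the three contract records of FIG. 10 and the roles of FIG. 12, and every risk action other than the one quoted on the page is a constructed placeholder.

```python
"""Added illustration of steps S16 (roles), S21 (risk actions), S31 (risk
magnitude) and the responsibility share of Modification 2. Not the patent's
own code; the two lookup tables are ASSUMED reconstructions (see comments)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Entity roles, as defined in ISO/IEC 29100:2011 and named on the page.
DATA_SUBJECT = "data subject"     # PII principal
CONTROLLER = "data controller"    # PII controller
PROCESSOR = "data processor"      # PII processor
THIRD_PARTY = "third party"


@dataclass(frozen=True)
class ContractRecord:
    """One record of the contract relationship information 233 (FIGS. 9 and 10)."""
    contract_id: str
    giver: str               # entity that passes the personal data
    receiver: str            # entity that receives it
    has_contract: bool       # "present" (True) / "absent" (False)
    deciders: frozenset      # entities that determine the purpose of use ("-" = empty)
    purpose_match: str       # "match", "mismatch" or "-" (no input required)


def provision_pattern(rec: ContractRecord) -> tuple[Optional[str], Optional[str]]:
    """ASSUMED provision form information 234 (FIG. 11 is not on the page).

    Maps (contract present?, who decides the purpose, purposes match?) to
    (role of giver, role of receiver). None means this record alone does not
    determine that entity's role. Consistent with FIG. 10 and FIG. 12.
    """
    giver_decides = rec.giver in rec.deciders
    receiver_decides = rec.receiver in rec.deciders
    if not rec.has_contract and not rec.deciders:
        return DATA_SUBJECT, None                 # provision by the data subject
    if rec.has_contract and receiver_decides and not giver_decides:
        return PROCESSOR, CONTROLLER              # entrustment: receiver sets the purpose
    if rec.has_contract and giver_decides and not receiver_decides:
        return CONTROLLER, PROCESSOR              # entrustment in the other direction
    if rec.has_contract and giver_decides and receiver_decides:
        if rec.purpose_match == "match":
            return CONTROLLER, CONTROLLER         # joint use
        return CONTROLLER, THIRD_PARTY            # third-party provision
    return None, None                             # pattern not covered by the table


def identify_roles(records: list[ContractRecord]) -> dict[str, set[str]]:
    """Step S16: the set of roles of each entity (an entity may hold several)."""
    roles: dict[str, set[str]] = {}
    for rec in records:
        for entity, role in zip((rec.giver, rec.receiver), provision_pattern(rec)):
            roles.setdefault(entity, set())
            if role is not None:
                roles[entity].add(role)
    return roles


# ASSUMED risk information 331 (FIG. 14 is not on the page). Only the
# processor's first entry is quoted on the page; the rest are constructed.
RISK_INFO: dict[str, list[str]] = {
    DATA_SUBJECT: [],
    PROCESSOR: ["does not thoroughly implement safety management measures",
                "processes data outside the controller's instructions"],
    CONTROLLER: ["uses data beyond the stated purpose",
                 "provides data to a third party without consent",
                 "does not supervise the processor"],
    THIRD_PARTY: ["uses the received data for an undisclosed purpose"],
}


def identify_risk_acts(roles, risk_info=RISK_INFO) -> dict[str, list[str]]:
    """Step S21: union of the risk actions of every role the entity holds."""
    return {e: sorted({a for r in rs for a in risk_info[r]}) for e, rs in roles.items()}


def risk_magnitude(acts, weights=None) -> dict[str, int]:
    """Step S31: number of risk actions, or the sum of preset per-action values."""
    if weights is None:
        return {e: len(a) for e, a in acts.items()}
    return {e: sum(weights.get(x, 0) for x in a) for e, a in acts.items()}


def responsibility_share(magnitudes) -> dict[str, float]:
    """Modification 2: each entity's risk as a fraction of the overall risk."""
    total = sum(magnitudes.values())
    return {e: (m / total if total else 0.0) for e, m in magnitudes.items()}


# Constructed input: the "name" sheet of FIG. 10 (contract IDs C1 to C3).
NAME_SHEET = [
    ContractRecord("C1", "E1. passerby", "E2. company X", False, frozenset(), "-"),
    ContractRecord("C2", "E2. company X", "E3. company Y", True,
                   frozenset({"E3. company Y"}), "-"),
    ContractRecord("C3", "E3. company Y", "E4. company Z", True,
                   frozenset({"E3. company Y", "E4. company Z"}), "mismatch"),
]


def analyze(records=NAME_SHEET, weights=None):
    """Run S16 -> S21 -> S31 (-> Modification 2) over one sheet."""
    roles = identify_roles(records)
    acts = identify_risk_acts(roles)
    mags = risk_magnitude(acts, weights)
    return roles, acts, mags, responsibility_share(mags)


if __name__ == "__main__":
    roles, acts, mags, shares = analyze()
    for entity in roles:  # E1 data subject, E2 processor, E3 controller, E4 third party
        print(f"{entity}: {sorted(roles[entity])} risk={mags[entity]} share={shares[entity]:.2f}")
```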
<Modification 3>
In Embodiment 1, each functional component generated a tabular sheet. The sheet is only an example, however, and the generated data may be in any format. For example, as shown in FIG. 20, the data flow information 232 may be represented in graphical form.
<Modification 4>
In Embodiment 1, each functional component was realized by software. As Modification 4, however, each functional component may be realized by hardware. The points in which Modification 4 differs from Embodiment 1 are described below.
When each functional component is realized by hardware, the entity analysis device 20 has an electronic circuit in place of the processor 21, the memory 22 and the storage 23. The electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 22 and the storage 23.
Likewise, when each functional component is realized by hardware, the risk identification device 30 has an electronic circuit in place of the processor 31, the memory 32 and the storage 33. The electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 32 and the storage 33.
Likewise, when each functional component is realized by hardware, the evaluation device 40 has an electronic circuit in place of the processor 41, the memory 42 and the storage 43. The electronic circuit is a dedicated circuit that realizes the functions of each functional component, the memory 42 and the storage 43.
The electronic circuit is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array).
The functional components may be realized by a single electronic circuit, or may be distributed across a plurality of electronic circuits.
<Modification 5>
As Modification 5, some of the functional components may be realized by hardware and the others by software.
The processors 21, 31 and 41, the memories 22, 32 and 42, the storages 23, 33 and 43 and the electronic circuits are referred to as processing circuitry. That is, the function of each functional component is realized by processing circuitry.
10 privacy risk analysis system, 20 entity analysis device, 21 processor, 22 memory, 23 storage, 24 communication interface, 211 data input unit, 212 data flow generation unit, 213 data flow input unit, 214 contract relationship generation unit, 215 contract relationship input unit, 216 role identification unit, 231 data input information, 232 data flow information, 233 contract relationship information, 234 provision form information, 30 risk identification device, 31 processor, 32 memory, 33 storage, 34 communication interface, 311 risk identification unit, 312 analysis information generation unit, 331 risk information, 332 analysis information, 40 evaluation device, 41 processor, 42 memory, 43 storage, 44 communication interface, 411 risk calculation unit, 412 output unit, 50 transmission path.

Claims (7)

  1.  A privacy risk analysis system comprising:
     a role identification unit that, according to the presence or absence of a contract concerning personal data between two entities that are in a providing relationship for the personal data, the entity that determines the purpose of use of the personal data, and the matching status of the purposes of use of the personal data at the two entities, takes each of the two entities as an identification target and identifies the role of the target entity; and
     a risk identification unit that identifies a risk action of the target entity based on the role of the target entity identified by the role identification unit.
  2.  The privacy risk analysis system according to claim 1, further comprising
     a risk calculation unit that takes each of the two entities as a calculation target and calculates a risk magnitude for the personal data of the target entity based on the risk action of the target entity identified by the risk identification unit.
  3.  The privacy risk analysis system according to claim 2, wherein
     the role identification unit identifies, for each combination of two entities in a providing relationship for the personal data among a plurality of entities, the roles of the two entities of the target combination, and
     the risk calculation unit takes each of the plurality of entities as a calculation target and calculates the risk magnitude for the personal data of the target entity based on the risk actions identified for the target entity in each of the combinations.
  4.  The privacy risk analysis system according to claim 3, wherein
     the risk calculation unit sums the risk magnitudes of each of the plurality of entities to calculate an overall risk, which is the risk magnitude for the plurality of entities as a whole, and calculates the proportion of the overall risk accounted for by the risk magnitude of the target entity as the magnitude of the target entity's responsibility.
  5.  The privacy risk analysis system according to any one of claims 1 to 4, wherein
     the contract is one of entrustment, third-party provision and joint use.
  6.  A privacy risk analysis method in which
     a role identification unit, according to the presence or absence of a contract concerning personal data between two entities that are in a providing relationship for the personal data, the entity that determines the purpose of use of the personal data, and the matching status of the purposes of use of the personal data at the two entities, takes each of the two entities as an identification target and identifies the role of the target entity, and
     a risk identification unit identifies a risk action of the target entity based on the role of the target entity identified by the role identification unit.
  7.  A privacy risk analysis program that causes a computer to function as a privacy risk analysis device that performs:
     role identification processing that, according to the presence or absence of a contract concerning personal data between two entities that are in a providing relationship for the personal data, the entity that determines the purpose of use of the personal data, and the matching status of the purposes of use of the personal data at the two entities, takes each of the two entities as an identification target and identifies the role of the target entity; and
     risk identification processing that identifies a risk action of the target entity based on the role of the target entity identified by the role identification processing.
PCT/JP2019/000155 2019-01-08 2019-01-08 Privacy risk analysis system, privacy risk analysis method, and privacy risk analysis program WO2020144735A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2020558643A JP6914454B2 (en) 2019-01-08 2019-01-08 Privacy risk analysis system, privacy risk analysis method and privacy risk analysis program
PCT/JP2019/000155 WO2020144735A1 (en) 2019-01-08 2019-01-08 Privacy risk analysis system, privacy risk analysis method, and privacy risk analysis program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/000155 WO2020144735A1 (en) 2019-01-08 2019-01-08 Privacy risk analysis system, privacy risk analysis method, and privacy risk analysis program

Publications (1)

Publication Number Publication Date
WO2020144735A1 (en) 2020-07-16

Also Published As

Publication number Publication date
JPWO2020144735A1 (en) 2021-02-18
JP6914454B2 (en) 2021-08-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19908358; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2020558643; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19908358; Country of ref document: EP; Kind code of ref document: A1)