GB2549786A - A system and method for storing and controlling access to behavioural data - Google Patents

Info

Publication number: GB2549786A
Authority: GB (United Kingdom)
Application number: GB1607522.8A
Other versions: GB201607522D0 (en)
Inventor: Snelling David
Original assignee: Fujitsu Ltd
Current assignee: Fujitsu Ltd
Legal status: Withdrawn
Prior art keywords: data, personalised, user, registration, behavioural

Application filed by Fujitsu Ltd
Priority to GB1607522.8A
Publication of GB201607522D0
Publication of GB2549786A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

A system stores and controls access to anonymised personalised behavioural data, such as activity data, at a data engine. A registration token generator generates anonymous registration tokens and makes them available to individuals; each registration token represents an authorisation for registration of one or more individuals as system users by the data engine. A service provider proxy anonymously receives one of the generated registration tokens from an individual and authenticates the received registration token with the registration token generator; upon successful authentication, it anonymously registers the individual with the data engine as a system user by obtaining an anonymous user ID for the system user and providing the anonymous user ID to the system user and to the data engine. An access controller receives data requests for specified anonymised personalised behavioural data stored by the data engine's data store, and replies with the anonymised personalised behavioural data specified in a received data request that specifies the anonymous user ID.

Description

A System and Method for Storing and Controlling Access to Behavioural Data
The present invention lies in the field of systems for storing and controlling access to behavioural data. In particular, the invention relates to the controlling of access to anonymised personalised behavioural data, and the provision of services utilising said data to a user.
Protocols and schemes exist for generating, personalising, storing, and accessing data which represent actions of an individual in everyday living. A user is able to register for a service with a service provider, which service provider processes data generated by or on behalf of the user as a service. Results may be provided to the user or to a third party.
Such schemes are designed to allow everyone to safely benefit from increased computing capabilities, for example by allowing mobile devices to access services provided by cloud networks when dealing with behavioural data.
Because storing this kind of very detailed personal information is hugely sensitive, it is desirable to enable the user to remain anonymous. Therefore, frameworks involve several parties, in order to enable personalised data to be stored by a party that is ignorant of the identity of the persona whose behaviour (or activity) the data represent, whilst other parties may query the data and process the data as a service to said persona.
In such frameworks, data is stored at a data engine, and a service user about whom personalised data is stored at the data engine cannot be identified by the data engine. This is beneficial because the data so stored cannot be attributed to the service user and therefore is anonymous in its stored state.
Because of the split in the ecosystem, i.e. data engine and service provider must be separate entities (in order to ensure that the service user cannot be identified at the data engine), the ecosystem is restricted in the flexibility of implementation. For example, a service provider without the expertise to design and build complex human behavioural applications cannot easily enter the ecosystem. Conversely, a data engine (or entity providing a data engine) with all the skills to develop human behavioural centric applications cannot enter the ecosystem due to the rules set out to protect the user’s privacy.
Embodiments include a system for storing and controlling access to anonymised personalised behavioural data at a data engine, the system comprising: the data engine; a registration token generator configured to generate anonymous registration tokens and to make the generated registration tokens available to individuals, each registration token representing an authorisation for registration of one or more individuals as system users by the data engine; one or more service provider proxy apparatuses, each configured, for the or each of one or more individuals: to anonymously receive one of the generated registration tokens from an individual, to authenticate the received registration token with the registration token generator, and, conditional upon the authentication being successful, to anonymously register the individual with the data engine as a system user, by obtaining an anonymous user ID for the system user, and providing the anonymous user ID to the system user and to the data engine; the data engine receiving the anonymous user ID and registering the received anonymous user ID as a system user; the data engine further comprising a data store and an access controller, and being configured to receive the anonymised personalised behavioural data of registered system users and to store the received anonymised personalised behavioural data in the data store; the access controller being configured to receive data requests for specified anonymised personalised behavioural data stored by the data store from the one or more service provider proxy apparatus, and to reply with anonymised personalised behavioural data specified in the received data request on condition of the received data request specifying the anonymous user ID with which the specified anonymised personalised behavioural data are anonymously personalised.
Advantageously, the registration token provides a mechanism for the individual to register as a system user without the service provider proxy apparatus knowing the identity of the individual. Possession of the registration token by the individual is in itself a validation of the credentials of the individual. In this way, a service provider, that is, an entity wanting to provide services (behavioural data processing services) to individuals but which does not have the expertise to provide the apps/software/services to do so, can simply obtain registration tokens to distribute to individuals. The service provider proxy apparatus is a separate entity from the service provider, and is a service/application/apparatus provided by a third party (neither the individual nor the service provider). The service provider proxy apparatus may be operated by, or run software provided by, the same entity as the data engine. The separation of the service provider and the service provider proxy apparatus means that the anonymity of the service user at the data engine is not compromised.
Where entities are specified as separate parties/entities the entities may also be considered to be separate legal entities, independent entities, and/or independent legal entities. The separate entities are in distinct computing environments from one another, albeit in data communication with one another over the internet or some other data connection via encrypted connections. Each separate entity has distinct security infrastructure so that a security breach at one entity does not compromise the remaining entities.
The service provider proxy apparatus may be implemented as an application or program running on a communications device such as a mobile phone or tablet. The service provider proxy apparatus has the processing capability to coordinate interaction between the individual, the token generator, and the data engine.
The service provider proxy apparatus may be configured to register the individual with the data engine as a service user by transmitting the registration token received from the user and the obtained anonymous user ID to the data engine. For example, the registration token may be provided to the individual by a service provider, and the individual then inputs the registration token to the service provider proxy apparatus. The registration token represents an authorisation for registration, wherein representing an authorisation for registration is an indication that the data engine is configured to accept the registration token as verification that the individual is authorised for registration as a system user, and hence that the data engine should store behavioural data anonymously personalised with the anonymous user ID received with (associated with/corresponding to/obtained in response to) the registration token. The registration token may be transmitted to the registration token generator for authentication, and to the data engine for registration.
The registration tokens are anonymous. That is to say, the registration token does not identify an individual using the registration token. The registration token provides the individual with anonymous access to the service provider proxy apparatus. The registration token may be used on an ongoing basis as a key by which the system user is able to access the service provided by the service provider proxy apparatus. The system user is anonymous to the service provider proxy apparatus. Once the anonymous user ID has been obtained on behalf of the individual and provided to the individual, the individual (who is by now registered with the data engine and hence a system user) may use the anonymous user ID as a key by which to access the service provided by the service provider proxy apparatus. Optionally, the registration token generator is a component of the data engine. A registration token may be, for example, a code, in which information is encoded. The terms token and registration token are used interchangeably in this document.
The anonymous user ID may be provided by an ID generating apparatus, such as an identity issuing authority, which is a separate entity from the control provider, the data engine, the individual, and the service providers. The anonymous user ID may be referred to as an anonymised user ID.
The anonymous user ID is unique, so that no two individuals are allocated the same anonymous user ID. The ID generation apparatus may be configured to execute an irreversible hash function to map a submitted request (from a service provider proxy apparatus), which may be unique in a request space, for example numbered, onto a much larger anonymous user ID space (i.e. no two requests lead to the same anonymous user ID). A random element may be included in the generation of the anonymous user ID from the submitted personal identifying information. The request for an anonymous user ID made by the service provider proxy apparatus may be termed an anonymised request, and may be generic. In such cases, for example, it may be that the ID generation apparatus extracts time and/or date information from a system clock at the time of generation of the anonymous user ID in response to the received request, and that an irreversible hash function is used which precludes any two different instances of extracted time and/or date information from mapping to the same anonymous user ID.
From the user’s perspective, behavioural data representing the user’s own behaviour can be personalised with a non-identifying (i.e. anonymised) user ID that prevents the physical or legal identity that is the user from being identified. Therefore, the user can upload those behavioural data to the data engine at which they are accessible to one or multiple service provider proxy apparatus without risk of the behavioural data being attributed to the user (i.e. by naming). Thus, the user can benefit from the services of one or more service provider proxy apparatuses which make use of the behavioural data personal to the user, without the user being identifiable.
Behavioural data may represent a measured physical property of the user, or may represent an interaction of the user with infrastructure acting as a source of behavioural data. For example, behavioural data may represent an interaction of the user with a device configured to submit data representing the interaction to the data engine, for example in a data structure which associates the data representing the interaction with the anonymous user ID of the user. The behavioural data are personalised by being linked or associated with a persona, the persona being the user represented by the anonymous user ID. Therefore, the behavioural data stored by the data store are personalised insofar as they are linked to or associated with or attributable to a persona, albeit a persona represented only by an anonymous user ID and thus a persona which can only be linked to an individual user by an entity knowing the mapping of anonymous user ID to user identity. Behavioural data may also be referred to as activity data.
The access controller is configured to control access to the personalised behavioural data by requiring that data access requests from service providers specify the anonymous user ID with which the behavioural data are personalised in order to access the behavioural data.
The access controller is configured to make stored personalised behavioural data accessible to service providers upon receipt of a request for data from one of the service provider proxy apparatuses specifying the anonymous user ID with which the requested data are anonymously personalised. The access controller is configured only to accept data requests for the behavioural data anonymously personalised with a particular anonymous user ID from service provider proxy apparatuses, and may be configured to verify that the service provider proxy apparatus is authorised by an authorising entity to access the data. The authorising entity may provide an authentication service so that a certificate or signature is included in the data request from the service provider proxy apparatus; the access controller can then submit the certificate or signature to the authorising entity for validation and, upon validation, reply to the service provider proxy apparatus with the requested anonymised personalised behavioural data.
The data request may also be considered to be a data access request or a data read request.
Optionally, the data engine may process the stored anonymised personalised behavioural data in response to a data request. For example, the data engine may be configured to process the anonymised personalised behavioural data requested in the data request and to output a result of the processing to the service provider proxy apparatus, the result including the anonymised personalised behavioural data.
For example, the data engine may be configured to run programs which analyse or otherwise process the stored anonymised personalised behavioural data, so that the form of the anonymised personalised behavioural data included in the reply to the data request is a processed form. Examples of a processed form include images, charts, calendars, timelines, maps etc. Such a processed form may be a screen image for display on the screen of the requesting service provider proxy apparatus. The system user can access the processed form of the data via the service provider proxy apparatus. In that way, the system user receives a behavioural data processing service via the service provider proxy apparatus. Alternatively, the anonymised personalised behavioural data may be stored by the data engine and provided in an unprocessed or “raw” format in reply to a data request, with data processing performed at the service provider proxy apparatus.
It is assumed that a reply to a data request is a transmission to the entity submitting the request.
Optionally, the service provider proxy apparatus is configured to process the anonymised personalised behavioural data received from the data engine in response to the data access request and to anonymously output a result of the processing to the user.
The process performed on the anonymised personalised behavioural data by the data engine or the service provider proxy apparatus may be, for example, a behavioural data processing service, from which outputs are generated and provided to the system user (for example via a website to which the system user can log in using the respective anonymous user ID). The process may include accessing proprietary data held by or otherwise made accessible to the service provider proxy apparatus. The processing entity may be configured to process the anonymised personalised behavioural data of a user by processing the data to generate analysis outcomes such as graphs, charts, tables, and summaries, the analysis outcomes being output to the system user. The processing entity may be configured to process the anonymised personalised behavioural data of a user by processing the data to generate alerts to the user when the processing indicates a health risk to the user.
As a further alternative, the system user may log in, using the anonymous user ID, via an application or to a website or other remote access service run by the service provider proxy apparatus, and the service provider proxy apparatus outputs the processing result to the system user, for example by publishing the processing result to an area of the website/remote access service to which login is required. Login at least requires the anonymous user ID, and may also include password protection.
Anonymously output is taken to mean output in the absence of information revealing the identity of the recipient, the recipient instead being identified by an anonymous user ID.
Optionally, the service provider proxy apparatus is configured to obtain the anonymous user ID on behalf of the user by submitting an ID request corresponding to the received registration token to an ID generation apparatus, and to receive the anonymous user ID in return. Furthermore, the system may include the ID generation apparatus, which is configured to create the anonymous user ID by executing an irreversible process in response to receiving the request, and to output the anonymous user ID to the service provider proxy apparatus.
The request corresponding to the received identifying information may simply be a non-identifying request that is, for example, totally generic, so that all requests are alike at the ID generation apparatus. Alternatively, it may be that some or all information from the token (i.e. the token itself) is included in the request. For example, it may be that the ID generation apparatus uses the token or partial information therefrom to attribute the generation of the anonymous user ID to an entity, in order to maintain a count of generated user IDs per entity, for example for accounting purposes. For example, it may be that an entity (which may be referred to as a service coordinating entity) has a token enabling a prescribed number of anonymous user IDs to be generated (and a prescribed number of system users to be registered at the data engine).
The ID generation apparatus may be realised as a stateless entity and in that case does not retain any record of having generated an anonymous user ID. Alternatively, in order to ensure uniqueness of generated anonymous user IDs, the ID generation apparatus may retain a record of generated anonymous user IDs, and generating an anonymous user ID includes generating an anonymous user ID that does not exist in the record of generated anonymous user IDs.
The system may also include one or more service coordinating entities, each configured to receive one or more registration tokens from the registration token generator, and to distribute the one or more registration tokens to one or more individuals; the registration token generator being configured to make the registration tokens available to individuals by transferring the registration tokens to the one or more service coordinating entities. Furthermore, the or each of the one or more service coordinating entities may be separate entities from the or each of the one or more service provider proxy apparatus, so that the individuals to whom the registration tokens are distributed are identifiable by the service coordinating entities and are anonymous to the service provider proxy apparatuses. A service coordinating entity is an entity to which registration tokens are issued. For example, registration tokens may be exchanged for money or in some other way traded. The service coordinating entity obtains registration tokens on behalf of individuals, so that the individuals can anonymously register with the service provider proxy apparatus and data engine. The service coordinating entity effectively appoints the service provider proxy apparatus as a proxy to provide a service to the individuals. For example, the service coordinating entity (such as an employer) may not have the expertise to provide services based on personalised behavioural data.
In a scenario such as a workplace health improvement scheme, some aspects that people would very much want to address cannot be addressed in an open data system, for example over-drinking (i.e. intake of alcoholic drink) among staff lowering productivity. Uptake of a scheme that monitors employee behaviour by gathering and processing behavioural data representing drinking by individual employees is significantly limited by the lack of true anonymity within existing systems. If anonymity of the system users (in this case the employees) at the data engine is to be ensured, then the service cannot also be provided by the data engine, because the employees need to use personal identifying information to register for the service. Advantageously, by separating the roles of service coordinating entity (in the scenario, the employer) and service provider proxy apparatus, the service coordinating entity can issue registration tokens allowing individuals to register for a service provider proxy apparatus and data engine account. The individuals can register for a service provided by the data engine and the service provider proxy apparatus, the registration being provided by the service coordinating entity, but the service coordinating entity does not need the expertise to provide the service itself, and the anonymity of the service users at the data engine (and service provider proxy apparatus) is assured.
Optionally, the registration token includes information identifying the service coordinating entity to which the registration token was issued by the registration token generator.
For example, the registration token may be a code encoding information identifying the service coordinating entity and/or information indicating an account number at the data engine, the account number belonging to the service coordinating entity. The information identifying the service coordinating entity enables the use of the registration token to be recorded in association with an account associated with the service coordinating entity at the data engine, so that the data engine can track the number of registrations per service coordinating entity. For example, the data engine may disable registrations for tokens identifying the service coordinating entity when a maximum number of registrations is reached.
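The registration flow described above, from token issue through authentication at the proxy and anonymous ID generation to registration at the data engine with a per-entity registration maximum, as an added Python simulation; this is not code from the patent or from Fujitsu. It assumes a token is a random string tagged with the service coordinating entity it was issued to, the stateful (record-keeping) variant of the ID generation apparatus, and illustrative class and method names.

```python
import hashlib
import secrets
import time


class RegistrationTokenGenerator:
    """Issues anonymous registration tokens. A token encodes only the service
    coordinating entity (e.g. an employer) it was issued to, never an individual."""

    def __init__(self):
        self._issued = {}  # token -> service coordinating entity ID

    def issue(self, entity_id: str) -> str:
        token = f"{entity_id}.{secrets.token_hex(8)}"  # entity tag + random part
        self._issued[token] = entity_id
        return token

    def authenticate(self, token: str) -> bool:
        return token in self._issued

    def entity_of(self, token: str) -> str:
        return self._issued[token]


class IDGenerationApparatus:
    """Creates anonymous user IDs by an irreversible process: SHA-256 over a
    request counter, a clock reading and a random element. A record of issued
    IDs guarantees uniqueness (the stateful variant from the description)."""

    def __init__(self):
        self._generated = set()
        self._requests = 0

    def generate(self) -> str:
        # The request is generic: it carries nothing about the individual.
        while True:
            self._requests += 1
            material = f"{self._requests}|{time.time_ns()}|{secrets.token_hex(16)}"
            anon_id = hashlib.sha256(material.encode()).hexdigest()[:32]
            if anon_id not in self._generated:
                self._generated.add(anon_id)
                return anon_id


class DataEngine:
    """Registers anonymous user IDs, counting registrations per service
    coordinating entity and refusing further ones once the maximum is reached."""

    def __init__(self, token_generator: RegistrationTokenGenerator, max_per_entity: int):
        self._tokens = token_generator
        self._max = max_per_entity
        self._per_entity = {}  # entity ID -> registrations used
        self.users = set()     # registered anonymous user IDs

    def register(self, token: str, anon_id: str) -> bool:
        if not self._tokens.authenticate(token):
            return False  # forged or unknown token
        entity = self._tokens.entity_of(token)
        if self._per_entity.get(entity, 0) >= self._max:
            return False  # this entity's registration allowance is exhausted
        self._per_entity[entity] = self._per_entity.get(entity, 0) + 1
        self.users.add(anon_id)
        return True


class ServiceProviderProxy:
    """Registers individuals without learning who they are: it checks the token
    with the generator, obtains an anonymous ID, and registers only that ID."""

    def __init__(self, token_generator, id_generator, engine):
        self._tokens = token_generator
        self._ids = id_generator
        self._engine = engine

    def register_individual(self, token: str):
        if not self._tokens.authenticate(token):
            return None
        anon_id = self._ids.generate()
        if not self._engine.register(token, anon_id):
            return None
        return anon_id  # handed back to the individual as the key for later access


def demo():
    """Constructed scenario: one employer token, maximum of two registrations."""
    generator = RegistrationTokenGenerator()
    engine = DataEngine(generator, max_per_entity=2)
    proxy = ServiceProviderProxy(generator, IDGenerationApparatus(), engine)
    token = generator.issue("employer-A")
    first = proxy.register_individual(token)
    second = proxy.register_individual(token)
    third = proxy.register_individual(token)  # maximum reached -> None
    forged = proxy.register_individual("employer-A.0000000000000000")  # never issued
    return first, second, third, forged, engine.users
```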
Optionally, the data engine is configured to register associations between multiple registered anonymous user IDs and a common group ID, for one or more common group IDs; and the access controller is configured to receive a data request for anonymised personalised behavioural data from one of the one or more service provider proxy apparatuses, the data request specifying a query range, and an anonymous user ID, the access controller being configured to reply to the data request with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with the specified anonymous user ID, and, if the data request also specifies the common group ID, and the specified anonymous user ID is among the different anonymous user IDs registered in association with the common group ID at the data engine, the access controller is configured to also include in the reply data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the other anonymous user IDs registered in association with the common group ID.
Furthermore, the one or more service provider proxy apparatuses may be each configured to submit a group registration request to the data engine, the group registration request specifying the anonymous user ID of a system user and a group ID; the data engine being configured to receive a plurality of said group registration requests from service provider proxy apparatuses, the plurality of said group registration requests specifying, as a group ID, one of the one or more common group IDs, and respective different anonymous user IDs, and to register an association between the specified different anonymous user IDs and the common group ID.
Advantageously, system users can join a ‘Group’ (via the service provider proxy apparatus) without identifying themselves in order to address specific health challenges. Analysis of the system user’s own behaviour may be enhanced by presenting data processing results (i.e. the service provided by the service provider proxy apparatus) with reference to other group members/group averages/group data processing results. Current anonymised personalised behavioural data storage and analysis systems do not provide such functionality.
The access controller is configured to accept the specification of the anonymous user ID in the data request as a key enabling access to data anonymously personalised with the specified anonymous user ID. The access controller is configured to accept the specification of the group ID as a key enabling access to data anonymously personalised with anonymous user IDs having registered associations with the group ID (i.e. group members), with an additional barrier to access being the requirement that the anonymous user ID of an anonymous user ID having a registered association with the group ID (i.e. a group member) is specified in the same data request. Effectively, this limits access to the group data to service provider proxy apparatuses able to access the anonymously personalised behavioural data of a system user belonging to the group (having a registered association of the respective anonymous user ID to the group ID at the data engine).
Optionally, the anonymised personalised behavioural data of the other anonymous user IDs registered in association with the single common group ID (which may be referred to as “other group member anonymised personalised behavioural data” or “other group member data”) may be provided to the service provider proxy apparatus in a modified form. The modified form may replace the anonymous user ID with which the other group member data is anonymously personalised with a corresponding pseudo ID, the pseudo ID enabling the other group member data of the different anonymous user IDs (that have a registered association with the group ID) to be distinguished from one another but not revealing the anonymous user ID. For example, the pseudo ID may simply be “user 1”, “user 2”, and so on, or may be a hash of the anonymous user ID. There is a one-to-one correspondence between anonymous user IDs and pseudo IDs, so that the number of system users whose behaviour is represented by the anonymised personalised behavioural data anonymously personalised with an anonymous user ID having a registered association with the group ID (which data may also be referred to as “all group member anonymised personalised behavioural data”, or “all group member data”) is preserved, and the service provider proxy apparatus can analyse the behavioural data of the system user whose anonymous user ID is specified in the data request (which user may be referred to as the specified user) relative to other system users (specifically other members of the group).
The data engine may process the anonymised personalised behavioural data of all group members in order to generate reports or outcomes representing the group collectively, and optionally also representing the behaviour of individual system users within the group. Where individual system users are represented, it may be that they are identified by pseudo IDs. The reports or outcomes so generated may be provided in reply or response to a group data request.
In particular, the system may further comprise: one or more service coordinating entities, each configured to receive one or more registration tokens from the registration token generator, and to distribute the one or more registration tokens to one or more individuals; the registration token generator being configured to make the registration tokens available to individuals by transferring the registration tokens to the one or more service coordinating entities; the access controller being configured to receive from one of the one or more service coordinating entities a group data request specifying a query range and a group ID, and to reply with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the anonymous user IDs registered in association with the specified group ID, wherein the anonymous user IDs are not derivable from the data included in the reply. The data satisfying the query range may be the reports or outcomes generated by, at the data engine, processing the anonymised personalised behavioural data stored in association with the group ID at the data engine.
In this particular system, a service coordinating entity, which obtains registration tokens on behalf of individuals, is not able to monitor the behaviour of an individual user, but is able to monitor the collective behaviour of a group, by specifying the group ID in a query to the data engine. As above, it may be that the data engine provides the all group member data to the service providing entity with pseudo IDs replacing the anonymous user IDs.
Optionally, upon receipt of the group data request from the service coordinating entity, the access controller is configured to determine the number of anonymous user IDs registered in association with the specified group ID, and to reply with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the anonymous user IDs registered in association with the specified group ID on condition of the number being greater than one and equal to or above a predetermined threshold minimum.
The specification of a predetermined threshold minimum, which may be a configurable setting stored by the access controller, is a mechanism to preserve the anonymity of group members. The fewer members there are in the group, the easier it is to attribute behavioural data to a particular individual.
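The access rules set out above (the anonymous user ID as the key to a user's own data, the membership barrier on group data, pseudo IDs for other group members, the authorised-proxy list and the threshold minimum on a coordinating entity's group query) as an added Python model; this is illustrative code written for this page, not the patent's or Fujitsu's, and the class and field names, the keyed pseudo ID and the sample records are all assumptions.

```python
"""Model of the access controller described above: the anonymous user ID is
the key to a user's own data, group data additionally needs a member's ID in
the same request, other members appear under pseudo IDs, and a coordinating
entity's group query is answered only when the group is large enough."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    anon_id: str                 # anonymous user ID the data are personalised with
    data_type: str               # metadata a query range may constrain
    generated_at: int            # constructed epoch seconds
    payload: Dict[str, Any] = field(default_factory=dict)


QueryRange = Dict[str, Tuple[Any, Any]]   # parameter -> inclusive (low, high)


class DataEngine:
    def __init__(self, min_group_size: int = 3) -> None:
        self.min_group_size = min_group_size    # configurable threshold minimum
        self.registered: Set[str] = set()
        self.authorised_proxies: Set[str] = set()
        self.groups: Dict[str, Set[str]] = {}
        self.store: List[Record] = []
        self._pseudo_key = os.urandom(32)       # engine-local key for pseudo IDs

    def register_user(self, anon_id: str) -> None:
        self.registered.add(anon_id)

    def authorise_proxy(self, proxy_id: str) -> None:
        self.authorised_proxies.add(proxy_id)

    def join_group(self, anon_id: str, group_id: str) -> None:
        if anon_id not in self.registered:
            raise ValueError("only registered anonymous user IDs can join a group")
        self.groups.setdefault(group_id, set()).add(anon_id)

    def store_record(self, rec: Record) -> bool:
        # storage is restricted to data personalised with a registered ID
        if rec.anon_id not in self.registered:
            return False
        self.store.append(rec)
        return True

    def _select(self, anon_ids: Set[str], query: QueryRange) -> List[Record]:
        # a record matches when every constrained parameter lies in its range
        return [r for r in self.store if r.anon_id in anon_ids
                and all(lo <= getattr(r, p) <= hi for p, (lo, hi) in query.items())]

    def pseudo_id(self, anon_id: str, group_id: str) -> str:
        # keyed per engine and per group: one-to-one with the anonymous ID within
        # a group, yet not recomputable by a party that only guesses candidate IDs
        mac = hmac.new(self._pseudo_key, f"{group_id}|{anon_id}".encode(), hashlib.sha256)
        return "user-" + mac.hexdigest()[:16]

    def proxy_request(self, proxy_id: str, anon_id: str, query: QueryRange,
                      group_id: Optional[str] = None) -> Optional[List[Dict[str, Any]]]:
        """Data request from a service provider proxy; None is the null response."""
        if proxy_id not in self.authorised_proxies:
            return None                         # not on the authorised list
        if anon_id not in self.registered:
            return None                         # the anonymous user ID is the key
        if group_id is None:
            return [dict(r.payload, user=anon_id) for r in self._select({anon_id}, query)]
        members = self.groups.get(group_id, set())
        if anon_id not in members:
            return None                         # membership barrier for group data
        return [dict(r.payload, user=anon_id if r.anon_id == anon_id
                     else self.pseudo_id(r.anon_id, group_id))
                for r in self._select(members, query)]

    def group_request(self, group_id: str, query: QueryRange) -> Optional[Dict[str, Any]]:
        """Group data request from a service coordinating entity (no anon ID given)."""
        members = self.groups.get(group_id, set())
        if len(members) <= 1 or len(members) < self.min_group_size:
            return None                         # too few members to stay anonymous
        recs = self._select(members, query)
        return {"member_count": len(members), "record_count": len(recs),
                "records": [dict(r.payload, user=self.pseudo_id(r.anon_id, group_id))
                            for r in recs]}


def build_demo(min_group_size: int = 3) -> DataEngine:
    """Constructed sample: three members of one smart-toaster group plus an outsider."""
    e = DataEngine(min_group_size)
    e.authorise_proxy("proxy-A")
    for u in ("anon-u1", "anon-u2", "anon-u3", "anon-u4"):
        e.register_user(u)
    for u in ("anon-u1", "anon-u2", "anon-u3"):
        e.join_group(u, "group-toaster-7")
    e.store_record(Record("anon-u1", "toast", 1000, {"slices": 2}))
    e.store_record(Record("anon-u2", "toast", 1100, {"slices": 1}))
    e.store_record(Record("anon-u3", "toast", 5000, {"slices": 4}))
    e.store_record(Record("anon-u4", "toast", 1200, {"slices": 3}))
    return e
```

The pseudo ID is keyed rather than a bare hash of the anonymous user ID, so that a party holding a reply and a list of candidate IDs cannot confirm which pseudo ID belongs to whom.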
Optionally, the or each of the one or more service coordinating entities is configured to distribute a common group ID to multiple system users.
Advantageously, the service coordinating entity may wish to set up a group to provide a means to monitor the collective behaviour of group members.
Optionally, the data engine is configured, for each of a plurality of group IDs, to allocate multiple registered anonymous user IDs to the group ID, and to register the association between the group ID and the multiple registered anonymous user IDs; and to inform the service provider proxy apparatus of each of the multiple registered anonymous user IDs of the respective group ID.
For example, the allocation may be random. The data engine may allocate anonymous user IDs to bins by executing a hash function with a number of bins corresponding to the number of group IDs in the plurality of group IDs, with each bin corresponding to a different group ID. In this manner, anonymous user IDs are effectively randomly allocated group IDs. The service provider proxy apparatus providing the service to the system user to which the anonymous user ID belongs is notified of the group ID to which the anonymous user ID is allocated, so that the service provider proxy apparatus can query the group ID and obtain comparable behavioural data, which can be used to enhance the service provided to the system user.
Systems may also include a behavioural data source device configured to interact with plural system users, to generate personalised behavioural data representing the interaction with each of the plural system users, and to transmit the generated personalised behavioural data to an intermediate user device of the respective system user; for each of the plural system users, an intermediate user device configured to receive the generated personalised behavioural data from the behavioural data source device, to anonymously personalise the personalised behavioural data with the anonymous user ID of the respective system user, and to transmit the anonymised personalised behavioural data to the data engine for storage in the data store.
Optionally, the behavioural data source device specifies a group ID, the group ID is included in the generated personalised behavioural data and in the anonymised personalised behavioural data, and the data engine, upon receiving the anonymised personalised behavioural data, is configured to register an association between the anonymous user ID with which the received anonymised personalised behavioural data are anonymously personalised, and the group ID as one of the one or more common group IDs.
Advantageously, plural system users who all use a common behavioural data source device, such as a smart toaster, can link their respective anonymised personalised behavioural data in the data engine with the group ID. The anonymised personalised behavioural data of the group can be accessed by the service provider proxy apparatus of the individual group members so that the service provided to the system user by the service provider proxy apparatus can include a comparison of the system user’s own behaviour with that of the other group members.
Embodiments also include a method in a system for storing and controlling access to anonymised personalised behavioural data at a data engine, comprising: at a registration token generator, generating anonymous registration tokens and making the generated registration tokens available to individuals, each registration token representing an authorisation for registration of one or more individuals as system users by the data engine. The method further comprises, at one or more service provider proxy apparatuses: receiving one of the generated registration tokens from an individual, authenticating the received registration token with the registration token generator, and, conditional upon the authentication being successful, anonymously registering the individual with the data engine as a system user, by obtaining an anonymous user ID for the system user, and providing the anonymous user ID to the system user and to the data engine. The method further comprises, at the data engine: receiving the anonymous user ID and registering the received anonymous user ID as a system user; receiving the anonymised personalised behavioural data of the or each system user and storing the received anonymised personalised behavioural data; and receiving data requests for specified stored anonymised personalised behavioural data from the one or more service provider proxy apparatus, and replying with anonymised personalised behavioural data specified in the received data request on condition of the received data request specifying the anonymous user ID with which the specified anonymised personalised behavioural data are anonymously personalised.
Preferred features of the present invention will now be described, purely by way of example, with reference to the accompanying drawings, in which: FIGURE 1 illustrates a system of an embodiment; FIGURE 2 illustrates a system of another embodiment; FIGURE 3 illustrates a process performed by a system of an embodiment; FIGURE 4 illustrates another process performed by a system of an embodiment; and FIGURE 5 illustrates a hardware configuration of components of the systems.
Figure 1 illustrates a system of an embodiment. The system comprises a data engine 20, which includes a data store 22 and an access controller 24. The system further comprises one or more service provider proxy apparatus 30. It is assumed that, whilst the service provider proxy apparatuses may vary in terms of the particular service that they offer, their precise processing capabilities, geographical locations, and in other implementation details, the discussion in this document of features of a single service provider proxy apparatus 30 applies to the or each of the one or more service provider proxy apparatuses in a system. Similarly, the individual/system user 40 may be discussed singularly, but it is assumed that the discussion applies to plural individuals/system users 40. The system is a system of hardware, and hence the individual/system user 40 is not considered a component part of the system, but is illustrated to demonstrate utility of the system. The system further comprises a registration token generator 26. In Figure 1 the registration token generator 26 is illustrated as a component of the system that is distinct from the data engine 20. This is optional, and the registration token generator 26 may be realised as a component of the data engine 20.
The data engine 20 is configured to register a plurality of system users. The data engine comprises a data store 22 and an access controller 24, and is configured to receive the anonymised personalised behavioural data of the plurality of system users and to store the received anonymised personalised behavioural data in the data store 22. The interconnection between the system user 40 and the data store 22 represents the submission to the data store 22 of anonymised personalised behavioural data representing the behaviour of the system user and anonymously personalised with the anonymous user ID of the system user. Access (read access) to the stored anonymised personalised behavioural data is controlled by the access controller 24. The access controller 24 is configured to receive data requests for specified anonymised personalised behavioural data stored by the data store 22 from the one or more service provider proxy apparatus 30, and to reply with anonymised personalised behavioural data specified in the received data request on condition of the received data request specifying the anonymous user ID with which the specified anonymised personalised behavioural data are anonymously personalised. The interconnection between the service provider proxy apparatus 30 and the access controller 24 represents the transmission of data requests by the service provider proxy apparatus 30 to the access controller 24, and the requested anonymised personalised behavioural data sent in reply by the access controller 24 to the service provider proxy apparatus 30. The interconnection between the access controller 24 and the data store 22 represents the retrieval of requested data by the access controller 24 from the data store 22 for inclusion in a reply to a data request from a service provider proxy apparatus 30.
The data engine 20 may be realised by a single server or by a network of servers. In particular, the access controller 24 may be a single server, with the data store 22 being a plurality of interconnected storage units. Alternatively, the access controller 24 may be a service performed by a plurality of data storage servers operating in cooperation with one another, and thus the plurality of data storage servers are the data engine 20, performing the function of both the data store 22 and the access controller 24.
The data engine comprises a secure data store 22. The data engine 20 provides a mechanism for anonymously registering system users (via an anonymous user ID). The identity of a system user 40 is not known to the data engine 20. The data engine 20, upon receipt of an anonymous user ID, and optionally upon validation of the anonymous user ID with an issuing authority such as an ID generation apparatus, is configured to register the anonymous user ID. Registration may be, for example, maintaining a list/register of anonymous user IDs at the data engine, and restricting storage of behavioural data in the data store 22 to behavioural data anonymously personalised with an anonymous user ID on the register. A user account may be created, for example by reserving a dedicated physical storage location on behalf of the registered anonymous user ID in the data store 22. The data engine 20 may store certain configurable settings on behalf of each registered anonymous user ID, which settings may determine how long anonymised personalised behavioural data anonymously personalised with the anonymous user ID are stored for, and optionally how access to them is controlled by the access controller 24.
Once an anonymous user ID is registered (as representing a system user), the data engine 20 is configured to store behavioural data representing the behaviour/activity of the system user in the data store 22. The behavioural data are anonymously personalised with the anonymous user ID. Personalised behavioural data may be written to the data store 22, either via the access controller 24 or via some other interface, at the request of an individual and possibly via a behavioural data source device and/or an intermediate device connectable to the data engine 20, for example, via the internet. The data engine 20 includes a mechanism for receiving anonymised personalised behavioural data, verifying that the anonymous user ID with which the anonymised personalised behavioural data are anonymously personalised has been registered at the data engine 20 as representing a system user, and writing the received anonymised personalised behavioural data to the data store 22. The anonymised personalised behavioural data are stored in the data store in a manner in which the anonymous user ID with which they are anonymously personalised is part of the data, for example, as metadata.
The anonymised personalised behavioural data may be stored by the data engine 20 in association with metadata specifying a value of one or more parameters from among data receipt time, data generation time, data generation location, data type, activity, data generation device model information. A data range or query range specified by or otherwise included in a data request from a service provider proxy apparatus 30 may be a specified range of values of at least one of the one or more parameters, the reply to the data query including all anonymised personalised behavioural data anonymously personalised with the specified anonymous user ID and being stored in association with a value of the at least one parameter falling within the respective specified range.
The one or more storage units forming the data store 22 are a controlled access environment, meaning that parties wishing to access the data stored therein must authenticate themselves, for example, using passwords, authentication codes, or other techniques. In that way, the data engine 20 is able to control which parties can access the personalised behavioural data stored in the data store 22, and in particular can restrict access only to authorised service provider proxy apparatuses 30. Furthermore, the access controller 24 is configured to restrict access so that even authorised service providers that have passed authentication can only access particular personalised behavioural data if the anonymous user ID with which those particular personalised behavioural data are personalised is known by the service provider proxy apparatus 30 and submitted in a data request. The anonymous user ID is therefore utilised by the access controller 24 as a key by which to grant access to behavioural data (anonymously personalised with the user ID) stored by the data store 22, with the optional further condition being authentication of the data request as being from an authorised service provider proxy apparatus 30. The data engine 20, or a higher system authority, may maintain a list of authorised service provider proxy apparatuses 30.
The access controller 24 may provide an interface for data requests from service provider proxy apparatuses 30. Each data request may specify a data range (which may also be referred to as a query range) in addition to the anonymous user ID, the data range defining a range of a particular parameter of or pertaining to the data that is to be included in the reply to the data request. The available parameters are implementation-specific, but may be, for example, the date at which the anonymised personalised behavioural data are generated or uploaded to the data engine, a specific activity which the anonymised personalised behavioural data represent, or some other limitation on the anonymised personalised behavioural data anonymously personalised with the specified anonymous user ID that are to be included in the reply to the data request.
The data engine may be configured to execute processing on stored anonymised personalised behavioural data, and to output the result of the processing as the reply to a data request from a service provider proxy apparatus. The anonymised personalised behavioural data are included in the result of the processing, but may be presented, for example, in the form of a graph, chart, image, timeline, or in some other way.
As a particular example of the functionality of the access controller 24, the access controller 24 may be configured to maintain a list of service provider proxy apparatuses 30 authorised to access the data store 22, to determine whether or not a received data request is from one of the listed service provider proxy apparatuses 30, and if not, to block the data request (i.e. provide either no response or a null response). The list provides a mechanism to keep track of service provider proxy apparatuses 30 that are granted access to data stored by the system. An authentication scheme such as a PKS may be used to verify that requests originate from the service provider proxy apparatuses 30 that they purport to. Service provider proxy apparatuses 30 can be added to and removed from the list according to agreements with the body responsible for operating the system. In other words, the service provider proxy apparatuses 30 are registered with the data engine 20, and the data engine 20 can authenticate the origin of the data access request, verify that the origin is a registered service provider proxy apparatus 30, and reply with anonymised personalised behavioural data from the data store 22 only in the event of successful validation.
The registration token generator 26 is configured to generate anonymous registration tokens and to make the generated registration tokens available to individuals, each registration token representing an authorisation for registration of one or more individuals 40 as system users 40 by the data engine 20. The illustrated interconnection between the registration token generator 26 and the individual 40 represents the registration token generator making a generated registration token available to the individual 40. It may be that the making available is via an intermediate entity such as a service coordinating entity.
The registration token generator 26 may be embodied as a computing apparatus such as a server or a network of servers operating in cooperation with one another. The registration token generator 26 may be a component of the data engine 20. The registration token generator 26 is authorised by the service provider proxy apparatuses 30 and by the data engine 20 to generate registration tokens that the service provider proxy apparatus 30 will recognise as an instruction to carry out a process on behalf of an individual 40 submitting the registration token to the service provider proxy apparatus 30. The illustrated interconnection between the service provider proxy apparatus 30 and the individual 40 represents the individual 40 submitting the registration token to the service provider proxy apparatus 30. The illustrated interconnection between the service provider proxy apparatus 30 and the individual 40 also represents the anonymous user ID obtained on behalf of the individual 40 by the service provider proxy apparatus 30 being provided to the system user 40, noting that the providing may be to a user communication device (which may also be referred to as an intermediate user device). The registration token also entitles the individual 40 to register for a service provided by the service provider proxy apparatus 30, for which registration the anonymous user ID obtained by the service provider proxy apparatus 30 is identifying information (i.e. identifying the individual 40 as a system user, not revealing the identity of the system user 40). The anonymous user ID is registered at the data engine 20 via the service provider proxy apparatus 30, and therefore the registration token also entitles the individual 40 to store behavioural data, anonymously personalised with the respective anonymous user ID, at the data engine 20.
Authentication of the registration token by the service provider proxy apparatus 30 may be conducted by submitting the received registration token, or information derived therefrom, to the registration token generator 26. The illustrated interconnection between the service provider proxy apparatus 30 and the registration token generator 26 represents the transfer of the received token by the service provider proxy apparatus 30 to the registration token generator 26, and the transfer of the result of the authentication from the registration token generator 26 to the service provider proxy apparatus 30. As an alternative, it may be that the service provider proxy apparatus 30 is able to authenticate the received (from the individual 40) registration token, for example, using an authentication script generated by the registration token generator 26. The registration token generator 26 may, for example, be configured to confirm the provenance of the registration token (as being from the registration token generator 26) and optionally to inform the service provider proxy apparatus 30 of an account to which the registration is attributable. For example, certain legal entities (service coordinating entities) may have accounts for a certain number of users with the data engine 20 (i.e. to have the data engine 20 store and process anonymised personalised behavioural data on behalf of the users) and hence the registration token generator may generate tokens that contain information allowing the registration token (or the individual submitting the registration token) to be allocated to a particular account.
The service provider proxy apparatus 30 is configured to perform a process in response to receiving a registration token from an individual 40, the process including the obtaining of an anonymous user ID on behalf of the user, and the registering of the anonymous user ID with the data engine 20 so that the individual 40 becomes a system user 40.
The service provider proxy apparatus 30 is configured to register the obtained anonymous user ID with the data engine 20. The data engine 20 is configured to receive and store anonymised personalised behavioural data anonymously personalised with registered anonymous user IDs only. In other words, the storage of anonymised personalised behavioural data received by the data engine is conditional upon the anonymous user ID with which the anonymised personalised behavioural data are anonymously personalised being registered (as belonging to a system user) at the data engine 20.
The service provider proxy apparatus may be, for example, an application or other software running on a mobile phone or other communications device. The service provider proxy apparatus provides a portal for interaction between the system user, the token generator, and the data engine. Processing of anonymised personalised behavioural data as a service to the user may be performed by the service provider proxy apparatus, by the data engine, or by both entities in cooperation with one another.
The generated registration tokens may include encrypted and/or encoded information. For example, a generated registration token may reference (via encrypted data) a particular account at the data engine 20, so that the registration of the individual 40 is linked to the particular account at the data engine 20, for example, an account held by an organisation (such as the employer of the individual 40). The generated registration token may reference (via encrypted data) a particular account with the service provider proxy apparatus 30, so that the registration of the individual 40 at the data engine 20 by the service provider proxy apparatus 30 is linked to the particular account.
Registration tokens may be tied to a particular data engine or a particular data engine processing service, so that a registration token entitles an individual in possession of the registration token to register as a system user with the particular data engine and to initiate provision of a service to the system user by the data engine. A registration token may be considered to be a manifestation of a user licence, the user licence being for the data engine and the service provider proxy apparatus.
Data exchange over the internet or other network between entities of the system and/or entities external to the system may be encrypted.
The service provider proxy apparatus 30 is configured, for the or each of one or more individuals, to anonymously receive a registration token from the individual 40, to authenticate the received registration token with the registration token generator 26, and, conditional upon the authentication being successful, to anonymously register the individual 40 with the data engine as a system user 40, by obtaining an anonymous user ID with which the system user 40 can anonymously personalise behavioural data, and providing the anonymous user ID to the system user 40 and to the data engine 20 for registration. For example, authentication may be achieved by watermarking, by signature verification, or by maintaining a list of generated registration tokens at the registration token generator.
The service provider proxy apparatus 30 is apparatus providing ongoing data services to system users 40 (for example, by providing a system user with the result of data processing performed by the data engine), and providing an interface and functionality to register individuals as system users (via an anonymous registration token). The service provider proxy apparatus 30 is illustrated as distinct from the data engine 20, however, the service provider proxy apparatus 30 may be an application developed by the same organisation responsible for the data engine 20. The service provider proxy apparatus 30 may be a server connectable to the data engine 20 via a network, for example the internet, over a connection that may be encrypted. A PKS system or alternative may be operated on behalf of the data engine 20 to authenticate the identity of the service provider proxy apparatus 30. The service provider proxy apparatus 30 is apparatus providing access to behavioural data-based services to system users 40. The service provider proxy apparatus 30 possesses a mechanism for registering system users 40 (via an anonymous registration token), a mechanism for accessing the data stored in the data store 22 (via the access controller 24), and a mechanism for either processing the accessed data or for obtaining processing results of the data from the data engine, and for outputting the result of said processing either to another service provider proxy apparatus 30, to the system user 40, or to some other destination.
Figure 2 illustrates a system of an embodiment. There are certain features present in the system of Figure 2 that are not illustrated in Figure 1: (i) The registration token generator 26 is included as a component of the data engine 20; (ii) The system includes an ID generation apparatus 12; (iii) The system includes a service coordinating entity 50; (iv) The system includes a behavioural data source device 42; (v) The system includes an intermediate user device 44.
Although the features (i) to (v) are illustrated in combination in Figure 2, they are independent of one another, and none, any, all, or any combination, of features (i) to (v) may be included in embodiments.
Like reference numerals indicate the commonality of system components between illustrated embodiments. The discussion of the system illustrated in Figure 2 is restricted to those features differing from the Figure 1 system.
(i) The registration token generator 26 is a component of the data engine 20. A single apparatus is therefore configured to store the data, control access to the data, and generate registration tokens for registering system users with the data engine 20 and the service provider proxy apparatus 30. The service provider proxy apparatus 30 may be a mobile phone or other user communication device running an application or program provided by the same organisation or legal entity as the data engine 20.
(ii) The ID generation apparatus 12 is configured to receive a request for an anonymous user ID from a service provider proxy apparatus 30, the request being an anonymised request for an anonymous user ID from the service provider proxy apparatus 30; that is to say, the identity of the individual 40 is not known to the service provider proxy apparatus 30 or to the ID generation apparatus 12. The ID generation apparatus 12 may be configured to respond to the received request by creating an anonymous user ID corresponding to the received request by executing an irreversible process on the received request, and to output the anonymous user ID to the user via the control provider 14.
The ID generation apparatus 12 is a server or other networked computing device that is accessible to the service provider proxy apparatus 30 and to the data engine 20, for example, over a secure network. The service provider proxy apparatus 30 may be certified with the ID generation apparatus 12. The ID generation apparatus 12 may be accessible to more than one service provider proxy apparatus 30, so that more than one different entity (for example, plural mobile phone devices) can fulfil the role of service provider proxy apparatus 30. The server performing the role of ID generation apparatus 12 has network I/O functionality, a memory, a processor configured to execute a program to realise the ID generation apparatus functionality, and a storage unit configured at least to store the program (in encoded form). The program may be an algorithm that maps a short message (the received request) onto a much larger message space (representing the anonymous user IDs) using a cryptographic hash function. No two received requests will result in the same anonymous user ID, so clashes are avoided. In some embodiments a randomised element may be incorporated so that the mapping of request to a particular anonymous user ID is at least partially randomised and hence not reliably reproducible. The ID generation apparatus 12 may be configured to perform its functionality as a stateless method.
In addition to generating the anonymous user IDs, the ID generation apparatus 12 may provide an authentication or validation service. That is to say, upon receipt of an anonymous user ID for registration as the anonymous user ID of a system user 40, the data engine 20 may be configured to submit the anonymous user ID for validation to a validation service at the ID generation apparatus 12. The validation service may generate a validation success or validation failure message in response to the submission of the anonymous user ID, in dependence upon the outcome of validation. The validation is a process for verifying that the anonymous user ID was generated by the ID generation apparatus 12.
(iii) It may be that the making available of the registration token by the registration token generator is via an intermediate entity such as a service coordinating entity 50. The service coordinating entity 50 may also be referred to as a service provider, since the service coordinating entity 50 is responsible for obtaining the registration tokens from the registration token generator 26 on behalf of individuals 40, thus enabling the individuals 40 to become system users 40, and thus to receive a behavioural-data-based service from the data engine 20 via the service provider proxy apparatus 30. The system users 40 generate behavioural data and submit the behavioural data in an anonymously personalised format to the data store 22, at which it can be processed as a service, the result of the processing being accessible by the service provider proxy apparatus 30, in order to provide the result of the processing to the system user 40 as a service.
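The registration flow described above for the registration token generator, the service provider proxy apparatus and the ID generation apparatus (token authentication by signature and by a list of issued tokens, a randomised irreversible mapping from request to anonymous user ID, and stateless validation by the data engine before it registers the ID), as an added Python example. It is not the patent's or Fujitsu's code; the HMAC-based token and ID layouts, the single-use rule, the key values and all class and account names are assumptions made for the example.

```python
"""End-to-end anonymous registration: a token generator issues single-use
tokens tied to an account, a service provider proxy authenticates one, obtains
an anonymous user ID from the ID generation apparatus, and the data engine
validates that ID statelessly before registering it."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Set


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> Optional[bytes]:
    try:
        return base64.urlsafe_b64decode(text.encode())
    except (ValueError, TypeError):
        return None


class RegistrationTokenGenerator:
    """Token layout (assumed): token_id(12) || account_ref || HMAC-SHA256(32)."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._issued: Dict[bytes, str] = {}     # list of generated tokens
        self._redeemed: Set[bytes] = set()

    def generate(self, account_ref: str) -> str:
        token_id = os.urandom(12)               # random: carries no identity
        body = token_id + account_ref.encode()
        self._issued[token_id] = account_ref
        return _b64(body + hmac.new(self._key, body, hashlib.sha256).digest())

    def authenticate(self, token: str) -> Dict[str, object]:
        """Confirms provenance, issuance and single use; reports the account."""
        raw = _unb64(token)
        if raw is None or len(raw) < 12 + 32:
            return {"ok": False, "account": None, "reason": "malformed"}
        body, mac = raw[:-32], raw[-32:]
        if not hmac.compare_digest(mac, hmac.new(self._key, body, hashlib.sha256).digest()):
            return {"ok": False, "account": None, "reason": "bad signature"}
        token_id = body[:12]
        if token_id not in self._issued:
            return {"ok": False, "account": None, "reason": "not issued here"}
        if token_id in self._redeemed:
            return {"ok": False, "account": None, "reason": "already redeemed"}
        self._redeemed.add(token_id)
        return {"ok": True, "account": self._issued[token_id], "reason": "ok"}


class IDGenerationApparatus:
    """Maps an anonymised request onto an anonymous user ID; keeps no state."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def generate(self, request: bytes) -> str:
        salt = os.urandom(16)                   # randomised element: not reproducible
        digest = hashlib.sha256(salt + request).digest()   # irreversible mapping
        body = salt + digest
        tag = hmac.new(self._key, body, hashlib.sha256).digest()[:16]
        return _b64(body + tag)

    def validate(self, anon_id: str) -> bool:
        """Stateless check that this apparatus produced the ID (no list kept)."""
        raw = _unb64(anon_id)
        if raw is None or len(raw) != 16 + 32 + 16:
            return False
        body, tag = raw[:-16], raw[-16:]
        return hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()[:16])


class DataEngine:
    def __init__(self, id_apparatus: IDGenerationApparatus) -> None:
        self._ids = id_apparatus
        self.registered: Set[str] = set()

    def register(self, anon_id: str) -> bool:
        # registration only after the issuing authority validates the ID
        if not self._ids.validate(anon_id):
            return False
        self.registered.add(anon_id)
        return True


class ServiceProviderProxy:
    def __init__(self, generator, id_apparatus, engine) -> None:
        self.generator, self.id_apparatus, self.engine = generator, id_apparatus, engine

    def register_individual(self, token: str) -> Optional[str]:
        """Returns the anonymous user ID handed back to the individual, or None."""
        auth = self.generator.authenticate(token)
        if not auth["ok"]:
            return None
        # the request sent to the ID apparatus is a fresh nonce: no identity in it
        anon_id = self.id_apparatus.generate(os.urandom(16))
        return anon_id if self.engine.register(anon_id) else None


def build_demo():
    """Constructed deployment with one generator, one ID apparatus, one engine."""
    gen = RegistrationTokenGenerator(b"constructed-token-key")
    ids = IDGenerationApparatus(b"constructed-id-key")
    engine = DataEngine(ids)
    return gen, ids, engine, ServiceProviderProxy(gen, ids, engine)
```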
In other words, the service coordinating entity 50 is a party seeking to provide a service to individuals 40, and (by the obtaining and distribution of registration tokens) enlisting the service provider proxy apparatus 30 to enable the system user to access the service, which service is in turn provided by the data engine 20. The service coordinating entity 50 cannot access individual data (i.e. behavioural data attributable to a single system user) from the data engine 20; however, in certain embodiments the service coordinating entity 50 is able to obtain behavioural data representing the behaviour of a group (of more than one) of system users 40.

(iv) & (v) The anonymised personalised behavioural data are received at the data store 22 from the system user 40; however, the system user 40 may utilise a behavioural data source device 42 to generate the behavioural data recording an interaction between the system user 40 and the behavioural data source device 42, and optionally an intermediate user device 44 to anonymously personalise the generated behavioural data with the anonymous user ID of the system user 40. The behavioural data source device 42 does not necessarily belong to the system user 40, but is configured to generate behavioural data attributable to the system user 40 to represent an interaction with the system user 40, which generated behavioural data are anonymously personalised, either by the behavioural data source device 42 or by an intermediate user device 44, and submitted to the data store 22 for storage.
The service provider proxy apparatus 30 is configured to obtain an anonymous user ID on behalf of the individual 40 and to provide the anonymous user ID to the individual 40. The providing may be by sending a message to the individual 40, or by publishing a message in a data location securely accessible by the individual 40. The providing may be by the service provider proxy apparatus 30 providing an intermediate user device 44 (which may be a device with which the individual submitted the registration token to the service provider proxy apparatus, and which may be a user communications device) with software configured to cause, when executed, the intermediate user device to anonymously personalise behavioural data stored on the user communications device with the anonymous user ID, and to submit the anonymised personalised behavioural data to the data engine, the behavioural data representing behaviour of the user. Providing with software may mean downloading software from a server to the intermediate user device 44, authorising such a download, or configuring/customising existing software to operate accordingly (i.e. to cause the device to anonymously personalise behavioural data stored on the intermediate user device with the anonymous user ID and to submit the anonymised personalised behavioural data to the data store 22). Optionally, the service provider proxy apparatus 30 and the intermediate user device 44 may be the same device, or may be services realised by software running on the same device.
Figure 3 illustrates an exemplary procedure in a system of an embodiment.
The hardware illustrated in Figure 3 is in accordance with that in Figure 2. An exemplary procedure carried out by the system will be detailed.
In step S1, the service coordinating entity, which in this example is referred to as a service provider 50, provides a token to the individual 40. It is noted that token is used as shorthand for registration token here and elsewhere in this document.
At step S2, the token is submitted to the service provider proxy apparatus 30 by the individual 40. The token contains a reference to account information associated with both the data engine 20 and the ID generation apparatus 12, to allow the service provider proxy apparatus 30 to obtain an anonymous user ID from the ID generation apparatus 12 and register it with the data engine 20 under the service provider's account at the data engine 20.
At step S3, a request for an anonymous user ID is submitted to the ID generation apparatus by the service provider proxy apparatus 30. The individual 40 is anonymous to the service provider proxy apparatus 30, and the request, whilst distinguishable from other requests for anonymous user IDs, does not contain any personal identifying information of the individual 40.
At step S4 the ID generation apparatus 12 responds to the request from the service provider proxy apparatus 30 by transmitting an anonymous user ID and a signature verifying the anonymous user ID to the service provider proxy apparatus 30.
At step S5 the service provider proxy apparatus 30 submits the anonymous user ID to the data engine 20 for registration, so that the data engine 20 will receive (from the individual 40) and store behavioural data anonymously personalised with the anonymous user ID. The registration is conditional upon successful validation in step S6.
At step S6 the data engine 20 validates the anonymous user ID received from the service provider proxy apparatus 30 with the validation service in the ID generation apparatus 12. If the validation is successful, the data engine 20 is notified, and the anonymous user ID is registered with the data engine as belonging to a system user.
At step S7 the service provider proxy apparatus 30 provides the individual 40, as a registered system user, with the anonymous user ID. This providing may be by sending the anonymous user ID to an intermediate user device 44 belonging to the user, the intermediate user device 44 configured to receive behavioural data and format the behavioural data for storage in the data engine 20, in particular anonymously personalising the behavioural data with the anonymous user ID.
The system user 40 interacts with a behavioural data source device 42. At step S8 the behavioural data source device 42 transmits data representing the interaction to the intermediate user device 44 as behavioural data.
By formatting at the intermediate user device 44, the behavioural data becomes anonymously personalised behavioural data, and at step S9 the anonymously personalised behavioural data is transmitted from the intermediate user device 44 to the data engine 20 for storage in the data store 22.
At step S10, the service provider proxy apparatus 30 transmits a query for data to the data engine 20. The query, which may be referred to as a data request, is processed by the access controller 24. The query specifies an anonymous user ID, and the access controller is configured to retrieve from the data store 22 anonymised personalised behavioural data stored by the data store 22 anonymously personalised with the specified anonymous user ID and satisfying the query. At step S11 the retrieved data is sent to the service provider proxy apparatus 30 as a reply to the query. The retrieved data may be in a processed form, as a consequence of processing performed by the data engine 20. Said processing may be executed in response to receiving the query. For example, the processed form may be screen images for display on a user communications device (i.e. the service provider proxy apparatus).
The service provider proxy apparatus 30 either performs analysis of the data received from the data engine 20 and at step S12 outputs a result of the analysis to the individual 40 as a service, or the service provider proxy apparatus 30 receives the data from the data engine in a processed form (for example as a screen image) which is simply displayed, thereby providing a service to the user.
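The ID generation and validation exchange of steps S3 to S6, together with the hash-based ID mapping described for the ID generation apparatus 12 above, as an added example that is not code from the patent or from Fujitsu. The class names, the opaque request, the use of a random nonce with SHA-256, and the HMAC used as the "signature verifying the anonymous user ID" are assumptions made here for illustration; the patent specifies only a cryptographic hash mapping and a signature the data engine can validate. The set of issued tokens stands in for the registration token generator 26 and is constructed sample data.

```python
# Added example (not code from the patent or from Fujitsu): a minimal model of
# steps S3 to S6 of Figure 3. Class names, the request format, the random nonce,
# SHA-256 and the HMAC signature are assumptions made here for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple


class IDGenerationApparatus:
    """ID generation apparatus 12: generates anonymous user IDs and validates them.

    The apparatus keeps no record of issued IDs (a stateless method): validation
    re-computes a keyed hash over the ID and compares it with the signature
    presented by the data engine, so only an ID produced with the apparatus'
    secret key passes.
    """

    def __init__(self, signing_key: Optional[bytes] = None) -> None:
        # Secret known only to the ID generation apparatus (assumption).
        self._key = signing_key or secrets.token_bytes(32)

    def generate(self, request: bytes) -> Tuple[str, str]:
        """Step S4: map the short request onto the 256-bit ID space.

        A fresh random nonce is mixed into the hash, so two identical requests
        yield different IDs and the mapping is not reproducible from the request.
        """
        nonce = secrets.token_bytes(16)
        anonymous_user_id = hashlib.sha256(nonce + request).hexdigest()
        return anonymous_user_id, self._sign(anonymous_user_id)

    def validate(self, anonymous_user_id: str, signature: str) -> bool:
        """Validation service used by the data engine in step S6."""
        return hmac.compare_digest(self._sign(anonymous_user_id), signature)

    def _sign(self, anonymous_user_id: str) -> str:
        return hmac.new(self._key, anonymous_user_id.encode(), hashlib.sha256).hexdigest()


class DataEngine:
    """Data engine 20 with its data store 22; registers IDs only after validation."""

    def __init__(self, id_apparatus: IDGenerationApparatus) -> None:
        self._id_apparatus = id_apparatus
        self.registered: Set[str] = set()
        self._store: Dict[str, List[dict]] = {}

    def register(self, anonymous_user_id: str, signature: str) -> bool:
        """Steps S5/S6: registration is conditional on successful validation."""
        if not self._id_apparatus.validate(anonymous_user_id, signature):
            return False
        self.registered.add(anonymous_user_id)
        return True

    def submit(self, anonymous_user_id: str, record: dict) -> bool:
        """Step S9: accept anonymously personalised data for registered IDs only."""
        if anonymous_user_id not in self.registered:
            return False
        self._store.setdefault(anonymous_user_id, []).append(record)
        return True

    def query(self, anonymous_user_id: str) -> List[dict]:
        """Steps S10/S11: reply with the data personalised with the given ID."""
        return list(self._store.get(anonymous_user_id, []))


class ServiceProviderProxy:
    """Service provider proxy apparatus 30."""

    def __init__(self, id_apparatus: IDGenerationApparatus, engine: DataEngine,
                 issued_tokens: Set[str]) -> None:
        self._id_apparatus = id_apparatus
        self._engine = engine
        # Tokens issued by the registration token generator 26 (constructed sample).
        self._issued_tokens = issued_tokens

    def register_individual(self, token: str) -> Optional[str]:
        """Steps S2 to S7: returns the anonymous user ID handed to the individual."""
        if token not in self._issued_tokens:
            return None  # token authentication failed
        # Step S3: the request is an opaque per-request value; it carries no
        # personal identifying information about the individual.
        request = secrets.token_bytes(16)
        anonymous_user_id, signature = self._id_apparatus.generate(request)
        if not self._engine.register(anonymous_user_id, signature):
            return None
        return anonymous_user_id
```

The point to notice is that the data engine never learns who the individual is, yet it will not register an ID that anyone other than the ID generation apparatus produced, because the keyed hash cannot be forged without the apparatus' key. The token's reference to the service provider's account at the data engine (step S2) is not modelled here; a fuller implementation would bind the signature to that account as well.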
Figure 4 illustrates an exemplary process that may be performed using the system of an embodiment. The individual 40 is a system user registered with the data engine 20 and receiving a personalised service from the data engine 20 via the service provider proxy apparatus 30.
The service coordinating entity 50, optionally in correspondence with the data engine 20 and/or the service provider proxy apparatus 30, determines a unique group ID. The unique group ID does not contain personal identifying information of a system user. For example, the group ID may be “SDHGTR56HG”. The service coordinating entity may publish the group ID to plural system users 40, for example via a website 52. At step S101, the service coordinating entity 50 publishes the group ID to plural system users 40, for example, via an intranet. The group ID may be published in association with a stated behavioural aim, for example, “stop smoking”. At step S102, the system user 40 receives or becomes aware of the group ID, and at step S103 registers their membership of the group with their respective service provider proxy apparatus 30 by submitting the group ID to the service provider proxy apparatus. The service provider proxy apparatus 30 stores the association between the system user 40 (specifically the anonymous user ID of the system user) and the group ID.
At step S104, the service provider proxy apparatus 30 registers the association between the anonymous user ID and the group ID at the data engine 20. The group ID may be a common group ID, that is, plural anonymous user IDs may have a registered association with the same (i.e. common) group ID. The data engine 20 maintains a register of associations between group ID and anonymous user IDs.
An association between a group ID and an anonymous user ID represents membership of the system user to which the anonymous user ID belongs in the group represented by the group ID. Membership of a group is a partial data sharing arrangement, enabling behavioural data of individual group members over time (i.e. progress) to be compared to one another, via the respective service provider proxy apparatuses 30 of group members.
At step S105, the service provider proxy apparatus 30 submits a query to the access controller 24. The query specifies a query range, an anonymous user ID, and a group ID. At step S106 the access controller 24 obtains from the data store 22, and replies to the query with, anonymised personalised behavioural data within the query range anonymously personalised with the specified anonymous user ID. For example, the query may also initiate the data engine 20 to process the anonymised personalised behavioural data as a service, the result of the processing being an image for display to the user by the service provider proxy apparatus 30. The access controller 24 also obtains from the data store 22, and replies to the query with, a version of the anonymised personalised behavioural data within the query range for other (i.e. other than the specified anonymous user ID) anonymous user IDs having a registered association with the group ID. The data engine 20 may be configured, in response to the query, to process the anonymised personalised behavioural data of all anonymous user IDs having a registered association with the group ID. For example, the processing may generate a result or outcome of the data collectively, in which result or outcome the anonymised personalised behavioural data of individual system users are indistinguishable from one another. The result or outcome may mask the anonymous user ID from the data, or may replace the anonymous user ID with a pseudo ID.
An optional extension to the process is illustrated as steps S107 and S108. These steps may be performed instead of or in addition to steps S105 to S106. At step S107, the service coordinating entity 50, which does not have knowledge of any anonymous user IDs, submits a query to the access controller 24. The query specifies the group ID, and may also specify a query range. At step S108, the access controller 24 obtains from the data store 22, and replies to the query with, a version of the anonymised personalised behavioural data within the query range for anonymous user IDs having a registered association with the group ID. The access controller may mask the anonymous user IDs from the version of the data provided to the service coordinating entity, or may replace the anonymous user IDs with respective pseudo IDs. The reply to the query may be conditional on a minimum number of anonymous user IDs having a registered association with the group ID, since anonymity may be compromised by group data for a small group. The minimum number may be a predetermined setting at the data engine 20.
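The group register of step S104 and the two query paths of steps S105 to S108, as an added example that is not code from the patent or from Fujitsu. The record layout (a day number and a step count), the sample anonymous user IDs and data, the keyed-hash pseudo ID and the minimum group size used here are constructed assumptions; the patent only states that the reply may mask or pseudonymise the anonymous user IDs and may be withheld for groups below a predetermined minimum size.

```python
# Added example (not code from the patent or from Fujitsu): a model of the access
# controller 24 handling the group queries of steps S104 to S108 of Figure 4.
# The record layout, the sample data, the keyed-hash pseudo ID and the minimum
# group size are constructed assumptions for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


class AccessController:
    """Access controller 24 in front of data store 22, plus the group register."""

    def __init__(self, min_group_size: int = 5) -> None:
        self._store: Dict[str, List[dict]] = {}     # anonymous user ID -> records
        self._groups: Dict[str, Set[str]] = {}      # group ID -> member anonymous user IDs
        self._min_group_size = min_group_size       # predetermined setting at the data engine
        self._pseudo_key = secrets.token_bytes(32)  # secret held by the data engine only

    def store(self, anonymous_user_id: str, record: dict) -> None:
        """Step S9: anonymously personalised data lands in the data store."""
        self._store.setdefault(anonymous_user_id, []).append(record)

    def register_group(self, anonymous_user_id: str, group_id: str) -> None:
        """Step S104: register the association between anonymous user ID and group ID."""
        self._groups.setdefault(group_id, set()).add(anonymous_user_id)

    def proxy_query(self, anonymous_user_id: str, group_id: Optional[str],
                    day_from: int, day_to: int) -> dict:
        """Steps S105/S106: a proxy asks for its own user's data, plus the group's."""
        reply = {"own": self._in_range(anonymous_user_id, day_from, day_to), "group": []}
        members = self._groups.get(group_id, set()) if group_id else set()
        # Group data is only included when the requesting ID is itself a member.
        if anonymous_user_id in members:
            reply["group"] = self._masked(members - {anonymous_user_id}, group_id,
                                          day_from, day_to)
        return reply

    def coordinator_query(self, group_id: str, day_from: int,
                          day_to: int) -> Optional[List[dict]]:
        """Steps S107/S108: the service coordinating entity knows no anonymous user IDs.

        The reply is refused for groups below the minimum size, because group
        data for a very small group could be attributed to its few members.
        """
        members = self._groups.get(group_id, set())
        if len(members) <= 1 or len(members) < self._min_group_size:
            return None
        return self._masked(members, group_id, day_from, day_to)

    def _in_range(self, anonymous_user_id: str, day_from: int, day_to: int) -> List[dict]:
        return [dict(r) for r in self._store.get(anonymous_user_id, [])
                if day_from <= r["day"] <= day_to]

    def _masked(self, members: Set[str], group_id: str,
                day_from: int, day_to: int) -> List[dict]:
        """Replace each anonymous user ID with a pseudo ID that cannot be reversed."""
        out = []
        for member in sorted(members):
            pseudo = self._pseudo_id(member, group_id)
            for record in self._in_range(member, day_from, day_to):
                out.append({"pseudo_id": pseudo, **record})
        return out

    def _pseudo_id(self, anonymous_user_id: str, group_id: str) -> str:
        # Keyed hash: stable within a group, not derivable without the engine's key.
        msg = f"{group_id}:{anonymous_user_id}".encode()
        return hmac.new(self._pseudo_key, msg, hashlib.sha256).hexdigest()[:16]


def build_sample_controller() -> AccessController:
    """Constructed sample data: three members of group SDHGTR56HG and one outsider."""
    ac = AccessController(min_group_size=3)
    sample = {
        "anon-A": [(1, 100), (2, 200), (3, 300)],
        "anon-B": [(1, 110), (2, 210)],
        "anon-C": [(2, 220)],
        "anon-D": [(1, 400)],
    }
    for anon_id, days in sample.items():
        for day, steps in days:
            ac.store(anon_id, {"day": day, "steps": steps})
    for anon_id in ("anon-A", "anon-B", "anon-C"):
        ac.register_group(anon_id, "SDHGTR56HG")
    ac.register_group("anon-D", "SMALLGRP")
    return ac
```

A stable pseudo ID lets group members compare one another's progress over time, which is what the partial data sharing arrangement is for, but it also lets a recipient link one member's records across successive replies; if that linkage is unwanted, derive the pseudo ID from a per-reply key instead. The minimum-size check applies only to the service coordinating entity's path, matching the text; a member querying through its own proxy already has its own data and only sees the other members' records pseudonymised.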
As a particular implementation example, assume a wearables company wants to offer a full fitness tracking service to a government department according to the rules of an ecosystem which provides personalised services to users in a framework that stores personalised data anonymously. The wearables company has all the technology needed to effectively implement the service, i.e. the bands (exemplary of a behavioural data source device) for detecting activity level, the data engine technology for safe behavioural data storage and analysis, and the application development skills to present meaningful data analysis outcomes (as the data processing service) to both the system users and the government department. In this example, the wearables company is the entity providing the data engine, and the government department is the service coordinating entity.
The problem is that in many frameworks for providing personalised behavioural data services, for example the Coelition framework, a single entity cannot be both service provider and data engine. The government department wants to run the service, but does not want the wearables company having any idea who the users actually are.
The government department wants the users to be anonymous at the data engine, but this is not feasible if the users must register with the wearables company in order to have their personalised behavioural data analysed by the wearables company and to receive the analysis outcomes.
In the framework of the embodiments, the wearables company can provide an application (i.e. a service using a service provider proxy apparatus) that, based on a registration token obtained on behalf of the users by their employer (the government department), enables a system user to benefit from the data processing services associated with a service provider in existing models such as the Coelition framework, but provided by the data engine. Therefore, in embodiments, the anonymity of the user at the data engine is maintained in spite of a single entity being responsible for the data storage and processing.
The government department can then create both random teams and goal-specific groups by publishing group IDs, and users could choose to sign up with them on a voluntary basis. As individuals, employees could use feedback to improve their performance against the goals. With large enough groups, individuals and the employer can monitor the progress of the scheme as a whole and the progress of specific groups.
Optionally, the embodiment may be realised as an extended version of the Coelition framework. In such an embodiment, the ID generation apparatus 12 is a Coelition IDA, the anonymised personalised behavioural data are atoms, the anonymous user ID is a ConsumerID, and the data engine is a Coelition compliant data engine.

Figure 5 is a block diagram of a computing device, such as a data storage server, which may implement one or more components of a system of an embodiment, and which may be used to implement a method of an embodiment. The computing device comprises a processor 993 and memory 994. Optionally, the computing device also includes a network interface 997 for communication with other computing devices, for example with other computing devices of invention embodiments.
The data engine 20, service provider proxy apparatus 30, ID generation apparatus 12, service coordinating entity 50, intermediate user device 44 and/or registration token generator 26, may be embodied by one or more computing devices such as that illustrated in Figure 5.
For example, an embodiment may be composed of a network of such computing devices. Optionally, the computing device also includes one or more input mechanisms such as keyboard and mouse 996, and a display unit such as one or more monitors 995. The components are connectable to one another via a bus 992.
The memory 994 may include a computer readable medium, which term may refer to a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) configured to carry computer-executable instructions or have data structures stored thereon. Computer-executable instructions may include, for example, instructions and data accessible by and causing a general purpose computer, special purpose computer, or special purpose processing device (e.g., one or more processors) to perform one or more functions or operations. Thus, the term “computer-readable storage medium” may also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methods of the present disclosure. The term “computer-readable storage medium” may accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media. By way of example, and not limitation, such computer-readable media may include non-transitory computer-readable storage media, including Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices).
The processor 993 is configured to control the computing device and execute processing operations, for example executing code stored in the memory to implement the various different functions of functional components described here and in the claims. The memory 994 stores data being read and written by the processor 993. As referred to herein, a processor may include one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. The processor may include a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets. The processor may also include one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. In one or more embodiments, a processor is configured to execute instructions for performing the operations and steps discussed herein.
The display unit 995 may display a representation of data stored by the computing device and may also display a cursor and dialog boxes and screens enabling interaction between a user and the programs and data stored on the computing device. The input mechanisms 996 may enable a user to input data and instructions to the computing device.
The network interface (network I/F) 997 may be connected to a network, such as the Internet, and is connectable to other such computing devices via the network. The network I/F 997 may control data input/output from/to other apparatus via the network. Other peripheral devices such as microphone, speakers, printer, power supply unit, fan, case, scanner, trackball etc. may be included in the computing device.

A service coordinating entity 50 of Figures 3 to 4 may be (or may operate) a processor 993 executing processing instructions (a program, script, or compiled program) stored on memory 994 and transmitting data via a network I/F in order to provide a registration token to an individual in step S1 of Figure 3. The processor may also execute processing instructions to perform step S101 of Figure 4. The service coordinating entity may also comprise a website 52 of Figure 4 hosted on a web server having a processor 993 executing processing instructions (a program, script, or compiled program) stored on memory 994 and transmitting data via a network I/F, which processor 993 performs the steps S101 and S102 of Figure 4.

A service provider proxy apparatus 30 of Figures 1 to 4 may be a processor 993 executing processing instructions (a program) stored on a memory 994 and exchanging data via a network I/F 997, displaying information to a system user via a display 995, and accepting inputs from the system user via an input 996. In particular, the processor 993 executes processing instructions to receive the registration token at step S2 of Figure 3, to transmit a request for an anonymous user ID to the ID generation apparatus at step S3 of Figure 3, and to receive an anonymous user ID from the ID generation apparatus at step S4 of Figure 3. The processor 993 may also execute processing to submit the anonymous user ID to the data engine 20 at step S5 of Figure 3.
The processor 993 may also execute processing instructions to transmit, via the network I/F 997, a query to the data engine 20 at step S10 of Figure 3. The processor 993 may also execute processing instructions to provide the individual with the anonymous user ID at step S7 of Figure 3. The processor 993 may also execute processing instructions to provide the system user with the processed anonymised personalised behavioural data via, for example, the display 995, at step S12 of Figure 3. The processor 993 may also execute processing instructions to perform the steps S103, S104, S105, and S106 of Figure 4.

A data engine 20 of Figures 1 to 4 may be a processor 993 (or plurality thereof) executing processing instructions (a program) stored on a memory 994 and exchanging data via a network I/F 997. In particular, the processor 993 executes processing instructions to receive, via the network I/F, an anonymous user ID from the service provider proxy apparatus 30 and register the individual as a system user at the data engine in step S5 of Figure 3. Furthermore, the processor 993 may execute processing instructions to transmit, via the network I/F 997, the anonymous user ID to the ID generation apparatus 12 for validation at step S6 of Figure 3. The processor 993 may also execute processing instructions to receive the query at step S10, generate a response to the query by accessing the data store of the memory 994, optionally process the retrieved data on the processor 993, and transmit the result as a reply to the query via the network I/F at step S11 of Figure 3. The processor 993 may also execute processing instructions to perform steps S107 & S108 of Figure 4.
An ID generation apparatus 12 of Figures 2 to 3 may be a processor 993 executing processing instructions (a program, script or compiled program) stored on a memory 994 and exchanging data via a network I/F 997. For example, the processor may execute processing instructions to receive the request and generate the anonymous user ID in response to the request, to transmit the response to the service provider proxy apparatus at steps S3 and S4 of Figure 3, and to execute the validation service at step S6 of Figure 3.

A behavioural data source device 42 of Figures 3 to 4 may be a processor 993 executing processing instructions (a program, script or compiled program) stored on a memory 994 and exchanging data via a network I/F 997. In particular, the processor 993 may execute processing instructions to perform the step S8 of Figure 3 of transmitting to the intermediate user device, via the network I/F, data representing an interaction with the system user.
An intermediate user device 44 of Figures 3 to 4 may be a processor 993 executing processing instructions (a program, script or compiled program) stored on a memory 994 and exchanging data via a network I/F 997, displaying information to a system user via a display 995, and accepting inputs from the system user via an input 996. In particular, the processor 993 may execute processing instructions to perform the step S9 of Figure 3 of anonymously personalising the behavioural data and transmitting them via a network I/F 997 to the data engine 20.
Methods embodying the present invention may be carried out on a computing device such as that illustrated in Figure 5. Such a computing device need not have every component illustrated in Figure 5, and may be composed of a subset of those components. A method embodying the present invention may be carried out by a single computing device in communication with one or more data storage servers via a network. A method embodying the present invention may be carried out by a plurality of computing devices operating in cooperation with one another. One or more of the plurality of computing devices may be a data storage server storing at least a portion of the anonymised personalised behavioural data.

Claims (18)

1. A system for storing and controlling access to anonymised personalised behavioural data at a data engine, the system comprising: the data engine; a registration token generator configured to generate anonymous registration tokens and to make the generated registration tokens available to individuals, each registration token representing an authorisation for registration of one or more individuals as system users by the data engine; one or more service provider proxy apparatuses, each configured, for the or each of one or more individuals: to anonymously receive one of the generated registration tokens from an individual, to authenticate the received registration token with the registration token generator, and, conditional upon the authentication being successful, to anonymously register the individual with the data engine as a system user, by obtaining an anonymous user ID for the system user, and providing the anonymous user ID to the system user and to the data engine; the data engine receiving the anonymous user ID and registering the received anonymous user ID as a system user; the data engine further comprising a data store and an access controller, and being configured to receive the anonymised personalised behavioural data of registered system users and to store the received anonymised personalised behavioural data in the data store; the access controller being configured to receive data requests for specified anonymised personalised behavioural data stored by the data store from the one or more service provider proxy apparatus, and to reply with anonymised personalised behavioural data specified in the received data request on condition of the received data request specifying the anonymous user ID with which the specified anonymised personalised behavioural data are anonymously personalised.
2. A system according to claim 1, wherein the data engine is configured to process the anonymised personalised behavioural data requested in the data request and to output a result of the processing to the service provider proxy apparatus, the result including the anonymised personalised behavioural data.
3. A system according to claim 1, wherein the service provider proxy apparatus is configured to obtain the anonymous user ID on behalf of the user by submitting an ID request corresponding to the received registration token to an ID generation apparatus, and to receive the anonymous user ID in return.
4. A system according to claim 3, further comprising: the ID generation apparatus, which is configured to create the anonymous user ID by executing an irreversible process in response to receiving the request, and to output the anonymous user ID to the service provider proxy apparatus.
5. A system according to any of claims 1 to 4, further comprising: one or more service coordinating entities, each configured to receive one or more registration tokens from the registration token generator, and to distribute the one or more registration tokens to one or more individuals; the registration token generator being configured to make the registration tokens available to individuals by transferring the registration tokens to the one or more service coordinating entities.
6. A system according to claim 5, wherein the or each of the one or more service coordinating entities are separate entities from the or each of the one or more service provider proxy apparatus, so that the individuals to whom the registration tokens are distributed are identifiable by the service coordinating entities and are anonymous to the service provider proxy apparatuses.
7. A system according to claim 5 or 6, wherein the registration token includes information identifying the service coordinating entity to which the registration token was issued by the registration token generator.
8. A system according to any of claims 1 to 7, wherein the data engine is configured to register associations between multiple registered anonymous user IDs and a common group ID, for one or more common group IDs; and the access controller is configured to receive a data request for anonymised personalised behavioural data from one of the one or more service provider proxy apparatuses, the data request specifying a query range, and an anonymous user ID, the access controller being configured to reply to the data request with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with the specified anonymous user ID, and, if the data request also specifies the common group ID, and the specified anonymous user ID is among the different anonymous user IDs registered in association with the common group ID at the data engine, the access controller is configured to also include in the reply data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the other anonymous user IDs registered in association with the common group ID.
9. A system according to claim 8, wherein the one or more service provider proxy apparatuses are each configured to submit a group registration request to the data engine, the group registration request specifying the anonymous user ID of a system user and a group ID; the data engine is configured to receive a plurality of said group registration requests from service provider proxy apparatuses, the plurality of said group registration requests specifying, as a group ID, one of the one or more common group IDs, and respective different anonymous user IDs, and to register an association between the specified different anonymous user IDs and the common group ID.
10. A system according to claim 8 or 9, further comprising one or more service coordinating entities, each configured to receive one or more registration tokens from the registration token generator, and to distribute the one or more registration tokens to one or more individuals; the registration token generator being configured to make the registration tokens available to individuals by transferring the registration tokens to the one or more service coordinating entities; the access controller being configured to receive from one of the one or more service coordinating entities a group data request specifying a query range and a group ID, and to reply with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the anonymous user IDs registered in association with the specified group ID, wherein the anonymous user IDs are not derivable from the data included in the reply.
11. A system according to claim 10, wherein upon receipt of the group data request from the service coordinating entity, the access controller is configured to determine the number of anonymous user IDs registered in association with the specified group ID, and to reply with data satisfying the query range from among the anonymous personalised behavioural data stored by the data store and anonymously personalised with each of the anonymous user IDs registered in association with the specified group ID on condition of the number being greater than one and equal to or above a predetermined threshold minimum.
12. A system according to claim 10 or 11, wherein the or each of the one or more service coordinating entities is configured to distribute a common group ID to multiple system users.
13. A system according to any of claims 8 to 12, wherein the data engine is configured, for each of a plurality of group IDs, to allocate multiple registered anonymous user IDs to the group ID, and to register the association between the group ID and the multiple registered anonymous user IDs; and to inform the service provider proxy apparatus of each of the multiple registered anonymous user IDs of the respective group ID.
14. A system according to any of the preceding claims, further comprising: a behavioural data source device configured to interact with plural system users, to generate personalised behavioural data representing the interaction with each of the plural system users, and to transmit the generated personalised behavioural data to an intermediate user device of the respective system user; for each of the plural system users, an intermediate user device configured to receive the generated personalised behavioural data from the behavioural data source device, to anonymously personalise the personalised behavioural data with the anonymous user ID of the respective system user, and to transmit the anonymised personalised behavioural data to the data engine for storage in the data store.
15. A system according to claim 14, wherein the behavioural data source device specifies a group ID, the group ID is included in the generated personalised behavioural data and in the anonymised personalised behavioural data, and the data engine, upon receiving the anonymised personalised behavioural data, is configured to register an association between the anonymous user ID with which the received anonymised personalised behavioural data are anonymously personalised, and the group ID as one of the one or more common group IDs.
16. A method in a system for storing and controlling access to anonymised personalised behavioural data at a data engine, comprising: at a registration token generator, generating anonymous registration tokens and making the generated registration tokens available to individuals, each registration token representing an authorisation for registration of one or more individuals as system users by the data engine; at one or more service provider proxy apparatuses: receiving one of the generated registration tokens from an individual, authenticating the received registration token with the registration token generator, and, conditional upon the authentication being successful, anonymously registering the individual with the data engine as a system user, by obtaining an anonymous user ID for the system user, and providing the anonymous user ID to the system user and to the data engine; at the data engine: receiving the anonymous user ID and registering the received anonymous user ID as a system user; receiving the anonymised personalised behavioural data of the or each system user and storing the received anonymised personalised behavioural data; receiving data requests for specified stored anonymised personalised behavioural data from the one or more service provider proxy apparatuses, and replying with anonymised personalised behavioural data specified in the received data request on condition of the received data request specifying the anonymous user ID with which the specified anonymised personalised behavioural data are anonymously personalised.
17. Software which, when executed, causes interconnected computing devices to perform a method according to claim 16.
18. A non-transitory computer-readable storage medium storing the software according to claim 17.
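The following is an added worked model of the access-control logic in claims 9 to 11 and 16; it is example code written for this page, not code from the patent or from Fujitsu. It assumes a constructed record schema ({"t": timestamp, "value": reading}), a query range expressed as a closed timestamp interval, random hex strings as registration tokens and anonymous user IDs, and class and method names (RegistrationTokenGenerator, DataEngine, ServiceProviderProxy, group_data_request, and so on) chosen here for illustration. It shows the three checks the claims describe: a registration token must authenticate before an anonymous user ID is issued (claim 16), a per-user data request is served only for the anonymous user ID the data are personalised with (claim 16), and a group data request is answered without anonymous user IDs and only when the group holds more than one member and at least a threshold number of them (claims 10 and 11).

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple

Record = Dict[str, int]  # constructed sample schema: {"t": timestamp, "value": reading}


class RegistrationTokenGenerator:
    """Issues random single-use registration tokens and authenticates them.
    A token carries no information about the individual it is handed to."""

    def __init__(self) -> None:
        self._unused: Set[str] = set()

    def generate(self) -> str:
        token = secrets.token_hex(16)
        self._unused.add(token)
        return token

    def authenticate(self, token: str) -> bool:
        # Consume the token so that a second registration with it fails.
        if token in self._unused:
            self._unused.discard(token)
            return True
        return False


class DataEngine:
    """Stores anonymously personalised records and answers data requests."""

    def __init__(self, min_group_size: int) -> None:
        self.min_group_size = min_group_size       # claim 11 threshold (assumed value)
        self._users: Set[str] = set()               # registered anonymous user IDs
        self._store: Dict[str, List[Record]] = {}   # anon_id -> records
        self._groups: Dict[str, Set[str]] = {}      # group_id -> anon_ids

    def register_user(self, anon_id: str) -> None:
        self._users.add(anon_id)
        self._store.setdefault(anon_id, [])

    def store(self, anon_id: str, record: Record) -> bool:
        # Only data personalised with a registered anonymous user ID are kept.
        if anon_id not in self._users:
            return False
        self._store[anon_id].append(dict(record))
        return True

    def register_group(self, anon_id: str, group_id: str) -> bool:
        # Claim 9: associate a registered anonymous user ID with a group ID.
        if anon_id not in self._users:
            return False
        self._groups.setdefault(group_id, set()).add(anon_id)
        return True

    @staticmethod
    def _in_range(record: Record, query_range: Tuple[int, int]) -> bool:
        lo, hi = query_range
        return lo <= record["t"] <= hi

    def user_data_request(self, anon_id: str, query_range: Tuple[int, int]) -> List[Record]:
        # Claim 16: served only for the anonymous user ID the data are personalised with.
        return [r for r in self._store.get(anon_id, []) if self._in_range(r, query_range)]

    def group_data_request(self, group_id: str, query_range: Tuple[int, int]) -> Optional[List[Record]]:
        # Claims 10 and 11: refuse unless the group has more than one member and
        # at least min_group_size members; otherwise return matching records of all
        # members, stripped of anonymous user IDs and merged by timestamp so that
        # the reply's ordering does not reveal which records share a member.
        members = self._groups.get(group_id, set())
        if not (len(members) > 1 and len(members) >= self.min_group_size):
            return None
        reply: List[Record] = []
        for anon_id in members:
            reply.extend(r for r in self._store[anon_id] if self._in_range(r, query_range))
        return sorted(reply, key=lambda r: r["t"])


class ServiceProviderProxy:
    """Registers an individual anonymously once the token authenticates (claim 16)."""

    def __init__(self, tokens: RegistrationTokenGenerator, engine: DataEngine) -> None:
        self._tokens = tokens
        self._engine = engine

    def register(self, token: str) -> Optional[str]:
        if not self._tokens.authenticate(token):
            return None
        anon_id = secrets.token_hex(8)  # random ID, unlinked to the token or the person
        self._engine.register_user(anon_id)
        return anon_id


def demo() -> dict:
    """Constructed walk-through: three users, two groups, threshold of three."""
    tokens = RegistrationTokenGenerator()
    engine = DataEngine(min_group_size=3)
    proxy = ServiceProviderProxy(tokens, engine)
    ids = [proxy.register(tokens.generate()) for _ in range(3)]
    for i, anon_id in enumerate(ids):  # one constructed record per user: t = 10, 20, 30
        engine.store(anon_id, {"t": 10 * (i + 1), "value": 100 + i})
    engine.register_group(ids[0], "g1")
    engine.register_group(ids[1], "g1")  # g1 has two members: below threshold
    for anon_id in ids:
        engine.register_group(anon_id, "g2")  # g2 has three members: meets threshold
    return {
        "registered": all(i is not None for i in ids),
        "bad_token": proxy.register("not-a-token"),
        "own_data": engine.user_data_request(ids[0], (0, 100)),
        "unknown_id": engine.user_data_request("deadbeef", (0, 100)),
        "small_group": engine.group_data_request("g1", (0, 100)),
        "large_group": engine.group_data_request("g2", (15, 100)),
    }
```

The threshold check in group_data_request is the point of claim 11: with a single member, or with fewer members than the configured minimum, the reply would be attributable to an individual even though no anonymous user ID appears in it, so the engine declines rather than answering.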

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1607522.8A GB2549786A (en) 2016-04-29 2016-04-29 A system and method for storing and controlling access to behavioural data

Publications (2)

Publication Number Publication Date
GB201607522D0 GB201607522D0 (en) 2016-06-15
GB2549786A true GB2549786A (en) 2017-11-01

Family

ID=56234142

Country Status (1)

Country Link
GB (1) GB2549786A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116702145A (en) * 2023-08-03 2023-09-05 中信消费金融有限公司 Request processing method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030188171A1 (en) * 2002-03-27 2003-10-02 Liberate Technologies Method and apparatus for anonymously tracking TV and internet usage
US20060085454A1 (en) * 2004-10-06 2006-04-20 Blegen John L Systems and methods to relate multiple unit level datasets without retention of unit identifiable information
US20100175119A1 (en) * 2009-01-05 2010-07-08 International Business Machines Corporation Management of Access Authorization to Web Forums Open to Anonymous Users Within an Organization
US20110119744A1 (en) * 2009-11-18 2011-05-19 Electronics And Telecommunications Research Institute Pseudonymous identification management apparatus, pseudonymous identification management method, pseudonymous identification management system and service admission method using same system

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11997079B2 (en) * 2018-12-18 2024-05-28 Thales Dis France Sas Method to monitor sensitive web embedded code authenticity
US20220086132A1 (en) * 2018-12-18 2022-03-17 Thales Dis France Sa Method to monitor sensitive web embedded code authenticity
US11404167B2 (en) 2019-09-25 2022-08-02 Brilliance Center Bv System for anonymously tracking and/or analysing health in a population of subjects
SE546297C2 (en) * 2019-09-25 2024-09-24 Mobitrax Ab Methods and systems for anonymously tracking and/or analysing movement of mobile communication devices connected to a mobile network or cellular network
US11159580B2 (en) 2019-09-25 2021-10-26 Brilliance Center Bv System for anonymously tracking and/or analysing web and/or internet visitors
US11930354B2 (en) 2019-09-25 2024-03-12 Mobitrax Ab Methods and systems for anonymously tracking and/or analysing movement of mobile communication devices connected to a mobile network or cellular network
WO2021064323A1 (en) * 2019-09-30 2021-04-08 Orange Terminal, device for customising service requests and methods enabling a customised service
FR3101497A1 (en) * 2019-09-30 2021-04-02 Orange Terminal, device for customizing service requests and methods allowing personalized service.
GB2603368A (en) * 2019-10-04 2022-08-03 Indivd Ab Methods and systems for anonymously tracking and/or analysing individuals based on biometric data
GB2603368B (en) * 2019-10-04 2023-08-23 Indivd Ab Methods and systems for anonymously tracking and/or analysing individuals based on biometric data
WO2021066694A1 (en) * 2019-10-04 2021-04-08 Indivd Ab Methods and systems for anonymously tracking and/or analysing individuals based on biometric data
SE544098C2 (en) * 2020-02-25 2021-12-21 Brilliance Center B V Method and system for anonymously tracking and/or analysing health states in a population
SE2000041A1 (en) * 2020-02-25 2021-08-26 Brilliance Center B V Method and system for anonymously tracking and/or analysing health states in a population
EP3989482A1 (en) * 2020-10-22 2022-04-27 No.ID Sp. z o.o. Creating and managing disposable identities

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)