JP2004318391A - Information providing device, information providing system, and distributed database system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide distributed data system securing privacy of personal information by using anonymity and to use the personal information effectively by relating a plurality of pieces of personal information about the same person stored in a plurality of database systems one another. <P>SOLUTION: A search condition confirmation part 30 checks a search condition included in a received personal information transmission request and outputs a confirmed search condition including no condition, allowing specification of an individual. A personal information extraction part 30 extract the personal information from a personal information storage part 40 on the basis of the confirmed search condition. A data ID generation part 50 generates a data ID by using the personal information extracted by the personal information extraction part 30 to applies it to the extracted personal information. A search result determination part 60 determines whether the individual cannot be specified or not from the personal information with the attached data ID, and when it is determined that the individual cannot be specified, transmits the anonymous personal information with the attached data ID. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a distributed database system. Further, the present invention relates to an information providing apparatus for providing information through a network. For example, the present invention relates to a distributed database system for transmitting personal information. Also, for example, the present invention relates to an information providing device that provides personal information through a network.
[0002]
[Prior art]
In the real world, organizations collect, store, and manage various types of personal information. Much of this personal information includes privacy-related information. Therefore, organizations that hold and manage information have a duty of confidentiality regarding personal information. For this reason, even information that does not include personal information cannot be disclosed. However, personal information has a new meaning and value when analyzed in combination, and has the potential to produce economic effects and academic progress.
However, the duty of confidentiality involved in obtaining actual data largely depends on the relationship of trust between the information provider and the user. In addition, the handling of personal information is regulated by the law for protecting personal information, and disclosure of information accumulated by each organization may be delayed. For this reason, personal information has not been effectively utilized.
[0003]
In the related art (for example, Patent Document 1), a data provider (data provider) having personal information sends personal identification information that is a part of personal information to a trust organization, and the trust organization that has received the personal identification information identifies the personal information. A technology is disclosed in which the personal information is used in a "non-personalized form" (a form that does not reveal the identity of the individual) based on the identifier generated by the trust organization. .
However, if the data provider sends personal information to a third-party trust organization, there is a high possibility that the anonymity (privacy) of the individual cannot be ensured.
If a third-party trust organization is to be established separately, it will need to be maintained and managed.
[0004]
[Patent Document 1]
JP 2000-324094 A
[Patent Document 2]
JP-A-2002-175432
[Patent Document 3]
JP-A-5-63696
[Patent Document 4]
JP-A-10-254807
[0005]
[Problems to be solved by the invention]
An object of the present invention is to provide a distributed database system that ensures the privacy of personal information at a high level and enables effective use of personal information.
Another object of the present invention is to provide a database system that enables effective use of personal information by associating personal information stored in a plurality of database systems.
In addition, the present invention enables effective use of personal information between an information provider that provides personal information and an information user that uses personal information without requiring the intervention of a third party. The purpose is to provide a database system.
[0006]
[Means for Solving the Problems]
An information providing device according to the present invention includes:
An information providing device capable of communicating with an access device via a network and providing information to the access device based on a request from the access device,
A personal information storage unit for storing personal information about an individual,
A receiving unit that receives a personal information transmission request including a search condition for searching for personal information from the access device,
The receiving unit confirms a search condition included in the personal information transmission request received, and when the search condition included in the personal information transmission request includes a condition capable of specifying an individual, a condition capable of specifying the individual Is deleted and the search condition from which the condition capable of identifying the individual is deleted is output as the search condition after confirmation.If the condition capable of identifying the individual is not included in the search condition included in the personal information transmission request, the A search condition checking unit that outputs the search condition included in the personal information transmission request as a search condition after checking the search condition as it is,
A personal information extraction unit that searches the personal information storage unit based on the inputted search condition after confirmation and outputs the personal information based on the inputted search condition after confirmation output by the search condition confirmation unit;
Using the personal information extracted by the personal information extraction unit, a data ID for identifying the extracted personal information is generated according to a predetermined rule, and a data ID generation for giving the generated data ID to the extracted personal information Department and
The personal information extraction unit determines whether or not an individual can be identified from the personal information to which the data ID has been extracted and to which the data ID has been assigned. When it is determined that the individual cannot be identified, the data ID is assigned. And a search result determining unit for transmitting the personal information to the access device.
[0007]
BEST MODE FOR CARRYING OUT THE INVENTION
Embodiment 1 FIG.
In the first embodiment, when there is an access requesting transmission of personal information from an external system to a database system storing personal information, the database system anonymizes the stored personal information (anonymous). And a system that generates a data ID, adds the generated data ID to the anonymized personal information, and returns the data to an external system that has accessed the system.
[0008]
In the real world, working companies, hospitals, and health insurance associations collect, store, and manage various types of personal information on an "organization-by-organization" basis. Since most of this information contains personal information related to privacy, the organization that owns and manages the information is obliged to keep it confidential, and information that does not contain personal information cannot be effectively disclosed to the outside. It is in. However, the information held by each organization can have new meaning and value by performing `` combination '' analysis, etc., which can produce economic effects and academic progress that was not assumed by the organization that owns and manages the information I have a secret.
However, in the academic and research fields, real-world data is handled as sample data in a form that ensures anonymity, but the confidentiality involved in obtaining real data is between the information provider (individual / organization) and the user. There is a great deal of trust. However, the handling of personal information is regulated by the law for protecting personal information, and disclosure of information accumulated by each organization may be delayed.
In order to promote the disclosure of information held by each organization, it is necessary to realize a platform that technically guarantees privacy as well as to have such a platform recognized by the public. By doing so, the development of a new service business can be expected, and the environment itself can be a new service.
The following first embodiment regards securing of privacy as guarantee of anonymity of personal data, and constructs a database system that associates personal information stored in a plurality of database systems while securing privacy. is there.
[0009]
The system according to the first embodiment described below aims at simultaneously realizing two of "securing privacy" and "associating personal information stored in a plurality of databases".
First, "securing privacy" will be described.
In the system according to the first embodiment described below, the platform ensures privacy by guaranteeing anonymity of each data. The anonymity of the data is assured by deleting information that leads to "identification of the individual" from the information passed to the external system. Deletion of information that specifies an individual is performed by each database system-side device, and although basic rules are prepared in advance, each database system-side device determines whether or not information to be positioned to lead to “personal identification”. Add a function that can be set.
It consists of the following three functions.
First, there is a function of deleting a search condition leading to “identification of an individual” from a data search condition to the database system.
Second, there is a function for deleting information related to “identification of an individual” from the search result.
Third, when the number of search results is small (the absolute number is small or the ratio is small), the function is not returned.
Next, "data association" will be described. In order to significantly analyze the data stored in each database system, it is necessary to associate the data stored in a plurality of databases (for example, the information of the individual A stored in the database system 1 with the database system). It is necessary to implement the combination of the information of the individual A stored in 2). However, data association between a plurality of database systems must be realized at the same time as the above-mentioned "ensure privacy".
In the system according to the first embodiment, an identifier (hereinafter, also referred to as a data ID) for specifying an individual who created the data is given to the data to be associated. The purpose of the data ID is not to identify “individual”, but to identify “data” generated from the same individual. Therefore, it is not necessary to generate information that can identify an individual from the data ID, but rather, it cannot be generated.
As a means for generating a data ID, a means for generating from a personal name, a gender, a date of birth, an address, and the like held in each database system according to a predetermined rule is assumed.
[0010]
A configuration example of the system according to the first embodiment will be described below.
FIG. 1 shows an example of the configuration of a system to which the first embodiment is applied. A plurality of database systems 310, 320, 330 and an access device 340 for accessing these database systems are connected on a network 350 capable of exchanging data. Here, the database systems 310, 320, and 330 in FIG. 1 are systems managed or operated by an organization, or a part thereof, and each organization has a database system alone that satisfies information and functions. For example, the database system may be a database system in which a network system is formed by the access terminal 311, the database 313, another database 314, and the network 312, like the database system 310. In each of the database systems 310, 320, and 330, useful information in the organization is stored in a format including personal information. Conventionally, it has not been possible to utilize data including personal information among a plurality of businesses having such database systems.
Here, the network 350 to which each of the database systems 310, 320, and 330 and the access device 340 are connected is not particularly limited, and may be a dedicated line, a public line, the Internet WAN / LAN, or the like. Further, a wired / wireless form can be assumed for each network 350.
[0011]
FIG. 2 is a diagram illustrating an outline of implementation of the system according to the first embodiment. In FIG. 2, an access interface 360 from an external system is defined in each of the database systems 310, 320, and 330, and is open to other systems, and access from the external system is permitted only through the access interface 360. (Even in the agent method described below, the agent 440 uses the access interface 360). The access interface 360 has the following functions.
First, it has a function of removing search conditions related to privacy.
Second, it has a function of generating and assigning a data ID (ID for specifying a data owner while maintaining anonymity).
Third, it has a function to check whether information related to privacy is included in the search result, and a function to delete the corresponding data item (including a function to delete a singular point).
Fourth, it has an access device 340 and an accessor authentication function (if necessary).
Fifth, it has a communication data encryption / decryption function (including a search condition encryption / decryption function). For example, communication data is encrypted with a public key, a secret key, or the like, and is decrypted with a public key, a secret key, or the like.
Sixth, it has an information generation function (only the database system side device is mounted) that can identify an individual from a data ID. Hereinafter, the first to sixth functions will be described.
[0012]
First, the first function will be described. When there is an access requesting the personal information from the external system, the access interface 360 includes a condition that can specify the individual and his / her family, such as a name, a date of birth, and an address, in the search condition from the external system. Is checked by the device on the database system 310, 320, 330 side. If the search condition includes a condition that can specify an individual or his or her family, the access interface 360 deletes the condition or changes the condition to a looser condition. It is assumed that what conditions are deleted and what conditions are converted into what conditions are set in advance in each of the database systems 310, 320, and 330 (each database system 310, The rules can be changed on the side of 320 and 330).
The following is an example of the function for eliminating the search condition related to privacy.
For example, if there is a search condition “Last name is Tanaka”, the condition is deleted. In addition, if there is a search condition such as “address is Hyogo-ku, Hyogo-ku, ○ machi △△ chome □□ address”, the search condition is deleted, or the search condition is changed according to a predetermined rule such as “resident in Kobe”. Convert.
[0013]
Next, a description will be given of a second function of the access interface 360, that is, a function of generating and assigning a data ID (ID for specifying a data owner while maintaining anonymity).
The access interface 360 generates a data ID for specifying an individual who is the source of the data according to a predetermined rule, and assigns it to the corresponding data. As described above, the data ID generating means generates the data ID from the personal name, gender, date of birth, address, and the like according to a predetermined rule.
[0014]
Next, a third function of the access interface 360, that is, a function of checking whether privacy-related information is included from the search result and a function of deleting the corresponding data item will be described.
The search result is likely to include information related to personal privacy in addition to the item used as the search key. Therefore, the access interface 360 checks whether the search result includes an information item that can identify an individual, and deletes the information item from the search result in each database system side device.
Further, when the number of search results is equal to or less than a predetermined number (or ratio), the access interface 360 is considered in consideration that the individual corresponding to the search result is a singular point and the individual may be able to guess. Has a mechanism that does not return the search result.
What information items are to be targeted and what search results are to be singularities are to be set in advance in each database system (each database system 310, 320, 330 side). Can be changed at
[0015]
Next, a fourth function of the access interface 360, that is, an authentication function of the access device 340 and the accessor will be described.
Appropriately manage the access to the database system by the authentication function. The purpose of accesser management is mainly the following two points.
The first is to eliminate unauthorized access devices 340 and accessers.
Second, authority management of the accessor is performed.
[0016]
Next, a fifth function of the access interface 360, that is, a communication data encryption / decryption function (including a search condition encryption / decryption function) will be described.
In the access interface 360, in order to realize protection against data "sniffing", the data is encrypted when the data is sent to another system while ensuring the anonymity of the data. Eavesdropping of data includes data flowing through the network 350, data stored in the access device 340, and data "temporarily" stored due to processing in the other database systems 310, 320, and 330. In addition, not only eavesdropping but also protection against data tampering is considered.
The encryption has the following two features.
First, the search condition is encrypted, and a mechanism is provided that allows the search condition to be referenced only in the database system to be searched.
Second, a mechanism is provided in which the encryption key is changed for each data field, and information that can be referred to is controlled according to the authority of the operator even in the access device 340 that has received the data.
[0017]
Next, a sixth function of the access interface 360, that is, a function of generating information that can identify an individual from the data ID (only the database system side device is mounted) will be described.
In each of the database systems 310, 320, and 330, a situation in which a data ID is passed as an analysis result from a consulting company or the like can be assumed. At this time, the database systems 310, 320, and 330 may want to specify an individual from the data ID, and this function is required. In the first embodiment, it is assumed that the data ID cannot be converted into information for identifying an individual. Therefore, it is conceivable to use a means such as generating a data ID from all the data according to a predetermined rule and successively comparing them.
However, the function must not be mounted on the access device 340, and an access interface 361 of the access device 340 for performing data search and a mechanism in which the function cannot coexist are embedded.
[0018]
FIG. 3 shows a configuration of the information providing apparatus 100 according to the first embodiment. Each of the database systems 310, 320, 330, and the like in the first embodiment includes the information providing device 100. Each of the database systems 310, 320, 330 and the like can realize the function of the access interface 360 by the function of the information providing apparatus 100.
The information providing apparatus 100 includes a reception unit 10, a search condition confirmation unit 20, a personal information extraction unit 30, a personal information storage unit 40, a data ID generation unit 50, a search result determination unit 60, a rule storage unit 70 And a billing unit 80.
Further, the receiving unit 10 includes an authentication unit 11 and a decryption unit 12. The data ID generation unit 50 includes a comparison ID generation unit 51. The search result determination unit 60 includes a cipher creation unit 61 and a transmission unit 62.
[0019]
FIG. 4 is a diagram showing a flow when the information providing apparatus 100 receives a request for transmitting personal information from the access apparatus 340. Hereinafter, the operation of the information providing apparatus 100 when the database systems 310 and 320 in FIG. 2 receive a request for transmitting personal information will be described with reference to FIG. For example, it is assumed that the information providing apparatus 100 included in the database system 310 receives a request for transmitting personal information.
In S10, the receiving unit 10 of the information providing device 100 receives a request for transmitting personal information (a request for transmitting personal information) from the access device 340. The access device 340 can include a plurality of search conditions for searching for personal information in the transmission request for personal information. Then, each of the included search conditions can be encrypted by different encryption means and transmitted. As an encryption means, a different algorithm is used for each search condition, or a different encryption key is used.
In S20, the authentication unit 11 authenticates a transmission request for personal information. If authenticated, the process proceeds to S30.
In S30, the data reception process starts. When the received data (personal information transmission request) is signed and encrypted, the decryption unit 12 decrypts the received data using a public key, a private key, and the like.
In S40, the authentication unit 11 checks whether the access is from an external system. If the access is from an external system, the process proceeds to S50.
In S50, the search condition check unit 20 checks whether there is a search condition related to privacy. That is, it is confirmed whether or not there is a search condition that can specify an individual among the search conditions of the personal information included in the transmission request of the personal information. If there is a search condition that can specify an individual, the search condition confirmation unit 20 deletes the search condition. In this case, the case where the condition is changed to an unspecified condition is also included in the deletion. It is assumed that the rule of what search condition is deleted is stored in the rule storage unit 70 in advance. If there is no search condition related to privacy to be deleted, or if the search condition confirmation unit 20 deletes a condition related to privacy from the search conditions, the process proceeds to S60.
In S60, the personal information extracting unit 30 extracts personal information according to the search condition with reference to the personal information storage unit 40.
In S70, the search result determination unit 60 checks whether a personal ID (data ID) has been generated for the search result, and if not, generates a data ID (S80). Then, a personal ID (data ID) is assigned to the extracted personal information (S90). Further, the search result determination unit 60 confirms whether the extracted personal information does not include information related to privacy (whether or not information that can specify an individual is not included) (S100). The data ID is generated by the data ID generation unit 50 based on the personal information extracted by the personal information extraction unit 30. The rule for creating the data ID is stored in the rule storage unit 70, and the data ID generation unit 50 refers to the rule. It is also assumed that the rule storage unit 70 stores in advance what information corresponds when the search result determination unit 60 confirms information related to privacy. When the search result determination unit 60 determines that it is impossible to specify an individual from the extracted personal information, the search result determination unit 60 sends the personal information to the access device 340 with the data ID. At this time, if necessary, the encryption creating unit 61 encrypts the personal information to be transmitted (S110). When the anonymized personal information to be transmitted is formed of a plurality of data items, the encryption creation unit 61 of the search result determination unit 60 encrypts each of the data items using a different encryption unit for each data item. It is possible to make. As a different encryption means, it is conceivable to use a different algorithm or to perform encryption using a different encryption key for each data item.
When the search result determination unit 60 determines that the individual can be specified from the extracted personal information, the search result determination unit 60 deletes the data that can specify the individual and transmits the data to the access device 340. Alternatively, if there is data that can specify an individual, transmission to the access device 340 is not performed. The type of processing to be performed can be stored in the rule storage unit 70 as a rule in advance.
When the personal information is transmitted to the access device 340 in S110, the process ends in S120.
[0020]
The case where the access device 340 communicates with one database system has been described above. In the following, in FIG. 2, when the access device 340 communicates with a plurality of database systems 310, 320, and 300, the association of a plurality of pieces of personal information received from the database systems 310, 320, and 330 will be described.
Each of the database systems 310, 320, and 330 includes the information providing device 100. Then, the data ID generation unit 50 of the information providing apparatus 100 provided in each of the database systems 310, 320, and 330 generates a data ID according to the same generation rule. Each of the database systems 310, 320, and 330 attaches the data ID generated according to the same generation rule to the anonymized personal information and transmits the data ID to the access device 340. The access device 340 can know that the personal information transmitted from each of the database systems 310, 320, and 330 is personal information generated from the same individual by the assigned data ID. As described above, the access device 340 can associate a plurality of pieces of personal information with the data IDs generated by the same generation rule in each of the database systems 310, 320, and 330.
Here, the data IDs generated by the same generation rule may be the same, or may not be the same as long as it is known that they are personal information generated from the same individual. .
When the data ID is transmitted from the access device 340, the comparison ID generation unit of the information providing device 100 of FIG. 3 generates a comparison ID using the personal information stored in the personal information storage unit 40. The “contrast ID” is an ID generated for comparison with the data ID transmitted from the access device 340. Since the data ID and the comparison ID are generated according to the same rule, by comparing the data ID and the comparison ID, an individual can be identified from the data ID transmitted from the access device 340. Although the normal data ID and the comparison ID are the same, the data ID and the comparison ID do not have to be the same as long as the data ID and the comparison ID indicate that they relate to the same person.
Further, the information providing apparatus 100 includes a billing unit 80. For example, the charging unit 80 stores a search history from the access device 340, and performs a charging process on the access side based on the number of accesses, the data amount of the search result, and the like.
[0021]
Next, a data collection method for collecting data (personal information) will be described.
A method of collecting data from each of the database systems 310, 320, and 330 when the system is implemented will be described.
In FIG. 2 showing the outline of the implementation of the system, the following two methods are considered as typical methods by which the access device 340 collects data from each of the database systems 310, 320, 330.
First, there is a method in which the database systems 310 and 320 and the access device 340 collect data on a one-to-one basis.
Secondly, an agent method (an agent goes around each database system and collects information and returns to the access device 340 when indicating information to be collected) can be considered. The agent will be described in detail in the fourth embodiment.
In the case of employing the agent method, when the search results are obtained in each of the database systems 310, 320, and 330, the search conditions for the database systems 310, 320, and 330 are discarded. It is also possible to perform processing for improving the degree of security by not transmitting the search result extracted under the search condition.
[0022]
The system shown in FIG. 2 can be applied to the following businesses.
For example, an environment providing service. Provide services such as operation, sales, leasing, and maintenance of platforms that guarantee anonymity.
It is also an intervention service. It connects medical institutions, health insurance unions, and companies to which individuals belong, and provides a service to provide health-related advice to specific groups such as health insurance unions and individuals.
It is also an intervention service evaluation. Provide a service that evaluates the application effect of the intervention service on a group or individual basis to which multiple intervention services are applied.
[0023]
FIG. 5 shows a specific example in which the implementation outline shown in FIG. 2 is applied to an intervention service in the service business described above.
Of the above application examples, more specifically, an intervention service for a certain group of health and a consulting service for the intervention service will be described with reference to FIG.
In FIG. 5, the health insurance union requests a consulting company to analyze and investigate "what kind of individual (not who)" and "what kind of intervention service" should be provided. For the analysis and investigation, the information (reception information (medical remuneration information), etc.) held by the health insurance union database system 370, the information (time attendance information, etc.) held by the company's personnel database system 380, and the industrial physician database system 390 (Health checkup information such as height, weight, blood pressure, disease history, consultation information, etc.) is disclosed to a consulting company (access device 340).
Applicants in this example are a consulting company, a health insurance union that is a subject of intervention service consignment, a company (human resources) that is a provider of information, and an industrial physician.
By applying this system, it is possible to investigate the relationship between medical expenses, working hours, and obesity, etc., for a specific group. It can be expected to analyze the reserve army.
Embodiment 1 is effective for constructing such a system. By applying the first embodiment, it is natural that a consulting company cannot identify an individual owner of data, but it is possible to construct a mechanism in which information held in a certain database system cannot be referred to in another database system. (For example, the receipt information of the health insurance union database system 370 cannot be referenced from the personnel database system 380 or the industrial physician database system 390). Further, in order to analyze the tendency of the entire organization, it is possible to associate the information held by each organization with the individual who is the "source" as the axis.
[0024]
Hereinafter, a process of processing when applied to the intervention service will be described.
The system of the first embodiment is applied to each of the database systems 370, 380, and 390 and the access device 340 in the consulting company. For example, as shown in FIG. 6, a consulting company (access device 340) instructs a personnel database system 380 that "Mitsubishi (man of person) who is 30 years old or older who lives in Tokyo and has less than 10 days of leave off. It is assumed that a search request of “person” is issued. It is assumed that the request information is also encrypted when the search request (including the search condition) is transmitted from the access device 340 to each of the database systems 370, 380, and 390.
If there is no problem in the authentication and the access route (S10 to S40 in FIG. 4), the search condition related to privacy is deleted (S50). Since specifying the name is an infringement of privacy, the search condition by applying Embodiment 1 is as shown in FIG. 7, and as shown in FIG. 7, "an employee who lives in Tokyo and is 30 years or older and has taken leave for 10 days or more. , And the personnel database system 380 is searched using the search condition (S60). Notification to the requester when the search condition related to privacy has been eliminated shall be made when the search result is returned or by a separate means. It is considered that the name, birthday, address, and telephone number are naturally applicable to the search condition relating to privacy, but special illness, prize and punishment are also considered to be in this category. What kind of information should be considered as information related to privacy can be set (changed) on each database system side that provides data.
As a result, it is assumed that information as shown in FIG. 8 is retrieved.
Next, a data ID is generated (S80, S90) and assigned to each data. FIG. 9 shows a case where a data ID is assigned. The data ID may be a number (not dependent on decimal, hexadecimal, etc.), a character such as an alphabet, or a combination of a number and a character. As the means for generating the data ID, the means described in the above-mentioned "Data association" can be considered.
Next, privacy-related information is deleted from the search result (S100). FIG. 10 shows a case where information related to privacy is deleted. Here, as described above, what kind of information should be considered as privacy-related information can be set (changed) at each database system that provides data. However, the information not specified is returned to the search requester. Is done.
The personnel database system 380 returns the information shown in FIG. 10 to the consulting company (the access device 340) as a search result (S110). Here, in the access device 340, the name “Mitsubishi Taro” cannot be generated from the data ID “Dasf104”. However, when the information of “Mitsubishi Taro” is returned from another database system (for example, the industrial physician database system 390) as a search result, “Dasf104” is added and returned as a data ID, so that it is stored in a different database system. Data generated from the same individual. At this time, when the data is returned from the consulting company (the access device 340) to the database system such as the personnel database system 380, it is possible to prevent the contents of the unauthorized data items from being viewed. Data can be encrypted for each field. For example, in a personnel database system, even if the returned data contains disease information, it cannot be decrypted because the user has no authority to view the disease information.
When returning the data, the data is encrypted. The encryption referred to here is an encryption applied to the entire data in order to prevent a third party from referring to the data in order to transfer the data via the network 350, and an encryption performed on the access device 340 and the operator. It is assumed that only the information permitted (or a combination thereof) can be referred to. For example, in this example, in the personnel database system 380, encryption is performed for each item such as gender, number of vacations, and job class, and the encrypted data is returned to the consulting company (access device 340).
For example, regardless of whether the data from the personnel database system 380 is intentional or not, even if it is sent to the health insurance union database system 370, the data cannot be referenced from the terminal of the health insurance union because the encryption key is different. Furthermore, a mechanism is added to limit the data items that can be referred to in accordance with the authority of the login user even when the data is appropriately returned to the access device 340 in the consulting company.
On each of the database systems 370, 380, and 390, it is possible to specify an individual from the data ID.
In this example, based on the contents of each database system 370, 380, 390, the consulting company designates a member who will be a reserve army for lifestyle-related diseases to the health insurance union which is the subject of the intervention service, and proposes an improvement plan. Procedures such as presentation can be assumed. However, the information that the consulting company can present to the health insurance union is only a data ID and does not specify an individual. Here, the health insurance union presented with the data ID generates a comparison ID from the retained individual data (generated by the comparison ID generation unit 51 in FIG. 3), and compares it with the data ID presented by the consulting company. It is possible to specify an individual from the data ID presented by the consulting company by comparing the ID with the ID. For example, the consulting company notifies the health insurance union that the individual having the data ID of “Dasf104” is a reserve army for lifestyle-related diseases, and presents a measure for improvement. In a consulting company, it is "Dasf104" instead of "Mitsubishi Taro". However, in the health insurance union, it is unclear to whom "Dasf104" the intervention service should be provided. Therefore, the system searches its own database system 370, generates a comparison ID, compares the data ID from the consulting company with the generated comparison ID, and specifies that “Dasf104” is “Mitsubishi Taro”. As a result, it is understood that the intervention service should be performed for "Mitsubishi Taro". If necessary, the health insurance union may outsource the work to a service provider that provides the intervention service, and may provide the intervention service to the individual belonging to the health insurance union via the service provider.
However, the consulting company shall not disclose data obtained from another database system (for example, the personnel database system 380) to the health insurance union by entering into a confidentiality agreement with the organization that refers to the data and by taking a duty of confidentiality. . Further, search conditions related to the contents of other database systems must not be disclosed. (When data is retrieved from each database system by an agent described later, search conditions are encrypted, of course. The used search condition is discarded in the database system, and an implementation means that sends only the search result to another database system is used). The consulting company disclosed the search conditions to the health insurance union as to why "Mitsubishi Taro" was presumed to be a reserve army for lifestyle-related diseases, because registration information of other database systems related to "Mitsubishi Taro" can be inferred. Not be.
[0025]
FIG. 11 is a diagram illustrating the functions of the system according to the first embodiment described above.
By applying the first embodiment, it is easy to construct a system for associating search results between a plurality of database systems 310, 320, 330 and the access device 340 while securing anonymity. is there. In each database system, an individual corresponding to the data ID specified by the access device 340 of a consulting company or the like can be specified (note that an individual can be specified only in each database system).
[0026]
According to the first embodiment, it is possible to guarantee the anonymity (ensure the privacy of an individual) by anonymizing and to effectively utilize personal information. Further, the personal information of the same person existing in each database system is associated with each other, and the anonymity is assured by anonymization (anonymization), so that the personal information can be effectively used.
[0027]
The information providing apparatus 100 according to the first embodiment deletes a data item that can specify an individual, and thus can guarantee anonymity in using personal information. Further, since the personal information is extracted under the search condition from which the data item capable of specifying the individual has been deleted, it is possible to use the personal information while assuring the anonymity.
[0028]
Since the information providing apparatus 100 according to the first embodiment deletes the contents of the data item that can specify an individual, it is possible to guarantee anonymity in using personal information. In addition, since the contents other than the contents of the data items that can identify the individual are used, the personal information can be used.
[0029]
When the information providing device 100 according to the first embodiment determines that the content of the data item of the personal information can identify the individual, the information providing device 100 does not transmit the personal information, so that the anonymity of the personal information can be guaranteed. .
[0030]
Since the information providing apparatus 100 according to the first embodiment does not transmit when the number of extracted personal information is equal to or smaller than a predetermined number, it is possible to prevent a person corresponding to a so-called singularity from being specified, and to perform anonymization. Can be guaranteed.
[0031]
The information providing apparatus 100 according to the first embodiment does not transmit the personal information when the ratio of the number of persons related to the extracted personal information belonging to the predetermined group is a predetermined value. It is possible to prevent the corresponding person from being specified, and to guarantee anonymization.
[0032]
Since the information providing apparatus 100 according to the first embodiment includes the comparison ID generation unit 51, an individual corresponding to the data ID transmitted from the access device 340 can be specified. The results can be used effectively.
[0033]
Since the information providing apparatus 100 according to the first embodiment includes the charging unit 80, a new service and a new business using the anonymized personal information can be developed.
[0034]
According to the first embodiment, since each database system generates a data ID according to the same generation rule, personal information existing in different database systems can be associated with the same person, thereby increasing the use value of personal information. Can be.
[0035]
In the first embodiment, since the personal information output or transmitted outside each database system is anonymized, the anonymization can be guaranteed. Further, when the anonymized personal information transmitted to the outside of the database system includes a plurality of data items, it can be encrypted for each data item, so that the anonymity of the personal information can be enhanced.
[0036]
In the first embodiment, an information provider (individual / organization) that provides personal information and an information user (access device 340) that uses personal information without requiring the intervention of a third party such as a trust organization. ) Can be exchanged between anonymized personal information.
[0037]
In the first embodiment, since the access device 340 can encrypt for each search condition and can decrypt only the database system to be searched, it is possible to enhance the anonymity of the anonymized personal information.
[0038]
Embodiment 2 FIG.
The second embodiment shows a method of performing anonymization (anonymization) in advance in a database system and storing anonymized data (implementation plan 1 described later).
That is, since anonymized personal information is stored in advance, it is possible to quickly respond to access from the access device 340. Further, since the anonymized personal information is stored in advance, the anonymized personal information can be transmitted to the access device 340 regularly or irregularly.
[0039]
FIG. 12 shows an outline of a system configuration assumed in the second embodiment. A plurality of database systems 310, 320, 330 and an access device 340 for accessing these database systems 310, 320, 330 are connected on a network 350 capable of exchanging data. There are no particular restrictions on the network 350 to which each database system and the access device 340 are connected, and a dedicated line, a public line, the Internet WAN / LAN, or the like may be used. Furthermore, a wired / wireless form can be assumed for each. Here, in FIG. 12, the access device 340 and each of the database systems 310, 320, and 330 are described as separate devices, but the device constituting any one of the database systems may be the access device 340.
[0040]
FIG. 13 is a diagram illustrating an implementation 1 according to the second embodiment. In FIG. 13, an access device 340 and a database system 400 are connected via a network.
Implementation plan 1 shows a method of performing anonymous conversion processing in advance in the database system 400 and storing the anonymized data.
In the database system 400, an access database from the access device 340 is prepared, and anonymized data is appropriately stored in the database.
Here, there is no particular limitation on the method of anonymizing each data.
In different database systems, the generation method of the data ID is not particularly limited as long as the generation method can generate the same data ID from the data having the same reference.
There is no particular limitation as to whether the database for the internal system and the database for access from the external system are in the same device or in the same database. (Actually, when selecting the implementation plan, It is desirable that the database for the internal system and the database for access from the external system be separate devices and separate databases from the viewpoint of security.)
The update timing of the access database from the access device 340, which is an external system, can be assumed to be a process at the time of update of the database for the internal system or a scheduled process, but is not particularly limited.
There is no particular limitation on the presence or absence of the access device 340 and the accessor authentication function in FIG.
In communication between the access device 340 and the database system 400 in FIG. 13 or between the database systems (when there are a plurality of database systems 400), encryption / decryption processing for search request information and search conditions and search results is performed. There is no particular limitation on the presence / absence and the encryption method.
[0041]
FIG. 14 is a block diagram illustrating a configuration of an information providing apparatus 200 used for the implementation plan 1 according to the second embodiment.
The database system 400 according to the second embodiment shown in FIG. 13 includes the information providing device 200. The database system 400 can send the anonymized personal information to the access device 340 in FIG. 13 by the function of the information providing device 200.
The database system 400 constitutes the information providing device 200 shown in FIG. The information providing device 200 may be a device, or may be in the form of a network like the database system 400.
[0042]
The information providing device 200 includes a personal information storage unit 110, an anonymization processing unit 120, an anonymized personal information storage unit 130, a reception unit 140, and a transmission unit 150. Further, the anonymization processing unit 120 includes a data ID generation unit 121.
[0043]
Hereinafter, the operation of the information providing apparatus 200 will be described.
The information providing device 200 is configured to appropriately store anonymized personal information in the anonymized personal information storage unit 130 in advance.
Then, when there is a transmission request for personal information from access device 340, information providing device 200 transmits anonymized personal information already stored in anonymized personal information storage unit 130 to access device 340. Also, regardless of the transmission request from the access device 340, the anonymized personal information can be transmitted to the access device 340 periodically or irregularly.
The personal information storage unit 110 stores non-anonymized personal information (non-anonymized data). The anonymization processing unit 120 uses the non-anonymized data stored in the personal information storage unit 110 to generate anonymized personal information that has been anonymized. The anonymized personal information storage unit 130 stores and stores the anonymized personal information generated by the anonymization processing unit 120. Then, for example, when the receiving unit 140 receives a request for transmitting personal information from the access device 340, the information providing apparatus 200 transmits the anonymized personal information stored in the anonymized personal information storage unit 130 to the transmitting unit 150. Via the access device 340.
Further, the data ID generation unit 121 of the anonymization processing unit 120 generates a data ID for identifying personal information when anonymizing personal information, and assigns the generated data ID to the anonymized personal information. Each of the plurality of database systems 310, 320, and 330 in FIG. 12 includes a data ID generation unit 121, and each data ID generation unit 121 generates a data ID according to the same generation rule. This is the same as the function of the data ID generation unit 50 of the information providing apparatus 100 according to the first embodiment.
[0044]
FIG. 15 is a diagram showing another example of the association distributed database system 500 according to the second embodiment. The association distributed database system 500 of FIG. 15 includes a first private database device 600, a second private database device 700, and a database access device 800. 12, the first private database device 600 corresponds to the database system 310, the second private database device 700 corresponds to the database system 320, and the database access device 800 corresponds to the access device in FIG. It can be seen that it corresponds to 340.
[0045]
The first private database device 600 includes a first identifier generation unit 610 that generates a first identifier, a first combination data generation unit 620, and a first storage unit 630. Then, the first combination data creation unit 620 creates the first combination data 621.
The first storage unit 630 stores the first private data 631. The first private data 631 includes first personal identification information and first personal data information.
The second private database device 700 has the same configuration as the first private database device 600, and performs processing of the second private data 731.
The database access device 800 includes an identifier matching unit 810 and a related data storage unit 820. The related data storage unit 820 stores related storage information 821.
[0046]
Next, the operation of the association distributed database system 500 will be described.
The operation of the first private database device 600 will be described first.
The first storage section 630 stores the first personal identification information and the first personal data information as first private data. Here, the personal identification information refers to information that can identify a specific individual or information that has a high possibility of identifying a specific individual. Information that can identify a specific individual includes an insurance card number, a driver's license number, and a resident card code. Information that has a high possibility of identifying a specific individual includes a name (because there is also the same name) and an address.
The personal data information may be, for example, weight or blood pressure when the result of the health check is stored and stored in a database. In addition, there are various things such as educational background, medical history, dental treatment history (excluding personally identifiable or identifiable information).
The first identifier generation unit 610 generates a first identifier that cannot identify an individual based on a predetermined rule from the first individual identification information. Here, the identifier is an example of the data ID described above.
The first combination data creation unit 620 combines the first identifier generated by the first identifier generation unit 610 with the first personal data information stored in the first storage unit 630, and outputs the first combination data 621. When outputting the first combination data 621, the first combination data creating unit 620 may encrypt and output the first personal data information. Further, when the first personal data information is formed of a plurality of data items, the data items may be encrypted by different encryption means. As a different encryption unit for each data item, a different algorithm is used, or encryption is performed using a different encryption key for each data item. The same applies to the case where the second combination data creation unit 720 described later outputs the second combination data 721.
The second private database device 700 operates in the same manner, but its features will be described.
The second storage unit 730 stores second personal identification information and second personal data information. Here, the second personal identification information has the same contents as the first personal identification information. On the other hand, the second personal data information is different from the first personal data information. For example, the first personal data information is the attendance information in the personnel affairs of the company, and the second personal data information is the case such as the health examination information of an industrial doctor.
The second identifier generation unit 710 generates a second identifier based on the same rules as the first identifier generation unit 610 using the second personal identification information.
The second combination data creation unit 720 creates the second combination data 721 by combining the second identifier generated by the second identifier generation unit 710 with the second personal data information stored in the second storage unit 730. Output.
The database access device 800 receives the first combination data 621 output from the first private database device 600 and the second combination data 721 output from the second private database device 700.
The identifier matching unit 810 refers to whether or not the first identifier of the first combination data 621 matches the second identifier of the second combination data 721. Then, the matching first personal data information of the first combination data 621 is associated with the second personal data information of the second combination data 721.
The related data storage unit 820 stores data associated with the identifier matching unit 810.
[0047]
As another example different from the realization plan 1, a realization plan 2 is shown.
FIG. 16 shows a realization plan 2 according to the second embodiment. The realization plan 2 has both the “method of returning anonymized personal information when accessed from an external system” and the “method of performing anonymized processing in advance and storing anonymized data”. It is a plan. This is a system in which the first embodiment and the implementation plan 1 of the second embodiment are mixed. FIG. 16A shows the relationship.
The “method of returning anonymized personal information when accessed from an external system” is realized by the access interface 360 and the database system 416 in FIG. The “method of storing anonymized data by performing anonymization processing in advance” is realized by the anonymized database system 415 in FIG. The anonymized database system 415 is similar to the database system 400 of FIG.
[0048]
As described above, in the realization plan 1 according to the second embodiment, since the anonymized personal information is stored in advance, it is possible to quickly respond to the access from the access device 340. Further, since the anonymized personal information is stored in advance, the anonymized personal information can be transmitted to the access device 340 periodically or irregularly regardless of the presence or absence of access.
[0049]
In the information providing apparatus 200 according to the second embodiment, the data ID is generated by the data ID generation unit, and the generated data ID is added to the anonymized personal information. Therefore, the anonymized personal information based on the data ID is used. Can be used.
[0050]
The associative distributed database system 500 according to the second embodiment can associate personal information with different contents while guaranteeing anonymity with respect to personal information with different contents about the same person, and therefore, the utility value of personal information can be reduced. Can be enhanced.
[0051]
In the distributed association database system 500 according to the second embodiment, when personal data information is formed of a plurality of data items, the first combination data creation unit 620 and the second combination data creation unit 720 respectively output the data. Since the respective data items of the first personal data information and the second personal information data are encrypted by different encryption means, it is possible to secure the anonymity of the personal information and to ensure that the individual personal information held by different database systems is maintained. Information can be used effectively by associating it.
[0052]
Embodiment 3 FIG.
Embodiment 3 is a configuration of the system shown in Embodiments 1 and 2 including a search device (an example of a management device) in order to improve convenience. That is, the third embodiment has a configuration in which a new function is added to the first and second embodiments. Therefore, the description is continued as the third implementation following the second implementation of the second embodiment. .
[0053]
Hereinafter, a realization plan 3 according to the third embodiment will be described.
FIG. 17 shows an implementation plan 3 of the distributed data system according to the third embodiment. FIG. 17 is a diagram illustrating the realization plan 4 and the realization plan 5 as well. First, implementation plan 3 will be described with reference to FIG.
FIG. 17 includes a search device 420 (an example of a management device) that manages “type information” indicating which database system stores information required by a searcher. Here, the “type information” means, for example, information that the personal information of the database system 310 relates to personal medical expenses, and the personal information of the database system 320 relates to attendance information in personnel management of a company. Means
It is difficult for the accessor (access device 340) to grasp all of the type information indicating what data is stored in which database system. In order to deal with such a problem, a search device 420 (an example of a management device) that manages which database system stores information required by a searcher is installed in the distributed database system. When the access device 340 specifies information (data) to be searched for in the search device 420, the search device 420 returns to the access device 340 which database system stores the information to be searched. Here, as a means for the search device 420 to manage which database system stores the search target data, a search table such as an address book (to be searched) and a correspondence table of the database system storing the data are used. It can be realized by management.
Here, a plurality of search devices 420 may be installed in the system.
[0054]
Next, as another example, implementation plan 4 will be described.
In the realization plan 3, when the search device 420 has the above-mentioned correspondence table, it is assumed that maintenance of the correspondence table becomes difficult. Therefore, in the realization plan 4, in order to deal with such a problem, in the system shown in FIG. 17, when the access device 340 requests the search device 420 to search the database systems 310, 320, and 330, the search device 420 Inquires of each database system whether or not there is data to be searched, and returns the result to the access device 340.
[0055]
Next, as another example, implementation plan 5 will be described.
In the realization plan 4, when the search request to the database systems 310, 320, and 330 is issued from the access device 340 to the search device 420, the search device 420 makes an inquiry to each of the database systems 310, 320, and 330. It is assumed that the search processing of the database system by the device 420 takes time.
For this reason, in FIG. 17, in the realization plan 5, when a search request for the database systems 310, 320, and 330 is issued from the access device 340, the search device 420 first refers to an internal table provided in the search device 420. If "correspondence between the contents to be searched and the database system storing the data" is registered in the internal table, the registered contents are returned to the access device 340. If not registered in the internal table, the search device 420 makes an inquiry to each of the database systems 310, 320, and 330, returns a result of the inquiry to the access device 340, and updates the internal table of the search device 420. According to the above procedure, the search processing of the database systems 310, 320, and 330 is speeded up, and the maintenance work of the internal table of the search device 420 is made more efficient.
[0056]
Next, as another example, implementation plan 6 will be described.
Implementation plan 6 (not shown) includes target database systems 310 and 320 when the target system is implementation plan 2 (embodiment 1 and implementation plan 1 mixed (FIG. 16A)). An access device which discloses what interface (for example, whether to access using a specific API (Application Program Interface) or to access using a general-purpose API such as SQL (Structured Query Language)) is disclosed. This is a system that the 340 side is aware of. In order to reduce the load on the access device 340, the realization plan 6 adds a management function of the interface information of the database systems 310, 320, and 330 to the realization plan 3 to the realization plan 5.
[0057]
Next, as another example, implementation plan 7 will be described.
FIG. 18 shows implementation plan 7. The realization plan 7 adds a data search function to the search devices 420 of the realization plans 3 to 6, and is positioned as a portal device 430 (an example of a management device). That is, the portal device 430 has a data search function and also has type information indicating what type of personal information the database systems 310, 320, and 330 have.
The access device 340 transmits a search request (an example of a first personal information transmission request) to the portal device 430. Upon receiving the search request, the portal device 430 requests a predetermined database system for a search request (first request) based on the type information of the portal device 430 and the search request received from the access device 340 (an example of a first personal information transmission request). 2) is transmitted. In FIG. 18, the portal device 430 transmits a search request to the database system 310 as a predetermined database system. This is because according to the type information of the portal device 430, it has been found that the database system 310 owns the corresponding information. The database system 310 includes, for example, the information providing apparatus 100 shown in FIG. The information providing apparatus 100 receives a search request (second personal information transmission request) from the portal apparatus 430. The information providing apparatus 100 extracts personal information stored in the personal information storage unit 40 in response to the search request. The data ID generation unit 50 generates a data ID and adds it to the extracted personal information. Then, the transmitting unit 62 transmits the anonymized personal information to the portal device 430. A plurality of portal apparatuses 430 may be installed in the distributed database system.
As described above, in response to the search request received from the access device 340, the portal device 430 searches the database systems 310, 320, and 330 that store the target data, and searches for the target data. , 320, and 330, and returns the search result to the access device 340.
As described above, the portal apparatus 430 has the data search function and stores the type information, so that it is possible to quickly know what personal information is held in which database system. Can be collected.
[0058]
Next, as another example, implementation plan 8 will be described.
In the realization plan 8 (not shown), in the realization plan 7, when a search request for data requiring an inquiry to a plurality of database systems 310, 320, and 330 is made at once, the data ID is assigned to the search result. Is an anonymous distributed database system characterized in that a merge process is provided as a process in the portal apparatus 430.
[0059]
In the third embodiment, since the search device 420 (an example of the management device) is provided, it is possible to efficiently search the personal information from the access device 340 to the database system.
[0060]
Embodiment 4 FIG.
The fourth embodiment is a mode in which an agent function for autonomously patroling each of the database systems 310, 320, and 330 is added to the first to third embodiments in order to improve convenience. Therefore, since additional functions are added to the first to third embodiments, the description is continued as a realization plan 9 following the realization plan 8 of the third embodiment.
[0061]
Hereinafter, implementation plan 9 in the fourth embodiment will be described.
FIG. 19 shows a distributed database system of implementation 9 according to the fourth embodiment. In the following, the realization plans 9 to 13 will be described as a fourth embodiment. The distributed database system of the realization plans 9 to 13 is realized by an agent 440 that autonomously traverses a search for anonymous data. It is characterized by. There is no particular limitation on the processing when the agent 440 detects an abnormality (a path abnormality to the target database system 310, 320, 330, a target database down, etc.).
There is no particular limitation on the processing when the search processing by the agent 440 exceeds a predetermined time.
[0062]
Next, a realization plan 10 will be described as another example of the fourth embodiment.
FIG. 20 shows another realization plan 10 according to the fourth embodiment.
In Implementation 9 above, the agent 440 would need to traverse (worst) all database systems. In order to solve such a problem, in FIG. 20, a function for managing which database system stores information necessary for a searcher (managing the “type information”), The portal device 430 provided with the function of planning the traveling route plan of the agent 440 using the agent 440 is installed in the system.
Here, whether communication between the access device 340 and the portal device 430 is performed by the agent 440 is not particularly limited.
[0063]
Next, as another example, implementation plan 11 will be described.
The realization plan 11 (not shown) does not create a route plan based on only the data to be searched and the database systems 310, 320, and 330 for the above-described realization plan 10, but sends it to the target database systems 310, 320, and 330. This is an anonymous distributed database system characterized by adding a traveling route planning function to the portal apparatus 430 in consideration of a system state (abnormality) at the time of search such as a path abnormality or a database down. However, there is no particular limitation on the means for detecting and updating the configuration control information.
[0064]
Next, as another example, the realization plan 12 will be described.
The realization plan 12 (not shown) is obtained by requesting the realization plan 10 and the realization plan 11 for data that requires inquiries to a plurality of database systems 310, 320, and 330 at one time. An anonymous distributed database system characterized in that an agent 440 performs a merge process on a search result by a data ID.
[0065]
Next, as another example, the realization plan 13 will be described.
The realization plan 13 (not shown) is an anonymous distributed database system in which the functions of the realization plan 10 or the realization plan 11 are provided to the agent 440.
[0066]
In the fourth embodiment, since the agent system is employed as described above, the efficiency of searching for personal information from access device 340 can be improved.
[0067]
As described above, various functions have been described in the first to fourth embodiments. However, “functions that need to be realized when constructing an anonymous (anonymized) database system” and more convenient by realizing Functions and functions leading to efficiency improvement "are summarized below and listed as functions that can be realized in the first to fourth embodiments.
[0068]
1. Anonymous data management
Each of the database systems 310, 320, and 330 is an anonymous distributed database system that manages and controls data in consideration of multiple levels of anonymization levels. For example, based on the following rules, the anonymization processing unit 120 in FIG. 14 anonymizes the personal information stored in the personal information storage unit 110 into different levels, stores the information in the anonymized personal information storage unit 130, and manages the information. I do. In the following cases, “anonymization” includes a case where anonymization is not performed.
That is, the anonymization level is controlled from the authority of the access device 340 or the accessor, the purpose of use, and the like. Here, there is no need for the database systems 310, 320, 330 to manage personal information at the same level of anonymization. For example, the following three anonymization management levels can be considered.
Level 1 is data used in each of the database systems 310, 320, and 330, and has not been subjected to anonymization processing.
Level 2 is anonymized data assuming that it is processed by an external system, but in an internal system, it is data that can identify an individual from a data ID.
Level 3 is anonymized data on the assumption that it is processed by an external system. The anonymized data is data that cannot identify an individual even in the internal system (for example, it is assumed that the data is used as data for performing statistical processing). The level of anonymization is divided into levels 1 to 3 as an example, but is not limited to this, and the level of anonymization can be freely set.
As described above, by dividing personal information into anonymized levels, anonymity can be ensured, and the usability of personal information can be improved.
[0069]
2. Confirmation of securing anonymity
When there are a plurality of access devices 340, the search histories (search conditions and search results) from all the access devices 340 or the accessor are stored, and the access histories are checked based on a rule base. This is an anonymous distributed database system that checks whether anonymity is maintained.
Here, there is no particular limitation on the storage period of the search history and the check period (regular / irregular) of the access history.
[0070]
3. Billing system
Search histories (search conditions and search results) from a plurality of access devices 340 or accessors are stored, and the number of accesses to each of the database systems 310, 320, and 330 or the amount of data of the search results is charged on the access side. This is an anonymous distributed database system that performs calculations.
Similarly, the search history is used to calculate an information provision fee to an information provider (individual / organization) (each database system 310, 320, 330).
[0071]
4. Security
Each device constituting the system has an authentication function and is an anonymous distributed database system characterized by encrypting data flowing on the network 350. For example, communication data is encrypted with a public key, a secret key, or the like, and is decrypted with a public key, a secret key, or the like.
[0072]
5. Function 1 for ensuring anonymity
This is an anonymous distributed database system characterized by adding a function of excluding a search condition leading to “identification of an individual” from data search conditions. A rule base that defines what conditions are excluded is arranged as a function in the access interface 361 of the access device 340, the portal device 430, and the database systems 310, 320, and 330.
[0073]
6. Function 2 for ensuring anonymity
The data returned from each of the database systems 310, 320, and 330 is encrypted using a different key or a different encryption unit for each data item, and the access device 340 or the accessor's authority for the data and the data This is an anonymous distributed database system characterized by providing a mechanism for controlling data items that can be referred to according to the purpose of use. For example, different algorithms or different encryption keys.
In order to realize the function, the access device 340 in the system and the authentication function for the access person are required.
[0074]
7. Function 3 for ensuring anonymity
Giving a unique key to each of the database systems 310, 320, 330, and encrypting search request information (search conditions, etc.) (an example of a personal information transmission request) sent from the access device 340 to the database systems 310, 320, 330. Thus, there is provided an anonymous distributed database system in which a mechanism capable of decrypting search conditions encrypted only in the database systems 310, 320, and 330 to be searched using the unique key is provided. When there are a plurality of search conditions, each condition is encrypted by a different encryption method. For example, different algorithms or different encryption keys. In the case of encryption, encryption may be performed for each search condition as described above, or different encryption may be performed for each database system.
There is no particular limitation on the technology used for encryption / decryption.
[0075]
8. Function 4 for ensuring anonymity
An anonymous distributed database system characterized by adding a mechanism for deleting data search conditions from information held in an agent 440 in exchange for data search results (personal information) when collecting data by the agent method. It is. This will be described with reference to FIG. In FIG. 19, access device 340 sets a plurality of search requests (an example of search conditions) for searching for personal information. Then, the access device 340 generates an agent 440 that circulates the database systems 310, 320, and 330 (an example of a plurality of information providing devices) and collects personal information, and assigns the plurality of search requests to the generated agent 440. And outputs the agent 440. Then, the access device 340 causes the output agent to collect personal information from any of the database systems 310, 320, and 330. When the agent 440 collects personal information from the database system, the agent 440 deletes the search condition used for collecting personal information of the database system.
As described above, the personal information can be efficiently collected by causing the agent 440 to collect the personal information. Further, when the portal device 430 collects personal information, the agent 440 deletes the search condition for collecting the personal information. Therefore, the agent 440 must own the search result and the search condition used for the search result at the same time. Therefore, even when the agent 440 collects personal information, anonymity can be ensured.
[0076]
9. Function 5 for ensuring anonymity
Judging the number of data in the search result, if the number is less than or equal to the predetermined number, or if the number is less than the predetermined number, there is a possibility that anonymity cannot be guaranteed, so an anonymous distributed database system characterized by not returning the search result is there.
The predetermined number is set in each of the database systems 310, 320, 330.
[0077]
10. Function 6 for ensuring anonymity
Determine the data ratio of the search results, if the ratio is less than the predetermined ratio, or if less than the predetermined ratio, there is a possibility that anonymity can not be guaranteed, so anonymous distributed database system characterized by not returning the search results is there.
Here, the setting of the population as a base of the ratio and the predetermined ratio can be set in each of the database systems 310, 320, and 330.
[0078]
11. Function 7 for ensuring anonymity
An anonymous distributed database characterized in that “9. Function 5 for ensuring anonymity” and “10. Function 6 for ensuring anonymity” are simultaneously provided to database systems 310, 320, and 330. System.
[0079]
12. Function 8 for ensuring anonymity
Anonymous distribution characterized by a mixture of database systems 310, 320 and 330 having the functions of "9. Function 5 for ensuring anonymity" to "11. Function 7 for ensuring anonymity". It is a database system.
[0080]
13. Function 9 for ensuring anonymity
This is an anonymous distributed database system that does not return the search result itself if the predetermined data item of the search result contains predetermined specific data, since anonymity may not be guaranteed. For example, if "leukemia" is included as a data item of the medical history, it may be assumed that it is not returned.
Here, in each of the database systems 310, 320, and 330, what data item is to be excluded when what data is included is set.
[0081]
14． Function 10 for ensuring anonymity
If the specified data item in the search result contains specified specific data, anonymity may not be guaranteed, so the anonymized data is returned after deleting the relevant data from the search result. It is an anonymous distributed database system.
Here, in each of the database systems 310, 320, and 330, what data item is to be excluded when what data is included is set.
[0082]
15. Function 11 for ensuring anonymity
This will be described with reference to FIG. This function is an additional function to the function of the portal device 430 described in the realization plan 7. In FIG. 18, the portal device 430 can secure anonymity of the search results (anonymized personal information) sent from the database systems 310, 320, and 330 in FIG. It is a function to determine whether or not there is.
Specifically, the portal device 430 (an example of a management device) in FIG. 18 performs the functions of “9. Function 5 for ensuring anonymity” to “14. Function 10 for ensuring anonymity”. Have. When the portal apparatus 430 receives a search result (anonymized personal information) from the database systems 310, 320, 330, etc., the portal apparatus 430 receives the search results from the respective database systems 310, 320, 330 using the above-described functions. For each search result, whether or not anonymity can be guaranteed is determined based on a predetermined criterion. If the portal device 430 determines that anonymity can be guaranteed, the portal device 430 transmits the search result to the access device 340. This is an anonymous distributed database system characterized by the above. With the above function, when the portal apparatus 430 receives a plurality of search results (anonymized personal information) from the plurality of database systems 310, 320, 330, etc., the anonymity of the personal information from each database system is ensured. can do.
In addition, for the search result (anonymized personal information) transmitted from each of the database systems 310, 320, and 330, which is a function of the portal apparatus 430 described above, anonymity can be secured for each search result. "Determining whether or not it is possible" can be provided to the agent 440 of the implementation plans 9 to 13 described above. That is, when the agent 440 collects the search results (anonymized personal information) from the database systems 310, 320, 330, etc., the above-mentioned “9. Function 5 for ensuring anonymity” to “14. For each search result collected from each of the database systems 310, 320, and 330, it is determined based on a predetermined criterion whether or not anonymity can be guaranteed, using the respective functions of the "function 10 for ensuring sex". If the agent 440 determines that anonymity can be guaranteed, the agent 440 transmits the search result to the access device 340.
[0083]
16. Function 12 for ensuring anonymity
This will be described with reference to FIG. This function is an additional function of the portal apparatus 430 in the realization plan 7, similarly to the above “15. Function 11 for ensuring anonymity”. In FIG. 18, the portal apparatus 430 associates search results (anonymized personal information) from a plurality of database systems 310, 320, and 330, and checks whether the anonymity can be ensured as a result of the association. For example, anonymity can be ensured if the search result is only the database system 310, but anonymity may not be ensured if a plurality of search results of the database system 310 and the database system 320 are associated with each other. It is a function that assumes this.
If the anonymity cannot be secured, the portal device 430 does not return the search result to the access device 340, and is an anonymous distributed database system. Any search result or combination of data items for which anonymity cannot be ensured can be freely set.
With the above functions, personal information can be efficiently used by associating personal information with each other while ensuring anonymity of search results (anonymized personal information) from a plurality of database systems.
It should be noted that the function of the portal apparatus 430 described above is "associating search results (anonymized personal information) from a plurality of database systems 310, 320, and 330, and checking whether anonymity can be ensured as a result of the association. This can be provided to the agents 440 of the realization plans 9 to 13 described above.
[0084]
17. Function 13 for ensuring anonymity
This function is also an additional function of the portal device 430 in the realization plan 7 shown in FIG. The above-mentioned “16. Function 12 for ensuring anonymity” is that the portal device 430 checks the search results obtained from the database systems 310, 320, 330 in association with each other. The “17. Function 13 for ensuring anonymity” is a function in which the portal device 430 checks the anonymity assurance by associating search results obtained from the database system 310 or the like around a certain time. That is, the portal device 430 (an example of the management device) stores, as a history, search results (anonymized personal information) received in the past from the database system 310 or the like. When a new search result that is not a history is received from the database system 310 or the like, the search result that is not a history is associated with the history. If the portal device 430 determines that the anonymity of the newly received search result can be ensured also by associating, the portal device 430 newly receives the search request (first personal information transmission request) by the access device. Send search results (anonymized personal information). For example, as described in “16. Function 12 for securing anonymity”, it is possible to assume that anonymity cannot be secured by associating search results of the database systems 310, 320, and 330, This is because it is possible to assume that anonymity cannot be ensured by associating the search result only with the database system 310 with a past search result (search history).
As described above, since the portal apparatus 430 stores the search results received in the past as a history and determines whether or not the anonymity can be secured in association with the newly received search results, the anonymity is secured including the past search history. be able to.
[0085]
18. Data ID generation means 1
The data ID is an ID for specifying data based on a certain standard such as a data source, and is a key for associating data retrieved from the multiple database systems 310, 320, and 330. Therefore, information that can identify an individual must not be generated from the data ID. Here, anonymous data is generated by converting the information (personal name, gender, date of birth, address, etc.) held in each of the database systems 310, 320, 330 equally according to a predetermined rule and generating a data ID. Is a simple distributed database system.
[0086]
19. Data ID generation means 2
As the conversion target item of the data ID (and one item thereof) or the data conversion key (and one item thereof), some time information (data search request time is assumed. An example of unique information) is included. This is an anonymous distributed database system.
[0087]
20. Data ID generation means 3
As a data ID conversion target item (and one item thereof) or a data conversion key (and one item), a data search request terminal (an example of an access sender ID) or a search requester ID (An example of an access sender ID) is included in the anonymous distributed database system.
[0088]
21. Data ID generation means 4
An anonymous distributed database system is characterized by a data ID generating means in which the data ID generating means 2 and the data ID generating means 3 are combined.
[0089]
22. Data ID generation means 5
This is an anonymous distributed database system characterized in that a plurality of data ID generating means exist in one system.
Although it is physically one distributed database system, it is realized by treating it as a plurality of logical subsystems.
[0090]
23. Processing means 1 in the case of mixed use of personal information for other purposes
This is an anonymous distributed database system that requires permission for other purposes of personal information and does not return any personal information without permission (even if anonymized). Here, “other purpose use” means a case where the purpose is different from the originally planned use and is used for another purpose. For example, there is a case where personal information that is to be used to check the transition of medical expenses of a group is used for another purpose such as personal health guidance.
[0091]
24. Processing means 2 in the case where permission for use of personal information for another purpose is mixed
An anonymous distributed database system characterized by controlling an anonymization level (anonymization level in "1. Anonymous data management means") to be returned to the access device 340 depending on whether or not permission is granted for another use of personal information. It is. For example, the personal information storage unit 110 of the information providing apparatus 200 in FIG. 14 stores both personal information for which use of personal information has been licensed and personal information for which use has not been licensed. . The anonymization processing unit 120 performs a predetermined level of anonymization processing depending on the presence or absence of a license. If the license is granted, an anonymization process such as level 2 in the above-mentioned “1. Anonymous data management means” is performed. Alternatively, if the personal information is licensed to use freely without any restrictions, the anonymization process is performed as in Level 1 of “1. Anonymous data management means” described above. It may be transmitted to the access device 340 without performing. On the other hand, when the license has not been received, the level of anonymization is increased, and for example, the information is used only as statistical information as in level 3 in “1. Anonymous data management means” described above. In this respect, this is different from the above-mentioned "23. Processing means 1 in a case where the presence / absence of permission for use of personal information for another purpose is mixed" where personal information without permission is not returned.
As described above, by changing the level of the anonymization process depending on whether or not the use of the personal information is permitted, the personal information can be widely and effectively utilized while ensuring the anonymity of the personal information.
[0092]
25. Means to identify individuals from data ID
Each of the database systems 310, 320, and 330 is an anonymous distributed database system characterized by having a mechanism for specifying an individual from a data ID.
An individual is specified by means for searching for data that can generate a data ID equal to a given data ID for data stored in a database system in a data ID generation process.
[0093]
26. Means 1 for non-authorized persons to identify individual from data ID
An anonymous distributed database system (extended function of "25. Means for specifying an individual from a data ID") characterized in that a function for specifying an individual from a data ID cannot be installed in the same device as the data search function. .
[0094]
27. Means 2 for non-authorized persons to identify individual from data ID
Select a unit that generates a data ID using items that do not exist in each of the database systems 310, 320, and 330, such as a search request time (an example of unique information) and an identifier for identifying a search requester (an example of unique information). In addition, an anonymous distributed database system is characterized in that data items that are essential when generating these data IDs are encrypted and transmitted to the database system. By adding unique information possessed only by the access device 340 side, for example, "search request time" or "identifier for identifying a search requester", a predetermined database system or a user other than a predetermined operator in the database system is added. Makes it impossible to identify an individual from the data ID.
That is, in each of the database systems 310, 320, 330, etc., data items of personal information used for generating a data ID include a personal name, gender, date of birth, address, and the like. In addition, information such as the search request time, which is possessed only by the access device 340, is added as a data item for generating a data ID.
Specific application will be described by taking the “process of application to intervention service” described in the first embodiment as an example. Hereinafter, the data ID generation and the comparison ID generation will be mainly described with reference to FIGS. 3 and 5.
(1) In FIG. 5, the health insurance union requests a consulting company (access device 340) to analyze and investigate what kind of individual and what kind of health promotion intervention service should be provided. . Based on this request, the consulting company transmits a request for transmitting personal information of personal information such as, for example, receipt information to the health insurance union database system 370. This personal information transmission request includes a search condition for searching for personal information and a search request time at the time of transmission (an example of unique information).
(2) The information providing apparatus 100 (FIG. 3) of the health insurance union database system 370 extracts the personal information when receiving the personal information transmission request, and the data ID generation unit 50 generates the data ID. In the data ID generation by the data ID generation unit 50, the search request time (an example of unique information) received from the access device 340 is an essential data item for data ID generation. The information providing apparatus 100 adds a data ID to personal information (reception information in FIG. 5) and transmits the personal information to the access device 340. The transmitted personal information includes the receipt information of “Dasf104”, which is a data ID of “Taro Mitsubishi”.
(3) The access device 340 sends a search request for attendance information to the personnel database system 380 in order to analyze and investigate in association with the anonymized receipt information collected from the health insurance union database system 370. The personnel database system 380 transmits the anonymized attendance information to the access device 340 in response to the search request. The anonymized attendance information transmitted by the personnel database system 380 includes attendance information of “Dasf104”.
(4) The access device 340 analyzes the receipt information of the health insurance union database system 370 and the attendance information of the personnel database system 380. Then, "Dasf104" is determined as a reserve for lifestyle-related diseases. The access device 340 holds this analysis result as analysis information. Then, the consulting company (the access device 340) transmits the analysis information (an example of the access device information) to the health insurance union database system 370 in order to respond to the analysis and survey request from the health insurance union. The analysis information includes the search request time previously transmitted at the time of the search request from the access device 340 to the health insurance union database system 370.
(5) In the information providing apparatus 100 of the health insurance union database system 370, the comparison ID generation unit 51 uses the personal information storage unit 40 to identify the “Dasf104” received from the access device 340 as an individual. Using the personal information to be stored and the search request time included in the analysis information (an example of the access device information), a comparison ID for identifying the individual is generated in comparison with “Dasf104”. In this case, the search request time included in the analysis information is indispensable data for generating the comparison ID, and the comparison ID cannot be generated without the search request time. For example, when the comparison ID is determined to be “Dasf104” based on the personal information of “Mitsubishi Taro” and the search request time, it is determined that the individual who needs intervention is “Mitsubishi Taro”.
As described above, according to the present means, it is possible to ensure the anonymity of personal information by preventing a person other than a predetermined database system or a predetermined operator from specifying a data ID.
[0095]
28. Means 3 for non-authorized persons to identify individual from data ID
The above-mentioned “26. Means 1 for non-authorized persons to identify individuals from data ID” and “27. Non-authorized persons cannot identify individuals from data ID” Means 2 in combination with the above means 2.
[0096]
29. Means 4 for non-authorized persons to identify individual from data ID
An anonymous distributed database system characterized in that, when a data ID is generated by a request other than a search request from the access device 340, data of an individual who is not permitted to use the personal information for another purpose cannot be generated. .
[0097]
Embodiment 5 FIG.
Embodiment 5 will be described with reference to FIGS. In the fifth embodiment, five application examples in which the system described in the first to fourth embodiments is applied to a system in a specific business will be described.
[0098]
First, a sample data providing system will be described below as an application example of the first to fourth embodiments. FIG. 21 is a diagram showing an outline of the sample data providing system.
FIG. 21 shows a model in which personal information of the real world accumulated by the information collector 454 is anonymized and provided to information users 453 such as research institutions and consulting companies. The sample data providing system includes five users: an information user 453, an information collector 454, an information provider 455 (licenser) (individual / organization), a company 452, and a system operator (constructor) 451.
The information user 453 is assumed to be an individual or an organization who wants real-world data when conducting research or the like. As shown in FIG. 21, the information user 453 pays an information providing fee to the information collector 454 and a system usage fee to the system operator (constructor) 451 as a price for obtaining the information. As each cost, a pay-as-you-go system and a flat-rate system can be considered.
The information collector 454 originally collects and accumulates personal information only for the purpose of proceeding with his / her own work. By applying the first to fourth embodiments to the stored information, it is possible to guarantee anonymity and to provide anonymized personal information to other organizations. The information collector 454 can receive an information provision fee from the information user 453 as a price for providing information. Here, as the means for calculating the information provision fee, a pay-as-you-go system based on the amount of information of the provided data and the number of times of searching by the accessor and a flat-rate system for connection to the system itself can be considered. Further, as indirect advantages, it is conceivable that the relationship with the information user 453 is strengthened, and the provision of information to the information user 453 itself can be used for commercial advertisement.
When the individual who is the information provider 455 (licenser) and the organization to which the individual belongs perform some social activity, personal information is accumulated by the information collector 454. In the case of this example, since the anonymization of personal information is guaranteed by applying the first to fourth embodiments, it is considered that individual consent for the purpose use of data is unnecessary. In the sample data providing system, there is no explicit return to the information provider 455 (licenser) (individual / organization).
The company 452 in the sample data providing system is assumed to be a for-profit organization that provides devices and services related to the information user 453. By providing corporate advertisements on search screens, search result display screens, e-mails, etc., we will provide opportunities for sales expansion. The company 452 pays the advertisement fee as the price. A similar advertisement may be given to the information collector 454 and the information provider 455.
The system operator (constructor) 451 provides the platform to the four parties. The system usage fee will be collected in return. In addition, an advertisement fee is collected by providing the company 452 with a sales expansion opportunity. Further, an information providing fee is collected from the information user 453 and distributed to the information collector 454. It is also assumed that the platform will be built using public funds such as grants, subsidies, and consignments.
[0099]
As described above, in the application example of the sample data providing system, the protection of personal information can be solved by applying the first to fourth embodiments.
For the construction of the billing function, a billing rule is created. If necessary, a mechanism for counting the number of accesses to each database system 310 or the like by the portal device 430 is constructed, or a mechanism for counting the amount of data retrieved from each database system 310 or the like by the portal device 430 is constructed. It is also possible to do.
The information presentation means such as advertisements is realized by a function of displaying an advertisement as a burner on a search request screen (Web screen image), a function of displaying an advertisement as a burner on a search result download screen (Web screen image), and the like. be able to.
[0100]
Next, two types of health care systems will be described below as a second application example of the first to fourth embodiments. First, a health care system example 1 will be described as a first application example. FIG. 22 is a diagram showing an outline of the first example of the health care system.
A first example of a health care system, which is a first example of the health care system, will be described with reference to FIG.
FIG. 22 is a diagram for analyzing various information of an individual and an organization to which the individual belongs to evaluate the health of the individual and the organization, and to improve the health of the individual and the organization, or A model for implementing an intervention service to maintain In the first example of the health care system, the main purpose is to improve the health of the group such as the health insurance union, mainly by the information collector 454 of the health insurance union.
Unlike the sample providing system described with reference to FIG. 21, the analysis result is fed back to the individual in some form, so that the individual is required to use the personal information for another purpose and to provide the intervention service.
Examples of the healthcare system 1 include an information user 453 (consulting company), an information collector 454, an information provider 455 (licenser) (individual / organization), an information provider 457 (non-licensor), and service provision. Six persons, a company 458 and a system operator 451, appear.
A health insurance union, a company (human resources), an industrial physician, and the like are assumed as the information collector 454 in the first example of the health care system. By getting the intervention service on track, the health insurance union, which is the information collector 454, can benefit from reducing medical expenses, and companies can benefit from more efficient work. In operating the healthcare system example 1, each information collector 454 uses personal information for other purposes from all information providers 455 (licensers) (individuals) (however, information use is limited to healthcare-related purposes). ) And the need to obtain permission for the implementation of intervention services. The information collector 454 sends the anonymized data to a consulting company (information user 453), which is a third party, and requests data analysis. Representatives of the analysis are health assessments and trends of individuals and organizational units within a company, as well as surveys of disease reserves. Here, the personal information for which the use of the personal information for another purpose is not obtained is used only as statistical information.
The information collector 454 (for example, assuming a health insurance union) transmits a data ID of a person who is a reserve sick force from a consulting company (organization) that is the information user 453, and when the data ID is transmitted to any individual, In order to specify whether the data ID indicates the data ID, a data ID is generated based on personal information held by the user, the generated data ID is collated with the transmitted data ID, and a matching individual is specified. The identified individuals will be provided with a health promotion service (excluding non-licensors) in order to take measures to improve the reserve illness. Here, the health promotion service may be outsourced to the service providing company 458, and in this case, information on the illness reserve is provided to the service providing company 458.
That is, the consulting company (organization) as the information user 453 analyzes the anonymized data based on the request from the information collector 454 (for the time being a health insurance union is assumed). As a result of the analysis, the health evaluation of the organization and the health evaluation of the individual are returned to the information collector 454. In other words, the consulting company (organization) examines whether there is a reserve army for diseases such as lifestyle-related diseases and adult diseases, and if it is determined that there is a reserve army, sends the target person to the information collector 454 by data ID. Report. Considering that the anonymization may not be guaranteed, the consulting company (organization) should not disclose to the requester (in this case, the health insurance union) the reasons for selecting a reserve illness, etc. Shall not.
Here, if any one of the consulting company (organization) and the information collector 454 matches, it is necessary to impose a confidentiality obligation on the organization in charge of the analysis and / or the person in charge by contract or the like. In the consulting company (organization), the fee for the analysis request from the information collector 454 becomes income.
The service provider 458 entrusted by the information collector 454 performs an intervention service for the individual and the organization to which the individual belongs according to the target person information obtained from the information collector 454. Exercise guidance, nutrition guidance, smoking cessation guidance, and the like are assumed for the intervention service, and there are cases where costs are collected from individuals according to the content of the provided service. In addition, as part of the intervention service, mediation of athletic gyms, mediation of catering companies, etc. are performed, and kickbacks from these companies can be assumed as sources of income.
In addition, when it is clear that the medical cost of the health insurance and the improvement of the work efficiency are obvious, it is possible to assume that a predetermined ratio of the reduction is used as the performance reward.
The system operator 451 is entrusted by the information collector 454 or the service provider 458, and operates a system that performs anonymization of personal information and the like. However, the system operator 451 may be the same as the information collector 454 or the service provider 458.
The information provider 455 (licenser) (individual / organization) is assumed to be an individual who is permitted to use personal information for another purpose and to provide an intervention service. Since the organization that is the information provider 455 (licenser) in the healthcare system example 1 is assumed to match the information collector 454 (or a part thereof), the organization rarely denies it. Conceivable. Individuals can obtain information on health improvement and maintenance at low cost (or free of charge), and can expect a discount on exercise gyms and catering companies, etc., which were provided by the intervention service, and a part of the cost of health insurance unions.
It is assumed that the information provider 457 (non-licensor) is an individual who has not permitted the use of personal information for another purpose and the provision of the intervention service.
[0101]
As described above, in the application example of the first example of the health care system, the assurance of anonymity for the actual data provided by the information collector 454 can be solved by applying the first to fourth embodiments.
The means for associating anonymized data from a plurality of information collectors 454 can be solved by applying the first to fourth embodiments.
The function for specifying an individual from the data ID and the means for securing anonymity at that time need to be realized when constructing the “anonymous (anonymization) / database system” described in the fourth embodiment. And 25. Means for specifying an individual from a data ID, and 26. Individuals other than authorized persons from a data ID. Means for preventing the identification of the individual from the data ID "," 27. means 2 for the individual other than the authorized person to identify the individual from the data ID "," 28. Means 3 for the individual other than the authorized person to identify the individual from the data ID "," 29. This can be solved by using means such as "Means 4 for preventing anyone other than the authorized person from identifying the individual from the data ID."
As for the health evaluation means, there is “health degree” as a health evaluation means for an individual, and it is assumed that the health degree is applied. When applying health to a group, it is assumed that the health of individuals is accumulated.
As for the means of evaluating the effect of applying the intervention service, a consulting company (organization) is periodically requested to analyze the health of the organization. In addition, it manages the provision history of the intervention service (reporting obligation from the service providing company 458 and accumulation thereof). The information is analyzed by a consulting company (organization).
Regarding the handling of personal data that does not consent to the provision of information, and the construction of a function to handle mixed data, it is necessary to realize the "anonymous (anonymized) database system" described in the fourth embodiment. And “Functions that will be more convenient and more efficient when implemented” and “Processing means 1 when mixed use of personal information for other purposes” and “24. This can be solved by using the "processing means 2 in the case where permission / non-use of information for other purposes is mixed".
In addition, there is no particular limitation on an evaluation method for indirect merits such as reduction of medical expenses and improvement of productivity.
[0102]
Hereinafter, a second example of the healthcare system, which is the second case in which the first to fourth embodiments are applied to healthcare, will be described. FIG. 23 is a diagram illustrating a system of a health care system example 2. The health care system example 2 assumes a case where an individual requests a consulting company. In this example, in the past, the intervention policy for individuals was determined based on the know-how held by the consulting company, but in addition to that, it became possible to obtain information such as the characteristics of the organization to which the individual belongs and the medical history of the individual, The consulting company (corresponding to the information user 453; the same applies hereinafter) can provide detailed advice in consideration of these information. By analyzing the health status of a group belonging to the same organization, a consulting company investigates the presence or absence of external factors that are often unattractive for individuals, and expands the opportunity to discover factors that were not previously noticed.
The health care system example 2 includes five persons: a requester 460, an information user 453 (consulting company), an information collector 454, an information provider 455 (licenser) (individual / organization), and a system operator 451. I do.
The client 460 requests a consulting company (organization) to provide services related to health and the like. Here, it is assumed that the requester 460 is a member of the information provider 455 (licenser) (individual / organization).
The consulting company (organization), which is the information user 453, analyzes the individual client and the organization to which the client 460 belongs based on the request from the client 460. According to the analysis result, a policy of intervention to the client 460 or advice is determined.
In the case of using the healthcare system example 2, the consulting company may cause a cost increase, such as payment of a system usage fee to the system operator 451 and payment of an information provision fee to the information collector 454. Since significant information to be analyzed, such as personal information, can be obtained, the accuracy of know-how held as a consulting company can be expected to be improved, and medical cost reduction and the like can be expected.
The system operator 451 collects a system usage fee from a consulting company (organization) and operates and maintains the system. The position of the system operator 451 is not much different from the sample data providing system.
The information collector 454 collects an information provision fee as a consideration for providing anonymized information to the consulting company. Here, the information provided to the consulting company is anonymized actual data and used as statistical data, and is information of the client 460 himself, and the information provider 455 (licensor) (all members) is not permitted to use other purposes. We think it is unnecessary.
The information provider 455 (licenser) receives a service that the information collector 454 performs as a normal task, and personal information is accumulated in the information collector 454.
[0103]
As described above, in the application example of the healthcare system example 2, assurance of anonymity for the actual data provided by the information collector 454 can be solved by applying the first to fourth embodiments.
Means for associating anonymized data from a plurality of information collectors 454 can be solved by applying the first to fourth embodiments.
The construction of the billing function is the same as that of the sample data providing system. That is, for the construction of the billing function, a billing rule is created. If necessary, a mechanism for counting the number of accesses to each database system 310 or the like by the portal device 430 is constructed, or a mechanism for counting the amount of data retrieved from each database system 310 or the like by the portal device 430 is constructed. It is also possible to do.
[0104]
Next, two types of intervention service evaluation systems will be described as other application examples of the first to fourth embodiments. First, a first example of an intervention service evaluation system example 1, which is a first example, will be described. FIG. 24 shows an outline of the first example of the intervention service evaluation system.
The effectiveness of intervention services and the like is evaluated by managing the history of the health status (health evaluation results) of the group or individual. Embodiments 1 to 4 are used for acquiring data for evaluating an intervention service. 24 is a service providing company 458, an information collector 454 (consignment source), an information provider 455 (licenser) (individual / organization), a system operator 451, and a service evaluating company 461. 5 people appear.
As in the first example of the health care system, the information collector 454 entrusts an intervention service for the individual to the service provider 458. Further, the information collector 454 requests the service evaluation company 461 to evaluate the service provided by the service provider 458. The service evaluation company 461 is provided with anonymized data of the information provider 455 (licenser) (individual / organization). Since there is no need to specify the individual from the data, it is considered that the information provider 455 (licenser) (individual) does not need to grant personal information for other purposes.
The information provider 455 (licenser) (individual / organization) receives the service from the service provider 458.
The service providing company 458 provides an intervention service to an individual in accordance with a consignment from the information collector 454.
The service evaluation company 461 periodically obtains anonymized information of the information provider 455 (licenser) (individual / organization) from the information collector 454, and analyzes and evaluates a trend of a health condition as a group or an individual. I do. The result is presented to the information collector 454 as an evaluation of the service provider 458.
The system operator 451 provides a platform for anonymizing data communication between the information collector 454 and the service evaluation company 461. A system usage fee is collected from the service evaluation company 461 as a consideration for the operation and maintenance of the system.
[0105]
As described above, in the application example of the first example of the intervention service evaluation system, the assurance of anonymity for the actual data provided by the information collector 454 can be solved by applying the first to fourth embodiments.
Means for associating anonymized data from a plurality of information collectors 454 can be solved by applying the first to fourth embodiments.
In the construction of the function of evaluating the degree of health for a group, there is “health degree” as a means of evaluating health for an individual, and application of the degree of health is assumed. As for the health of a group, it is assumed that the health of individuals is accumulated.
The means for evaluating the effect of applying the intervention service accumulates the health of the group and evaluates trends.
[0106]
A second intervention evaluation service system to which the first to fourth embodiments are applied will be described below.
FIG. 25 shows an example of the structure of the intervention service evaluation system 2. In FIG. 25, the service evaluation company 461 performs not only the evaluation of the service providing company 458 but also the consulting to the service providing company 458. The basic mechanism required for the intervention service evaluation system 2 is the same as that of the intervention service evaluation system 1 in FIG.
The service evaluation company 461 evaluates the effectiveness of an intervention service or the like by managing the health state (health evaluation result) of the service providing group of the service providing company 458 and its history. The service evaluation company 461 presents, to the service provider 458, the presence / absence of the ineffective item based on the result and the content, and advises on the countermeasure.
Embodiments 1 to 4 are used for acquiring data for evaluating an intervention service. The intervention service evaluation system 2 includes a service provider 458, an information collector 454 (consignment source), an information provider 455 (licensor) (individual / organization), a system operator 451, and a service evaluation company 461. To appear.
The information collector 454 provides the service evaluation company 461 with anonymized data of the information provider 455 (licenser) (individual / organization). As a price, an information provision fee can be collected. Since there is no need to specify the individual from the data, it is considered that the information provider 455 (licenser) (individual) does not need to grant personal information for other purposes.
The information provider 455 (licenser) (individual / organization) receives the service from the service provider 458.
Service provider 458 provides intervention services to individuals. The service providing company 458 requests the service evaluation company 461 for consulting on a service provided by the service providing company 458.
The service evaluation company 461 periodically obtains anonymized information of the information provider 455 (licenser) (individual / organization) from the information collector 454, and analyzes and evaluates the trend of the health condition as a group. Here, an information provision fee is paid to the information collector 454 as a price for obtaining the information. Based on the result, consulting is performed to the service providing company 458.
The system operator 451 provides a platform for anonymizing data communication between the information collector 454 and the service evaluation company 461. A system usage fee is collected from the service evaluation company 461 as a consideration for the operation and maintenance of the system.
[0107]
As described above, in the application example of the intervention service evaluation system example 2, assurance of anonymity with respect to actual data provided by the information collector 454 can be solved by applying the first to fourth embodiments.
The means for associating anonymized data from a plurality of information collectors 454 can be solved by applying the first to fourth embodiments.
As for the construction of a function for evaluating the degree of health for a group, there is “health degree” as a means of evaluating health for an individual, and application of the degree of health is assumed. However, as for the health of the group, it is assumed that the health of individuals is accumulated.
As for the means of evaluating the effect of applying the intervention service, the health of the group is accumulated and the trend is evaluated.
[0108]
In the fifth embodiment, a new service based on the use of personal information is provided by applying a system that can promote the use of personal information to a business by guaranteeing anonymization and associating personal information with business. New business can be provided.
[0109]
【The invention's effect】
ADVANTAGE OF THE INVENTION According to this invention, privacy regarding personal information is highly ensured and personal information can be used effectively. In addition, by associating personal information about the same person stored in a plurality of database systems, it is possible to effectively use personal information.
[Brief description of the drawings]
FIG. 1 is a diagram illustrating an example of a system configuration according to a first embodiment;
FIG. 2 is a diagram showing an outline of implementation of the first embodiment.
FIG. 3 is a diagram showing a configuration of an information providing apparatus 100 according to the first embodiment.
FIG. 4 is a diagram showing a flow when a transmission request for personal information is received.
FIG. 5 is a diagram illustrating a system application example in which the first embodiment is applied to an intervention service.
FIG. 6 is a diagram showing an example of a search condition.
FIG. 7 is a diagram in which a part of a search condition is deleted.
FIG. 8 is a diagram showing search results from a database.
FIG. 9 is a diagram showing assignment of a data ID.
FIG. 10 is a diagram illustrating how privacy-related information is deleted.
FIG. 11 is a diagram showing functions of a system according to the first embodiment.
FIG. 12 is a diagram showing an outline of a system configuration according to a second embodiment.
FIG. 13 is a diagram showing a realization plan 1;
FIG. 14 is a diagram showing a configuration of an information providing apparatus 200.
FIG. 15 is a diagram showing a configuration of an association distributed database system 500.
FIG. 16 is a diagram showing a realization plan 2;
FIG. 17 is a diagram illustrating implementation plans 3 to 5;
FIG. 18 is a diagram showing a realization plan 7;
FIG. 19 is a diagram showing a realization plan 9;
FIG. 20 is a diagram showing a realization plan 10;
FIG. 21 is a diagram showing a configuration of a sample data providing system.
FIG. 22 is a diagram illustrating a configuration of a health care system example 1;
FIG. 23 is a diagram illustrating a configuration of a health care system example 2;
FIG. 24 is a diagram illustrating a configuration of an example 1 of an intervention service evaluation system.
FIG. 25 is a diagram showing a configuration of an intervention service evaluation system example 2.
[Explanation of symbols]
Reference Signs List 10 receiving unit, 11 authentication unit, 12 decryption unit, 20 search condition confirmation unit, 30 personal information extraction unit, 40 personal information storage unit, 50 data ID generation unit, 51 comparison ID generation unit, 60 search result determination unit, 61 encryption Creation unit, 62 transmission unit, 70 rule storage unit, 80 charging unit, 100 information providing device, 110 personal information storage unit, 120 anonymization processing unit, 121 data ID generation unit, 130 anonymized personal information storage unit, 140 reception unit , 150 transmitting unit, 200 information providing device, 310, 320, 330 database system, 340 access device, 350 network, 360, 361 access interface, 370 health insurance union database system, 380 human resources database system, 390 industrial physician database system, 400, 410 database system, 41 Anonymous database system, 416 database system, 420 search device, 430 portal device, 440 agent, 450 country, 451 system operator, 452 company, 453 information user, 454 information collector, 455 information provider, 457 information provision 458 service provider company, 460 requester, 461 service evaluation company, 500 association distributed database system, 600 first private database device, 610 first identifier generation unit, 620 first combination data creation unit, 630 first storage unit, 700 second private database device, 710 second identifier generation unit, 720 second combination data generation unit, 730 second storage unit, 800 database access device, 810 identifier verification unit, 820 Over data storage unit.

Claims (26)

An information providing device capable of communicating with an access device via a network and providing information to the access device based on a request from the access device,
A personal information storage unit for storing personal information about an individual,
A receiving unit that receives a personal information transmission request including a search condition for searching for personal information from the access device,
The receiving unit confirms a search condition included in the personal information transmission request received, and when the search condition included in the personal information transmission request includes a condition capable of specifying an individual, a condition capable of specifying the individual Is deleted and the search condition from which the condition capable of identifying the individual is deleted is output as the search condition after confirmation.If the condition capable of identifying the individual is not included in the search condition included in the personal information transmission request, the A search condition checking unit that outputs the search condition included in the personal information transmission request as a search condition after checking the search condition as it is,
A personal information extraction unit that searches the personal information storage unit based on the inputted search condition after confirmation and outputs the personal information based on the inputted search condition after confirmation output by the search condition confirmation unit;
Using the personal information extracted by the personal information extraction unit, a data ID for identifying the extracted personal information is generated according to a predetermined rule, and a data ID generation for giving the generated data ID to the extracted personal information Department and
The personal information extraction unit determines whether or not an individual can be identified from the personal information to which the data ID has been extracted and to which the data ID has been assigned, and determines that the individual cannot be identified. An information providing device, comprising: a search result determining unit that transmits the personal information to the access device. The personal information storage unit,
Storing personal information comprising at least one data item for an individual,
The search result determination unit includes:
When it is determined that the extracted personal information includes a data item capable of identifying an individual, the data item capable of identifying the individual is deleted and the personal information is transmitted to the access device. The information providing device according to claim 1, wherein The personal information storage unit,
Storing personal information comprising at least one or more data items having predetermined contents with respect to an individual,
The search result determination unit includes:
2. The method according to claim 1, wherein when it is determined that the content of the data item of the personal information extracted by the personal information extraction unit can specify an individual, the content of the data item is deleted and transmitted to the access device. Information providing device. The personal information storage unit,
Storing personal information comprising at least one or more data items having predetermined contents with respect to an individual,
The search result determination unit includes:
2. The information providing apparatus according to claim 1, wherein when the personal information extracting unit determines that the content of the data item of the personal information extracted can identify the individual, the extracted personal information is not transmitted to the access device. apparatus. The search result determination unit includes:
When the personal information extracting unit extracts the personal information of a plurality of persons, when the number of the extracted personal information of the plurality of persons is equal to or less than a predetermined number, the personal information of the plurality of persons is not transmitted to the access device. The information providing device according to claim 1, wherein: The personal information storage unit,
Memorize personal information about individuals belonging to a given group,
The search result determination unit includes:
When the personal information extraction unit extracts the personal information of a plurality of persons, the number of the extracted personal information of the plurality of persons is converted into a ratio to the total number of the group to which the plurality of persons belong, and the converted value is a predetermined value. 2. The information providing apparatus according to claim 1, wherein the extracted personal information of the plurality of persons is not transmitted to the access device in the following cases. The data ID generation unit includes:
A comparison ID generation unit configured to generate a comparison ID to be compared with a data ID generated using the personal information extracted by the personal information extraction unit by using the personal information stored in the personal information storage unit. 2. The information providing apparatus according to claim 1, wherein: The information providing device further includes:
The information providing apparatus according to any one of claims 1 to 7, further comprising: a charging unit configured to store a personal information transmission request received from the access device as a search history and charge based on the stored search history. . The personal information storage unit,
Storing personal information formed from a plurality of data items,
The search result determination unit includes:
2. The information providing apparatus according to claim 1, further comprising: an encryption creating unit that encrypts each of a plurality of data items forming the personal information with different encrypting means for the personal information transmitted to the access device. apparatus. The receiving unit,
Receiving a personal information transmission request including a search condition for searching for personal information from the access device and unique information that the access device has,
The data ID generation unit includes:
2. The information providing apparatus according to claim 1, wherein a data ID is generated using the unique information received by the receiving unit and the personal information extracted by the personal information extracting unit. The specific information is
Claims: It includes at least one of time information indicating a time at which a personal information transmission request is transmitted from the access device and an access sender ID for identifying a sender transmitting the personal information transmission request from the access device. Item 10. The information providing device according to Item 10. The receiving unit,
Receiving access device information held by the access device including the specific information transmitted as a personal information transmission request from the access device,
The data ID generation unit includes:
In order to compare the unique information included in the personal information transmission request with the data ID generated using the personal information extracted by the personal information extracting unit, the unique information included in the access device information received by the receiving unit. A comparison ID generation unit configured to generate a comparison ID to be compared with the data ID using information and the personal information stored in the personal information storage unit, and to compare the generated comparison ID with the data ID; The information providing apparatus according to claim 10, wherein: A plurality of information providing devices according to claim 1 are provided,
An access device for requesting personal information by transmitting a personal information transmission request including a search condition for searching for personal information to the information providing device according to claim 1 via a network,
Each data ID generation unit provided in the plurality of information providing apparatuses according to claim 1,
An information providing system for generating a data ID according to the same generation rule. The access device,
14. The information providing system according to claim 13, wherein each of the search conditions including a plurality of search conditions included in the personal information transmission request is encrypted by different encryption means, and the personal information transmission request is transmitted. The information providing system further includes:
14. The information providing system according to claim 13, further comprising a management device that stores and manages a type of personal information held by each of the information providing devices. An information providing device capable of communicating with an access device via a network and providing information to the access device,
A personal information storage unit for storing personal information about an individual,
An anonymization processing unit that performs an anonymization process to prevent identification of an individual with respect to the personal information stored in the personal information storage unit and generates anonymized personal information,
An anonymized personal information storage unit that stores anonymized personal information generated by the anonymization processing unit,
A transmitting unit that transmits the anonymized personal information stored in the anonymized personal information storage unit to the access device via a network. The anonymization processing unit,
17. The information providing apparatus according to claim 16, wherein a predetermined level of anonymization processing is performed on the personal information based on a predetermined rule to generate anonymized personal information. The personal information storage unit,
Memorize the personal information with the license and the personal information without the license for the use of personal information,
The anonymization processing unit,
17. The information providing device according to claim 16, wherein anonymized personal information is generated by performing a predetermined level of anonymization processing on the personal information based on whether or not use of the personal information is permitted. The anonymization processing unit,
When performing anonymization processing on the personal information stored in the personal information storage unit, a data ID generation unit that generates a data ID for identifying the anonymized personal information and adds the generated data ID to the anonymized personal information is provided. 17. The information providing apparatus according to claim 16, further comprising: The first personal identification information and the first personal data information are stored as first private data, and a first identifier that cannot identify an individual is generated from the first personal identification information based on a predetermined rule. A first private database device that combines the generated first identifier and the first personal data information and outputs the combined data as first combined data;
The second personal identification information having the same content as the first personal identification information of the first private database device and the second personal data information having a content different from the first personal data information are stored as second private data. Then, a second identifier that cannot identify an individual is generated from the second personal identification information based on the same rule as the predetermined rule, and the generated second identifier and the second personal data information are combined. A second private database device for combining and outputting as second combination data;
The first combination data output by the first private database device is input, the second combination data output by the second private database device is input, the first identifier of the first combination data and the second combination data are input. A database access device that stores the first personal data information of the first combination data and the second personal data information of the second combination data in which the second identifier of the combination data matches with the second identifier of the combination data A distributed database system, characterized in that: The first private database device is
The first personal data information formed from the plurality of data items is stored, and each of the plurality of data items forming the first personal data information included and output in the first combination data is differently encrypted by different encryption means. Encrypt and output,
The second private database device is
The second personal data information formed from the plurality of data items is stored, and each of the plurality of data items forming the second personal data information included in the second combination data and output is differently encrypted. 21. The distributed database system according to claim 20, wherein the data is output after being encrypted. An access device for transmitting a first personal information transmission request for requesting personal information;
It has a personal information storage unit for storing a predetermined type of personal information, receives a second personal information transmission request for requesting personal information, and stores it in the personal information storage unit in response to the received second personal information transmission request. A plurality of information providing devices for anonymizing and transmitting anonymized personal information as anonymized personal information,
A first personal information transmission request received and received by receiving and receiving a first personal information transmission request transmitted by the access device, wherein the type of personal information stored by each of the plurality of information providing devices is stored and managed as type information. An information providing system, comprising: a management device that transmits a second personal information transmission request to the plurality of information providing devices based on the information and the type information. The plurality of information providing devices,
Transmitting the anonymized personal information to the management device in response to the received second personal information transmission request;
The management device,
Anonymized personal information is received from at least one of the plurality of information providing devices, and whether the received anonymized personal information can be anonymized to prevent identification of an individual is determined based on a predetermined rule. 23. The information providing system according to claim 22, wherein, when it is determined that the anonymization can be secured, the received anonymized personal information is transmitted to the access device. The plurality of information providing devices,
Transmitting the anonymized personal information to the management device in response to the received second personal information transmission request;
The management device,
A predetermined rule for receiving anonymized personal information from at least two information providing devices of the plurality of information providing devices and determining whether or not anonymization that prevents identification of an individual by associating the received anonymized personal information can be ensured; 23. The information providing system according to claim 22, wherein the information providing system transmits the received anonymized personal information to the access device when it is determined that the anonymization can be secured. The management device,
Whether anonymization can be ensured by storing the received anonymized personal information as a history and associating the anonymized personal information stored as a history with the anonymized personal information not received as a history received from the information providing apparatus. 24. The information providing system according to claim 23, wherein the information providing system determines whether or not the anonymization is possible based on a predetermined rule, and transmits the received anonymized personal information to the access device when it is determined that the anonymization can be ensured. An access device that collects personal information from a plurality of information providing devices that provide personal information,
The access device,
A plurality of search conditions for searching for personal information are set, an agent for traveling around the plurality of information providing devices and collecting personal information is generated, and the plurality of search conditions are assigned to the generated agent and the agent is output. An access device for causing an output agent to collect personal information from any of the information providing devices and delete a search condition used for collecting the personal information.

Images