JP2008011360A - Personal information management system, personal information management server and personal information management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To protect personal information by preventing the careless transmission of contents which is considered as being unnecessary for user and preventing the careless transfer and leakage of personal information, unauthorized use of personal information, and so on. <P>SOLUTION: For each user capable of accessing from a client terminal 20 to a personal information capsule, a filter for regulating user's usable personal information elements is set; and when an access request to the personal information capsule is transmitted from the user, filtering processing for the personal information elements in the personal information capsule is performed, by using the filter set for the user, the user's usable personal information elements are extracted from the personal information capsule, and the extracted personal information elements are transmitted to the client terminal 20, as a personal information file. When the contents of the personal information capsule are changed, a decoding key is changed, to disable the decoding of the personal information file on the client terminal side. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention manages personal information capable of identifying a specific individual as a data set (personal information capsule) composed of a plurality of personal information elements related to the specific individual, and the contents corresponding to each user from the personal information capsule It is related with the technique for implement | achieving the provision service of a personal information which takes out and uses for each user.

For example, the following Patent Document 1 discloses a technique for managing personal information of a mobile terminal such as a mobile phone, a telephone to a personal computer, and an e-mail sender via a network. In the technique disclosed in Patent Document 1, a user uses a network from a transmission terminal, registers personal information such as name, address, telephone number, mail address, and photo in a personal information management server and transmits the information. If the personal information notification permission is set when sending a call or e-mail from the terminal to the receiving terminal, the server receives the telephone number and mail by performing the personal information acquisition operation from the receiving terminal that received the call or e-mail. The sender's personal information is searched using the address as an index, and the searched personal information is transmitted from the server to the receiving terminal.
JP-A-2005-51475

  By the way, in the system that provides personal information to the user as in the technique disclosed in Patent Document 1, the personal information registered in the personal information management server is transmitted as it is to the user who performed the personal information acquisition operation.・ It will be provided.

  There is a growing awareness of the protection of personal information, and it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. Rather than sending / providing personal information with the same content to the user, it is possible to send / provide only personal information according to the user's content. It is desired to prevent inadvertent transmission of elements).

  For example, when a user browses and uses personal information of a specific individual while managing personal information including various personal information elements that can identify a specific individual in a company, etc. If you are a personal supervisor or administrator, you can view and use detailed contents (personal information elements), while if you are a colleague or subordinate, you can view and view only a part of your personal information. It is desired to construct a system that can provide a user with only personal information elements having contents corresponding to the user, such as making it usable.

  In addition, user terminals (PCs) that handle electronic files such as documents can be carried anywhere. Of course, countries subject to export control [for example, white countries not subject to catch-all regulations (as of May 2006) It is also possible to bring it into countries / regions other than 26 countries) or countries / regions that are not permitted by the company to which the user belongs. In such countries and regions, opening and browsing the personal information files of engineers related to technologies subject to export control, etc. is an opportunity for the export of technology subject to export control in countries and regions subject to export control. This is not preferable because it will cause Therefore, it is desired to be able to prohibit the opening of a specific personal information file in a pre-defined country or region.

  Also, in the system that manages the above personal information, it is necessary that a unique electronic file is generated and stored, which is a typographical error that occurs when a character is read by a scanner, or an input at the time of key input. It is absolutely necessary to avoid the occurrence of separate electronic files due to mistakes in kana-kanji conversion, such as “Ichiro Yamada” and “Ichiro Yamada”.

  Similarly, even if the same reading is used, different characters such as “Kazuo Hirose” and “Kazuo Hirose” are used, as in the difference between the new font and the old font. You must also avoid the situation that occurs.

  The present invention was devised in view of such circumstances, and can provide only a personal information element having contents suitable for the user or the user location to a user who uses personal information about a specific individual. In this way, content that seems unnecessary to users is prevented from being inadvertently transmitted, personal information is inadvertently leaked and leaked, and personal information is illegally used. Its purpose is to realize protection.

  In addition, it was created in view of the situation as described above, and it generates personal information about a specific individual, so that only accurate personal information elements can be generated and provided to the user. The purpose is to prevent personal information from being accidentally generated, leaked, leaked, or illegally used.

In order to achieve the above object, the present invention is configured as listed below.
(1) The invention according to claim 1 is a management server that manages personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual. A personal information management system comprising: a client terminal connected to the management server so as to communicate with each other and capable of accessing the personal information capsule and using a personal information element in the personal information capsule; A server may access the personal information capsule generated by the generation unit, a storage unit that stores the personal information capsule generated by the generation unit, and the personal information capsule stored in the storage unit from the client terminal. Filter setting means for setting a filter for defining a personal information element that can be used by the user for each user; An access request receiving means for receiving an access request for the personal information capsule from the user through the client terminal, and the filter setting for the user who has transmitted the access request when the access request is received by the access request receiving means. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing filtering processing of the personal information elements in the personal information capsule using the filter set by the means; Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file; and changing means for changing the content of the personal information capsule stored in the storage means When the content of the personal information capsule is changed by the changing means, the invalidation for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal before the change And a digital signature for the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means A digital signature assigning means; a personal information searching means for searching for personal information from the data in the client terminal; and a personal signature searched by the personal information searching means with a digital signature by the digital signature giving means The client who holds the personal information A user of a remote terminal wants to register the personal information as a management target of the management server, and registers and stores the personal information as a personal information capsule in the storage unit;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server If it is not desired to register as a management target, the deletion means for deleting the personal information from the client terminal and the personal information file transmitted by the personal information file transmission means in accordance with the client terminal of the transmission destination Encryption using an encryption key to create an encrypted file, and sending the encrypted file as the personal information file to the personal information file transmitting means; and from the client terminal about the encrypted file An authentication information receiving means for receiving authentication information, and the authentication information receiving means. Based on the received authentication information, a determination means for determining whether or not the client terminal is a valid destination of the encrypted file, and a decryption key for decrypting the encrypted file are stored And a decryption key transmission unit configured to transmit the decryption key to the client terminal when the determination unit determines that the client terminal is a valid transmission destination. An access request transmitting means for transmitting an access request for the personal information capsule to the management server; a personal information file receiving means for receiving the personal information file corresponding to the access request from the management server; and the personal information When opening an encrypted file that is the personal information file received by the file receiving means, Authentication information transmitting means for transmitting authentication information about the encrypted file to the management server, decryption key receiving means for receiving a decryption key corresponding to the encrypted file from the management server, and reception by the decryption key receiving means And decrypting means that decrypts the encrypted file using the decrypted key and restores the original personal information file, and the decrypting key storage means has the contents of the personal information capsule changed In this case, the personal information management is characterized in that the personal information file cannot be decrypted on the client terminal side by changing the decryption key in response to the invalidation command from the invalidation means. System.

  (2) In the invention according to claim 2, when the client terminal opens the personal information file at the client terminal, the client terminal transmits a decryption key transmission request as a request to open the personal information file to the management server. An opening request transmission unit is configured, and the management server receives a decryption key transmission request as the opening request from the client terminal, and the opening request receiving unit receives the decryption key transmission request as the opening request. A position detecting means for detecting the location of the client terminal at the time of receiving the decryption key transmission request, and determining whether the location detected by the position detecting means satisfies a predetermined condition; It is determined by the determining means and the determining means that the location is satisfying the predetermined condition The personal information file is permitted to be opened at the client terminal while the personal information file is prohibited from being opened at the client terminal when it is determined that the location does not satisfy the predetermined condition. 2. The personal information file management system according to claim 1, wherein said personal information file management system comprises permission / rejection means.

(3) The invention described in claim 3 is a management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) including a plurality of personal information elements related to the specific individual. A personal information management system comprising: a client terminal connected to the management server so as to communicate with each other and capable of accessing the personal information capsule and using a personal information element in the personal information capsule; A server may access the personal information capsule generated by the generation unit, a storage unit that stores the personal information capsule generated by the generation unit, and the personal information capsule stored in the storage unit from the client terminal. Filter setting means for setting a filter for defining a personal information element that can be used by the user for each user; An access request receiving means for receiving an access request for the personal information capsule from the user through the client terminal, and the filter setting for the user who has transmitted the access request when the access request is received by the access request receiving means. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing filtering processing of the personal information elements in the personal information capsule using the filter set by the means; Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file; and changing means for changing the content of the personal information capsule stored in the storage means When the content of the personal information capsule is changed by the changing means, the invalidation for invalidating the personal information file extracted from the changed personal information capsule and transmitted to the client terminal before the change And a digital signature for the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means A digital signature assigning means; a personal information searching means for searching for personal information from the data in the client terminal; and a personal signature searched by the personal information searching means with a digital signature by the digital signature giving means The client who holds the personal information If the user of the remote terminal wants to register the personal information as a management target of the management server, the personal information is registered and stored in the storage means as a personal information capsule, and the personal information search means A digital signature by the digital signature assigning means is not given to the personal information, and the user of the client terminal holding the personal information registers the personal information as a management target of the management server And deleting means for deleting the personal information from the client terminal, and the generating means is a person who is to newly generate based on a personal information capsule generation request from the client terminal. The information capsule is judged to be similar to the existing personal information capsule stored in the storage means. Confirm the existence of a similar existing personal information capsule. If a similar personal information capsule already exists, request confirmation from the client terminal and generate a new personal information capsule when the confirmation is obtained. This is a personal information management system characterized by that.

(4) In the invention according to claim 4, personal information management for managing personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual. A server for generating the personal information capsule; a storage unit for storing the personal information capsule generated by the generating unit; and accessing the personal information capsule stored in the storage unit from a client terminal. Filter setting means for setting a filter that defines personal information elements available to the user for each possible user, and access request receiving means for receiving an access request for the personal information capsule from the user through the client terminal; When the access request is received by the access request receiving means, the access request is received. By filtering the personal information element in the personal information capsule using the filter set by the filter setting means for the user who transmitted the request, the personal information element usable by the user is Filtering means for extracting from the personal information capsule, personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file, and stored in the storage means A change unit for changing the content of the personal information capsule; and when the content of the personal information capsule is changed by the change unit, the content is extracted from the changed personal information capsule before the change and transmitted to the client terminal Invalidate the personal information file Digital signature is applied to the personal information capsule generated by the effecting means and the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the filtering means. A digital signature giving means for giving, a personal information searching means for searching for personal information from the data in the client terminal, and a digital signature by the digital signature giving means to the personal information searched by the personal information searching means If the user of the client terminal that holds the personal information wants to register the personal information as a management target of the management server, the personal information is stored in the storage means as a personal information capsule. The registration / storage means and the personal information exploration means The inspected personal information is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information registers the personal information as a management target of the management server. If this is not desired, the deletion means for deleting the personal information from the client terminal and the personal information file transmitted by the personal information file transmission means are encrypted using the encryption key corresponding to the client terminal of the transmission destination. To create an encrypted file and send the encrypted file as the personal information file to the personal information file transmitting means, and to receive authentication information about the encrypted file from the client terminal An information receiving means based on the authentication information received by the authentication information receiving means; Determining means for determining whether the client terminal is a valid destination of the encrypted file, a decryption key storage means for storing a decryption key for decrypting the encrypted file, A decryption key transmitting unit configured to transmit the decryption key to the client terminal when the determination unit determines that the client terminal is a valid transmission destination, and the decryption key storage unit includes the personal information Disabling the decryption of the personal information file on the client terminal side by changing the decryption key in response to an invalidation command from the invalidation means when the content of the capsule is changed Is a personal information management server characterized by

  (5) The invention according to claim 5 is an opening request receiving means for receiving a decryption key transmission request as the opening request from the client terminal when the personal information file is opened at the client terminal, and the opening request. A position detecting means for detecting the location of the client terminal at the time of receiving the decryption key transmission request as the opening request by the receiving means; and a predetermined condition in which the location detected by the position detecting means is predetermined. A determination unit that determines whether or not the determination is satisfied, and when the determination unit determines that the location satisfies the predetermined condition, while permitting the client terminal to open the personal information file, The individual at the client terminal when it is determined that the location does not satisfy the predetermined condition It is configured to include the opening permission means for inhibiting opening of the broadcast file, it is the personal information file management server according to claim 4, wherein.

(6) According to the invention described in claim 6, personal information management for managing personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual. A server for generating the personal information capsule; a storage unit for storing the personal information capsule generated by the generating unit; and accessing the personal information capsule stored in the storage unit from a client terminal. Filter setting means for setting a filter that defines personal information elements available to the user for each possible user, and access request receiving means for receiving an access request for the personal information capsule from the user through the client terminal; When the access request is received by the access request receiving means, the access request is received. By filtering the personal information element in the personal information capsule using the filter set by the filter setting means for the user who transmitted the request, the personal information element usable by the user is Filtering means for extracting from the personal information capsule, personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file, and stored in the storage means A change unit for changing the content of the personal information capsule; and when the content of the personal information capsule is changed by the change unit, the content is extracted from the changed personal information capsule before the change and transmitted to the client terminal Invalidate the personal information file Digital signature is applied to the personal information capsule generated by the effecting means and the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the filtering means. A digital signature giving means for giving, a personal information searching means for searching for personal information from the data in the client terminal, and a digital signature by the digital signature giving means to the personal information searched by the personal information searching means If the user of the client terminal that holds the personal information wants to register the personal information as a management target of the management server, the personal information is stored in the storage means as a personal information capsule. The registration / storage means and the personal information exploration means The inspected personal information is not given a digital signature by the digital signature giving means, and the user of the client terminal holding the personal information registers the personal information as a management target of the management server. If not desired, the deletion means for deleting the personal information from the client terminal, and the generation means, for the personal information capsule to be newly generated based on a personal information capsule generation request from the client terminal, Similarity determination is performed with the existing personal information capsule stored by the storage means to confirm the existence of a similar existing personal information capsule, and if a similar personal information capsule already exists, the client terminal is confirmed. A new personal information capsule is generated when confirmation is obtained. It is a broadcast management server.

(7) The invention according to claim 7 is a personal information management for managing personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual. A personal information management program for causing a computer to function as a server, wherein the generating unit generates the personal information capsule, the storing unit stores the personal information capsule generated by the generating unit, and the personal information stored in the storing unit For each user who can access the capsule from the client terminal, a filter setting means for setting a filter that defines personal information elements that can be used by the user, and receiving an access request for the personal information capsule from the user through the client terminal Access request receiving means, by the access request receiving means When the access request is received, the user who has transmitted the access request performs the filtering process of the personal information element in the personal information capsule using the filter set by the filter setting means, thereby Filtering means for extracting a personal information element available to the user from the personal information capsule, and a personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file Change means for changing the content of the personal information capsule stored in the storage means; if the content of the personal information capsule is changed by the change means, extract from the changed personal information capsule before the change Sent to the client terminal The invalidation means for invalidating the personal information file, the personal information capsule generated by the generation means, the personal information capsule changed by the changing means, or the individual obtained by the filtering means Digital signature giving means for giving a digital signature to an information file, personal information searching means for searching personal information from data in the client terminal, and digital signature giving means for personal information searched by the personal information searching means If the client terminal user who holds the personal information does not have a digital signature and wants to register the personal information as a management target of the management server, the personal information Means for registering and storing in the storage means as a capsule; The personal information searched by the personal information searching means is not given the digital signature by the digital signature giving means, and the user of the client terminal holding the personal information stores the personal information in the management server If it is not desired to be registered as a management target, the deletion means for deleting the personal information from the client terminal and the personal information file transmitted by the personal information file transmission means are encrypted according to the client terminal of the transmission destination. Encryption using a key to create an encrypted file, and sending the encrypted file as the personal information file to the personal information file transmitting means; authentication information about the encrypted file from the client terminal Received by the authentication information receiving means. Based on the authentication information, determination means for determining whether or not the client terminal is a valid transmission destination of the encrypted file, and a decryption key for decrypting the encrypted file are stored In addition, when the determination unit determines that the client terminal is a valid destination, the decryption key is transmitted to the client terminal, and when the content of the personal information capsule is changed, the invalidation is performed. The computer is caused to function as decryption key storage means that disables decryption of the personal information file on the client terminal side by changing the decryption key in response to an invalidation instruction from the means. Personal information management program.

  (8) The invention according to claim 8 is an opening request receiving means for receiving a decryption key transmission request as the opening request from the client terminal when the personal information file is opened at the client terminal, and the opening request reception Position detecting means for detecting the location of the client terminal at the time when the decryption key transmission request as the opening request is received by the means, and the location detected by the position detecting means satisfies a predetermined condition. A determination unit that determines whether or not the personal information file is opened at the client terminal when the determination unit determines that the location satisfies the predetermined condition. When it is determined that the predetermined condition is not satisfied, the personal information frame at the client terminal is Opening permission means for inhibiting opening of yl, as a personal information management program according to claim 7, characterized in that the functioning of the said computer.

(9) The invention according to claim 9 is a personal information management for managing personal information capable of identifying a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual. A personal information management program for causing a computer to function as a server, wherein the generating unit generates the personal information capsule, the storing unit stores the personal information capsule generated by the generating unit, and the personal information stored in the storing unit For each user who can access the capsule from the client terminal, a filter setting means for setting a filter that defines personal information elements that can be used by the user, and receiving an access request for the personal information capsule from the user through the client terminal Access request receiving means, by the access request receiving means When the access request is received, the user who has transmitted the access request performs the filtering process of the personal information element in the personal information capsule using the filter set by the filter setting means, thereby Filtering means for extracting a personal information element available to the user from the personal information capsule, and a personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file Change means for changing the content of the personal information capsule stored in the storage means; if the content of the personal information capsule is changed by the change means, extract from the changed personal information capsule before the change Sent to the client terminal The invalidation means for invalidating the personal information file, the personal information capsule generated by the generation means, the personal information capsule changed by the changing means, or the individual obtained by the filtering means Digital signature giving means for giving a digital signature to an information file, personal information searching means for searching personal information from data in the client terminal, and digital signature giving means for personal information searched by the personal information searching means If the client terminal user who holds the personal information does not have a digital signature and wants to register the personal information as a management target of the management server, the personal information Means for registering and storing in the storage means as a capsule; The personal information searched by the personal information searching means is not given the digital signature by the digital signature giving means, and the user of the client terminal holding the personal information stores the personal information in the management server If it is not desired to register as a management target, the deletion means for deleting the personal information from the client terminal, the personal information capsule to be newly generated based on the personal information capsule generation request from the client terminal, Similarity determination is performed with the existing personal information capsule stored by the storage means to confirm the existence of a similar existing personal information capsule, and if a similar personal information capsule already exists, the client terminal is confirmed. As a means to generate a new personal information capsule when a confirmation is obtained Is a personal information management program for causing a computer to function.

According to the present invention described above, the following effects can be obtained.
(1) In the invention described in claim 1, personal information capable of identifying a specific individual is centrally managed as a personal information capsule which is a standardized data set in a personal information management server (management server). For each user who can access the personal information capsule from the client terminal, a filter that defines the personal information element that can be used by the user is set. The personal information element in the personal information capsule is filtered using the filter set for the user, and the personal information element usable by the user is extracted from the personal information capsule, and the extracted personal information element Is transmitted to the client terminal as a personal information file. This allows users who use personal information about a specific individual to be provided with only the personal information elements of the content according to the user, so content that seems unnecessary for the user is inadvertent The personal information can be prevented from being transmitted unintentionally, and inadvertent leakage / leakage of personal information and unauthorized use of personal information can be reliably prevented, and personal information can be protected.

  Here, when the personal information file is transmitted from the management server to the client terminal, the personal information file is encrypted using an encryption key corresponding to the destination client terminal, transmitted as an encrypted file, and authenticated by the management server. By configuring the encrypted file so that only authorized users (client terminal users who are valid destinations) can decrypt and access the encrypted information, the personal information file sent from the management server to the client terminal It is possible to reliably prevent the contents from being leaked, leaked or illegally used, and to protect personal information with certainty.

  When the content of the personal information capsule is changed, the decryption key is changed in response to an invalidation command from the invalidation means, thereby making it impossible to decrypt the personal information file on the client terminal side. Disable personal information file.

  That is, in the personal information management server, the content of the personal information capsule is changed by invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal. If this happens, the personal information file before the change will be invalidated and no one will be able to use it. Can be protected.

  (2) In the invention described in claim 2, when the user opens the electronic file at the client terminal, the opening request for the personal information file is transmitted to the management server, and the decryption key transmission request is received as the opening request. In the management server, the location (country country) of the client terminal at the time of opening the personal information file is detected, and whether the detected location satisfies a predetermined condition [predetermined country (for example, white country)] Whether the client terminal is located or not can be confirmed immediately before opening the personal information file at the client terminal. And by permitting the opening of the personal information file only when the location of the client terminal satisfies a predetermined condition (for example, not in the country subject to export restrictions), the contents of the personal information file can be It can be surely prevented from leaking or leaking without the user's knowledge.

Here, after changing the decryption key as described above, the personal information file is invalidated by prohibiting transmission of the decryption key after the change to the client terminal. For this reason, it becomes impossible to decrypt the personal information file before the change, and it is securely invalidated so that no one can use it. And personal information can be reliably protected.

  The means for invalidating the personal information file before the change is, for example, changing the decryption key (key for decrypting the encrypted file) to be transmitted to the client terminal or prohibiting the transmission of the decryption key Or by sending a personal information file deletion command to the client terminal that is the destination of the personal information file based on the transmission history log to delete the personal information file.

  In addition, the management server records the history of the transmission of the personal information file executed in response to the access request for the personal information capsule from the client terminal as a log, and transmits a deletion command from the recorded log as necessary. In addition, access status to personal information capsules is managed, access to personal information files can be tracked and managed as needed, and access can be tracked and invalidated, preventing unauthorized use of personal information more reliably. can do.

  In the above invention, the personal information capsule or personal information file is created by giving a digital signature to the personal information capsule newly generated or changed in the management server or the personal information file. It can be assured that it has not been tampered with, and counterfeiting by a third party can be prevented. At that time, the personal information is searched from the data in the client terminal, and if the digital information is not attached to the searched personal information, the personal information is deleted from the client terminal. Personal information that is not assigned a digital signature at the server is not under the management of the management server, and is judged to be personal information created locally on the client terminal or the like, and is automatically deleted from the client terminal. . As a result, only the personal information managed centrally by the management server exists and is used in the system of the present invention, and the personal information can be reliably managed and reliably protected.

  In the above invention, the management server converts the personal information file into a completed document file having a container function, and encrypts the completed document file with the original personal information file attached using the container function. After that, the personal information file is sent to the client terminal as a personal information file, so that the personal information file is sent as a completed document file that is difficult to falsify. It is also possible to perform operations such as editing using the original file.

  In the above invention, the management server sets the predetermined access authority for the encrypted file according to the user to whom the personal information file is transmitted, and the client terminal is restored by the decryption means. As access to the personal information file, access according to the access authority set by the access authority setting means is permitted, so only users who have been granted access authority to retrieve the original file can be performed, It is possible to reliably prevent the original file from being inadvertently leaked or leaked or unauthorized use of personal information.

In the above invention, the user has set, as the predetermined access authority, the access authority setting means, with the access authority setting means, the authority to extract the original file from the completed document file and the authority to edit the extracted original file. If the user terminal is permitted to edit the original file by the editing means at the client terminal, only the user who has been given the access authority to take out and edit the original file can be performed, It is possible to reliably prevent the original file from being inadvertently leaked or leaked or unauthorized use of personal information.

  In the above invention, since the original file edited by the editing means is prohibited from being saved other than the completed document file in the client terminal, the editing operation can be performed with the authority to retrieve the original file or the editing. Only users who have been granted access rights as an access right can do this, and the original file after editing is prohibited from being saved in files other than the completed document file on the client terminal. It is possible to reliably prevent spills and leaks and unauthorized use of personal information.

  In the above invention, when the personal information file is invalidated, the management server automatically notifies the client terminal to that effect, thereby prompting the user to re-execute the access request for the personal information capsule. The user who has received the notification makes an access request again at his / her discretion, so that the latest personal information file after the change can be obtained, and the convenience of the user can be improved. When the user recognizes that the personal information file can no longer be used because the personal information file has been invalidated, the user can request access again to obtain the latest personal information file after the change. become.

(3) In the invention of claim 3, the personal information capsule to be newly generated based on the personal information capsule generation request from the client terminal is judged to be similar to the existing personal information capsule stored in the storage means. Confirms the existence of a similar existing personal information capsule, and if a similar personal information capsule already exists, requests confirmation from the client terminal, and if a confirmation is obtained, a new personal information capsule is This prevents the creation of an electronic file of incorrect data caused by erroneous characters generated by scanning with the scanner, errors in kana-kanji conversion, incorrect input during key input, etc. A unique electronic file is generated and stored in the managing system.

  At this time, if a similar personal information capsule already exists from the management server to the client terminal, a confirmation request to the client terminal, a similar personal information capsule presence notification and confirmation request to the client terminal, and a similar personal information capsule to the client terminal Any method of notifying the existence of a similar personal information capsule to the client terminal when it exists in the terminal may be used. And based on the confirmation request | requirement with respect to a client terminal, when a confirmation is obtained from a client terminal, it is desirable to produce | generate a new personal information capsule.

  As with the cases (1) to (3), the personal information management server corresponding to the above (1) to (3) can reliably prevent the personal information file from being inadvertently leaked or leaked or illegally used. The personal information can be surely protected, and an electronic file of a unique personal information capsule can be generated.

  In addition, the personal information management program for operating the computer as a personal information management server corresponding to the above (1) to (3) also causes an inadvertent personal information file to be created, as in the cases (1) to (3). Outflow / leakage and unauthorized use can be reliably prevented, personal information can be reliably protected, and an electronic file of a unique personal information capsule can be generated.

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of personal information management system of this embodiment:
[1-1] Overall configuration of personal information management system:
FIG. 2 is a block diagram showing an overall schematic configuration of a personal information management system as an embodiment of the present invention. The personal information management system 1 shown in FIG. It is prepared for. FIG. 1 is a block diagram showing the configuration of each part of the personal information management system as an embodiment of the present invention.

  The personal information management server (management server) 10 is configured with a personal information capsule database 11 and an authentication information / decryption key storage unit 12 to be described later. Personal information that can identify a specific individual is associated with the specific individual. It is managed as a data set composed of a plurality of personal information elements. In the system 1 of the present embodiment, a data set composed of a plurality of personal information elements is standardized and managed as a personal information capsule. For example, one personal information capsule is generated and stored for one employee in a company or the like.

  The personal information elements included in the personal information capsule include, for example, name, gender, age, date of birth, blood type, home information (home address, telephone number, fax number, e-mail address, etc.), workplace information (work (Name, department, job title, work address / phone number / fax number / email address, etc.), family structure, basic resident register number, account number, credit card number, license number, passport number, hospital history, In addition to medical history, medication information, medical history, image information and audio information related to the person.

  The client terminal 20 is a personal computer or the like operated by each employee (user) in a company or the like, and is connected to the personal information management server 10 via a network 30 such as the Internet, an intranet, or an in-house LAN (Local Area Network). The personal information capsules managed by the personal information management server 10 can be accessed and the personal information elements in the personal information capsule can be used in response to user operations. The user uses the provision of the personal information management service provided by the personal information management server 10 through the client terminal 20 and the network 30. For example, the user creates / changes his / her own personal information capsule, A personal information capsule of each employee in the information management server 10 can be accessed to acquire a personal information element, and the personal information element can be edited to create a name list or address book.

[1-2] Configuration of personal information management server:
As shown in FIG. 1, the personal information management server 10 of this embodiment is provided with the personal information capsule database 11 and the authentication information / decryption key storage unit 12 as described above, and various units 101 to 119 described later. It is configured with. The functions as these means 101 to 119 are realized by causing a CPU (Central Processing Unit) of a computer to function as a server to execute a predetermined application program (personal information management program).

  The personal information capsule database (storage unit) 11 stores the personal information capsule generated by the generation unit 102 to be described later, and filters set by the filter setting unit 103 to be described later for each user of the personal information capsule. Also, a function of storing the personal information capsule in association with the user is also achieved.

  The authentication information / decryption key storage unit 12 stores user authentication information (identification number and password) registered in advance to use the service provided by the personal information management server 10 of the present embodiment, and an encryption unit described later. It also fulfills the function of storing a decryption key for decrypting the encrypted file obtained by 107.

The personal information capsule generation / change request receiving means 101 receives a personal information capsule generation request and a personal information capsule change request together with authentication information (identification number and password) from the client terminal 20 via the network 30, or manages personal information. A personal information capsule generation request and a personal information capsule change request are received together with authentication information (identification number and password) through an input device (keyboard, mouse, etc.) of the server 10. At that time, a plurality of types of personal information elements to be stored as the contents of the personal information capsule or the contents of changes to the already registered personal information capsule are also input and received by the personal information capsule generation / change request receiving means 101. Shall be. In other words, each employee (each individual) may input the personal information element and the changed content from the client terminal 20, or an administrator in a company or the like that manages the personal information of the employee directly with the personal information management server 10. You may enter. The user can input personal information elements and changes by operating an input device such as a keyboard or mouse, or by scanning character information (such as business cards or name lists) or image information printed or written on paper. You may carry out by reading by.

  Further, the personal information capsule generation / change request receiving means 101 of the present embodiment is based on the authentication information (identification number and password) input by the user, and the user is an authorized user of the personal information management service. It is assumed that an authentication determination function for performing authentication determination as to whether or not is also provided. Specifically, by determining whether or not the identification number and password input by the user match the identification number and password registered and stored in the authentication information / decryption key storage unit 12 in advance, Whether or not the user is a valid user is determined and authenticated.

  When the authentication unit function of the personal information capsule generation / change request receiving unit 101 determines that the user 102 is a valid user, the generation unit 102 receives a plurality of types of personal information elements input / received for each individual as described above. Is generated as a personal information capsule.

  Note that the generation unit 102 determines the similarity of the personal information capsule to be newly generated based on the personal information capsule generation request from the client terminal 20 with the existing personal information capsule stored in the personal information capsule database 11. To confirm the existence of a similar existing personal information capsule. If a similar personal information capsule already exists, the client terminal 20 is requested to confirm, and if the confirmation is obtained, a new individual is obtained. It has a function of generating an information capsule.

  The filter setting means 103 sets a filter that defines personal information elements that can be used by the user for each user who can access the personal information capsule stored in the personal information capsule database 11 from the client terminal 20. is there. Here, different filters may be set for each personal information capsule or for each individual, or the same filter may be set for users belonging to the same group. For example, it is a filter to perform user ranking such as a level for publishing all personal information including image information, a level for publishing personal information other than image information, and a level for publishing only name and contact information. Can be set. Also, for example, in a company or the like, when a user is a supervisor or manager of a specific employee, detailed contents (personal information elements) can be viewed and used while the user is a colleague or a subordinate. In some cases, a filter can be set so that only a part of personal information can be viewed and used.

In the present embodiment, the filter set by the filter setting unit 103 is stored in the personal information capsule database 11. At this time, the filter is stored in association with each personal information capsule or each user, or in association with the rank or job title of the user. The contents of the filter set for each user may be instructed from the client terminal 20 by the user who has requested the generation of the personal information capsule, or the administrator may instruct the management server 10. In addition, it may be instructed by selecting a preset filter pattern, or it may be automatically set according to the rank / title, etc., by recognizing the rank, job title, etc. of the filter setting target user. .

  The access request receiving unit 104 receives an access request for the personal information capsule from the user through the client terminal 20 and the network 30 together with authentication information (identification number and password). Similarly to the personal information capsule generation / change request receiving means 101, the access request receiving means 104 is also authorized by the user based on the authentication information (identification number and password) entered by the user. It is also assumed that an authentication determination function for determining whether or not the user is an authentic user is also provided.

  When the authentication determination function of the access request receiving unit 104 determines that the filtering unit 105 is a valid user, the filtering unit 105 displays the personal information capsule to be accessed and the filter set for the user as a personal information capsule database. The personal information element that can be used by the user is stored as a personal information file by performing a filtering process on the personal information element in the read personal information capsule using the filter that is read from 11 and read out. Extract from capsules.

  The conversion unit 106 converts the personal information file extracted by the filtering unit 105 into a completed document file having a container function [here, a PDF (Portable Document Format) file that is difficult to falsify].

  The encryption unit 107 attaches and stores the original file of the personal information file to the PDF file using the container function, and then encrypts the PDF file with an encryption key corresponding to the destination client terminal 20 To create an encrypted file. Note that conversion to a PDF file is performed by, for example, a PDF driver, and by starting the PDF driver, the management target file is converted to PDF and a PDF file file is generated.

  Also, the decryption key [the key for decrypting the encrypted file (plain culture)] corresponding to the encryption key used for encryption is stored in the authentication information / decryption key storage means 12 by the user or It is assumed that it is stored in association with an encrypted file (personal information file). The authentication information / decryption key storage means 12 constitutes the decryption key storage means in the claims, and changes the decryption key in response to an invalidation command in a predetermined case, so that the client terminal 20 side Disable decryption of personal information files.

  The access authority setting means 108 sets a predetermined access authority for the encrypted file according to the user to whom the personal information file is transmitted. With this access authority setting means 108, for users who access the encrypted file, access authority to the encrypted file (for example, viewing, annotation, printing, copying, taking out the original file attached by the container function, It is assumed that the setting of the authority to execute the one selected from access such as editing of the retrieved file is automatically performed or according to the instruction of the user (administrator). As a result, in the client terminal 20, the user is allowed access according to the access authority set by the access authority setting unit 108 as access to the personal information file restored by the decryption unit 226 as described later. It has become.

  The personal information file transmission unit 109 transmits the encrypted file obtained by the encryption unit 107 (the original file is a personal information file including a personal information element extracted from the personal information capsule by the filtering unit 105) via the network 30 to the client terminal. 20 is transmitted.

  The log recording means 110 transmits a personal information file transmission history (transmission date and time, transmission destination information, information for specifying a transmitted file, etc.) executed in response to an access request to the personal information capsule from the client terminal 20. Is recorded as a log.

  The authentication information receiving unit 111 receives authentication information (identification number and password) about the encrypted file transmitted from the client terminal 20 when the encrypted file transmitted from the management server 10 is used in the client terminal 20. Is. At this time, the authentication information receiving unit 111 also receives a request for transmitting a decryption key as a request for opening for decrypting the encrypted file together with the authentication information from the client terminal 20. is doing. Since the authentication information (identification number and password) for the encrypted file is set for each encrypted file, the authentication determination function of the above-described personal information capsule generation / change request receiving means 101 and access request receiving means 104 It is assumed that the authentication information for the encrypted file is also stored in the authentication information / decryption key storage unit 12, which is different from the authentication information required for the user authentication according to the above.

  The determination unit 112 performs the same function as the authentication determination function of the personal information capsule generation / change request reception unit 101 and the access request reception unit 104 described above, and is based on the authentication information received by the authentication information reception unit 111. Determining whether or not the client terminal 20 is a valid transmission destination of the encrypted file (whether or not the user accessing the encrypted file through the client terminal 20 is a valid user of the personal information management service) Authentication determination).

  When the determination unit 112 determines that the client terminal 20 is a valid transmission destination, the decryption key transmission unit 113 stores an authentication information / decryption key storage key as a decryption key for decrypting the encrypted file to be accessed. The information is read from the means 12 and transmitted to the client terminal 20 via the network 30.

  The decryption key transmission unit 113 permits the client terminal 20 to open the personal information file when the determination unit 112 determines that the location of the user satisfies a predetermined condition as described later. On the other hand, when it is determined that the location does not satisfy the predetermined condition as will be described later, it also serves as an open / close permit means for prohibiting the transmission of the decryption key and prohibiting the client terminal 20 from opening the personal information file. .

  When the authentication unit function of the personal information capsule generation / change request receiving unit 101 determines that the changing unit 114 is a legitimate user, the changing unit 114 follows the content of the change to the personal information capsule input / received as described above. The contents of the personal information capsule to be changed stored in the personal information capsule database 11 are changed.

  When the content of the personal information capsule is changed by the changing unit 114, the invalidating unit 115 invalidates the personal information file extracted from the changed personal information capsule and transmitted to the client terminal 20 before the change. Is.

As an invalidation method by the invalidation means 115, a decryption key (stored in the authentication information / decryption key storage means 12) for decrypting the encrypted file corresponding to the personal information file is changed to a new one. A method of generating a decryption key, a method of prohibiting transmission of the decryption key by the decryption key transmission means 113 even when an access request (authentication information) to an encrypted file corresponding to the personal information file is received and user authentication is performed, A method of transmitting a deletion command of the file to the client terminal 20 that is the transmission destination of the encrypted file corresponding to the personal information file based on the log recorded by the log recording unit 110 and causing the client terminal 20 to delete the personal information file Etc. are used.

  When the invalidating unit 115 invalidates the personal information file (encrypted file), the notifying unit 116 has been invalidated by notifying the client terminal 20 by e-mail or the like via the network 30. This prompts the user to re-execute an access request for the personal information capsule corresponding to the personal information file (encrypted file).

  The digital signature giving means 117 gives a digital signature to the personal information capsule generated by the generating means 102, the personal information capsule changed by the changing means 114, and the personal information file obtained by the filtering means 105. is there. Here, a digital signature is encrypted signature information attached to guarantee the validity of a digital document, and a digital document (here, a personal information capsule or a personal information file) is created by applying a public key cryptosystem. The document is certified and the document is guaranteed not to be tampered with. The signer (administrator on the management server 10 side) sends the digital document with a signature encrypted using its own private key. The recipient (the user on the client terminal 20 side) decrypts the signature using the signer's public key and confirms whether the content is correct. As a result, it can be used not only to prevent forgery by a third party but also to prove that the signer has created the digital document.

  The personal information searching means 118 searches for personal information or a personal information file from data in the client terminal 20, and the search may be performed by sucking the data of the client terminal 20 to the management server 10 side. A personal information search program for realizing a personal information search tool is installed in each client terminal 20 by the information search means 118, and the personal information search program is executed on each client terminal 20, thereby allowing personal information and personal information files to be stored. The self-exploration may be executed and the result of the self-exploration may be received from each client terminal 20.

  Here, as a search method for the personal information file, any one of the two search methods described later can be used. In the present embodiment, the condition of the personal information file is a file that holds a predetermined number or more of records including personal information elements, and the personal information element is a character string that can identify a specific individual alone or in combination. For example, name, date of birth, contact information (address, residence, telephone number, e-mail address), etc. In addition to these, personal information elements include title, basic resident register number, account number, credit card number, license number, passport number, and the like.

  The deleting unit 119 deletes the personal information and the personal information file from the client terminal 20 when the personal information or personal information file searched by the personal information searching unit 118 has not been given the digital signature by the digital signature adding unit 117. The deletion unit 119 may also be provided on the management server 10 side and transmit a deletion instruction from the management server 10 via the network 30 to the client terminal 20, or in order to realize the function as the deletion unit 119. This program may be installed in each client terminal 20 together with the personal information search program, and the function as the deleting means 119 may be realized on the client terminal 20 side.

Before deleting the personal information or personal information file by the deleting means 119, an inquiry is made as to whether or not to register the personal information or personal information file found by the search as a personal information capsule to be managed by the management server 10. A function may be provided. When registering, the generating unit 102 generates a personal information capsule based on the searched personal information or personal information file, and registers and stores it in the personal information capsule database 11. On the other hand, when not registering, the searched personal information or personal information file may be deleted by the deleting unit 119, or when a fixed period is set and not registered within the predetermined period, the deleting unit 119 The searched personal information or personal information file may be automatically deleted. The searched personal information and personal information file can be forcibly deleted immediately by the deleting means 119 without using the inquiry function as described above.

  In addition, when a personal information or personal information file that has a digital signature but is not encrypted is searched, a function is provided for inquiring whether or not to convert the personal information or personal information file into an encrypted file. You may prepare. When converting to an encrypted file, the searched personal information or personal information file may be converted into an encrypted file by the conversion means 106 or the encryption means 107 described above. On the other hand, when not converting to an encrypted file, the searched personal information or personal information file may be deleted by the deleting means 119, or when a fixed period is set and the converted file is not converted into the encrypted file within the fixed period The searched personal information or personal information file may be automatically deleted by the deleting means 119. The searched personal information and personal information file can be immediately forcibly converted into an encrypted file by the converting means 106 and the encrypting means 107 without using the inquiry function as described above.

  The position detecting unit 121 detects the location of the client terminal 20 at the time when the authentication information receiving unit 111 receives a decryption key transmission request as an opening request. More specifically, in this embodiment, the position detection unit 121 determines the country where the client terminal 20 is located from the connection environment of the client terminal 20 when the authentication information reception unit 111 receives the decryption key transmission request as the opening request. It is detected as a location. For example, the location detecting unit 121 detects the country where the client terminal 20 is located by referring to the global IP address of the access point or provider to which the client terminal 20 is first connected as the connection environment of the client terminal 20. It is possible. In this case, by referring to the global IP address assigned to the provider, it is possible to specify the country where the country is located and the general region within the country where the country is located.

When the client terminal 20 has a GPS (Global Positioning System) function, the location information (latitude / longitude information) of the client terminal 20 obtained by the GPS function is transmitted from the client terminal 20 through the network 30. By receiving, the position detecting means 121 may be configured to detect the location / country country of the client terminal 20 from the latitude / longitude information.

  In this case, it is desirable for the client terminal 20 side to periodically acquire the position information by the GPS function, and the periodically acquired location information or the final location information is transmitted to the position detection means 121 via the network 30. In this case, it is desirable that not only the latest location information but also the waypoints (via country) before that are subject to the judgment of permission for opening.

  Note that the position detection unit 121 invalidates the position information of the client terminal 20 when a certain period of time has elapsed since the position information of the client terminal 20 cannot be acquired. That is, the latest position of the client terminal 20 is treated as unknown.

  In addition, even when the location information of the client terminal 20 by the GPS function is invalidated as described above, when the IP address information and access point information of the major provider can be acquired, the position detection unit 121 The location information of the client terminal 20 is treated as valid.

In addition, as described above, when the location information of the client terminal 20 by the GPS function is invalidated and the IP address information and access point information of the small and medium providers can be acquired, or the IP address by the company server or the like If you can get the address information,
Since the reliability of the location information of the client terminal 20 obtained from the server is low, it is desirable that the position detection unit 121 treats the location information of the client terminal 20 as invalid.

  The functions as the personal information capsule generation / change request receiving means 101, the access request receiving means 104, the personal information file transmitting means 109, the authentication information receiving means 111, the decryption key transmitting means 113, the notifying means 116, etc. 10 is realized by using a transmission / reception function that 10 originally has.

  Also, authentication information / decryption key storage unit 12, conversion unit 106, encryption unit 107, access authority setting unit 108, personal information file transmission unit 109, log recording unit 110, authentication information reception unit 111, determination unit 112, decryption key The function as the transmission means 113 is also provided in the personal information management server 10 in this embodiment, but is separate from the personal information management server 10 and communicates with the personal information management server 10 via the network 30 or directly. You may implement | achieve by the file access management server connected so as to be possible.

  Similarly, the functions as the personal information search unit 118 and the deletion unit 119 are also provided in the personal information management server 10 in this embodiment, but are separate from the personal information management server 10 and directly or via the network 30. It may be realized by another server that is communicably connected to the personal information management server 10, and at that time, the management of personal information files by the P mark described later is further executed by the other server. Also good.

[1-3] Configuration of client terminal:
As shown in FIG. 1, the client terminal 20 of the present embodiment includes various means 202, 203, 221 to 227 described later. These functions as means are realized by causing a control means 220 of a computer to function as a client terminal to execute a predetermined application program. In the client terminal 20, various operations and inputs from the user are input from the operation unit 202. In the client terminal 20, various displays are performed on the display unit 203.

  The access request transmission unit 221 uses the contents of the personal information capsule managed by the management server 10 in the client terminal 20 (personal information element) when the user creates, for example, a name list or address book. The access request to the management server 10 is transmitted to the management server 10 via the network 30 together with the authentication information (identification number and password).

  The personal information file receiving unit 222 receives a personal information file corresponding to the access request transmitted by the access request transmitting unit 221 from the management server 10 via the network 30.

The personal information file storage unit 223 stores the personal information file received from the management server 10 by the personal information file receiving unit 222.
The authentication information transmission unit 224 manages the authentication information (identification number and password) about the encrypted file via the network 30 when opening the encrypted file that is the personal information file stored in the personal information file storage unit 223. This is transmitted to the server 10.

  The authentication information transmission unit 224 includes an opening request transmission unit that transmits a decryption key transmission request as a request for opening the personal information file to the personal information management server 10 when the client terminal 20 opens the personal information file. Also serves.

The decryption key receiving unit 225 receives a decryption key corresponding to the encrypted file from the management server 10 via the network 30.
The decrypting means 226 decrypts the encrypted file using the decryption key received by the decryption key receiving means 225 and restores the original personal information file.

  The editing unit 227 edits the original file extracted from the PDF file, which is the personal information file restored by the decryption unit 226, and the user using the client terminal 20 sets the access authority of the management server 10. If the extraction authority to extract the original file from the PDF file and the editing authority to the extracted original file are set as the predetermined access authority by the means 108, the editing means 227 is permitted to edit the original file. . In the client terminal 20, the original file edited by the editing unit 227 is prohibited from being stored other than the PDF file from which the original file is extracted. That is, the edited original file can be stored only in the PDF file from which the original file is extracted.

[1-4] Personal information file search method:
Here, two search methods used when searching for a personal information file by the personal information search means 118 of this embodiment will be described.

(1-4-1-A) First exploration method:
In the first exploration method, the appearance frequency of an address, a telephone number, an e-mail address, and a name is quantified and the personal information file is specified as follows.

  First, a character or character string included in a certain file in the client terminal 20 is collated with a character / character string preset as a character / character string that characteristically appears in personal information, Count the number of times the characteristic character string appears in the file. However, if collation / recognition using character strings is performed, the load on the CPU becomes extremely large. Therefore, collation / recognition for each character is performed. Therefore, as the condition, characteristic characters are set one by one. In addition, when the arithmetic processing capability of the CPU is sufficiently high, collation / recognition by a character string may be performed.

  Then, the characters extracted from the file (text file) are collated one by one with the characteristic character set as the condition, and if they match, it is determined that the characteristic character has appeared. The count value of the characteristic character is incremented by “1”. Thus, after counting the number of appearances of characteristic characters in all the characters included in the file, the personal information file is identified based on the count result (determination of whether the file is a personal information file). ).

  Here, the characteristic character set in advance as the condition will be specifically described. In general personal information, an address is usually required. Therefore, a character that appears characteristically in an address in Japan is set and registered in the above condition as a characteristic character. For example, the address information may include “city”, “road”, “fu”, “prefecture”, “city”, “ward”, “town”, “village”, “county”, etc. In the case of “Tokyo”, the characters “East” and “Kyo” appear in ordinary documents, but in the case of address information, they will appear in combination with “City”. It becomes possible to regard the number of appearances as the number of addresses. Similarly, “prefecture”, “prefecture”, and “road” are considered as address information, and “@” can be used as e-mail address information.

Specifically, the following characteristic characters and points are set as the conditions.
(1-4-1-A1) “East”, “Kyo”, “City”, “Large”, “
“Osaka”, “Fu”, “North”, “Sea”, “Road” are set, and the total of the count values of these characteristic characters is counted and calculated as address point 1.

  (1-4-1-A2) As presumed address information (characters), prefecture names other than address point 1, ie “mountain”, “form”, “god”, “na”, “river”, “saki “,” “Ball”,..., “Fortune”, “oka”, “prefecture”, etc. are set, and the total of the count values of these characteristic characters is counted and calculated as address point 2.

(1-4-1-A3) “City”, “District”, “Town”, “Village”, and “County” are set as address disregard information (feature characters), and the sum of the count values of these feature characters Is calculated as the address point 3.
(1-4-1-A4) “@” is set as the e-mail address disregard information (characteristic character), and the count value of “@” is used as the mail address point.

(1-4-1-A5) “N” (numeric string with a predetermined number of digits consisting of numbers and hyphens) is set as the telephone number disregard information (characteristic character string), and the counted value is used as the telephone number point. It is done. More specifically, the phone numbers are “090-XXXX-XXXX”, “03-XXXX-XXXX”, “048-XXX-XXXX”
In this way, a specific numeric string “090”, “03”, “048” corresponding to the mobile phone area code or area code is followed by an 8-digit or 7-digit numeric string. When a numeric string appears, the telephone number point is incremented by “1”. At this time, the count-up is performed regardless of the presence or absence of a hyphen in the numeric string.

  (1-4-1-A6) As name disregard information (characteristic characters), for example, the characters “sa”, “wisteria”, “ta”, “middle”, “high” included in the 50 best surnames in Japan , “Bridge”,..., “Mountain”, “field” are set, and the sum of the count values of these characteristic characters is calculated as a name point.

(1-4-1-A7) As the total points, the total value of each point of the items (1-4-1-A1) to (1-4-1-A6) described above is counted and calculated.
In addition, when calculating the appearance rate of each prefecture name based on the counting result (number of appearances) obtained as described above, handling when there are duplicate characters will be described. For example, if “Tokyo” and “Kyoto Prefecture” are mixed in a text file, “Metropolitan” is duplicated. It will be mixed. Since “Fu” in “Kyoto” overlaps with “Fu” in “Osaka”, first calculate the appearance rate of “Osaka”, and subtract that appearance rate from the appearance rate of “Fu”. It is possible to predict the appearance rate of “fu”. By subtracting the appearance rate of “Kyoto Prefecture” predicted in this way from the appearance rate of “Metropolitan”, the appearance rate of “Tokyo” can be obtained. In addition, if the prefecture name and city name overlap (for example, Osaka City, Osaka Prefecture), the appearance rate of “Osaka” will double, but based on the Japanese address book published by the Ministry of Posts and Telecommunications. It is possible to estimate the actual appearance rate by calculating the duplication rate for each prefecture name and adjusting the appearance rate based on the calculated duplication rate.

  Furthermore, the handling when there is no state display will be described. In the file, when the title header is used for the prefecture name, or when the address display using the government-designated city or the postal code is used, the appearance rate of “city”, “road”, “prefecture”, “prefecture” is extremely high. Will be reduced. Instead, since the name appearance rate such as the prefecture name becomes high, it is possible to specify that the file is a personal information file including address information from the name appearance rate.

  In the above conditions, characters / character strings that appear characteristically in addresses, e-mail addresses, telephone numbers, and names are set as characteristic characters / character strings, but the present invention is not limited to these. Character / character string that appears characteristically in the date of birth, title, personal identification information (for example, Basic Resident Register Number, Account Number, Credit Card Number, License Number, Passport Number, etc.) It may be set as a character string.

Based on the counting result obtained as described above, a determination value for determining whether or not the file is a personal information file is calculated. As the judgment value, the value of (a) quarantine total points (see item (1-4-1-A7) above) may be used as it is, or (b) the appearance rate of feature characters / feature character strings is high. The determination point that becomes larger may be calculated as the determination value, or (c) the appearance pattern of the characteristic character / characteristic character string in the target file is obtained based on the counting result obtained for each characteristic character / characteristic character string. The degree of coincidence indicating the degree of coincidence between the found appearance pattern and the feature appearance pattern preset as the appearance pattern of the feature character / feature character string may be calculated as the determination value, or (d) these 3 Two or more of the types of determination values may be combined, and a value calculated by substituting two or more determination values into a predetermined function may be used as the determination value.

  At this time, if there are characteristic characters / characteristic strings related to multiple types of information (for example, four types of address, e-mail address, telephone number, and name) in the file, the target file relates to one type of information. The count result is weighted so that the determination value is larger than when a characteristic character / characteristic character string exists. In other words, when a data file includes a plurality of types of information that can identify an individual, the possibility that the data file is a personal information file includes only one type of information that can identify an individual. Therefore, weighting is performed so that the determination value (importance) for the data file becomes large. Further, weighting may be performed so that the determination value increases as the number of types of information increases. This makes it possible to specify the personal information file more reliably.

  When the determination value as described above is calculated, it is determined whether or not the file is a personal information file based on the determination value. For example, if the determination value exceeds a predetermined threshold, it is determined that the target file is a personal information file.

  When making such a determination, in this embodiment, a P mark (private level mark) corresponding to the size of the determination value is further assigned to the file and set and registered in the P mark table (not shown). , Ranking may be performed. As described above, the P mark is a level indicating the high possibility that the target file is a personal information file, and the higher the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the file is a personal information file, that is, the file is determined to be a management target file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark.

As described above, according to the level (rank) of the P mark given to the file, the management server 10 may manage the file as a management target file as follows.
For example, when the rank of the P mark is “P1”, the recommendation based on the warning information is not performed, but the fact that the management target file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is notified to call attention to the user of the management target file. When the rank of the P mark is “P3”, an instruction to return the management target file is given. When the rank of the P mark is “P4”, the management target file is forcibly captured and collected from the client terminal 20. Even if the rank of the P mark is not “P4”, if the data file of “P3” is left for a predetermined number of days, the data file may be forcibly captured and collected from the client terminal 20.

(1-4-1-B) Second exploration method:
In the second exploration method, the personal information file is specified as follows.
First, text data (for example, CSV (Comma Separated Value) format data) of a file in the client terminal 20 is extracted, and character sections delimited by delimiters are extracted from the extracted text data to be determined / verified. Are sequentially written in a buffer (not shown). Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed). Alphanumeric characters, katakana,
Symbols other than hiragana and kanji, for example, symbol characters such as hyphens, underbars, and parenthesis symbols are removed.

  A character string (hereinafter simply referred to as a character string) in a character section from which symbol characters have been removed as described above is a personal information element other than a name (specifically, in this embodiment, a telephone number, an e-mail address, and an address). It is determined whether it corresponds to any one of them. Here, the character string determination process is performed in the order of the lighter determination process load, that is, in the order of the telephone number, the e-mail address, and the address.

  First, it is determined whether or not the character string corresponds to a telephone number. Specifically, if the character string satisfies the telephone number determination condition set as the condition, it is determined that the character string corresponds to the telephone number. In the present embodiment, it is assumed that the telephone number determination condition includes a 9-15 digit number in the character string.

  Next, when it is determined that the character string does not correspond to a telephone number, it is determined whether or not the character string corresponds to an e-mail address. Specifically, when the character string satisfies the e-mail address determination condition set as the condition, it is determined that the character string corresponds to the e-mail address. In the present embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that a character string “dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  Further, when it is determined that the character string does not correspond to an e-mail address, it is determined whether or not the character string corresponds to an address (residence), and the character string is set as the condition. When the address determination condition is satisfied, it is determined that the character string corresponds to the address. In the present embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the CPU has sufficiently high processing capability, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

When it is determined that the character string does not correspond to any of a telephone number, an e-mail address, and an address, whether or not the character string satisfies the character determination condition set as the condition, Specifically, it is determined whether or not the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji. In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is a general (appropriate) number range for the number of characters in a full name (including last names only and names only)
For example, it is set to 1 or more and 6 or less.

  Thereafter, a character section determined not to correspond to any of a telephone number, an e-mail address, and an address, and further, a character section within the predetermined range and all characters determined to be kanji By comparing the character / character string included in the character section with an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the name, the character section is determined to be an inappropriate character. / Judge whether or not to include an inappropriate character string.

  Here, inappropriate characters / inappropriate character strings are set in advance as the above-mentioned conditions. For example, Tokyo, Osaka, Nagoya, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture, University, academy, TSE, research, management, general affairs, accounting, sales, supervision, pharmaceutical, sales, school, education, specialization, architecture, machine, corporation, factory, manufacture, technology, commerce, books, unknown, deputy director, disclosure, Publication, Advertising, Broadcasting, Target, Wholesale, Retail, Planning, Human Resources, Information, Department, President, Regulatory, General Manager, Section Manager, General Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Petroleum, Transportation, Management, Strategy, material, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, bank, research, English, quality, warranty, equipment, charge, President, Director, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, First, Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, Ninth, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church, Union, cult, commerce, nationwide, branch, contact, assembly, life, consumption, promotion, city hall, ward office, general, modification, function, overview, composition, company, organization, association, deletion, document, deadline, validity, etc. A character / character string that cannot appear in a typical name, that is, a character / character string that is inappropriate as a name.

  Then, based on the above-described telephone number determination result, e-mail address determination result, address determination result, and inappropriate character / inappropriate character string collation determination result, it is determined whether or not the target file is a personal information file. . More specifically, the number of character sections considered to correspond to each of a telephone number, an e-mail address, and an address is counted, and an inappropriate character / unsuitable character string matching determination result is received. / The character section determined not to contain an inappropriate character string is regarded as corresponding to the name, and the number is counted.

  Based on the counting results (four counting values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, e-mail address, address, and name, the larger the counting value, the larger the count value. A judgment value is calculated. For example, the sum of four count values may be calculated as the determination value, or a weighting factor is set in advance for each of the telephone number, e-mail address, address, and name, and the weighting factor for each personal information element The sum of multiplication results of the count value and the count value may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, it is determined whether the target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the target file is a personal information file. At this time, as described in the first exploration means, a P mark may be assigned, and management according to the P mark may be performed by the management server 10.

  In the second exploration method described above, the case where the personal information elements other than the name are the three elements of the telephone number, the e-mail address, and the address has been described. However, the present invention is not limited to this. As the personal information element other than the name, for example, the date of birth, the basic resident register number, the account number, the credit card number, the license number, the passport number, etc. may be used.

Using the first search method or the second search method as described above, the personal information search means 11
8, the personal information file is searched, and according to the search result, deletion and various inquiries by the deletion means 119 are executed as described above.

[2] Operation of the Personal Information Management System of the Present Embodiment Next, the operation of the personal information management system 1 of the present embodiment configured as described above will be described with reference to FIG.

  3, 4 and 5 are flowcharts for explaining the operation of the personal information management server 10 in this embodiment, and FIG. 6 is a flowchart for explaining the operation of the client terminal 20 in this embodiment.

[2-1] Operation of personal information management server:
First, the operation of the personal information management server 10 of the present embodiment will be described according to the flowchart shown in FIG. 3 (steps S10 to S14, S20 to S26, S30 to S39, S40 to S46).

  When the personal information capsule generation / change request receiving means 101 receives a personal information capsule generation request together with a plurality of types of personal information elements to be stored as authentication information (identification number and password) and the contents of the personal information capsule ( YES route of step S10), the user who made the personal information capsule generation request based on the authentication information (identification number and password) by the authentication determination function of the personal information capsule generation / change request receiving means 101 performs the personal information management. An authentication determination as to whether or not the user is a valid user of the service is executed (step S11). That is, the personal information capsule generation / change request receiving unit 101 searches the authentication information / decryption key storage unit 12 by the identification number, reads the registration password corresponding to the identification number from the authentication information / decryption key storage unit 12, and authenticates. The password included in the information is compared with the registered password read from the authentication information / decryption key storage unit 12, and it is determined whether or not these passwords match.

  If these passwords match and it is authenticated that the user who made the personal information capsule generation request is a valid user (YES route in step S11), the personal information capsule generation / change request receiving unit 101 receives the password. Based on the plurality of types of personal information elements, the generation unit 102 generates a personal information capsule (a data set of a predetermined format) (step S12). At this time, a digital signature is attached to the generated personal information capsule by the digital signature attaching means 117.

  Here, in this system, an electronic file of a unique personal information capsule needs to be generated and saved, and a typographical error that occurs when a character is read by a scanner, or an input or a pseudonym at the time of key input. Errors in Kanji conversion, mistakes in old and new fonts, etc., for example, errors such as “Ichiro” and “Ichiro”, or “Hirose” and “Hirose” cause separate electronic files. That must be avoided.

  Therefore, the generation unit 102 generates a personal information capsule to be newly generated (step S12 in FIG. 3) based on the personal information capsule generation request from the client terminal according to the subroutine shown in FIG. Similarity determination is made with the existing personal information capsule stored in FIG. 4 to confirm the existence of a similar existing personal information capsule (step S121 in FIG. 4). As the similarity determination, a method similar to the above-described search method can be used.

If it is not recognized by the above similarity determination that there is similarity between the personal information capsule to be newly generated and the existing personal information capsule (NO in step S122 in FIG. 4).
Route), a new personal information capsule based on the personal information capsule generation request is generated (step S128 in FIG. 4). Then, the process returns to the main routine of FIG.

  In this embodiment, “similarity of personal information capsule” means that the electronic file that should originally be the same is a separate electronic file due to the above-mentioned typographical omission, which is contrary to the principle of uniqueness. It means the state that exists as a file.

  On the other hand, if it is recognized by the above similarity determination that there is a similarity between the personal information capsule to be newly generated and the existing personal information capsule (YES route in step S122 in FIG. 4), the generating means 102 Notifies the client terminal 20 that a similar personal information capsule already exists in the personal information capsule database 11 (step S123 in FIG. 4). Upon receiving this notification, the client terminal 20 displays on the display means 203 that the similar personal information capsule already exists in the personal information capsule database 11.

  Here, the generating unit 102 searches with the personal information searching unit 118 whether there is a similar personal information capsule in the client terminal 20 (step S124 in FIG. 4). If a similar personal information capsule exists in the client terminal 20 (YES route in step S124 in FIG. 4), the file name of the electronic file in the client terminal 20 corresponding to the similar personal information capsule is notified to the client terminal 20, It is displayed on the display means 203 (step S125 in FIG. 4).

  Further, if necessary, the generation unit 102 notifies the client terminal 20 of the difference between the similar personal information capsule and the personal information capsule to be newly generated, and displays it on the display unit 203 of the client terminal 20 (FIG. 4 in step S127). In this case, it is desirable to notify only a minimum difference from the management server 10 so as not to correspond to leakage of personal information.

  Then, the generation unit 102 requests the client terminal 20 to confirm whether or not a personal information capsule to be newly generated is to be generated (step S127 in FIG. 4). That is, a predetermined confirmation message is displayed on the display unit 203 of the client terminal 20. For example, in the case of the typographical error described above, an operation for canceling the generation of a new personal information capsule by the user is input from the operation unit 202.

  Also, if you have similar people, such as “Ichiro Yamada” and “Jiro Yamada”, but another person, such as a brother, exists at the same address, you will be willing to generate a new personal information capsule. The user inputs, for example, continue generation from the operation unit 202.

  Upon receiving the above operation for continuing the generation from the operation unit of the client terminal 20 (YES route in step S128 in FIG. 4), the generation unit 102 generates a new personal information capsule based on the personal information capsule generation request (FIG. 4 in step S129), this subroutine is terminated, and the process returns to the main routine of FIG. On the other hand, the generation unit 102 that has received the operation for canceling the generation from the operation unit of the client terminal 20 (NO route in step S128 in FIG. 4) ends this subroutine without generating a new personal information capsule. Returning to the main routine of FIG.

  The above operation prevents the creation of electronic files with incorrect data due to erroneous characters generated by scanning with the scanner, errors in kana-kanji conversion, input errors during key input, etc., and management of personal information A unique electronic file is generated and stored in the system.

  When the personal information capsule is generated by the generation unit 102, the filter setting unit 103 sets, for each user who can access the personal information capsule, a filter that defines the personal information element that can be used by the user. (Step S13). The personal information capsules and filters generated and set as described above are stored in the personal information capsule database 11 in association with, for example, personal information capsules and users (step S14), and the process returns to step S10.

  When the personal information capsule is generated by the generation unit 102, the filter setting unit 103 sets, for each user who can access the personal information capsule, a filter that defines the personal information element that can be used by the user. (Step S13). The personal information capsules and filters generated and set as described above are stored in the personal information capsule database 11 in association with, for example, personal information capsules and users (step S14), and the process returns to step S10.

  When the personal information capsule generation / change request receiving means 101 receives the personal information capsule change request together with the authentication information (identification number and password) and the contents of the change to the already registered personal information capsule (NO in step S10). From the route (YES route in step S20), the authentication determination function of the personal information capsule generation / change request receiving means 101 performs the same authentication determination as in step S11 (step S21).

  When the passwords match and it is authenticated that the user who made the personal information capsule change request is a valid user (YES route in step S21), the changing means 114 changes the personal information capsule to be changed into the personal information. The content of the personal information capsule to be changed is changed according to the changed content (change of address, telephone number, etc.) taken out from the capsule database 11 (step S22) and received by the personal information capsule generation / change request receiving means 101. (Step S23). The personal information capsule whose contents have been changed is newly given a digital signature by the digital signature giving means 117 and then stored in the personal information capsule database 11 (step S24).

  When the contents of the personal information capsule are changed as described above, the invalidation means 115 invalidates the personal information file extracted from the changed personal information capsule and transmitted to the client terminal 20 before the change. (Step S25).

  The invalidation means changing the decryption key (stored in the authentication information / decryption key storage means 12) for decrypting the encrypted file corresponding to the encryption of the personal information file as described above. The decryption key transmitting unit 113 prohibits the transmission of the decryption key after the change to disable the decryption, or receives an access request (authentication information) to the encrypted file corresponding to the personal information file and performs user authentication. The client terminal 20 prohibits the transmission of the decryption key by using the log recording means 110 or transmits a deletion command of the file to the client terminal 20 that is the destination of the encrypted file corresponding to the personal information file based on the log recorded by the log recording unit 110. 20 is performed by deleting the personal information file at the client terminal 20 in any case. It is that the is a condition not to refer to the contents of the le.

  Then, the notification means 116 notifies the client terminal 20 by e-mail or the like via the network 30 that the personal information file (encrypted file) has been invalidated (step S26). After prompting the user to re-execute the access request for the personal information capsule corresponding to (encrypted file), the process returns to step S10.

When the access request receiving unit 104 receives an access request for the personal information capsule together with the authentication information (identification number and password) (NO route in step S10, NO route in step S20 to YES route in step S30), the access request is received. The authentication determination function of the means 104 performs an authentication determination similar to step S11 (step S31).

  If the passwords match and it is authenticated that the user who made the access request is a valid user (YES route in step S31), the filtering means 105 causes the personal information capsule to be accessed and the user to be requested. The set filter is extracted from the personal information capsule database 11 (step S32), and the filtering process of the personal information element in the personal information capsule to be accessed is executed using the filter, and the user can use it. A personal information element is extracted from the personal information capsule as a personal information file (step S33). A digital signature is attached to the personal information file extracted from the personal information capsule by the digital signature attaching means 117.

  The personal information file with the digital signature is converted into a PDF file having a container function by the converting means 106 (step S34), and the original file of the personal information file is attached to the PDF file using the container function. Thereafter (step S35), the PDF file is encrypted with an encryption key corresponding to the destination client terminal 20, and an encrypted file is created (step S36). At this time, for the user who accesses the encrypted file, for example, access authority (for example, viewing authority and original file extraction authority / edit authority) for the encrypted file is set by the access authority setting means 108 ( Step S37).

  The encrypted file created as described above is transmitted to the client terminal 20 via the network 30 by the personal information file transmission means 109 (step S38). At that time, the log recording unit 110 records the transmission history of the encrypted file (transmission date and time, destination information, information for specifying the transmitted file, etc.) as a log (step S39), and then step The process returns to S10.

  When the authentication information receiving unit 111 receives a decryption key transmission request as an opening request together with authentication information (identification number and password) for the encrypted file (NO route in step S10, NO route in step S20, NO in step S30). Based on the authentication information (identification number and password) about the encrypted file by the determination means 112, the user who made the transmission request for the decryption key (use to access the encrypted file) Authentication determination is performed as to whether or not the user is a legitimate registrant (legal destination) (step S41).

  Also in this case, as in step S11, the determination unit 112 searches the authentication information / decryption key storage unit 12 by the identification number, reads the registration password corresponding to the identification number from the authentication information / decryption key storage unit 12, and authenticates. The password included in the information is compared with the registered password read from the authentication information / decryption key storage unit 12, and it is determined whether or not these passwords match.

  When these passwords match and it is authenticated that the user is a valid transmission destination (YES route in step S41), the position detection unit 121 causes the authentication information reception unit 111 to perform a decryption key transmission request as the opening request. The country in which the client terminal 20 is located is detected from the connection environment of the client terminal 20 at the time of receiving (step S42).

Here, in the determination unit 112, based on the file ID or user authentication information received by the authentication information receiving unit 111, the user who is trying to open the electronic file to be managed by the client terminal 20 is a valid user. The user authentication determination as to whether or not there is performed, and the position determination as to whether or not the location detected by the position detection means 121 satisfies a predetermined condition is performed (step S43).

  For example, in the present embodiment, position determination as to whether or not the user's location country is a predetermined country specified in advance, position determination as to whether or not the user's location area is a predetermined area specified in advance. Etc. are executed.

  At this time, when the user authentication is determined by the determining unit 112, as described above, the registered user ID corresponding to the file ID received by the authentication information receiving unit 111 is read from the storage unit (database) and read. When the issued registered user ID includes the user ID received by the authentication information receiving unit 111, the registered password corresponding to the registered user ID is read from the storage unit (database). The read registration password and the password received by the authentication information receiving unit 111 are compared, and if they match, the user is authenticated as a valid user.

  When the determination unit 112 authenticates that the user is a valid user and determines that the location of the client terminal 20 satisfies the predetermined condition (YES route in step S44), the client terminal 20 The decryption key for decrypting the encrypted file that is the electronic file to be managed is extracted from the authentication information / decryption key storage unit 12 (step S45), and the decryption key transmission unit 113 sends the network to the network. 30 to the client terminal 20 (step S46). Thereafter, the process returns to step S10.

  On the other hand, when the determination unit 112 determines that the user is not a valid user, or when it is determined that the location of the client terminal 20 does not satisfy the predetermined condition (NO route of step 44), By not transmitting the decryption key, the opening of the electronic file at the client terminal 20 is prohibited. Instead, the notification means 116 informs the user of the client terminal 20 or the system administrator of an error (alert). ) (Step S50).

  It should be noted that when it is determined that the passwords do not match by the authentication determination function of the personal information capsule generation / change request receiving unit 101 and the access request receiving unit 104 or the determination unit 112, or the registration password corresponding to the identification number is the authentication information. / If it is not registered in the decryption key storage means 12, or if it is determined that the location of the client terminal 20 does not satisfy the predetermined condition, the user is an authorized user or an authorized transmission destination. (NO route of steps S11, S21, S31, S41, and S44), an error notification is sent from the management server 10 to the client terminal 20 via the network 30 (step S50), and the process returns to step S10. . When a personal information capsule generation request is input from the management server 10, the error notification is sent to the user or administrator who made the personal information capsule generation request at the management server 10. If NO is determined in step S40, the process returns to step S10.

[2-2] Personal information search operation of personal information management system:
The personal information search operation in the personal information management system 1 of the present embodiment will be described with reference to the flowchart shown in FIG. 5 (steps S51 to S58).

In the personal information management system 1, the personal information search operation by the personal information search means 118 is executed at a preset cycle or a predetermined start timing (when the system is started).

  When the personal information search unit 118 is activated (YES route in step S51), in this embodiment, as described above, the personal information search unit 118 uses the personal information for realizing the personal information search tool on each client terminal 20 as described above. A search program is installed, and the personal information search program is executed by each client terminal 20 to execute self-search of personal information and a personal information file (step S52), and the result of the self-search is received from each client terminal 20. (Step S53).

  When the management server 10 confirms the existence of the client terminal 20 that holds the personal information / personal information file based on the result of self-exploration (YES route in step S54), the stored personal information / personal information It is determined whether or not a digital signature is given to the file by the management server 10 (step S55). If there is no client terminal 20 that holds the personal information / personal information file (NO route of step S54) or if a digital signature is given (YES route of step S55), the process returns to step S51.

  If the digital signature has not been given (NO route of step S55), whether or not the personal information / personal information file is registered in the management server 10 as a personal information capsule is stored in the personal information / personal information file. An inquiry is made to the user of the client terminal 20 (step S56). When the user desires to register (YES route of step S56), the management server 10 generates a personal information capsule based on the searched personal information / personal information file by the generation means 102 and stores it in the personal information capsule database 11. Register and save (step S57). Thereafter, the process returns to step S51.

  If the user does not want to register (NO route of step S56), the deletion means 119 deletes the personal information / personal information file that has not been digitally signed from the client terminal 20 (step S58). The process returns to S51. At this time, as described above, when a fixed period is set and the user does not register the personal information / personal information file within the predetermined period, the deleted personal information or personal information file is deleted by the deletion unit 119. You may make it delete automatically.

  Here, the personal information / personal information file that can determine the presence or absence of the digital signature is naturally not encrypted by the encryption means 107, and is given a digital signature by the digital signature assignment means 117 for some reason. However, it is considered that the data leaked to the client terminal 20 without being encrypted. Therefore, when a personal information / personal information file that has a digital signature but is not encrypted is searched (YES in step S55), as described above, the personal information / personal information file is encrypted. Inquires whether or not to convert to a file, and when the user desires to convert to an encrypted file, the above-described conversion means 106 and encryption means 107 convert the searched personal information or personal information file into an encrypted file. On the other hand, if it is not desired to convert to an encrypted file, the personal information / personal information file may be deleted by the deleting means 119.

[2-3] Operation of client terminal:
The operation of the client terminal 20 of the present embodiment will be described with reference to the flowchart shown in FIG. 6 (steps S60 to S63, S70 to S81).

In the client terminal 20, when the user issues an access request to create, for example, a directory or address book using the contents (personal information elements) of the personal information capsule managed by the management server 10 (YES in step S60). Route), an access request for the personal information capsule is transmitted to the management server 10 via the network 30 together with the authentication information (identification number and password) by the access request transmitting means 221 (step S61).

  In response to this access request, the personal information file receiving unit 222 has received a personal information file (encrypted file) corresponding to the access request transmitted from the management server 10 by the access request transmitting unit 221 via the network 30. In the case (file route in step S62), the received personal information file is stored in the personal information file storage means 223 (step S63), and the process returns to step S60. On the other hand, if an error notification is received instead of the personal information file in response to the access request (error route in step S62), an error is displayed on the display of the client terminal 20 (step S80), and the process in step S60 Return to.

  When the user performs file access (decryption key transmission request) to open an encrypted file that is a personal information file stored in the personal information file storage unit 223 (YES in step S60 to YES in step S70). Root), the authentication information transmission means 224 transmits a decryption key transmission request as an unsealing request to the management server 10 via the network 30 together with the authentication information (identification number and password) for the encrypted file (step S71).

  In response to the opening request (decryption key transmission request), the decryption key receiving unit 225 receives a decryption key corresponding to the encrypted file to be accessed from the management server 10 via the network 30 (YES in step S72). Route), the decryption unit 226 decrypts the encrypted file using the decryption key received by the decryption key reception unit 225 to restore the original personal information file (PDF file) (step S73), and the client terminal 20 Is displayed on the display (step S74). On the other hand, if an error notification is received instead of the decryption key in response to the decryption key transmission request (error route in step S72), an error is displayed on the display of the client terminal 20 (step S80), and then in step S60. Return to processing.

  After the personal information file is displayed, if the user wants to edit the original file attached to the restored PDF file (YES route in step S75), the user has the authority to extract and edit the original file. (Step S76), if not set (NO route of step S76), after displaying an error to that effect (step S81), the process returns to the process of step S60 while being set If it exists (YES route of step S76), the editing process for the original file is executed by the editing means 227 (step S77). If the user does not want to edit the original file (NO route in step S75), the process returns to step S60.

  When the editing process is ended (YES route in step S78), the original file edited by the editing unit 227 is prohibited from being saved other than the PDF file from which the original file was extracted. The extracted PDF file is saved (step S79). Thereafter, the process returns to step S60.

[3] Effects of the personal information management system of this embodiment:
(3-1) According to the personal information management system 1 of the above embodiment, in the personal information management server 10, personal information that can identify a specific individual is unified as a personal information capsule that is a standardized data set. Managed. Then, for each user who can access the personal information capsule from the client terminal 20, a filter that defines personal information elements that can be used by the user is set, and when the user requests access to the personal information capsule The personal information element in the personal information capsule is filtered using the filter set for the user, and the personal information element usable by the user is extracted from the personal information capsule, and the extracted personal information The element is transmitted to the client terminal 20 as a personal information file. This allows users who use personal information about a specific individual to be provided with only the personal information elements of the content according to the user, so content that seems unnecessary for the user is inadvertent The personal information can be prevented from being transmitted unintentionally, and inadvertent leakage / leakage of personal information and unauthorized use of personal information can be reliably prevented, and personal information can be protected.

  Here, when the personal information file is transmitted from the personal information management server 10 to the client terminal 20, the personal information file is encrypted using an encryption key corresponding to the destination client terminal 20, and transmitted as an encrypted file. The personal information management server is configured such that only the authorized user authenticated by the personal information management server 10 (the user of the client terminal 20 that is a valid transmission destination) can access the decrypted encrypted file. Thus, the content of the personal information file transmitted from the client 10 to the client terminal 20 can be reliably prevented from being inadvertently leaked, leaked, or illegally used, and the personal information can be reliably protected.

  When the content of the personal information capsule is changed, the decryption key is changed in response to the invalidation command from the invalidation means, thereby making it impossible to decrypt the personal information file on the client terminal 20 side. Disable the personal information file with.

  That is, the personal information management server 10 is configured to invalidate the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal 20, thereby enabling the contents of the personal information capsule to be invalidated. If the personal information file is changed, the personal information file before the change is invalidated and no one can use it. Can be reliably protected.

  At this time, for example, users are ranked such as a level at which all personal information including image information etc. is disclosed, a level at which personal information other than image information is disclosed, and a level at which only name and contact information are disclosed. By setting the filter, personal information corresponding to the rank can be provided. Also, for example, when a user browses / uses personal information of a specific individual while managing personal information including various personal information elements that can identify the specific individual in a company, for example, as described above. If the user is a supervisor or administrator of a specific individual, detailed contents (personal information elements) can be viewed and used while the user is a colleague or subordinate. In some cases, only a part of the personal information can be browsed and used, and only the personal information element with the content corresponding to the user can be provided to the user.

  (3-2) According to the personal information management system 1 of the above embodiment, when the user opens the electronic file at the client terminal 20, a request to open the personal information file is transmitted to the personal information management server 10. In response to the decryption key transmission request as the opening request, the personal information management server 10 detects the location (location country) of the client terminal 20 at the time of opening the personal information file, and the detected location is determined according to a predetermined condition [ It is determined whether or not a predetermined country (for example, a white country) is satisfied, and the location of the client terminal 20 can be confirmed immediately before opening the personal information file on the client terminal 20. Then, by permitting the opening of the personal information file only when the location of the client terminal 20 satisfies a predetermined condition (for example, not in the country subject to export control), the content of the personal information file is changed to the country or region subject to export control, etc. Therefore, it is possible to reliably prevent leakage or leakage without the user's knowledge.

Further, according to the personal information management system 1 of the above embodiment, after changing the decryption key as described above, by prohibiting transmission of the decryption key after the change to the client terminal 20, the personal information file is stored. Invalidated. For this reason, it becomes impossible to decrypt the personal information file before the change, and it is securely invalidated so that no one can use it. And personal information can be reliably protected.

  Further, according to the personal information management system 1 of the above embodiment, the personal information management server 10 uses the history of transmission of the personal information file executed in response to the access request for the personal information capsule from the client terminal 20 as a log. By recording and sending a delete instruction from the log record as necessary, the access status to the personal information capsule is managed, and the access to the personal information file can be tracked and managed as needed. Since invalidation is also possible, unauthorized use of personal information can be prevented more reliably.

  (3-3) In addition, according to the personal information management system 1 of the above embodiment, a personal information capsule newly generated in the personal information management server 10, a personal information capsule that has been changed, or a personal information file By giving a digital signature, it can be ensured that the personal information capsule or personal information file has not been tampered with, and counterfeiting by a third party can be prevented. At that time, by searching for personal information from the data in the client terminal 20 and when the digital information is not attached to the searched personal information, the personal information is deleted from the client terminal 20. The personal information that has not been given a digital signature in the personal information management server 10 is determined to be non-regular personal information that is not under the management of the personal information management server 10 and is created locally on the client terminal 20 or the like. It is automatically deleted from the client terminal 20. As a result, only the personal information managed centrally by the personal information management server 10 exists and is used in the system of the present invention, and the personal information can be reliably managed and reliably protected. it can.

  (3-4) Also, according to the personal information management system 1 of the above embodiment, the personal information management server 10 converts the personal information file into a completed document file having a container function, and uses the container function. By encrypting the completed document file with the original personal information file attached and sending it to the client terminal 20 as a personal information file, the personal information file is sent as a completed document file that is difficult to falsify. It is also possible to perform operations such as editing using the original file attached by the container function while preventing tampering and unauthorized use.

  That is, in the management server 10, the personal information file is converted into a PDF file having a container function, and the PDF file is encrypted with the original file of the personal information file attached using the container function. By transmitting to the client terminal 20, the personal information file is transmitted as a PDF file that is difficult to falsify, and the personal information file is prevented from being falsified and used illegally, while using the original file attached by the container function. It is also possible to perform operations such as editing.

  At this time, however, editing and other operations can be performed only by the user granted by the access authority setting means 108 with the original file retrieval authority and editing authority as the access authority, and the client terminal 20 performs the post-editing operation. By prohibiting the original file from being stored other than the PDF file from which the original file was extracted, it is possible to reliably prevent the original file from being inadvertently leaked or leaked or illegal use of personal information.

(3-5) Also, according to the personal information management system 1 of the above embodiment, the personal information management server 10 gives the predetermined access authority to the encrypted file according to the user of the transmission destination of the personal information file. Since the client terminal 20 is permitted to access the personal information file restored by the decryption means according to the access authority set by the access authority setting means 108, the client terminal 20 Only a user who has been given the access right as the access right can perform this operation, and it is possible to reliably prevent the original file from being inadvertently leaked or leaked, or illegal use of personal information.

  (3-6) Also, according to the personal information management system 1 of the above embodiment, the user can use the access authority setting means 108 to extract the original file from the completed document file, and the extracted original file. If the file editing authority is set as the predetermined access authority, the client terminal 20 is allowed to edit the original file by the editing means 227. Therefore, the original file take-out authority and editing authority are given. Only users who have been granted access authority can do so, and the original file can be prevented from being accidentally leaked or leaked or illegal use of personal information.

  (3-7) Further, according to the personal information management system 1 of the above embodiment, the client terminal 20 is prohibited to store the original file edited by the editing unit 227 other than the completed document file. Therefore, operations such as editing can be performed only by a user who has been given the access authority to retrieve and edit the original file, and the original file after editing in the client terminal 20 can be other than the completed document file. By prohibiting storage, it is possible to reliably prevent the original file from being inadvertently leaked or leaked or illegal use of personal information.

  (3-8) According to the personal information management system 1 of the above embodiment, when the personal information file is invalidated, the personal information management server 10 automatically notifies the client terminal 20 of the fact. The user can be prompted to re-execute the access request for the personal information capsule, and the user who receives the notification can obtain the latest personal information file after the change by requesting access again at his / her discretion. It is possible to improve user convenience. When the user recognizes that the personal information file can no longer be used because the personal information file has been invalidated, the user can request access again to obtain the latest personal information file after the change. become.

  (3-9) Moreover, according to the personal information management system 1 of the above embodiment, in the above-described first search method, based on the number of appearances of characteristic characters and characteristic character strings for each file in each client terminal 20 The judgment value determines whether or not the file is a personal information file (or confidential information file), and the personal information file can be automatically identified and searched without any human cooperation. In addition, for example, the management server 10 or the like is surely searched and identified for personal information files (data files that are likely to be personal information files) that exist in a distributed manner in a company or the like, without imposing a special load on the person in charge. Can be put in a manageable state. Accordingly, it is possible to reliably respond to requests for disclosure and correction of personal information, and to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

(3-10) In the second exploration method described above, a character section that does not correspond to any of a telephone number, an e-mail address, and an address and includes an inappropriate character / unsuitable character string relates to personal information. On the other hand, a character section that does not correspond to any of a telephone number, an e-mail address, and an address and does not include an inappropriate character / inappropriate character string is considered to be related to a name. Therefore, for the character section determined to correspond to any one of the telephone number, e-mail address, and address, the determination process is terminated when the determination is made, and any of the telephone number, e-mail address, or address is terminated. Is also checked for inappropriate characters / unsuitable character strings only for character sections determined to be not applicable, and it is determined that even one inappropriate character / unsuitable character string is included in the character section. At that point, the collation process can be terminated, so that the name collation process can be performed at a higher speed than the conventional method that collates with all name strings contained in the name list. Processing can be performed at high speed.

  At this time, it is possible to execute the determination process more quickly and efficiently by performing the determination process of the character string in the character section in the order of the light load of the determination process, that is, in the order of the telephone number, the e-mail address, and the address. It becomes possible.

  (3-11) Since all character sections that do not include inappropriate characters / unsuitable character strings are regarded as corresponding to names, electronic files that do not contain inappropriate characters / unsuitable character strings for names, It becomes possible to reliably search for an electronic file that is highly likely to contain name information and is likely to be a personal information file. That is, the number of electronic files that are determined to be personal information files according to the present embodiment is larger than that of the conventional method, and an electronic file that is likely to be a personal information file (suspicious electronic file) is reliably identified. be able to.

  Further, since it is determined whether or not the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji characters, only the character section that satisfies this character determination condition is the target of verification. Are narrowed down to character sections that are more likely to be names, so that the matching accuracy of names can be improved and the name matching process can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the object to be collated, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process.

  In this way, the personal information file can be automatically identified and searched by the second exploration method, so that, for example, a company can be obtained without obtaining human cooperation and applying a special load to the person in charge. Disclosure of personal information files (electronic files that are likely to be personal information files) that are distributed within the company, etc., can be surely searched and placed in a state that can be managed by the management server 10 etc. Requests and correction requests can be handled with certainty, and personal information can be prevented from being inadvertently leaked or leaked or unauthorized use of personal information.

  (3-12) Also, the personal information file is managed by the management server 10 or the like according to the P mark (rank / level) given to each personal information file, and attention is paid to the user (owner) of the personal information file. Information / warning information can be notified, personal information files can be forcibly captured and collected from the client terminal 20, and personal information files can be stored in a folder accessible only to the administrator. It is possible to more reliably prevent inadvertent leakage / leakage of personal information and unauthorized use of personal information.

  (3-13) According to the present embodiment, the existing personal information capsule to be newly generated based on the personal information capsule generation request from the client terminal 20 is stored in the personal information capsule database 11. Similarity determination with the personal information capsule is performed to confirm the existence of a similar existing personal information capsule. If a similar personal information capsule already exists, the client terminal 20 is requested to confirm and the confirmation is obtained. In this case, a new personal information capsule is generated, and an electronic file of incorrect data is generated due to an error in reading with a scanner, an error in kana-kanji conversion, an error in key input, etc. In the system that manages personal information, a unique electronic file is generated and stored. So as to.

  At this time, if a similar personal information capsule already exists from the management server to the client terminal, a confirmation request to the client terminal, a similar personal information capsule presence notification and confirmation request to the client terminal, and a similar personal information capsule to the client terminal Any method of notifying the existence of a similar personal information capsule to the client terminal when it exists in the terminal may be used. And based on the confirmation request | requirement with respect to a client terminal, when a confirmation is obtained from a client terminal, it is desirable to produce | generate a new personal information capsule. This makes it possible to generate and manage an electronic file of a unique personal information capsule more reliably.

[4] Other embodiment (modification):
The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.

  For example, in the above-described embodiment, it is realized by one type of personal information management server 10, but the management server that accesses the personal information capsule database 11 and the management server that accesses the authentication information / decryption key storage unit 12 are used. It may be realized separately.

  In addition, when there is insurance that pays insurance money against unauthorized access, information leakage, data damage, etc., it is expected that the risk will be greatly reduced by using the above embodiment. In the client terminal 20 that handles personal information in the state authenticated by the personal information management server 10 in the form, the insurance information is transferred from the personal information management server 10 to the server of the insurance company and confirmed by the insurance company side. It is also possible to discount the premium. In this case, the personal information management server 10 only transfers the data that has been authenticated and the information of the client terminal 20 to the insurance company, and does not require significant improvement of the system. Also, the insurance company can receive the data that has been authenticated, and can reduce the fee (insurance premium) while ensuring a certain state.

  Further, the functions (all or a part of the functions of each means) as the means 101 to 119 and 21 to 27 described above are performed by a computer (including a CPU, an information processing apparatus, and various terminals) by a predetermined application program (personal information management). This is realized by executing a program.

  The program is, for example, a computer such as a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.). It is provided in a form recorded on a readable recording medium. In this case, the computer reads the control program for the distributed storage system from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a program recorded on a recording medium. The application program as the personal information management program includes a program code for causing the computer as described above to realize the functions as the means 101 to 119 and 21 to 27. Also, some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

It is a block diagram which shows the structure of the personal information management system as one Embodiment of this invention. It is a block diagram which shows the whole schematic structure of the personal information management system as one Embodiment of this invention. It is a flowchart for demonstrating operation | movement of the personal information management server in this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server in this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server in this embodiment. It is a flowchart for demonstrating operation | movement of the client terminal in this embodiment.

Explanation of symbols

1 Personal Information Management System 10 Personal Information Management Server (Management Server)
11 Personal Information Capsule Database (Storage)
12 Authentication Information / Decryption Key Storage Means 101 Personal Information Capsule Generation / Change Request Receiving Means 102 Generating Means 103 Filter Setting Means 104 Access Request Receiving Means 105 Filtering Means 106 Conversion Means 107 Encryption Means 108 Access Authority Setting Means 109 Personal Information File Transmission Means 110 Log recording means 111 Authentication information receiving means 112 Judging means 113 Decryption key sending means 114 Changing means 115 Invalidating means 116 Notifying means 117 Digital signature giving means 118 Personal information searching means 119 Deleting means 121 Position detecting means 20 Client terminal 202 Operation Means 203 Display means 221 Access request transmission means 222 Personal information file reception means 223 Personal information file storage means 224 Authentication information transmission means 225 Decryption key reception means 226 Means 227 editing means 30 network (internal LAN)

Claims (9)

A management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual, and is connected to the management server so that they can communicate with each other A personal information management system comprising a client terminal that can access the personal information capsule and use a personal information element in the personal information capsule,
The management server is
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter for defining a personal information element available to the user for each user who can access the personal information capsule stored in the storage means from the client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Changing means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server A deletion means for deleting the personal information from the client terminal if it is not desired to register as a management target of
The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for causing the personal information file transmission means to transmit;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether or not the client terminal is a valid destination of the encrypted file based on the authentication information received by the authentication information receiving means;
Decryption key storage means for storing a decryption key for decrypting the encrypted file;
A decryption key transmission unit configured to transmit the decryption key to the client terminal when the determination unit determines that the client terminal is a valid transmission destination;
The client terminal is
Access request transmitting means for transmitting an access request for the personal information capsule to the management server;
Personal information file receiving means for receiving the personal information file in response to the access request from the management server;
Authentication information transmitting means for transmitting authentication information about the encrypted file to the management server when opening an encrypted file that is the personal information file received by the personal information file receiving means;
Decryption key receiving means for receiving a decryption key corresponding to the encrypted file from the management server;
Decryption means for decrypting the encrypted file using the decryption key received by the decryption key receiving means and restoring the original personal information file,
The decryption key storage means changes the decryption key in response to an invalidation instruction from the invalidation means when the content of the personal information capsule is changed, so that the personal information on the client terminal side is changed. Disable file decryption,
A personal information management system characterized by that. The client terminal is
When opening the personal information file in the client terminal, the client terminal is configured to include a decryption request transmission means for transmitting a decryption key transmission request as a request to open the personal information file to the management server,
The management server is
An opening request receiving means for receiving a decryption key transmission request as the opening request from the client terminal;
Position detecting means for detecting the location of the client terminal at the time when the decryption key transmission request as the opening request is received by the opening request receiving means;
Determining means for determining whether or not the location detected by the position detecting means satisfies a predetermined condition;
When the determination unit determines that the location satisfies the predetermined condition, the client terminal allows the personal information file to be opened, and determines that the location does not satisfy the predetermined condition. And an opening permission / refusal means for prohibiting the opening of the personal information file at the client terminal when
The personal information file management system according to claim 1. A management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual, and is connected to the management server so that they can communicate with each other A personal information management system comprising a client terminal that can access the personal information capsule and use a personal information element in the personal information capsule,
The management server is
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter for defining a personal information element available to the user for each user who can access the personal information capsule stored in the storage means from the client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Changing means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server And deleting means for deleting the personal information from the client terminal if it is not desired to be registered as a management target,
The generation unit is similar to a personal information capsule to be newly generated based on a personal information capsule generation request from the client terminal by performing similarity determination with an existing personal information capsule stored in the storage unit Confirm the existence of the existing personal information capsule,
If a similar personal information capsule already exists, request confirmation from the client terminal, and generate a new personal information capsule if confirmation is obtained.
A personal information management system characterized by that. A personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter that defines personal information elements available to the user for each user who can access the personal information capsule stored in the storage means from a client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Changing means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server A deletion means for deleting the personal information from the client terminal if it is not desired to register as a management target of
The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for causing the personal information file transmission means to transmit;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether or not the client terminal is a valid destination of the encrypted file based on the authentication information received by the authentication information receiving means;
Decryption key storage means for storing a decryption key for decrypting the encrypted file;
A decryption key transmission unit configured to transmit the decryption key to the client terminal when the determination unit determines that the client terminal is a valid transmission destination;
The decryption key storage means changes the decryption key in response to an invalidation instruction from the invalidation means when the content of the personal information capsule is changed, so that the personal information on the client terminal side is changed. Disable file decryption,
A personal information management server characterized by that. When the personal information file is opened at the client terminal, an opening request receiving means for receiving a decryption key transmission request as the opening request from the client terminal;
Position detecting means for detecting the location of the client terminal at the time when the decryption key transmission request as the opening request is received by the opening request receiving means;
Determining means for determining whether or not the location detected by the position detecting means satisfies a predetermined condition;
When the determination unit determines that the location satisfies the predetermined condition, the client terminal allows the personal information file to be opened, and determines that the location does not satisfy the predetermined condition. And an opening permission / refusal means for prohibiting the opening of the personal information file at the client terminal when
The personal information file management server according to claim 4. A personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) composed of a plurality of personal information elements related to the specific individual,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting a filter that defines personal information elements available to the user for each user who can access the personal information capsule stored in the storage means from a client terminal;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Changing means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal When,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means Means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server A deletion means for deleting the personal information from the client terminal if it is not desired to register as a management target of
The generation unit is similar to a personal information capsule to be newly generated based on a personal information capsule generation request from the client terminal by performing similarity determination with an existing personal information capsule stored in the storage unit Confirm the existence of the existing personal information capsule,
If a similar personal information capsule already exists, request confirmation from the client terminal, and generate a new personal information capsule if confirmation is obtained.
A personal information management server characterized by that. A personal information management program that causes a computer to function as a personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) that includes a plurality of personal information elements related to the specific individual. There,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting, for each user who can access the personal information capsule stored in the storage means from a client terminal, a filter that defines personal information elements available to the user;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Change means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal ,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Deleting means for deleting the personal information from the client terminal if it is not desired to register as a management target of
The personal information file transmitted by the personal information file transmitting means is encrypted using an encryption key corresponding to the client terminal of the transmission destination to create an encrypted file, and the encrypted file is used as the personal information file. Encryption means for causing the personal information file transmission means to transmit;
Authentication information receiving means for receiving authentication information about the encrypted file from the client terminal;
Determination means for determining whether or not the client terminal is a valid transmission destination of the encrypted file based on the authentication information received by the authentication information receiving means; and
A decryption key for decrypting the encrypted file is stored, and when the determination unit determines that the client terminal is a valid transmission destination, the decryption key is transmitted to the client terminal, and When the content of the personal information capsule is changed, the decryption key is changed in response to an invalidation instruction from the invalidation means, thereby making it impossible to decrypt the personal information file on the client terminal side Decryption key storage means,
A personal information management program for causing the computer to function as: An opening request receiving means for receiving a decryption key transmission request as the opening request from the client terminal when the personal information file is opened at the client terminal;
Position detecting means for detecting the location of the client terminal at the time of receiving a decryption key transmission request as the opening request by the opening request receiving means;
Determination means for determining whether or not the location detected by the position detection means satisfies a predetermined condition;
When the determination unit determines that the location satisfies the predetermined condition, the client terminal allows the personal information file to be opened, and determines that the location does not satisfy the predetermined condition. Opening permission / refusal means for prohibiting the opening of the personal information file at the client terminal when
The personal information management program according to claim 7, wherein the computer is caused to function as: A personal information management program that causes a computer to function as a personal information management server that manages personal information that can identify a specific individual as a data set (hereinafter referred to as a personal information capsule) that includes a plurality of personal information elements related to the specific individual. There,
Generating means for generating the personal information capsule;
Storage means for storing the personal information capsule generated by the generation means;
Filter setting means for setting, for each user who can access the personal information capsule stored in the storage means from a client terminal, a filter that defines personal information elements available to the user;
Access request receiving means for receiving an access request for the personal information capsule from a user through the client terminal;
When the access request is received by the access request receiving means, filtering of the personal information element in the personal information capsule is performed using the filter set by the filter setting means for the user who transmitted the access request. Filtering means for extracting personal information elements available to the user from the personal information capsule by performing,
Personal information file transmitting means for transmitting the personal information element extracted from the personal information capsule by the filtering means to the client terminal as a personal information file;
Change means for changing the content of the personal information capsule stored in the storage means;
When the contents of the personal information capsule are changed by the changing means, the invalidating means for invalidating the personal information file extracted before the change from the changed personal information capsule and transmitted to the client terminal ,
Giving a digital signature to the personal information capsule generated by the generating means, the personal information capsule changed by the changing means, or the personal information file obtained by the filtering means means,
Personal information exploration means for exploring personal information from data in the client terminal;
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Means for registering and storing the personal information as a personal information capsule in the storage means,
The personal information searched by the personal information searching means is not given a digital signature by the digital signature giving means, and a user of a client terminal holding the personal information receives the personal information from the management server Deleting means for deleting the personal information from the client terminal if it is not desired to register as a management target of
The personal information capsule to be newly generated based on the personal information capsule generation request from the client terminal is similar to the existing personal information capsule stored in the storage unit and similar to the existing personal information capsule. Means for requesting confirmation from the client terminal if a similar personal information capsule already exists, and generating a new personal information capsule if confirmation is obtained,
A personal information management program for causing the computer to function as:

Images