JP2010211590A - Data conversion program, data converter and data conversion method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To link data including personal information such that a person to which the personal information belongs cannot be specified. <P>SOLUTION: An acquisition part 20 acquires first personal information and data, and second personal information data. A first encryption part 40 performs reversible encryption processing to an employee NO of the first and second personal information data to generate first and second encryption data. A second encryption part 50 furthermore applies hash processing to the employee NO of the first and second encryption data to generate first and second hash data. A combination part 60 combines the first and second hash data based on the employee NO, and generates analyzing data. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for protecting personal information.

  In-house information includes data including employee personal information such as personnel information and family information. There is also data related to personal information outside the company, such as customer information. Even if these data are handled only within the company without being provided outside the company, there are many cases where these data should not be disclosed to other than the related departments.

  However, data including such personal information may be analyzed in association with general information not including other personal information. For example, when a person in the IT department statistically analyzes the causal relationship between an employee's health status and PC usage time, the health status of each employee and the PC usage time of each employee can be represented by a common employee number. Thus, it is necessary to associate the data into one data.

  In general, employee numbers are commonly used by each department, but data related to the health of employees is owned by the personnel department, and PC usage time is owned by the IT department. Often owned by only.

  In this way, when data including personal information such as health status is linked between different departments, the person of the other department (IT department) must not specify who the personal information belongs to. For example, the person in charge of the human resources department can naturally know the health status of employees in the business, but the person in charge of the IT department only needs to be able to perform overall statistical processing and identify individual employees. You don't have to know your health. In other words, people in the IT department must make it impossible to know who the health data belongs to.

  Here, the following three conventional methods are known as techniques for linking data.

  FIG. 6 is a diagram showing a data flow for explaining the conventional method 1. The conventional method 1 is a method of manually converting the employee number of the personnel data D100 and the employee number of the PC data D200.

  The personnel data D100 is a relational database in which employee numbers of employees belonging to a company are associated with health status data of each employee. The PC data D200 is a relational database in which the employee number of each employee is associated with the PC usage data of each employee.

  Here, data indicating the health status of each employee is adopted as the health status data, and examples include data indicating complaints and diseases such as eye strain, stiff shoulders, and back pain. Further, as the PC data, for example, data indicating the use time of the computer such as annual or monthly for each employee is adopted.

  First, the personnel manager manually converts the employee numbers of the personnel data D100 and the PC data D200 according to a predetermined rule, and creates personnel data D100 ′ and PC data D200 ′ ( Step S100). In this case, employee No. 672351 is converted to 011 km3 according to a certain rule. Note that certain rules are known only to personnel personnel.

  Next, the personnel data D100 ′ and the PC data 200 ′ are merged based on the employee NO converted by the personnel officer in step S100 to generate analysis data D300 (step S200).

  Here, the analysis data D300 is a relational database in which the employee NO converted in step S100 is associated with the health condition data included in the personnel data D100 and the PC usage data included in the PC data D200. Used for statistical processing performed in the IT department.

  FIG. 7 is a diagram showing a data flow for explaining the conventional method 2. The conventional method 2 is a method of encrypting the employee NO of the personnel data D100 and the employee NO of the PC data D200 by a reversible encryption process. For this reversible encryption processing, for example, encryption software such as free software is employed, and when the personnel manager inputs the encryption key, the data is encrypted according to the encryption key. The encrypted data can be decrypted with the encryption key used for encryption.

  First, the personnel officer inputs the encryption key, encrypts the personnel data D100 and the PC data D200, and generates personnel data D100 ′ and PC data D200 ′ (step S110). In this case, employee No. 672351 is encrypted to ab1km3. It is assumed that only the person in charge of personnel knows the encryption algorithm and encryption key.

  Next, the personnel officer merges the personnel data D100 ′ and the PC data D200 ′ based on the employee NO encrypted in step S110, and creates analysis data D300 (step S210).

  FIG. 8A is a diagram showing a data flow for explaining the conventional method 3. FIG. 8B is a diagram for explaining a problem of the conventional method 3. The conventional method 3 is a method of hash-converting the employee numbers of the personnel data D100 and the PC data D200.

  First, the personnel manager performs hash conversion on the employee numbers of the personnel data D100 and the PC data D200 using a predetermined hash algorithm to create personnel data D100 ′ and PC data D200 ′ (step S120). In this case, employee number 672351 is hash-converted to 8a2i3sg. It is assumed that only the personnel manager knows the hash algorithm used for the hash conversion.

  Next, the personnel manager merges the personnel data D100 ′ and the PC data 200 ′ based on the employee NO converted in step S120, and generates analysis data D300 (step S220).

  The following Non-Patent Document 1 is known as a technique related to the present invention.

"Cryptographic Technology Handbook 2nd Edition, March 2000, Electronic Commerce Demonstration Promotion Council, Security WG"

  However, the conventional method 1 has a problem that it takes a lot of work when the number of employees is large because personnel personnel manually convert employee NOs one by one. Moreover, when a conversion rule is simple, there exists a problem that employee NO will be identified easily. Furthermore, since the employee NO is manually converted, different employee NOs may be converted to the same value.

  Further, the conventional method 2 has a problem that the employee NO is easily specified when the encryption key or the encryption method is leaked.

  Further, in the conventional method 3, since the hash conversion is an irreversible process, it is impossible to specify the original employee NO from the employee NO subjected to the hash conversion. However, since there are very few types of hash algorithms, when an employee NO list in which all employee NOs are described is obtained, all types of hashes are obtained for all employee NOs described in the employee list. Employee NO can be specified by obtaining a hash value by applying an algorithm and comparing the obtained hash value with the analysis data D300.

  Specifically, as shown in FIG. 8B, first, i) an employee NO list in which employee NOs of all employees are described is obtained. Next, ii) a hash value is obtained by applying all types of hash algorithms to each employee NO in the acquired employee NO list. Next, iii) A correspondence table is created in which employee numbers of all employees are associated with hash values for each hash algorithm.

  Next, iv) Employee NO of analysis data D300 is compared with each hash value described in the correspondence table, and employee NO of analysis data D300 is found from the correspondence table. In FIG. 8 (b), 8a2i3sg, which is the employee number of the analysis data, is found from the correspondence table.

  Next, v) Identify the employee NO associated with the hash value found from the correspondence table. Thus, vi) the original employee NO can be identified from the hash-converted employee NO. In other words, using this correspondence table, the employee NO can be retroactively identified by the procedures of iv), v), and vi).

  An object of the present invention is to provide a technique capable of linking data including personal information so that it cannot be specified who the personal information belongs to.

  (1) A data conversion program according to one aspect of the present invention includes: first personal information data in which identification information uniquely assigned to each of a plurality of persons and first personal information related to each person are associated; And an acquisition unit for acquiring second personal information data in which the identification information and second personal information related to each person are associated, and first identification information in the identification information of the first and second personal information data A first encryption unit that performs a process, and a second encryption unit that further performs a second encryption process on the identification information of the first and second personal information data subjected to the first encryption process And the first and second personal information data whose identification information is encrypted by the second encryption unit are merged based on the identification information included in the first and second personal information data, As a merger that generates data for analysis Caused to function data, said first and second encryption process, one is the encryption process reversible, and the other is an encryption process irreversible.

  The data conversion device according to another aspect of the present invention provides first personal information data in which identification information uniquely assigned to each of a plurality of persons and first personal information related to each person are associated with each other. , And an acquisition unit that acquires second personal information data in which the identification information and second personal information related to each person are associated with each other, and a first cipher in the identification information of the first and second personal information data A first encryption unit for performing encryption processing, and second encryption for further performing second encryption processing on the identification information of the first and second personal information data subjected to the first encryption processing Merge the first and second personal information data whose identification information has been encrypted by the second encryption unit based on the identification information contained in the first and second personal information data And the first and second encryption processes are One is the encryption process reversible, and the other is an encryption process irreversible.

  According to still another aspect of the present invention, there is provided a data conversion method in which a computer associates identification information uniquely assigned to each of a plurality of persons and first personal information about each person. Personal information data, and second personal information data in which the identification information and second personal information related to each person are associated with each other, and the computer identifies the first and second personal information data. Performing a first encryption process on the information; and a step in which the computer further performs a second encryption process on the identification information of the first and second personal information data subjected to the first encryption process. And the computer uses the identification information included in the first and second personal information data based on the first and second personal information data whose identification information is encrypted by the second encryption unit. And a step of merging Te, the first and second encryption process, one is the encryption process reversible, and the other is an encryption process irreversible.

  According to these configurations, the analysis data is generated by merging the first and second personal information data. The analysis data corresponds to the identification information of the first and second personal information data. The first encryption process and the second encryption process are sequentially executed. Here, either the reversible encryption process or the irreversible encryption process is employed as the first and second encryption processes.

  Therefore, even if the reversible encryption algorithm and encryption key are leaked to a third party, and the third party decrypts the identification information of the analysis data using these algorithms and the encryption key, the analysis is performed. Since the identification information of the business data is subjected to reversible and irreversible encryption processing, the original identification information of the first and second personal information data before the encryption processing cannot be obtained.

  Also, an irreversible encryption processing algorithm and an identification information list including all of the identification information included in the first and second personal information data are leaked to the third party, and the third party is posted in the identification information list. Even if all the identification information is hash-converted using the obtained hash algorithm and compared with the identification information of the analysis data, the obtained hash value is decrypted corresponding to reversible encryption processing. Therefore, it is not possible to specify one having the same value as the identification information of the analysis data. Therefore, it is possible to link the first and second personal information data while protecting personal information more firmly than in the conventional method.

  (2) The irreversible encryption process is preferably a hash process.

  According to this configuration, since hash processing is used as an irreversible process, the first and second personal information data can be linked while protecting personal information more firmly.

  (3) An encryption processing unit that performs irreversible encryption processing among the first and second encryption processing units randomly selects one of the plurality of types of hash algorithms, It is preferable to perform the irreversible encryption process using the selected hash algorithm.

  According to this configuration, since the hash algorithm is selected at random, it becomes more difficult to specify the hash algorithm employed when generating the analysis data.

  (4) Among the first and second encryption processing units, the encryption processing unit that performs the reversible encryption processing is an encryption in which the encryption key used for the reversible encryption processing is written. The encryption processing unit that created the file and performed the irreversible encryption processing among the first or second encryption processing unit has a hash in which information for specifying the selected hash algorithm is written It is preferable to create a file and further cause the computer to function as a file holding unit that holds the encrypted file and the hash file.

  According to this configuration, the encrypted file in which the encryption key used for the encryption process is written and the hash file in which the information for specifying the hash algorithm is written are created. The user who linked the personal information of 2 can easily recognize the encryption key and the hash algorithm used by referring to these files.

  (5) After the processing by the merging unit is completed, it is preferable that the computer further function as a file deleting unit that deletes the encrypted file and the hash file held by the file holding unit.

  According to this configuration, when the processing by the merging unit is finished and the analysis data is generated, the encrypted file and the hash file are deleted, so that the information used when generating the analysis data is leaked. This can prevent the identification of who the personal information belongs to.

(6) The first personal information data is data managed by the first organization,
The second personal information data is preferably data managed by a second organization different from the first organization.

  According to this configuration, it is possible to link personal information data between organizations while protecting personal information more firmly than in the conventional method.

  (7) It is preferable that the first and second organizations are organizations constituting a group, and the identification information is an identification number uniquely assigned to each person in the group.

  According to this configuration, for example, the first and second encryption processes are performed on the employee number assigned to each employee in the company and the student number assigned to each student in the school. When linking personal information data managed by each department of school or school, it can be made difficult to identify who the personal information is.

  According to the present invention, since the identification information included in the analysis data is data subjected to reversible encryption processing and irreversible encryption processing, the encryption key used for the reversible encryption processing, the irreversible encryption Even if the algorithm used for the digitization process leaks to the third party, it is difficult for the third party to obtain the original identification information from the identification information of the analysis data. Therefore, it is possible to link the first and second personal information data while protecting personal information more firmly than in the conventional method.

It is a block diagram which shows the hardware constitutions of the data converter by embodiment of this invention. FIG. 2 shows a functional block diagram of the data conversion apparatus shown in FIG. 1. It is the figure which showed the flow of the data in the data converter by this Embodiment. It is a flowchart which shows operation | movement of the data converter by this Embodiment. It is a flowchart which shows operation | movement of the data converter by this Embodiment. It is the figure which showed the flow of the data for demonstrating the conventional method 1. FIG. It is the figure which showed the flow of the data for demonstrating the conventional method 2. FIG. (A) is the figure which showed the flow of the data for demonstrating the conventional method 3. FIG. (B) is a figure for demonstrating the problem of the conventional method 3. FIG.

  Hereinafter, a data conversion apparatus according to an embodiment of the present invention will be described. FIG. 1 is a block diagram showing a hardware configuration of a data conversion apparatus according to an embodiment of the present invention. The data conversion apparatus is composed of an ordinary computer or the like, and includes an input device 1, a ROM (read only memory) 2, a CPU (central processing unit) 3, a RAM (random access memory) 4, an external storage device 5, and a display device. 6 and a recording medium driving device 7. The input device 1, ROM 2, CPU 3, RAM 4, external storage device 5, display device 6, and recording medium driving device 7 are connected to an internal bus, and various data and the like are input / output via this bus, and the control of the CPU 3 is controlled. Below, various processes are executed.

  The input device 1 includes a keyboard, a mouse, and the like, and is used by a user to input various data. The ROM 2 stores a system program such as BIOS (Basic Input / Output System). The external storage device 5 is composed of a hard disk drive or the like, and stores a predetermined OS (Operating System) and a data conversion program. The CPU 3 reads the OS and the like from the external storage device 5 and controls the operation of each block. The RAM 4 is used as a work area for the CPU 3.

  The display device 6 is composed of a liquid crystal display device or the like, and displays various images under the control of the CPU 3. The recording medium driving device 7 includes a CD-ROM drive, a flexible disk drive, and the like.

  The data conversion program is stored in a computer-readable recording medium 8 such as a CD-ROM and distributed to the market. The user installs the data conversion program in the computer by causing the recording medium driving device 7 to read the recording medium 8. Alternatively, the data conversion program may be installed in a computer by storing the data conversion program in a server on the Internet and downloading it from this server.

  FIG. 2 shows a functional block diagram of the data conversion apparatus shown in FIG. The data conversion apparatus includes an operation unit 10, an acquisition unit 20, an extraction unit 30, a first encryption unit 40, a second encryption unit 50, a merge unit 60, a file deletion unit 70, a data storage unit 110, and a file storage. Section 120 and hash storage section 130.

  These functions are realized by the CPU 3 executing the data conversion program. The operation unit 10 includes the input device 1 illustrated in FIG. 1 and receives various inputs from the user. The functions of the acquisition unit 20 to the file deletion unit 70 are realized by the CPU 3, and the data storage unit 110 to the hash storage unit 130 are realized by the RAM 4 and the external storage device 5.

  The acquisition unit 20 acquires first personal information and data and second personal information data. Here, the first personal information data is configured by a relational database in which identification information uniquely assigned to each of a plurality of persons and first personal information regarding each person are associated with each other.

  The second personal information is constituted by a relational database in which the same identification information as the identification information written in the first personal information data is associated with the second personal information regarding each person.

  In the present embodiment, the first personal information data is data managed by the first organization, and the second personal information data is data managed by a second organization different from the first organization. It is.

  As the first and second organizations, organizations constituting a certain organization are adopted. In the present embodiment, a company is adopted as a certain group, but the present invention is not limited to this. If the group has a plurality of organizations such as schools and political groups, and each member belongs to one of the organizations. Any organization may be employed.

  In the present embodiment, the organization that constitutes the company is adopted as the first and second organizations, the personnel department is adopted as the first organization, and the information processing department (IT department) is adopted as the second organization. Is done.

  As the first personal information, for example, information on the health of each employee constituting the company is adopted, and as the second personal information, information on the use of each employee, for example, a personal computer is adopted. However, this is only an example, and various pieces of personal information such as age, address, hobby, and birthplace may be employed as the first personal information. Further, as the second personal information, various personal information other than the use of the personal computer, such as information on commuting time, overtime hours, information on business results, etc. may be adopted.

  As the identification information, an employee number uniquely assigned to each employee of the company is employed.

  In this embodiment, the person in charge of the personnel department causes the data conversion apparatus to generate analysis data from the first personal information data and the second personal information data, and passes it to the person in charge of the IT department. The person in charge of the IT department performs statistical processing using the analysis data.

  The acquisition unit 20 may acquire the first and second personal information data by reading the first and second personal information data stored in advance in the data storage unit 110 from the data storage unit 110. Then, by reading the first and second personal information stored in advance in the recording medium 8 from the recording medium 8, the first and second personal information data may be acquired or connected via a network. The first and second personal information data may be acquired by receiving the first and second personal information data transmitted from another computer.

  The extraction unit 30 performs pre-processing of the first encryption process, and each of the first and second personal information data according to the extraction condition input by the personnel affairs person using the operation unit 10. Extract data that satisfies the extraction condition from. Here, the extraction unit 30 may extract data according to, for example, SQL.

  FIG. 3 is a diagram showing a data flow in the data conversion apparatus according to the present embodiment. The first personal information data D1 shown in FIG. 3 indicates data that has been extracted by the extraction unit 30, and includes one record that includes a field of employee NO and a field of health status data as first personal information. Alternatively, it can be seen that a plurality of pieces are assembled.

  Further, the second personal information data D2 shown in FIG. 3 indicates data that has been subjected to extraction processing by the extraction unit 30, and a record including a field of employee NO and PC usage data as second personal information. It can be seen that one or a plurality are assembled.

  In FIG. 3, only one type of data is shown as the first and second personal information. However, this is an example, and other types of data are included as the first and second personal information. May be.

  Returning to FIG. 2, the first encryption unit 40 performs the first encryption processing on the employee NO of the first and second personal information data, and generates the first and second encrypted data. Here, as the first encryption process, a reversible encryption process that can encrypt data using the encryption key and decrypt the encrypted data using the encryption key may be adopted. it can. In the present embodiment, the first encryption unit 40 may perform a reversible encryption process using the same method as the encryption process used for encryption software such as ED. Moreover, the 1st encryption part 40 should just acquire an encryption key by making a personnel affairs officer input an encryption key using the operation part 10, for example.

  Further, the first encryption unit 40 creates an encrypted file in which the encryption key used for the first encryption process is written, and stores the encrypted file in the file holding unit 120. Further, the first encryption unit 40 stores the first and second encrypted data in the file holding unit 120.

  As a result of this first encryption processing, the employee ID of the first personal information data D1 shown in FIG. 3 is encrypted as the first encrypted data D11, and the second personal information data D2 is stored as the employee NO. Is encrypted into second encrypted data D21. In FIG. 3, it can be seen that “672351”, which is the employee number of the first and second personal information data D1, D2, is encrypted to “ab1km3”.

  Returning to FIG. 2, the second encryption unit 50 further applies a second encryption process to the employee NO of the first and second encrypted data to generate first and second hash data. Here, as the second encryption process, an irreversible encryption process can be employed, and in the present embodiment, for example, a hash process is employed.

  Here, the second encryption unit 50 randomly selects one hash algorithm from a plurality of types of hash algorithms stored in advance in the hash storage unit 130, and uses the selected hash algorithm to select the second hash algorithm. It is preferable to perform the encryption process. This makes it more difficult to specify the hash algorithm used.

  For example, hash algorithms such as MD2, MD4, MD5, and SHA-1 are stored in advance in the hash storage unit 130, and the second encryption unit 50 selects any one of these hash algorithms. One hash algorithm should be selected.

  Further, the second encryption unit 50 creates a hash file in which information for specifying the type of the selected hash algorithm is written. Further, the second encryption unit 50 stores the generated first and second hash data and the hash file in the file holding unit 120.

  As a result of this second encryption processing, employee NO is hash-transformed into the first encrypted data D11 shown in FIG. 3 to be the first hash data D12, and the second encrypted data D21 is employee NO. The hash conversion is performed to obtain the second hash data D22. In FIG. 3, it can be seen that “abkm3”, which is the employee number of the first and second encrypted data D11 and D21, has been hash-converted to “ss0912”.

  Returning to FIG. 2, the merging unit 60 merges the first and second hash data based on the employee NO to generate analysis data. Here, as shown in FIG. 3, the merging unit 60 merges the records having the same employee NO in the first hash data D12 and the second hash data D22 into one record. Analysis data D3 is generated.

  When the data for analysis is generated by the merging unit 60, the file deleting unit 70 stores the first and second encrypted data, the first and second hash data, and the encrypted file stored in the file holding unit 120. And delete the hash file.

  The data storage unit 110 stores the first and second personal information data and the analysis data generated by the merging unit 60.

  The file holding unit 120 stores an encrypted file and a hash file. Further, the file holding unit 120 stores the first and second encrypted data D11 and D21 and the first and second hash data D12 and D22. The hash storage unit 130 stores a plurality of types of hash algorithms in advance.

  Next, the operation of the data conversion apparatus shown in FIG. 2 will be described. 4 and 5 are flowcharts showing the operation of the data conversion apparatus according to this embodiment.

  First, the extraction unit 30 performs an extraction process on the first and second personal information data D1 and D2 acquired by the acquisition unit 20 according to the extraction condition input by the personnel manager (step S1). . Here, as the extraction condition, for example, personal information of employees belonging to a specific organization is extracted, or personal information of employees having an even number of employee NO is extracted.

  Next, the second encryption unit 50 randomly selects one of the hash algorithms stored in the hash storage unit 130 (step S2).

  Next, the first encryption unit 40 acquires the encryption key input by the person in charge of personnel using the operation unit 10, and creates an encrypted file in which the acquired encryption key is written (step S3). ). Next, the second encryption unit 50 creates a hash file in which the type of the hash algorithm selected in step S2 is written (step S3). Here, the created encrypted file and hash file are stored in the file holding unit 120.

  Next, the first encryption unit 40 uses the encryption key written in the encrypted file to store the employee numbers of the first and second personal information data D1, D2 that have been extracted. Is subjected to reversible encryption processing to generate first and second encrypted data D11 and D21 (step S4).

  Next, the 2nd encryption part 50 performs a hash process with respect to each of the employee NO of 1st and 2nd encryption data D11 and D12 using the hash algorithm written in the hash file. First and second hash data D12 and D22 are generated.

  Next, the merging unit 60 merges the first and second hash data D12 and D22 according to the employee number, generates analysis data D3 (step S6), and stores the data in the data storage unit 110.

  The analysis data D3 is transferred to, for example, the IT department, and a person in charge of the IT department performs various data analysis using the analysis data D3. In this case, the person in charge of the IT department performs data analysis such as the average value of PC usage time for the entire company or each department, overtime hours, and the like.

  Next, the file deletion unit 70 deletes the first and second encrypted data D11 and D12, the hash data D21 and D22, the encrypted file, and the setting file held in the file holding unit 120 (step S7). ).

  As described above, according to the data conversion apparatus according to the present embodiment, the analysis data is sequentially subjected to the first and second encryption processes for the employee numbers of the first and second personal information data. Has been generated. Here, a reversible encryption process is employed as the first encryption process, and a hash process, which is an irreversible encryption process, is employed as the second encryption process.

  Therefore, even if the reversible encryption processing algorithm and the encryption key are leaked to a third party, and the third party decrypts the employee NO of the data for analysis using these algorithms and the encryption key, Since the employee data NO of the analysis data is sequentially subjected to reversible encryption processing and hash processing, the employee NO of the original first and second personal information data before the encryption processing cannot be obtained.

  In addition, the employee NO list including all of the employee NO included in the hash algorithm and the first and second personal information data is leaked to the third party, and all employees whose third party is listed in the employee NO list Even if the member NO is hash-transformed using the obtained hash algorithm and compared with the employee NO of the analysis data, the obtained hash value is decrypted corresponding to the reversible encryption processing. Therefore, it is not possible to obtain data having the same value as the employee number in the analysis data. Therefore, it is possible to link the first and second personal information data at the same time as protecting personal information more firmly than in the conventional method.

  In addition, since the hash algorithm is selected at random, it becomes more difficult to specify the hash algorithm employed when generating the analysis data.

  In the above description, the encryption key is input by the person in charge of personnel, but the present invention is not limited to this, and the first encryption unit 40 may automatically generate the encryption key. In this case, the 1st encryption part 40 should just generate | occur | produce an encryption key by determining the digit and symbol string of a predetermined digit at random, for example.

  In the above description, the first encryption unit 40 performs reversible encryption processing, and the second encryption unit 50 executes hash processing. However, the present invention is not limited to this, and the first encryption unit The order of the reversible encryption process and the hash process may be interchanged such that 40 executes the hash process and the second encryption unit 50 performs the reversible encryption process.

  Further, in the above description, the merging unit 60 merges the first and second hash data encrypted by the second encryption unit 50, but is not limited to this, and the extraction unit 30 performs the extraction process. Merge the first and second personal information data before the first encryption is performed, or merge the first and second personal information data before the first encryption process is performed by the first encryption unit 40 May be.

DESCRIPTION OF SYMBOLS 10 Operation part 20 Acquisition part 30 Extraction part 40 1st encryption part 50 2nd encryption part 60 Merger part 70 File deletion part 110 Data storage part 120 File holding part 130 Hash storage part

Claims (9)

Identification information uniquely assigned to each of a plurality of persons, first personal information data associated with first personal information about each person, and second personal information about the identification information and each person; An acquisition unit for acquiring second personal information data associated with
A first encryption unit that performs a first encryption process on the identification information of the first and second personal information data;
A second encryption unit for further performing a second encryption process on the identification information of the first and second personal information data subjected to the first encryption process;
The first and second personal information data, whose identification information is encrypted by the second encryption unit, are merged based on the identification information contained in the first and second personal information data for analysis. Let the computer function as a merger to generate data,
One of the first and second encryption processes is a reversible encryption process, and the other is an irreversible encryption process.   The data conversion program according to claim 1, wherein the irreversible encryption processing is hash processing.   Among the first and second encryption processing units, the encryption processing unit that performs irreversible encryption processing randomly selects one of the plurality of types of hash algorithms, and selects the selected hash The data conversion program according to claim 2, wherein the irreversible encryption processing is performed using an algorithm. Of the first and second encryption processing units, the encryption processing unit that performs the reversible encryption process creates an encrypted file in which the encryption key used for the reversible encryption process is written. And
Of the first or second encryption processing unit, the encryption processing unit that has performed the irreversible encryption processing creates a hash file in which information for specifying the selected hash algorithm is written,
4. The data conversion program according to claim 3, further causing a computer to function as a file holding unit that holds the encrypted file and the hash file.   5. The data conversion program according to claim 4, further comprising: causing the computer to function as a file deletion unit that deletes the encrypted file and the hash file held by the file holding unit after the processing by the merging unit is completed. The first personal information data is data managed by a first organization,
6. The data conversion program according to claim 1, wherein the second personal information data is data managed by a second organization different from the first organization. The first and second organizations are organizations constituting a group,
7. The data conversion program according to claim 6, wherein the identification information is an identification number uniquely given to each person in the organization. Identification information uniquely assigned to each of a plurality of persons, first personal information data associated with first personal information about each person, and second personal information about the identification information and each person; An acquisition unit for acquiring second personal information data associated with
A first encryption unit that performs a first encryption process on the identification information of the first and second personal information data;
A second encryption unit for further performing a second encryption process on the identification information of the first and second personal information data subjected to the first encryption process;
A merger for merging the first and second personal information data whose identification information is encrypted by the second encryption unit based on the identification information included in the first and second personal information data; Prepared,
One of the first and second encryption processes is a reversible encryption process, and the other is an irreversible encryption process. The computer includes identification information uniquely assigned to each of the plurality of persons, first personal information data associated with the first personal information about each person, and second information about the identification information and each person Obtaining second personal information data associated with personal information;
A step of performing a first encryption process on the identification information of the first and second personal information data;
A computer further performing a second encryption process on the identification information of the first and second personal information data subjected to the first encryption process;
A step of merging the first and second personal information data whose identification information is encrypted by the second encryption unit based on the identification information included in the first and second personal information data. And
One of the first and second encryption processes is a reversible encryption process, and the other is an irreversible encryption process.

Images