JP2011039710A - Information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform management without directly joining quasi-subtle information (anonymous information) and information allowing specification of an individual (non-anonymous information) when providing various services based on the quasi-subtle information. <P>SOLUTION: An information management system includes: a first means generating peculiar user identification information to the non-anonymous information received from a user, and registering it into a first storage means; a second means registering a set of the user identification information and service identification information corresponding to a service kind into a second storage means; and a third means registering a set of the service identification information and the anonymous information corresponding to the service identification information into a third storage means. The information management system further includes: a fourth means registering a set of the user identification information and peculiar identification information generated by performing identification of the user into the second storage means; and a means receiving the peculiar identification information from the user oneself, acquiring the user identification information from the second storage means, acquiring the service identification information by the user identification information, acquiring the anonymous information based on the service identification information, and providing it to the user. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention manages non-anonymous information such as name, address, etc. separated from sensitive information (anonymous information) such as individual test results when performing health care or inspection. It relates to an information management system that can be used.

Biological information such as health management information such as height, weight, blood pressure, blood glucose level, and genetic information such as gene sequence and type, is very valuable information for knowing one's own state. However, if they are combined with personal information other than biometric information such as name, address, telephone number, and e-mail address that can identify an individual, it will be treated as sensitive information.
According to the Act on the Protection of Personal Information, “In this law,“ Personal information ”refers to information about a living individual, and identifies a specific individual based on the name, date of birth, and other descriptions contained in the information. (Including those that can be easily collated with other information, thereby identifying a specific individual). ".

  On the other hand, for sensitive information, according to JIS Q 15001, (1) Matters related to thought, creed, and religion, (2) Race, ethnicity, gate, permanent address (excluding information about the prefecture where it is located), body and spirit Disability, criminal record and other matters that cause social discrimination. (3) Matters concerning workers' right to organize, collective bargaining and other acts of collective action. (4) Matters concerning participation in group demonstrations, exercise of petition rights, and exercise of other political rights. (5) Some items such as health care and sex life are listed. There are other things that can be sensitive information (sensitive information), and genetic information, appearance, and hobbies may also be applicable, but there is currently no clear definition.

  However, leakage of sensitive information may cause serious damage to the person's social life based on the information. In addition, when personal information is acquired together with information that does not change throughout the life, such as genetic information, it may lead to providing information with a tremendous risk for individuals to businesses, and such information is handled. In particular, you need to be careful.

From this point of view, the “Guidelines for the Protection of Personal Information in the Business Fields Using Personal Genetic Information in the Economic and Industrial Fields” prohibits the acquisition or use of sensitive information, unless it is based on personal genetic information used in the business and laws. However, many local governments with personal information protection regulations have established regulations on sensitive information. The “European Parliament and EU Council Directive (EU Directive) on the protection and free distribution of individuals related to the processing of personal data” also states that “Member States are racial, ethnic, political views, religions, thoughts. , Processing of personal data that leaks information about the feelings and membership of the labor union, or data processing of health or sex life is prohibited. " As described above, since there are various restrictions on handling of sensitive information, it is not only a big burden to deal with these, but it may be difficult to provide a service using sensitive information.
As a document related to the present invention, there is the following Patent Document 1.

JP 2003-216740 A

  As described above, in order to provide a confidential and secure service using sensitive information, “personal information” and “information that becomes sensitive information when combined with personal information (quasi-sensitive information)” are separated. However, it is important to manage the data so that it is not connected. In actual operation, it is preferable to separate the first database for storing personal information from the second database for storing semi-sensitive information. In addition, by controlling the information that can be viewed for each viewer, and by preventing the connection of personal information and semi-sensitive information, it provides the necessary services without handling sensitive information that can identify individuals. It is necessary to be able to do that.

  However, when personal information and semi-sensitive information are actually separated, it may be difficult to confirm whether the individual related to semi-sensitive information is the person concerned in the face-to-face operation, etc. ) Is distributed or sold to the individual based on the personal information, there is a problem that it is difficult to deliver the personal information and the semi-sensitive information to the individual without indirectly linking them.

  The purpose of the present invention is to manage personally identifiable information (non-anonymous information) and quasi-sensitive information (anonymous information) without directly linking them when providing various services based on quasi-sensitive information It is to provide an information management system capable of

In order to achieve the above object, the information management system according to the present invention receives non-anonymous information of a user who receives a service, and then generates unique user identification information for the received non-anonymous information, First means for notifying the user and registering the set of the non-anonymous information and the user identification information in a first storage means;
Second means for registering a set of service identification information corresponding to a service type provided to a user and the user identification information in a second storage means;
A third means for registering a set of the service identification information and anonymous information corresponding to the service identification information in a third storage means;
A set of unique identification information generated by confirming the identity of the user to access the anonymous information and the user identification information is registered in the second storage means and is notified to the user. Means of
The unique identification information is received from the user himself / herself, the user identification information is obtained from the second storage means by the unique identification information, and the service identification information is obtained from the third storage means by the user identification information. Means for acquiring, anonymizing information registered in the third storage means corresponding to the service identification information, and providing it to the user.
Further, the anonymous information is sensitive information such as a health check result, and the non-anonymous information is personal information that can identify a user.
Further, the set of the unique identification information and user identification information registered in the second storage means is encrypted by a predetermined encryption means.
In addition, after receiving the non-anonymous information of the user who receives the service provision, unique user identification information is generated for the received non-anonymous information, and the user is notified and the non-anonymous information and the use First means for registering a set of person identification information in the first storage means;
Second means for registering a set of service identification information corresponding to a service type provided to a user and the user identification information in a second storage means;
A third means for registering a set of the service identification information and anonymous information corresponding to the service identification information in a third storage means;
A fourth means for generating unique identification information corresponding to the object that is the basis of the anonymous information, and registering the set of the unique identification information and the user identification information in a fourth storage means;
Fifth means for receiving the object to which the unique identification information is added and acquiring the user identification information from the fourth storage means by the unique identification information added to the received object; ,
Sixth means for acquiring the non-anonymous information from the first storage means by the acquired user identification information;
And a seventh means for sending the object to the user specified by the non-anonymous information acquired from the first storage means.
Further, the anonymous information is sensitive information such as a health check result, and the non-anonymous information is personal information that can identify a user.
Further, the set of the unique identification information and user identification information registered in the second storage means is encrypted by a predetermined encryption means.

According to the present invention, when providing various services based on semi-sensitive information, it can be managed without directly linking non-anonymous information that can identify an individual and anonymous information such as semi-sensitive information. The service in the present invention is a service for a user that receives data such as an object such as a specimen or health check result from a user, performs inspection, analysis, appraisal, evaluation, etc. on the received object or data. As provided. Specifically, there are services that examine genes and body measurement information, and services that acquire and store body measurement information via devices, etc., and access forms include one-time access and registration The form used for is considered.
In addition, the service identification information may be generated each time on the system side, or may be generated in advance, but any form may be used in the present invention.

The best mode for carrying out the present invention will be described below in detail with reference to the drawings.
FIG. 1 is a system configuration diagram showing the overall configuration of an embodiment of an information management system according to the present invention.
This system includes a subject terminal 102 composed of a personal computer used by a subject who receives a service such as physical information measurement (a user who receives a service) 101, a window organization 103 that accepts a service request (inspection request), and a test. The service providing organization 104 stores the test result data separately from the personal information such as the name of the subject.
The window organization 103 includes a window terminal 1031 and a first database 1032 for registering personal information of the subject 101.

The service providing organization 104 includes an inspection device 1041 for inspecting the specimen 1052, an information read / write device 1042 for registering a set of the inspection result and the service ID 1051 in the second database 1045, and a service ID corresponding to the user ID specified from the subject terminal 102. The information providing apparatus 1043 that retrieves the test result (anonymous information) from the second database 1045 and sends it back to the test subject terminal 102.
The subject terminal 102 includes an input device (not shown) for inputting various data, and a display device 1021 for displaying data received from the window organization 104.

Here, when the subject 101 wants to receive a service such as physical information measurement, the subject 101 offers an examination request to the staff of the window terminal 1031. Then, the attendant causes the subject 101 to operate the window terminal 1031 to input personal information such as the subject's address and name.
When the input of the personal information is completed, the window terminal 103 automatically generates unique identification information (hereinafter referred to as a user ID) for each user, displays it on the screen and notifies the subject 101, as well as the user ID and the individual. The information and the window ID are associated with each other and registered in the first database 1032.
When the user registration is completed, the attendant at the window terminal 1031 passes the sample collection instrument 105 for measuring physical information to the subject 101. Identification information (hereinafter referred to as service ID) 1051 indicating the service type is printed in advance on the sample collection device 105.
The subject stores the specimen 1052 in the specimen collection device 105 and submits it to the service providing organization 104. In the service providing organization 104, the sample collection device 105 containing the sample 1052 is transferred to the inspection apparatus 1041, and the inspection is performed.
The subject terminal 102 and the service providing organization 104 are connected via a communication network such as the Internet.

In the above configuration, the process from when the subject 101 makes a service provision request (inspection request) to when the test result is viewed on the subject terminal 102 will be described with reference to the sequence diagram of FIG.
First, the subject 101 makes an examination request for body measurement information such as his / her own gene to the window organization 103.
The staff member of the window terminal 1031 having received the inspection request causes the subject 101 to operate the window terminal 1031 and input personal information such as the address and name of the subject (step 201).
When the input of the personal information is finished, the window terminal 1031 automatically generates a user ID, displays it on the screen, notifies the subject 101, and associates the user ID with the personal information in the first database 1032. Register (step 202).
Personal information includes information such as name, address, telephone number, etc. that can identify an individual.

When the user registration is completed, the attendant at the window terminal 1031 passes the sample collection device 105 for measuring physical information to the subject 101 (step 203). A service ID 1051 for identifying the service type is printed in advance on the sample collection device 105.
The subject stores the sample 1052 in the sample collection device 105 and submits it to the service providing organization 104 (step 204).
The service providing organization 104 receives the sample collection instrument 105 and the service ID.
In the service providing organization 104, the sample collection instrument 105 containing the sample 1052 is transferred to the inspection apparatus 1041, and the inspection is performed (step 205).
The inspection device 1041 adds the service ID to the inspection result data and transfers it to the information read / write device 1042 (step 206).
The information read / write device 1042 registers the set of the inspection result and service ID in the second database 1045 (step 207).

Next, if a user ID and a service ID are input by a browsing operation (result confirmation operation) on the subject terminal 101 and transmitted to the information read / write device 1042, the same user as the input user ID is input to the input service ID. It is additionally registered in the ID group (step 209).
In this case, if a service ID group having the same user ID as the input user ID does not exist, a new group is created.

Thereafter, when registering other inspection result data of the same user ID, the service ID of the inspection result data is additionally registered in the service ID group of the same user ID.
The second database 1044 in FIG. 1 shows an example in which three service IDs are registered for one user ID.
When the registration of the service ID is completed, the information read / write device 1041 transfers the service ID to the information providing device 1043 (step 210).
The information providing apparatus 1043 searches the test result data registered in the second database 1044 in association with the same service ID as the received service ID (step 211), and transmits it to the subject terminal 102 (step 212).
The subject terminal 102 displays the received test result data on the display screen (step 213).

As described above, the test subject can sequentially add and register a plurality of types of test result data to the test result data registered first.
When browsing, if only a user ID is specified, inspection result data corresponding to all service IDs registered in association with the user ID are retrieved and displayed.
When only the service ID is designated, the inspection result data corresponding to only the service ID is retrieved and displayed.
As described above, the test result data of the user can be viewed on the subject terminal 102.

Next, a case where health guidance is requested based on test result data will be described.
FIG. 3 is a diagram showing a system configuration when the subject 101 goes to a medical institution and receives health guidance from a doctor. A doctor terminal 105 is newly added to the configuration of FIG. In FIG. 3, only the portions necessary for receiving health guidance are shown, and the other portions are omitted.
FIG. 4 is a sequence diagram showing processing of each unit when receiving health guidance.
First, the subject 101 submits a health guidance request and identification information (driver's license, health insurance card, etc.) to the window organization 103 (step 401).
Then, the person in charge at the window organization 103 confirms whether or not the person is the person based on the submitted identity confirmation data (step 402). If the person is confirmed, the ID is generated (step 403). Is printed and handed to the subject 101.
Here, the ID that has been confirmed to be the identity is generated each time the identity is confirmed, and even if it is the same person, it is desirable that the ID is randomly different each time. For example, the same ID may be used. Below, the case where different ID (random ID) is used at random every time identity verification is performed will be described.
The subject 101 gives the printed matter of the random ID and his / her user ID notified in advance to the doctor in charge of the doctor terminal 105 (step 404).

On the other hand, the window terminal 1031 transfers the user ID and random ID to the information read / write device 1402, and registers the set of user ID and random ID in the second database 1044 (step 405).
The doctor in charge opens the inspection result data browsing screen on the doctor terminal 105 (step 406), inputs the random ID printed on the printed matter and the user ID, and issues a browsing instruction.
Then, the doctor terminal 105 transfers the input random ID and user ID to the information providing apparatus 1043 (step 407).
The information providing apparatus 1043 searches the user ID registered in the second database 1044 corresponding to the input random ID (step 408), and the user ID input from the doctor terminal 105 based on the user ID of the search result. Is verified (step 409).

If the user ID input from the doctor terminal 105 is the same as the user ID registered in the second database 1044, the verification is OK, but if the user ID is different, the verification is NG.
The verification NG is a case where a printed matter with a random ID is mistaken for another person's. In that case, error information is transmitted to the doctor terminal 105, and an error message is displayed on the doctor terminal 105 (step 411).
If the verification is OK, the information providing apparatus 1043 acquires the service ID registered in the second database 1044 corresponding to the verified user ID, and the service ID (corresponding search result is displayed in the second database 1044). (Step 413), the test result data is transferred to the doctor terminal 105 (step 414) and displayed (step 415).

In this way, it is confirmed whether or not the subject 101 who requested the health instruction is the person himself / herself, a random ID generated according to the confirmation result is presented to the doctor terminal 105, and the test result data of the user himself / herself is stored in the second database. Since the search result data is displayed in the presence of the user himself / herself, the test result data is displayed in the presence of the user, and even if the user himself / herself is absent, Inspection result data cannot be viewed.
As a result, it is possible to eliminate anxiety that the inspection result data is seen by a third party in an environment where the user is not present, and to the sub-sensitive information registered in the second database 1044. Improves trust.

By the way, although the random ID generated by the window terminal 1031 is directly registered in the second database 1044 together with the user ID, it is encrypted by the encryption / decryption device 106 as shown in another embodiment of FIG. 3 When it is registered in the database 107 and read out, it can be decrypted by the encryption / decryption device 106 and returned to the information providing device 1043.
The key used for the encryption / decryption process in this case is not leaked from the encryption / decryption device 106 to the outside. As a result, even from the doctor terminal 102, the test result data cannot be accessed unless the random ID of the subject 101 is input, and the information leakage countermeasure becomes more robust.

  By the way, it is necessary to temporarily return the sample 1052 to the subject 101 for the reason that the amount of the sample 1052 submitted by the subject 101 at the service providing organization 104 is insufficient, and to provide a new sample 1052 again. There is a case.

FIG. 6 is a sequence diagram showing processing at the time of re-examination when the sample 1052 is once returned to the subject 101 and a new sample 1052 is provided again. When the sample 1052 is returned to the subject 101 once, the sample 1052 After removing the service ID attached to the storage bag, a random ID corresponding to the sample is generated (step 601), and a set of the user ID and the random ID corresponding to the sample is registered in the third database (step 602). ).

Thereafter, the random ID and the sample storage bag are transferred to the window organization 103 (step 603).
When receiving the random ID and the sample storage bag, the counter organization 103 searches the third database 107 by the random ID and acquires the user ID (step 604).
Next, the first database 1032 is searched by the user ID, personal information is acquired, and a printed matter in which the address and name in the personal information are printed is created (step 605).
Then, a printed matter on which the address and name are printed is pasted on the sample storage bag and mailed (step 606).

The subject himself / herself collects a new specimen 1052 and submits it with the user ID added to the window organization 103 (step 607).
The window organization 103 searches the third database by the user ID and acquires a random ID (step 608). Then, a random ID is added to the sample for retesting and sent to the service providing organization 104 (step 609).
The service providing organization 104 searches the third database 107 using the sent random ID and obtains the user ID (step 610).
Next, the second database 1044 is searched with the user ID, and the service ID is acquired (step 611).
Then, a service ID whose test result data is not registered is searched, and the test result data is registered in the second database 1044 in association with the service ID (step 612).

With this configuration, the service ID and user ID used in the service providing organization 104 are returned to the subject himself / herself without the knowledge of the service ID and user ID being used by a third party, and the subject himself / herself is returned to the subject. The test result data of the sample 1052 thus registered can be registered.
The random ID may not be an ID generated for each inspection request, but may be an ID that is statically assigned to an individual such as a personal identification number.
Further, the user ID and random ID registered in the third database 107 can be encrypted and written, and when read, the user ID and the random ID can be decrypted and passed to each part of the window organization 103.

  By the way, in the above embodiment, the test result data is disclosed to the subject terminal 102 via the Internet. However, the test result data is printed in a tabular form and posted at the testing organization's window. The inspection result data corresponding to the service ID known by can be viewed.

  Moreover, when browsing a test result or using service ID, it can comprise so that a user authentication may be implemented as needed whether a test subject is the regular user who registered as a user beforehand. The technique of user authentication is not limited to that using IDs or passwords, and techniques such as electronic tally and finger vein authentication may be used.

Moreover, although the example in the case of test | inspecting a sample was demonstrated, it can apply also when accepting the test result data of a medical examination and providing services, such as a doctor's health guidance data and dietary life improvement data with respect to this.
In addition, the method of providing the sample collection device and device to the user may be a method of directly applying to a service providing organization or a method of purchasing at a store or the like.

1 is a system configuration diagram showing an embodiment of an information management system according to the present invention. FIG. 2 is a sequence diagram showing the operation of each part of the system in FIG. 1. It is a block diagram of the principal part in the case of browsing test result data from a doctor terminal. It is a sequence diagram of operation of each part when browsing examination result data from a doctor terminal. It is a system block diagram which shows other embodiment of this invention comprised so that the group of random ID and user ID might be encrypted and registered in an independent database in FIG. It is a sequence diagram which shows the example of a process when the resubmission of a sample becomes necessary.

DESCRIPTION OF SYMBOLS 101 Test subject 102 Test subject terminal 103 Counter organization 104 Service providing organization 105 Sample collection instrument 106 Encryption / decryption device 107 Third database 108 Doctor terminal 1031 Counter terminal 1041 Inspection device 1032 First database 1044 Second database

Claims (6)

After receiving the non-anonymous information of the user who receives the service, the user-specific identification information is generated for the received non-anonymous information, and the non-anonymous information and the user identification are notified to the user. First means for registering a set of information in a first storage means;
Second means for registering a set of service identification information corresponding to a service type provided to a user and the user identification information in a second storage means;
A third means for registering a set of the service identification information and anonymous information corresponding to the service identification information in a third storage means;
A set of unique identification information generated by confirming the identity of the user to access the anonymous information and the user identification information is registered in the second storage means and is notified to the user. Means of
The unique identification information is received from the user himself / herself, the user identification information is obtained from the second storage means by the unique identification information, and the service identification information is obtained from the third storage means by the user identification information. An information management system comprising: means for obtaining, and obtaining anonymous information registered in the third storage means corresponding to the service identification information and providing it to a user.   The information management system according to claim 1, wherein the anonymous information is sensitive information such as a health check result, and the non-anonymous information is personal information that can identify a user.   The information management system characterized in that a set of the unique identification information and user identification information registered in the second storage means is encrypted by a predetermined encryption means. After receiving the non-anonymous information of the user who receives the service, the user-specific identification information is generated for the received non-anonymous information, and the non-anonymous information and the user identification are notified to the user. First means for registering a set of information in a first storage means;
Second means for registering a set of service identification information corresponding to a service type provided to a user and the user identification information in a second storage means;
A third means for registering a set of the service identification information and anonymous information corresponding to the service identification information in a third storage means;
A fourth means for generating unique identification information corresponding to the object that is the basis of the anonymous information, and registering the set of the unique identification information and the user identification information in a fourth storage means;
Fifth means for receiving the object to which the unique identification information is added and acquiring the user identification information from the fourth storage means by the unique identification information added to the received object; ,
Sixth means for acquiring the non-anonymous information from the first storage means by the acquired user identification information;
And a seventh means for sending the object to a user specified by the non-anonymous information acquired from the first storage means.   5. The information management system according to claim 4, wherein the anonymous information is sensitive information such as a health check result, and the non-anonymous information is personal information that can identify a user.   5. The information management system according to claim 4, wherein a set of the unique identification information and user identification information registered in the second storage means is encrypted by a predetermined encryption means.

Images