JP2014026305A - Data processing device, database system, data processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To store a large amount of data by reducing a processing load required for data analysis while protecting personal information.SOLUTION: A data distribution server device 104 stores data including three or more attributes, and selects two ore more attributes to be separated from each other as quasi-identifiers from the attributes included in the data. Then, for each quasi-identifier, the data distribution server device 104 generates partial data by combining a value of attribute which is not any of the quasi-identifiers and a value of the quasi-identifier, and stores the two or more pieces of generated partial data in different sub-DBs, respectively.

Description

  The present invention relates to a technique for dividing and storing data.

In the information system field, the amount of data handled is increasing year by year.
Along with this, there is an increasing need for technologies for storing large amounts of data and using them efficiently.
Especially for log data such as access logs and entrance / exit logs, the amount of data increases with time because the data increases every time the data is accessed and the entrance / exit of the building. Under such circumstances, A mechanism that can store all data is required.
Log data is not only stored, but can also be analyzed efficiently because it is used for analysis such as determining the number of weekly accesses and the number of people entering and leaving the room, and detecting illegal behavior such as entering and leaving the room at midnight. Such a mechanism is also required.
Furthermore, the log data may include personal information such as the name and age of the accessor.
For example, log data of an information system in a hospital may include sensitive information such as a patient name and age, a disease name, a medical history, and a family structure.
For this reason, a mechanism for appropriately protecting personal information is also required.
From such a background, in the database field for storing data, methods for efficiently analyzing data and methods for protecting personal information have been considered (for example, Patent Document 1, Patent Document 2, Patent Document 3). .

JP 2011-209974 A Japanese Patent Laid-Open No. 11-15797 Japanese Patent Laid-Open No. 07-182368

Rajeev Motwani and Ying Xu, “Efficient algorithms for masking and finding quasi-identifiers,” VLDB 2007, ACM, 2007.

In the distributed database system described in Patent Document 1, it is disclosed that personal information is protected by dividing one database into a plurality of sub-databases for each attribute and further encrypting them.
However, the distributed database system described in Patent Document 1 is configured such that data analysis can be performed only after all the encrypted encrypted data is decrypted and collected again. There is a problem of high load.
This is a particular problem in the case of the log data described above.

In addition, in the data transfer method described in Patent Document 2, the content of one database is divided into a plurality of databases while overlapping attributes partially, and data analysis is performed on each sub-database, thereby reducing the load of analysis processing. Mitigation is disclosed.
However, a method for analyzing personal information while protecting it is not disclosed, and therefore there is a problem that it cannot be used with peace of mind in a system in which personal information protection is important.

In the data processing system described in Patent Document 3, the content of one database is divided and stored in a plurality of sub-databases, and communication between databases is performed by compressing information in each sub-database during analysis. It is disclosed that the load is reduced and the processing time is shortened.
However, a method for analyzing personal information while protecting it is not disclosed, and therefore there is a problem that it cannot be used with confidence in a system in which personal information protection is important.

  The main object of the present invention is to solve these problems, and it is a main object to store a large amount of data while protecting personal information and avoiding an increase in processing load during data analysis. And

The data processing apparatus according to the present invention
A data storage unit for storing data including three or more items each having item values described therein;
An item selection unit that selects two or more items to be separated from each other as items to be separated among the items included in the data;
For each item to be separated, partial data combining the item value of the item included in the data that is not the item to be separated and the item value of the item to be separated is generated, and partial data corresponding to the number of items to be separated is generated. A partial data generation unit to generate;
And a partial data storage unit that stores two or more partial data generated by the partial data generation unit in different databases.

According to the present invention, by selecting two or more items related to personal information as items to be separated, the item values of two or more items related to personal information can be made different partial data. Can be stored in different databases.
For this reason, personal information can be protected.
In addition, detailed data analysis can be performed by combining the item value of the separation target item in the partial data and the item value of the item that is not the separation target item, and the partial data is a part of the data before the division. As a result, the processing load during data analysis can be kept low.
Further, since the partial data is distributed and stored in different databases, a large amount of data can be stored.

FIG. 3 is a diagram illustrating an example of a system configuration according to the first embodiment. FIG. 3 is a diagram illustrating a configuration example of a data distribution server device according to the first embodiment. FIG. 3 is a diagram illustrating an example of log data according to the first embodiment. FIG. 3 is a flowchart showing an operation example of the data distribution server device according to the first embodiment. FIG. 4 shows an example of partial log data according to the first embodiment. FIG. 4 shows an example of partial log data according to the first embodiment. FIG. 4 is a flowchart showing an operation example of the partial analysis apparatus according to the first embodiment. FIG. 6 shows an example of a partial analysis result according to the first embodiment. FIG. 3 is a diagram illustrating a hardware configuration example of the data distribution server device according to the first embodiment.

Embodiment 1 FIG.
In the present embodiment, a configuration in which a large amount of data can be stored in the database field, a processing load at the time of data analysis can be reduced, and personal information can be protected will be described.

In the present embodiment, in order to facilitate the explanation, a case where the present invention is applied to a log management system in a hospital will be described.
However, other systems may of course be used.

  First, the system configuration in the present embodiment will be described with reference to FIG.

In FIG. 1, a data management target system 100 is an abstract representation of a system that is a target of data management.
This is, for example, the entire hospital information system.
Inside the data management target system 100, there are a file server device 101 for storing data files such as electronic medical records, and an entrance / exit management server device 102 for managing entrance / exit of doctors and nurses to / from a hospital. The server is connected to a data collection server device 103 that collects log data of each server device.
The data collection server device 103 is connected to the data distribution server device 104.
Here, the data distribution server device 104 is a server device that performs processing of dividing and storing log data including personal information such as an access log and an entrance / exit log into a plurality of sub-databases according to a method described later.
The data distribution server device 104 corresponds to an example of a data processing device.

In FIG. 1, a data distributed storage analysis system 110 is a system that performs distributed storage of log data and analysis of log data.
This is, for example, a cloud service provider system commissioned by a hospital.
The data distributed storage analysis system 110 is divided into a plurality of data distributed storage analysis subsystems.
Each subsystem includes a sub-database (sub-DB) 111 that stores divided log data and a partial analysis device 114 that performs partial analysis of log data.
The data distributed storage analysis system 110 includes an analysis result totaling server device 117.
The analysis result totaling server device 117 is a server device that totals the partial analysis results obtained in each subsystem and collects the analysis results as the entire log data.
The data distributed storage analysis system 110 corresponds to an example of a database system.

In FIG. 1, a data monitoring system 120 is an abstract representation of a system for monitoring log data.
This is, for example, an information system department in a hospital.
Within the data monitoring system 120, a regular report is created from the analysis results, and suspicious behaviors of doctors and nurses based on the analysis results (for example, browsing the electronic records of celebrities who should not be in charge) Or the like.

  In the following, the data distribution server device 104, the partial analysis devices 114 to 116, and the analysis result totaling server device 117 will be mainly described.

  Next, an internal configuration example of the data distribution server device 104 will be described with reference to FIG.

In FIG. 2, an identifier / quasi-identifier determination unit 201 determines attributes (items) called identifiers and quasi-identifiers in the data.
The identifier / quasi-identifier determination unit 201 corresponds to an example of an item selection unit.
Details of the identifier / quasi-identifier determination unit 201 will be described later.
The identifier and quasi-identifier will also be described in detail in the description of the typical data example in FIG.

The data dividing unit 202 divides the data based on the determination by the identifier / quasi-identifier determining unit.
The data division unit 202 corresponds to an example of a partial data generation unit.
Details of the data dividing unit 202 will also be described later.
The data after being divided by the data dividing unit 202 is referred to as partial data or partial log data.

The identifier encryption unit 203 encrypts a part called an identifier among the divided data.
The identifier encryption unit 203 corresponds to an example of a concealment unit.
Details of the identifier encryption unit 203 will also be described later.

  The data storage unit 204 stores data that is a source of data division.

The input unit 205 inputs data stored in the data storage unit 204 from the data collection server device 103.
The input unit 205 inputs an instruction command from a system administrator or the like.

The output unit 206 stores the plurality of partial data divided by the data dividing unit 202 in different sub-DBs in the data distributed storage analysis system 110, respectively.
The output unit 206 corresponds to an example of a partial data storage unit.

  Next, an example of typical data will be described with reference to FIG.

FIG. 3 is an example of log data 301 in a log management system in a hospital.
Data consists of three or more attributes (items).
In FIG. 3, the log data 301 includes “date and time”, “doctor ID”, “operation history”, and “operation result”, among which “operation result” is “patient name” and “age” in more detail. , "Ward", "sick name".
A row is added each time the doctor performs some operation.
For example, a row is added by browsing or filling in an electronic medical record.

In FIG. 3, “Patient Name” is information (ID (Identifier) value) that can uniquely identify a patient.
For example, “Ichiro Suzuki” in hospitals often refers to only one person.
Of course, there is a possibility that there is a person with the same surname and the same name.
In this way, an attribute (item) that can uniquely identify an individual is called an identifier.
That is, “patient name” is an identifier.
An attribute (item) treated as an identifier corresponds to an ID value item.
An attribute (item) treated as an identifier is an item to be concealed and corresponds to an item to be concealed.

On the other hand, in FIG. 3, “age”, “ward”, and “disease name” are not information that can uniquely identify a patient alone.
For example, a 51-year-old patient is considered to have multiple patients in a medium-sized hospital, two hospital wards usually have multiple patients, and lung cancer patients are also medium-sized. It is thought that there are multiple hospitals.
However, when these combinations, that is, for example, a 51-year-old patient in two buildings, can be information that can uniquely identify the patient.
Similarly, patients with lung cancer in two buildings can be information that can uniquely identify the patient.
Similarly, a 51-year-old lung cancer patient can be information that can uniquely identify a patient.
In this way, an attribute that can uniquely identify an individual by itself but can be combined to uniquely identify an individual is called a quasi-identifier.
That is, “age”, “ward”, and “disease name” are quasi-identifiers.
The value of the quasi-identifier is a characteristic value that represents the characteristic of the patient targeted by the identifier “patient name”.
In addition, since attributes (items) treated as quasi-identifiers may be uniquely specified if they are included in the same data, they should be managed separately from each other.
Attributes (items) treated as quasi-identifiers correspond to characteristic value items and separation target items.

In FIG. 3, information other than identifiers and quasi-identifiers, that is, date / time, doctor ID, and operation history are not information that can uniquely identify a patient.
Such information is called other attributes.
Here, the doctor ID cannot uniquely identify the patient, but can uniquely identify the doctor.
However, the subject of protection of personal information is a patient. Therefore, here, only the patient's unique identification is focused on, and the doctor's unique identification is not focused. Treat as an attribute.
As described above, how to determine an identifier, a quasi-identifier, and other attributes depends on the personal information of interest.
Note that attributes (items) treated as other attributes correspond to normal items.

Next, a procedure for distributing and storing data as shown in FIG. 3 in a plurality of sub-databases on the data distribution server device 104 will be described with reference to FIG.
As a premise, it is assumed that the data has already been acquired through the data collection server device 103 in the format shown in FIG.
That is, it is assumed that the input unit 205 of the data distribution server device 104 inputs the log data 301 from the data collection server device 103, and the data storage unit 204 stores the log data 301 in the format of FIG.

  FIG. 4 is a flowchart for explaining the procedure for distributing and storing log data as shown in FIG. 3 in a plurality of sub-databases on the data distribution server device 104.

In FIG. 4, first, in step S401, the identifier / quasi-identifier determination unit 201 determines an identifier and a quasi-identifier among the attributes of the data in FIG.
This can be done either mechanically or by a person such as a system administrator.
A method for mechanical determination is described in Non-Patent Document 1, for example, and is omitted here.
On the other hand, a method designated by a person such as a system administrator is determined and designated based on the attribute of actual data.
The type of attribute is determined at the time of designing the data management target system 100, and what information should not be uniquely specified depends on the personal information focused on as described above. Therefore, it is determined and specified in consideration of the actual usage.

Next, in step S402, the data dividing unit 202 creates partial log data including only other attributes and identifier 1 in the data.
In the example of FIG. 3, partial log data (first partial data) including only “date and time”, “doctor ID”, “operation history”, and “patient name” is created.

Next, in step S403, the data dividing unit 202 creates partial log data (second partial data) including only other attributes and quasi-identifier 1 among the data.
In the example of FIG. 3, partial log data including only “date and time”, “doctor ID”, “operation history”, and “age” is created.
This is repeated for each quasi-identifier, and in step S405, the data dividing unit 202 creates partial log data (second partial data) including only other attributes and identifier 3 in the data.
In the example of FIG. 3, partial log data including only “date and time”, “doctor ID”, “operation history”, and “disease name” is created.

Next, in step S406, the identifier encryption unit 203 encrypts the identifier.
That is, the identifier value in the partial log data generated in step S402 is encrypted.
It is assumed that the encryption key at this time is managed in the data management target system 100.

Finally, in step S407, the output unit 206 transmits each partial log data to each sub database.
That is, the output unit 206 stores each partial data in different sub-databases.

As described above, in the data distribution server device 104, the identifier / quasi-identifier determination unit 201 selects an attribute to be concealed among the attributes included in the log data 301 as an identifier, and two or more to be separated from each other. Attribute as a quasi-identifier.
The data dividing unit 202 generates partial data (first partial data) in which other attributes and identifiers are combined.
In addition, the data dividing unit 202 generates partial data (second partial data) that combines other attributes and the quasi-identifier for each quasi-identifier.
Further, the identifier encryption unit 203 encrypts the identifier value.
Then, the output unit 206 stores the two or more partial data generated in this way in different sub-databases.

Although FIG. 4 shows a case where there is only one identifier, when there are a plurality of identifiers, step S402 may be repeated for the number of identifiers to create partial data for the number of identifiers.
Moreover, it is good also as a structure which regards the whole several identifier as one identifier, performs once only like FIG. 4, and produces one big partial data.
If the former configuration is adopted, the data monitoring system administrator can change the encryption key for each type of identifier to detect a doctor's suspicious behavior on the data monitoring server device 121 and perform further tracking as described later. There is an advantage that the information disclosed in the above can be finely controlled.
Further, the latter configuration has an advantage that the number of sub-databases can be reduced.

  FIG. 5 is a diagram showing an example of partial data created by the process of FIG.

In FIG. 5, the “patient name” is an identifier, and thus the value is encrypted.
Also, the quasi-identifier information has been removed.
The partial log data 501 is stored in, for example, the sub-database 1 by the process of FIG.

  FIG. 6 is a diagram showing an example of partial data similarly created by the process of FIG.

In FIG. 6, in each partial data, only one quasi-identifier appears in addition to the other attributes.
4, for example, the partial log data 601 is stored in the sub database 2, the partial log data 602 is stored in the sub database 3, and the partial log data 603 is stored in the sub database 4.

Next, an example of a partial analysis method in the partial analysis apparatuses 114, 115, and 116 will be described with reference to FIG.
Hereinafter, the operation of the partial analyzer 114 will be described, but the operations of the partial analyzers 115 and 116 are also the same.

  FIG. 7 is a flowchart showing a partial analysis procedure in the partial analysis apparatus 114.

In FIG. 7, the partial analysis device 114 first specifies an identifier, a quasi-identifier, and other attributes in step S701.
Since this is already specified at the time of data distribution on the data distribution server device 104, an identifier, a quasi-identifier, and other attribute information received from the data distribution server device 104 in advance are used.
Next, in step S702, the partial analyzer 114 determines whether a quasi-identifier is included.
If a quasi-identifier is included, statistical information is extracted from the combination of other attributes and quasi-identifiers in step S703.
If the quasi-identifier is not included, the partial analyzer 114 extracts statistical information from other attributes in step S704.
In step S705, the partial analysis device 114 transmits the extracted statistical information to the analysis result totaling server device 117, and the process ends.

In the procedure of FIG. 7, the statistical information extraction method in step S703 and step S704 differs depending on the data contents and the request of the administrator of the data monitoring system 120.
FIG. 8 is a diagram showing an example of the extraction result of the statistical information.

In FIG. 8, in the partial analysis result 801 of the subsystem 1, the number of operations and operation types for each doctor in 12/03/26 pm are obtained as statistical information from the doctor ID and the operation history.
This is obtained by extracting necessary lines from the “date and time” attribute in the partial log data of FIG. 5 and then obtaining statistics from “doctor ID” and “operation history”.
In the partial analysis result 802 of the subsystem 2, the number of hospitalized patients on 12/03/26 pm is obtained as statistical information.
This is because, in the partial log data 601 in FIG. 6, necessary lines are extracted based on the “date and time” attribute, “chart creation” is further narrowed down from “operation history”, and the inpatient age is extracted from “age”. Can be obtained.
In the partial analysis result 803 of the subsystem 3, the number of times the medical charts of each ward and the patients in the ward are viewed are obtained as statistical information.
This is obtained by extracting a necessary line by the “date and time” attribute in the partial log data 602 of FIG. 6 and viewing the “ward” attribute.
In the partial analysis result 804 of the subsystem 4, the doctor ID and the disease type of the patient in charge are obtained as statistical information.
This is obtained by extracting necessary lines from the “date and time” attribute in the partial log data 603 of FIG. 6 and then obtaining statistics from the “doctor ID” and “disease name”.

  The partial analysis results as shown in FIG. 8 obtained by the procedure of FIG. 7 are aggregated by the analysis result aggregation server device 117 and sent to the data monitoring server device 121.

In the data monitoring server device 121, the following can be understood from the received partial analysis result.
On 12/03/26 pm, four doctors browse and create medical records.
There is only one hospitalized patient in his 70s.

Further, in the data monitoring server device 121, for example, the following can be understood from the received partial analysis result.
In this hospital, it is assumed that a medical practice such as browsing an electronic medical record usually at midnight does not occur.
In this case, it can be seen from the partial analysis result 1 that the doctor “FG82096” performed unauthorized browsing twice on 12/03/26 pm.
In addition, this doctor “FG82096” is supposed to be in charge of patients with heart disease, but if this doctor “FG82096” was originally a psychiatric doctor, this history should be more and more original It becomes clear that it is not medical practice.

As described above, when an illegal behavior is found, the administrator of the data monitoring system 120 can further investigate by collecting log data of the date and time from each sub-database.
Further, by receiving a key stored in the data management target system 100 and decrypting the data of the identifier, it is possible to further check the patient name.

The system according to the present embodiment has been described above.
With the above configuration, a large amount of data can be stored because large data as shown in FIG. 3 is divided into small partial data as shown in FIGS. 5 and 6 and stored in a plurality of sub-databases. There is an effect.

  In addition, each sub-database only needs to analyze only small partial data to obtain statistical information, so that it is possible to reduce the processing load during data analysis.

Moreover, the analysis result totaling server apparatus totals statistical information, not the partial data itself.
For this reason, the amount of communication in the data distributed storage analysis system is small.
Therefore, there is an effect that the amount of communication at the time of data aggregation can be reduced.

  Further, fine data analysis can be performed by combining the quasi-identifier value in the partial data with the values of other attributes.

  Further, in each sub-database, the identifier is encrypted, and the quasi-identifier is divided, so that it is not possible to uniquely identify an individual with only partial data, so that personal information can be protected.

The embodiments of the present invention have been described above.
However, the present invention is not limited to this embodiment, and it will be apparent to those skilled in the art that various applications are possible.
For example, a configuration may be adopted in which a subsystem is further provided below the subsystem, or a configuration in which a plurality of subsystems are integrated within a range where the quasi-identifier does not lead to identification of an individual.
In addition, the data management target system collects data from both the file server device and the entry / exit management server device and then distributes the data. However, each server device independently stores the data in the data distribution storage analysis system. It is good.

In the description of the present embodiment, the case where the present invention is applied to a log management system in a hospital has been described for ease of explanation.
However, the range of applications such as log management systems in factories and log management systems in buildings is extremely wide.
It is obvious to those skilled in the art that the present invention can be applied not only to the log management system but also to a general data management system.

Finally, a hardware configuration example of the data distribution server device 104 shown in the present embodiment will be described.
FIG. 9 is a diagram showing an example of hardware resources of the data distribution server device 104 shown in the present embodiment.
The configuration in FIG. 9 is merely an example of the hardware configuration of the data distribution server device 104, and the hardware configuration of the data distribution server device 104 is not limited to the configuration described in FIG. There may be.

In FIG. 9, the data distribution server device 104 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an SSD (Solid State Drive), an optical disk device, or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The “data storage unit 204” described in the present embodiment is realized by the RAM 914, the magnetic disk device 920, and the like.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

The communication board 915 is connected to the network.
For example, the communication board 915 is connected to a LAN (local area network), the Internet, a WAN (wide area network), a SAN (storage area network), and the like.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the data distribution server device 104 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores programs for executing functions described as “˜unit” (except for “data storage unit 204” in the following) in the description of the present embodiment. The program is read and executed by the CPU 911.

In the description of the present embodiment, the file group 924 includes “determination of”, “generation of”, “creation of”, “encryption of”, “setting of”, and “selection of”. , Information, data, signal values, and variable values indicating the results of the processing described as “input of”, “output of”, etc. are stored as files on a storage medium such as a disk or memory.
The encryption key / decryption key, random number value, and parameter may be stored as a file in a storage medium such as a disk or memory.
The “˜file” and “˜database” are stored in a storage medium such as a disk or a memory.
Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit.
The read information, data, signal value, variable value, and parameter are used for CPU operations such as extraction, search, reference, comparison, calculation, calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowchart described in this embodiment mainly indicate input / output of data and signals.
Data and signal values are recorded on a storage medium such as a memory of the RAM 914, a flexible disk of the FDD 904, a compact disk of the CDD 905, a magnetic disk of the magnetic disk device 920, other optical disks, a Blu-ray (registered trademark) disk, and a DVD.
Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

In addition, what is described as “˜unit” in the description of the present embodiment may be “˜circuit”, “˜device”, “˜device”, and “˜step”, “˜”. “Procedure” and “˜Process” may be used.
That is, the “data processing method” according to the present invention can be realized by the steps, procedures, and processes shown in the flowchart described in the present embodiment.
Further, what is described as “˜unit” may be realized by firmware stored in the ROM 913.
Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware.
Firmware and software are stored as programs in a storage medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, and a DVD.
The program is read by the CPU 911 and executed by the CPU 911.
In other words, the program causes the computer to function as “to part” of the present embodiment. Alternatively, the procedure or method of “˜unit” in the present embodiment is executed by a computer.

As described above, the data distribution server device 104 shown in the present embodiment includes a CPU that is a processing device, a memory that is a storage device, a magnetic disk, a keyboard that is an input device, a mouse, a communication board, and a display device that is an output device, and a communication board. Etc. are computers provided with the above.
Then, as described above, the functions indicated as “˜units” are realized using these processing devices, storage devices, input devices, and output devices.

  100 data management target system, 101 file server device, 102 entrance / exit management server device, 103 data collection server device, 104 data distribution server device, 110 data distributed storage analysis system, 111 sub DB1, 112 sub DB2, 113 sub DBn, 114 Partial analysis device, 115 Partial analysis device, 116 Partial analysis device, 117 Analysis result totaling server device, 120 Data monitoring system, 121 Data monitoring server device, 201 Identifier / quasi-identifier determination unit, 202 Data division unit, 203 Identifier encryption unit 204 Data storage unit 205 Input unit 206 Output unit

Claims (9)

A data storage unit for storing data including three or more items each having item values described therein;
An item selection unit that selects two or more items to be separated from each other as items to be separated among the items included in the data;
For each item to be separated, partial data combining the item value of the item included in the data that is not the item to be separated and the item value of the item to be separated is generated, and partial data corresponding to the number of items to be separated is generated. A partial data generation unit to generate;
A data processing apparatus comprising: a partial data storage unit that stores two or more partial data generated by the partial data generation unit in different databases. The data storage unit
An ID value item in which an ID (Identifier) value is described is included, and two or more characteristic value items in which a characteristic value representing the characteristic of the target object is described in the ID value of the ID value item. Remember the data contained,
The item selection unit includes:
The data processing apparatus according to claim 1, wherein each of the characteristic value items is selected as a separation target item. The item selection unit includes:
An item whose item value should be concealed is selected as an item to be concealed from items included in the data, and two or more items from items other than the item to be concealed among items included in the data are selected. Select as the item to be separated,
The partial data generation unit
Generating partial data combining the item value of the normal item and the item value of the concealment target item that is neither the concealment target item or the separation target item among the items included in the data as the first partial data,
For each separation target item, partial data combining the item value of the normal item and the item value of the separation target item is generated as second partial data, and second partial data corresponding to the number of separation target items is generated. ,
The data processing device further includes:
A concealment unit for concealing the item value of the concealment target item;
The partial data storage unit
The first partial data after the item value of the item to be concealed is concealed and two or more second partial data are stored in different databases, respectively. The data processing apparatus described in 1. The item selection unit includes:
Two or more items may be selected as items to be concealed,
The partial data generation unit
When two or more items are selected as a concealment target item by the item selection unit, first part data is generated for each concealment target item, and the first part corresponding to the number of concealment target items is generated. Generate data,
The concealment unit
When two or more items are selected as a concealment target item by the item selection unit, conceal the item value of each concealment target item,
The partial data storage unit
Two or more first partial data after the item value of each concealment target item is concealed and two or more second partial data are stored in different databases, respectively. The data processing apparatus according to claim 3. The data storage unit
An ID value item in which an ID (Identifier) value is described is included, and two or more characteristic value items in which a characteristic value representing the characteristic of the target object is described in the ID value of the ID value item. Remember the data contained,
The item selection unit includes:
The data processing apparatus according to claim 3 or 4, wherein the ID value item is selected as a concealment target item, and each of the characteristic value items is selected as a separation target item.   6. A database system comprising a plurality of databases for distributing and storing the partial data according to claim 1. The database system further includes:
A plurality of partial analysis devices arranged for each database and analyzing partial data stored in the target database;
The database system according to claim 6, further comprising an analysis result totaling server device that collects analysis results from the plurality of partial analysis devices and outputs the collected analysis results to a predetermined external device. A computer that stores data including three or more items each having item values described therein,
An item selection step of selecting two or more items to be separated from each other as items to be separated among the items included in the data;
For each item to be separated, partial data combining the item value of the item included in the data that is not the item to be separated and the item value of the item to be separated is generated, and partial data corresponding to the number of items to be separated is generated. A partial data generation step to generate;
A partial data storage step of storing two or more partial data generated by the partial data generation unit in different databases, respectively. In a computer that stores data including three or more items each having item values described therein,
An item selection step of selecting two or more items to be separated from each other as items to be separated among the items included in the data;
For each item to be separated, partial data combining the item value of the item included in the data that is not the item to be separated and the item value of the item to be separated is generated, and partial data corresponding to the number of items to be separated is generated. A partial data generation step to generate;
A program for executing a partial data storage step of storing two or more partial data generated by the partial data generation unit in different databases.

Images