JP2015170169A - Personal information anonymization program and personal information anonymization device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a personal information anonymization technic allowing a user to correctly determining the usefulness of an anonymized data by providing the information loss ratio significant for the user.SOLUTION: The personal information anonymization program sets a boundary between a part of the personal information on which a simple anonymization is made and a part on which the simple anonymization is not made, and calculates information loss ratio by using the former as a reference.

Description

  The present invention relates to a technique for anonymizing personal information.

  With the development of cloud computing and distributed processing technology, it has become possible to analyze and utilize a large amount of data accumulated by companies and organizations so far in a realistic time. On the other hand, in many cases, these data include information that can identify an individual such as a name and address, and information about an individual that cannot be identified, such as age, occupation, and educational background. For example, this includes medication data for patients in the medical field and personal purchase history in the distribution field. Such information is called personal information. When using personal information, there is a concern about privacy infringement, so it is necessary to consider privacy protection.

  The anonymization technique is a technique for preventing leakage of privacy by performing processing such as obscuration on part or all of personal information. Anonymization technology can be broadly divided into two types: simple anonymization and integrated anonymization. Simple anonymization is used to obscure information about individuals in records, such as the removal and replacement of personal information such as health insurance insurer numbers and names, and rounding of age and date information. However, it is generally not quantitatively guaranteed whether or not personal identification is truly lost from data obtained by simply anonymizing personal information. Integrated anonymization blurs information about an individual so that an index indicating whether or not the individual's identity is lost satisfies a predetermined condition.

  It is said that it is not sufficient to protect privacy by simply deleting personal information defined by the Personal Information Protection Law. For example, in the medical field, an individual may be identified by combining attributes such as the age, residence area, occupation, and sex of a patient that cannot be identified by themselves. Such attributes that can be identified by combining them are called quasi-identifiers. k anonymization is a typical technique of integrated anonymization, and attribute values are made ambiguous so that k or more combinations of the same quasi-identifier appear in personal information (referred to as anonymization threshold). For example, the attribute value combination of “31 years old, Kanagawa Prefecture, system engineer” is obscured as “30s, Kanagawa Prefecture, IT”. k anonymization uses a data structure called a generalized hierarchy that obfuscates attribute values of quasi-identifiers of personal information.

  Patent Document 1 below discloses a technique for obtaining a generalized hierarchy that theoretically minimizes information loss by generating a generalized hierarchy using the frequency of appearance of attribute values of quasi-identifiers of personal information. .

WO2011145401 gazette

  Whether or not the information loss due to the k anonymization is acceptable for the user can be determined by presenting the information loss rate due to the k anonymization to the user, for example. At this time, depending on the value presented to the user, the user may not be able to correctly determine whether or not the information loss rate is appropriate. The reason for this will be described below.

  When anonymizing personal information, first anonymization is performed after simple anonymization. That is, in the anonymization of personal information, the anonymization is usually performed after the personal information is deleted or cut off, the date or numerical items are rounded. Therefore, depending on the reference point for calculating the information loss rate, the information may appear to be excessively damaged from the viewpoint of the user, or the anonymization may appear to be insufficient.

  The present invention has been made in view of the above situation, and by providing an information loss rate that is meaningful to the user, the user can correctly determine the usefulness of the anonymized data. The purpose is to provide information anonymization technology.

  The personal information anonymization program of this invention sets the boundary between the part which implements simple anonymization with respect to personal information, and the part which does not implement, and calculates an information loss rate on the basis of the former.

  According to the personal information anonymization program according to the present invention, since the information loss rate is calculated based on the result of filtering unnecessary information by executing simple anonymization in advance, an information loss rate meaningful to the user is presented. can do. Thereby, the user can judge the usefulness of anonymization data more correctly.

It is a figure which shows the structure of a personal information anonymization apparatus. It is a screen image of the anonymization main screen 300 which the reception part 200 displays. It is a screen image of the anonymization object data acquisition screen 400. FIG. It is a flowchart explaining the procedure which takes in the anonymization object data 241 via the anonymization object data acquisition screen. It is a screen image of the simple anonymization execution screen 500. 5 is a diagram illustrating an example of a setting gadget 561. FIG. 5 is a diagram illustrating an example of a setting gadget 561. FIG. 5 is a diagram illustrating an example of a setting gadget 561. FIG. 5 is a diagram illustrating an example of a setting gadget 561. FIG. It is a flowchart explaining the procedure of implementing simple anonymization via the simple anonymization execution screen 500. It is a screen image of k anonymization setting screen 600. FIG. 12 is a flowchart for explaining a procedure for setting parameters relating to k anonymization via a k anonymization setting screen 600. 7 is a screen image of a generalized hierarchy editing screen 700. It is a screen image of k anonymization execution screen 800. 10 is a flowchart illustrating a procedure for executing k anonymization via a k anonymization execution screen 800. It is a screen image of the anonymization data output screen 900. FIG. 10 is a flowchart illustrating a procedure for outputting anonymized data 246 via an anonymized data output screen 900. It is a screen image of the calculation setting screen 1000. This is a description example of the calculation definition file 1100. It is a class diagram explaining the implementation rule of the calculation class which implements the procedure which calculates the amount of information. 10 is a flowchart illustrating a procedure for registering a custom calculation class using a calculation setting screen 1000. It is a flowchart explaining the procedure in which the information loss rate calculation part 239 calculates the information amount of each data. It is a figure which shows the structural example of the anonymization management data 243. FIG. It is a figure which shows the structural example of the anonymization attribute management data 244. FIG. It is a figure which shows the structural example of the anonymization object data 241. FIG. 6 is a diagram illustrating a configuration example of generalized hierarchical data 247. FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. However, it should be noted that this embodiment is merely an example for realizing the present invention, and does not limit the technical scope of the present invention. In the present embodiment, questionnaire data is assumed as the anonymization target data, but is not limited thereto.

  FIG. 1 is a diagram showing a configuration of a personal information anonymization apparatus according to the present invention. The personal information anonymization device includes a reception unit 200, a calculation definition setting unit 210, an anonymization device 230, and an information management device 240. The accepting unit 200 is a user interface that instructs the user to set or execute anonymization. The calculation definition setting unit 210 is a user interface that allows a user to define a method for calculating information loss that occurs with anonymization. These devices and functional units are connected by a network 220.

  The anonymization device 230 includes a control unit 231, a data capturing unit 232, a simple anonymization unit 233, a k anonymization unit 234, a k anonymization setting unit 235, a generalized hierarchy editing unit 236, an information amount calculation setting unit 237, and anonymity. A data output unit 238 and an information loss rate calculation unit 239.

  The control unit 231 is an arithmetic function unit that receives a user operation and performs each process. The data capturing unit 232 captures anonymization target data and sets name, attribute information, and the like. The simple anonymization unit 233 performs simple anonymization. The k anonymization unit 234 anonymizes the anonymization target data 241 and outputs it as anonymization data 246. The k anonymization setting unit 235 sets k anonymization parameters to be performed on the data after simple anonymization. The generalized hierarchy editing unit 236 edits and stores the generalized hierarchy of the quasi-identifier specified by the user. The information amount calculation setting unit 237 sets an information amount calculation method based on the setting received by the calculation definition setting unit 210. The anonymized data output unit 238 outputs k anonymized data to a file. The information loss rate calculation unit 239 calculates the information loss rate based on the setting by the information amount calculation setting unit 237.

  The information management device 240 is configured using a storage device such as a hard disk device, and includes anonymization target data 241, calculation origin data 242, anonymization management data 243, anonymization attribute management data 244, simple anonymization data 245, and anonymization. Data 246 and generalized hierarchical data 247 are stored.

  The anonymization target data 241 is original personal information before anonymization processing. The calculation starting point data 242 is data serving as a reference point for calculating the information loss rate. The anonymization management data 243 holds metadata such as a table name for storing an anonymization result and k anonymization setting parameters. The anonymization attribute management data 244 is setting data regarding the attribute information of the anonymization target data 241, the quasi-identifier designation for the attribute, the information amount calculation method, and the like. The simple anonymization data 245 is data obtained by performing simple anonymization on the anonymization target data 241. The anonymization data 246 is data obtained by performing k anonymization on the simple anonymization data 245. The generalized hierarchy data 247 is data defining a generalized hierarchy used in k anonymization.

  The accepting unit 200 may be implemented as, for example, a Web page, or may be implemented as a client server application using SWT (Swing Talkit), which is a Java graphical user interface component. The anonymization device 230 can be implemented by, for example, mounting each functional unit other than the control unit 231 as a software module, and the control unit 231 executing the same, or a similar function can be realized by hardware such as a circuit device. It can also be realized by mounting. The information management device 240 can be implemented, for example, in the form of a relational database, a key-value type distributed database, or the like.

<Reception unit 200>
FIG. 2 is a screen image of the anonymization main screen 300 displayed by the reception unit 200. The anonymization main screen 300 includes a data menu 310, an anonymization menu 320, and a screen display area 330. The data menu 310 is an operation menu that handles data input / output. The anonymization menu 320 is an operation menu that instructs setting and execution of anonymization. The screen display area 330 displays a sub-screen according to the selection contents of each menu.

  The data menu 310 includes a menu 311 for importing the anonymization target data 241 and a menu 312 for outputting the anonymization data 246 as a file. The anonymization menu 320 includes a menu 321 for instructing to execute simple anonymization, a menu 322 for instructing to set a parameter for k anonymization, a menu 323 for starting editing of the generalized hierarchy, and an execution of k anonymization. It has a menu 324 for indicating.

<Anonymization target data capture screen 400>
FIG. 3 is a screen image of the anonymization target data capture screen 400. When the user selects the menu 311 in FIG. 2, the reception unit 200 displays the anonymization target data capture screen 400 in the screen display area 330. The user captures the original data of the anonymization target data 241 using the anonymization target data capture screen 400, and the data name, column information included in the data, columns to be analyzed, information on each column to be analyzed Set the amount calculation method. Each item on the screen will be described in conjunction with FIG.

  FIG. 4 is a flowchart for explaining a procedure for fetching the anonymization target data 241 via the anonymization target data fetch screen 400. Hereinafter, each step of FIG. 4 will be described.

(FIG. 4: Steps S401 to S402)
The user selects the menu 311 (capture) from the data menu 310 of the anonymization main screen 300 (S401). The accepting unit 200 displays the anonymization target data capture screen 400 in the screen display area 330 (S402).

(FIG. 4: Step S403)
The user inputs a data name 410, a data file 420, and column information 430 on the anonymization target data capture screen 400. The data name 410 is a name arbitrarily given to distinguish the data to be captured. The data file 420 is a path name of a data file describing personal information to be imported. The column information 430 is a column for displaying and editing columns included in the data file. The data file 420 may be specified by, for example, opening a file dialog and selecting a data file to be imported.

(FIG. 4: Step S403: Details of the column information 430)
The column information 430 includes a column name 431, a type 432, and an analysis target designation 433. When the captured data file is, for example, a CSV (Comma Separated Value) file, the data file itself describes only raw data and does not describe column attributes. Therefore, the user designates the attribute information on the column information 430 and notifies the anonymization device 230. The column name 431 is the name of each column. A type 432 is a data type of each column. The analysis target designation 433 designates whether or not each column is to be analyzed. An information amount calculation method 434 and a coefficient 435 are further specified for the column for which the analysis target specification 433 is turned on. The information amount calculation method 434 is a field for designating a method for calculating the amount of information included in each column. In addition to the default calculation method, a custom calculation method set via the calculation definition setting unit 210 can be selected. it can. The procedure for specifying the custom calculation method will be described later. The coefficient 435 is a coefficient used in the anonymization process, and specifies a positive real number.

(FIG. 4: Steps S404 to S405)
When the user presses the capture button 440 after inputting each information, the reception unit 200 transmits the data name 410, the main body of the data file 420, and the column information 430 to the anonymization device 230, and the control unit 231 receives them. (S404). The data capturing unit 232 stores the main body of the data file 420 as the anonymization target data 241 (S405).

(FIG. 4: Step S406)
The data capture unit 232 writes the values input on the anonymization target data capture screen 400 in the anonymization management data 243 and the anonymization attribute management data 244. The configuration of these data will be described later. In this step, only the table name and data name are written in the anonymization management data 243, and column information is written in the anonymization attribute management data 244 using the same table name as the anonymization management data 243. As the table name, a name that is unique for the entire personal information anonymization apparatus is automatically set. The same applies to other table names.

(FIG. 4: Steps S407 to S408)
The data fetch unit 232 notifies the control unit 231 of the completion of processing (S407). The control unit 231 notifies the reception unit 200 of the completion of processing via the network 220 (S408).

<Simple anonymization execution screen 500>
FIG. 5A is a screen image of the simple anonymization execution screen 500. When the user selects the menu 321 in FIG. 2, the receiving unit 200 displays the simple anonymization execution screen 500 in the screen display area 330. Using the simple anonymization execution screen 500, the user sets parameters related to simple anonymization and executes simple anonymization based on the setting. Each item on the screen will be described in conjunction with FIG.

  5B to 5E are diagrams illustrating an example of a setting gadget 561 described later. Items that can be set in the setting gadget 561 differ for each simple anonymization method. However, in any method, the point to specify the column to which the method is applied is common.

  FIG. 6 is a flowchart illustrating a procedure for performing simple anonymization via the simple anonymization execution screen 500. Hereinafter, each step of FIG. 6 will be described.

(FIG. 6: Steps S601 to S602)
The user selects the menu 321 from the anonymization menu 320 of the anonymization main screen 300 (S601). The accepting unit 200 displays the simple anonymization execution screen 500 in the screen display area 330 (S602).

(FIG. 6: Step S603)
The user inputs the input data name 510. The input data name 510 may be selected from “data names” stored in the anonymization management data 243. The user inputs the name of data to be output as a result of simple anonymization in the output data name 520. The user selects an anonymization method to be applied in simple anonymization from the anonymization method 540 and presses the add button 550. The setting gadget 561 of the selected simple anonymization method is added to the anonymization setting 560.

(FIG. 6: Step S603: Details of Setting Gadget 561)
The setting gadget 561 is a GUI (Graphical User Interface) for setting parameters regarding each simple anonymization method. By clicking the title part of the setting gadget 561, the setting target can be switched. The anonymization method 540 includes a boundary 564 in addition to each anonymization method, and one (or a plurality) can be added to the anonymization setting 560. The calculation starting point data 242 is data obtained as a result of performing simple anonymization from the first column of the anonymization target data 241 to the column before being delimited by the boundary 564. The user can change the order of each anonymization setting and the boundary 564 using the upper button 562 and the lower button 563. When deleting each anonymization setting, the setting gadget 561 to be deleted is selected and the delete button 551 is pressed. When the user completes the setting related to simple anonymization, the user presses the execution button 570.

(FIG. 6: Steps S604 to S605)
The receiving unit 200 transmits a command for instructing to execute simple anonymization to the anonymization device 230 via the network 220 together with the setting parameters input by the user on the simple anonymization execution screen 500. (S604). The control unit 231 receives the command and the setting parameter, and delivers them to the simple anonymization unit 233 (S605).

(FIG. 6: Step S606)
In accordance with the order in which the setting gadget 561 is displayed, the simple anonymization unit 233 performs simple anonymization on the column in the anonymization target data 241 set before the boundary 564, and calculates the result as the calculation origin data. Store as 242. The calculation starting point data 242 is stored in a database table format. The simple anonymization unit 233 writes the table name as the starting table name of the anonymization management data 243.

(FIG. 6: Step S607)
In accordance with the order in which the setting gadget 561 is displayed, the simple anonymization unit 233 performs simple anonymization processing on the columns in the calculation origin data 242 set after the boundary, and uses the result as simple anonymization data. Stored as H.245. The simple anonymization data 245 is stored in a database table format. The simple anonymization unit 233 writes the table name and the data name input on the simple anonymization execution screen 500 as the simple anonymization table name and the simple anonymization data name of the anonymization management data 243, respectively.

(FIG. 6: Step S608)
The information loss rate calculation unit 239 calculates the information loss rate by obtaining the information amounts of the calculation origin data 242 and the simple anonymization data 245, respectively. The information amount calculation procedure will be described later. The information loss rate is obtained by the following formula.

(FIG. 6: Steps S609 to S611)
The simple anonymization unit 233 notifies the control unit 231 of the information loss rate (S609). The control unit 231 notifies the information loss rate to the reception unit 200 via the network 220 (S610). The receiving unit 200 displays the received information loss rate in the processing result of the simple anonymization execution screen 500: the information loss rate 530 (S611).

  The significance of the calculation starting point data 242 will be described. For example, it is assumed that the anonymization target data 241 holds information related to an individual occupation, and the occupation is finely classified according to the type of business. At this time, the analyst does not need to classify the detailed business types included in the anonymization target data 241 and may need a coarser classification level. At this time, if the amount of information is calculated based on the anonymization target data 241, it may appear as if the amount of information is greatly impaired more than the analyst expects. From the analyst's point of view, what is needed is information about the industry at a rough classification level, so even if the industry is generalized to that level, it is appropriate to think that there is no information loss. By calculating the information loss rate on the basis of the calculation starting point data 242, the information loss rate appropriate for the analyst is calculated starting from a state in which the necessary and sufficient level of information is secured from the viewpoint of the analyst. Can do.

<K anonymization setting screen 600>
FIG. 7 is a screen image of the k anonymization setting screen 600. When the user selects the menu 322 in FIG. 2, the reception unit 200 displays the k anonymization setting screen 600 in the screen display area 330. The user uses the k anonymization setting screen 600 to set parameters related to k anonymization. Each item on the screen will be described in conjunction with FIG.

  FIG. 8 is a flowchart for explaining a procedure for setting parameters relating to k anonymization via the k anonymization setting screen 600. Hereinafter, each step of FIG. 8 will be described.

(FIG. 8: Steps S801 to S802)
The user selects the menu 322 from the anonymization menu 320 of the anonymization main screen 300 (S801). The accepting unit 200 displays the k anonymization setting screen 600 in the screen display area 330 (S802).

(FIG. 8: Step S803)
The user inputs the processing target data name 610. The processing target data name 610 may be selected from “simple anonymized data names” stored in the anonymization management data 243. The user inputs k anonymization threshold 620 (an integer of 2 or more). The user selects a column to be used as a quasi-identifier by a check box of the quasi-identifier 634, and inputs a priority 635 for the selected column. The serial number 631, the name 632, and the mold 633 are read-only. The priority order 635 is a priority order for storing values before anonymization processing when k anonymization is executed. In other words, when replacing values by the generalized hierarchy, quasi-identifiers that want to make the number of hierarchy levels to be transitioned as small as possible are specified in order of priority. The value of the quasi-identifier is an integer greater than or equal to 1, and the lower the value, the higher the priority. When the user inputs all values, the user presses the setting button 640.

(FIG. 8: Step S804)
The receiving unit 200 transmits an instruction to record the setting parameters to the anonymization device 230 via the network 220 together with the setting parameters input by the user on the k anonymization setting screen 600. To do. The control unit 231 receives the command and the setting parameter, and passes them to the k anonymization setting unit 235.

(FIG. 8: Step S805)
The k anonymization setting unit 235 writes the k anonymization setting parameters input by the user on the k anonymization setting screen 600 in each data. Specifically, it is as follows. The k anonymization threshold 620 is written in the k value of the anonymization management data 243. For the column selected by the quasi-identifier 634, the priority 635 is written in the priority of the anonymized attribute management data 244. For columns not selected by the quasi-identifier 634, 0 (zero) is written in the priority order of the anonymized attribute management data 244.

(FIG. 8: Step S806)
The generalized hierarchy editing unit 236 automatically generates a generalized hierarchy for the column selected by the semi-identifier 634 and writes it as generalized hierarchy data 247. As a specific procedure, for example, the technique disclosed in Patent Document 1 can be used.

(FIG. 8: Steps S807 to S808)
The k anonymization setting unit 235 notifies the control unit 231 of the completion of k anonymization setting (S807). The control unit 231 notifies the accepting unit 200 of the completion of the k anonymization setting via the network 220 (S808).

<Generalized hierarchy editing screen 700>
FIG. 9 is a screen image of the generalized hierarchy editing screen 700. When the user selects the menu 323 in FIG. 2, the receiving unit 200 displays the generalized hierarchy editing screen 700 in the screen display area 330. Using the generalized hierarchy editing screen 700, the user edits the generalized hierarchy 247 so as to obtain anonymized data 246 suitable for analysis, and stores it again in the generalized hierarchy data 247.

<K anonymization execution screen 800>
FIG. 10 is a screen image of the k anonymization execution screen 800. When the user selects menu 324 in FIG. 2, reception unit 200 displays k anonymization execution screen 800 in screen display area 330. The user executes k anonymization using the k anonymization execution screen 800 and outputs the result as anonymized data 246. Each item on the screen will be described in conjunction with FIG.

  FIG. 11 is a flowchart illustrating a procedure for executing k anonymization via the k anonymization execution screen 800. Hereinafter, each step of FIG. 11 will be described.

(FIG. 11: Steps S1101 to S1102)
The user selects the menu 324 from the anonymization menu 320 of the anonymization main screen 300 (S1101). The accepting unit 200 displays the k anonymization execution screen 800 in the screen display area 330 (S1102).

(FIG. 11: Step S1103)
The user inputs a processing target data name 810. The processing target data name 810 can be selected from “simple anonymized data names” held in the anonymization management data 243. The user inputs the data name 820 of the anonymized data 246 to be output and presses the execution button 840.

(FIG. 11: Step S1104)
The receiving unit 200 instructs the anonymization device 230 to instruct to perform k anonymization together with the processing target data name 810 and the output data name 820 input on the k anonymization execution screen 800 by the user. Transmit via the network 220. The control unit 231 receives the command and each data name, and delivers it to the k anonymization unit 234.

(FIG. 11: Step S1105)
The k anonymization unit 234 specifies a record whose simple anonymized data name matches the processing target data name 810 from among the records of the anonymization management data 243. The k anonymization unit 234 calculates a combination of layers in the generalized hierarchy that satisfies the k value (k anonymization threshold) of the record.

(FIG. 11: Step S1106)
The k anonymization unit 234 creates a record in which the attribute value of the quasi-identifier of the simple anonymization data 245 is replaced according to the calculated combination, and writes it in the anonymization data 246. A combination of layers in the generalized hierarchy that satisfies the k anonymization threshold can be obtained using a known technique. Anonymized data 246 is stored in a database table format. The k anonymization unit 234 writes the table name and the output data name 820 input on the k anonymization execution screen 800 as the anonymization table name and the anonymization data name of the anonymization management data 243, respectively.

(FIG. 11: Step S1107)
The information loss rate calculation unit 239 calculates the information loss rate by obtaining the information amounts of the calculation starting point data 242 and the anonymized data 246, respectively. The information amount calculation procedure will be described later. The information loss rate is obtained by the following formula.

(FIG. 11: Steps S1108 to S1110)
The k anonymization unit 234 notifies the control unit 231 of the information loss rate (S1108). The control unit 231 notifies the information loss rate to the reception unit 200 via the network 220 (S1109). The accepting unit 200 displays the received information loss rate in the processing result of the k anonymization execution screen 800: information loss rate 830 (S1110).

<Anonymized data output screen 900>
FIG. 12 is a screen image of the anonymized data output screen 900. When the user selects the menu 312 in FIG. 2, the receiving unit 200 displays the anonymized data output screen 900 in the screen display area 330. Using the anonymized data output screen 900, the user outputs anonymized data 246 (for example, CSV format) for which k anonymization has been completed. Each item on the screen will be described in conjunction with FIG.

  FIG. 13 is a flowchart for explaining the procedure for outputting the anonymized data 246 via the anonymized data output screen 900. Hereinafter, each step of FIG. 13 will be described.

(FIG. 13: Steps S1301 to S1303)
The user selects the menu 312 from the data menu 310 of the anonymization main screen 300 (S1301). The accepting unit 200 displays the anonymized data output screen 900 in the screen display area 330 (S1302). The user inputs the output target data name 910 and presses the output button 920 (S1303). The output target data name 910 may be selected from the name of the anonymized data 246 for which k anonymization has been completed.

(FIG. 13: Step S1304)
The receiving unit 200 transmits a data output command to the anonymization device 230 via the network 220 together with the output target data name 910 input on the anonymized data output screen 900 by the user. The control unit 231 receives the command and the output target data name 910 and passes them to the anonymized data output unit 238.

(FIG. 13: Steps S1305 to S1307)
The anonymized data output unit 238 reads the record of the anonymized data 246 designated by the output target data name 910 and outputs the file (S1305). The anonymized data output unit 238 returns the output file to the control unit 231 (S1306). The control unit 231 transfers the file received from the anonymized data output unit 238 to the reception unit 200 via the network 220 (S1307).

(FIG. 13: Step S1308)
The accepting unit 200 receives the transferred file and opens a file save dialog on the anonymized data output screen 900. The user designates a file save destination on the file save dialog. The accepting unit 200 saves the file with the specified file name.

<Calculation setting screen 1000>
FIG. 14 is a screen image of the calculation setting screen 1000. The calculation definition setting unit 210 can be implemented as a Web application, for example, as with the receiving unit 200. The calculation definition setting unit 210 provides a calculation setting screen 1000. The calculation setting screen 1000 is a screen used for registering a custom calculation module that implements a procedure for calculating the amount of information. Each item on the screen will be described in conjunction with FIG.

<Calculation definition file 1100>
FIG. 15 is a description example of the calculation definition file 1100. The calculation definition file 1100 is a text file that describes the name of the information amount calculation method and the Java class name that implements the calculation method. The name of the calculation method is obtained by concatenating the name of the calculation method 1010 input on the calculation setting screen 1000 to “anonymize.calculation.class.”. The Java class that implements the calculation method implements an ICalculator interface, which will be described later, and is described with a fully qualified name.

<Calculation class implementation rules>
FIG. 16 is a class diagram for explaining an implementation rule of a calculation class that implements a procedure for calculating an information amount. The calculation class needs to implement an ICalculator interface that defines a method for calculating the amount of information. This interface has a method calculate. This method receives the table name and column name as arguments, calculates the information amount of the table: column specified by the argument, and returns it as a double-precision floating point number. The DefaultCalculator class is a class that implements a predetermined calculation method after implementing the ICalculator interface. For columns that are not designated to use the custom calculation method, the information amount calculation setting unit 237 calculates the information amount by using the DefaultCalculator class.

<Operation of calculation setting screen 1000>
FIG. 17 is a flowchart illustrating a procedure for registering a custom calculation class using the calculation setting screen 1000. Hereinafter, each step of FIG. 17 will be described.

(FIG. 17: Steps S1701 to S1702)
The user inputs a calculation method name 1010, a calculation module 1020, and a calculation class name 1030 (S1701). The calculation method name 1010 is an identification name of the custom calculation method, and corresponds to the information amount calculation method 434. The calculation module 1020 is a jar file including a Java class that implements a calculation method. The calculation class name 1030 is a fully qualified name of the Java class that includes the calculation method and is included in the jar file. The user inputs each item and presses the registration button 1040 (S1702).

(FIG. 17: Step S1703)
The calculation definition setting unit 210 transfers each item to the anonymization device 230 via the network 220. The information amount calculation setting unit 237 adds the file specified by the calculation module 1020 to the Java class library of the anonymization device 230.

(FIG. 17: Step S1704)
The information amount calculation setting unit 237 adds an entry to the calculation definition file 1100. The key of the entry is anonymous. calculation. class. <Calculation method name 1010>. The value of the entry is a calculation class name 1030.

(FIG. 17: Steps S1705 to S1706)
The information amount calculation setting unit 237 notifies the control unit 231 of the completion of processing (S1705). The control unit 231 notifies the calculation definition setting unit 210 of the completion of processing via the network 220 (S1706).

<Custom calculation class implementation example>
Hereinafter, an implementation example of the method “calculate” of the CustomCalculator class will be described. For example, in the medical field, age is a meaningful item for analysis, and thus can be considered as an information amount calculation target. On the other hand, when considering the simple anonymization that rounds off the numerical value of the age, the number of values that the numerical value of the age takes after the simple anonymization is about 1/10 of that before the anonymization. If the amount of information is calculated under these conditions, information loss may become too large. Therefore, consider an information amount that incorporates the age error before and after anonymization into the information amount. From the viewpoint of the growth of the body, the error is considered to be smaller as the age increases even with the same age difference, so the following information amount can be considered using the reciprocal of age. The log in this equation is a logarithmic function with 2 as the base, but any real number exceeding 1 may be used as the base as long as it is unified throughout the personal information anonymization apparatus.

<Procedure for calculating the amount of information>
FIG. 18 is a flowchart for explaining a procedure by which the information loss rate calculation unit 239 calculates the information amount of each data. Hereinafter, each step of FIG. 18 will be described.

(FIG. 18: Step S1801)
The information loss rate calculation unit 239 obtains the information amount calculation method for each column from the anonymized attribute management data 244. For example, when calculating the amount of information for the anonymized data 246, the table name storing the calculation target data is obtained from the anonymized management data 243 using the table name of the corresponding anonymized data 246 as a key, and the table name As a key, a record is acquired from the anonymized attribute management data 244.

(FIG. 18: Steps S1802 to S1803)
The information loss rate calculation unit 239 initializes the information amount value to 0 (S1802). The information loss rate calculation unit 239 performs Steps S1804 to S1807 for each column acquired from the anonymized attribute management data 244 (S1803).

(FIG. 18: Steps S1804 to S1805)
The information loss rate calculation unit 239 reads the table name, attribute name, calculation method, and coefficient from the record of the anonymized attribute management data 244 (S1804). The information loss rate calculation unit 239 acquires the fully qualified name of the class implementing the calculation method from the calculation definition file 1100 using the calculation method read in step S1804 as a key (S1805).

(FIG. 18: Step S1806)
The information loss rate calculation unit 239 acquires an instance of a custom calculation class that implements the ICalculator interface using the fully qualified name of the class acquired in step S1805.

(FIG. 18: Step S1807)
The information loss rate calculation unit 239 passes the table name and attribute name acquired in step S1804 to the instance, and obtains a calculation result. The information loss rate calculation unit 239 adds a value obtained by multiplying the result by the coefficient acquired in step S1804 to the current information amount value.

(FIG. 18: Step S1808)
The information loss rate calculation unit 239 returns the final information amount value after the loop processing from step S1804 to step S1807 is completed.

<Table configuration>
FIG. 19 is a diagram illustrating a configuration example of the anonymization management data 243. Each data such as the anonymization target data 241 is preferably stored in a table format of a relational database for convenience of processing. Each functional unit of the anonymization device 230 automatically generates a unique table name for storing these data, and stores each data in the table. The anonymization management data 243 is used for managing which data is stored in which table.

  FIG. 20 is a diagram illustrating a configuration example of the anonymized attribute management data 244. The anonymization attribute management data 244 is a table for managing parameters set on the anonymization target data capture screen 400 and the k anonymization setting screen 600.

  FIG. 21 is a diagram illustrating a configuration example of the anonymization target data 241. Here, the data format after being stored in the table format is illustrated. The calculation starting point data 242, the simple anonymization data 245, and the anonymization data 246 have the same configuration. The configuration of these tables differs depending on the number of columns of data to be captured.

  FIG. 22 is a diagram illustrating a configuration example of the generalized hierarchy data 247. As illustrated in FIG. The generalized hierarchy data 247 is data for recording the configuration of the generalized hierarchy exemplified in FIG.

  The present invention is not limited to the embodiments described above, and includes various modifications. The above embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to the one having all the configurations described.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized in hardware by designing a part or all of them, for example, with an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  In the present embodiment, an example in which only one boundary 564 is added has been described, but a plurality of boundaries 564 may be set. In this case, for example, on the simple anonymization execution screen 500, a column that is the target of the calculation origin data 242 and a column that is not so may be selected.

  200: reception unit, 210: calculation definition setting unit, 230: anonymization device, 231: control unit, 232: data capture unit, 233: simple anonymization unit, 234: k anonymization unit, 235: k anonymization setting 236: Generalized hierarchy editing unit 237: Information amount calculation setting unit 238: Anonymized data output unit 239: Information loss rate calculation unit 240: Information management device 241: Anonymization target data 242: Calculation Origin data, 243: Anonymized management data, 244: Anonymized attribute management data, 245: Simple anonymized data, 246: Anonymized data, 247: Generalized hierarchical data.

Claims (6)

A program for causing a computer to execute processing for anonymizing personal information, wherein the computer
A simple anonymization step for outputting simple anonymization data obtained by performing simple anonymization on the personal information;
K anonymization step for outputting k anonymization data obtained by performing k anonymization on the simple anonymization data;
Information amount calculation setting step for setting a reference point for calculating a loss rate of information lost by carrying out anonymization,
An information loss rate calculating step for calculating the loss rate;
And execute
In the information amount calculation setting step, in the computer,
In the personal information, in the simple anonymization step, the boundary between the portion that performs simple anonymization and the portion that does not perform is set as the reference point,
In the information loss rate calculating step, the computer
When calculating the loss rate in the k anonymization step, between the information amount of the calculation origin data obtained by carrying out simple anonymization according to the reference point and the information amount of the k anonymization data The personal information anonymization program characterized by calculating said loss rate based on a ratio. In the information loss rate calculating step, the computer
When calculating the loss rate in the simple anonymization step, the amount of information of the calculation origin data and the simple anonymization obtained by performing simple anonymization on the entire personal information regardless of the boundary The personal information anonymization program according to claim 1, wherein the loss rate is calculated based on a ratio between the amount of data information. The simple anonymization data or the k anonymization data has one or more columns,
The personal information anonymization program is stored in the computer.
The personal information anonymization program according to claim 1, wherein a calculation procedure defining step for defining a procedure for calculating an information amount of the simple anonymization data or an information amount of the k anonymization data is executed for each column. . In the calculation procedure definition step, the computer
4. The personal information according to claim 3, wherein an instruction to specify a custom calculation program module that implements the procedure for each column is received and a step of reflecting the custom calculation program module in the procedure is executed according to the instruction. Anonymization program. The personal information anonymization program includes a calculation program module that implements a process for calculating the information amount of the simple anonymization data or the information amount of the k anonymization data,
The calculation program module implements a program interface for calling a process for calculating the information amount of the simple anonymized data or the information amount of the k anonymized data, and a process for executing a prescribed calculation procedure via the program interface. A default calculation program module, and
In the calculation procedure definition step, the computer
The custom calculation program in which the processing for calculating the information amount of the simple anonymization data or the information amount of the k anonymization data is implemented via the program interface is used instead of the default calculation program module. The personal information anonymization program according to claim 4. A device for anonymizing personal information,
A simple anonymization unit that outputs simple anonymization data obtained by performing simple anonymization on the personal information;
K anonymization unit that outputs k anonymization data obtained by performing k anonymization on the simple anonymization data;
An information amount calculation setting unit that sets a reference point for calculating a loss rate of information that is impaired by anonymization,
An information loss rate calculation unit for calculating the loss rate,
With
The information amount calculation setting unit sets, as the reference point, a boundary between a portion of the personal information where the simple anonymization unit performs simple anonymization and a portion where it is not performed,
The information loss rate calculation unit
When calculating the loss rate by the k anonymization unit, between the information amount of the calculation origin data obtained by carrying out simple anonymization according to the reference point, and the information amount of the k anonymization data The personal information anonymization device, wherein the loss rate is calculated based on a ratio.

Images