JP2016146123A - Management apparatus, control method thereof, information processing apparatus, control method thereof, personal number management system, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide access control on personal information associated with a personal number.SOLUTION: A personal number management system includes: a management server 106 for managing a personal number or the like; and an enterprise system 102 that requests the management server for a personal number, to form a document. The management server registers a personal number of a user and a purpose of use, in association with the user, and stores reference right to refer to the purpose of use and the personal number, of an operator of the enterprise system that requests a personal number of the user associated with the document. The enterprise system transmits authentication information of the operator and an operation instruction of the document including the user and the kind of the document associated with the user, to the management server, displays a document forming screen to be transmitted from the management server when the document coincides with the purpose of use of the user and includes personal information and a personal number of the user. When the document includes the personal information and the personal number of the user, the system controls output of the personal number of the user in the document formed in accordance with the reference right of the operator.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a management apparatus and its control method, an information processing apparatus and its control method, a personal number management system, and a program.

  Conventionally, when a company submits a form (statutory record, etc.) relating to an employee to an administrative institution or the like, a form is created by filling in each employee's information. Along with the introduction of the My Number system that assigns numbers to identify each individual person in the nation, it is required to fill in the personal number on each employee's form submitted to the administrative body. The personal number embedded in the form is highly confidential information for identifying an individual, and it is necessary to prevent leakage. Furthermore, the flow related to the creation of forms varies from company to company, and the flow created by a plurality of departments (for example, accounting department, personnel department, etc.) is different, and as a result, there are many flows. It is desirable for companies not to disclose personal numbers of employees in one department to other departments that do not need to disclose it. Patent Document 1 proposes a technique for controlling access to personal information according to the provisions of elements of usable personal information set for each user when specific personal information is detected.

JP 2013-242782 A

  However, in the above-described prior art, access control according to the relationship between a plurality of pieces of personal information is not considered. For example, if a personal number that must be filled in when creating a form is leaked along with general personal information associated with it (for example, name, address, name of dependents, etc.), serious personal information will be leaked. . On the other hand, a personal number is not a meaningful number by itself. Therefore, some customers who introduce a system using a personal number have a need to control access to the personal number only when coexisting with personal information associated with the personal number. Furthermore, depending on the company, a plurality of departments (accounting department, human resources department, etc.) may create forms, and there is a flow in which a form including a personal number is referred to by a plurality of departments. However, as mentioned above, it is desirable not to disclose the personal number to other departments that do not need to be disclosed. Realizing access control to information is an issue.

  An object of the present invention is to solve the above-described problems of the prior art.

  A feature of the present invention is to provide a technique for realizing protection of personal information when a form including both a user's personal number and personal information is operated.

In order to achieve the above object, a personal number management system according to an aspect of the present invention comprises the following arrangement. That is,
A personal number management system including at least a management server for managing personal numbers and a company system for requesting a personal number from the management server and creating a form;
The management server
Registration means for registering the user's personal number and the purpose of use of the personal number in association with the user;
Storage means for storing a purpose of use corresponding to an operator of the enterprise system that requests a personal number of a user related to a form and a reference authority for the personal number;
When the operator of the enterprise system instructs the operation of the form related to the user, it is determined whether or not the form matches the purpose of use corresponding to the operator and includes the personal information and personal number of the user. A determination means;
When the determination means determines that the form matches the purpose of use of the user and includes the user's personal information and personal number, screen information for operating the form is stored in the storage means. Providing means for providing the enterprise system together with the reference authority of
The corporate system is
A first transmitting means for transmitting to the management server an instruction to operate the form including the operator authentication information and the type of form associated with the user and the user;
Display means for receiving the screen information transmitted from the management server in response to the instruction and displaying a form creation screen;
Control means for controlling the output of the user's personal number in the form created via the form creation screen according to the reference authority of the operator when the form includes personal information and personal number of the user; It is characterized by having.

  According to the present invention, it is possible to realize protection of personal information by a form in which personal information exists in association with a personal number.

  Other features and advantages of the present invention will become apparent from the following description with reference to the accompanying drawings. In the accompanying drawings, the same or similar components are denoted by the same reference numerals.

The accompanying drawings are included in the specification, constitute a part thereof, show an embodiment of the present invention, and are used to explain the principle of the present invention together with the description.
The figure explaining the structure of the personal number management system containing the personal number management server (management apparatus) which concerns on embodiment of this invention. The block diagram explaining the hardware constitutions of the enterprise system which concerns on embodiment, a client, and a management server. 1 is a block diagram showing a hardware configuration of an image forming apparatus according to an embodiment. FIG. 3 is a functional block diagram illustrating functions of an image forming apparatus, a corporate system, a client, and a management server according to the embodiment. The figure which shows an example of the template of the form data with a command stored in the form storage part of the company system which concerns on embodiment. The flowchart explaining the process at the time of registering employee information from the enterprise system which concerns on embodiment to a management server. 9 is a flowchart for explaining a processing flow until a user (employee) operates an image forming apparatus and registers the personal number of the user in a management server in the embodiment. The flowchart explaining the registration process of S711 of FIG. 6 is a flowchart for explaining an approval work by an approver executed between the client and the management server according to the embodiment. The flowchart explaining the flow of a process when the enterprise system which concerns on embodiment uses the personal number registered into the management server. 11 is a flowchart for explaining a form creation / editing process performed in response to the form creation / editing instruction in S1013 of FIG. 12 is a flowchart for describing S1102 form display processing in FIG. 11. 12 is a flowchart for explaining the form printing process in S1015 of FIG. 14 is a flowchart for describing personal information management processing in S1202 in FIG. 12 and S1302 in FIG. 15 is a flowchart for explaining personal information handling determination processing in S1401 of FIG. 12 is a flowchart for explaining personal number acquisition processing in S1105 of FIG. The flowchart explaining the process regarding the personal number in the management server which concerns on embodiment. 18 is a flowchart for explaining personal number provision processing in S1704 of FIG. FIG. 4A is a diagram illustrating an example of a login screen displayed on the image forming apparatus or the client according to the embodiment, and FIG. 6 is a diagram showing an example of a screen displayed when an instruction to register a personal number is given by the image forming apparatus according to the embodiment. FIG. The figure which shows an example of the approval request screen displayed with the client which concerns on embodiment. The figure which shows an example of the login screen displayed on the display part of the enterprise system which concerns on embodiment (A), and the figure which shows the example of a screen for the operator of an enterprise system to select the operation | work using a personal number (B) . The figure which shows an example of the form operation screen displayed by the company system which concerns on embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the present invention according to the claims, and all combinations of features described in the embodiments are not necessarily essential to the solution means of the present invention. .

  FIG. 1 is a diagram illustrating a configuration of a personal number management system including a personal number management server (management apparatus) according to an embodiment of the present invention.

  In this system, an image forming apparatus (image processing apparatus) 101, a corporate system 102, and a client 103 exist in an intranet 104, and these communicate with a personal number management server 106 (hereinafter, management server) via the Internet 105. Here, the apparatuses 101 to 103 of the intranet 104 communicate with the management server 106 via a browser or a dedicated application. The management server 106 has a Web service that conforms to a protocol such as HTTP or SOAP. In this Web service, personal number provisional registration from the image forming apparatus 101, employee information registration and personal number acquisition from the corporate system 102, and personal number authorization for approving the personal number from the client 103 are performed. Accept registration contents acquisition request. Although not shown, the management server 106 has a database system and a file system for storing various data.

  FIG. 2 is a block diagram illustrating a hardware configuration of the enterprise system 102, the client 103, and the management server 106 according to the embodiment. The enterprise system 102, the client 103, and the management server 106 can be configured by hardware of a general information processing apparatus (so-called PC). Therefore, FIG. 2 shows a typical configuration example, and this configuration is common to the enterprise system 102, the client 103, and the management server 106.

  In FIG. 2, the CPU 201 executes a boot program stored in the program ROM of the ROM 203 and develops an OS (operation system) and applications from the external memory 210 such as a hard disk to the RAM 202. In this way, the CPU 201 functions as each processing unit (FIG. 4) that executes processing of each flowchart described later by executing these programs developed in the RAM 202. A RAM 202 is a main memory of the CPU 201, and provides a work area in addition to the program storage area. A keyboard controller 404 controls operation inputs from a keyboard 208 and a pointing device (not shown) (touch pad, touch panel, trackball, etc.). The display control unit 205 controls display on the display unit 209. The disk controller 206 controls access to an external memory 210 such as a hard disk (HD) or a flexible disk (FD) that stores various data. A network controller (NC) 207 is connected to the network and executes communication control with other devices connected to the network.

  FIG. 3 is a block diagram illustrating a hardware configuration of the image forming apparatus 101 according to the embodiment.

  The image forming apparatus 101 includes a control unit 301, an operation unit 304, an authentication unit 305, a NIC 306, an image reading unit 307, a printing unit 308, and a storage unit 312. The control unit 301 includes a CPU 309, a RAM 310, and a ROM 311, controls the entire image forming apparatus 301, and includes an image processing unit 303 that processes image data. The operation unit 304 includes, for example, a soft keyboard, a touch panel, and other input / output devices, and can input and display various setting values. The CPU 309 executes programs such as programs stored in the ROM 311 and applications developed from the storage unit 312 to the RAM 310. A RAM 310 is a main memory of the CPU 309 and provides a work area of the CPU 309 and the like. The image reading unit 307 includes, for example, a scanner and acquires image data of a paper document that is electronic data by reading a paper document (original, document) or the like. The control unit 301 outputs the image data stored in the storage unit 312 to the operation unit 304 for display. Similarly, the control unit 301 can output the image data stored in the storage unit 312 to the printing unit 308 for printing. The printing unit 308 prints an image according to the image data. Further, the image forming apparatus 101 is connected to a network via the NIC 306 so that data can be transmitted / received to / from the network. Data obtained via the NIC 306 can also be displayed on the operation unit 304.

  FIG. 4 is a functional block diagram illustrating functions of the image forming apparatus 101, the corporate system 102, the client 103, and the management server 106 according to the embodiment.

  First, functions of the image forming apparatus 101 will be described.

  The screen display unit 401 displays the markup language (ML) (screen information) acquired from the management server 106 via the communication unit 402 and the information received from the user by the input reception unit 403 on the display unit of the operation unit 304. . The communication unit 402 communicates with the management server 106 and performs login to the management server 106 and provisional registration processing of a personal number. The communication unit 402 receives a print job sent from the company system 102. The document scanning unit 405 reads the document using the image reading unit 307. The document image data read by the document scanning unit 405 is transferred to the character string extraction unit 404. The character string extracting unit 404 determines whether or not the image data obtained by the document scanning unit 405 includes a personal number. If the personal number is included, the character number extracting unit 404 uses the technique such as OCR to determine the personal number. To extract. The character string extraction unit 404 extracts a character string such as a personal number from a print job including form data for printing received from the company system 102. The personal number extracted by the character string extraction unit 404 is displayed on the display unit of the operation unit 304 by the screen display unit 401. The print determination unit 406 determines whether the personal number and document type of the form data received from the company system 102 are consistent with the purpose of use of the personal number via the management server 106, and is consistent. When it is determined, the form data is output to the printing unit 407 and printed.

  Next, functions of each processing unit of the client 103 will be described.

  The client 103 approves the temporarily registered personal number. This approval work is performed, for example, by the person responsible for managing the personal number of the company to which the user of the image forming apparatus belongs. The person responsible for managing the personal number may be, for example, a supervisor of the user, a person who holds the management qualification of the personal number of the company to which the user belongs, or a member of the personnel department. The communication unit 411 acquires an approval request from the management server 106 and transmits an approval result to the management server 106. The screen display unit 412 displays a list of approval requests acquired by the communication unit 411 and the contents of each approval request, and displays a screen for the approver to check the registered contents. The input receiving unit 413 receives an input from the approver via the operation unit such as the keyboard 208.

  Next, functions of each processing unit of the enterprise system 102 will be described.

  The corporate system 102 receives a personal number from the management server 106 and creates a form or the like. The communication unit 421 transmits a request for acquiring a personal number to the management server 106 and a request for authority information for the personal number. Also, a print job is transmitted to the image forming apparatus 101. The screen display unit 422 displays a markup language for acquiring the personal number acquired from the management server 106 and a screen for instructing to edit and print the form data from the input receiving unit 423. The form creation unit 424 creates form data by inputting the data of the employee management table 425 and the personal number received from the management server 106 with respect to form template data with a command to be described later stored in the form storage unit 426. . Further, the display and printing of the form are controlled according to the presence / absence of the personal number and personal information in the form and the authority information for the personal number of the operator who handles the form. The command acquisition unit 427 acquires a request command for acquiring a personal number from form data with a command to be described later. The command insertion position may be specified by holding position information in advance for each form data. Alternatively, the position is calculated from a specific character string in the form data (for example, a character string “personal number” is specified by a technique such as OCR, and a command existing at a predetermined position is acquired therefrom). good. The character string acquisition unit 428 acquires a specific character string from the form data in order to determine the type of the form. The character string acquired here is specified based on information acquired from a form management table (form information storage unit) 453 of the management server 106 described later. As a method of acquisition, a method of matching the character string acquired from the management server 106 with the character string of the form data by a technique such as OCR may be used, or the character string position (coordinate) information acquired from the management server 106 may be specified. You may do it. The form area management table 429 holds an area for personal information and an area for personal number as coordinate information for each form.

  Next, functions of each processing unit of the management server 106 will be described.

  The screen generation unit 431 generates data (for example, HTML) to be displayed on the screen in response to a request from the image forming apparatus 101, the client 103, the corporate system 102, or the like. The login request receiving unit 432 receives a login request including authentication information from the image forming apparatus 101, the client 103, and the corporate system 102. Then, based on data managed in the user management table 434 via the user authentication unit 433, authentication / authorization processing of the user (operator, approver) is performed. Upon receiving a personal number temporary registration request from the image forming apparatus 101 or an approval request from the client 103, the personal number registration processing unit 436 registers data in the personal number management table 437 in response to the request, and Update the data. The personal number request receiving unit 438 notifies the personal number registered in the personal number management table 437 in response to a request from the company system 102 or the like. At this time, with reference to the request URL management table 450, it is checked whether or not the company is a legitimate company registered in advance based on the URL of the company system 102 that transmitted the request. The command analysis unit 439 analyzes the request command received from the company system 102 or the like, and the personal number search unit 440 acquires the personal number of the employee specified in the request. The form confirmation request receiving unit 451 checks through the combination determination unit 452 whether the type of form included in the request from the company system 102 or the like matches the purpose of use stored in the form management table 453. . The employee information registration unit 454 receives a request from the company system 102 and registers employee information in the user management table 434 and the employee information management table 455. Specifically, information corresponding to the data item defined in the employee information management table 455 is added to the data acquired by the operator of the company system 102 from the employee management table 425, and the employee information is registered via the communication unit 421. A registration request is issued to the unit 454. In addition to registering data in the employee information management table 455, the employee information registration unit 454 registers the company code and the employee ID of the employee in the user management table 434. In response to a request from the enterprise system 102, the personal information inquiry reception unit 435 performs processing for returning the user's personal number added to the request information and authority information for the personal information.

  Next, referring to the table, data configuration examples of the employee management table 425, the user management table 434, the personal number management table 437, the request URL management table 450, the form management table 453, and the employee information management table 455 according to the embodiment are referred to. explain.

  Table 1 shows an example of the employee management table 425 managed by the company system 102 according to the embodiment.

  The employee management table 425 includes five elements: employee ID (A1), name (A2), relationship (A3), affiliation (A4), and address (A5). The employee ID (A1) is employee identification information (ID) uniquely assigned in the company. The employee ID (B4) in the user management table 434, the employee ID (D1) in the personal number management table 437, and the employee are described later. Registered in the employee ID (G2) of the information management table 455. The name (A2) is an item indicating the name of the employee, and the relationship (A3) indicates the relationship (the principal, spouse, child, etc.) including the dependent family of the target employee. The affiliation (A4) is an attribute indicating the department to which the target employee belongs in the company. The address (A5) indicates the address where the target employee resides. Table 1 shows an example including the above five elements. However, the present invention is not limited thereto, and other information (for example, a telephone number) indicating employee information may be included.

  Next, information stored in the user management table 434 of the management server 106 will be described with reference to Tables 2 and 3.

  Table 2 shows an example of account management items in the user management table 434. Table 3 shows an example of control management items in the user management table 434.

  The user management table 434 includes a company code (B1), an account (B2), a password (B3), an employee ID (B4), a purpose of use (B5), an operation (B6), a personal number reference authority (access right to a personal number) ) (B7) 7 elements are included.

  The company code (B1) is an ID for identifying the company, and is associated with the company code (D1) of the request URL management table 450 described later. The account (B2) and password (B3) are an ID and a password that are required when the image forming apparatus 101, the corporate system 102, and the client 103 use the service provided by the management server 106. The employee ID (B4) is a key for associating each employee information in the employee management table 425 of the company system 102 with the account (B2). The purpose of use (B5) indicates what purpose of use the target employee can access (use) the personal number. In the example of Table 2 and Table 3, the employee whose account is “Account 1” is stored in the personal number management table 437 in order to create the withholding slip and payment record (pension, / payment record (dividend / surplus)). The account (B2) is automatically issued to each employee when the employee information registration unit 454 registers information in the user management table 434, and As for the password (B3), it is assumed that the password set in advance by the company is uniformly set.This password can be changed by each employee, but since this method is publicly known, the description thereof is omitted. To do.

  The purpose of use (B5) is set by the administrator of the company system 102 by displaying the setting screen generated by the screen generator 431 on the company system 102 (not shown). The operation (B6) indicates the permitted operation for the form designated by the purpose of use (B5). For example, an employee whose account is “Account 1” can only create a withholding slip, a payment record (pension), and a payment record (dividend / surplus). An employee whose account is “Account 3” can create and approve a withholding slip, a payment record (pension), and a payment record (dividend / surplus).

  The personal number reference authority (B7) indicates authority information for accessing the personal number and personal information at the same time. Since the personal number is a number that is not particularly meaningful if it is a simple substance, even if it is leaked, there is no problem in terms of protecting personal information. However, if the personal number is leaked in association with the personal information, the personal information is leaked. The personal number reference authority (B7) is information indicating the access authority of the personal number when linked with the personal information. The personal number reference authority (B7) can be set for each flow of each form to be created. Accordingly, companies may have different departments for each form to be created, and there is a need to add the authority to refer to the personal number of each department for each form creation flow. Since the creation flow of each form can be identified by the purpose of use (B5), such a configuration is adopted in which the personal number reference authority (B7) is added to the account (B2) and the purpose of use (B5). It is configured to meet your needs.

  Table 4 shows an example of information stored in the personal number management table 437 of the management server 106 according to the embodiment.

  Here, the personal number management table 437 is configured to be held for each company. The personal number management table 437 includes six elements: employee ID (D1), personal number (D2), relationship (D3), purpose of use (D4), image data (D5), and status (D6). The employee ID (D1) is a key for associating employee information with an individual number in the employee management table 425 of the company system 102. The personal number (D2) is the personal number of the employee registered according to the present embodiment. The relationship (D3) is an item indicating a relationship including a dependent of the target employee. The purpose of use (D4) is an item indicating a range in which the company system 102 can use the personal number for the target employee. In this purpose of use (D4), the contents disclosed in advance to the employee when the personal number is collected from the employee are recorded. In the image data (D5), the image data of the document read at the registration work of the personal number is registered. Multiple types of image data of this document can be registered. In the example of Table 4, a plurality of sets of {document type: image data} are registered in the item of image data (D5). However, the configuration may be such that these data are managed in a separate table. . The status (D6) is an item representing the registration status of the personal number. Specifically, when a registration request from the image forming apparatus 101 is received, the registration state of the personal number is a temporary registration state. When an approval from the client 103 is received, the status is changed from temporary registration to main registration. Changed to

  Table 5 shows an example of information in the request URL management table 450 managed by the management server 106 according to the embodiment.

  The request URL management table 450 includes two elements: a company code (E1) and a URL (E2). The company code (E1) is a code indicating a company, and an ID for uniquely identifying an organization that uses the management server 106 is set. This company code ID may be issued at the time of use contract of the management server 106, or a mechanism for automatically assigning an ID may be created separately. This company code (E1) is also associated with the company code (B1) of the user management table 434 and the company code (G1) of the employee information management table 455. The URL (E2) is a URL of the company system 102, and is used to check whether the access is from a valid URL (company) when accessing from the company system 102.

  Table 6 shows an example of information stored in the form management table 453 managed by the management server 106 according to the embodiment.

  The form management table 453 includes five elements: a purpose of use (F1), a form (F2), a determination item (F3), a position (F4), and a character string (F5). The purpose of use (F1) indicates the purpose of the company system 102 using the personal number for the employee. The purpose of use (F1) corresponds to the purpose of use (D4) of the personal number management table 437. The form (F2) indicates the type of form that can be created for the purpose of use (F1). A plurality of forms (F2) are associated with one usage purpose (F1). The determination item (F3) indicates which item in the form data is used for determination when determining whether the form (F2) is suitable for the purpose of use (F1) (in the example of Table 6, It indicates that the character string of the title part of the form data is used). The position (F4) indicates position information (coordinates) in the form data of the determination item (F3) (title here). The character string (F5) indicates a specific character string of an item (here, a title) indicated by the determination item (F3).

  For example, in the example of Table 6, the combination determination unit 452 of the management server 106 uses “Create withholding slip” as the purpose of use from the company system 102 and the character string of the title of the form data selected by the operator (employee). Receive a “payment income withholding slip”. In this case, the “wage income withholding slip” is registered in the form management table 453 of Table 6 as the character string (F5) corresponding to the purpose of use (F1) “Create withholding slip”. It is determined that the requested form is valid.

  Table 7 shows an example of information stored in the employee information management table 455 managed by the management server 106 according to the embodiment.

  The employee information management table 455 has six elements of company code (G1), employee ID (G2), employee mail address (G3), approver ID (G4), approver mail address (G5), and purpose of use (G6). Including. In the company code (G1), an ID for uniquely identifying an organization that uses the management server 106 is set. This company code (G1) is associated with the company code (E1) in the request URL management table 450. The employee ID (G2) is set with an ID for uniquely identifying the employee within the company within the company code (G1). Further, the contact address of the employee is set in the employee email address (G3). A registration notice requesting registration of a personal number is issued to the employee mail address (G3) set here. The approver ID (G4) is identification information of a person (approver) qualified to approve the temporary registration of the employee personal number indicated by the employee ID (G2). In the approver mail address (G5), the mail address of the approver is set. An approval request for requesting approval of temporary registration of an individual number by an employee is notified to the approver mail address (G5) set here. In the usage purpose (G6), information indicating the usage purpose for which the company uses the personal number of the employee is set. When the management server 106 issues a personal number registration notification to the employee email address (G3), the usage purpose (G6) information is also notified.

  Before explaining Table 8, a template of form data with command stored in the form storage unit 426 of the company system 102 according to the embodiment will be described with reference to FIG.

  FIG. 5 is a diagram showing an example of a template of form data with command stored in the form storage unit 426 of the company system 102 according to the embodiment.

  The corporate system 102 creates form data by inputting a personal number and employee information in the form data template, and submits the form data to an administrative organization or the like. The form 501 includes a field 502 for inputting a personal number, and a request command 503 for acquiring the personal number from the management server 106 is embedded in the field 502. The request command 503 includes a URL 511 for accessing the management server 106, a field 512 for inserting a purpose of using a personal number, and a field 513 for inserting a company code in the company system 102. Furthermore, a field 514 for inserting an employee ID for which a personal number is acquired and a field 515 for inserting a relationship are included. The request command 503 is analyzed by the command analysis unit 439 of the management server 106 when the enterprise system 102 requests the management server 106 to acquire a personal number.

  Here, in addition to the form 501, the form storage unit 426 holds other forms, but the form storage unit 426 also holds an area in which personal information and a personal number are input in the form. Take the configuration.

  Table 8 shows an example of a form area management table 429 that holds the position of the area of the personal information for each form held by the form storage unit 426 of the company system 102 according to the embodiment and the position of the area of the personal number.

  The purpose of use (H1) indicates the purpose of the company system 102 using the personal number for the employee, and here, the type of form using the personal number is stored. This purpose of use (H1) corresponds to the purpose of use (D4) of the personal number management table 437 and the purpose of use (F1) of the form management table 453. The form (H2) indicates the type of form that can be created for the purpose of use (G1). The personal information area (H3) indicates the coordinate position of the area where the personal information of the form is input. The enterprise system 102 determines whether or not personal information is included in the form 501 based on the personal information area (H3). Details of this processing will be described later. The personal number area (H4) indicates the coordinate position of the area in the form 501 where the personal number is input in the form. The company system 102 determines whether or not the personal number is included in the form based on the personal number area (H4). Details of the processing will be described later.

  Next, in the personal number management system according to the present embodiment, a processing flow from registration of a personal number to the management server 106 to use in the corporate system 102 and printing with the image forming apparatus 101 will be described.

  FIG. 6 is a flowchart for explaining processing when registering employee information from the company system 102 to the management server 106 according to the embodiment. Here, the respective processes of the enterprise system 102 and the management server 106 are realized by the CPU 201 of the enterprise system 102 and the management server 106 shown in FIG. 2 executing a program expanded from the external memory 210 to the RAM 202. The

  First, in step S <b> 601, the CPU 201 of the company system 102 issues an employee information registration request to the management server 106. This request includes information as shown in Tables 1 and 7.

  As a result, in step S <b> 602, the CPU 201 of the management server 106 receives the registration request issued from the enterprise system 102. In step S603, the CPU 201 of the management server 106 registers employee information included in the received registration request in the employee information management table 455 (see Table 7). In step S604, the CPU 201 of the management server 106 transmits an e-mail request for registration of a personal number for requesting to register the personal number of each employee (user) registered in step S603 to the e-mail address of the employee. At this time, the purpose of use of the personal number (the purpose of use (G6) in Table 7) is also notified.

  FIG. 7 is a flowchart for explaining the flow of processing until the user (employee) operates the image forming apparatus 101 and registers the personal number of the user in the management server 106 in the embodiment.

  FIG. 8 is a flowchart for explaining the registration processing in S711 of FIG. Here, the processes of the image forming apparatus 101 and the management server 106 are realized by the CPU 309 of the image forming apparatus 101 and the CPU 201 of the management server 106 executing programs developed in the corresponding RAMs. .

  In FIG. 7, first, in step S <b> 701, the CPU 309 of the image forming apparatus 101 acquires the user ID and password input via the screen of FIG. 19A, and manages using the input user ID and password. A login request is issued to the server 106.

  Accordingly, in step S702, the CPU 201 of the management server 106 performs authentication processing for the user based on the user ID and password of the accepted login request. If the user authentication is successful, the process advances to step S703. If the authentication fails, an error message or the like is output, and the process ends. In step S <b> 703, the CPU 201 of the management server 106 issues a redirect command to the screen display URL so as to display a function list screen as illustrated in FIG. 19B, for example, on the image forming apparatus 101.

  FIG. 19A is a diagram illustrating an example of a login screen displayed on the display unit of the operation unit 304 of the image forming apparatus 101 or the display unit 209 of the client 103.

  Here, the user (or approver) inputs the user ID in the user ID input field 1901, inputs the password in the password input field 1902, and presses the login button 1903.

  FIG. 19B is a diagram illustrating an example of a function list screen displayed on the operation unit 304 of the image forming apparatus 101 or the display unit 209 of the client 103.

  Here, when the user registers the personal number, “personal number registration” is selected, and when the approver approves the client 103, “personal number approval” is selected.

  In step S704, the CPU 309 of the image forming apparatus 101 accesses the management server 106 according to the redirect command. As a result, in step S <b> 705, the CPU 201 of the management server 106 receives the redirected access, that is, a function list screen acquisition request. In step S <b> 706, the CPU 201 of the management server 106 generates a markup language for displaying the requested function list screen and returns it to the image forming apparatus 101.

  In step S707, the CPU 309 of the image forming apparatus 101 displays a function list screen (see FIG. 19B) on the display unit of the operation unit 304 in accordance with the received markup language. In step S708, the CPU 309 detects the selected function based on the user operation via the screen. In step S709, the CPU 309 determines which function is the pressed function. If the pressed function is the personal number registration 1922, the process proceeds to step S711. If not, the process proceeds to step S710. In step S710, the CPU 309 executes processing according to the instructed function, and ends this processing. Here, detailed description of the processing of S710 is omitted. In step S <b> 711, the CPU 309 executes registration processing of the designated personal number in cooperation with the management server 106 and ends this processing.

  FIG. 8 is a flowchart for explaining the registration processing in S711 of FIG.

  First, in step S <b> 801, the CPU 309 of the image forming apparatus 101 displays a list of document types that are valid for personal number registration. As a result, for example, a screen as shown in FIG. In step S <b> 802, the CPU 309 detects the type of document selected by the user on the screen via the input reception unit 403. In step S803, the CPU 309 functions as the document scanning unit 405, and scans and reads the document selected in step S802 set in the image reading unit 307. In step S804, the CPU 309 determines whether the read document is a document on which a personal number is printed. If it is determined that the personal number is a printed document, the process proceeds to S805. If not, the process proceeds to S810.

  In step S805, the CPU 309 functions as the character string extraction unit 404, and extracts a personal number from the image data of the read document acquired in step S803 using a technique such as OCR. Since this technique such as OCR is well-known, its description is omitted. In step S806, the CPU 309 verifies the validity of the number of the personal number extracted in step S805 using a check digit. If it is determined that it is not correct, the process proceeds to S807. If it is determined that it is correct, the process proceeds to S809. In step S807, the CPU 309 displays an alert or the like on the operation unit 304, prompts the user to correct the extracted personal number, and accepts input from the user. At this time, for example, a screen as shown in FIG. 20B is displayed to wait for input from the user.

  FIG. 20A is a diagram illustrating an example of a screen displayed on the operation unit 304 when the user instructs “personal number registration” 1922 on the screen of FIG. 19B.

  This screen allows the user to select the type of document to be scanned to register a personal number. After selecting the type of document to be scanned from these screens via this screen, the user sets the document in the image reading unit 307 and presses an OK button 2002, and scanning of the document is started. When the scanning of the document is completed in this way, a confirmation screen including image data of the scanned document as shown in FIG. 20B is displayed. In FIG. 20A, a personal number notification card is selected as a document to be read, and FIG. 20B shows a case where it is read.

  FIG. 20B shows, for example, a case where a document on which a personal number is written is read. Here, a case where a personal number notification card is read corresponding to the selection on the screen of FIG. Is shown. The personal number is displayed as a character string 2003 of the personal number extracted from the read personal number notification card image data using a technique such as OCR. If the user determines that there is an error in the character string of the personal number extracted here, the user can directly edit this screen and correct the personal number to the correct number notified. In addition, it is possible to display scanned image data 2004 of the personal number notification card on this screen.

  When a document (for example, a driver's license) without a personal number is scanned, the character string 2003 indicating the personal number is not displayed. If the user confirms the content displayed on this screen and then presses an OK button 2005, the screen as shown in FIG. 20A is displayed again, and the next document to be scanned is selected. In addition, when all the documents necessary for registration of the personal number have been scanned, the user presses an all scan completion button 2006. By pressing this, the personal number is registered (temporary registration) in the personal number management table 437.

  In step S <b> 808, the CPU 309 functions as the input reception unit 403 and waits to detect that the user presses the OK button 2005 or the all scan completion button 2006. When any button is pressed, the process proceeds to S809, and the personal number extracted in S805 or the personal number corrected in S807 is stored in the RAM 310. In step S810, the CPU 309 stores the image data obtained by scanning in step S803. In step S811, whether or not the all scan completion button 2006 is pressed in step S808 or whether the documents read up to that point satisfy the document type necessary for registration of the personal number, that is, reading of all documents is completed. Judge whether or not. If it is determined that reading of all documents has been completed, the process advances to step S812. If not, the process returns to step S801 and the above-described processing is repeated. In step S812, the CPU 309 functions as the communication unit 402, transmits the image data obtained by the scan and the extracted personal number to the management server 106, and issues a temporary registration request.

  In step S813, the CPU 201 of the management server 106 receives the temporary registration request transmitted from the image forming apparatus 101, and registers the personal number and image data included in the request in the personal number management table 437. In step S814, the CPU 201 acquires the email address of the approver who approves the personal number of the user (employee) from the employee information management table 455, and sends the user (employee) by email to the approver. Request approval of personal number.

  Next, with reference to FIG. 9, the process regarding the approval work by the approver will be described.

  FIG. 9 is a flowchart for explaining the personal number approval work by the approver executed between the client 103 and the management server 106 according to the embodiment. Before the flowchart shown in FIG. 9, processing such as login processing from the client 103 to the management server 106, display of a function list screen, selection of an approval function, and the like are included. Since it is the same as the case of, the explanation is omitted. However, in the login process in this case, the approver needs to log in with the ID of the approver. In FIG. 9, the function list screen (see FIG. 19B) is displayed on the client 103 based on the screen information sent from the management server 106 in response to the login, and “personal number approval” is selected in the screen. This will be described in the subsequent processing flow. Here, the processing of each of the client 103 and the management server 106 is realized by the CPU 201 of the client 103 and the CPU 201 of the management server 106 executing a program developed in each corresponding RAM.

  First, in step S <b> 901, the CPU 201 of the client 103 issues a request for obtaining a list of users who request approval to the management server 106. At this time, the CPU 201 of the client 103 also transmits the approver's ID to the management server 106.

  As a result, in step S902, the CPU 201 of the management server 106 identifies the employee ID corresponding to the approver ID transmitted in step S901 from the employee information management table 455 (Table 7) and the user management table 434. After that, in the personal number management table 437 (see Table 4), data whose status (D6) corresponding to the employee ID is “provisional registration” is acquired. Then, the data (a list of employees who have issued an approval request and need to be approved by the approver) is formed into a markup language for display and returned to the client.

  In step S903, the CPU 201 of the client 103 displays a list (for example, see FIG. 21A) of users (employees) who have issued approval requests on the display unit 209 in accordance with the received markup language. In step S <b> 904, when the CPU 201 of the client 103 detects the user selected by the approver from the displayed list of users who issued the approval request, the CPU 201 sends a request for acquiring the detailed information of the user to the management server 106. Issue.

  In step S <b> 905, the CPU 201 of the management server 106 acquires the user data from the personal number management table 437, shapes the data into a display markup language, and returns the data to the client 103.

  In step S906, the CPU 201 of the client 103 displays an approval request screen as shown in FIG. 21B, for example, according to the received markup language. In step S907, when the CPU 201 of the client 103 detects that the approver has pressed the button on this screen, the CPU 201 determines whether the pressed button is the approval button 2105 or the return button 2104. If the pressing of the approval button 2105 is detected, the process proceeds to S910, and if the pressing of the return button 2104 is detected, the process proceeds to S908. In step S <b> 908, the CPU 201 of the client 103 transmits a mail issuance request that requests the management server 106 to re-register the personal number. In step S909, the CPU 201 of the management server 106 issues an e-mail requesting registration of a personal number to the target employee (user), and the process ends.

  The UI displayed on the client 103 at this time will be specifically described with reference to FIGS.

  When the approver logs in to the management server 106 by operating the client 103, a function list as shown in FIG. 19B is displayed. Here, the approver selects “personal number approval” in the function list, so that a list of users who need personal number approval shown in FIG. 21A is displayed on the display unit 209 of the client 103, for example. Is displayed. In the UI example of FIG. 21A, the request number (employee ID), the request date and time, and the name are displayed, but other items may be displayed, or there is no item. It doesn't matter. When a user who is the object of approval is selected from the list of users displayed on this screen, for example, as shown in FIG. 21B, the screen changes to a screen for performing approval processing.

  In FIG. 21B, information of the user 2101 (Ichiro Ada) selected in FIG. 21A, its personal number 2106, and scanned document images 2102 and 2103 are displayed. Here, an image 2102 shows an image of the user's personal number notification card, and an image 2103 shows an image of the user's driving license. Here, the approver checks whether the name and personal number of the user are the same as the name and personal number included in the scanned image 2102, and presses the approval button 2105 if they are the same. When the approval button 2105 is pressed, the approval result is transmitted from the communication unit 411 of the client 103 to the management server 106. On the other hand, if either the user's name or personal number is different, the approver presses the return button 2104. In this case, since approval has not been obtained, it is returned to the management server 106 that is the issuer of the approval request. In this case, the user (employee) to be approved needs to operate the image forming apparatus 101 again to register the personal number.

  In step S <b> 910, the communication unit 411 of the client 103 transmits an approval result to the management server 106. As a result, in S911, the personal number registration processing unit 436 of the management server 106 changes the status (D6) of the user (employee) in the personal number management table 437 to “main registration” and ends this processing.

  FIG. 10 is a flowchart for explaining the flow of processing when the company system 102 according to the embodiment uses a personal number registered in the management server 106. Here, the processes of the enterprise system 102 and the management server 106 are realized by the CPU 201 of the enterprise system 102 and the CPU 201 of the management server 106 executing programs developed in the corresponding RAMs.

  First, in step S1001, the CPU 201 of the enterprise system 102 functions as the input reception unit 423, and the ID and the ID input by the operator of the enterprise system 102 via the login screen as shown in FIG. Accept password entry. Based on the input ID and password, the operator performs login processing (authentication processing) to the company system 102. When the login is made, the process advances to step S1002, and the CPU 201 has received a form creation instruction (selection of usage purpose) from the operator via the menu screen as shown in FIG. 22B displayed on the screen display unit 422. Determine whether or not.

  FIG. 22A is a diagram illustrating an example of a login screen displayed on the display unit 209 of the company system 102. Here, as in the screen of FIG. 19A, a user ID input field 2201 and a password input field 2202 are included. When the operator inputs these items and presses the login button 2203, the management server 106 is requested to log in.

  FIG. 22B is a screen for the operator of the enterprise system 102 to select a business using a personal number. Here, for example, “Create withholding slip” 2204 is selected.

  If a form creation instruction is accepted, the process advances to step S1003. In step S <b> 1003, the CPU 201 of the enterprise system 102 transmits login information and a purpose of use of the personal number to the login request receiving unit 432 of the management server 106. Here, login information to the management server 106 may be stored in the corporate system 102 in advance, or a login screen (FIG. 19A) to the management server 106 is displayed and the login information is input to the user. You may make it let it. In step S1004, the CPU 201 of the management server 106 functions as the login request reception unit 432, and performs authentication processing for the operator via the user authentication unit 433 based on the login request received from the company system 102. If the authentication is successful, the process proceeds to S1005. If the authentication is not successful, an error message or the like is output and the process ends. In step S <b> 1005, the CPU 201 of the management server 106 determines whether the operator has authority for the purpose of use (for example, creation of a form) based on the purpose of use received from the company system 102 and the authentication information of the operator. Further, it is determined with reference to the personal number management table 437 whether or not the purpose of use of the form matches the purpose of use of the target user. Thus, if it is determined that the operator of the company system 102 is permitted to create a withholding slip using the user's personal number, the process proceeds to S1006, and if not, an error message or the like is output, This process ends. In step S <b> 1006, the CPU 201 of the management server 106 functions as the screen generation unit 431 and issues a redirect instruction to the display URL for the form creation screen to the enterprise system 102.

  In step S1007, the CPU 201 of the enterprise system 102 functions as the communication unit 421, and accesses the management server 106 according to the received redirect command.

  In step S1008, the CPU 201 of the management server 106 functions as the screen generation unit 431 and receives a redirected access, that is, a request for acquiring a screen for creating a form. In step S <b> 1009, the CPU 201 of the management server 106 generates a screen display markup language for creating a form and returns it to the company system 102.

  In step S1010, the CPU 201 of the enterprise system 102 functions as the screen display unit 422, and displays a form operation screen as shown in FIG. 23, for example, according to the received markup language.

  FIG. 23 is a diagram illustrating an example of a form operation screen displayed on the company system 102 according to the embodiment.

  An operation 2301 is an item for designating an operation for the form, and includes “creation / edit”, “display”, “print”, and “request (form creation request)”. Is an e-mail address indicating the request destination. A form 2303 indicates the type of the target form. Option 2303 is used to select whether or not the dependent information is input to the target form. When an OK button 2304 is pressed here, an instruction to operate this form is input. The operation end button 2305 is a button for instructing the end of the form operation using the personal number of the employee.

  In step S1011, the CPU 201 of the enterprise system 102 determines whether there is an operation instruction for the form by the operator via the form operation screen. The presence / absence of this operation instruction determines whether or not the OK button 2304 has been pressed after the operator has set the form operation screens 2301 to 2303 in FIG. If it is determined here that there is an operation instruction, the process proceeds to S1012. If there is no operation instruction, the process proceeds to S1011 again. In step S1012, the CPU 201 of the enterprise system 102 functions as the screen display unit 422, and determines which operation instruction is the operation instruction performed in step S1011. If “Create / Edit” is specified on the screen of FIG. 23, the process proceeds to S1013. If “Display” is specified, the process proceeds to S1014. If “print” is designated, the process advances to step S1015. Further, if “request” is designated, the process proceeds to S1016. If it is determined that the operation end button 2305 has been pressed, this process ends.

  In step S <b> 1013, the CPU 201 of the enterprise system 102 functions as the form creation unit 424, and executes processing for editing operation on the form data designated by the form 2302 in FIG. 23. Details of the editing operation in S1013 will be described later. In step S <b> 1014, the CPU 201 of the company system 102 executes processing for display operation on the form data designated by the form 2302. Details of this display operation will be described later with reference to S1102 of FIG. In step S <b> 1015, the CPU 201 of the company system 102 executes processing for printing operation on the form data designated by the form 2302. Details of this printing operation will be described later. In step S <b> 1016, the CPU 201 of the company system 102 executes processing for request operation on the form data specified in the form 2302. This requesting operation is a process of requesting to continue the creation process for the form data created by the operator. The form data created in this way is held in the form storage unit 426. Then, e-mail is sent to the user designated by the address 2306 in FIG. 23 together with the location information of the created form data, and the e-mail information to be requested to be created subsequently.

  With the processing shown in FIG. 10, when creating a form relating to an employee, the company system 102 can acquire the employee's personal number from the management server 106 and assign it to the form. At that time, the purpose of using the employee's personal number is restricted so that only forms registered in advance in association with the employee can be created.

  FIG. 11 is a flowchart illustrating the form creation / editing process performed in response to the form creation / editing instruction in S1013 of FIG.

  In step S1101, the CPU 201 of the company system 102 functions as the form creation unit 424, and acquires the form data specified by the form 2302 in FIG. In step S1102, the CPU 201 performs a form display process based on the form data acquired in step S1101. In this form display processing, the CPU 201 determines whether or not a personal number and personal information exist in the form instructed to be displayed. If it is determined that both the personal number and the personal information exist, it is determined that the form is highly confidential information, and control is performed so that only a predetermined user can be referred to. In this case, the operator makes an inquiry to the management server 106 as to whether the operator can refer to both the personal number and personal information of the user (employee), and controls the display of the form according to the result. Process. A detailed description of the processing of S1102 will be described later.

  Next, proceeding to S1103, the CPU 201 accepts an editing process for the electronic data of the form requested to be created / edited. As the editing process accepted here, an instruction for inserting a personal number into a form, an editing process for a form other than the insertion of a personal number, or an instruction to end editing of a form is accepted. The process advances to step S1104, and the CPU 201 determines the type of edit processing for the form accepted in step S1103. If it is determined here that the instruction is to insert a personal number, the process proceeds to S1105. In the case of editing other than the insertion of the personal number, the process proceeds to S1106. If it is an instruction to finish editing the form, this process is terminated.

  In step S <b> 1105, the CPU 201 requests the management server 106 to acquire a personal number in response to an instruction for inserting the personal number by the operator. Details of the processing in S1105 will be described later. In step S <b> 1106, the CPU 201 performs editing processing other than insertion of a personal number for the form data. In this case, the editing process includes processes such as input, change, and deletion of information on the form, and the form data is edited according to the editing instruction instructed by the operator as in the normal electronic data editing process.

  FIG. 12 is a flowchart for explaining the display processing of the S1102 form in FIG.

  First, in step S1201, the CPU 201 of the corporate system functions as the form creation unit 424, and acquires the form data to be displayed designated by the form 2302 in FIG. In step S1202, the CPU 201 performs personal information management processing for the form designated in step S1101. The management process described here determines whether both the personal number and the personal information exist in the form instructed to be displayed as described above. If it is determined that both the personal number and the personal information exist, it is determined that the form is highly confidential information, and only a predetermined operator is allowed to refer to it. Actually, the form data acquired in S1201 is displayed as it is for the authorized operator with respect to the form data displayed in S1203. On the other hand, for an unpermitted operator, a non-referenceable portion (for example, a portion where a personal number is described) is masked and displayed with respect to the form data acquired in S1201. A detailed description of this process will be described later. In step S1203, the CPU 201 functions as the screen display unit 422, and performs processing for displaying the form data.

  By this process, when both personal number and personal information exist in the form, only a predetermined operator is allowed to refer to it, and for other operators, the part that cannot be referred to is masked and an image of the form is displayed. Will be displayed.

  FIG. 13 is a flowchart for explaining the form printing process in S1015 of FIG.

  First, in step S1301, the CPU 201 of the enterprise system 102 functions as the form creation unit 424, and acquires form data to be printed designated by the form 2302 in FIG. In step S1302, the CPU 201 performs management processing related to personal information for the form designated in step S1301. The management processing described here determines whether both the personal number and the personal information exist in the form instructed to be printed. If both the personal number and personal information exist, it is determined that the form is highly confidential information, and only a predetermined user is allowed to print. Specifically, the authorized user is permitted to print the form data to be printed acquired in S1301. On the other hand, for a user who is not permitted, the form data acquired in S1301 is masked for a part that cannot be referred to (for example, a part of a personal number), and the part is masked and printed. A detailed description of this process will be described later. In step S1303, the CPU 201 instructs the image forming apparatus 101 to print the form data and causes the image forming apparatus 101 to print the form data.

  FIG. 14 is a flowchart for explaining personal information management processing in S1202 in FIG. 12 and S1302 in FIG.

  First, in step S1401, the CPU 201 of the company management system 102 functions as a form creation unit 424, and performs a determination process related to handling of personal information for the form data acquired in step S1301 or S1201. Specifically, it is determined whether both the personal number and the personal information exist in the form. If both the personal number and personal information exist, it is determined that the form is highly confidential information, and it is determined that it is necessary to confirm the authority for handling personal information. On the other hand, if both the personal number and personal information do not exist, it is determined that it is not necessary to confirm the authority for handling personal information when handling the form. Details of this processing will be described later. Next, the processing proceeds to S1402, and the CPU 201 determines whether or not it is necessary to confirm the personal number reference authority based on the determination processing in S1401. If it is determined that the reference authority needs to be confirmed, the process advances to step S1403. If it is determined that the reference authority is not necessary, the process ends. In step S <b> 1403, the CPU 201 confirms the authority to reference the personal number of the user (employee) with respect to the management server 106. Specifically, the CPU 201 of the company management system 102 confirms the management server 106 with the purpose of using the form acquired in S1002 of FIG. As a result, the management server 106 passes the personal number reference authority (B7) information for the account (B2) and the purpose of use (B5) in the user management table 434 of Table 3 to the enterprise system 102.

  In the corporate system 102, there are cases where the related departments differ for each form to be created. Therefore, there is a need to add a reference authority for each employee's personal number to each department for each form creation flow. To do. Therefore, the management server 106 can meet the needs of the company system 102 by passing the personal number reference authority (B7) for the account (B2) and the purpose of use (B5) to the company system 102.

  In step S1404, the CPU 201 of the enterprise system 102 determines whether or not the operating operator has the authority to refer to the personal number confirmed in step S1403. If it is determined that the operator does not have the authority, the process advances to step S1405. If it is determined that the operator has the authority, the process ends. In step S <b> 1405, the CPU 201 performs a process of masking an area where the personal number in the form exists so that the operator cannot refer to the area. Here, for example, the CPU 201 overwrites the areas indicated by the personal number areas (X1, Y1) and (X2, Y2) of the form area management table 429 held by the form storage unit 426 shown in Table 8 with black objects. The operator prevents the personal number from being referred to. Further, here, the mask process is performed by overwriting a black object, but it may be configured such that the reference cannot be made by another method.

  As described above, when the operator of the company system 102 obtains the personal number of a certain employee and creates a form relating to the employee, if the operator who performs the operation does not have the authority to refer to the personal number, the form is included in the form. Disable printing or display of the personal number area. In this way, it is possible to prevent a person without reference authority from browsing a form containing personal information and a personal number.

  FIG. 15 is a flowchart illustrating the personal information handling determination process in S1401 of FIG.

  First, in step S1501, the CPU 201 of the enterprise system 102 functions as the form creation unit 424, and checks whether a personal number exists in the form data acquired in step S1201 or S1301. Specifically, the presence or absence of a personal number can be determined by determining whether or not an object exists in the area indicated by the personal number area (H4) of the form area management table 429 shown in Table 8. Here, when there is no object, it is determined that the personal number does not exist, and when the object exists, it is determined that the personal number exists. In step S1502, the CPU 201 determines whether a personal number exists based on the personal number search process in step S1501. If it is determined that the personal number exists, the process proceeds to S1503. If it is determined that the personal number does not exist, the process proceeds to S1506. In step S1503, the CPU 201 checks whether personal information exists in the form data acquired in step S1201 or S1301. Personal information here refers to information such as employee name, address, and dependent information. Specifically, it is determined whether or not an object exists in the area indicated by the personal information area (H3) of the form area management table 429 shown in Table 8. Here, when there is no object, it is determined that no personal information exists, and when there is an object, it is determined that personal information exists. In step S1504, the CPU 201 determines whether personal information exists based on the result of the personal information search process in step S1503. If it is determined that personal information exists, the process proceeds to S1505. If it is determined that personal information does not exist, the process proceeds to S1506. In step S <b> 1505, the CPU 201 determines that both the personal number and the personal information exist. Therefore, the CPU 201 determines that the form is highly confidential information, and determines that it is necessary to check the personal number reference authority. On the other hand, in step S1506, the CPU 201 determines that this form is not highly confidential information because there is no personal number or personal information in this form, and it is not necessary to confirm the reference authority for the personal number. To do.

  FIG. 16 is a flowchart for explaining the personal number acquisition process in S1105 of FIG.

  First, in step S <b> 1601, the CPU 201 of the company system 102 functions as the form creation unit 424, and searches the form data specified in the form 2302 in FIG. 23 from the form data stored in the form storage unit 426. In step S1602, the CPU 201 determines whether form data is found in step S1601. If found, the process proceeds to step S1603. If not found, an error message or the like is output, and this process ends. In step S1603, the CPU 201 acquires information on determination items and positions (F3 and F4 in Table 6) in the target form data managed in the form management table 453 of the management server 106 via the communication unit 421. The CPU 201 functions as a character string acquisition unit 428 to acquire a target character string (here, a character string of a title) of form data. In step S1604, the CPU 201 functions as the form creation unit 424, and transmits the character string acquired in step S1603 and the purpose of use selected in step S1002 (FIG. 22B) to the management server 106. In step S <b> 1605, the CPU 201 determines whether the character string of the form data matches the purpose of use, that is, whether it is valid, from the determination result of the consistency between the purpose of use and the form received from the management server 106. . If it is determined to be valid, the process proceeds to S1606. If not, an error message or the like is output, and this process ends.

  In step S <b> 1606, the CPU 201 of the company system 102 functions as the command acquisition unit 427 to acquire a request command for acquiring a personal number embedded in the form data template. The process advances to step S1607, and the CPU 201 transmits the request command acquired in step S1606 to the management server 106. In step S1608, the CPU 201 determines whether the personal number has been acquired by the request command issued in step S1607. At this time, the CPU 201 of the management server 106 determines whether or not the personal number requested by the CPU 201 of the enterprise system 102 can be provided, and notifies that it is provided or cannot be provided. In this way, the CPU 201 of the enterprise system 102 determines whether or not the personal number has been successfully acquired in S1608. If it is determined that the personal number has been acquired, the process advances to step S1609. If it is determined that the personal number has not been acquired, the process ends. In step S1609, the CPU 201 of the company system 102 inputs the received personal number into the form data and creates a form including the personal number.

  In this way, the corporate system can access the management server from the template of a form to be processed by a certain employee and acquire the personal number of the employee to be given to the form.

  FIG. 17 is a flowchart for describing processing relating to a personal number in the management server 106 according to the embodiment.

  In step S <b> 1701, the CPU 201 of the management server 106 determines whether there is an instruction to end the system to the management server 106. If it is determined that an end instruction has been given, the process is terminated. If it is determined that an end instruction has not been given, the process advances to step S1702. In step S <b> 1702, the CPU 201 of the management server 106 functions as the personal number request receiving unit 438 and determines whether a personal number is requested from the company system 102. If it is determined that a personal number is requested, the process proceeds to S1703. If it is determined that there is no request, the process proceeds to S1701. In step S1703, the CPU 201 of the management server 106 determines what the request for the personal number was. If the request is for providing a personal number, the process advances to step S1704. If the inquiry is for personal information, the process advances to step S1705. In S1704, the CPU 201 of the management server 106 determines whether or not the requested personal number can be provided, and provides the personal number according to the determination result. Detailed description thereof will be described later.

  On the other hand, in step S1705, the CPU 201 of the management server 106 causes the enterprise system 102 to confirm whether the request is from an operator who can handle both the personal number and personal information. Whether or not both the personal number and personal information can be handled is indicated by the personal number reference authority (B7) for the account (B2) in the user management table 434 shown in Table 3 managed by the management server 106. Then, processing for notifying this information to the enterprise system 102 is performed.

  At this time, the management server 106 may control the presentation of the personal number to the company system 102 according to the personal number reference authority.

  FIG. 18 is a flowchart illustrating the personal number providing process in S1704 of FIG.

  In S1801 and S1802, the CPU 201 of the management server 106 functions as the form confirmation request receiving unit 451, and determines whether the combination of the character string of the form data received from the company system 102 and the purpose of use is valid. At this time, the CPU 201 functions as the combination determination unit 452 to determine whether or not the combination of the purpose of use (F1) and the character string (F5) in the form management table 453 of Table 6 matches, and the determination result is obtained. Notify the enterprise system 102. In step S1803, the CPU 201 of the management server 106 determines whether the combination of the character string of the form data and the purpose of use matches the form management table 453 based on the determination result in step S1802. If it matches here, that is, if it is determined that the purpose of use is valid, the process proceeds to S1804. If not, an error message or the like is output, and this process ends.

  In step S <b> 1804, the CPU 201 of the management server 106 determines whether a personal number request has been received from the company system 102. If it is determined that the request has been received, the process advances to step S1805. If not, the process of step S1804 is executed. In step S1805, the CPU 201 of the management server 106 refers to the request URL management table 450 and determines whether the URL of the company system 102 that transmitted the request is a registered URL. If it is determined that the URL is a registered URL, the process advances to step S1806. If not, an error message or the like is output, and the process ends. In step S1806, the CPU 201 of the management server 106 combines the employee ID and usage purpose of the request command received in step S1804 in the personal number management table 437 (employee ID (D1) and usage purpose (D4) in Table 4). It is determined whether or not they match. If it is determined that they match, the process advances to step S1807. If not, an error message or the like is output and the process ends. In step S <b> 1807, the CPU 201 of the management server 106 transmits the requested employee (user) personal number (personal number (D2) in Table 4) registered in the personal number management table 437 to the company system 102.

  As described above, according to the embodiment, the management server registers the personal number of the user (employee) together with the purpose of use, and when the personal number is requested, the management server uses the personal number for the purpose of use. In response, it is possible to control whether the personal number is provided to the requestor.

  In addition, when a personal number is requested in connection with the creation of a form containing personal information, depending on the operator (operator) 's authority to reference the personal number, the form can be displayed with the personal number as it is or masked. Can be printed or displayed.

  In the embodiment described above, the management server 106 has the employee information management table 455 and the user management table 434. However, the company server 102 may have the employee information management table 455. In that case, based on the purpose of using the personal number set by the operator and the purpose of using the personal number set by the user (employee), the company server 102 itself sets the purpose of acquiring the user (employee) personal number. It can be determined whether the conditions are met.

(Other embodiments)
The present invention supplies a program that realizes one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in a computer of the system or apparatus read and execute the program This process can be realized. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

  The present invention is not limited to the above-described embodiment, and various changes and modifications can be made without departing from the spirit and scope of the present invention. Therefore, in order to make the scope of the present invention public, the following claims are attached.

  DESCRIPTION OF SYMBOLS 101 ... Image forming apparatus, 102 ... Corporate system, 103 ... Client, 106 ... Management server, 201,309 ... CPU, 304 ... Operation part

Claims (16)

A management device for managing personal numbers,
Registration means for registering the user's personal number and the purpose of use of the personal number in association with the user;
Storage means for storing the purpose of use of the personal number corresponding to the operator who requests the personal number of the user in relation to the form and the authority to refer to the personal number;
When the operator instructs an operation on a form related to the user, the form matches the purpose of use of the user registered in the registration unit and the purpose of use corresponding to the operator stored in the storage unit. Determining means for determining whether to do;
A control means for controlling to provide the operator with a personal number of a user related to the form registered in the registration means when the determination means determines that they match;
A management apparatus comprising:   When the determination unit determines that the form coincides with the purpose of use of the user and the purpose of use corresponding to the operator, it further includes a presentation unit that presents a screen for creating the form to the operator. The management device according to claim 1.   The determination means is provided for the purpose of use corresponding to the operator stored in the storage means and the purpose of use of the user registered in the registration means for the character string included in a predetermined area of the form. 3. The management apparatus according to claim 1, wherein, if included, the management device determines that the form matches a purpose of use corresponding to the operator.   The management apparatus according to claim 3, further comprising a form information storage unit that stores position information indicating the predetermined area of the form in association with the form. When the operator is instructed to create a form related to the user, the operator further includes a determination unit that determines whether the operator is an operator registered in advance.
4. The management apparatus according to claim 1, wherein the control unit further performs control so as not to accept an instruction from an operator that is determined not to be registered by the determination unit. 5.   6. The form creation instruction related to the user by the operator is made through the form template including a command requesting acquisition of the personal number of the user. The management device according to item. An information processing apparatus that is operated by an operator, acquires a user's personal number from a management apparatus that manages the personal number, and creates a form related to the user,
Transmitting means for transmitting operator authentication information and form type to the management device;
Display means for receiving screen information for form creation transmitted from the management device in response to transmission by the transmission means and displaying the screen for form creation;
Accepting means for accepting an operation by the operator via the form creation screen;
An acquisition means for acquiring a personal number of a user related to the form from the management device in response to the operation received by the reception means;
When the form includes personal information and personal number of the user, confirmation means for confirming the access right to the personal number of the user possessed by the operator;
When the confirmation means confirms that the operator does not have access to the personal number of the user, a control means for controlling to output the data of the form masking the user's personal number in the form;
An information processing apparatus comprising:   Corresponding to each form, the information processing apparatus further includes storage means for storing the position information of the personal number in the form, and the control means stores the personal information of the user based on the position information of the personal number stored in the storage means. The information processing apparatus according to claim 6, wherein the number is masked. A determination means for determining whether or not the purpose of use of the personal number set by the operator includes the form;
When the determination unit determines that the determination unit includes the form, the acquisition unit transmits a request command for acquiring a personal number embedded in a template of the form data to the management apparatus to transmit the personal number of the user related to the form The information processing apparatus according to claim 7 or 8, wherein A personal number management system including at least a management server for managing personal numbers and a company system for requesting a personal number from the management server and creating a form;
The management server
Registration means for registering the user's personal number and the purpose of use of the personal number in association with the user;
Storage means for storing a purpose of use corresponding to an operator of the enterprise system that requests a personal number of a user related to a form and a reference authority for the personal number;
When the operator of the enterprise system instructs the operation of the form related to the user, it is determined whether or not the form matches the purpose of use corresponding to the operator and includes the personal information and personal number of the user. A determination means;
When the determination means determines that the form matches the purpose of use of the user and includes the user's personal information and personal number, screen information for operating the form is stored in the storage means. Providing means for providing the enterprise system together with the reference authority of
The corporate system is
First transmitting means for transmitting to the management server an instruction to operate the form including the operator authentication information and the user, and a form type related to the user;
Display means for receiving the screen information transmitted from the management server in response to the instruction and displaying a form creation screen;
Control means for controlling the output of the user's personal number in the form created via the form creation screen according to the reference authority of the operator when the form includes personal information and personal number of the user; ,
A personal number management system comprising: The corporate system further comprises:
First acquisition means for acquiring a template of the form;
Second acquisition means for acquiring a character string included in a predetermined area of the template acquired by the first acquisition means;
Second transmission means for transmitting a command requesting the form to the management server when the character string acquired by the second acquisition means includes a purpose of use corresponding to the operator stored in the storage means;
The personal number management system according to claim 10, further comprising receiving means for receiving the personal number of the user transmitted from the management server in response to the command.   12. The personal number according to claim 10, wherein the control unit outputs the form in a state where the personal number of the user in the form is not visible when the operator does not have authority to refer to the personal number. Management system. A control method for controlling a management device that manages personal numbers,
A registration step in which the registration means registers the user's personal number and the purpose of use of the personal number in association with the user;
A storage step in which the storage means stores the purpose of use of the personal number corresponding to the operator who requests the personal number of the user in relation to the form and the authority to refer to the personal number;
When the determination unit is instructed by the operator to operate the form related to the user, the form corresponds to the use purpose of the user registered in the registration step and the operator stored in the storage step. A determination step of determining whether or not it matches the purpose of use;
A control step for controlling to provide the operator with a personal number of a user related to the form registered in the registration step when the control means is determined to match in the determination step;
A control method for a management apparatus, comprising: A method for controlling an information processing apparatus that is operated by an operator, acquires a user's personal number from a management apparatus that manages the personal number, and creates a form related to the user,
A transmitting step for transmitting the authentication information of the operator and the type of the form to the management device;
A display step for receiving the form creation screen information transmitted from the management device in response to the transmission by the transmission step and displaying the form creation screen;
An accepting step for accepting an operation by the operator via the screen for creating the form;
An acquisition step in which an acquisition unit acquires a personal number of a user related to the form from the management device in response to the operation received in the reception step;
A confirmation step for confirming an access right to the personal number of the user possessed by the operator when the form includes the personal information and personal number of the user;
Control means for controlling to output the form data masked with the user's personal number in the form when the operator confirms in the confirmation step that the operator does not have access to the personal number of the user When,
A method for controlling an information processing apparatus, comprising:   The program for functioning a computer as each means of the management apparatus of any one of Claims 1 thru | or 6.   The program for functioning a computer as each means of the information processing apparatus of any one of Claims 7 thru | or 9.

Images