JP2017215868A - Anonymization processor, anonymization processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information management unit, an information management method and a program capable of optimizing anonymization level of personal information depending on the situation.SOLUTION: An anonymization processor 10 includes: a first anonymization processing part 11 that executes a series of anonymization processing at a preset level a piece of data including pieces of personal information of plural individuals as an object; and a second anonymization processing part 12 that executes a series of anonymization processing again at a newly set level on a piece of data on which the anonymization processing has been executed when a certain condition is satisfied.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an anonymization processing device, an anonymization processing method, and a program for realizing these, for anonymizing personal information.

  In recent years, with the progress of information communication technology, it has become possible to collect and analyze a huge amount of personal information. Moreover, in order to clarify the range handled as personal information and promote the utilization of personal information, the Personal Information Protection Law has been revised in Japan (see Non-Patent Document 1). According to the revised Personal Information Protection Law, data that has been anonymized so as not to include a personal identification code is excluded from personal information. This is possible, and as a result, economic revitalization is expected.

  As a technique for anonymizing personal information, for example, k anonymization processing is known (see Non-Patent Document 2). k Anonymization processing is to process information that can identify an individual (quasi-identifier = information that does not have specificity by itself but produces specificity by multiple combinations) into a common value in multiple records, This is a process of increasing the number of records to k or more. According to the k-anonymization process, personal information can be used while suppressing the loss of information meaning.

Tanizawa, “Revision of the system for protection and effectiveness of personal information”, legislation and survey, April 2015 No. 363 (Edited and issued by the House of Councilors Planning and Coordination Office), p. 32-12 Masami Mima, “Understanding the types and characteristics of privacy-preserving data mining (PPDM) techniques” [online], April 1, 2016, @IT, Internet <URL: http://www.atmarkit.co .jp / ait / articles / 1503/24 / news010_2.html>

  However, in the conventional k anonymization process, the anonymization level cannot be changed. Therefore, when anonymization is pointed out by an individual who provides information, or an anonymization data has been found vulnerable In some cases, there is a problem that cannot be handled.

  An object of the present invention is to provide an information management apparatus, an information management method, and a program that can solve the above-described problems and can optimize the anonymization level of personal information according to the situation.

In order to achieve the above object, an anonymization processing apparatus according to one aspect of the present invention is provided.
A first anonymization processing unit that executes anonymization processing at a set level for data including personal information of a plurality of individuals;
When a certain condition is satisfied, a second anonymization processing unit that executes the anonymization process again at the newly set level for the data on which the anonymization process has been executed,
It is characterized by having.

In order to achieve the above object, the anonymization processing method according to one aspect of the present invention includes:
(A) performing anonymization processing at a set level for data including personal information of a plurality of individuals;
(B) If a certain condition is satisfied, the anonymization process is executed again at the newly set level for the data on which the anonymization process has been executed, and
It is characterized by having.

Furthermore, in order to achieve the above object, a program according to one aspect of the present invention is provided.
On the computer,
(A) performing anonymization processing at a set level for data including personal information of a plurality of individuals;
(B) If a certain condition is satisfied, the anonymization process is executed again at the newly set level for the data on which the anonymization process has been executed, and
Is executed.

  As described above, according to the present invention, the anonymization level of personal information can be optimized according to the situation.

FIG. 1 is a block diagram showing a schematic configuration of an anonymization processing apparatus according to an embodiment of the present invention. FIG. 2 is a block diagram showing a specific configuration of the anonymization processing apparatus according to the embodiment of the present invention. FIG. 3A is a diagram showing the data that has been anonymized in the embodiment of the present invention in a tree structure, and FIG. 3B is the data that has been anonymized again in the embodiment of the present invention. Is a diagram showing a tree structure. FIG. 4 is a flowchart showing an operation during the first anonymization process of the anonymization processing apparatus according to the embodiment of the present invention. FIG. 5 is a flowchart showing the operation of the anonymization processing device again in the embodiment of the present invention during the anonymization processing. FIG. 6 is a diagram illustrating an example of the target data before the anonymization process, the anonymization data obtained by the first anonymization process, and the anonymization data obtained by the second anonymization process. FIG. 7 (a) is a diagram showing the data anonymized in the modification of the embodiment of the present invention in a tree structure, and FIG. 7 (b) is again shown in the modification of the embodiment of the present invention. It is a figure which shows the data by which the anonymization process was carried out with a tree structure. FIG. 8 shows the target data before the anonymization process, the anonymization data obtained by the first anonymization process, and the anonymization obtained by the second anonymization process in the modification of the embodiment of the present invention. It is a figure which shows an example of each data. FIG. 9 is a block diagram illustrating an example of a computer that implements the anonymization processing device according to the embodiment of the present invention.

(Embodiment)
Hereinafter, an anonymization processing device, an anonymization processing method, and a program according to an embodiment of the present invention will be described with reference to FIGS.

[Device configuration]
Initially, the schematic structure of the anonymization processing apparatus in this Embodiment is demonstrated using FIG. FIG. 1 is a block diagram showing a schematic configuration of an anonymization processing apparatus according to an embodiment of the present invention.

  As shown in FIG. 1, the anonymization processing device 10 according to the present embodiment includes a first anonymization processing unit 11 and a second anonymization processing unit 12. The first anonymization processing unit 11 performs anonymization processing at a set level for data including personal information of a plurality of individuals (hereinafter referred to as “target data”). Moreover, the 2nd anonymization process part 12 performs an anonymization process again in the newly set level with respect to the target data by which the anonymization process was performed, when fixed conditions are satisfy | filled.

  Thus, in this Embodiment, it can anonymize again with respect to the data in which anonymization was performed. According to this embodiment, the anonymization level of personal information can be optimized according to the situation.

  Next, the configuration of the anonymization processing device 10 according to the present embodiment will be described more specifically with reference to FIG. FIG. 2 is a block diagram showing a specific configuration of the anonymization processing apparatus according to the embodiment of the present invention.

  As shown in FIG. 2, in the present embodiment, the anonymization processing device 10 is connected to the terminal device 20 of the administrator 21 and the terminal device 30 of the user 31 of the data after anonymization via a network or the like. It is connected. In addition to the first anonymization processing unit 11 and the second anonymization processing unit 12, the anonymization processing device 10 includes a personal information acquisition unit 13, a storage unit 14, and an anonymization data output unit 16. I have.

  The personal information acquisition unit 13 acquires personal information. The personal information has a quasi-identifier having a possibility of specifying an individual, such as an address, name, telephone number, age, nationality, and is composed of a plurality of quasi-identifiers.

  The personal information acquisition unit 13 stores the acquired personal information in the storage unit 14. A set of personal information of each of a plurality of individuals stored in the storage unit 14 becomes target data in the present embodiment. The personal information acquisition unit 13 may individually acquire personal information from a personal terminal or the like, or may acquire personal information collectively from an external server device in which a collection of personal information is stored. good.

  In the present embodiment, the first anonymization processing unit 11 is configured so that, when the set level value is A, the personal information is such that there are A persons who share a quasi-identifier as anonymization processing. Change the contents of the quasi-identifier in each. Specifically, the first anonymization processing unit 11 performs k anonymization processing on the target data stored in the storage unit 14. Thereby, the target data stored in the storage unit 14 becomes anonymized data 15.

  In the present embodiment, the second anonymization processing unit 12 sends the anonymization data 15 to the anonymization data 15 at a newly set level when the administrator 21 requests another anonymization process via the terminal device 20. The anonymization process is executed again. For example, if the individual who provides the personal information requests anonymization processing at a higher level than the initially set level, the administrator 21 determines that the risk of information leakage is high, When a vulnerability is found in the data 15, a second anonymization process is requested.

  For example, it is assumed that the newly set level is B, which is higher than the initially set level A. In this case, the second anonymization processing unit 12 adds dummy personal information to the anonymization data 15 so that there are B individuals who share the same semi-identifier as anonymization processing again. Moreover, the 2nd anonymization process part 12 may substitute some personal information which comprises the anonymization data 15 by dummy personal information as a re-anonymization process.

  Here, the second anonymization process performed by the second anonymization processing unit 12 will be described with reference to FIGS. FIG. 3A is a diagram showing the data that has been anonymized in the embodiment of the present invention in a tree structure, and FIG. 3B is the data that has been anonymized again in the embodiment of the present invention. Is a diagram showing a tree structure.

  As shown in FIG. 3A, it is assumed that the first anonymization processing unit 12 executes the first anonymization process with the level set to 3 (k = 3) for the target data. In this case, it is assumed that two of the individuals providing personal information request level 4 (k = 4).

  In this case, as shown in FIG. 3 (b), the second anonymization processing unit 12 sets the anonymization data 15 so that there are four individuals having the same quasi-identifier for the individual who requested level 4. On the other hand, dummy personal information is added, and specific personal information is replaced with dummy personal information.

  The anonymized data output unit 16 outputs the anonymized data 15 to the terminal device 30 when the user 31 requests the use of the anonymized data 15 via the terminal device 30. Thereby, utilization of anonymization data is achieved.

[Device operation]
Next, operation | movement of the anonymization processing apparatus 10 in this Embodiment is demonstrated using FIG.4 and FIG.5. In the following description, FIGS. 1 to 3 are referred to as appropriate. Furthermore, in this Embodiment, the anonymization processing method is implemented by operating the anonymization processing apparatus 10. Therefore, the description of the anonymization processing method in the present embodiment is replaced with the following description of the operation of the anonymization processing device 10.

  First, the first anonymization process by the anonymization processing apparatus 10 will be described. FIG. 4 is a flowchart showing an operation during the first anonymization process of the anonymization processing apparatus according to the embodiment of the present invention.

  As shown in FIG. 4, first, the personal information acquisition unit 13 acquires personal information from the outside, and stores the acquired personal information in the storage unit 14 (step A1). Specifically, the personal information acquisition unit 13 acquires personal information from a personal terminal device or a server device in which a collection of personal information is stored.

  Next, the first anonymization processing unit 11 performs anonymization processing on the data stored in the storage device 14 at a preset level (for example, k = 3) (step A2). By step A2, the target data stored in the storage unit 14 becomes anonymized data 15.

  Then, the re-anonymization process by the anonymization processing apparatus 10 is demonstrated. FIG. 5 is a flowchart showing the operation of the anonymization processing device again in the embodiment of the present invention during the anonymization processing.

  As shown in FIG. 5, the second anonymization processing unit 12 determines whether or not the anonymization process is requested again from the administrator 21 (step B1). As a result of the determination in step B1, when the second anonymization process is not requested, the second anonymization processing unit 12 enters a standby state, and executes step B1 again after the set time has elapsed.

  On the other hand, as a result of the determination in step B1, when the second anonymization process is requested, the second anonymization processing unit 12 instructs the target data stored in the storage unit 14 to the designated level. Then, the anonymization process is executed again (step B2). Specifically, the second anonymization processing unit 12 adds dummy personal information and replaces dummy personal information.

  Here, specific examples of steps A1 and A2 shown in FIG. 4 and steps B1 and B2 shown in FIG. 5 will be described with reference to FIG. FIG. 6 is a diagram illustrating an example of the target data before the anonymization process, the anonymization data obtained by the first anonymization process, and the anonymization data obtained by the second anonymization process.

  As shown in FIG. 6, data A is target data before being anonymized. If the level is set to 2 for data A (k = 2) and anonymization processing is executed, data B is obtained. At this time, no. Suppose that 6 individuals ask for the level to be greater than or equal to k = 3.

  In this case, the administrator 21 requests the second anonymization processing unit 12 for anonymization again through the terminal device 20. Thereby, the 2nd anonymization process part 12 is No.2, as shown in the data C, for example. The personal information of the individual 6 is replaced with dummy personal information, and the anonymization process is executed again. Further, as shown in the data D, the second anonymization processing unit 12 can also execute the anonymization process again by adding dummy personal information. In FIG. 6, “disease state” is not quasi-identifier but sensitive information.

[Effects of the embodiment]
As described above, in the present embodiment, anonymization processing can be performed again on the anonymized data, and the anonymization level is optimized even for personal information that has been anonymized once. . For this reason, when it is pointed out that anonymization is not enough from the individual who provides the information, it is possible to cope with the case where a vulnerability is found in the anonymized data, and the utilization of personal information is promoted.

[Modification]
Subsequently, a modified example in the present embodiment will be described. In this modification, the second anonymization processing unit 12 is a person who has a common quasi-identifier as a second anonymization process when the newly set level is B greater than the first anonymization level A. The concept represented by the quasi-identifier in each personal information is changed to a higher concept so that there are B people.

  This modification will be specifically described with reference to FIGS. FIG. 7 (a) is a diagram showing the data anonymized in the modification of the embodiment of the present invention in a tree structure, and FIG. 7 (b) is again shown in the modification of the embodiment of the present invention. It is a figure which shows the data by which the anonymization process was carried out with a tree structure. FIG. 8 shows the target data before the anonymization process, the anonymization data obtained by the first anonymization process, and the anonymization obtained by the second anonymization process in the modification of the embodiment of the present invention. It is a figure which shows an example of each data.

  As shown in FIG. 7A, it is assumed that the first anonymization processing unit 12 executes the first anonymization process with the level set to 2 (k = 2) for the target data. In the example of FIG. 7A, since the level is k = 2, the concept of the quasi-identifier “address” includes “chome”.

  In this case, as shown in FIG. 7B, the second anonymization processing unit 12 increases the number of individuals having the same quasi-identifier (increases the level value). The concept of “address” is converted into a higher-level concept, that is, a concept including “ku”. As a result, the level in the anonymized data is 8.

  Specifically, as shown in FIG. 8, the data a is data before being anonymized. If the level is set to 2 for data a (k = 2) and anonymization processing is executed, data b is obtained. In this case, when the second anonymization processing unit 12 changes the concepts of the semi-identifiers “address” and “age” to higher concepts, data c is obtained. In the data c, the level is 4 (k = 4). In FIG. 8, “condition” is not quasi-identifier but sensitive information.

  Thus, also in a modification, optimization of the anonymization level of anonymization data is attained. Further, according to the modification, it is not necessary to create dummy data for addition or replacement, so that the processing burden on the apparatus can be reduced.

[program]
The program in the present embodiment may be a program that causes a computer to execute steps A1 to A2 shown in FIG. 4 and steps B1 to B2 shown in FIG. By installing and executing this program on a computer, the anonymization processing 10 and the anonymization processing method in the present embodiment can be realized. In this case, the CPU (Central Processing Unit) of the computer functions as the first anonymization processing unit 11, the second anonymization processing unit 12, the personal information acquisition unit 13, and the anonymization data output unit 16, and performs processing. Do.

  Note that the program in the present embodiment may be executed by a computer system constructed by a plurality of computers. In this case, for example, each computer functions as one of the first anonymization processing unit 11, the second anonymization processing unit 12, the personal information acquisition unit 13, and the anonymized data output unit 16, respectively. Also good.

  Here, the computer which implement | achieves the anonymization processing apparatus 10 by running the program in this Embodiment is demonstrated using FIG. FIG. 9 is a block diagram illustrating an example of a computer that implements the anonymization processing device according to the embodiment of the present invention.

  As shown in FIG. 9, the computer 110 includes a CPU 111, a main memory 112, a storage device 113, an input interface 114, a display controller 115, a data reader / writer 116, and a communication interface 117. These units are connected to each other via a bus 121 so that data communication is possible.

  The CPU 111 performs various calculations by developing the program (code) in the present embodiment stored in the storage device 113 in the main memory 112 and executing them in a predetermined order. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Further, the program in the present embodiment is provided in a state of being stored in a computer-readable recording medium 120. Note that the program in the present embodiment may be distributed on the Internet connected via the communication interface 117.

  Specific examples of the storage device 113 include a hard disk drive and a semiconductor storage device such as a flash memory. The input interface 114 mediates data transmission between the CPU 111 and an input device 118 such as a keyboard and a mouse. The display controller 115 is connected to the display device 119 and controls display on the display device 119.

  The data reader / writer 116 mediates data transmission between the CPU 111 and the recording medium 120, and reads a program from the recording medium 120 and writes a processing result in the computer 110 to the recording medium 120. The communication interface 117 mediates data transmission between the CPU 111 and another computer.

  Specific examples of the recording medium 120 include general-purpose semiconductor storage devices such as CF (Compact Flash (registered trademark)) and SD (Secure Digital), magnetic storage media such as a flexible disk, or CD- An optical storage medium such as ROM (Compact Disk Read Only Memory) can be used.

  In addition, the anonymization processing apparatus 10 in this Embodiment is realizable also by using the hardware corresponding to each part instead of the computer in which the program was installed. Further, a part of the anonymization processing device 10 may be realized by a program, and the remaining part may be realized by hardware.

  As described above, according to the present invention, the anonymization level of personal information can be optimized according to the situation. The present invention is useful in a field where utilization of personal information is required.

DESCRIPTION OF SYMBOLS 10 Anonymization processing apparatus 11 1st anonymization processing part 12 2nd anonymization processing part 13 Personal information acquisition part 14 Storage part 15 Anonymization data 16 Anonymization data output part 20 Terminal apparatus 21 Administrator 30 Terminal apparatus 31 Use 110 Computer 111 CPU
112 Main Memory 113 Storage Device 114 Input Interface 115 Display Controller 116 Data Reader / Writer 117 Communication Interface 118 Input Device 119 Display Device 120 Recording Medium 121 Bus

Claims (12)

A first anonymization processing unit that executes anonymization processing at a set level for data including personal information of a plurality of individuals;
When a certain condition is satisfied, a second anonymization processing unit that executes the anonymization process again at the newly set level for the data on which the anonymization process has been executed,
An anonymization processing device characterized by comprising: Each of the personal information has a quasi-identifier with the possibility of identifying the individual,
In the case where the first anonymization processing unit has a set level value of A, as the anonymization processing, the individuals in the quasi-identifier have A person in common, and the personal information in each of the personal information Change the contents of the quasi-identifier,
The anonymization processing apparatus according to claim 1. In the case where the second anonymization processing unit is a newly set level B that is greater than the A, as anonymization processing again, there are B individuals who share the quasi-identifier, Performing one or both of adding dummy personal information to the data and replacing the data with dummy personal information in a part of the data;
The anonymization processing device according to claim 2. In the case where the second anonymization processing unit is a newly set level B that is greater than the A, as anonymization processing again, there are B individuals who share the quasi-identifier, Changing the concept represented by the quasi-identifier in each of the personal information to a higher concept,
The anonymization processing device according to claim 2. (A) performing anonymization processing at a set level for data including personal information of a plurality of individuals;
(B) If a certain condition is satisfied, the anonymization process is executed again at the newly set level for the data on which the anonymization process has been executed, and
The anonymization processing method characterized by having. Each of the personal information has a quasi-identifier with the possibility of identifying the individual,
In the step (a), when the set level value is A, as the anonymization process, the quasi-identifier in each of the personal information is such that there are A persons who share the quasi-identifier. Change the contents of
The anonymization processing method according to claim 5. In the step (b), when the newly set level is B greater than the A, the data is set so that there are B individuals who share the quasi-identifier as the anonymization process again. One or both of adding dummy personal information to and replacing dummy personal information in part of the data,
The anonymization processing method according to claim 6. In the step (b), when the newly set level is B greater than the A, the person who has the same quasi-identifier as the person who has the same quasi-identifier exists as the anonymization process again. Changing the concept represented by the quasi-identifier in each piece of information to a higher level concept,
The anonymization processing method according to claim 6. On the computer,
(A) performing anonymization processing at a set level for data including personal information of a plurality of individuals;
(B) If a certain condition is satisfied, the anonymization process is executed again at the newly set level for the data on which the anonymization process has been executed, and
A program that executes Each of the personal information has a quasi-identifier with the possibility of identifying the individual,
In the step (a), when the set level value is A, as the anonymization process, the quasi-identifier in each of the personal information is such that there are A persons who share the quasi-identifier. Change the contents of
The program according to claim 9. In the step (b), when the newly set level is B greater than the A, the data is set so that there are B individuals who share the quasi-identifier as the anonymization process again. One or both of adding dummy personal information to and replacing dummy personal information in part of the data,
The program according to claim 10. In the step (b), when the newly set level is B greater than the A, the person who has the same quasi-identifier as the person who has the same quasi-identifier exists as the anonymization process again. Changing the concept represented by the quasi-identifier in each piece of information to a higher level concept,
The program according to claim 10.