JP2019153060A - System, method and apparatus for information management - Google Patents

Abstract

To provide a system for information management allowing for utilizing management information while properly managing subtle information.SOLUTION: A system for information management 10 is for executing anonymization processing to anonymize subtle information out of management information and has a legal-regulation requirement storing section 102 that stores a legal-regulation requirement including an attribute of subtle information as an object of anonymization processing, a processing pattern registering section that accepts a registration of a processing pattern for anonymization processing, an anonymization condition generating section 107 that generates an anonymization condition for anonymization processing based on a legal-regulation requirement and a processing pattern, and an anonymizing section 202 that generates anonymization information from management information based on the anonymization condition.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information management system, an information management method, and an information management apparatus that anonymize sensitive information.

  In recent years, laws and regulations that protect personal information have been strengthened, such as the full enforcement of the revised Personal Information Protection Law in May 2017 and the new enforcement of the General Data Protection Regulation (GDPR) in May 2018. It is being done. In particular, GDPR may impose a fine of 4% of the company's annual sales for the offending company. Compliance with such laws and regulations is a problem for companies that handle personal information.

  In GDPR, each company is obliged to refer to, change, transfer, and delete personal information in response to individual requests. For example, a company that accumulates and analyzes access logs for each individual's Web page and distributes advertisements to specific individuals according to the results of the analysis. There is an obligation to delete identifiable information.

  Further, the GDPR defines a so-called principle of minimizing personal data, in which personal information used for a certain purpose is limited to that required for that purpose. For example, a company that provides Web access to a user may analyze an access log of each individual Web page for the purpose of security operation. Then, according to the result of the analysis processing, the company stops Web access that is highly likely to be a security problem or Web access from a specific network segment. In this case, the processing pattern of the analysis process needs to be restricted to “personal ID”, “IP address”, etc. which are the minimum necessary personal information.

  As a technique for limiting personal information included in certain data, for example, an anonymization technique disclosed in Patent Document 1 is known. In the technique of Patent Document 1, the degree of identification of personal information is calculated, and the degree of concealment of personal information can be adjusted as necessary.

JP 2002-269081 A

  By the way, anonymized information obtained by anonymizing personal information may be identified by matching with other information, for example. In order to avoid such situations, companies and organizations that handle personal information anonymize personal information under anonymization conditions that meet the requirements of laws and regulations, and use range of anonymized information and processing of anonymization processing It is necessary to manage the pattern. The prior art does not disclose a method for managing a usage range and a processing pattern that can hold a non-specific state of anonymized information according to such laws and regulations and a processing pattern.

  The present invention has been made in view of the above problems, and an object of the present invention is to provide a technique capable of utilizing management information while appropriately managing sensitive information.

In order to solve the above-mentioned problem, the information management system according to the present invention is an information management system capable of executing anonymization processing for anonymizing sensitive information in the management information, and is an attribute of sensitive information to be anonymized processing A legal regulation requirement storage unit that stores legal regulation requirements, a processing pattern registration unit that accepts registration of a processing pattern of the anonymization process, and anonymization that generates an anonymization condition based on the legal regulation requirement and the previous process pattern An anonymization unit that generates anonymization information from the management information based on the period anonymization condition.
The information management system is a system that manages information while preventing the information from being identified as specific personal information.

  According to the present invention, management information can be utilized while appropriately managing sensitive information.

The block diagram which shows the software structure of the information management system which concerns on 1st Example. The block diagram which shows the hardware constitutions of the information management system which concerns on 1st Example. The figure which shows the data structure of the original information which concerns on 1st Example. The figure which shows the data structure of the main body information storage part which concerns on 1st Example. The figure which shows the data structure of the legal regulation requirement memory | storage part which concerns on 1st Example. The figure which shows the data structure of the process impossible list which concerns on 1st Example. The figure which shows the data structure of the permission process log | history memory | storage part which concerns on 1st Example. The block diagram which shows the logic structure of the permission process pattern management part which concerns on 1st Example. The figure which shows the data structure of the process pattern memory | storage part which concerns on 1st Example. The block diagram which shows the logic structure of the anonymization condition production | generation part which concerns on 1st Example. The figure which shows the data structure of the anonymization condition memory | storage part which concerns on 1st Example. The figure which shows the data structure of the permission process pattern memory | storage part which concerns on 1st Example. The figure which shows the data structure of the anonymization method list | wrist which concerns on 1st Example. The figure which shows the data structure of the anonymization information which concerns on 1st Example. The figure which shows the data structure of the held information which concerns on 1st Example. The sequence diagram which shows the process pattern registration process which concerns on 1st Example. The sequence diagram which shows the process pattern permission process which concerns on 1st Example. The flowchart which shows the anonymization condition production | generation process which concerns on 1st Example. The flowchart which shows the permission process log | history check process which concerns on 1st Example. The block diagram which shows the software structure of the information management system which concerns on 2nd Example. The figure which shows the data structure of the deposit personal information which concerns on 2nd Example. The figure which shows the data structure of the anonymization condition memory | storage part which concerns on 2nd Example. The figure which shows the data structure of the anonymization information which concerns on 2nd Example.

  In the following description, the information management system may be composed of one or more computers. Information display by the information management system may be to display information on a display device of the information management system, or to transmit display information to a remote display computer (information processing entity). .

  First, regarding anonymization technology, there is an example in which an anonymized data can be identified by matching the data after anonymization with another data. For example, in the United States, when a state executes an anonymization process that removes names from medical data and publishes the data, it is matched with a voter list that has already been released (sold) separately, so There is an example that could be identified.

  Furthermore, in the United States, a DVD rental company released anonymized viewing history data of 500,000 and held a recommendation algorithm development contest. Researchers matched the data of the movie review site to identify individuals. There is a case that could be identified. In this case, the contest organizer was investigated by the supervisory authority, and the subsequent contest was cancelled.

  In addition, an Internet provider company in the United States released a search history for 650,000 people whose names were anonymized for research and development. Researchers identified individuals from search keywords and blamed media and consumer groups. In response, the company ’s CTO has resigned.

  Hereinafter, some embodiments will be described with reference to the drawings.

(1) First Example (1-1) Configuration of Information Management System According to First Example FIG. 1 is a block diagram illustrating a software configuration of an information management system 10 according to a first example. The hardware configuration is shown in FIG.

  The information management system 10 includes an information management device 1. The information management apparatus 1 is connected to an information management entity 2 and an information processing entity 3 via a network 4 such as a LAN (Local Area Network) or a WAN (Wide Area Network). The information management system 10 is a system that manages information while preventing it from being specified as information of a specific individual (in this sense, it may be called a non-specific information management system).

  The information management entity 2 is, for example, a foreign European branch office. The information management entity 2 includes original information 201 as an example of “management information”, an anonymization unit 202, and anonymization information 203.

  The original information 201 includes personal information and trade secrets as an example of “sensitive information” of customers and employees.

  The anonymization unit 202 executes an anonymization process for anonymizing personal information in the original information 201. Specifically, the anonymization unit 202 generates anonymization information 203 from the original information 201 based on anonymization conditions described later, and transmits the generated anonymization information 203 to the information processing entity 3 via the network 4. .

  The anonymization information 203 is information that anonymizes personal information in the original information 201 by anonymization processing and does not anonymize information other than personal information. The anonymized information 203 is transmitted to the information processing main body 3 via the network 4.

  The information management apparatus 1 includes a subject information storage unit 101, a legal requirement storage unit 102, a process disabling list 103 as an example of a “process disabling list storage unit”, a permission processing history storage unit 104, and a permission processing pattern management. Part 105. Furthermore, the information management system 1 includes a processing pattern storage unit 106, an anonymization condition generation unit 107, an anonymization condition storage unit 108, a permission processing pattern storage unit 109 as an example of a “permission information storage unit”, and anonymity. And a conversion method list 110.

  The information processing entity 3 is, for example, a domestic information processing center. The information processing entity 3 includes anonymized information 203, already held information 301, an analysis processing unit 302, and an analysis processing result 303.

  The anonymized information 203 is received from the information management entity 2 via the network 4. The analysis processing unit 302 executes various analysis processes (access log analysis, search, matching, frequency calculation, etc.). For example, the analysis processing unit 302 performs a restoration process for restoring the anonymized information 203 by matching the anonymized information 203 and the already held information 301 based on the processing pattern, and outputs the analysis process result 303. When the processing pattern corresponding to the restoration process to be executed is stored in the permission process pattern management unit 105, the analysis processing unit 302 executes the restoration process. The analysis processing result 303 is the result of the analysis processing unit 302 restoring the anonymization information 203 through the analysis processing.

  FIG. 2 is a block diagram illustrating a hardware configuration of the information management system 10 according to the first embodiment.

  The information management apparatus 1, the information management entity 2, and the information processing entity 3 are information processing apparatuses such as personal computers, smartphones, and server apparatuses, or virtual machines. Each of the information management device 1, the information management entity 2, and the information processing entity 3 includes a CPU, a memory, a disk, a network interface card (NIC), a display device, an input device, and an internal communication line. Is provided.

  FIG. 3 is a diagram illustrating a data structure of the original information 201 according to the first embodiment.

  The original information 201 is stored in the disk or memory of the information management entity 2 and is information including personal information (here, “IP address” and “personal ID”).

  The data items (columns) of the original information 201 may include, for example, “IP address”, “personal ID”, “(access) time”, and “HTTP request”. “IP address” is an access log recorded by the Web proxy server, and is the IP address of the access source terminal when accessing a Web site on the Internet via the Web proxy server. “Personal ID” is an identifier of an individual who has performed Web access using the access source terminal. “(Access) time” is an access time. The “HTTP request” is a request for acquiring a Web page from a Web site.

  For example, in the record 2011, a user whose “personal ID” is “1111” who uses an access source terminal whose “IP address” is “192.168.1.128” and whose “time” is “2018/6/9 10:01: “10” indicates that “HTTP request” issued “GET / def /”.

  FIG. 4 is a diagram illustrating a data structure of the subject information storage unit 101 according to the first embodiment.

  The subject information storage unit 101 is stored in a disk or memory of the information management apparatus 1. The subject information storage unit 101 stores an identifier of each subject (information management subject 2 and information processing subject 3) and information such as a country / region / organization where the subject is located. Information in the subject information storage unit 101 is referred to by the permission processing pattern management unit 105 and the anonymization condition generation unit 107.

  The data items in the subject information storage unit 101 may include, for example, “subject ID”, “subject name”, “subject type”, “country / region”, and “organization name”. “Subject ID” is an identifier of each subject. “Subject name” is the name of the subject. “Subject type” is the type of role of the subject. “Country / Region” is the location of the subject. “Organization name” is the name of the main organization.

  For example, in the record 1011, an entity whose “subject ID” is “1000” and whose “subject name” is “information management entity” is “Data Controller” whose “subject type” is responsible for managing information, Indicates that “Region” is located in “EU” and “Organization Name” is “European Branch”. In the record 1012, the subject whose “subject ID” is “2000” and whose “subject name” is “information processing subject” is “Data Processer” whose information subject processing is “Data Processer”, and “country / region”. Is located in “Japan” and “Organization Name” is “Information Processing Center”.

  FIG. 5 is a diagram illustrating a data structure of the legal requirement storage unit 102 according to the first embodiment.

  The legal requirement storage unit 102 is stored in a disk or memory of the information management apparatus 1. The legal / requirement requirement storage unit 102 stores legal / regulatory requirements such as the definition of personal information such as the country, region, and organization in which each entity is located.

  The data items of the legal regulation requirement storage unit 102 may include, for example, “legal regulation requirement ID”, “country / region”, “legal regulation name”, and “personal information data item”. “Legal regulation requirement ID” is an identifier of legal regulation requirements for each country / region. “Country / Region” holds the country / region name. “Legal regulation name” is the name of the legal regulation. “Personal information data item” is a data item group as an example of “attributes of sensitive information” that each law and regulation considers as personal information.

  For example, the record 1021 defines a legal regulation requirement having a “legal regulation requirement ID” of “1”. The legal and regulatory requirements for “Regulatory Requirement ID” is “1”, “Country / Region” is “Japan”, “Law and Regulatory Name” is “Revised Personal Information Protection Law”, “Personal Information Data Item” is “Name, It indicates the date of birth, personal identification number, race (personal information that requires consideration), medical history (personal information that requires consideration), etc.

  The record 1022 defines a legal regulation requirement whose legal regulation requirement ID is “2”. The legal regulation requirements with “regulatory requirement ID” “2” are “country / region” “EU”, “regulatory name” “GDPR”, “personal data item” “name, identification number, location Data, professional email address, online identifier (IP address) ", etc.

  FIG. 6 is a diagram illustrating a data structure of the unprocessable list 103 according to the first embodiment.

  The unprocessable list 103 is stored in the disk or memory of the information management apparatus 1. The non-processable list 103 holds a process pattern having a high possibility of re-identification extracted from a case where the anonymization information 203 has been re-identified (re-identified) in the past. The processing pattern may include an input data item, an output data item, and a processing type.

  The data items of the unprocessable list 103 may include, for example, “anonymized information type”, “anonymized data item”, “original information data item”, “respecifying process type”, and “additional data item”. . “Type of anonymized information” is the name of the anonymized information 203 that has been re-specified. “Anonymized data item” is a data item that has been anonymized in the anonymized information 203. The “original information data item” is a data item that remains the original information in the anonymized information 203. The “type of respecifying process” is the type of process performed for respecifying. The “additional data item” is an additional data item used for re-specific processing.

  For example, the record 1301 defines the processing pattern of the anonymization information 203 whose “type of anonymization information” is “medical data”. This processing pattern deletes “name” of “anonymized data item” by anonymization (deletion), and includes “gender, date of birth, address, disease name” in “original information data item”, and “re-specific processing” "Matching" is used for "type" and "name and address" is used for "additional data item". This record 1301 indicates a processing pattern in which the “name” of a specific individual is re-specified by collating with “name and address” included in another name list as “additional data item”.

  Further, the record 1302 is a processing pattern of the anonymization information 203 whose “type of anonymization information” is “search history”. In this processing pattern, the “name” of the “anonymized data item” is pseudonymized by anonymization (a pseudonymization), the “original information data item” includes “search keyword, search result”, and the “type of respecifying process” "Search keyword analysis" is used. This record 1502 is a processing pattern in which “name” of a specific individual is re-specified by using “search keyword analysis” as “type of re-specific processing”.

  FIG. 7 is a diagram illustrating a data structure of the permission processing history storage unit 104 according to the first embodiment.

  The permission processing history storage unit 104 is stored in the disk or memory of the information management apparatus 1. The permission processing history storage unit 104 stores a response to a permission processing request from each entity (information management entity 2 and information processing entity 3) and a transmission / reception history of anonymized information 203 between the entities.

  Data items in the permission processing history storage unit 104 include, for example, “permission processing history ID”, “permission response date / time”, “permission processing ID”, “anonymization information address”, “provider source transmission date / time”, and “providing destination reception”. Date ". “Permission processing history ID” is an identifier of each history. The “permission response date / time” is a date / time when a permission inquiry response unit 1052 (to be described later) of the permission processing pattern management unit 105 responds with a permission. “Permission processing ID” is an identifier of a permission processing pattern corresponding to a permission response. The “anonymized information address” is an address where the anonymized information is obtained at the same date and time. The “provider transmission date and time” records the date and time when the information management entity 2 transmitted the anonymization information 203 in response to a request from the information processing entity 3. “Provision destination reception date” records the date and time when the information processing entity 3 received the anonymization information 203.

  For example, in the record 1041, a permission processing history having “permission processing history ID” “1” is defined. The permission processing history of “1” indicates that “permission response date / time” is “2018/6/29 3:00:00” and the corresponding “permission processing ID” is “1”. Further, in the permission processing history of “1”, “anonymized information address” at the same date and time is “https: //xyz/access.log”, and “provider transmission date and time” is “2018/6/29 3:05: “00”, “providing destination reception date” is “2018/6/29 3:10: 00”.

  FIG. 8 is a block diagram illustrating a logical configuration of the permission process pattern management unit 105 according to the first embodiment.

  The permission processing pattern management unit 105 is stored in the disk or memory of the information management apparatus 1. The permission processing pattern management unit 105 manages the use permission range of the anonymization information 203. The permission processing pattern management unit 105 includes a processing pattern registration unit 1051 and a permission inquiry response unit 1052.

  The process pattern registration unit 1051 accepts registration of a process pattern from the information processing entity 3. The process pattern registration unit 1051 may accept registration of a permission process pattern from a permission process pattern registration unit 1073 described later of the anonymization condition generation unit 107. When there is a permission inquiry for executing a specific processing pattern from the information processing entity 3, the permission inquiry response unit 1052 responds to the information processing entity 3 as to whether or not there is permission.

  FIG. 9 is a diagram illustrating a data structure of the processing pattern storage unit 106 according to the first embodiment.

  The processing pattern storage unit 106 is stored in the disk or memory of the information management apparatus 1. The processing pattern storage unit 106 stores a processing pattern registered from the information processing main body 3.

  The data items of the processing pattern storage unit 106 may include, for example, “processing pattern ID”, “processing purpose”, “processing data item”, and “processing type”. “Processing pattern ID” is an identifier of each processing pattern. “Processing purpose” is the purpose of each process. The “process data item” is a data item used by each process. “Processing type” is the content of processing such as matching and frequency calculation.

  For example, in the record 1061, a processing pattern having “processing pattern ID” “Y1” is defined. The processing pattern of “Y1” is that “processing purpose” is “security operation”, and “processing data item” is “IP address, personal ID, time, HTTP request, harmful URL list”, and “processing type” Shows the process of “matching and frequency calculation”.

  FIG. 10 is a block diagram illustrating a logical configuration of the anonymization condition generation unit 107 according to the first embodiment.

  The anonymization condition generation unit 107 is stored in the disk or memory of the information management apparatus 1. The anonymization condition generation unit 107 generates an anonymization condition that satisfies at least the legal regulation requirement based on the already held information 301, the processing pattern, and the legal regulation requirement. The anonymization condition generation unit 107 includes a matching unit 1071, an anonymization method determination unit 1072, and a permission processing pattern registration unit 1073.

  The matching unit 1071 receives the processing pattern of the analysis processing unit 302, the legal regulation requirements of the legal regulation requirement storage unit 102, the data items of the processing disabling list 103, and the data items of the permission processing history storage unit 104 as input. Execute the matching process between the data item and each requirement. The anonymization method determination unit 1072 receives each data item that has been found to be anonymized based on the processing result of the matching process in the matching unit 1041 and anonymization condition candidates for legal requirements, and inputs each data Select anonymization conditions for items. The permission process pattern registration unit 1073 registers the permission process pattern including each data item and the process pattern after the anonymization process in the permission process pattern management unit 105.

  FIG. 11 is a diagram illustrating a data structure of the anonymization condition storage unit 108.

  The anonymization condition storage unit 108 is stored in a disk or memory of the information management device 1. The anonymization condition storage unit 108 stores the anonymization condition generated by the anonymization condition generation unit 107.

  The data items in the anonymization condition storage unit 108 may include, for example, “anonymization condition ID”, “anonymization data item”, “original information data item”, and “non-matchable data item”. The “anonymization condition ID” is an anonymization condition identifier corresponding to a certain processing pattern. The “anonymization data item” is pair information of the data item that is the target of the anonymization process and the anonymization method. The “original information data item” is a data item that the information processing entity 2 sends to the information processing entity 3 as it is without being anonymized. The “non-matching data item” is a data item that can re-identify an individual when matching with anonymized information in the already held information 301.

  For example, the record 1081 defines an anonymization condition having an “anonymization condition ID” of “X1”. The anonymization condition of “X1” is “IP address (anonymization method: pseudonymization)”, personal ID (anonymization method: pseudonymization), HTTP request (anonymization method: for each “anonymization target data item”). Indicates that anonymization is performed by each method of “search keyword deletion”). Furthermore, the anonymization condition of “X1” is to generate anonymization information 203 together with “time” as “original information data item”, and “match” to keep the non-specific state among the data items of already held information 301 This indicates that the “impossible data item” is “personal ID, HTTP request”.

  FIG. 12 is a diagram illustrating a data structure of the permission process pattern storage unit 109 according to the first embodiment.

  The permission processing pattern storage unit 109 is stored in a disk or memory of the information management apparatus 1. The permission processing pattern storage unit 109 stores processing patterns for which processing is permitted.

  The data items in the permission processing pattern storage unit 109 include, for example, “permission processing ID”, “permission date”, “permission expiration date”, “anonymization information address”, “providing source entity ID”, “providing destination entity ID”, “Anonymization condition ID” and “processing pattern ID” may be included. “Permitted process ID” is an identifier of a permitted process. “Permitted date” is a permitted date. The “permission expiration date” is the expiration date of the permission. “Anonymized information address” is an address (URL or the like) where the anonymized information 203 is obtained. The “provider source ID” is a subject ID that is the provider of the anonymized information 203. “Providing entity ID” is an entity ID that provides the anonymization information 203. “Anonymization condition ID” is an identifier of the anonymization condition of each data item of the anonymization information 203. “Processing pattern ID” is an identifier of a processing pattern permitted to be processed in combination with the anonymization information 203.

  For example, in the record 1091, a permission process pattern whose permission process ID is “1” is defined. In this permission processing pattern, the “permitted date” is “2018/5/31”, the “permitted date” is “2018/12/31”, the “providing entity ID” of the anonymization information 203 is “1000”, and the provision destination The subject ID is “2000” and the “anonymized information address” to be permitted is “https: //xyz/access.log”. This permission processing pattern uses the anonymization information 203 anonymized with the anonymization condition “X1” for the anonymization information 203, and the “processing pattern ID” is “Y1”. This indicates that the processing pattern can be executed.

  FIG. 13 is a diagram illustrating a data structure of the anonymization method list 110 according to the first embodiment.

  The anonymization method list 110 is stored in the disk or memory of the information management apparatus 1. The anonymization method list 110 accepts registration of anonymization methods (deletion, pseudonymization, generalization, k-anonymization, etc.) of anonymization processing.

  The data items of the anonymization method list 110 may include, for example, “anonymization method ID” and “anonymization method”. “Anonymization method ID” is an identifier of the anonymization method. “Anonymization method” is a type of anonymization method.

  For example, the record 1101 indicates that “anonymization method ID” is “1” and “anonymization method” is “delete”.

  FIG. 14 is a diagram illustrating a data structure of the anonymization information 203 according to the first embodiment.

  The anonymized information 203 is stored in the respective disks or memories of the information management entity 2 and the information processing entity 3. Anonymized information 203 is information obtained by anonymizing the original information 201.

The data items of the anonymization information 203 may include, for example, “anonymization IP address”, “anonymization personal ID”, “time”, and “anonymization HTTP request”. “Anonymized IP address” is an IP address obtained by anonymizing the “IP address” column of the original information 201.
“Anonymized personal ID” is an identifier obtained by anonymizing the “personal ID” column of the original information 201, and “time” is the same time as “time” of the original information 201. The “anonymized HTTP request” is a request in which the “HTTP request” column of the original information 201 is anonymized.

  For example, the record 2031 is obtained by anonymizing the record 2012 of the original information 201 under the anonymization condition of the anonymization condition ID “X1” described above. Record 2031 indicates that “anonymized IP address” is “yyy.yyy.yyy”, “anonymized personal ID” is “9efeau”, and “time” is “2018/6/9 10: 0: 30”. Show. Further, the record 2031 indicates that the corresponding HTTP request is the anonymization condition of “HTTP request (search keyword deletion)” described above. Therefore, the record 2012 is information in which the keyword “Tokyo Osaka Shinkansen” included in the “HTTP request” is deleted and anonymized HTTP request “GET / solr / select? / Q =” is anonymized.

  FIG. 15 is a diagram illustrating a data structure of the already held information 301 according to the first embodiment.

  The already held information 301 is stored in a disk or memory of the information processing main body 3. The already held information 301 is information used for the analysis processing of the anonymized information 203.

  The held information 301 includes data having a table structure of “Web packet limit amount release list 3010”. The data items of the Web packet limit release list 3010 may include, for example, “personal ID” and “HTTP request”. “Personal ID” is an identifier of an individual. The “HTTP request” is an HTTP request to a Web site that the individual indicated by the “personal ID” needs to access without limitation on the amount of Web packets. This Web packet limit amount release list 3010 includes the original information 201 that is not anonymized for the purpose of releasing the limit on the packet amount of Web access for an “HTTP request” that can identify an individual having “person ID”. It remains.

  FIG. 16 is a sequence diagram illustrating a process pattern registration process according to the first embodiment.

  First, the information management entity 2 obtains entity information (subject name, entity type, country / region where the entity is located, organization name, etc.) of the information management entity 2 and the information processing entity 3 from the entity information storage unit 101 of the information management apparatus 1. (S101).

  Next, the information management apparatus 1 notifies the information processing entity 3 that the entity information has been registered by the information management entity 2 (S102).

  The information processing entity 3 registers the processing pattern (processing purpose, processing data item, processing type, etc.) in the processing pattern storage unit 106 of the information management device 1 (S103).

  Next, the information management apparatus 1 uses the anonymization condition generation unit 107 to generate anonymization conditions based on the subject information registered in S101 and the processing pattern registered in S103, and notify the information management subject 2 (S104). In addition, in FIG.18 and FIG.19, the flow of a process of the anonymization condition production | generation part 107 in S104 is explained in full detail.

  Next, the information management entity 2 generates anonymization information 203 from the original information 201 based on the anonymization condition notified in S104 (S105).

  Next, the information management entity 2 registers the anonymization information 203 on a WEB server or the like accessible by the information processing entity 3, and transmits the acquisition address (URL, etc.) of the registered anonymization information 203 to the information management apparatus 1. (S106).

  Finally, the permission process pattern registration unit 1051 of the information management apparatus 1 includes a permission process ID, a permission date, a permission deadline, an anonymized information address, a provider principal ID, a provider principal ID, an anonymization condition ID, and a process pattern ID. A record of a permission processing pattern consisting of, etc. is generated. The permission processing pattern registration unit 1051 registers the generated permission processing pattern record in the permission processing pattern storage unit 109, and notifies the information processing entity 3 that the processing pattern and anonymization information have been registered (S107).

  FIG. 17 is a sequence diagram illustrating a process pattern permission process according to the first embodiment.

  First, the information processing entity 3 transmits a processing pattern permission inquiry request including processing pattern information to the information management apparatus 1 (S201).

  Next, the information management apparatus 1 uses the permission inquiry response unit 1052 to check whether the processing pattern included in the inquiry request is stored in the permission processing pattern storage unit 109. When the processing pattern included in the inquiry request is stored in the permission processing pattern storage unit 109, the information management device 1 responds to the information processing entity 3 with the processing permission and the acquisition address of the corresponding anonymized information 203. If the processing pattern included in the inquiry request is not stored in the permission processing pattern storage unit 109, the information management device 1 responds to the information processing entity 3 with processing disapproval and a processing pattern registration instruction (S202).

  If the information processing entity 3 receives the response in S202 and has permission to process, the information processing entity 3 sends the anonymized information to the acquisition address of the anonymized information (eg, URL of anonymized information on the WEB server of the information management entity 2). Request acquisition. On the other hand, if the processing is not permitted, the information processing entity 3 executes S103 of the process pattern registration process of FIG. 16 and receives a registration completion notification in S107, and then returns to S201 (S203).

  When the information management entity 2 receives a request for obtaining anonymized information from the information processing entity 3, the information management entity 2 transmits the anonymization information 203 to the information processing entity 3 (S204).

  Next, the information management entity 2 registers the date and time when the anonymized information 203 is transmitted to the information processing entity 3 in the “provider transmission date and time” column of the permission processing history storage unit 104 of the information management device 1 (S205).

  When the reception of the anonymized information 203 from the information processing entity 2 is completed, the information management entity 3 registers the received date and time in the “providing destination reception date” column of the permission processing history storage unit 104 of the information management device 1. (S206).

Finally, the information management entity 3 executes an analysis process based on the approved process pattern (S207).

  FIG. 18 is a flowchart illustrating anonymization condition generation processing according to the first embodiment.

  First, the anonymization condition generation unit 107 acquires information on a processing pattern to be anonymized from the processing pattern storage unit 106. Specifically, the anonymization condition generation unit 107 includes the data items of the already held information 301 and the analysis processing result 303 already held by the information management entity 2 and the information processing entity 3, and the analysis processing of the analysis processing unit 303. The type (search, matching, frequency calculation, etc.) is acquired (S301).

  Next, the matching unit 1071 obtains each data item acquired in S301 and the data item defined as personal information in the country where the information management entity 2 and the information processing entity 3 are located from the legal requirement storage unit 102. The data item which is personal information is specified, and it is set as the anonymization object data item group G (S302).

  Next, the matching unit 1071 determines each data item and process acquired in S301 based on the unprocessable list 103 that holds a process pattern with high re-specification extracted from a case where personal information is re-specified from the anonymized information 203. The presence or absence of the processing pattern including the type of is confirmed. When there is a processing pattern, the matching unit 1071 adds a data item that is an element of the processing pattern to the anonymization target data item group G (S303).

  Next, the anonymization method determination unit 1072 has acquired in the past from the information processing entity 2 in the already held information 301 from the permission processing history storage unit 104, the permission processing pattern storage unit 109, and the anonymization condition storage unit 108. Get the data item. The anonymization method determination unit 1072 matches the history with the data item of the newly registered processing pattern, determines whether or not a specific individual can be re-specified, and if it can be specified again, causes re-specification. The data item is set as a non-matchable data item F (S304). Detailed processing contents of the permission processing history check processing will be described in detail with reference to FIG.

  Next, the anonymization method determination unit 1072 anonymizes the anonymization method (deletion, pseudonymization, generalization, k-anonymization, etc.) to be executed for each data item of the anonymization target data item group G. It acquires from the method list | wrist 110, and produces | generates the pair information of each data item and anonymization method. And it registers with the anonymization condition storage unit 108 together with the anonymization condition ID, the original information data item acquired as the original information, and the unmatchable data item F (S305).

  Finally, the permission process pattern registration unit 1073 generates a permission process ID, and the permission process pattern storage unit 109 generates a permission date, a permission deadline, a provider entity ID, a provider entity ID, an anonymization condition ID, and a process pattern ID. And the process ends (S306).

  FIG. 19 is a flowchart showing the permission process history check process according to the first embodiment.

  First, the anonymization method determination unit 1072 counts the number of records in the permission processing history storage unit 104. If the number of records is greater than 0 (YES), the process proceeds to S402. If the number of records is 0 (NO), The process ends (S401).

  Next, in S402, the anonymization method determination unit 1072 acquires the value of the “permitted process ID” column from the permitted process history storage unit 104 (S402).

  Next, the anonymization method determination unit 1072 searches the permission process pattern storage unit 109 based on the permission process ID acquired in S402, and acquires the anonymization condition ID from the record with the matching permission process ID (S403). .

  Next, the anonymization method determination unit 1072 searches the anonymization condition storage unit 108 based on the acquired anonymization condition ID, and stores data from the “original information data item” column of the record having the matching anonymization condition ID. Items are extracted and added to the already-held data item group D (S404).

  Next, the anonymization method determination unit 1072 extracts the data item acquired from the information management entity 2 from the processing pattern acquired in S301, and adds it to the newly acquired data item group DN (S405).

  Next, the anonymization method determination unit 1072 counts the number of data items common to the already held data item group D and the newly acquired data item group DN acquired in S404 and S405. When the count is 0 or more (YES), the anonymization method determination unit 1072 proceeds to S407, and when the count is 0 (NO), the process ends (S406).

  Next, in S407, the anonymization method determination unit 1072 performs the data item of the personal information included in the table in the stored information 301 including the data items common to the stored data item group D and the newly acquired data item group DN. Count the number. If the count is 0 or more (YES), the anonymization method determination unit 1072 proceeds to S408, and if the count is 0 (NO), the process ends (S407).

  Next, the anonymization method determination unit 1072 cannot match the data item group including the data item common to the already held data item group D and the newly acquired data item group DN and the data item of the personal information counted in S407. The data item group F is output, and the process ends (S408).

  For example, it is assumed that the information processing entity 3 already holds the Web packet limit release list 3010 (see FIG. 15) as already held information 301 in S304. The information processing entity 3 may have a pair of a personal ID that has not been anonymized and an HTTP request data item for an application for release control of the Web packet limit amount. In this case, when the anonymized information 203 of the access log including the anonymized personal ID and the HTTP request as the original information 201 is received and matched with the non-anonymized personal ID already held and the HTTP request The anonymized personal ID is re-specified. Therefore, in order to prevent such re-specification, the personal ID that is not anonymized and the data item of the HTTP request can be extracted as the non-matchable data item F by the permission processing history check process.

  The information management system 10 according to the first embodiment has been described above with reference to FIGS.

  (1-2) Effects of the first embodiment

  As described above, the information management entity 2 such as a company or an organization uses the anonymized information 203 based on legal and regulatory requirements for information processing centers and other information for the purpose of analysis processing such as security operations and marketing analysis. The information processing entity 3 responsible for processing is referred to. In this case, since the use permission range of the anonymization information 203 is managed after anonymizing under anonymization conditions that satisfy the legality requirement, the non-specification state of the anonymization information 203 can be maintained. Therefore, it is possible to avoid a situation in which the individualized data is identified by matching the data after anonymization with another data or by an unexpected analysis process.

  Furthermore, the information management system 10 includes an unprocessable list 103 that stores processing patterns having a high respecification risk based on respecification cases of personal information among the processing patterns. Thereby, since the anonymization condition includes the anonymization condition of the data item of the processing pattern having the re-specific case in the non-processable list check process S303, the anonymization condition includes the anonymization condition of the data item of the processing pattern with the re-specific case. Risk can be reduced.

  Further, the information management system 10 holds the permission processing pattern for the information processing entity 3 in the past and the history of the anonymized information 203 in the permission processing history storage unit 104. In addition, the information management system 10 determines the anonymity of the data item that identifies the individual by matching the original information of the anonymized information obtained in the past by the information processing entity 3 in the permission processing history check process S304. Is included in the anonymization condition. As a result, it is possible to prevent re-identification of an individual due to a match with past held information 301.

  Further, in the information management system 10, when the anonymization information 203 is transmitted to the permission processing history storage unit 104 (S204), the information management entity 2 on the transmission side registers the transmission history (S205), and information on the reception side The processing entity 3 registers the reception history (S206). Thereby, the transfer history of information between organizations can be memorized in detail, and the transfer history and transfer range of information can be easily grasped at the time of audit or deletion.

(2) Second embodiment (2-1) Configuration of information processing system according to the second embodiment

  FIG. 20 is a block diagram illustrating a software configuration of the information management system 20 according to the second embodiment. The hardware configuration of the information management system 20 is the same as that shown in FIG. Hereinafter, description of the same elements as those in the first embodiment is omitted.

  In the information management system 20 in the second embodiment, the information management entity 12 is assumed to be an information bank that manages deposit personal information 1201 deposited by individuals. The information processing entity 13 assumes a personal information utilization organization that analyzes and utilizes the anonymized information 1203 anonymized by the information bank 12. The information management system 20 anonymizes anonymization conditions that satisfy the legality requirements regarding the personal information of the country, region, organization, etc. where each of the entities 12 and 13 is located, based on the processing pattern of the information processing entity 13 and the existing information 301 Generated by the condition generation unit 107. The information management system 20 transmits the generated anonymization condition to the information management entity 12, and the permission processing pattern management unit 105 manages the use permission range of the anonymization information 1203. The information management system 20 responds to the processing permission only in the case of the processing pattern registered in the permission processing pattern management unit 105 in response to the processing permission query of the information processing entity 13. Thereby, the information management system 20 provides a function of maintaining the non-specification state of the anonymized information 1203 in the personal information utilization organization.

  Hereinafter, the deposit personal information 1201, the anonymization condition recording unit 1108, and the anonymization information 1203 which are different from the first example in the second example will be described with reference to the drawings.

  FIG. 21 is a diagram showing a data structure of deposit personal information 1721 according to the second embodiment.

  Deposit personal information 1201 is stored in the disk or memory of information management entity 2. Deposit personal information 1201 is personal information deposited by a personal information depositor such as an information bank. The data items of the deposit personal information 1201 may include, for example, “personal ID”, “name”, “date of birth”, “address”, “hobby”, “physical condition”, and “family composition”. “Personal ID” is an identifier of an individual. “Name” is the name of an individual. “Date of birth” is the date of birth of the individual. “Address” is a personal address. “Hobby” is a personal hobby. “Physical condition” is an individual's physical condition. “Family structure” is an individual family structure.

  For example, in record 12011, “personal ID” is “1111”, “name” is “Ichiro Yamada”, “birth date” is “1973/1/1”, hobby is “reading”, currently “physical condition” "Has a headache" and "Family composition" is a family of four, "Wife, eldest son, second son".

  FIG. 22 is a diagram illustrating a data structure of the anonymization condition storage unit 1108 according to the second embodiment.

  The data item (column) configuration of the anonymization condition storage unit 1108 is the same as that of the anonymization condition storage unit 108 of FIG.

  For example, the record 11081 defines an anonymization condition having an “anonymization condition ID” of “Z1”. Record 11081 includes “personal ID (anonymization method: deletion), name (anonymization method: deletion), date of birth (anonymization method: generalization: year of birth) for each“ anonymization data item ”to be anonymized. , The address (anonymization method: generalization: prefecture) indicates that the anonymization is performed, and the record 11081 is “hobby”, “physical condition”, “family composition”, which is a data item of the deposit personal information 1201. And the conditions for generating the anonymization information 1203 are shown.

  FIG. 23 is a diagram illustrating a data structure of anonymized information 1203 according to the second embodiment.

  Anonymized information 1203 is an “anonymized date of birth” column obtained by deleting the “personal ID” column and the “name” column of the deposited personal information 1201 from the deposited personal information 1201 and then anonymizing the “birth date” column. And an “anonymized address” column obtained by anonymizing the “address” column. In other words, the anonymized information 1203 includes the same “hobby” column, “physical condition” column, and “family structure” column as the deposit personal information 1721.

  For example, the record 12031 is obtained by anonymizing the record 12011 of the deposit personal information 1201 under the anonymization condition of “anonymization condition ID” “Z1” described above. The record 12011 includes “1973 (generalization: youth)” for “anonymization date of birth” and “Tokyo (generalization: prefecture)” for “anonymization address”. The record 12031 indicates that the information is a non-anonymized “hobby” is “reading”, “physical condition” is “headache”, and “family composition” is a family of four, “wife, eldest son, second son”.

  The information management system 20 of the second embodiment has been described above with reference to FIGS. 20 to 23, focusing on differences from the information management system 10 of the first embodiment.

  (2-2) Effects of the second embodiment

  As described above, in the information management system 20 of the second embodiment, the information management entity 12 such as an information bank is responsible for managing and operating the deposited personal information 1201 deposited by individuals based on laws and regulations. is there. In the information management system 20, when the anonymized information 1203 is referred to the information processing entity 13 such as a personal information use organization utilized for the purpose of analysis processing such as marketing analysis, the information management system 20 is anonymous under the anonymization condition satisfying the legal requirement. And manage the scope of permission to use anonymized information. As a result, the de-identification state is maintained, and the anonymized information is re-identified by matching with other data or unexpected analysis processing, and the information bank and the personal information using company are violated by laws and regulations. And avoiding adverse effects on the business.

  As described above in (1-1) to (2-2), companies and organizations that handle personal information satisfy the requirements of legality based on information and processing patterns that match anonymized information at the time of use. After anonymizing under anonymization conditions, manage the use permission range of anonymized information. As a result, the personal information can be kept in a non-specific state, and anonymized data is prevented from being identified by being matched with other data or subjected to unexpected analysis processing. be able to.

  The present invention is not limited to the above-described embodiments, and includes various modifications and equivalent configurations within the scope of the appended claims. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and the present invention is not necessarily limited to those having all the configurations described. A part of the configuration of one embodiment may be replaced with the configuration of another embodiment. Moreover, you may add the structure of another Example to the structure of a certain Example. In addition, for a part of the configuration of each embodiment, another configuration may be added, deleted, or replaced.

  In addition, each of the above-described configurations, functions, processing units, and the like may be realized in hardware by designing a part or all of them, for example, with an integrated circuit, etc., and a program for the processor to realize each function. It may be implemented in software by interpreting and executing.

  Information such as programs, tables, and files that realize each function can be stored in a storage device such as a memory, a hard disk, or an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and do not necessarily indicate all control lines and information lines necessary for mounting. In practice, it can be considered that almost all the components are connected to each other.

  In addition to personal information, the present invention uses non-specific information that is highly sensitive, such as trade secrets, and is restricted from being disclosed outside the company by internal rules, etc., and uses processing services of external organizations. In addition, a similar effect can be obtained.

  The present invention maintains an unspecified state by anonymizing personal information and confidential business information in accordance with legal and regulatory requirements and internal rules in multiple organizations that handle personal information such as customer information and medical information, and sensitive information such as confidential business information. The present invention can be widely applied to information processing systems that provide functions.

DESCRIPTION OF SYMBOLS 1 ... Information management apparatus, 2 ... Information management main body, 12 ... Information management main body, 10 ... Information management system, 20 ... Information management system, 102 ... Legal regulation requirement memory | storage part, 103 ... Process impossible list | wrist, 104 ... Permit processing log | history storage , 1051... Processing pattern registration unit, 107... Anonymization condition generation unit, 109... Permitted processing pattern storage unit, 201... Original information, 202 ... Anonymization unit, 302 ... Analysis processing unit, 1201.

Claims (8)

An information management system capable of executing anonymization processing for anonymizing sensitive information among management information,
A legal and regulatory requirement storage unit that stores legal and regulatory requirements including attributes of sensitive information that is the target of the anonymization process;
A process pattern registration unit that accepts registration of the process pattern of the anonymization process;
An anonymization condition generation unit that generates anonymization conditions of the anonymization process based on the legal regulation requirements and the processing pattern;
An information management system including an anonymization unit that generates anonymization information from the management information based on the anonymization condition. A permission information storage unit that stores a permission processing pattern that is permitted to execute the anonymization process among the processing patterns, the anonymization condition, and the anonymization information;
The information management system according to claim 1. Further comprising an analysis processing unit for executing a restoration process for restoring the anonymized information based on the processing pattern,
The analysis processing unit executes the anonymization process when a permission process pattern corresponding to the restoration process to be executed is stored in the permission information storage unit.
The information management system according to claim 2. A processing disabling list storage unit that stores a processing disabling pattern with a high re-specification risk of the sensitive information among the processing patterns,
The anonymization condition generation unit generates the anonymization condition based on the legal regulation requirements, the processing pattern, and the non-processable pattern.
The information management system according to claim 3. A permission processing history storage unit that stores a transfer history of the anonymization information;
The transfer history includes data items for which the anonymization process has not been performed, and data items to be re-specified,
The anonymization condition generation unit generates the anonymization condition based on the legal regulation condition, the processing pattern, and the transfer history.
The information management system according to claim 3. The permission processing history storage unit further stores a reception history of the anonymization information,
When the analysis processing unit receives the anonymization information of the anonymization process to be executed, the analysis processing unit stores the reception history of the anonymization information of the anonymization process to be executed in the permission process history storage unit.
The information management system according to claim 5. An information management method capable of executing anonymization processing for anonymizing sensitive information among management information,
Stores the legal and regulatory requirements including the attributes of sensitive information subject to the anonymization process,
Accepting registration of the processing pattern of the anonymization process,
Generate anonymization conditions for the anonymization process based on the regulatory requirements and the processing pattern,
Generate anonymization information from the management information based on the anonymization conditions,
The permission process pattern in which the execution of the anonymization process is permitted among the process patterns, the anonymization condition, and the anonymization information are stored,
Of the restoration processing for restoring the anonymization information based on the processing pattern, when the permission processing pattern corresponding to the restoration processing to be executed is stored, the anonymization information is restored based on the processing pattern An information management method for executing restoration processing. An information management device capable of generating anonymization conditions for anonymization processing for anonymizing sensitive information among management information managed by an information management entity,
A legal and regulatory requirement storage unit that stores legal and regulatory requirements including attributes of sensitive information that is the target of the anonymization process;
A process pattern registration unit that accepts registration of the process pattern of the anonymization process;
The information management apparatus which has an anonymization condition production | generation part which produces | generates the anonymization conditions of the said anonymization process based on the said regulatory requirements and the said process pattern.

Images