JP2020003897A - Data management system and node device - Google Patents

Abstract

To provide a data management system and a node device that can appropriately handle sensitive information that requires a specific qualification for access in a network on which information is shared among a plurality of nodes.SOLUTION: A node 10 includes a block generation unit 11, a storage unit 12, a qualification determination unit 13, and a data acquisition unit 14. The block generation unit generates a storage destination block including storage destination information and location information. The storage unit stores all storage destination blocks generated by the plurality of nodes 10. The qualification determination unit determines whether the own current location or a residence place of a user is within a restricted range based on the location information in response to an access request to restricted sensitive information by the user thereof. When it is determined that the own current location or the residence place of the user is within the restricted range, the data acquisition unit acquires the restricted sensitive information on which the access request was made, from a data server that stores the restricted sensitive information on which the access request was made.SELECTED DRAWING: Figure 3

Description

  The present disclosure relates to a data management system and a node device using a blockchain technology.

  There is a demand for a method of suitably managing sensitive information (also referred to as sensitive information). Sensitive information is information that should be handled very carefully, for example, personal thoughts and creeds, and state secrets.

  Depending on the type of sensitive information, for example, a place (geographic range) where the sensitive information can be accessed is predetermined. Examples of such information include, for example, technical information that is restricted from being taken out of a specific country or company, personal information including information that can identify a specific individual (name, address, contact information, etc.), and There are medical information and the like where storage locations and taking out are restricted by law.

  As described above, for example, methods disclosed in Patent Literatures 1 and 2 are methods for managing sensitive information in which accessible locations are predetermined.

  Patent Literature 1 discloses that, when using the mobile terminal with patient information used at the time of home visit to a patient's house, only when the position information of the mobile terminal matches the position information previously associated with the patient information, Disclosed a technology that allows patient information to be downloaded and viewed on a mobile terminal, and that the patient information is deleted from the mobile terminal if the mobile device's location information does not match the location information previously associated with the patient information Have been.

  Further, in Patent Document 2, when the position of the portable terminal is acquired, and the time and position of the portable terminal do not match the scheduled time and position, the information management unit deletes the electronic information from the storage unit. The technology is disclosed.

Japanese Patent No. 6238540 JP-A-2015-184745

  The technologies disclosed in Patent Documents 1 and 2 are systems in which sensitive information is centrally managed by a server device. However, in the case of centrally managing sensitive information, it is necessary to increase the size of the server device when the amount of data is large, and the cost is high. I have. In addition, there is a demand for owners of sensitive information not to deposit information in a server device but to manage the information themselves.

  In recent years, information management using blockchain technology has become widespread as a technology that can meet such demands. In this specification, the blockchain technology is referred to as "a network in which information (blocks) is shared among participating terminals (hereinafter, referred to as nodes), instead of centrally managing information in a specific configuration such as a server". Define. Blockchain technology is resistant to obstacles because information is shared by all nodes, and does not perform centralized unified management, so it meets the information owner's desire to manage the information themselves.

  However, there are some sensitive information that requires specific qualifications to access, and when trying to manage such sensitive information with blockchain technology, there is no centralized management of qualifications, so qualification management is not possible. Have difficulty.

  An object of the present disclosure is to provide a data management system and a node device that can appropriately handle sensitive information that requires a specific qualification for access in a network that shares information among a plurality of nodes.

  A data management system according to an embodiment of the present disclosure includes a network to which a plurality of node devices are connected, and is a data management system that manages data, wherein each of the plurality of node devices has a storage destination in which the data is stored. A block generation unit that generates a storage destination block including storage destination information to be indicated and qualification information relating to a qualification for handling the data; a storage unit that stores all of the storage destination blocks generated by the plurality of node devices; A qualification determining unit that accesses the storage destination block in response to a request to access the data according to the above, and determines whether or not the user or the user has the qualification based on the qualification information; If it is determined that the user has the qualification, the storage destination for storing the data requested to be accessed is It has a data acquisition unit that acquires an access request is made data.

  A data management system according to an embodiment of the present disclosure includes a network to which a plurality of node devices are connected, and is a data management system that manages data. Each of the plurality of node devices includes encrypted data information obtained by encrypting the data. And a block generation unit that generates an encrypted data block including qualification information regarding qualifications for handling the data; a storage unit that stores all the encrypted data blocks generated by the plurality of node devices; A qualification determining unit that accesses the encrypted data block in response to a request for access to the data by a user and determines whether or not the user or the user has the qualification based on the qualification information; If the user is determined to have the qualification, the encrypted data block for which the access request was made. To decrypt the encrypted data information contained in, a data acquisition unit that acquires data.

  The node device according to the present disclosure is a node device connected to a network to which a plurality of node devices are connected, and relates to storage destination information including information indicating a storage destination where data is stored, and a qualification for handling the data. Qualification information, a block generation unit that generates a storage destination block including: a storage unit that stores all the storage destination blocks generated by the plurality of node devices; and a storage unit that stores an access request to the data by its own user. A qualification determination unit that accesses the storage block and determines whether the user or the user has the qualification based on the qualification information, and it is determined that the user or the user has the qualification A data acquisition unit that acquires the requested data from the storage destination that stores the requested data. It has a.

  A node device according to an embodiment of the present disclosure is a node device connected to a network to which a plurality of node devices are connected, and includes encryption data information obtained by encrypting data, and qualification information regarding qualifications for handling the data. A block generation unit that generates an encrypted data block; a storage unit that stores all of the encrypted data blocks generated by the plurality of node devices; A qualification determining unit that accesses a data block and determines whether or not the user or the user has the qualification based on the qualification information, and when it is determined that the user or the user has the qualification, Decrypt the encrypted data information included in the encrypted data block for which the access request was made, and acquire the data. It has a data acquisition unit.

  ADVANTAGE OF THE INVENTION According to this invention, the sensitive information which needs a specific qualification for access can be handled suitably in the network which shares information between several nodes.

Conceptual diagram showing the configuration of a data management system according to an embodiment of the present disclosure Conceptual diagram illustrating the structure of individual blocks constituting a block chain shared by a plurality of nodes Diagram for explaining node configuration Flow chart for explaining an operation example of the data management system when new limited sensitive information is stored and managed Flowchart for explaining an operation example of the data management system when a reference process is executed for the stored restricted sensitive information Sequence diagram for explaining a specific example of collection processing Sequence diagram for explaining a specific example of statistical processing

  Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings. However, an unnecessary detailed description, for example, a detailed description of a well-known matter or a redundant description of substantially the same configuration may be omitted.

  The following description and the drawings referred to are provided for those skilled in the art to understand the present disclosure, and are not intended to limit the scope of the present disclosure.

<Configuration of Data Management System 1>
FIG. 1 is a conceptual diagram illustrating a configuration of a data management system 1 according to an embodiment of the present disclosure. As shown in FIG. 1, the data management system 1 includes a plurality of nodes 10 and a data server 30. The node 10 is an example of a node device according to the present disclosure, and the data server 30 is an example of a server device according to the present disclosure. In the example of FIG. 1, the data management system 1 includes five nodes 10, but the present disclosure is not limited to this, and the number of nodes 10 may be two or more. Further, the data management system 1 includes two data servers 30, but the present disclosure is not limited to this, and one or three or more data servers 30 may be used.

  As shown in FIG. 1, a plurality of nodes 10 constitute a P2P (peer-to-peer) type distributed network 20. The block network technology is applied to the distributed network 20. In this specification, the blockchain technology is defined as "a network in which information (blocks) is shared between participating nodes 10 instead of managing information in a specific configuration such as a server" as described above. . In this specification, a database structure in which newly generated blocks are connected in a chain while inheriting the contents of the immediately preceding block, which is a recording mechanism used in the block chain technology, is simply referred to as a “block chain”. "To distinguish them.

  Each of the plurality of nodes 10 constituting the distributed network 20 is connected to the data server 30 via a public network 40 such as the Internet. In the present embodiment, it is assumed that each node 10 is a mobile terminal (portable communication terminal) that can perform wireless communication, such as a mobile phone, a smartphone, and a tablet, and that can be carried and carried by a user. ing.

  On the other hand, the data server 30 is a stationary server device. The data server 30 stores sensitive information for which access locations are restricted in advance. Sensitive information, as described above, is information that should be handled very carefully, such as personal thoughts and beliefs, and state secrets. In this embodiment, as specific examples of sensitive information in which access locations are restricted in advance, for example, technical information that cannot be taken out of a specific country or company, personal information including name, address, contact information, etc. It is assumed that medical information and the like are restricted in storage locations and take-out.

  Examples of the sensitive information in which the accessible location is restricted include, for example, the information in which the location where the storage destination (data server 30) to be stored is installed is restricted, and the node 10 which requests the use of the stored sensitive information. And information where the place of residence of the user of the node 10 making a use request for the stored sensitive information is limited. In the following description, sensitive information whose access location is restricted in advance is referred to as restricted sensitive information.

  The plurality of data servers 30 included in the data management system 1 are installed at different locations. Thereby, when the sensitive information in which the location where the data server 30 to be stored is installed is restricted is stored, the restriction is saved by the data server 30 installed within the restricted range. Can be avoided.

  When the data server 30 receives an access request to the restricted sensitive information from any of the plurality of nodes 10 via the public network 40, the data server 30 transmits the requested restricted sensitive information to the requesting node 10.

  In order for each of the nodes 10 to transmit an access request to the restricted sensitive information to the data server 30, information indicating the data server 30 in which the restricted sensitive information requesting the access is stored is required. In the following description, information indicating the data server 30 in which the restricted sensitive information is stored is referred to as storage destination information. A specific example of the storage destination information is, for example, a URL (when the public network 40 is the Internet).

  The plurality of nodes 10 configuring the distributed network 20 to which the block chain technology is applied share the same data structure (block chain). The block chain includes the above-mentioned storage destination information, information on a location where the sensitive information can be accessed, and the like. The technology that makes it difficult to tamper with the blocks by connecting the blocks in a chain shape is not particularly limited in the present disclosure, and a method used in the existing “block chain technology” may be appropriately adopted. For example, using a hash value of a previous block and various nonce values to calculate a hash value that satisfies a certain condition, and including a nonce value used to calculate a hash value that satisfies the condition in a new block. By connecting the new block to the block chain, the block chain may be generated appropriately.

<Structure of block 500>
FIG. 2 is a conceptual diagram illustrating the structure of each block 500 constituting a block chain shared by a plurality of nodes 10. As shown in FIG. 2, the block 500 has a block type 510, location information 520, information type 530, and content information 540.

  The block type 510 is information indicating the type of the block 500. Specific examples of the block type 510 include, for example, “data” indicating that the block 500 includes information indicating the storage destination of the restricted sensitive information, and a block for making a request to another node 10 or the data server 30. A “request” indicating that the block is 500, a “response” indicating that the block is a block 500 for responding to a request from another node 10, and the like. Details of these types will be described later.

  The location information 520 is information indicating a restriction on an accessible location, which is set in advance in the restricted sensitive information. Examples of the type of the place information 520 include, for example, “saveable place” information, “referenceable place” information, “reference place attribute” information, and the like. Among the place information 520, “saveable place” information is an example of the storable place information of the present disclosure, and “referenceable place” information and “reference place attribute” information are examples of the referenceable place information of the present disclosure. .

  The “storage-possible location” information is information indicating the restriction on the installation location of the data server 30 that can store the sensitive information. The “reference-possible place” information is information indicating the restriction on the place of the node 10 or the user of the node 10 that is permitted to access the restricted sensitive information. The “reference location attribute” information is information indicating whether the location restriction in the “reference location information” is the “current location” of the node 10 or the “resident location” of the user of the node 10. .

  These pieces of location information 520 may be information specifying a plurality of locations or ranges, as well as a specific location. More specifically, it is desirable that the storable location or the referenceable location be set as a predetermined range such as "Tokyo" or "Japan". When the accessible location is indicated by a range, the range may include a predetermined margin.

  The information type 530 is information indicating the type of restricted sensitive information related to the included block 500. Examples of the type of the restricted sensitive information include, for example, the “technical information”, “personal information”, and “medical information” described above.

  The content information 540 is information indicating the content of the included block 500. The content information 540 is related to the block type 510, and the content information 540 of the block 500 whose block type 510 is “data” includes storage destination information indicating a storage destination of the restricted sensitive information. Note that one block may include storage destination information of only one piece of sensitive information, or one block may include storage destination information of a plurality of pieces of sensitive information. The content information 540 of the block 500 whose block type 510 is “request” includes information indicating the content of the requested access and the like. Further, the content information 540 of the block 500 whose block type 510 is “response” includes information indicating a response result to the request, and the like.

<Configuration of Node 10>
Next, the configuration of each node 10 will be described. FIG. 3 is a diagram for explaining the configuration of the node 10.

  As illustrated in FIG. 3, the node 10 includes a block generation unit 11, a storage unit 12, a qualification determination unit 13, a data acquisition unit 14, a data storage unit 15, a block extraction unit 16, and a statistical processing unit 17.

  The block generation unit 11 generates blocks connected to a block chain. In the present embodiment, the blocks generated by the block generation unit 11 include a storage destination block indicating a storage destination of the restricted sensitive information, a request block for making a request to another node 10 or the data server 30, and other blocks. Three types of response blocks for responding to a request from the node 10 are assumed. Details of these blocks will be described later.

  The storage unit 12 stores all blocks generated by all nodes connected to the distributed network 20 as a block chain. In order to maintain this state, the storage unit 12 periodically connects to the distributed network 20 and updates the stored blockchain. As a result, all the nodes 10 supply the same block chain.

  When a request to access the restricted sensitive information is made to the node 10, the qualification determination unit 13 determines whether the current location of the node (node 10) or the residence of the user is preset in the restricted sensitive information. It is determined whether or not the information matches the information indicated by the “referenceable location” and the “reference location attribute”.

  When it is determined that the restriction on the location information set in advance in the restricted sensitive information matches the restricted sensitive information, the data acquisition unit 14 requests the restricted sensitive information based on the storage destination information included in the block stored in the storage unit 12. The information is acquired from the data server 30 at the storage destination.

  When new restricted sensitive information is input to the node 10, the data saving unit 15 extracts the data server 30 installed in a place where the information indicating “saveable place” matches among the place information described above. Then, the new restricted sensitive information is stored in any of the extracted data servers 30. Then, the data storage unit 15 generates storage destination information of the newly stored restricted sensitive information.

  The block extracting unit 16 extracts a block according to the purpose from the block chain stored in the storage unit 12. The blocks according to the purpose are specifically as follows. That is, when a user requests a reference to specific restricted sensitive information stored in the data server 30, a storage block including storage destination information for storing the restricted sensitive information is extracted. Also, when another node 10 is connected to a block chain and requests a collection of specific restricted sensitive information or a statistic using the specific restricted sensitive information, the storage destination information for storing the requested restricted sensitive information. Extract the save destination block containing. The determination as to whether a new request block has been connected to the block chain may be made, for example, by determining whether or not a new request block is included when the storage unit 12 updates the block chain. . Details of the operation of the block extraction unit 16 will be described later.

  When a new request block requesting the statistical processing is connected to the block chain, the statistical processing unit 17 performs the statistical processing according to the request. Details of the statistical processing performed by the statistical processing unit 17 will be described later.

  The configuration of the data management system 1 according to the present embodiment and the blocks to be handled have been described above. Hereinafter, the operation of the data management system 1 will be described with a specific example.

<Save processing>
First, an example of the operation of the data management system 1 when new limited sensitive information is stored and managed will be described. FIG. 4 is a flowchart for explaining an operation example of the data management system 1 when new limited sensitive information is stored and managed.

  In step S1, one of the nodes 10 acquires new restricted sensitive information. In the following description of the storage process, a node that is a main component of the operation is referred to as a node 10A (not shown). The new restrictive sensitive information is acquired by a method in which, for example, a user operating the node 10A operates and inputs the node 10A, or is externally input using an interface (not shown) or the like. In the present disclosure, there is no particular limitation on the method of acquiring new restricted sensitive information by the node 10A.

  In step S2, the data storage unit 15 of the node 10A is configured based on the information (“savable place” information) regarding the restriction on the place where the restricted sensitive information can be stored, which is set in advance in the newly acquired restricted sensitive information. , The data server 30 to be saved is determined. More specifically, for example, when the location where the restricted sensitive information can be stored is set to “Japan”, the node 10A causes the data server 30 installed in Japan to store the restricted sensitive information.

  As a method of determining the data server 30 as a storage destination based on the information indicating the location where the sensitive data can be stored by the data storage unit 15 of the node 10A, for example, the following method is available. As one method, the data storage unit 15 inquires each of the data servers 30 about the respective installation locations, and based on the information on the installation locations obtained as a result of the inquiry and the “saveable location” information. There is a method of determining a data server 30 that can be stored. As another method, all the nodes 10 share information about the installation location of each data server 30 in advance, and the data storage unit 15 can save the information based on the information about the installation location and the “saveable location” information. There is a method of determining the data server 30.

  A specific example of information indicating a place where the limited sensitive information can be stored, which is set in advance in the limited sensitive information, will be described. The limited sensitive information assumed in the present embodiment is, as described above, technical information, personal information, and medical information.

  Generally, for example, medical information is personal information. In some cases, taking out medical information outside a predetermined range (for example, outside the country) is prohibited by law. For this reason, when the newly acquired restricted sensitive information is medical information, the node 10A sets the data set within the range prescribed by law and within the range in which the consent of the owner of the information has been obtained in advance. What is necessary is just to determine that storage is possible only in the server 30.

  If the newly obtained sensitive information is personal information that is not medical information, the node 10A stores the information only in the data server 30 installed within a range in which the consent of the owner of the information is obtained in advance. May be determined to be possible.

  Also, if the newly acquired sensitive information is technical information, the information will be transferred to technology that is prohibited from being taken out of the country under the Foreign Exchange and Foreign Trade Law and its related laws (hereinafter, the Foreign Exchange Law). May be applicable. In such a case, the node 10A first determines whether or not the newly acquired restricted sensitive information is the applicable technology, and if it is the applicable technology, determines whether or not permission has been obtained from the Minister of Economy, Trade and Industry. I do. If the technology is applicable and the permission of the Ministry of Economy, Trade and Industry has been obtained, the node 10A is the data set within the range specified in advance by the Foreign Exchange Act and the range obtained by the permission of the Minister of Economy, Trade and Industry. What is necessary is just to determine that storage is possible only in the server 30. If the technology is applicable and the permission of the Ministry of Economy, Trade and Industry has not been obtained, it is assumed that the node 10A can be stored only in the data server 30 installed within a range determined in advance by the Foreign Exchange Law. Judge it.

  In the case where there are a plurality of data servers 30 at the installation locations where the newly acquired restricted sensitive information can be stored, the node 10A may set the storage destination of the information as one of the storage destinations. . Note that the present disclosure is not limited to this, and the node 10A may divide and store the data in a plurality of data servers 30 determined to be storable.

  Returning to the description of FIG. In step S3, the data storage unit 15 of the node 10A transmits the newly acquired restricted sensitive information to the data server 30 of the storage destination determined in step S2, and stores it. At this time, the data storage unit 15 generates storage destination information (for example, URL) indicating a storage destination where the information is stored.

  In step S4, the node 10A generates a new block including the storage destination information of the restricted sensitive information newly stored in step S3. The contents of the new block generated in step S4 are, for example, as follows. In step S4, since a block including the storage destination information of the restricted sensitive information is generated, the block type is “data”. Further, as the location information, information indicating the restriction of the accessible location (“referenceable location” information and “reference location attribute” information) set in advance in the restricted sensitive information is included as it is. The information type includes the type of the newly stored restricted sensitive information (any of technical information, personal information, and medical information). Further, the content information includes the content of the newly stored restricted sensitive information and the storage destination information indicating the storage destination where the restricted sensitive information is stored. As an example of the content of the limited sensitive information, for example, a value of “HbA1c” which is medical information regarding a certain user, and the like are given. Note that, in this specification, the block newly generated in step S4 is a block including information indicating a storage destination of the restricted sensitive information, and thus is described as a storage destination block.

  In step S5, the storage unit 12 of the node 10A stores the storage destination block generated in step S4. More specifically, the storage unit 12 connects the new storage destination block to the block chain.

  By performing the above-described operation by the node 10A, new limited sensitive information is stored in the data server 30 of the data management system 1. As described above, in the data management system 1, the limited sensitive information itself is stored in the data server 30, and the block chain including the storage destination information in the block is shared by all the nodes 10. Since all the blocks generated in the past are shared by all the nodes 10 as a blockchain, the storage destination information of all the limited sensitive information stored in the past is shared by all the nodes 10. Will be.

<Reference processing>
Next, an operation example of the data management system 1 in a case where one of the plurality of nodes 10 performs a reference process on the stored and managed restricted sensitive information will be described. FIG. 5 is a flowchart for explaining an operation example of the data management system 1 when a reference process is performed on the stored restricted sensitive information.

  In step S11, one of the nodes 10 (node 10A) acquires a reference request. This reference request is acquired by, for example, the user of the node 10A operating the node 10A. More specifically, for example, the node 10A displays a list of the limited sensitive information stored in the data management system 1 on a display unit (not shown) or the like, and when the user selects any of them, the node 10A May be obtained by referring to the selected restricted sensitive information.

  In step S12, the block extraction unit 16 of the node 10A extracts, from all the blocks of the block chain stored in the storage unit 12, a block including the storage destination information of the restricted sensitive information requested to be referenced in step S11. .

  In step S13, the qualification determination unit 13 of the node 10A refers to the “reference location attribute” information among the location information of the blocks extracted in step S12 (see FIG. 2). As described above, the “reference location attribute” information is information indicating whether the location restriction in the “reference available location” information is “current location” or “living location”. If the reference location attribute indicated by the “reference location attribute” information is “current location”, the process proceeds to step S14, and if “reference location”, the process proceeds to step S15.

  Then, in step S14, the qualification determination unit 13 of the node 10A acquires the current location information indicating the current location of the node 10A. The method by which the node 10A acquires the current location information is not particularly limited in the present disclosure, but the current location information may be acquired using, for example, a GPS (Global Positioning System) or the like of the node 10A.

  On the other hand, in step S15, the qualification determination unit 13 of the node 10A acquires the residence information indicating the residence of the user of the node 10A. The method by which the node 10A acquires the residence information is not particularly limited in the present disclosure. For example, the node 10A may acquire the residence information by causing the user to input information indicating the residence via an operation unit (not shown). Just fine. Alternatively, the residence information may be obtained by reading a document (such as a passport) proving the residence of the user using a camera or the like.

  Then, in step S16, the qualification determination unit 13 of the node 10A determines whether the current location information or the residence information acquired in step S14 or S15 is restricted to the location indicated by the "referenceable location" information predetermined in the restricted sensitive information. It is determined whether it is included in the range. If it is determined in step S16 that it is within the limit range (step S16: YES), the process proceeds to step S17; otherwise (step S16: NO), the process proceeds to step S19.

  In step S17, the data acquisition unit 14 of the node 10A determines that the user or the user of the node 10A can refer to the restricted sensitive information, and based on the storage destination information, transmits a transmission request of the restricted sensitive information to the storage destination data. It is transmitted to the server 30.

  In step S18, the data acquisition unit 14 acquires the restricted sensitive information transmitted by the data server 30.

  On the other hand, in step S19, the node 10A determines that the node 10A or its own user cannot refer to the restricted sensitive information, and cancels the reference request for the restricted sensitive information. Specifically, for example, a display indicating that the requested restricted sensitive information cannot be referred to is displayed on the display unit or the like.

  As described above, in the reference processing, the current location of the node 10A itself or the place of residence of the user of the node 10A is within the restricted range of the location indicated by the “referenceable location” information preset in the restricted sensitive information. Only when there is, obtain the limited sensitive information. As a result, sensitive information whose storage and / or reference location is restricted can be suitably handled in a network that shares information among a plurality of nodes.

<Collecting process>
Next, an operation example of the data management system 1 in a case where one of the nodes 10 performs a collection process on the stored and managed restricted sensitive information will be described. In this specification, the term "collection" means to collect specific limited sensitive information.

  FIG. 6 is a sequence diagram for describing a specific example of the collection process. More specifically, FIG. 6 illustrates an operation example of the data management system 1 when a certain node 10A requests collection of specific restricted sensitive information. In FIG. 6, one requesting node 10 is referred to as a “node 10A”, and the other nodes 10 (a plurality of nodes 10) other than the node 10A are referred to as a “node 10B”.

  In step S21, the node 10A acquires a collection instruction from its own user. In the following description, as an example of the collection instruction, the user of a certain node 10A instructs the node 10A to collect a value for a certain period (for example, one year) for “HbA1c” which is one of the items of medical information. The explanation will be made assuming that it has been input.

  In step S22, the block generation unit 11 of the node 10A generates a new block related to the collection instruction specified in step S21. The contents of the new block generated in step S22 are as follows, for example. The block type is “request” because it is a response request to another node 10B. The location information includes information indicating the current location of the user or the place of residence of the user. Further, “medical information” is included as the information type. Further, as the content information, the request type (collection request), the content of the requested restricted sensitive information (the HbA1c value for one year), the filter information (the condition attached to the collection value: for example, date) , Gender, specific organizations such as hospitals, specific individuals, etc.). In the present specification, the block newly generated in step S22 is a block including a request for another node 10B, and is therefore described as a request block.

  In step S23, the storage unit 12 stores the new request block generated in step S22. As a result, the new request block is connected to the block chain. With this as a trigger, each of the other nodes 10B executes the following processes from step S24 to step S211.

  In step S24, the block extraction unit 16 of the node 10B refers to the location information of the new request block from among all the storage destination blocks included in the block chain, and stores the storage destination block regarding the restricted sensitive information matching the location information. Is extracted. More specifically, based on the information indicating the current location of the node 10A or the residence of the user of the node 10A included in the request block, the location information satisfying the restriction (“referenceable location” information and “reference location attribute” "Information").

  In step S25, the block extraction unit 16 of the node 10B selects, from the storage destination blocks detected in step S24, a block indicating the storage destination in which the limited sensitive information (here, the HbA1c value for one year) to be collected is stored. Extract.

  In step S26, the block extraction unit 16 of the node 10B determines whether or not the number extracted in step S25 is larger than a predetermined threshold. The predetermined threshold is, for example, 0.

  If it is determined that the number of extractions is greater than the predetermined threshold (step S26: YES), in step S27, the node 10B requests the restricted sensitive information stored in the storage destination block extracted in step S25 from the request source (node 10A The user inquires of his / her own user for permission to disclose the request to determine whether permission has been obtained. This determination shows, for example, a list or a breakdown of the extracted restricted sensitive information to the user, displays that another node requests disclosure of the information, and indicates whether to permit the user. What is necessary is just to make it input whether or not.

  On the other hand, if it is determined that the number of extractions is equal to or less than the predetermined threshold (step S26: NO), the node 10B determines that it cannot provide information that meets the request of the node 10A, and proceeds to the statistical processing described below (FIG. 6 and FIG. 7A). In the collection process, based on the current location of the requesting node 10A or the residence of the user of the node 10A, whether or not the location is within the limited range of the location information preset in the restricted sensitive information requested to be collected is determined. This is because the determination is not performed in the statistical processing. Details of the statistical processing will be described later.

  If the permission of the user has been obtained (step S27: YES), in step S28, the data storage unit 15 of the node 10B stores the collection result in an arbitrary storage destination. At this time, the data storage unit 15 can store the collection result based on the installation location of the data server 30 at the storage destination and the “saveable location” information included in the collection result, similarly to the above-described storage processing. Save to the save destination. On the other hand, when the permission of the user is not obtained (step S27: NO), the node 10B discards the collection result and ends the collection processing.

  In step S210, the block generation unit 11 of the node 10B generates a new block including the storage destination where the collection result is stored in step S28. The contents of the new block generated in step S210 are as follows, for example. The block type is “response” because it is a response to the requesting node 10A. Then, as the location information, “reference-possible location” information and “reference location attribute” information preset in the limited sensitive information of the collection result are included. This prevents a situation in which a node other than the request source and whose current location is outside the referenceable location range refers to the collection result. Then, the content information includes the response type (collection), the content of the response (collection of HbA1c values for one year), and the like. Note that, in this specification, the block newly generated in step S210 is a block relating to a response to the node 10A, and thus is described as a response block.

  In step S211, the storage unit 12 stores the new response block generated in step S210. As a result, the new response block is connected to the block chain. In response to this, the requesting node 10A acquires the collection result in step S212. More specifically, a collection result is obtained based on the response blocks of the plurality of nodes 10B and the storage destination information included in each response block. This collection result is the HbA1c value for one year of the users of the plurality of nodes 10B.

<Statistical processing>
Next, an operation example of the data management system 1 in a case where one of the plurality of nodes 10 performs statistical processing on the stored and managed restricted sensitive information will be described. In this specification, the term “statistics” means that specific limited sensitive information is collected, and then the tendency, characteristics, and the like of the group are quantitatively expressed.

  FIG. 7 is a sequence diagram for describing a specific example of the statistical processing. More specifically, FIG. 7 illustrates an operation example of the data management system 1 when a certain node 10A requests statistics regarding specific restricted sensitive information. In FIG. 7, one request source node 10 is described as “node 10A”, and the other nodes 10 (plural nodes 10) other than node 10A are described as “node 10B”.

  In step S31, the node 10A acquires a statistical instruction from its own user. In FIG. 7, as an example of the collection instruction, the user of a certain node 10 </ b> A calculates a statistical value based on the values of a plurality of users in a certain period (for example, one year) regarding “HbA1c” which is one of the items of medical information. The description will be made assuming that the instruction to acquire is input to the node 10A. The statistical value includes, for example, an average value, a frequency distribution, a standard deviation, a parameter, and the like.

  In step S32, the block generation unit 11 of the node 10A generates a new request block related to the statistical instruction specified in step S31. The contents of the new request block generated in step S32 are as follows, for example. The block type is “request” because it is a response request to another node 10B. Further, “medical information” is included as the information type. Also, as the content information, the request type (statistics), the content of the requested restricted sensitive information (the HbA1c value for one year), the filter information (conditions attached to the collected values: for example, date and gender) , Specific organizations such as hospitals, specific individuals, etc.).

  In step S33, the storage unit 12 of the node 10A stores the new request block generated in step S32. As a result, the new request block is connected to the block chain. With this as a trigger, each of the other nodes 10B executes the following processes from step S34 to step S310.

  In step S34, the block extraction unit 16 of the node 10B refers to the content information of the new request block and extracts a storage destination block including the requested restricted sensitive information. Thereby, information indicating the HbA1c value for one year of the user is acquired. When it is determined that collection is not possible in the collection process (step S26 in FIG. 6: NO), the process shifts from this step S34 to the statistical process.

  In step S35, the statistical processing unit 17 of the node 10B calculates a statistical result according to the format of the requested statistical value. For example, when an average value is requested as a statistical value, the statistical processing unit 17 calculates the average value based on the value obtained in step S34.

  In step S36, the node 10B requests permission of its own user to disclose the statistical value calculated in step S35 to the request source (node 10A), and determines whether the permission has been obtained. Do. This determination is similar to the above-mentioned collection processing, for example, showing the list and the breakdown of the extracted restricted sensitive information to the user, and displaying that another node has requested disclosure of the statistical value information. Then, it may be performed by allowing the user to input whether or not to permit.

  When the permission of the user is obtained (step S36: YES), in step S37, the data storage unit 15 stores the statistical value calculated in step S35 in a predetermined storage destination. Here, the predetermined storage destination is, for example, the data server 30 designated by the requesting node 10A.

  On the other hand, if the user's permission has not been obtained (step S36: NO), in step S38, the node 10B discards the calculated statistic and ends the statistic processing.

  In step S39, the block generation unit 11 of the node 10B generates a new block including the statistical value calculated in step S35. The contents of the new block generated in step S37 are, for example, as follows. The block type is “response” because it is a response to the requesting node 10A. Then, the content information includes a response type (statistic), a response content (statistical value of the HbA1c value for one year), and the like.

  In step S310, the storage unit 12 of the node 10B stores the new response block generated in step S37. As a result, the new response block is connected to the block chain. In response to this, the data acquisition unit 14 of the requesting node 10A acquires the calculated statistical values of the plurality of nodes 10B in step S311.

  Then, in step S312, the statistical processing unit 17 of the node 10A calculates an overall statistical value based on the individual statistical values. The individual statistic is a statistic generated by each node 10B, and the overall statistic is a statistic calculated by integrating statistic values obtained from all the nodes 10B.

  As described above, when the user of a certain node 10A collects the restricted sensitive information possessed by another node 10B or requests statistics using the restricted sensitive information, the other node 10B responds to the request block by responding to the request block. Responds to this request by generating For this reason, compared to a data management system in which information is centrally managed, for example, the load is distributed to each node 10, so that processing can be executed with a low load.

  In the collection process, the node 10B determines whether the current location of the requesting node 10A or the residence of the user of the node 10A is within the restricted range of the location information based on the location information preset in the restricted sensitive information. Is determined. For this reason, the collection process can be suitably performed even for sensitive information in which a referenceable place is restricted. On the other hand, in the statistical processing, since individual restricted sensitive information is not handled, a determination based on location information preset in the limited sensitive information is not performed. As described above, according to the data management system 1 of the present embodiment, the handling in the case of handling restricted sensitive information in which a reference location is limited in advance depending on whether the requested operation is collection or statistics is flexibly changed. Because it is possible, it is convenient.

<Action and effect>
As described above, the data management system 1 according to the embodiment of the present disclosure includes the distributed network 20 to which the plurality of nodes 10 (node devices) are connected, and manages the limited sensitive information (data). 1, each of the plurality of nodes 10 stores storage destination information including information indicating a storage destination in which the restricted sensitive information is stored and storage information including location information (qualification information) indicating a location where the restricted sensitive information can be accessed. A block generation unit 11 for generating a destination block; a storage unit 12 for storing all storage destination blocks generated by a plurality of nodes 10; and a storage destination block in response to a user's own access request to the restricted sensitive information. A qualification determination unit 13 that accesses and determines whether the current location or the user's residence is within a restricted range based on the location information; If it is determined that the current location or the user's place of residence is within the restricted range, the restricted sensitive information for which the access request was made is transmitted from the data server 30 (storage destination) that stores the restricted sensitive information for which the access request was made. And a data acquisition unit 14 to acquire.

  As described above, in the data management system 1, the limited sensitive information itself is stored in the data server 30, and the block chain including the storage destination information in the block is shared by all the nodes 10. Therefore, it is possible to avoid a situation in which the restricted sensitive information is shared by all the nodes, and the information is also shared by nodes outside the restricted range. Since all the blocks generated in the past are shared by all the nodes 10 as a blockchain, the storage destination information of all the limited sensitive information stored in the past is shared by all the nodes 10. Will be.

  For this reason, in the data management system 1 that manages the restricted sensitive information in which the storage location is restricted, since each node 10 does not hold the restricted sensitive information itself, the node 10 can move freely. . Further, when a reference request to the information is issued from the movable node 10, whether the current position of the node 10 or the residence of the user of the node 10 is included in the restricted range is determined based on the type of the restriction. Is determined, and it can be referred to only when the information is included, so that the restriction on the location of the restricted sensitive information is not broken. Therefore, sensitive information whose storage and / or reference location is restricted can be suitably handled in a network that shares information among a plurality of nodes.

  Further, in the data management system 1 according to the present embodiment, the block generation unit 11 of a certain node 10 </ b> A requests the user to collect a plurality of pieces of restricted sensitive information stored in the data server 30, In response to a request to obtain statistics using a plurality of stored restricted sensitive information, request information indicating a request for statistics using the collection of restricted sensitive information or data to another node 10B, referenceable location information, Generate a request block containing

  Then, the storage unit 12 of the node 10A stores all the request blocks generated by the plurality of nodes 10, and when the request block is newly stored in the storage unit 12 of the node 10B, the block extraction unit 16 12, a storage destination block corresponding to the limited sensitive information used for collection or statistics indicated by the request information included in the newly stored request block is extracted from all the storage destination blocks stored in the newly stored request block. If the included request information indicates a request for collection, the qualification determination unit 13 determines whether the current location of the requesting node 10A or the requesting user is within the restricted range indicated by the location information of the restricted sensitive information. When it is determined that the data is within the restricted range, the block generation unit 11 newly generates a storage destination block including the storage destination information of the requested restricted sensitive information.

  Furthermore, when the request information included in the request block indicates a request for statistics, the block extraction unit 16 extracts the data server 30 that stores the limited sensitive information used for statistics from the storage destination block, and the statistical processing unit 17 The data storage unit 15 calculates a statistical value by a requested statistical method using the data obtained from the data server 30, the data storage unit 15 stores the statistical value in a predetermined data server 30, and the block generation unit 11 A storage destination block including the stored storage destination information is newly generated.

  As described above, when the user of a certain node 10A requests the collection of the sensitive sensitive information possessed by the other node 10B or requests the statistics using the limited sensitive information, the other node 10B generates the response block responding to the request block. To meet this demand. For this reason, as compared with a data management system in which information is centrally managed, for example, a load for responding to a request is distributed to each node 10, so that processing can be executed with a low load.

  In the collection process, the node 10B determines whether the current location of the requesting node 10A or the residence of the user of the node 10A is within the restricted range of the location information based on the location information preset in the restricted sensitive information. Is determined. For this reason, the collection process can be suitably performed even for sensitive information in which a referenceable place is restricted. On the other hand, in the statistical processing, since individual restricted sensitive information is not handled, it is not necessary to make a determination based on location information preset in the limited sensitive information. As described above, according to the data management system 1 of the present embodiment, the handling in the case of handling restricted sensitive information in which a reference location is limited in advance depending on whether the requested processing is collection or statistics is flexibly changed. Because it is possible, it is convenient.

<Modification>
Although various embodiments have been described with reference to the drawings, the present disclosure is not limited to such examples. It will be apparent to those skilled in the art that various changes or modifications can be made within the scope of the claims, and these naturally belong to the technical scope of the present disclosure. I understand. Further, each component in the above embodiment may be arbitrarily combined without departing from the spirit of the disclosure.

  In the above-described embodiment, the data server 30 is a stationary server device. However, the data server 30 may be a cloud server realized by a cloud service implemented in a specific area. Although not shown in FIG. 1, a backup server for backing up the data server 30 itself may be connected to the public network 40. In this case, depending on the installation location of the backup server, there is a possibility that the restricted sensitive information cannot be backed up. Therefore, a backup server that can be backed up is appropriately selected based on the location information included in the limited sensitive information and the installation location of the backup server. What should I do?

  Further, the data server 30 may be realized by blockchain technology. For example, when there are a plurality of block chains in units of restricted sensitive information or units of location information, these may be candidates for the data server 30 that can store them.

  In the above-described embodiment, the data management system 1 deals with only limited sensitive information in which access places are limited, but the present disclosure is not limited to this. For example, general information that does not have a restriction on an accessible place may be handled. In this case, "general information" is described as type information in a block generated in association with a general block, and when general information is handled, determination regarding a location may not be performed.

  In the above-described embodiment, the qualification determination for accessing the restricted sensitive information is not particularly performed except for the location information set in advance in the restricted sensitive information, but another qualification determination may be performed. For example, the data server 30 may execute an authentication process using a user ID or the like, and may access specific restricted sensitive information only to the node 10 having the specific ID. In addition, when the data server 30 includes the contact information (e-mail address, etc.) of the owner of the information, and when there is a request to access the restricted sensitive information stored in the data server 30, an inquiry is made to the owner. May be.

  In the above embodiment, the other node 10B that responds to the request from the requesting node 10A responds by generating a response block including a response result, but the present disclosure is not limited to this. For example, the node 10B may directly transmit the response result to the requesting node 10A.

  In the above embodiment, the limited sensitive information is stored in the data server 30 that is not included in the distributed network 20, but the present disclosure is not limited to this. For example, the restricted sensitive information may be shared and stored in the storage unit 12 of each node 10 depending on the type of the restricted sensitive information. Examples of the type of restricted sensitive information in this case include, for example, technical information which does not require permission for information disclosure by an individual and has no restriction on a storable location. Also, in this case, when there is a reference request for information, in addition to the restriction on the current location of the requesting node 10 or the place of residence of the user, a qualification determination based on a specific authority or condition may be performed. Good. In this case, since the data server 30 and the public network 40 of the data management system 1 illustrated in FIG. 1 are not required, the system can be simplified.

  A specific example in the case where the restricted sensitive information is shared and stored by a plurality of nodes will be described. Assuming that the node 10 that newly stores the restricted sensitive information is the node 10A, the block generation unit 11 of the node 10A generates a new block (encrypted data block) whose block type 510 (see FIG. 2) is “data”. The content information 540 of the encrypted data block includes encrypted data information obtained by encrypting the restricted sensitive information. Although the encryption method is not particularly limited in the present disclosure, for example, a public key encryption method (RSA encryption) or the like may be employed. Further, in the location information 520 of the encrypted data block, only “referenceable location” information and “referenceable attribute” information are stored. The encrypted data blocks generated in this way are connected to the block chain by the storage unit 12, so that the encrypted restricted sensitive information is shared among the plurality of nodes 10.

  In the case where the limited sensitive information itself is included in the encrypted data block and is shared among the plurality of nodes 10 as described above, the processing when another node 10B tries to refer to the limited sensitive information is as follows. Except for this point, the process is the same as the reference process described with reference to FIG. The difference is that, in steps S17 and S18 in FIG. 5, the data acquisition unit 14 transmits a request for obtaining a decryption key to the node 10A instead of transmitting a request for transmitting restricted sensitive information to the data server 30, The point is that after obtaining the decryption key, the encryption of the encrypted data information is decrypted and the limited sensitive information is obtained. However, the method of decrypting the encryption is not limited to such a method. If the determination in step S16 of FIG. 5 is YES, the data acquisition unit 14 can encrypt the encrypted data information by any method. There may be.

  Alternatively, the newly acquired limited sensitive information may be stored only in the storage unit 12 of the own node 10. In such a case, the storage destination information of the restricted sensitive information is the own node 10, which can be freely referred to by itself. However, when there is a reference request from another node 10, permission is obtained from the user. Only in such a case, operations such as disclosure of the information can be performed.

  The present disclosure is useful for a data management system using blockchain technology.

1 Data Management System 10, 10A, 10B Node 11 Block Generation Unit 12 Storage Unit 13 Qualification Judgment Unit 14 Data Acquisition Unit 15 Data Storage Unit 16 Block Extraction Unit 17 Statistical Processing Unit 20 Distributed Network 30 Data Server 40 Public Network

Claims (9)

A data management system including a network to which a plurality of node devices are connected and managing data,
Each of the plurality of node devices includes:
A block generation unit that generates a storage destination block including storage destination information indicating a storage destination where the data is stored and qualification information regarding a qualification for handling the data,
A storage unit that stores all the save destination blocks generated by the plurality of node devices,
In response to an access request to the data by its own user, accessing the storage block, a qualification determination unit that determines whether or not the user or the user has the qualification based on the qualification information,
When the user or the user is determined to have the qualification, from the storage destination that saves the data that the access request was made, a data acquisition unit that acquires the data for which the access request was made,
A data management system. The qualification information includes the current location of the node device to which access to the data is allowed, or referenceable location information indicating a restriction on the residence of the user who is allowed to access the data,
The qualification determination unit, when the current location of the user is included in the current location indicated by the referenceable location information, or when the residence of the user is included in the residence indicated by the referenceable location information, Determine that he is qualified,
The data management system according to claim 1. The storage destination is a server device outside the network, the qualification information includes storable location information indicating a restriction on the installation location of the server device that can store the data,
Further comprising a data storage unit that stores the data in an external server device installed at a location that matches the storable location information,
The data management system according to claim 1. The block generation unit, in response to a request by the user to collect a plurality of the data stored in the storage destination, or a request to take statistics using a plurality of the data stored in the plurality of storage destinations, Generating a request block including request information indicating a request for statistics using the data collection or the data for the node device, and the referenceable location information,
The data management system according to claim 2. The storage unit stores all the request blocks generated by the plurality of node devices,
When the request block is newly stored in the storage unit, from among all the storage destination blocks stored in the storage unit, collection or statistics indicated by the request information included in the newly stored request block Further comprising a block extraction unit for extracting a storage destination block corresponding to the data used for
When the request information included in the request block indicates a request for collection, the qualification determination unit determines whether the requesting node device or the requesting user has the qualification, and determines the qualification. When determined to have, the block generation unit newly generates a storage destination block including storage destination information of the requested data,
The data management system according to claim 4. When the request information included in the request block indicates a request for statistics, based on the storage destination block including the storage destination of the data used for the statistics extracted by the block extraction unit, Further comprising a statistical processing unit that calculates a statistical value using data obtained from the storage destination,
The data storage unit stores the statistical value in a predetermined storage destination,
The block generation unit newly generates a storage destination block including storage destination information in which the statistical value is stored,
The data management system according to claim 4. A data management system including a network to which a plurality of node devices are connected and managing data,
Each of the plurality of node devices includes:
A block generation unit that generates an encrypted data block including encrypted data information obtained by encrypting the data, and qualification information regarding qualifications for handling the data;
A storage unit that stores all the encrypted data blocks generated by the plurality of node devices,
In response to an access request to the data by its own user, accessing the encrypted data block, a qualification determination unit that determines whether or not the user or the user has the qualification based on the qualification information,
When it is determined that the user or the user has the qualification, the data acquisition that decrypts the encrypted data information included in the encrypted data block for which the access request was made and obtains the data Department and
A data management system. A node device connected to a network to which a plurality of node devices are connected,
A block generation unit that generates a storage destination block including storage destination information including information indicating a storage destination where data is stored, and qualification information regarding a qualification for handling the data,
A storage unit that stores all the save destination blocks generated by the plurality of node devices,
In response to an access request to the data by its own user, accessing the storage block, a qualification determination unit that determines whether or not the user or the user has the qualification based on the qualification information,
When it is determined that the user or the user has the qualification, from the storage destination that saves the data for which the access request was made, a data acquisition unit that acquires the data for which the access request was made,
A node device comprising: A node device connected to a network to which a plurality of node devices are connected,
A block generation unit that generates an encrypted data block including encrypted data information obtained by encrypting data, and qualification information regarding qualifications for handling the data;
A storage unit that stores all the encrypted data blocks generated by the plurality of node devices,
In response to an access request to the data by its own user, accessing the encrypted data block, a qualification determination unit that determines whether or not the user or the user has the qualification based on the qualification information,
When it is determined that the user or the user has the qualification, the data acquisition that decrypts the encrypted data information included in the encrypted data block for which the access request was made and obtains the data Department and
A node device comprising:

Images