JP2023141262A - Personal information management system and personal information transfer control method - Google Patents

Abstract

To provide a personal information management system that, when transferring personal information to abroad, controls permission or prohibition of transfer, taking into account transfer states in the past and transfer regulations in each country.SOLUTION: An personal information management system 100 comprises a base server and a management server. The base server sets the configuration information of personal information handled at the local base to first management information and notifies the management server of the set configuration information. The management server updates second management information on the basis of the configuration information having been notified from the base server, and the management server assesses, using data localization information and the second management information, the appropriateness of storage state of personal information by the base server on the basis of the standpoints of domestic retainment regulations applied to the bases of the base server, and notifies the base server of the assessment results. The base server controls permission or prohibition of transfer of personal information to separate base servers crossing a country, on the basis of the assessment results of the appropriateness of storage state of personal information by the management server.SELECTED DRAWING: Figure 1

Description

The present invention relates to a personal information management system and a personal information transfer control method, and is suitable for application to a personal information management system and a personal information transfer control method that control the transfer of personal information between countries from the perspective of personal information protection. It is.

In recent years, laws regarding the protection of personal information have been developed in countries around the world, including Europe's GDPR (General Data Protection Regulation). Businesses that collect, store, refer to, update, etc. personal information are required to comply with these laws. Personal information is defined in many countries as information that can directly identify an individual, or information that can be combined with other information to identify an individual, and is considered to include information such as name and address, for example.

There are strict regulations regarding the handling of personal information, especially regarding the transfer of personal information overseas (crossing borders), and companies operating globally must be careful. Furthermore, in the cloud, which has become rapidly popular in recent years, the location of information is not necessarily in Japan, but there are cases where information is stored in various locations overseas, and in countries that require information to be stored domestically. caution is required. Therefore, when transferring personal information overseas, permission or prohibition of transfer may be controlled as necessary to comply with the regulations of each country mentioned above.

As a publicly known technique for controlling the transfer of personal information overseas, there is, for example, Patent Document 1. According to Patent Document 1, regarding the transfer of personal information from the EU (European Union) to outside the EU, a list is maintained in which countries or companies that can be transferred are registered in advance. When attempting to transfer personal information overseas, please refer to the above list, and if the transfer is to a country or company on the list, allow the transfer, and if the transfer is to a country outside the list, provide information as necessary. Delete or process and transfer.

JP2020-112922A

However, as disclosed in the above-mentioned Patent Document 1, the conventional technology that controls the transfer of personal information by referring to a simple list of registered destinations allows the initial transfer of personal information but prohibits the re-transfer. It was difficult to carry out relocation control according to the previous relocation situation, such as doing so. In addition, even if the transfer destination is permitted, if the source country has domestic retention regulations, the personal information will not be sufficiently protected at the re-transfer destination unless the regulations in the source country are taken into account. However, with the above-mentioned conventional technology, it is not easy to control the transfer in accordance with the regulations of the destination country, and the transfer is possible if the destination is registered in the destination list. There was a problem with permission being granted.

The present invention has been made in consideration of the above points, and it is possible for individuals who can control permission or prohibition of transfer, taking into account the past transfer status and transfer regulations of each country, when transferring personal information overseas. This paper attempts to propose an information management system and a personal information transfer control method.

In order to solve such problems, the present invention provides a personal information management system that manages transfer control of personal information handled at bases in each country, comprising a plurality of first computers that manage personal information handled at each base; A second computer that centrally manages personal information managed by a plurality of first computers is connected via a network, and information regarding personal information handled at the first computer is registered in the first computer. The second computer has first management information, and the second computer has second management information in which information regarding each personal information managed by the plurality of first computers is registered, and domestic data retention regulations established in each country. data localization information indicating, and the first computer sets setting information of predetermined items regarding personal information handled at its own base in the first management information, and transfers the set setting information to the second computer. and the second computer updates the second management information based on the setting information notified from the first computer, and the second computer updates the data localization information and the second management information. 2.Using the management information, determine the appropriateness of the storage status of the personal information by the first computer based on the perspective of domestic retention regulations applied to the base of the first computer, and report the judgment result. The first computer notifies the first computer, and the first computer transfers data to another first computer across countries based on the second computer's determination of the appropriateness of the storage status of the personal information. A personal information management system is provided, which controls permission or prohibition of transfer of the personal information.

Furthermore, in order to solve this problem, the present invention provides a personal information transfer control method using a personal information management system that manages the transfer control of personal information handled at bases in each country, wherein the personal information management system A plurality of first computers that manage the personal information handled and a second computer that centrally manages the personal information managed by the plurality of first computers are connected via a network, and the first computer The computer has first management information in which information related to personal information handled at its own base is registered, and the second computer has first management information in which information related to each personal information managed by the plurality of first computers is registered. 2 management information, and data localization information indicating domestic data retention regulations stipulated in each country, and the first computer manages the setting information of predetermined items regarding personal information handled at its own base under the first management information. a first step of notifying the second computer of the set configuration information, and the second computer based on the configuration information notified from the first computer in the first step; , a second step of updating the second management information, and after the second step, the second computer uses the data localization information and the second management information to update the base of the first computer. a third step of determining the appropriateness of the storage status of the personal information by the first computer based on the perspective of applicable domestic retention regulations, and notifying the first computer of the determination result; Based on the judgment result of the appropriateness of the storage status of the personal information by the second computer in step 3, the first computer determines whether the personal information will be transferred across countries to another first computer. A fourth step of controlling permission or prohibition is provided.

According to the present invention, when personal information is transferred overseas, permission or prohibition of the transfer can be controlled by paying attention to the past transfer situation and the transfer regulations of each country.

1 is a block diagram showing a configuration example of a personal information management system 100 according to a first embodiment of the present invention. 3 is a diagram illustrating an example data structure of base information 161. FIG. 3 is a diagram illustrating an example data structure of personal information management information 162. FIG. 3 is a diagram illustrating an example data structure of transfer management information 163. FIG. 3 is a diagram illustrating an example data structure of data type definition information 164. FIG. 16 is a diagram illustrating an example data structure of relocation type definition information 165. FIG. 3 is a diagram illustrating an example data structure of cloud information 166. FIG. 16 is a diagram illustrating an example data structure of each country localization information 167. FIG. 16 is a diagram illustrating an example data structure of country transfer control information 168. FIG. 16 is a diagram illustrating an example data structure of each country regulation level information 169. FIG. FIG. 3 is a diagram illustrating an example data structure of country adequacy information 170. FIG. 3 is a diagram showing an example of a data structure of each country sensitivity information 171. 17 is a diagram illustrating an example data structure of transfer basis group information 172. FIG. 7 is a diagram illustrating an example data structure of transfer basis information 173. FIG. 3 is a diagram illustrating an example data structure of personal information management information 114. FIG. 3 is a diagram illustrating an example data structure of relocation candidate information 117. FIG. 12 is a flowchart illustrating an example of a processing procedure for setting personal information and transfer candidate information. 12 is a flowchart illustrating an example of a processing procedure for personal information regulation determination processing. 3 is a flowchart illustrating an example of a processing procedure for personal information transfer control processing. FIG. 7 is a sequence diagram illustrating an example of a processing procedure for personal information registration processing after notification of transfer completion. 12 is a flowchart illustrating an example of a procedure for relocation determination processing.

Embodiments of the present invention will be described in detail below with reference to the drawings.

Note that the following description and drawings are examples for explaining the present invention, and are omitted and simplified as appropriate to clarify the explanation. Furthermore, not all combinations of features described in the embodiments are essential to the solution of the invention. The present invention is not limited to the embodiments, and any application examples that match the idea of the present invention are included within the technical scope of the present invention. Those skilled in the art can make various additions and changes to the present invention within the scope of the present invention. The present invention can also be implemented in various other forms. Unless specifically limited, each component may be plural or singular.

In the following explanations, various information may be explained using expressions such as "table", "table", "list", and "data", but various information may be expressed using data structures other than these. good. In order to show that they do not depend on the data structure, "XX table", "XX list", etc. are sometimes called "XX information" or "XX data". When explaining the contents of each piece of information, expressions such as "identification information", "identifier", "name", "ID", and "number" are used, but these can be replaced with each other.

In addition, in the following explanation, when the same type of elements are explained without distinguishing them, reference numerals or common numbers in the reference signs are used, and when the same kind of elements are explained separately, the reference numerals of the elements are used. Alternatively, an ID assigned to the element may be used instead of the reference code.

In addition, in the following explanation, processing performed by executing a program may be explained, but the program is executed by at least one or more processors (for example, a CPU) to store predetermined processing as appropriate. Since the processing is performed using resources (for example, memory) and/or interface devices (for example, communication ports), the main body of the processing may be a processor. Similarly, the subject of processing performed by executing a program may be a controller having a processor, a device, a system, a computer, a node, a storage system, a storage device, a server, a management computer, a client, or a host. The main body (for example, a processor) that performs processing by executing a program may include a hardware circuit that performs part or all of the processing. For example, the main body of processing performed by executing a program may include a hardware circuit that performs encryption and decryption, or compression and expansion. A processor operates as a functional unit that implements a predetermined function by operating according to a program. Devices and systems that include processors are devices and systems that include these functional units.

A program may be installed on a device, such as a computer, from a program source. The program source may be, for example, a program distribution server or a computer-readable storage medium. When the program source is a program distribution server, the program distribution server includes a processor (for example, a CPU) and a storage resource, and the storage resource may further store a distribution program and a program to be distributed. Then, by the processor of the program distribution server executing the distribution program, the processor of the program distribution server may distribute the program to be distributed to other computers. Furthermore, in the following description, two or more programs may be realized as one program, or one program may be realized as two or more programs.

(1) First Embodiment (1-1) System Configuration FIG. 1 is a block diagram showing a configuration example of a personal information management system 100 according to the first embodiment of the present invention. The personal information management system 100 is a computer system that includes one or more base servers 101, one or more client terminals 141, and one or more management servers 151. The base server 101, the client terminal 141, and the management server 151 are connected to a network via respective interfaces (I/Fs 104, 144, and 154) and are configured to be able to communicate with each other.

The base server 101 is a computer such as a server having a memory 102, a CPU 103, an I/F 104, and a storage area 119. The number and locations of the base servers 101 are not particularly limited, but for example, one or more base servers may be installed for each base (or for each country of location) of a business operator that handles personal information using the personal information management system 100. It can be considered that it is installed. For information on bases and countries, please refer to the base information shown in FIG. 2.

The CPU 103 is, for example, a processor, and controls the base server 101 as a whole. Specifically, for example, the CPU 103 receives an operation request from an external device (base server 101 other than itself, client terminal 141, management server 151, etc.) via the I/F 104, and executes the operation requested from the external device. (data processing), transmitting data processing results to the external device, transmitting a data processing request to the external device, etc.

The memory 102 is, for example, a main storage device, and stores programs and data. Memory 102 is connected to CPU 103 and I/F 104.

As shown in FIG. 1, the memory 102 includes a cooperation unit 105, an information management unit 106, a transfer control unit 107, base information 111, data type definition information 112, transfer type definition information 113, personal information management information 114, transfer basis group It has information 115, relocation basis information 116, relocation candidate information 117, and cloud information 118. Among these components, the cooperation unit 105, the information management unit 106, and the transfer control unit 107 are programs stored in the memory 102, and when the programs are executed by the CPU 103, predetermined functions are realized. The other components shown in the memory 102 are data other than programs.

The storage area 119 is, for example, an auxiliary storage device, and stores information such as a database (specifically, personal information, etc.) held by the base server 101. The storage area 119 may be realized by a cloud, an externally connected storage device, or the like.

The client terminal 141 is a computer having a memory 142, a CPU 143, and an I/F 144. The client terminal 141 is a computer used by the base server 101 or the user to give instructions and operations, and its location is not particularly limited.

The CPU 143 is, for example, a processor, and makes operation requests to external devices (base server 101, management server 151, etc.) and receives operation results from the external devices via the I/F 144. The memory 142 is, for example, a main storage device, and stores programs and data. Memory 142 is connected to CPU 143 and I/F 144. The memory 142 also includes a cooperation unit 145 implemented by a program.

The management server 151 is a computer such as a server having a memory 152, a CPU 153, an I/F 154, and a storage area 174. The management server 151 is a computer that has a function of managing the transfer of personal information held by each base server 101, and its installation location and number of installations are not particularly limited.

The CPU 153 is, for example, a processor, and controls the management server 151 as a whole. Specifically, for example, the CPU 153 receives an operation request from an external device (management server 151 other than itself, client terminal 141, base server 101, etc.) via the I/F 154, and executes the operation requested from the external device. (data processing), transmitting data processing results to the external device, transmitting a data processing request to the external device, etc.

The memory 152 is, for example, a main storage device, and stores programs and data. Memory 152 is connected to CPU 153 and I/F 154.

As shown in FIG. 1, the memory 152 includes a cooperation unit 155, an information management unit 156, a regulation determination unit 157, base information 161, personal information management information 162, transfer management information 163, data type definition information 164, and transfer type definition information. 165, cloud information 166, localization information for each country 167, transfer regulation information for each country 168, regulation level information for each country 169, sufficiency information for each country 170, sensitivity information for each country 171, transfer basis group information 172, and transfer basis information 173. Among these components, the cooperation unit 155, the information management unit 156, and the regulation determination unit 157 are programs stored in the memory 152, and when the programs are executed by the CPU 153, predetermined functions are realized. The other components shown in the memory 152 are data other than programs.

The storage area 174 is, for example, an auxiliary storage device, and stores information such as a database held by the management server 151 (specifically, personal information, etc.). The storage area 174 may be realized by a cloud, an externally connected storage device, or the like.

(1-2) Software Configuration Below, the software configuration of the personal information management system 100 will be explained in detail. Specifically, information stored in the memory 152 of the management server 151, information stored in the memory 102 of the base server 101, and information stored in the memory 142 of the client terminal 141 will be explained in order.

(1-2-1) Data other than programs in the management server 151 First, information other than programs among the information stored in the memory 152 of the management server 151 will be described with reference to FIGS. 2 to 14.

FIG. 2 is a diagram showing an example of the data structure of the base information 161. The base information 161 is information indicating the base of a business operator or the like that handles personal information.

The base information 161 shown in FIG. 2 includes data items such as a base ID 201, a base name 202, and a country of location 203. The base ID 201 indicates an ID that identifies each base. The base name 202 indicates the name of each base. The country of location 203 indicates the country where each base is located. In the description of the present invention, the term "country" is used for simplicity, but the term "country" refers to not only a country but also a region (for example, the European Union). EU)), etc.

FIG. 3 is a diagram showing an example of the data structure of the personal information management information 162. The personal information management information 162 is information for managing personal information in the management server 151, and holds records in units of personal information.

The personal information management information 162 shown in FIG. It is composed of data items.

The management ID 301 indicates an ID by which the management server 151 identifies personal information to be managed (hereinafter referred to as target data in the explanation of FIG. 3). The acquisition country 302 indicates the acquisition country where the target data was acquired. The date and time 303 indicates the acquisition date and time of the target data. The base ID 304 indicates which base the target data belongs to using the base ID (base ID 201 in FIG. 2).

The data ID 305 indicates how the target data is held at the base indicated in the base ID 304. Specifically, the data ID 305 indicates how the target data is held at the base indicated in the base ID 304. Specifically, the data ID 305 indicates the in-base identification ID (data in FIG. ID1501). The data type 306 indicates the data type of target data using a data type ID (data type ID 501 in FIG. 5). The data type is defined by data type definition information 164 shown in FIG.

The data location 307 shows an outline of the storage location of the target data (inside the base, cloud, etc.). Address 308 indicates the details of the storage location of the target data using the storage address. Cloud ID 309 indicates the identification ID of the cloud (cloud ID 701 in FIG. 7) when the target data is stored in the cloud. For example, if the value of the data location 307 is "own base", the target data is stored in the storage area 119 or the like of the base server 101 existing within the own base. Further, if the value of the data location 307 is "backup", the target data is initially saved in a temporary storage area, etc., but after that, as data copying or other processing is performed, the data is indicated at the address 308. This means that the data will be moved to the specified address. The address shown in address 308 is the address of the storage area where the target data is currently stored, but if the data storage location is changed due to backup, it is updated to the address of the backup destination.

Domestic retention 310 indicates whether domestic retention of the target data is required by national laws or the like, and if domestic retention is required, whether it can be handled with the current storage status of the target data. Specifically, for example, if the value of the domestic retention 310 is "-", it means that the target data is not required to be retained domestically. If the domestic retention value is "10", it means that the target data is required to be retained domestically at the base and can be handled with the current data storage status. If the value of domestic retention is "11", it means that the target data is required to be retained domestically at the base, but this cannot be done with the current data storage situation. If the value of domestic retention is "20", domestic retention of the target data is required at a base different from the base concerned (a base that retains the original target data, such as the transfer source of the target data), and the current data is This means that it can be handled depending on the storage situation. If the value of domestic retention is "21", domestic retention of the target data is required at a base different from the base concerned (a base that retains the original target data, such as the transfer source of the target data), but the current data This means that it cannot be handled under the storage conditions.

Original ID 311 indicates whether or not the target data is data brought to the current base due to relocation, and if the target data is data brought to the current base by relocation, it is the identification ID of the original data of the target data. (Management ID 301). Specifically, for example, if the value of the original ID 311 is "-", it means that the target data is not data brought through transfer. In addition, if the value of the source ID 311 is "d5", the target data is the data brought by the transfer, and its source (or the first transfer source if multiple stages of transfer are performed) This means that the data is managed by the management server 151 with the identification ID "d5" (management ID 301).

FIG. 4 is a diagram showing an example of the data structure of the transfer management information 163. The transfer management information 163 is information for managing the history of transfers of personal information, and has a record for each transfer.

The transfer management information 163 shown in FIG. 4 includes a transfer ID 401, a transfer source 402, a transfer source data ID 403, a transfer destination 404, a transfer destination data ID 405, a data type 406, a transfer basis 407, a transfer type 408, a date and time 409, and a transfer number 410. , and management ID 411.

The transfer ID 401 indicates an ID that identifies a transfer to be managed. The transfer source 402 indicates the transfer source base using a base ID (base ID 201 in FIG. 2). The transfer source data ID 403 indicates the in-base identification ID (data ID 1501 in FIG. 15) assigned by the management server 151 when the transferred data was managed at the transfer source base before the transfer. The transfer destination 404 indicates the transfer destination base using a base ID (base ID 201 in FIG. 2). The transfer destination data ID 405 indicates an in-base identification ID (data ID 1501 in FIG. 15) assigned by the management server 151 when the transferred data is managed at the transfer destination base after the transfer. The data type 406 indicates the data type of transfer data using a data type ID (data type ID 501 in FIG. 5). The data type is defined by data type definition information 164 shown in FIG.

The transfer basis 407 indicates the transfer basis of the transfer data using a basis ID (base ID 1401 in FIG. 14). The transfer basis is defined by transfer basis information 173 shown in FIG. 14. The transfer type 408 indicates the transfer type of transfer data using a transfer type ID (transfer type ID 601 in FIG. 6). The relocation type is defined by relocation type definition information 165 shown in FIG. The date and time 409 indicates the date and time when the transfer data was transferred. The number of transfers 410 indicates the number of times transfer data has been transferred in the past. Specifically, for example, if the value of the number of transfers 410 is "0", it means that the target transfer data has not been transferred before and this is the first transfer. If the value of the number of transfers 410 is "1", it means that the target transfer data has been transferred once before this transfer, and this transfer is a re-transfer of the transferred data. do.

The management ID 411 indicates an identification ID (management ID 301 in FIG. 3) managed by the management server 151 corresponding to the transfer source data ID 403 regarding the transfer source data. The management ID 411 is set by the management server 151 when receiving a notice of completion of relocation from the source base, and is then used to compare data between the management server 151 and the destination base (base server 101). be done.

FIG. 5 is a diagram showing an example of the data structure of the data type definition information 164. Data type definition information 164 is information that defines the classification of data held in storage areas 119 and 174 such as databases held by base server 101 or management server 151. Although various information including personal information is stored in the storage areas 119 and 174, each computer (management server 151, base server 101, and client terminal 141) of the personal information management system 100 stores data type definition information 164 and 112. Based on this, it is possible to understand what classification of data is included in the information stored in the storage area.

The data type definition information 164 shown in FIG. 5 includes data items of a data type ID 501 and content 502. The data type ID 501 indicates an ID (data type ID) that identifies the classification of data. Content 502 indicates the content of data classification. For example, in the case of FIG. 5, the data type ID of data including "name" is defined as "p1", and the data type ID of data including "address" is defined as "p2". At this time, if the target information includes a name and address, the data type of the information is assigned a plurality of classifications (data type IDs) such as "p1" and "p2".

FIG. 6 is a diagram showing an example of the data structure of the transfer type definition information 165. Transfer type definition information 165 is information that defines a data transfer method.

The transfer type definition information 165 shown in FIG. 6 includes data items of a transfer type ID 601 and content 602. The transfer type ID 601 indicates an ID (transfer type ID) that identifies the classification of the data transfer method. Content 602 indicates the content of the data transfer method classification. For example, in the case of FIG. 6, the transfer method with the transfer type ID "t1" indicates a transfer method in which data is sent to the transfer destination without leaving it at the transfer source. Furthermore, a transfer method with a transfer type ID of "t2" indicates a transfer method in which data is sent to a transfer destination while remaining at the transfer source by copying or the like.

FIG. 7 is a diagram showing an example of the data structure of the cloud information 166. The cloud information 166 is information for managing various information regarding clouds that can be used by the personal information management system 100 as a data storage destination.

The cloud information 166 shown in FIG. 7 includes data items such as a cloud ID 701, a cloud vendor 702, a service name 703, a contact point 704, and data locations 705 and 706.

Cloud ID 701 indicates the identification ID (cloud ID) of the cloud that stores data. The cloud vendor 702 indicates the vendor of the cloud specified by the cloud ID 701 (hereinafter referred to as the cloud). The service name 703 indicates the type of service provided by the cloud vendor. For example, if the value of the service name 703 is "email", it means that the cloud provides email service, and if the value of the service name 703 is "storage", it means that the cloud is a cloud that provides email services. This means that it is a cloud that provides storage services. The counter 704 indicates the location (for example, country name) of a counter provided for the service provided by the cloud. The data location 705 shows an overview of the data storage location of the service provided in the cloud (for example, a wide area such as Asia or North America), and the data location 706 shows the details of the data storage location (for example, country or city). shows.

FIG. 8 is a diagram showing an example of the data structure of the localization information 167 for each country. “Country localization” refers to regulations on data localization (domestic retention obligations) established by each country. The localization information 167 for each country is information for managing the content of regulations regarding localization for each country.

The localization information 167 for each country shown in FIG. 8 includes data items of country 801 and sensitivity 802 to 805. Country 801 indicates the name of the country. The sensitivities 802 to 805 are data items corresponding to the sensitivities "s1", "s2", "s3", etc. defined in the sensitivity information 171 of each country in FIG. 12, which will be described later. Indicates whether each country has data localization regulations for the applicable data. For example, in the case of Figure 8, the value of sensitivity 803 and 804 is "Yes" in the record where the value of country 801 is "medium", so in China, the data of sensitivity s2 and S3 is localized (domestic retention obligation). It shows that the regulations are in place.

FIG. 9 is a diagram showing an example of the data structure of the country transfer control information 168. "Country Transfer Regulations" means the regulations established by each country regarding the transfer of data. The country transfer regulation information 168 is information for managing the content of this country transfer regulation.

The country transfer control information 168 shown in FIG. 9 includes data items of country 901 and sensitivities 902 to 905. Country 901 indicates the name of the country. The sensitivities 902 to 905 are data items corresponding to the sensitivities "s1", "s2", "s3", etc. defined in the sensitivity information 171 of each country in FIG. 12, which will be described later. Indicate which transfer basis groups each country has regulations on for the relevant data. The transfer basis group is defined by transfer basis group information 172 in FIG. 13, which will be described later.

FIG. 10 is a diagram showing an example of the data structure of each country's regulation level information 169. The country regulation level information 169 is information for managing the degree of regulation regarding personal information protection in each country.

The country regulation level information 169 shown in FIG. 10 is configured to include data items of level 1001 and country 1002. Level 1001 indicates the required level of personal information protection, and in this example, the larger the level value, the higher the required level of personal information protection (that is, the stricter the regulation). A country 1002 indicates a country corresponding to each level of personal information protection.

The control level (value of level 1001) of each country can be automatically calculated by the management server 151 based on the information of each country's localization information 167, each country's transfer restriction information 168, and each country's sensitivity information 171. An example of a specific method for calculating the regulation level is shown below.

Regarding the country localization information 167 shown in FIG. 8, the management server 151 determines a score for each column (for each sensitivity). For example, sensitivity "s1" is set as 1 point, sensitivity "s2" as 2 points, sensitivity "s3" as 3 points, etc. Then, with reference to FIG. 8, the management server 151 counts the above-mentioned points when there are restrictions on sensitivity, and calculates the total score for each row (for each country). In this case, China would receive 6 points and Japan would receive 0 points.

Furthermore, regarding the country sensitivity information 171 shown in FIG. 12, the management server 151 calculates scores based on sensitivity variations. For example, if there is one type of variation, it will be worth 1 point, if there are two types, it will be worth 2 points, if there are three types, it will be worth 3 points, etc. The management server 151 then calculates each country's score with reference to FIG. For example, the United States has only one type of sensitivity, "s1", so it is worth 1 point, and the European sensitivity has two types, "s1" and "s2", so it is worth 2 points.

Furthermore, regarding the country transfer regulation information 168 shown in FIG. 9, the management server 151 determines a score for each column (for each sensitivity). For example, if a restriction exists in each column (that is, a value of any group is registered), one point is added to each column to calculate the total score. In addition, as a modified example of score calculation, it is assumed that the larger the number of elements of transfer grounds that make up a group, the more variations in transferable grounds are available and the easier it is to transfer, and the score is lowered (i.e., it is considered that regulations are weaker). ).

As described above, the management server 151 can calculate scores for each country from the localization information 167 for each country, the transfer control information 168 for each country, and the sensitivity information 171 for each country. Therefore, the management server 151 aggregates these scores calculated from each piece of information to calculate a total score for each country, and according to this total score, sets the regulation level of each country so that the higher the score, the higher the regulation level. Determine the level of regulation.

Note that when calculating the regulation level of each country, in addition to the above-mentioned viewpoints, it is also possible to take into consideration the size of the penalty amount in the event of a violation. In this case, the management server 151 stores, in the memory 152, sanction amount information indicating the sanction amount for each country's violation, and refers to the sanction amount information to select a country with a larger sanction amount for the violation, in order to calculate the regulation level. What is necessary is to perform processing such as adding the scores of .

FIG. 11 is a diagram showing an example of the data structure of the adequacy information 170 for each country. The adequacy information 170 for each country is information indicating the adequacy certification relationship between countries regarding the transfer of personal information. When transferring personal information across countries, sufficiency is determined when the transfer is permitted without special treatment of the personal information (i.e., without changing the handling of the personal information). .

The adequacy information 170 for each country shown in FIG. 11 includes data items for a country 1101 and an adequacy target country 1102. Country 1101 indicates a country, and adequacy target country 1102 indicates a country that has granted adequacy certification to the country shown in country 1101. In other words, for the country shown in country 1101, the country shown in adequacy target country 1102 is a country that is subject to adequacy. For example, in FIG. 11, in a record where the value of country 1101 is "Japan", "England, Europe" is registered as the value of adequacy target country 1102. This record shows that data can be transferred overseas from Japan to the UK and the EU on the basis of an adequacy decision.

FIG. 12 is a diagram showing an example of the data structure of each country sensitivity information 171. “Country sensitivity” means the degree of caution in data handling (data sensitivity) required in each country for each data type defined in the data type definition information 164. The national sensitivity information 171 is information for managing this national sensitivity.

The sensitivity information 171 for each country shown in FIG. 12 includes data items of a country 1201 and data types 1202 to 1205. Country 1201 indicates the country. Data types 1202 to 1205 are data items corresponding to each data type (data type ID 501) "p1", "p2", "p3", etc. defined in the data type definition information 164 in FIG. Yes, indicating the sensitivity of the data for the data type. For example, in the case of Fig. 12, in the record whose value in Fig. 1201 is "Europe" indicating the EU, looking at each value of data types 1202 to 1204, the sensitivity of data of data type "p1" is "s1". , the sensitivity of data of data type "p2" is "s1", and the sensitivity of data of data type "p3" is "s2". Here, assuming that "s2" is more sensitive than "s1", data of data type "p3" requires more careful handling than data of data types "p1" and "p2". It is shown that

FIG. 13 is a diagram showing an example of the data structure of the transfer basis group information 172. The transfer basis group information 172 is information for managing a group (transfer basis group) formed from a combination of transfer grounds defined in the transfer basis information 173 of FIG. 14, which will be described later. The Transfer Basis Group indicates the requirements that must be met for each country's transfer.

The transfer basis group information 172 shown in FIG. 13 is configured with data items of group ID 1301 and content 1302. Group ID 1301 indicates an ID that identifies a transfer basis group. The content 1302 indicates a combination of transfer grounds forming a transfer basis group using a basis ID 1401 shown in FIG. 14 . For example, in FIG. 13, when the value of group ID 1301 is "Gr2", the value of content 1302 is "g1 or g2". This indicates that when the data to be transferred belongs to the transfer basis group of "Gr2", it is necessary to satisfy at least either "g1" or "g2" as the transfer basis.

FIG. 14 is a diagram showing an example of the data structure of the transfer basis information 173. The transfer basis information 173 shown in FIG. 14 includes data items of basis ID 1401 and content 1402. The basis ID 1401 indicates an ID that identifies the transfer basis. Content 1402 indicates the content of the transfer basis. For example, in FIG. 14, when the value of basis ID 1401 is "g1", the value of content 1402 is "agree". This indicates that obtaining consent is one of the conditions for transfer.

(1-2-2) Programs in Management Server 151 Next, the programs stored in the memory 152 of the management server 151 will be described. As described above, the cooperation unit 155, the information management unit 156, and the regulation determination unit 157 are implemented by programs stored in the memory 152.

The cooperation unit 155 exchanges data with other computers (base server 101, client terminal 141, etc.) via the network. In order to simplify the explanation, when the linking unit 155 exchanges data with another computer in response to a request from another functional unit in its own computer, the linking unit 155 does not exchange data with another functional unit. "Department" is sometimes written as the processing entity. This also applies to the cooperation unit 105 of the base server 101.

Based on the information regarding personal information notified from the base server 101, the information management unit 156 registers information for understanding the personal information within the management server 151, and registers information from one base server 101 to another base server 101. Register information to understand the transferred personal information. The registration destination of this information is data other than the program in the memory 152, which was detailed in (1-2-1).

The regulation determining unit 157 receives a request from the base server 101 and determines whether regulations are necessary for the personal information to be transferred. More specifically, the regulation determination unit 157 determines whether or not localization is applied to the personal information to be transferred, determines whether the storage status of the data is appropriate, and determines whether or not the data should be re-transferred. Make judgments, etc.

(1-2-3) Data other than programs in the base server 101 Next, information other than programs among the information stored in the memory 102 of the base server 101 will be explained.

The information held in the memory 102 by the base server 101 includes a plurality of data similar to the information with the same name (at least data having the same data structure) held in the memory 152 by the management server 151 described above, and these information will omit detailed explanation. Specifically, the base information 111 is similar to the base information 161 illustrated in FIG. 2, the data type definition information 112 is similar to the data type definition information 164 illustrated in FIG. 6, the transfer basis group information 115 is the same as the transfer basis group information 172 illustrated in FIG. 13, and the transfer basis information 116 is the same as the transfer basis information 173 illustrated in FIG. 14. The cloud information 118 is similar to the cloud information 166 illustrated in FIG. 7 .

These pieces of information include, for example, information with the same name defined or held in the management server 151 (base information 161, data type definition information 164, relocation type definition information 165, cloud information 166, relocation basis group information 172, relocation basis information 173). ) may be distributed to each base, and the base server 101 of each base may store it in the memory 102 and use it. Regarding the transfer basis group information 115, the management server 151 does not distribute the same contents as the transfer basis group information 172 to each base, but only transfer basis groups related to personal information held individually by each base. The management server 151 may distribute information narrowed down to the base server 101. In addition, for example, information collected independently by the base server 101 may be aggregated in the management server 151, and after consistency is ensured in the management server 151, it may be distributed to the base servers 101 of each base as appropriate. .

Information that the base server 101 independently holds in the memory 102 includes personal information management information 114 and relocation candidate information 117.

FIG. 15 is a diagram showing an example of the data structure of the personal information management information 114. The personal information management information 114 is similar to the personal information management information 162 (see FIG. 3) held by the management server 151, but in that it is information for managing personal information handled at your own base, all This differs from personal information management information 162, which is information for aggregating and centrally managing personal information of bases.

The personal information management information 114 shown in FIG. 15 includes the following data items: data ID 1501, country of acquisition 1502, date and time 1503, data type 1504, data location 1505, address 1506, cloud ID 1507, domestic retention 1508, management ID 1509, and transfer ID 1510. It is composed of: Acquisition country 1502, date and time 1503, data type 1504, data location 1505, address 1506, cloud ID 1507, and domestic retention 1508 are similar to the data items of the same name included in the personal information management information 162 in FIG. The explanation will be omitted.

The data ID 1501 indicates an ID for identifying personal information to be managed by the base server 101 (hereinafter referred to as target data in the explanation of FIG. 15).

The management ID 1509 indicates the management ID of the target data by the management server 151. The management ID 1509 is assigned by the management server 151 and corresponds to the management ID 301 included in the personal information management information 162 in FIG. For example, the management ID is assigned by the management server 151 when the base server 101 notifies the management server 151 of information regarding the outline of the target data (personal information), and is returned to the base server 101 and set as the management ID 1509. .

Transfer ID 1510 indicates a transfer ID for identifying transfer of target data. For example, the transfer ID is assigned by the management server 151 when the base server 101 notifies the management server 151 of information regarding the completion of the transfer of target data (personal information), is sent back to the base server 101, and is set as the base ID 1510. be done.

FIG. 16 is a diagram showing an example of the data structure of the relocation candidate information 117. The relocation candidate information 117 is information for managing relocation candidates of personal information held at one's own base to another base.

The relocation candidate information 117 shown in FIG. 16 includes data items such as a candidate ID 1601, a target ID 1602, a relocation destination 1603, a data location 1604, an address 1605, a cloud ID 1606, a relocation basis group 1607, and a purpose 1608.

Candidate ID 1601 indicates an identification ID of a relocation candidate. The target ID 1602 indicates the identification ID of the personal information to be transferred as an in-base identification ID (data ID 1501 in FIG. 15). The transfer destination 1603 indicates the transfer destination base using the base ID (base ID 201 in FIG. 2). The data location 1604 shows an outline of the storage location of the personal information at the transfer destination (inside the base, cloud, etc.). The address 1605 indicates the details of the storage location of the transfer destination personal information by the storage address. Cloud ID 1606 indicates the identification ID of the cloud (cloud ID 701 in FIG. 7) when the personal information to be transferred is stored in the cloud. The relocation basis group 1607 indicates a relocation basis group consisting of a combination of relocation grounds to be satisfied in the relocation, using its identification ID (group ID 1301 shown in FIG. 13). Purpose 1608 indicates the purpose of handling personal information regarding relocation (for example, information storage at a location other than one's own location, analysis, etc.).

(1-2-4) Programs in the base server 101 Next, the programs stored in the memory 102 of the base server 101 will be explained. As described above, the cooperation unit 105, the information management unit 106, and the transfer control unit 107 are implemented by programs stored in the memory 102.

The cooperation unit 105 exchanges data with other computers (management server 151, client terminal 141, etc.) via the network.

The information management unit 106 registers information for understanding the personal information within the base server 101 based on the information regarding the personal information notified from the client terminal 141.

The transfer control unit 107 cooperates with the management server 151, client terminal 141, etc., and allows or prohibits the transfer of personal information related to its own base (that is, personal information managed by the base server 101) by the management server 151. The transfer will be controlled in accordance with the decision of the

(1-2-5) Programs in Client Terminal 141 Next, the programs stored in the memory 142 of the client terminal 141 will be described. As described above, the cooperation unit 145 is implemented by a program stored in the memory 142.

The cooperation unit 145 cooperates with an external computer such as the base server 101 and transmits a request for setting, protecting, or extracting personal information in response to a user's operation. The cooperation unit 145 also receives response results from external computers.

(1-3) Processing Below, the processing executed by the personal information management system 100 according to the present embodiment will be explained based on the above-mentioned hardware configuration and software configuration. The process described below is executed when the client terminal 141 requests the base server 101 to execute a setting process related to personal information.

(1-3-1) Processing for setting personal information and transfer candidate information FIG. 17 is a flowchart showing an example of a processing procedure for setting personal information and transfer candidate information. The process shown in FIG. 17 is a process executed by the base server 101 when, for example, a user operates the client terminal 141 to register certain personal information in the base server 101 of his own base. In the process shown in FIG. 17, when requesting registration of personal information, registration of transfer candidate information regarding the transfer candidate is requested, but the transfer candidate information registration request is made at a different timing from the personal information registration request. May be done. In that case, among the various processes described below, the process related to registration of transfer candidate information may be separately executed. Further, the process shown in FIG. 17 can also be applied when changing (updating) the contents of registered personal information or transfer candidate information.

According to FIG. 17, first, the cooperation unit 105 receives a request regarding the setting (registration, update, etc.) of personal information and its transfer candidate information from the client terminal 141 (step S101). In step S<b>101 , the cooperation unit 105 also receives personal information to be set and transfer candidate information from the client terminal 141 .

Next, based on the request in step S501, the information management unit 106 updates the information (personal information management information 114, transfer candidate information 117) stored in the memory 102 using the received personal information and transfer candidate information. At the same time, information regarding the update is transmitted to the management server 151 (step S102). The management server 151 that has received the information transmitted in step S102 executes the process shown in FIG. 18, which will be described later.

The processing content of the information management unit 106 in step S102 will be explained in detail.

For example, when registration of personal information is requested, in the personal information management information 114 of FIG. A new identification ID (data ID 1501) is assigned to the personal information, and the country from which the data was acquired (country of acquisition 1502), the date and time of acquisition (date and time 1503), the type of data (data type 1504), and the summary of the storage location ( Information such as the data location 1505) and the detailed address of the storage location (address 1506) are registered.

For example, when registration of relocation candidate information is requested, the base server 101 (information management unit 106), in the relocation candidate information 117 of FIG. A new identification ID (candidate ID 1601) is assigned to the candidate information, and regarding the transfer candidate information, the transfer target (target ID 1602), the transfer destination (transfer destination 1603), the summary of the data storage location of the transfer destination (data location 1604), and the storage Register information such as the detailed address (address 1605). Then, the updated (registered) information and the base information of the base server 101 are sent from the base server 101 to the management server 151, and the information on the management server 151 side is updated by the process shown in FIG. 18, which will be described later. .

Next, the information management unit 106 updates predetermined data items in the personal information management information 114 and transfer candidate information 117 based on the response information from the management server 151 (step S103). The predetermined data items are, for example, domestic retention 1508 and management ID 1509 in the personal information management information 114, and transfer basis group 1607 in the transfer candidate information 117.

To explain in detail, for the personal information management information 114 in FIG. 15, the information management unit 106 sets the result of whether data localization support is necessary determined by the management server 151 in the domestic retention 1508. The necessity of supporting data localization is determined by the management server 151 based on the values of the acquisition country 1502 and data type 1504 received from the base server 101 in step S102, and the determination result is notified to the base server 101 ( Steps S205, S208, and S209 in FIG. 18, which will be described later). Further, the information management unit 106 sets the value of the management ID 301 assigned to the target personal information by the management server 151 in the process of FIG. 18 to the management ID 1509.

Furthermore, for the transfer candidate information 117 in FIG. 16, the information management unit 106 sets the transfer basis group determined by the management server 151 as the transfer basis group 1607. The relocation basis group is determined by the management server 151 based on the value of the acquisition country 1502 and information on relocation candidates received from the base server 101 in step S102, and the determination result is notified to the base server 101 (described later). (Steps S205, S208, S209 in FIG. 18).

By executing the process shown in FIG. 17 as described above, the base server 101 can appropriately set the requested personal information and transfer destination candidate information in its own memory 102 while cooperating with the management server 151. can.

(1-3-2) Personal Information Restriction Judgment Processing FIG. 18 is a flowchart showing an example of a processing procedure for personal information restriction judgment processing. The process shown in FIG. 18 is a process executed by the management server 151 when receiving notification of personal information or relocation candidate information (step S102 in FIG. 17) from the base server 101, and is a process that We will determine whether or not the personal information is stored properly and the appropriateness of the storage status of personal information.

According to FIG. 18, first, the cooperation unit 155 receives personal information and relocation candidate information from the base server 101 (step S201).

Next, the information management unit 156 updates the personal information management information 162 based on the information received in step S201 (step S202). Specifically, for the personal information management information 162 shown in FIG. ) and set it as the management ID 301. Further, the information management unit 156 sets the data items 302 to 309 of the record in which the new management ID is set based on the personal information received in step S201. Note that the value of the identification ID (data ID 1501 in FIG. 15) used by the base server 101 to identify the personal information is set in the data ID 305.

Next, the regulation determination unit 157 determines whether the personal information notified from the base server 101 needs to be retained domestically based on the country of acquisition 302, data type 306, data location 307, and original ID 311. (Step S203). The value of the domestic hold 310 is determined and set through a plurality of processes starting from step S203.

The process of step S203 will be specifically explained in detail. First, the regulation determination unit 157 identifies which sensitivity the type of personal information (data type 306) corresponds to in the country of acquisition (country of acquisition 302) by referring to the sensitivity information 171 of each country in FIG. . For example, when the acquisition country is "Japan" and the type is "p1", according to FIG. 12, the sensitivity is specified to be "s1". Next, the regulation determining unit 157 identifies whether or not the identified sensitivity data requires localization in the acquiring country, with reference to the country transfer regulation information 168 in FIG. For example, when the acquisition country is "Japan" and the sensitivity is "s1" as in the above example, the corresponding value is "-" according to FIG. 8, and it is determined that localization support is not necessary. Note that if the corresponding value is "Yes" in FIG. 8, it is determined that localization support is necessary.

As described above, if the regulation determining unit 157 determines that localization support (domestic retention) is unnecessary (NO in step S203), "-" is set in the domestic retention 310, and the process advances to step S209, which will be described later. On the other hand, if the regulation determination unit 157 determines that localization support (domestic retention) is necessary (YES in step S203), "Yes" is set in the domestic retention 310, and the process advances to step S204.

In step S204, the regulation determining unit 157 determines whether the storage status of the personal information notified from the base server 101 is appropriate. If it is determined that the storage status of personal information is appropriate (YES in step S204), the process proceeds to step S205, and if it is determined that the storage status of personal information is not appropriate (NO in step S204), the process proceeds to step S205. Proceed to S209.

The process of step S204 will be specifically explained in detail. The regulation determining unit 157 first checks whether or not the original ID 311 is registered, and performs the following processing depending on the check result.

If the value of the original ID 311 is unregistered, the regulation determining unit 157 determines that the data (personal information) is not data brought through transfer but newly registered data. At this time, the regulation determination unit 157 identifies the country where the data is located based on the information of the base ID 304, data location 307, and cloud ID 309. If the country of residence matches the data acquisition country (acquisition country 302), the regulation determination unit 157 determines that localization is necessary for the own base and cannot be done with the current data storage status. It is determined that it is (YES in step S204), and a value of "10" is set in the domestic retention field 310. Note that when the value of the data location 307 is "cloud", the regulation determination unit 157 can identify the country where the data is located by referring to the value of the data location 706 in FIG. 7 using the cloud ID 309 as a key. . On the other hand, if the country where the specified data is located does not match the data acquisition country (acquisition country 302), the regulation judgment unit 157 determines that localization is necessary for the own base, but the current data storage situation does not allow for localization. It is determined that the response has not been completed (NO in step S204), and a value of "11" is set in the domestic retention 310.

That is, if the value of the original ID 311 is unregistered, the regulation determination unit 157 determines whether the current storage location of the personal information held at the base (own base) notified in step S201 is domestic retention. By checking whether it conforms to the viewpoint, it is determined whether the current data storage status is appropriate or not, and if it is determined that it is appropriate, a value of "10" is set in the domestic retention 310. If the setting is determined to be inappropriate, a value of "11" is set in the domestic retention 310.

If the value of the original ID 311 has been registered, the regulation determining unit 157 determines that the data (personal information) is data brought through transfer. At this time, the regulation determining unit 157 uses the same method as when the value of the original ID 311 is unregistered to check whether the storage location of the data brought through the transfer conforms to the viewpoint of domestic retention. Furthermore, the regulation judgment unit 157 periodically checks the data storage location (data location 307) for the base that holds the data indicated by the source ID 311 (i.e., the base that holds the personal information of the source of the transfer, etc.). etc., and uses the result of the inquiry to determine whether or not data localization is required using the same method as explained in the case where the value of the original ID 311 is unregistered. This judgment confirms whether or not the data from the transfer source needs to be retained domestically.

Then, the regulation judgment unit 157 determines whether the current storage status of the data is appropriate based on the confirmation result of whether the storage location of the data brought through the transfer conforms to the viewpoint of domestic retention. Then, the value to be set in the domestic retention 310 is determined based on the confirmation result of whether domestic retention is necessary for the transfer source data.

Specifically, the regulation determination unit 157 determines that the current storage status of the data is appropriate if the storage location of the data brought through the transfer is compatible with the viewpoint of domestic retention (step S204). YES). At this time, if the regulation determination unit 157 confirms that domestic retention is necessary for the data at the transfer source, it sets a value of "20" in the domestic retention 310 and indicates that domestic retention is not necessary for the data at the transfer source. If it is confirmed that there is, a value of "10" is set in the domestic retention 310. Further, the regulation determination unit 157 determines that the current storage status of the data is inappropriate if the storage location of the data brought through the transfer does not conform to the viewpoint of domestic retention (NO in step S204). . At this time, if the regulation determination unit 157 confirms that domestic retention is necessary for the data at the transfer source, it sets a value of "21" in the domestic retention 310 and indicates that the data at the transfer source does not require domestic retention. If it is confirmed that there is, a value of "11" is set in the domestic retention 310.

Note that the original ID 311 is registered (set) when the personal information to be managed is data brought through transfer, and its value is the value that is used to manage the source data held by the transfer source base server 101. The identification ID assigned by the server 151 for management purposes (ie, the data ID 301 of the transfer source data) is set.

Specifically, the management server 151 (information management unit 156 or regulation determination unit 157) determines the transfer destination of the transfer management information 163 in FIG. 404 and the transfer destination data ID 405, it is determined whether there is any matching data. If matching data is registered in the transfer management information 163, the value of the management ID 411 corresponds to the identification ID in the transfer source base server 101 of the data to be registered this time, so the management server 151 , and sets the value of this management ID 411 to the original ID 311.

The description of the processing after step S204 will be continued. To summarize the explanation so far, it has been determined that the personal information notified in step S201 requires domestic retention (YES in step S203) and that the current data storage status is appropriate (YES in step S204). In this case, the process of step S205 is performed. On the other hand, regarding the personal information notified in step S201, at least one of the following is determined: domestic retention is not necessary (NO in step S203), or the current data storage status is inappropriate (NO in step S204). If it is determined, the process of step S209 is performed.

In step S205, the management server 151 (information management unit 156 or regulation determination unit 157) sends the value of domestic retention 310 (domestic retention flag) and information on the basis of transfer to the base server 101 that sent the personal information in step S201. Send.

The above-mentioned "information on the basis of transfer" is information collected on the basis of transfer when there is a possibility that the personal information in question may be transferred in the future. Specifically, the management server 151 determines whether the data ID (data ID 305, data ID 1501) of the personal information received from the base server 101 in step S201 matches the target ID 1602 of the relocation candidate information received from the base server 101. If so, it can be determined that the personal information may be transferred in the future. In this case, the management server 151 collects the basis information for the relocation and transmits it to the base server 101. More specifically, the management server 151 determines the sensitivity of the data based on the personal information management information 162 in FIG. 3 (particularly the country of acquisition 302 and data type 306) and the country sensitivity information 171 in FIG. The transfer grounds necessary for the specified sensitivity are specified from the transfer control information 168 of each country in Figure 9 and the transfer basis group information 172 of Figure 13, and information indicating the identification results (for example, basis group such as "Gr2") is specified. value) is sent to the base server 101.

After the processing in step S205, the regulation determination unit 157 periodically updates data such as the data storage location (data location 307) to the base that holds the personal information (such as the original transfer source base). The storage status is inquired and the status is monitored (step S206). Then, the regulation determining unit 157 that has obtained the result of the inquiry determines the appropriateness of the storage status using the same procedure as step S204 described above (step S207). When determining that the storage status is appropriate (YES in step S207), the regulation determining unit 157 returns to step S206 and continues monitoring. On the other hand, if it is determined that the storage status is inappropriate (NO in step S207), the regulation determination unit 157 notifies the base server 101 that the storage status is corrected or the transfer of the data is prohibited (step S208). . At this time, the regulation determining unit 157 may update the value of the domestic retention 310 (domestic retention flag) of the target data to a specific value that suits the situation. Further, in step S208, a flag or the like indicating the content of the notification may be transmitted, or a value corresponding to the content of the notification may be transmitted.

The processes in steps S206 and S207 are for continuously monitoring whether data that requires data localization is stored in an appropriate storage condition. This means that even if the current storage status is determined to be appropriate (YES) in step S204, it is necessary to check to ensure that the storage status does not change until the data is transferred, and even after the data is transferred, the original This is because it is necessary to check the storage status of data.

In addition, in step S209, similarly to step S205, the management server 151 (information management section 156 or regulation judgment section 157) transmits the value of domestic retention 310 and information on the basis of transfer to the base that sent the personal information in step S201. Send to server 101.

By executing the process shown in FIG. 18 as described above, the management server 151 enables storage of personal information corresponding to data localization of each country with respect to personal information stored in each base server 101.

(2) Second Embodiment A second embodiment of the present invention will be described using the personal information management system 100 described in the first embodiment. In this embodiment, when transferring personal information overseas, it is possible to judge whether or not to transfer personal information by taking into consideration the past transfer status and the transfer regulations of each country, and based on the above judgment results, controls such as permission or prohibition of transfer can be implemented. Make it executable.

In the personal information management system 100 according to the present embodiment, when receiving a personal information transfer request from the client terminal 141, the base server 101 determines whether the requested transfer is a re-transfer, and determines whether the requested transfer is a re-transfer. If so, permission or prohibition of the transfer is controlled in cooperation with the management server 151. The details of the process for performing such control will be described below.

(2-1) Personal information transfer control processing FIG. 19 is a flowchart showing an example of a processing procedure for personal information transfer control processing. The process shown in FIG. 19 is executed by the base server 101 at the current base when a user operates the client terminal 141 to transfer (move or copy) certain personal information from the current base to another base. This is the process of Note that the process in FIG. 19 can be executed when the processes shown in FIGS. 17 and 18 in the first embodiment have been completed. In addition, in the following explanation, in order to avoid confusion between the base servers 101, the base server 101 at the current base that is the transfer source will be referred to as the "base server 101A", and the base server 101 at the new base will be referred to as the "base server 101B". , is sometimes written as .

According to FIG. 19, first, the cooperation unit 105 of the base server 101A receives a personal information transfer request from the client terminal 141 (step S301). In the transfer request received in step S301, the personal information to be transferred and the transfer method thereof are specified. The relocation method is indicated, for example, by the value of the relocation type ID 601 described with reference to FIG. 6 in the first embodiment.

Next, the base server 101A (for example, the information management unit 106) determines whether the personal information specified in the transfer request is compatible with data localization (step S302). Specifically, the base server 101A refers to the domestic retention 1508 of the personal information management information 114 stored in its own memory 102 (see FIG. 15), and determines the domestic retention 1508 of the personal information specified in the transfer request. If the value is "-" or "20", or if the value of domestic retention 1508 of personal information specified in the transfer request is "10" and the transfer type specified in the transfer request is "t2", etc. If the transfer method leaves the data in Japan (the transfer source), it is determined that data localization is possible. In addition, if the value of the domestic retention 1508 of personal information specified in the transfer request is "11" or "21", and if the value of the domestic retention 1508 of personal information specified in the transfer request is If the transfer method is "10" and the transfer type specified in the transfer request is "t2" and the data does not remain in the country (transfer source), it is determined that data localization is not possible.

If it is determined in step S302 that data localization is not possible (domestic retention NG) (NO in step S302), the base server 101A notifies the client terminal 141 of the rejection of the transfer and an alternative transfer method. is presented (step S309), and the process is completed. Presentation of alternative transferable methods refers to, for example, presenting transfer types such as "t2" or "t3" as alternatives when it is determined that the transfer is refused in a transfer request in which the transfer type of "t1" is specified. It is.

If it is determined in step S302 that data localization is possible (domestic retention is OK) (YES in step S302), the base server 101A determines whether there is any problem with the transfer from a perspective other than data localization (step S303). . Specifically, the base server 101A (for example, the information management unit 106) determines whether the basis for relocation specified in the current relocation request is appropriate. The determination of suitability is made based on the information in the relocation candidate information 117 in FIG. 16. For example, in FIG. 16, the transfer target (target ID 1602) of "02" needs to satisfy the transfer basis group "Gr2" in the transfer. Here, according to the transfer basis group information 115 in FIG. 13, the transfer basis group "Gr2" is composed of the transfer grounds "g1" or "g2". Therefore, if the relocation basis specified in the current relocation request is "g1" or "g2", the base server 101A can determine that the current relocation basis is appropriate (there is no problem).

If it is determined in step S303 that there is a problem with the relocation (relocation NG) (NO in step S303), the base server 101A requests the client terminal 141 to reject the relocation with reasons such as the grounds for relocation being inappropriate. Furthermore, an alternative basis for relocation is presented to enable relocation (step S309), and the process ends.

If it is determined in step S303 that there is no problem with the relocation (relocation OK) (YES in step S303), the base server 101A determines whether the requested relocation corresponds to relocation (step S304). A determination as to whether re-transfer is applicable can be made with reference to the personal information management information 114. Specifically, if transfer ID 1510 has been registered in the record with data ID 1501 that corresponds to the transfer target, it is determined that this is a re-transfer of the data brought in during the transfer, and if it is not registered, it is determined that it is not a re-transfer. do.

If re-transfer is not applicable in step S304 (NO in step S304), the base server 101A (transfer control unit 107) executes the transfer of personal information in accordance with the transfer request (step S307).

If relocation is applicable in step S304 (YES in step S304), the base server 101A inquires of the management server 151 whether relocation is appropriate (step S305). The management server 151 that received the inquiry in step S305 executes relocation determination processing, which will be described later with reference to FIG. 21, and returns the determination result to the base server 101A.

The base server 101A checks whether the response from the management server 151 permits relocation (step S306). If a response indicating that the relocation is OK is received from the management server 151 (YES in step S306), the base server 101A (transfer control unit 107) executes the transfer of personal information in accordance with the transfer request (step S307). If a response indicating that the relocation is OK is not received from the management server 151 (NO in step S306), the base server 101A notifies the client terminal 141 of the rejection of the relocation and presents an alternative relocation method (step S309). ), the process ends.

After the transfer of personal information in step S307 is completed, the base server 101A notifies the client terminal 141, the management server 151, and the transfer destination base server 101B of the completion of the transfer (step S308), and processes end.

By executing the process shown in FIG. 19 as described above, the base server 101A, which has received the transfer request from the client terminal 141, cooperates with the management server 151 to determine whether the personal information to be transferred can be transferred. If it is determined that the transfer is possible, the personal information can be transferred to the base server 101B.

(2-2) Information registration process after notification of completion of transfer FIG. 20 is a sequence diagram illustrating an example of the processing procedure of personal information registration processing after notification of completion of transfer. The process shown in FIG. 20 is a process executed by the management server 151 and the transfer destination base server 101B after the transfer completion notification is sent from the base server 101A in step S309 in FIG. Although details will be explained below, the management server 151 and the base server 101B that have received the notification of the end of personal information transfer update the information that they manage.

According to FIG. 20, first, the transfer source base server 101A sends a transfer completion notification to the transfer destination base server 101B and the management server 151 (step S401). Step S401 corresponds to step S309 in FIG. 19.

In the transfer completion notification in step S401, the base server 101A sends the base server 101B information about the transferred data (data ID 1501, domestic retention 1508 among the records of the corresponding data in the personal information management information 114 in FIG. 15). , values of data items other than transfer ID 1510) are transmitted. These data are inherited by the personal information management information 114 held by the base server 101B, and the values of predetermined items are changed and updated as necessary, as will be described later.

In addition, in the transfer completion notification in step S401, the base server 101A sends personal information management information to the management server 151 as information necessary for the management server 151 to generate transfer management information 163 regarding the transferred data. 114, information such as the identification ID (data ID 1501) and management ID (management ID 312) of the transferred data is transmitted.

In the base server 101B, when the cooperation unit 105 receives the transfer completion notification, it waits until it receives notification of the transfer ID and management ID from the management server 151 (step S402).

On the other hand, in the management server 151, when the cooperation unit 155 receives the transfer completion notification (step S403), the information management unit 156 updates the transfer management information 163 managed by itself based on the received information (step S403). S404). Specifically, the information management unit 156 allocates a new relocation ID (relocation ID 401) for the current relocation in the relocation management information 163 in FIG. Newly register values of data items other than data ID 405.

Here, regarding the number of transfers 410, the information management unit 156 checks whether the data registered in the current transfer (data identified from the transfer source 402 and transfer source data ID 403) has been transferred before this time. It is determined and derived based on the values of the transfer destination 404 and transfer destination data ID 405 of the information 163. For example, if the already registered transfer destination 404 and transfer destination data ID 405 contain data that matches the data registered for this transfer (transfer source 402, transfer source data ID 403), then It can be determined that the data is being transferred. In this case, a value obtained by adding "1" to the value of the number of relocations 410 registered for the matched data (relocation destination 404, relocation destination data ID 405) as described above is set as the number of relocations. As a result, for example, if "1" is set in the number of relocations 410, this indicates that relocation was performed once before the current relocation.

Regarding the management ID 411, the information management unit 156 stores the personal information management information 114 that is managed in association with the data ID to be transferred (data ID 1501) that was sent from the base server 101A at the time of notification of the completion of the transfer. The value of the management ID 312 is set to the management ID 411.

As described above, when the update of the transfer management information 163 regarding the currently transferred data is completed, the information management unit 156 transmits the updated values of the transfer ID 401 and the management ID 411 to the transfer destination base server 101B (step S405). .

Next, the information management unit 106 of the base server 101B assigns a new identification ID (data ID 1501) for managing the data transferred this time at its own base, and in step S402, the information management unit 106 Based on this, values of data items other than domestic retention 1508 to transfer ID 1510 of personal information management information 114 are set. Further, the information management unit 106 sets the value of the transfer ID 401 received from the management server in step S405 to the transfer ID 1510. Note that the information management unit 106 may temporarily set the value of the management ID 411 received from the management server 151 in step S405 as the management ID 1509. The value of the official management ID 1509 is set in step S410, which will be described later.

Then, if there is no change request from the client terminal 141 regarding the information set as described above, the base server 101B updates the personal information management information 114 with the set information and updates the updated information (for example, data ID 1501, etc.). It is transmitted to the management server 151 (step S407). When there is a change request from the client terminal 141 for a predetermined data item, the base server 101B sets the requested value in the data item, updates the personal information management information 114, and then sends the request to the management server 151. Submit updated information.

Next, in the management server 151, the information management unit 156 updates the transfer management information 163 and the personal information management information 162 based on the information received from the base server 101B in step S407 (step S408).

Specifically, regarding the update of the transfer management information 163, the information management unit 156 updates the transfer management information 163 based on the above-mentioned updated transfer ID 401 and the newly assigned identification ID (data ID 1501) in the base server 101B. In the record of the transfer management information 163 in which the value of the transfer ID 401 is set, the value of the identification ID is set in the transfer destination data ID 405.

In addition, regarding the update of the personal information management information 162, the information management unit 156 allocates a new identification ID (management ID 301) in the personal information management information 162 for the transferred data managed by the transfer destination base server 101B, New information is registered based on the information received from the base server 101B in step S407. At this time, the information received from the base server 101B in step S407 may be set for each data item of the country of acquisition 302 to cloud ID 309, and the information received from the base server 101B in step S407 may be set, and the information received from the base server 101B in step S102 and step S103 in FIG. It can be determined and set as appropriate using the same procedure as described above.

Then, the management server 151 notifies the base server 101B of at least the management ID 301 newly assigned to the personal information management information 162 and the value of the domestic retention 310 (domestic retention flag) among the information updated in step S408. (Step S409), the process on the management server 151 side ends.

Next, in the base server 101B, based on the information sent from the management server 151 in step S409, the information management unit 106 determines the data items of the personal information management information 114 that have not been set or have been provisionally set in step S407. is updated (step S410). Specifically, the information management unit 106 sets the value of the newly assigned management ID 301 in the management server 151 to the management ID 1509 as an official value, and sets the value of the domestic retention 310 (domestic (retention flag) is set to domestic retention 1508.

By executing the process shown in FIG. 20 as described above, the transfer destination base server 101B and management server 151 can check the transfer status (transfer source and transfer status) regarding the personal information transferred from the base server 101A to the base server 101B. You can newly register management information on your own computer while understanding the relationship with the other party, number of transfers, etc.) and whether or not it is held domestically.

(2-3) Relocation Judgment Processing FIG. 21 is a flowchart showing an example of a procedure for relocation judgment processing. The process shown in FIG. 21 is a process executed by the management server 151 (mainly the regulation determination unit 157) when receiving an inquiry from the base server 101A about whether or not to re-locate in step S305 of FIG.

According to FIG. 21, first, the management server 151 receives an inquiry from the transfer source base server 101A as to whether or not to relocate again (step S501). The process in step S501 corresponds to the process in step S305 in FIG.

Next, the regulation determination unit 157 of the management server 151 determines whether domestic retention is necessary for the data queried in step S501, that is, the data to be re-transferred, based on the value of the domestic retention 310 of the personal information management information 162. It is determined whether or not (step S502). If it is determined that domestic retention is not necessary (NO in step S502), the process proceeds to step S504, which will be described later. If it is determined that domestic retention is necessary (YES in step S502), the process advances to step S503.

In step S503, the regulation determining unit 157 determines whether the storage status of the data queried in step S501, that is, the data to be re-transferred, is appropriate. If it is determined that the storage status of the data is inappropriate (NO in step S503), the process advances to step S511, which will be described later. If it is determined that the storage status of the data is appropriate, the process advances to step S504.

In step S503, the regulation determining unit 157 can determine the appropriateness of the storage status of the data using a method similar to that described in S204 of FIG. 18. Specifically, the regulation determination unit 157 identifies the original data based on the value of the original ID 311 associated with the data to be re-transferred (in the personal information management information 162, the management ID 301 is set to “original ID 311 ), and continues to hold the data of the source as before for the base server 101 (base ID 304 of the specified record) that holds the data of the source. Inquire whether the If the base server 101 associated with the source data continues to hold the source data, the regulation determining unit 157 determines that the storage status of the data to be re-transferred is appropriate ( (YES in step S502). On the other hand, if the base server 101 associated with the source data does not continue to hold the source data, the regulation judgment unit 157 determines that the storage status of the data to be re-transferred is inappropriate. (NO in step S502).

If it is determined that the storage status of the data to be re-transferred is appropriate, the regulation determination unit 157, based on the inquiry information received in step S501, provides information on the basis for the previous transfer and the current transfer, as well as the initial Information on the regulation level of the country of origin and the country of final destination is extracted (step S504).

Specifically, the regulation judgment unit 157 determines which data of the previous transfer destination data (identified from the combination of the transfer destination 404 and transfer destination data ID 405 of the transfer management information 163 shown in FIG. 4). By identifying whether relocation is being attempted and by referring to the value of the relocation basis 407 associated with the identified relocation destination data, the previous relocation basis is extracted. For example, if the data that you are trying to re-transfer this time is data ID "6001" of base "k6", the information of the relocation data that matches this (the combination of relocation destination 404 and relocation data ID 405 matches) is , corresponds to the record in which the transfer ID "i1" is set in the transfer management information 163 in FIG. Therefore, this relocation data is identified as data that was brought from the relocation source base "k5" to the relocation base "k6" on the basis of relocation "g1" before the current relocation. Furthermore, the regulation determination unit 157 identifies the first transfer source country based on the value of the acquisition country 302 managed by the management server 151 for the data that is about to be transferred again this time, and determines the final transfer destination country. is specified from the relocation destination information specified in the inquiry from the base server 101 as to whether relocation is appropriate. Then, the regulation determining unit 157 specifies the regulation level of each country, based on the country regulation level information 169 shown in FIG. 10, for the relocation source country and the relocation destination country identified as described above. For example, if the destination country is the UK, the restriction level is determined to be 4.

Next, the regulation determining unit 157 determines whether or not to re-transfer the data to be queried, based on the information specified in step S504 (step S505). Specifically, when the transfer basis for this re-transfer is "sufficiency" (according to the transfer basis information 173 in FIG. 14, the basis ID is "g3"), the regulation judgment unit 157 Referring to the adequacy information 170 for each country shown in 11, it is determined whether the country to which the re-transfer is to be transferred is included as an adequacy country for the first transfer source country, based on the adequacy country 1102.

If the country to which the relocation is to be made is included in the countries subject to adequacy, the regulatory determination unit 157 determines that the relocation is appropriate (YES in step S505), and the base that inquired about the pros and cons of the relocation The server 101 is notified that relocation is OK (step S506).

On the other hand, if the current relocation destination country is not included in the countries subject to adequacy, the regulation determination unit 157 determines that if the regulatory level of the final transfer destination country is lower than the regulation level of the first transfer source country. , it is determined that the relocation is inappropriate (NO in step S505), and the base server 101 that inquired about the pros and cons of the relocation is informed that the relocation is NG, the reason, and any necessary corrections for the relocation. The measure is notified (step S507). The base server 101 that received the notification in step S507 may transfer the notification content to the client terminal 141 and request that necessary corrective measures be taken. When execution of necessary corrective measures is instructed by the client terminal 141 and executed by the base server 101, the base server 101 notifies the management server 151 of completion of implementation of the corrective measures.

After sending the notification in step S507, the regulation determining unit 157 checks whether necessary corrective measures are taken at the base server 101 (step S508). If the necessary corrective measures have been implemented in the base server 101 (YES in step S508), the process advances to step S506, and the regulation determination unit 157 notifies the base server 101 that relocation is OK. If the necessary corrective measures are not implemented in the base server 101 (NO in step S508), the process advances to step S511, which will be described later.

Here, we will provide a supplementary explanation regarding the notification of corrective measures. Specifically, the management server 151 identifies the base that holds the original data of the data to be re-transferred. The management server 151 then sends the identification ID of the data to be transferred (the data ID 305 of the personal information management information 162) and the transfer purpose (the purpose of the transfer candidate information 117 provided from the base server) to the base server 101 of the base server. 1608), and requests that an agreement such as a contract be concluded with the final relocation destination based on the provided information as a notification of corrective measures (step S507). After that, if the above-mentioned response that agreeable is received from the base server 101 that holds the original data, the management server 151 determines that "correction is required" (YES in step S508), and inquires whether relocation is possible. The base server 101 that made the relocation is notified that the relocation is OK (step S506).

In addition, in the above description, the implementation of the corrective action was determined based on the response result of agreeable, but the management server 151 may determine the implementation of the corrective action using other methods. For example, the management server 151 creates a template contract document that includes a description of the data to be transferred (information including the identification ID of the data, etc.), the purpose of the transfer, and rules for handling after the transfer, and manages it. Send the created contract document from the server 151 to the base server 101 that holds the original data and the base server 101 of the final destination base, and receive the electronic signature stamp from these base servers 101. In this case, it is also possible to determine YES in step S508 and notify that the relocation is OK.

In addition, if the transfer basis for this re-transfer is other than "sufficiency" (according to the transfer basis information 173 in Figure 14, the basis ID is "g2" etc.), the first transfer basis and the last transfer basis are In the same way as described above, the regulation judgment unit 157 determines the regulatory level of the final transfer destination country and Re-relocation is determined to be inappropriate if the regulatory level of the final destination country is lower than the regulatory level of the final destination country by comparing the strength and weakness of the regulations with the original country of origin. (NO in step S505), and notifies the base server 101, which made the inquiry about the pros and cons of relocation, that the relocation is NG, the reason thereof, and corrective measures necessary for relocation (step S507). Thereafter, if the correction has been made (YES in step S508), the management server 151 notifies the base server 101, which has inquired about the pros and cons of relocation, that the relocation is OK (step S506).

After step S506, the management server 151 periodically monitors the storage status of the original data of the data to be re-transferred and checks the appropriateness of the storage status in the same way as steps S206 to S208 in FIG. A determination is made (steps S509, S510), and if the storage status is inappropriate (NO in step S510), the base server 101 is notified of prohibition of data transfer (step S511).

By executing the process shown in FIG. 21 as described above, the management server 151 determines whether or not relocation is possible, taking into account the relocation status across multiple countries and the regulations of the source country. can be notified to the base server 101 that is the source of the inquiry. Specifically, for example, if the source country has strict regulations regarding the protection of personal information, but the relocation destination does not have such strict regulations, Taking regulations into account, it will be possible to control whether transfers are permitted or prohibited, so that personal information is adequately protected at the re-transfer destination.

(3) Other Embodiments Below, modified examples of the personal information management system 100 according to the first and second embodiments of the present invention described above will be described. In this modification, when regulatory information such as localization regulations for each country is changed, the management server 151 requests the base server 101 of the affected base to change the personal information settings.

Specifically, for example, when new data localization regulations are added in a certain country, the management server 151 stores data whose data acquisition country corresponds to the above country in the personal information management information 162 shown in FIG. Identification is based on the country of acquisition 302.

Regarding the identified data, if the original ID 311 is not registered in the corresponding record of the personal information management information 162, the management server 151 extracts the data from the personal information management information 162 in the same manner as step S204 in FIG. After determining the appropriateness of the storage situation, if there is a change in the domestic retention based on the determination result, the domestic retention flag of the new determination result is set in the domestic retention 310, and the base server 101 of the base that stores the identified data is set. A new domestic retention flag is transmitted to request the information to be updated, and the transfer control is requested to be performed based on the updated domestic retention flag.

On the other hand, if the original ID 311 is registered in the corresponding record of the personal information management information 162 for the data identified above, the management server 151 determines that the value of the management ID 301 matches the value of the original ID 311 in the personal information management information 162. Regarding the records, that is, the records of the original data, judge the appropriateness of the storage status of the original data in the same way as above, and if there is a change in the domestic retention as a result of the judgment, the domestic retention of the new judgment result will be changed. Set the retention flag to domestic retention 310, and set a new domestic retention flag in the same manner as above for the base server 101 of the base that stores data where the same value as the original ID 311 described above is registered in the original ID 311. In addition to requesting information update, the request also requests that transfer control be performed based on the updated domestic retention flag. Furthermore, the management server 151 transmits a new domestic retention flag in the same manner as above to the base server 101 that stores the original data, and also indicates that the content of the domestic retention flag is not compatible with domestic retention. If this is the case, request corrections to the data storage status, such as backing up the data to your own base. After that, if there is a response for correction from the base server 101 that stores the original data, the management server 151 determines that the data storage status is appropriate and generates a domestic retention flag corresponding to the correction content, Sending the generated domestic retention flag to the base server 101 that stores the original data and computers related to the base server 101 (for example, the base server 101 that stores data transferred from the base server 101), A request is made to update the domestic retention 1508 in the personal information management information 114 held by each base server 101.

By executing the process of this modification as described above, in the personal information management system 100, when regulatory information such as localization regulations of each country is changed, the management server 151 is affected by the change of the regulatory information. It is possible to request the base server 101 to change the settings of personal information and also update the settings of information managed by the management server 151 itself.

According to each embodiment of the present invention described above, the configuration includes, for example, a client terminal (client terminal 141), a first computer (base server 101), and a second computer (management server 151). In a computer system (personal information management system 100), a first computer has base information (base information 111) that defines the base of its own computer or another computer, and a data type definition that defines the type of information held by the computer. information (data type definition information 112), transfer type definition information (transfer type definition information 113) that defines the information transfer method, and personal information management information (personal information management information 114), transfer basis group information (transfer basis group information 115) consisting of a combination of transfer grounds, transfer basis information that defines the transfer grounds (transfer basis information 116), and defines data that may be transferred in the future. It includes relocation candidate information (relocation candidate information 117) and cloud information (cloud information) that defines the cloud used by the computer. The second computer stores base information (base information 161) that defines the base of its own computer or other computers, data type definition information (data type definition information 164) that defines the type of information held by the computer, and information From the combination of transfer type definition information (transfer type definition information 165) that defines the transfer method, personal information management information (personal information management information 162) for managing personal information held by other computers, and transfer grounds. transfer basis group information (transfer basis group information 172), transfer basis information that defines the transfer basis (transfer basis information 173), cloud information that defines the cloud used by the computer (cloud information 166), and computer data. Transfer management information that manages transfers (transfer management information 163), localization information for each country that manages domestic retention regulations (data localization) (localization information for each country 167), and transfer regulation information for each country that manages transfer regulations (data localization) for each country. Each country's transfer regulation information 168), each country's regulation level information (country's regulation level information 169) that defines the regulation level of each country, and each country's adequacy information that defines each country's adequacy certification information (country's adequacy information 170), Each country's sensitivity information (each country's sensitivity information 171) that defines the sensitivity of information for each country is provided.

In such a computer system, the first computer sets personal information and transfer candidates based on a request from a client terminal, notifies the second computer of this information, and transfers the information to the second computer. Based on the received information and the regulatory information of each country, the computer determines the appropriateness of the storage status of the personal information of the first computer, and notifies the first computer of the determination result. The first computer sets the judgment result from the second computer in the personal information management information of the first computer, and controls permission/prohibition of transfer of the data according to the judgment result. . In addition, the second computer periodically monitors the storage status of personal information stored in the first computer that needs to be retained domestically, and if the storage status becomes inappropriate, it may not be transferred. Notify of prohibition, etc. In addition, the first computer inquires of the second computer whether or not to re-transfer the personal information, and the second computer receives the information based on the relationship between the basis of the transfer and the regulatory information of the country from which the personal information was acquired. If it is determined that the re-transfer is inappropriate, the first computer will be notified of the prohibition of the re-transfer, or the computer that holds the original data of the data to be transferred and the final The first computer is notified of consensus regarding the transfer to computers that are to be transferred, and based on the response results from these computers, a decision is made to prohibit or permit the transfer, and the result of the decision is notified to the first computer. Then, the first computer controls permission or prohibition of retransfer of the data based on the determination result of the second computer.

By having the above-mentioned configuration, the computer system (personal information management system 100) of the present invention can control the transfer in consideration of the past transfer situation and the regulations of the transfer source country when transferring personal information overseas. Even in the case of relocation across multiple countries, it becomes possible to perform appropriate transfer control.

100 Personal information management system 101 Base server 102,142,152 Memory 103,143,153 CPU
104, 144, 154 I/F
105,145,155 Cooperation Department 106,156 Information Management Department 107 Transfer Control Department 111,161 Base Information 112,164 Data Type Definition Information 113,165 Transfer Type Definition Information 114,162 Personal Information Management Information 115,172 Transfer Basis Group Information 116,173 Transfer basis information 117 Transfer candidate information 118,166 Cloud information 119,174 Storage area 141 Client terminal 151 Management server 157 Regulation judgment department 163 Transfer management information 167 Localization information for each country 168 Transfer regulation information for each country 169 Regulation level information for each country 170 Each country Adequacy information 171 Sensitivity information for each country

Claims (9)

A personal information management system that manages the transfer control of personal information handled at bases in each country,
A plurality of first computers that manage personal information handled at the own base and a second computer that centrally manages personal information managed by the plurality of first computers are connected via a network,
The first computer has first management information in which information regarding personal information handled at its own base is registered,
The second computer has second management information in which information regarding each personal information managed by the plurality of first computers is registered, and data localization information indicating domestic data retention regulations established in each country. have,
The first computer sets setting information of predetermined items regarding personal information handled at its own base in the first management information, and notifies the second computer of the set setting information,
The second computer updates the second management information based on the setting information notified from the first computer,
The second computer uses the data localization information and the second management information to store the personal information by the first computer based on the domestic retention regulations applicable to the base of the first computer. determines the appropriateness of the storage status of the computer, and notifies the first computer of the determination result;
The first computer may permit or prohibit the transfer of the personal information across countries to another first computer based on the second computer's determination of the appropriateness of the storage status of the personal information. A personal information management system characterized by controlling. The personal information setting information that the first computer notifies the second computer includes at least information indicating the country of acquisition of the personal information, the type of the personal information, and the storage location of the personal information. Re,
The second computer uses the data localization information to determine whether or not the data at the base of the first computer needs to be held domestically, and if the data needs to be held domestically, the second computer further transmits the second management information. The appropriateness of the storage status of the personal information by the first computer is determined by determining whether the first computer stores the personal information in a form that complies with domestic retention regulations. The personal information management system according to claim 1, characterized in that the personal information management system makes a judgment. The second calculator is
Either the data does not need to be retained domestically at the base of the first computer, or it is necessary to retain the data domestically at the base of the first computer, but the first computer complies with domestic retention regulations. determines that the storage status of the personal information by the first computer is appropriate;
If it is determined that the data needs to be retained domestically at the base of the first computer, but it is determined that the first computer does not store the personal information in a form that complies with domestic retention regulations, The personal information management system according to claim 2, wherein the computer determines that the storage status of the personal information is inappropriate. When the first computer is requested to transfer the personal information it manages to the other first computer,
Based on the judgment result of the appropriateness of the storage status of the personal information by the second computer and whether the requested transfer is a transfer type in which data is left at the transfer source, the personal information is stored at the own base. A request characterized in that the transfer of the personal information is permitted if it is determined that domestic retention is unnecessary, or if it is determined that domestic retention of the personal information is necessary and possible at the own base. Personal information management system described in Section 3. When the transfer of personal information to the other first computer is requested, the first computer determines whether the specified transfer of personal information corresponds to re-transfer, and determines whether the transfer corresponds to re-transfer. If you wish to do so, please contact the second computer regarding the pros and cons of relocation.
The second computer that received the inquiry will determine the pros and cons of re-transfer, and if the personal information to be transferred needs to be retained domestically and it is possible to do so, the second computer will We will check the storage status of the personal information of the transfer source with respect to the specific first computer that manages the information, and if the storage status is appropriate, we will determine that the re-transfer is appropriate. and notify the first computer of the determination result,
The first computer may permit the transfer of the personal information to the other first computer when receiving a judgment result from the second computer that the re-transfer is appropriate. The personal information management system according to claim 3. The second calculator is
Calculate each country's regulatory level regarding the transfer of personal information based on the presence or absence of domestic retention regulations in each country, the number of types of personal information, and the presence or absence of transfer regulations.
In determining the pros and cons of the re-transfer, we will further consider the basis for the re-transfer, the country where the personal information was acquired, the regulations in the country of acquisition, and the strength and weakness of the regulatory levels between the country of acquisition and the country where the re-transfer is located. , determine the suitability of relocation;
Even if it is determined that the re-transfer is inappropriate, for the specific first computer that manages the personal information of the previous transfer source and the first computer of the re-transfer destination, 6. The personal information management system according to claim 5, wherein the personal information management system determines that retransfer is appropriate when a request is made to form an agreement regarding the handling of personal information and a response is received that the agreement can be formed. The second computer periodically determines the appropriateness of the storage status of the personal information by the first computer, and if it is determined to be inappropriate, prohibits the transfer of the personal information to the first computer. 3. The personal information management system according to claim 2, wherein the personal information management system notifies the computer. The second computer periodically checks the appropriateness of the storage status of the personal information by the first computer and the appropriateness of the storage status of the personal information of the previous transfer source by the specific first computer. 7. The personal information management system according to claim 6, wherein the personal information management system determines based on the following. A personal information transfer control method using a personal information management system that manages transfer control of personal information handled at bases in each country,
The personal information management system includes a plurality of first computers that manage personal information handled at their own bases, and a second computer that centrally manages personal information managed by the plurality of first computers, which are networked. connected via
The first computer has first management information in which information regarding personal information handled at its own base is registered,
The second computer has second management information in which information regarding each personal information managed by the plurality of first computers is registered, and data localization information indicating domestic data retention regulations established in each country. have,
a first step in which the first computer sets setting information of predetermined items related to personal information handled at its own base in the first management information and notifies the second computer of the set setting information;
a second step in which the second computer updates the second management information based on the setting information notified from the first computer in the first step;
After the second step, the second computer uses the data localization information and the second management information to obtain the first computer based on the domestic retention regulations applicable to the base of the first computer. a third step of determining the appropriateness of the storage status of the personal information by the first computer and notifying the first computer of the determination result;
Based on the judgment result of the appropriateness of the storage status of the personal information by the second computer in the third step, the first computer transfers the personal information to another first computer across countries. a fourth step of controlling permission or prohibition of transfer;
A personal information transfer control method comprising:

Images