JP3918023B2 - Personal information management system - Google Patents

Description

  The present invention relates to a technique for searching an electronic file including personal information that can identify a specific individual as a personal information file and managing the searched personal information file.

  In recent years, with an increase in awareness of protection of personal information, it has been desired to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information. In addition, along with the enforcement of the Personal Information Protection Law, a business operator handling personal information receives a request for disclosure or correction of personal information from each individual while preventing the leakage, leakage or unauthorized use of personal information. It is obliged to disclose and correct personal information.

  Here, the personal information is information that can identify a specific individual by itself or in combination, and includes, for example, name, date of birth, contact information (address, address, telephone number, e-mail address). Customer information, business partner information, etc. stored and handled in various companies often fall under the category of personal information, and in the future, companies that handle a lot of such personal information will be obligated as above as a personal information handling business operator. Must be fulfilled.

  In order to fulfill the obligations described above, it is essential to centralize personal information by introducing a central management system for personal information. However, in reality, personal information such as customer information and business partner information is dispersed in a company's personal computer (hereinafter sometimes abbreviated as PC) and servers in each department. Often exists. More specifically, individual employees store their personal information (customer information, etc.) on their PCs for their own work, or a central database or a subset of personal information collected by each employee. It exists in various PCs.

  For this reason, when constructing the centralized management system or attempting to fulfill the above obligations in a distributed state, the administrator must first separate the personal information that is scattered within the company. It is necessary to identify what kind of personal information exists in the company, but at present, the personal information is identified by the manager instructing each employee to be a company-wide It will be carried out with the cooperation of the department.

For example, in Patent Document 1 below, in accordance with the enforcement of the Personal Information Protection Law, a technology for providing a personal information protection service that prevents personal information from being leaked or leaked or being used illegally is “processing of a personal information protection service business. Method and apparatus "have been proposed and disclosed. However, the following Patent Document 1 does not disclose any technique related to the identification of personal information as described above.
JP 2002-183367 A

However, when personal information is identified with human cooperation such as reporting from each employee, not only is it time-consuming, but it is difficult to reliably identify all personal information without omission. In particular, when personal information is increasingly distributed, it is extremely difficult to identify personal information.
In addition, if there is an omission in the identification of personal information, not only the above obligations can be fulfilled, but the status of the personal information cannot be managed, and there is a risk of inadvertent leakage or leakage of personal information or unauthorized use of personal information. is there.

Accordingly, it is desired to reliably search and manage all personal information files distributed and distributed in a large number of terminals in the company.
Further, in order to reliably identify a personal information file newly created / added in each terminal, for example, it is necessary to periodically search the personal information file. However, if the above-described periodic search is performed on all data in each terminal, a great amount of processing time is required for each search. For this reason, it is also desired that the personal information file can be efficiently searched by a search method corresponding to each terminal.

  The present invention was devised in view of such a situation, and without obtaining human cooperation and applying a special load to the person in charge, for example, personal information files existing in a distributed manner within a company or the like. Ensures that the information can be explored and managed, so that it can respond to requests for disclosure and correction of personal information, and that personal information is inadvertently leaked and leaked, and that personal information is illegally used. The purpose is to prevent. Another object of the present invention is to make it possible to efficiently and reliably search for a personal information file newly created and added in each terminal.

In order to achieve the above object, a personal information management system according to the present invention is connected to a plurality of client terminals so that they can communicate with each other via a network, and a personal information file in the plurality of client terminals. A personal information management server for managing a personal information search program, and a plurality of client terminals in which a personal information search program for searching a personal information file is resident, and the personal information search program A first personal information search means for searching for a personal information file by executing the personal information search program, and a second client terminal not resident in the first client terminal. Detection means for detecting addition / change of file, and detection means When the addition / change of a file is detected, the personal information search program is activated to perform real-time search for determining whether the added / changed file is a personal information file. And when the first personal information searching means determines that the file is a personal information file, the determination result by the first personal information searching means is sent to the personal information via the network. A transmission means for transmitting to the management server, and the personal information management server searches for a personal information file in the second client terminal via the network by executing the personal information search program. (2) When the personal information file is last searched regularly by the personal information search means and the second personal information search means Of, as the information about the file in the second client terminal, and a file information storage means for storing at least file creation / update date, file size, file name,
The latest information on the file in the second client terminal is compared with the information stored in the file information storage means, and the file creation / update date, file size, and file name as the information are newly added. Add or change a file in which at least one of the file creation / update date / time, file size, and file name as the information has been changed, from the time when the personal information file was last searched until the present time as differencing files, determined the difference extraction means for periodically extracting from the second client terminal via the network, the difference file extracted by said difference extracting means whether the personal information file And a second control means for causing the second personal information search means to execute periodic search. It is characterized in that there.

  In this personal information management system, the first control unit first causes the first personal information search unit to search for a personal information file for all data in the first client terminal, and then It is preferable to execute a real-time search, and the second control unit causes the second personal information search unit to first search a personal information file for all data in the second client terminal. From the above, it is preferable to execute the regular exploration.

Further, the personal information management server, to the client terminals connected to the network, and installation means for installing the private information exploration program in response to a request from the user of the client terminal, the first personal information prospecting A digital signature means for giving a digital signature to the personal information file searched by the means or the second personal information search means may be provided.

  At this time, the personal information management server forcibly collects the personal information file from the client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. Alternatively, the collected personal information file may be stored in a folder accessible only to the administrator. In addition, the personal information management server outputs the personal information file to the outside from a client terminal that stores the personal information file searched by the first personal information searching means or the second personal information searching means. May be forcibly prohibited, or warning information may be notified to the client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means.

  Further, the personal information file searched by the first personal information searching means or the second personal information searching means is monitored in each of the plurality of client terminals, and when access to the personal information file occurs, Access monitoring means for notifying the personal information management server of the fact may be provided.

  The personal information management system further includes a file access management server that is communicably connected to the personal information management server and manages access to the electronic file. The personal information management server further includes the first personal information management server. The file access management server may be configured to manage access to the personal information file searched by the searching means or the second personal information searching means.

  The personal information search program causes the computer to realize a function of determining whether the determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual. Extraction means for extracting text data included in the determination target file, extraction means for extracting a character section delimited by a delimiter from the text data extracted by the extraction means, and the extraction means Personal information other than the name by determining whether the character string in the extracted character section satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition Determine whether the element is one of the phone number, e-mail address, or address The first determination means, the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and the characters in the character section are kanji Character judging means for judging whether or not there is a character or character string included in the character section and the name of the character section that is judged to be kanji by the character judging means. Collating means for judging whether or not the character section includes the inappropriate character or the inappropriate character string by collating with the inappropriate character or the inappropriate character string preset as no kanji or the Chinese character string, And the number of character sections determined by the first determination means to correspond to any one of a telephone number, an e-mail address, and an address, The number of character sections determined not to include the inappropriate character or the inappropriate character string by the matching unit is counted, and based on the count result, whether the determination target file is a personal information file. The computer may be caused to function as second determination means for determining whether or not.

  At this time, in the first determination means, it is determined whether or not the character string in the character section cut out by the cutting means corresponds to a telephone number, and if it does not correspond to a telephone number, it corresponds to an e-mail address. When it is determined not to be an e-mail address, it is determined whether it corresponds to an address, and when it is determined that it corresponds to any one of a telephone number, an e-mail address, and an address, The determination process for the character string may be terminated.

Further, the second determination means regards the character string in the character section determined not to include the inappropriate character or the inappropriate character string by the matching means as a personal information element corresponding to the name, and It may be determined whether or not the file is a personal information file.
Further, the second determination means and the number of character sections determined by the first determination means as corresponding to any one of a telephone number, an e-mail address, and an address based on the counting result and the collation A determination value that increases as the number of character sections determined not to include the inappropriate character or inappropriate character string by the means increases, and the determination is made when the calculated determination value exceeds a predetermined threshold It may be determined that the target file is a personal information file.

Then, the personal information management server manages the determination target file according to the determination value calculated by the second determination unit, or by the first personal information search unit or the second personal information search unit. The searched personal information file may be a management target, and the personal information file may be managed according to the determination value calculated by the second determination unit.
The personal information management system of the present invention is connected to a plurality of client terminals and the plurality of client terminals so that they can communicate with each other via a network, and manages personal information files in the plurality of client terminals. A first client terminal in which a personal information search program for locating a personal information file is resident and a second client in which the personal information search program is not resident. A first personal information search means for searching for a personal information file by executing the personal information search program, and adding / changing a file in the first client terminal. Detection means for detecting, and addition / addition of files by the detection means A first personal information exploration unit that activates the personal information exploration program to detect whether the added / changed file is a personal information file when a change is detected; When the control unit and the first personal information search unit determine that the file is a personal information file, the determination result by the first personal information search unit is transmitted to the personal information management server via the network. A second personal information search unit configured to search for a personal information file in the second client terminal via the network by executing the personal information search program by the personal information management server. And the second client at the time when the personal information file was last searched by the second personal information searching means. A file information storage means for storing information on the file in the second terminal, the latest information on the file in the second client terminal and the information stored in the file information storage means, and finally a periodic search of the personal information file A file extracted / added from the time of the execution to the present time as a difference file, and periodically extracted from the second client terminal via the network, and extracted by the difference extraction unit And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the difference file is a personal information file. Is a personal information file that has a predetermined number or more of personal information elements that can identify a specific individual A computer for realizing a function for determining whether or not, an extraction means for extracting text data contained in the file to be determined, the text data extracted by the extraction means, delimited by a delimiter character Cutting means for cutting out character sections, and whether a character string in the character section cut out by the cutting means satisfies any one of preset telephone number determination conditions, e-mail address determination conditions, and address determination conditions The first determination means for determining whether or not one of the telephone number, the e-mail address, and the address, which is a personal information element other than the name, corresponds to the first determination means. The number of characters in the character section that is determined not to correspond to any of the telephone number, e-mail address, or address by Character determining means for determining whether or not a character in the same character section is a kanji, and for the character section determined by the character determining means to be in the predetermined range and to be a kanji, By comparing the included character or character string with an inappropriate character or inappropriate character string preset as a Chinese character or character string that cannot appear in the name, the relevant character section becomes the aforementioned inappropriate character or inappropriate character. A collation unit for determining whether or not a column is included, and a number of character sections determined by the first determination unit to correspond to any one of a telephone number, an e-mail address, and an address, and the collation unit The number of character sections determined not to include the inappropriate character or the inappropriate character string is counted, and based on the counted result, the determination is made. A second determination unit that determines target file whether the personal information file is characterized in that the functioning of the said computer.

  According to the personal information management system of the present invention described above, in the first client terminal in which the personal information search program is resident, when the addition / change of a file is detected, the personal information search program is started and real-time search is performed. It is determined whether the file that has been executed and added / changed is a personal information file, and the determination result is transmitted to the personal information management server. On the other hand, the file in the second client terminal that does not have the personal information search program resident is managed by the personal information management server, and the latest information on the file in the second client terminal and finally the personal information file is periodically searched. The difference with the information about the file at the time is regularly monitored, the file corresponding to the difference is extracted from the second client terminal to the personal information management server side (sucked up), and the periodic exploration is executed and sucked up The personal information management server determines whether or not the file is a personal information file.

As a result, the personal information file on the terminal resident in the personal information search program and the personal information file on the terminal non-resident in the personal information search program can be automatically searched and placed under the management of the personal information management server. It becomes possible.
At that time, first, the personal information search program is executed only once for all data in the terminal where the personal information search program is resident, and the personal information management server for the terminal which is not resident for the personal information search program via the network. If the search of the personal information file is executed only once for all the data, after that, as described above, only the search (determination) for the added / changed file or the difference file is performed. Without conducting a search for all data, a personal information file newly created and added in each terminal can be searched very efficiently and reliably.

  Therefore, without obtaining human cooperation and without placing a special burden on the person in charge, for example, it is possible to reliably search and manage personal information files that exist in a distributed manner within a company, etc. The purpose is to ensure that personal information disclosure requests and correction requests can be dealt with, and to prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  At this time, at least the file creation / update date / time, file size, and file name can be used as the file-related information for extracting the difference file in the second client terminal. By simply recognizing the addition, the difference file can be recognized and extracted very easily.

  In addition, by configuring the personal information management server to install a personal information search program in response to a request from the user of the client terminal for the client terminal connected to the network, Since the user can select and set resident / non-resident personal information exploration program, if the user requests non-resident personal information exploration program for reasons such as memory capacity or compatibility with other programs It is possible to respond to the request and the convenience is enhanced. The terminal for which non-resident is selected / set is handled as the above-described second client terminal, and is subject to periodic search by the personal information management server.

  Further, by giving a digital signature to the personal information file searched in the personal information management system of the present invention, it can be ensured that the personal information file has not been tampered with, and counterfeiting by a third party can be prevented. be able to.

  In addition, the personal information file searched in the personal information management system of the present invention is managed by the personal information management server, and the personal information file is forcibly captured and collected from the client terminal, or the collected personal information file is managed by the administrator. Stored in a folder that can be accessed only by the client, forcibly prohibiting the personal information file from being output to the outside from the client terminal, or notifying the client terminal storing the personal information file of warning information The access to the personal information file can be managed by the file access management server, and the inadvertent leakage or leakage of personal information or unauthorized use of personal information can be more reliably prevented.

  Further, each client terminal monitors the searched personal information file, and when an access to the personal information file occurs, by notifying the personal information management server to that effect, the access to the personal information file is It is tracked and managed by the personal information management server, and unauthorized use of personal information can be prevented more reliably.

  On the other hand, in the personal information management system of the present invention, according to the personal information search function realized by executing the personal information search program on a computer, any personal information element (phone number, e-mail address, or address) other than the name is used. Character sections that do not fall under the category (1) and contain improper characters or improper character strings are not considered to be related to personal information, but do not fall under personal information elements other than names and are inappropriate characters or inappropriate Character sections that do not contain character strings are considered to be related to personal information, particularly name.

  Therefore, for character sections determined to correspond to personal information elements other than names (one of phone numbers, e-mail addresses, and addresses), the determination process is terminated when the determination is made and Only character sections that are determined not to be personal information elements are checked against inappropriate characters or inappropriate character strings, and it is determined that even one inappropriate character or inappropriate character string is included in the character section. The collation process can be terminated at the point in time, so that the name collation process can be performed at a higher speed than the conventional method of collating with all the name strings included in the name list, that is, the personal information file is searched. Processing can be performed at high speed. In addition, since all character sections that do not contain inappropriate characters or inappropriate character strings are considered to correspond to names, data aggregates that do not contain inappropriate characters or inappropriate character strings for names, that is, include name information An electronic file that is highly likely to be a personal information file can be reliably searched.

  In addition, by further providing the character determination means, the character section does not correspond to a personal information element other than a name and does not include an inappropriate character or an inappropriate character string, and the number of characters in the character section is within a predetermined range. Can be regarded as information about the name, and the name collation accuracy can be improved, and the name collation process can be performed at high speed. Can do. At this time, by setting the predetermined range to a general (appropriate) number range for the number of characters of the name, for example, 1 to 6, the name collation accuracy can be further improved, and the name collation process Can be performed at a higher speed. In addition, since a long character section exceeding the predetermined range can be excluded from the object to be collated by the collating means, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Become.

  Then, the personal information management server manages the determination target file and the personal information file according to the determination value calculated for each determination target file by executing the above-described personal information search program. For each personal information file, it is possible to select and execute a management method according to the judgment value level (high possibility of being a personal information file / the number of personal information elements).

Embodiments of the present invention will be described below with reference to the drawings.
[1] Configuration of Personal Information Management System According to this Embodiment FIG. 1 is a block diagram showing the configuration of a personal information management system as an embodiment of the present invention. As shown in FIG. The management system 1 includes a personal information management server 20 and a file access management server 30 in addition to a plurality of client terminals 10, and these terminals 10 and servers 20, 30 are connected to a network [for example, an in-house LAN (Local Area Network). ]] Are connected to each other via 40.

Each client terminal 10 is constituted by a terminal device such as a personal computer (PC) used by each employee (user) in the company or the like, and has a functional configuration as described later with reference to FIGS. Have.
The personal information management server 20 is connected to a plurality of client terminals 10 and the file access management server 30 via the network 40 so as to be able to communicate with each other, and manages personal information files in each client terminal 10, see FIG. However, it has a functional configuration as described later.

  In the present embodiment, the personal information file holds a predetermined number or more of records including personal information, and the personal information is information that can identify a specific individual by itself or in combination as described above ( Various personal information elements), such as name, date of birth, contact information (address, address, telephone number, mail address), etc. In addition to these, personal information includes titles, basic resident register numbers, account numbers, credit card numbers, license numbers, passport numbers, and the like.

  The file access management server 30 is connected to the plurality of client terminals 10 and the personal information management server 20 via the network 40 so as to be able to communicate with each other, and manages access to an electronic file (a personal information file in this embodiment). 6 has a functional configuration as will be described later with reference to FIG.

  In the present embodiment, as the plurality of client terminals 10, a first client terminal (personal information search program resident terminal) 10A in which a personal information search program (described later) for executing a search for personal information files is resident is provided. And the second client terminal (personal information search program non-resident terminal) 10B not resident in the personal information search program. The first client terminal 10A has a functional configuration as described later with reference to FIGS. 2 and 3, and the second client terminal 10B has a functional configuration as described later with reference to FIG. . In the following description, reference numerals 10A and 10B are used when the first client terminal and the second client terminal need to be specified, respectively, and reference numeral 10 is used when it is not necessary to specify.

[1-1] Functional Configuration of First Client Terminal of the Present Embodiment FIG. 2 is a block diagram showing a functional configuration of the first client terminal (personal information search program resident terminal) 10A of the present embodiment, and is shown in FIG. As described above, the first client terminal 10A according to the present embodiment includes a CPU (Central Processin Unit) 10a that executes various processes and a storage unit 10b that can hold an electronic file including personal information and the like, as well as personal information management. A quarantine table 10c provided from the server 20 and a P mark (privacy level mark; a level indicating a high possibility of being a personal information file) of an electronic file held in the storage unit 10b. P mark table 10d that holds the level), and as will be described later, from personal information management server 20, C Installed personal information exploration program for functioning as the first personal information search unit 11 to be described later U10a.

  Here, the storage unit 10b is a hard disk built in the client terminal 10A (10), a storage device connected to or externally attached to the client terminal 10A (10), such as a flexible disk, CD (CD-ROM, CD-R). , CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-RW, DVD + R, DVD + RW, etc.), magnetic disk, optical disk, magneto-optical disk, IC card, ROM cartridge, magnetic tape, etc. This is a storage device using the recording medium. The quarantine table 10c and the P mark table 10d described above may be held in a RAM (Random Access Memory), a hard disk, or the like that constitutes the client terminal 10A, or may be held in the storage unit 10b.

  The CPU 10a functions as the first personal information exploration means 11, the detection means 12, the first control means 13, the access monitoring means 14, and the transmission / reception means 15. These functions are stored in the personal information as described later by the CPU 10a. It is assumed to be realized by executing a personal information search program installed from the management server 20.

  The first personal information search means 11 functions as a text extraction engine that converts the electronic file stored in the storage unit 10b into a text file by executing a personal information search program installed from the personal information management server 20. The quarantine table 10c functions as a search engine for searching for a personal information file from data in the storage unit 10b. That is, the first personal information exploration means 11 refers to various electronic files existing in the storage unit 10b of the first client terminal 10A according to the condition (quarantine table 10c) instructed from the personal information management server 20, and the personal information file The file determined to be a personal information file is written in a log (local cache database). In the present embodiment, the P mark determined based on the determination result (determination value) obtained by the first personal information searching unit 11 is registered in the P mark table 10d. Details of the functional configuration of the first personal information searching means 11 will be described later with reference to FIG.

The detection means 12 detects a change to an electronic file already stored in the storage unit 10b of the first client terminal 10A and addition of a new electronic file to the storage unit 10b.
The first control means 13 starts with the first personal information search means 11 in the procedure described later with reference to FIG. 7 (first time when the personal information management system 1 is started up / when the personal information search program is installed / first As will be described later with reference to FIG. 8, the detection means is configured to search the personal information file only once for all data in the storage unit 10 b of the first client terminal 10 </ b> A when the client terminal 10 </ b> A is newly connected. 12 each time detects the additional or changed files, the personal information to start the exploration program, real-time probing the first personal information search means judges added or modified file whether the personal information file 11 To be executed.
Personal information management system, characterized by

  The access monitoring unit 14 monitors an electronic file (an electronic file given a P mark) that has been searched by the first personal information searching unit 11 and determined to be a personal information file, and accesses the electronic file (for example, renaming). , Data change due to copying, erasing, moving, etc.) is written as log information and notified to the personal information management server 20 through the transmission / reception means 15.

  The transmission / reception means 15 transmits / receives various information to / from the personal information management server 20 (or the file access management server 30) via the network 40, and the determination result by the first personal information search means 11 is sent to the personal information management server. It functions as a transmission means for transmitting to the network 20. When the transmission / reception unit 15 functions as the transmission unit, a difference between the determination result (link destination information and determination value of the personal information file) and the search result transmitted last time is obtained, and the difference is transmitted to the personal information management server 20. In addition to transmission, information to be transmitted may be encrypted.

[1-2] Functional configuration of the second client terminal of the present embodiment FIG. 3 is a block diagram showing the functional configuration of the second client terminal (personal information search program resident non-terminal) 10B of the present embodiment. As shown, the second client terminal 10B of the present embodiment also includes a CPU 10a and a storage unit 10b similar to those of the first client terminal 10A, but the second client terminal 10B includes the CPU 10a as the first client terminal 10B. The personal information search program for functioning as the personal information search means 11 is not installed, and the CPU 10a of the second client terminal 10B performs the functions as the access monitoring means 14 and the transmission / reception means 15 similar to those described above. It has become. The function is realized by executing a program installed in advance in the second client terminal 10B or a program installed from the personal information management server 20.

  The access monitoring unit 14 of the second client terminal 10B is an electronic file (P) that is searched for by the second personal information searching unit 204 (see FIG. 5) on the personal information management server 20 side and determined as a personal information file, as will be described later. When an access to the electronic file (for example, data change by renaming, copying, erasing, moving, etc.) occurs, the fact is written out as log information and sent through the transmission / reception means 15 The information management server 20 is notified.

  Here, information about the P mark, which is the determination result by the second personal information search means 204 (see FIG. 5), is assigned to each electronic file as a flag, and the access monitoring means 14 refers to the flag to thereby store the personal information. The file (P mark) may be recognized, or a P mark table 10d similar to that of the first client terminal 10A is provided in the second client terminal 10B, and the access monitoring means 14 refers to the P mark table 10d. By doing so, the personal information file (P mark) may be recognized.

  The transmission / reception means 15 of the second client terminal 10B transmits / receives various information to / from the personal information management server 20 (or the file access management server 30) via the network 40, like the first client terminal 10A. As described above, in addition to performing the function of notifying the personal information management server 20 of the access log monitored by the access management means 14, in response to a request from the personal information management server 20, everything in the second client terminal 10 B is performed. Or the difference file described later is transmitted to the personal information management server 20, or the latest information on all files (for example, file creation / update date, file size, file name) in the second client terminal 10B (storage unit 10b). From the file directory It is adapted to perform a function of or send Te.

[1-3] Detailed Functional Configuration of First Personal Information Searching Unit of This Embodiment FIG. 4 is a block diagram showing a detailed functional configuration of the first personal information searching unit 11 in the first client terminal 10A of this embodiment. As shown in FIG. 4, the first personal information searching means 11 of the present embodiment includes an extracting means 111, a cutting means 112, a first determining means 113, a character determining means 114, a collating means 115, and a second determining means. These functions are also realized by the CPU 10a executing a personal information search program installed from the personal information management server 20 as will be described later.

The extraction unit 111 extracts text data [for example, CSV (Comma Separated Value) format data] of an electronic file (determination target file) in the storage unit 10b, and functions as the text extraction engine.
The cutout unit 112 cuts out character sections delimited by delimiters from the text data extracted by the extraction unit 111 and sequentially writes them in a buffer (not shown) as a determination target / collation target. Here, the delimiter is, for example, a half-width space, a half-width comma (half-width comma + half-width space is also regarded as a half-width comma), a tab character (half-width), CR (Carrige Return), or LF (Line Feed).

  In addition, symbols other than alphanumeric characters, katakana, hiragana, and kanji characters, such as hyphens, underbars, and parenthesis symbols, are removed from the character section cut out by the cutting means 112. In the present embodiment, it is assumed that the cutting means 112 has a function of removing the symbol characters as described above.

  The first determination unit 113 uses a personal information element (specifically, in the present embodiment, a telephone) in which a character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting unit 112 is removed. In order to determine whether or not any one of a number, an e-mail address, and an address), functions as a telephone number determination unit 113a, an e-mail address determination unit 113b, and an address determination unit 113c are provided. . Note that the first determination unit 113 of the present embodiment performs the character string determination process in order of lighter determination processing load, that is, in the order of telephone number, e-mail address, and address.

  The telephone number determination means 113a determines whether or not the character string corresponds to a telephone number. If the character string satisfies the telephone number determination condition set in the quarantine table 10c, the character string is a telephone number. It judges that it corresponds to a number, notifies that to the 2nd judgment means 116, and ends the judgment processing by the 1st judgment means 113 to the above-mentioned character string. In the present embodiment, it is assumed that the telephone number determination condition includes a 9-15 digit number in the character string.

  The e-mail address determination unit 113b determines whether or not the character string corresponds to a telephone mail address when the telephone number determination unit 113a determines that the character string does not correspond to a telephone number. If the character string satisfies the e-mail address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to the e-mail address, and that is notified to the second determination means 116. The determination process by the first determination unit 113 is terminated. In the present embodiment, the e-mail address determination condition is as follows: “One or more ASCII (American Standard Code for Information Interchange)” + “@ (at sign)” + “One or more ASCII characters” + “. It is assumed that a character string “dot)” + “ASCII of one or more characters” is included. In this case, the shortest e-mail address is “a@a.a”, for example.

  The address determination unit 113c determines whether or not the character string corresponds to an address (residence) when the e-mail address determination unit 113b determines that the character string does not correspond to an e-mail address. When the character string satisfies the address determination condition set in the quarantine table 10c, it is determined that the character string corresponds to the address, and the second determination means 116 is notified of this. In the present embodiment, the address determination condition includes a character string of “one or more double-byte characters” + “city” or “city” or “county” + “one or more double-byte characters” in the character string. Suppose that At this time, if the arithmetic processing capability of the CPU 10a is sufficiently high, it may be added to the address determination condition that a 7-digit number corresponding to the postal code is included in addition to the character string. In addition, the address determination condition is that the character string includes a 7-digit numeric string corresponding to the postal code or “3-digit numeric string” + “− (−” instead of the above-described conditions. Hyphens) ”+“ a digit string of four digits ”may be included.

  The character determination unit 114 sets the character string in the quarantine table 10c when the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. Specifically, it is determined whether the number of characters in the character string is within a predetermined range and whether all the characters in the character string are kanji. In the present embodiment, the character determination condition is that, as described above, the number of characters in the character string is within a predetermined range and all the characters in the character string are kanji characters. Is set to a general (appropriate) number range, for example, 1 to 6 as the number of characters of the name (including only the last name and only the name).

  The collating unit 115 is a character section determined by the first determining unit 113 as not corresponding to any of a telephone number, an e-mail address, and an address, and is further within the predetermined range by the character determining unit 114 and For a character section in which all characters are determined to be kanji, a character / character string included in the character section and an inappropriate character / inappropriate character string preset as a character / character string that cannot appear in the name Is checked to determine whether or not the character section includes an inappropriate character / unsuitable character string, and the result of the verification determination is notified to the second determination means 116.

  Here, the inappropriate character / unsuitable character string is preset in the quarantine table 10c. For example, Tokyo, Osaka, Yokohama, Kyushu, Hokkaido, Kyoto, capital, individual, school, store, stock, prefecture, university , Gakuin, Tokyo Stock Exchange, Research, Administration, General Affairs, Accounting, Sales, Administration, Pharmaceutical, Sales, School, Education, Specialty, Architecture, Machine, Corporation, Factory, Manufacturing, Technology, Commerce, Books, Unknown, Deputy Director, Public, Publication , Advertising, Broadcasting, Target, Wholesale, Retail, Planning, HR, Information, Department, President, Regulatory, General Manager, Section Manager, Section Manager, Officer, Head Office, Branch Office, Business, Business, Education, Precision, Oil, Transportation, Management, Strategy , Materials, engineer, electricity, production, tax, public relations, transportation, chief, computer, finance, office work, development, policy, production, economy, industry, finance, banking, research, English, quality, warranty, equipment, charge, chief , Director, Audit, Support, Design, Insurance, Safe, Business, Representative, Transportation, First, No. , Third, Fourth, Fifth, Sixth, Seventh, Eighth, Ninth, Special Sales, Facility, Name, Mail, Name, Name, City Hall, Affiliation, Characteristic, Childhood, Christianity, Association, Church, Union , Cult, commerce, nationwide, branch, contact, parliament, life, consumption, promotion, city hall, ward office, general, modification, function, overview, composition, company, organization, association, deletion, document, deadline, valid A character / character string that cannot appear in a full name, that is, a character / character string inappropriate as a name.

  The second determination means (determination means) 116 is based on the determination result by the telephone number determination means 113a, the e-mail address determination means 113b and the address determination means 113c in the first determination means 113 and the verification determination result by the verification means 115. It is determined whether or not the determination target file is a personal information file.

  More specifically, the second determination unit 116 receives notification of determination results from the telephone number determination unit 113a, the e-mail address determination unit 113b, and the address determination unit 113c. Counts the number of character sections considered to be applicable, and receives the collation determination result from the collating means 115, and the character section determined by the collating means 115 as not including an inappropriate character / inappropriate character string as the name Count the number.

  Then, the second determination means 116 is based on the counting results (four count values; the number of telephone numbers, the number of e-mail addresses, the number of addresses, the number of names) for each of the telephone number, the e-mail address, the address, and the name. A determination value that increases as these count values increase is calculated. For example, the second determination means 116 may calculate the sum of four count values as the determination value, or set a weighting factor in advance for each of the telephone number, e-mail address, address, and name. The sum of the multiplication results of the weighting coefficient and the count value for the personal information element may be calculated as the determination value, and various methods for calculating the determination value are conceivable.

  When the determination value as described above is calculated, the second determination unit 116 determines whether or not the determination target file is a personal information file based on the determination value. Specifically, when the determination value exceeds a predetermined threshold, it is determined that the determination target file is a personal information file. When making such a determination, the second determination means 116 further assigns a P mark (private level mark) according to the size of the determination value to the determination target file and sets it in the P mark table 10d. Register and rank. As described above, the P mark is a level indicating the high possibility that the determination target file is a personal information file. The larger the determination value, the higher the P mark is set.

  For example, when the determination value is 10 or more, it is determined that the determination target file is a personal information file. When the determination value is 10 or more and less than 100, “P1” is assigned as the P mark, and when the determination value is 100 or more and less than 1000, “P2” is assigned as the P mark. When it is 1000 or more and less than 10,000, “P3” is assigned as the P mark, and when the determination value is 10000 or more, “P4” is assigned as the P mark. The predetermined threshold for determining the personal information file and the reference value for determining the P mark are set as appropriate from the personal information management server 20 (a management console 24 described later). In addition, although the P mark is ranked into four “P1” to “P4” here, the number of ranks is not limited to this.

  The P mark (P mark table 10d) assigned to the determination target file as described above is transmitted to the personal information management server 20 via the transmission / reception means 16 and the network 40, and collected as described later with reference to FIG. The data is stored in the database 20b by the means 23. Then, an electronic file (determination target file / personal information file) to which the P mark is assigned is described later as a personal information file by the personal information management server 20 (personal information management means 208 described later) according to the rank of the P mark. It is managed as it is.

[1-4] Functional Configuration of Personal Information Management Server of this Embodiment FIG. 5 is a block diagram showing the functional configuration of the personal information management server 20 of this embodiment. As shown in FIG. The information management server 20 includes a CPU 20a that executes various processes, a database (RDB: Relational DataBase) 20b that stores and saves log information and personal information files from each client terminal 10, and a log that is saved in the database 20b. The display unit 20c displays various information including information and personal information.

  The CPU 20a includes client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information management means 208, display control means 209. These functions are realized by the CPU 20a executing a personal information management server program (including a personal information search program).

  The client information collecting unit 201 transmits and receives data to and from the network 40 when starting the search and management of the personal information file, such as when the personal information management system 1 is started up or when a new client terminal 10 is connected to the network 40. Client information (host information) is collected from the client terminals 10 that are communicably connected via the means 210, and the client terminal 10 to be searched and managed in the personal information file is recognized. At this time, information on whether or not each client terminal 10 requests installation of the personal information search program described above (whether or not the personal information search program is desired to reside) is also collected.

  In response to a request from the user of the client terminal 10 (10B), the installation unit 202 transmits the above personal information search program to the network 40 and the transmission / reception unit for the client terminal 10 (10B) connected to the network 40. It is installed via 210. The client terminal 10 in which the personal information search program is installed by the installation means 202 becomes the first client terminal (personal information search program resident terminal) 10A, and the client terminal 10 in which the personal information search program is not installed is the second client terminal ( Personal information exploration program non-resident terminal) 10B.

  The collection unit 203 receives and collects the personal information file search results (link information, determination value, P mark, etc. of the personal information file) executed by the first client terminal 10A via the network 40 and the transmission / reception unit 210. In addition to performing the function of storing in the database 20b, in order to search for the personal information file in the second client terminal 10B, all files in the second client terminal 10B are transferred via the network 40 and the transmission / reception means 210 during the initial search. The second client terminal 10B has a function of sucking up a difference file (described later) via the network 40 and the transmission / reception means 210, a first search, and a periodic search. The latest in the client terminal 10B The Airu information (described later), a function to suck via the network 40 and the transmitting and receiving unit 210 also fulfills.

  The second personal information search means 204 searches the personal information file in the second client terminal 10B via the network 40 by executing the above-described personal information search program by the CPU 20a. The file extracted from the second client terminal 10B by the means 203 is set as a determination target, and it is determined whether or not the file is a personal information file.

  Similar to the first personal information search unit 11 described above, the second personal information search unit 204 functions as a text extraction engine that converts the determination target file into a text file, and also includes a quarantine table 20b-1 in the database 20b (the above-mentioned first personal information search unit 204). The same as the quarantine table 10c in the first client terminal 10A), and functions as a search engine that searches for the personal information file from the data in the storage unit 10b of the second client terminal 10B. That is, the second personal information search unit 204 searches for a personal information file by referring to various electronic files existing in the storage unit 10b of the second client terminal 10B according to the quarantine table 20b-1, and is a personal information file. A file determined to be written to the log. In the present embodiment, the P mark determined based on the determination result (determination value) obtained by the second personal information exploration means 204 is the P mark table 20b-2 in the database 20b (the first client described above). The same as the P mark table 10d in the terminal 10A).

  The second personal information searching unit 204 has the same functional configuration as that of the first personal information searching unit 11 shown in FIG. 4, but the second personal information searching unit 204 stores it in the extracting unit 111. The collection unit 203 is connected instead of the unit 10b, and the quarantine table 20b-1 and the P mark table 20b-2 are used instead of the quarantine table 10c and the P mark table 10d. In addition, the transmission / reception means 210 is connected to the second determination means 116 instead of the transmission / reception means 16 so that the determination result by the second personal information search means 204 is notified to the second client terminal 10B.

  Here, in the database 20b of the personal information management server 20, the same quarantine table 20b-1 as the quarantine table 10c to be provided to the first client terminal 10A and the determination by the first personal information exploration means 11 of the first client terminal 10 are performed. A P mark table 20b-2 for holding a result (P mark) and a determination result (P mark) by the second personal information searching means 204 and a file information storage means 20b-3 to be described later are provided.

  The file information storage unit 20b-3 stores the latest file information sucked from the second client terminal 10B by the collecting unit 203 at the time of the first search or the periodic search, and finally stores the personal information file by the second personal information search unit 204. The information is stored as information regarding the file in the second client terminal 10B at the time when the periodic search is performed. Here, the file information is information regarding all files in the second client terminal 10B (storage unit 10b), specifically, file creation / update date / time, file size, and file name, as described above.

  The difference extraction unit 205 performs the periodic search for the latest information (latest file information) regarding the file in the second client terminal 10B and the information stored in the file information storage unit 20b-3 (finally the personal information file during the periodic search). The file added and changed between the time when the personal information file was last searched and the current time as a difference file, the network 40, the transmission / reception means 410, and the collection The information is periodically extracted from the second client terminal 10B via the means 203.

  The second control means 206 makes the second personal information search means 204 first (when the personal information management system 1 is started up / when the second client terminal 10B is newly connected) in the procedure described later with reference to FIG. The personal information file search is executed once for all data in the storage unit 10b of the second client terminal 10B, and then the personal information search is performed at the regular search timing as described later with reference to FIG. The program is started, and the second personal information searching unit 204 is caused to execute a periodic search for determining whether or not the difference file extracted by the difference extracting unit 205 is a personal information file.

  The management console 207 sets and manages personal information file determination conditions (the quarantine tables 10c and 20b-1, the predetermined threshold necessary for determining the personal information file and the P mark, and the like). In the quarantine tables 10c and 20b-1, the above-described telephone number determination conditions, e-mail address determination conditions, address determination conditions, character determination conditions (the predetermined range) and inappropriate characters / unsuitable character strings are set.

  The personal information management means 208 manages personal information files in each client terminal 10 (10A, 10B) based on the search results collected by the collection means 203 and stored in the database 20b. An electronic file determined as a personal information file in 204 (an electronic file with a P mark; hereinafter referred to as a personal information file) is a management target.

  This personal information management means 208 gives attention information to the user (holder) of the personal information file according to the judgment value (or P mark) of the personal information file registered in the P mark table 20b-2 of the database 20b. / Notify alert information, forcibly capture / collect personal information file from client terminal 10 storing the personal information file, or output personal information file from client terminal 10 to the outside Is forcibly prohibited, the personal information file is stored in a folder (not shown) accessible only to the administrator, or the file access management server 30 manages access to the personal information file.

  For example, when the rank of the P mark is “P1”, the recommendation by the warning information is not performed, but the fact that the personal information file of “P1” exists is recorded as a log. When the rank of the P mark is “P2”, notice information in a pop-up display is notified in order to call attention to the user of the personal information file. When the rank of the P mark is “P3”, the system administrator is notified by e-mail as warning information that there is a user storing the personal information file, and the personal information file is returned. To the user. When the rank of the P mark is “P4”, the personal information file is forcibly captured / collected from the client terminal 10 and the personal information file is forcibly prohibited from being output from the client terminal 10 to the outside. The personal information file is stored in a folder accessible only to the administrator, or the file access management server 30 manages the access to the personal information file. Even if the P mark rank is not “P4”, if the personal information file of “P3” is left for a predetermined number of days, the rank of the P mark is “P4” for the personal information file. You may make it perform the treatment similar to the case.

Further, the personal information management means 208 has a function of searching the personal information file stored in each client terminal 10 or the database 20b with various accuracy, and a function of causing the display control means 26 to display the search result on the display unit 20c. have.
The display control unit 209 controls the display state of the display unit 20c so that various types of information are displayed on the display unit 20c. The transmission / reception unit 210 transmits various types of information to and from each client terminal 10 via the network 40. Send and receive.

  The digital signature unit 211 gives a digital signature to the personal information file searched by the first personal information search unit 11 or the second personal information search unit 204. Here, the digital signature is encrypted signature information attached to guarantee the authenticity of the digital document, and proves the creator of the digital document (here, the personal information file) by applying public key cryptography. And that the document has not been tampered with. The signer (administrator on the personal information management server 20 side) adds a signature encrypted with his / her private key to the digital document and sends it. The recipient (the user on the client terminal 10 side) decrypts the signature using the signer's public key and confirms whether the content is correct. As a result, it can be used not only to prevent forgery by a third party but also to prove that the signer has created the digital document.

  The personal information file of the first client terminal 10A is transmitted from the first client terminal 10A to the personal information management server 20 via the network 40, and after the digital signature is given by the digital signature means 211, the first client terminal 10A The original personal information file returned to 10A and not given a digital signature is deleted. Also, the personal information file of the second client terminal 10B is given a digital signature by the digital signature means 211 after determination on the personal information management server 20 side, and then returned to the second client terminal 10B, and is given a digital signature. The original personal information file that does not exist will be deleted.

[1-5] Functional Configuration of File Access Management Server of this Embodiment FIG. 6 is a block diagram showing the functional configuration of the file access management server 30 of this embodiment. As shown in FIG. The access management server 30 manages, for example, a personal information file (a personal information file whose P mark rank is “P4”) instructed from the personal information management server 20 (personal information management means 208). As will be described later, a CPU 30a that executes processing and a storage unit 30b that stores an encryption key, a decryption key, and the like are provided. Here, the personal information file whose P mark rank is “P4” is a management target. However, regardless of the P mark rank, all of the personal information search means 11 and 204 determined to be personal information files. The electronic file may be managed by the file access management server 30.

  The CPU 30a functions as a transmission / reception unit 31, a conversion unit 32, an encryption unit 33, and a determination unit 34, which will be described later. These functions are realized by the CPU 30a executing a program for a file access management server. Is done. Further, as will be described later, the storage unit 30b has an encryption key for encrypting the personal information file, a decryption key for decrypting the encrypted personal information file, and an access to the encrypted personal information file. Stores authority (to be described later) and user ID / password of a pre-registered user [registrant (employee) who is permitted to view encrypted files], and is configured by a hard disk or RAM, for example. .

The transmission / reception means 31 is realized by a communication function originally possessed by the file access management server 30, and includes a personal information file reception means 31a, an encrypted file transmission means 31b, an authentication information reception means 31c and a decryption which will be described later. It functions as the key transmission means 31d.
The personal information file receiving means 31 a receives a personal information file to be managed from the personal information management server 20 via the network 30.

  The conversion unit 32 converts the personal information file to be managed received by the personal information file receiving unit 31a into a completed document file such as a PDF (Portable Document Format) file that is difficult to falsify. The conversion means 32 is realized by, for example, a PDF driver. By starting the PDF driver, the personal information file is converted to PDF, and a PDF file as a completed document file is generated.

The encryption unit 33 encrypts the PDF file obtained by the conversion unit 32 using a predetermined encryption key.
The encrypted file transmission unit 31 b transmits a file encrypted (keyed) by the encryption unit 33 (hereinafter referred to as an encrypted file) to the personal information management server 20 via the network 40.

  In the management by the file access management server 30, the user has various access authorities (permissions such as viewing, printing, copying, etc.) for each encrypted file depending on the policy setting at the time of encryption by the encryption means 33 as described above. Set for each encrypted file. At that time, one type of policy is set in order to simplify the system operation, and the access right at each client terminal 10 for all encrypted files is determined by the policy setting [for example, all the in-houses where the system 1 is installed. As the access authority of all employees / all users (all registered users registered in the file access management server 30), only the viewing authority is set / granted automatically (forced), and access other than browsing, such as printing, It may be possible to prevent access such as copying, saving as another name, and screen capture (screen shot).

  The authentication information receiving unit 31c receives the authentication information transmitted from the client terminal 10 or the personal information management server 20 via the network 40 when the client terminal 10 or the personal information management server 20 accesses the encrypted file. . Here, the authentication information is a file access indicating that the user of the client terminal 10 or the personal information management server 20 who is trying to open the encrypted file is a valid transmission destination (user / registrant) of the encrypted file. This information is necessary for the determination and authentication by the management server 30 and includes the user ID and password registered in advance in the file access management server 30 (storage unit 30b) for the user of the service by the file access management server 30. Yes. These user ID and password are input by the user operating the keyboard and mouse when opening the encrypted file.

  The determination unit 34 determines whether the client terminal 10 / personal information management server 20 that has transmitted the authentication information is a valid transmission destination of the encrypted file, based on the authentication information received by the authentication information reception unit 31c. In practice, it is determined whether or not the user ID and password input by the user match the user ID and password registered and stored in the storage unit 30b of the file access management server 30 in advance. Thus, it is determined and authenticated whether or not the user is a valid registrant.

The decryption key transmitting means 31d reads out the decryption key for decrypting the encrypted file from the storage unit 30b when the determination means 34 authenticates that the user is a valid registrant, and the client terminal 10 or This is transmitted to the personal information management server 20 via the network 40.
When the client terminal 10 or the personal information management server 20 receives the decryption key from the file access management server 30, the decryption key is decrypted using the decryption key to restore the original personal information file. Access (for example, browsing) according to the given access authority is performed on the personal information file thus provided.

[2] Operation of Personal Information Management System of the Present Embodiment Next, the operation of the personal information management system 1 of the present embodiment configured as described above will be described with reference to FIGS.
[2-1] Operation of Personal Information Searching Means In the personal information searching means 11 and 204 of the present embodiment, the frequency of appearance of the telephone number, e-mail address, address and name is quantified as follows, and the personal information file Is being identified and explored. At that time, when the character section cut out by the cutting means 112 includes an inappropriate character / unsuitable character string preset as a character / character string that cannot appear in the personal information, the character section is As a character / character string that cannot be seen in the personal information in advance in the character section cut out by the cutting means 112, it is excluded because it is regarded as not corresponding to the personal information element (name in this embodiment). If the specified inappropriate character / inappropriate character string is not included, the character section is regarded as corresponding to the personal information element constituting the personal information, that is, the personal information element appears. , Count up the number of appearances.

  In the first client terminal 10A or the personal information management server 20 of the present embodiment, a series of procedures for the first personal information file search operation executed by the personal information search means 11 and 204 (personal information search program) described above are performed. A description will be given according to the flowchart (steps S102 to S118) shown in FIG.

  When constructing the personal information management system 1 of the present embodiment, first, a personal information management server program is installed in a computer that should function as the personal information management server 20, and the computer executes the personal information management server program. As a result, the personal information management server 20 functions. When starting the search / management of the personal information file, the personal information management server 20 uses the personal information management server 20 to refer to FIG. 10 (steps S402, S403, S411) and to request the residence of the personal information search program as described later. A personal information search program is installed on the terminal 10 via the network 40. By executing the personal information search program installed in this way by the CPU 10a of the first client terminal 10A, the CPU 10a allows the personal information search means 11, the detection means 12, the first control means 13, the access monitoring means 14, and the transmission / reception means 15 to be transmitted. Serves as a function. When installing the personal information search program, the quarantine table 10c is also transmitted. The personal information search program is included in advance in the personal information management server program. The personal information search program is installed in the client terminal 10 and the personal information search program is executed by the personal information management server 20. As a result, the CPU 20a of the personal information management server 20 functions as the second personal information search means 204.

  7 shows the first personal information search unit 11 in the first client terminal 10A when the personal information management system 1 is started up / when the personal information search program is installed / when the first client terminal 10A is newly connected. In the personal information management server 20, the personal information management server 20 searches for the second personal information search when the personal information management system 1 is started up or when the second client terminal 10B is newly connected. The procedure of the search operation of the first personal information file executed by the means 204 is shown.

  An electronic file that has not yet been determined is selected as a determination target file from all data of the client terminal 10 and read out (step S102), and extraction means (text extraction engine) is extracted from the determination target file. Text data is extracted by 111 (step S103).

  From the text extracted in this way, the character section delimited by the delimiter described above is extracted by the extraction means 112 and sequentially written in a buffer (not shown) as a determination target / collation target (step S104). When cutting out a character section, as described above, the cutting means 112 removes symbols other than alphanumeric characters, katakana, hiragana, kanji characters, such as hyphens, underbars, and parenthesis symbols, from the character section. .

  Whether or not the character string (hereinafter simply referred to as a character string) in the character section from which the symbol character has been removed by the cutting means 112 corresponds to any one of a telephone number, an e-mail address, and an address. Are sequentially determined by the telephone number determination means 113a, the e-mail address determination means 113b, and the address determination means 113c (steps S105, S107, S109).

  First, the telephone number determination means 113a determines whether or not the character string corresponds to a telephone number (step S105). At that time, if the character string satisfies the telephone number determination condition set in the quarantine table 10c, that is, if the character string includes 9 to 15 digits, the character string is converted to the telephone number. (YES route in step S105), the fact is notified to the second determination means 116, and the second determination means 116 increments the count value corresponding to the number of appearances of the telephone number by one. (Step S106), the process proceeds to Step S114.

  If it is determined that the character string does not correspond to a telephone number (NO route of step S105), the e-mail address determination means 113b determines whether or not the character string corresponds to a telephone mail address (step S107). ). At that time, if the character string satisfies the e-mail address determination condition set in the quarantine table 10c, that is, “one or more ASCII” + “@” + “one or more ASCII” + If the character string “.” + “ASCII of one or more characters” is included, it is determined that the character string corresponds to the e-mail address (YES route in step S107), and that is the second determination means. 116, the second determination means 116 increments the count value corresponding to the number of appearances of the e-mail address by 1 (step S108), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an e-mail address (NO route in step S107), the address determination unit 113c determines whether the character string corresponds to an address (location) (step S109). ). At that time, if the character string satisfies the address determination condition set in the quarantine table 10c, that is, “one or more double-byte characters” + “city” or “city” or “county” + If a character string that is “one or more double-byte characters” is included, it is determined that the character string corresponds to an address (YES route of step S109), and that is notified to the second determination means 116, In this second determination means 116, the count value corresponding to the number of appearances of the address (residence) is incremented by 1 (step S110), and the process proceeds to step S114.

  When it is determined that the character string does not correspond to an address (NO route in step S109), that is, the first determination unit 113 determines that the character string does not correspond to any of a telephone number, an e-mail address, and an address. If the character determination unit 114 determines that the character string satisfies the character determination condition (the number of characters is 1 or more and 6 or less and all characters are kanji characters) set in the quarantine table 10c. Determination is made (step S111). When this character determination condition is not satisfied (NO route in step S111), the process proceeds to step S114.

  On the other hand, if this character determination condition is satisfied (YES route in step S111), the collation means 115 determines whether or not there is a character / character string included in the character section (the character string) and the name set in the quarantine table 10c. The appropriate character / inappropriate character string is collated, and it is determined whether or not the character section includes an inappropriate character / inappropriate character string (step S112). If there is at least one character / character string that matches the inappropriate character / inappropriate character string in the character section (YES route in step S112), matching with the inappropriate character / inappropriate character string at that time The process is immediately terminated, and the process proceeds to step S114.

  If the character section does not include an inappropriate character / unsuitable character string (NO route in step S112), the result of the collation determination is notified to the second determination means 116. In the second determination means 116, The character section is considered to correspond to the name, and the count value corresponding to the number of appearances of the name is incremented by 1 (step S113), and the process proceeds to step S114.

  In step S114, it is determined whether or not there is a character section that has not yet been extracted from the text data extracted from the determination target file. If there is a character segment (YES route), the process returns to step S104, and the same processing as described above (steps S104 to S104). S113) is repeatedly executed. In this way, when all character sections are cut out from the text data and the determination processing, collation processing, counting processing, etc. for all character sections are completed (NO route in step S114), the second determination means 116 uses the telephone number, electronic Based on the count values for each of the mail address, address, and name, the above-described determination value is calculated (step S115).

  Then, the second determination means 116 determines whether or not the determination target file is a personal information file based on the determination value calculated in step S115, and ranks the P mark. (In the present embodiment, four of "P1" to "P4") are performed (step S116).

  Thereafter, it is determined whether or not the personal information has been searched for all the electronic files in the client terminal (step S117). If there are still unsearched electronic files (NO route of step S117), the process returns to step S102. When the same processing as described above is executed, but all the electronic files have been searched (YES route in step S117), the personal information file determination result and the P mark ranking result in step S116 are P mark. It is registered in the table 10d or 20b-2, transmitted to the personal information management server 20 via the transmission / reception means 16 and the network 40, and registered and stored in the database 20b by the collection means 203 in the personal information management server 20 (step S118). ). Further, the determination result and the like of the second client terminal 10B are registered and stored in the database 20b from the second personal information searching means 204 (step S118). After completing the process in step S118, the personal information file search operation is terminated.

[2-2] Operation of First Client Terminal (Personal Information Search Program Resident Terminal) Next, the operation of the first client terminal 10A will be described according to the flowchart (steps S21 to S26) shown in FIG. More specifically, here, a real-time search operation and an access monitoring operation executed by the first client terminal 10A after the first search for the personal information file described above will be described with reference to FIG.

In the first client terminal 10A, the detection unit 12 monitors changes to an electronic file already stored in the storage unit 10b and addition of a new electronic file to the storage unit 10b (step S21). When an addition / change is detected (YES route in step S21), the personal information search program is immediately started by the first control means 13 each time (step S22), and the first personal information search means 11 adds / changes. The determination process in steps S103 to S116 in FIG. 7 is executed with the determined file as the determination target file (step S23). This will realtime exploration judges added or modified file whether the personal information file is executed, the determination result is notified to the personal information management server 20 (step S24).

  In the first client terminal 10A, the personal information file (that is, the electronic file given the P mark / the electronic file determined to be a personal information file by the first personal information searching means 11) by the access monitoring means 14 is used. Is monitored (step S25), and access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs (NO route in step S21 to YES route in step S25), to that effect Is written as log information, transmitted to the personal information management server 20 via the transmission / reception means 15 and the network 40 (step S26), and registered and stored in the database 20b by the collection means 203 in the personal information management server 20. .

[2-3] Operation of Second Client Terminal (Personal Information Search Program Non-Resident Terminal) Next, the operation of the second client terminal 10B will be described according to the flowchart (steps S31 to S36) shown in FIG. More specifically, the file / file information transmission operation and the access monitoring operation executed by the second client terminal 10B after the first personal information file search described above will be described with reference to FIG.

  In the second client terminal 10B, the file information transmission request from the personal information management server 20 is monitored by the transmission / reception means 15 (step S31). When the file information transmission request is received (YES route in step S31), the file directory , The latest file information (for example, file creation / update date / time, file size, file name) of all files is transmitted to the personal information management server 20 via the transmission / reception means 15 and the network 40 (step S32).

  Further, in the second client terminal 10B, the transmission / reception means 15 monitors the transmission request for the differential file from the personal information management server 20 during the periodic search (step S33), and when the file transmission request is received (step S31). The difference file corresponding to the transmission request is read from the storage unit 10b and transmitted to the personal information management server 20 via the transmission / reception means 15 and the network 40 (step S34). .

  Further, in the second client terminal 10B, as in the first client terminal 10A, the access monitoring means 14 makes the personal information file (that is, the second personal information search means of the electronic file / personal information management server 20 to which the P mark is given). The electronic file determined to be a personal information file by 204 is monitored (step S35), and access to the personal information file (for example, data change by renaming, copying, erasing, moving, etc.) occurs (step S35). From the NO route of S33 to the YES route of step S35), the fact is written out as log information and transmitted to the personal information management server 20 via the transmission / reception means 15 and the network 40 (step S36). In the database by the collecting means 203. It is registered and stored in the 20b.

[2-4] Operation of Personal Information Management Server Next, the operation of the personal information management server 20 will be described according to the flowchart shown in FIG. 10 (steps S401 to S428) and the flowchart shown in FIG. 11 (steps S501 to S511).
When the personal information management server 20 starts up the personal information management system 1 or recognizes a new connection of the client terminal 10 to the network 40 (YES route in step S401), the client information collection unit 201 causes the network 40 to Client information is collected from the client terminals 10 that are communicably connected to each other (step S402).

  The presence or absence of the client terminal 10 that has issued the installation request for the personal information search program is recognized from the collected client information (step S403), and there is no client terminal 10 that has issued the installation request (NO in step S403). Route), all files in the storage unit 10b of the second client terminal 10B from one of the second client terminals 10B not installed with the personal information search program via the network 40, the transmission / reception means 210 and the collection means 203 The received file is received together with the latest file information in the second client terminal 10B (step S404).

  Thereafter, the first personal information file search for all the files of the second client terminal 10B is executed according to the procedure of steps S102 to S117 shown in FIG. 7 (step S405), and the determination result and P mark obtained thereby. Are registered and stored in the database 20b from the second personal information searching means 204 (steps S406 and S117). At this time, the latest file information transmitted from the second client terminal 10B is registered and stored in the file information storage unit 20b-3 of the database 20b as file information at the time of the last periodic search (step S407).

  Then, it is determined whether or not the first exploration has been completed for all the second client terminals 10B (step S408). If there is still an unexplored second client terminal 10B (NO route in step S408), the process proceeds to step S404. Returning, the same processing as described above is executed, but when the first search for all the second client terminals 10B is completed (YES route in step S408), the search result registered and stored in the database 20b [here, the P mark level ( In accordance with (Rank)], the personal information management means 208 manages and operates each personal information file (step S409). Details of management and operation by the personal information management means 208 will be described later with reference to FIG.

  On the other hand, if there is a client terminal 10 that has issued an installation request (YES route in step S403), the personal information search program is installed on the client terminal 10 via the network 40 by the installation unit 202 (step S403). S410). When the personal information search program is installed, the presence or absence of the client terminal 10 (that is, the second client terminal 10B) that has not issued the installation request for the personal information search program is recognized (step S411), and the second client terminal 10B exists. (YES route of step S411), the same process as the above-described steps S404 to S408 is executed, and the first search for the second client terminal 10B is executed (step S412).

  When the second client terminal 10B does not exist (NO route of step S411), or after the initial search in step S412 is completed, the personal information search program is executed in the first client terminal 10A in which the personal information search program is installed. The result of the initial search of the personal information file (link destination information of personal information file, determination value, P mark, etc.) received and collected by the collecting means 203 via the network 40 and the transmitting / receiving means 210, Waiting to be registered / saved in the database 20b (step S413), and when the first search result of the first client terminal 10A is obtained (YES route in step S413), the search result registered / saved in the database 20b is used. Personal information management means 208 More, management and operation for each personal information file as described later is performed (step S409).

  When the personal information management server 20 recognizes that the real-time search result has been received from the first client terminal 10A (NO route in step S401 to YES route in step S414), the real-time search result registered and stored in the database 20b. In response to this, the personal information management means 208 manages / operates each personal information file as described later (step S409).

  Furthermore, when the personal information management server 20 recognizes the timing for executing the periodic search for the second client terminal 10B (from the NO route in step S414 to the YES route in step S415), the personal information management server 20 A file information transmission request is issued so as to transmit the latest file information, and the latest file information about all the files in the second client terminal 10B (from the second client terminal 10B via the network 40, transmission / reception means 210 and collection means 203) ( File creation / update date / time, file size, file name) are acquired (step S416).

  Then, the latest file information acquired in step S416 by the difference extraction unit 205 and the previous (finally) personal information file at the time of periodic exploration are stored in the file information storage unit 20b-3. The file information about the second client terminal 10B is compared, and it is determined whether or not the file creation / update date / time, file size, and file name have changed (step S417). As a result, files with these information newly added, files with at least some of these information changed, that is, additions / changes between the last periodic search of personal information files and the present This file is recognized as a difference file (step S418).

  When it is recognized that the difference file exists (YES route in step S418), a file transmission request is issued to the second client terminal 10B so as to transmit the added / changed file (difference file). A difference file is received / extracted from the second client terminal 10B via the network 40, the transmission / reception means 210 and the collection means 203 (step S419).

  Thereafter, the personal information search program is started by the second control means 206 (step S420), and the determination process in steps 103 to S116 in FIG. 7 is executed by the second personal information search means 204 using the difference file as a determination target file. (Step S421). Thereby, the periodic search for determining whether or not the difference file is a personal information file is executed, and the determination result (periodic search result) is registered and stored in the database 20b (step S422).

At this time, the latest file information acquired in step S416 is registered and stored in the file information storage unit 20b-3 of the database 20b as file information at the time when the personal information file was last searched regularly (step S416). S423).
Then, according to the periodic search result registered / saved in the database 20b, the personal information management means 208 manages / operates each personal information file as described later (step S409).

  On the other hand, when the personal information management server 20 receives a request for installing a personal information search program from the second client terminal 10B already connected to the network 40 (from the NO route in step S415 to the YES route in step S424), 2 The personal information search program is installed on the client terminal 10B by the installation unit 202 via the network 40 (step S425).

  As a result, the personal information search program resides in the second client terminal 10B, and will be treated as the first client terminal 10A thereafter. At this time, the P mark table 20b-2 corresponding to the first client terminal 10A stored in the database 20b is transferred to the first client terminal 10A as the P mark table 10d (step S426).

  Further, when the personal information management server 20 receives the access log information (log information notified in step S25 in FIG. 8 or step S36 in FIG. 9) from the client terminal 10 (from the NO route in step S424 to the YES route in step S427). The access log information is recorded / saved in the database 20b (step S428).

Next, the management / operation for each personal information file performed by the personal information management unit 208 in step S409 will be described with reference to FIG.
The personal information management means 208 refers to the initial search result, the real-time search result, and the periodic search result (P mark table 20b-2) in the database 20b, and determines whether or not there is a personal information file (file with a P mark). (Step S501).

  If a personal information file exists (YES route in step S501), a digital signature is given to the personal information file by the digital signature giving means 211 (step S502), and then the personal information file search result [in this case P In accordance with the mark level (rank)], the personal information management means 208 manages / operates each personal information file as follows (steps S503 to S511).

  First, it is determined whether or not there is a personal information file of P mark level “P1” (step S503). If there is a personal information file of P mark level “P1” (YES route of step S503), access monitoring of the personal information file is performed. It is set and registered as a target (access log recording target) (step S504).

  When there is no personal information file of P mark level “P1” (NO route of step S503), or after registration in step S504, it is determined whether or not there is a personal information file of P mark level “P2” (step S505). If there is a personal information file of P mark level “P2” (YES route in step S505), the personal information file is set and registered as an access monitoring target, and the user of the personal information file is cautioned. Attention information by pop-up display is notified (step S506).

  When there is no personal information file of P mark level “P2” (NO route of step S505), or after the notice information is notified in step S506, it is determined whether or not there is a personal information file of P mark level “P3” (step S507). ) If there is a personal information file of P mark level “P3” (YES route in step S507), the personal information file is set and registered as an access monitoring target, and the user who stores the personal information file The fact that it exists is notified to the system administrator by e-mail or the like as warning information, and the user is instructed to return the personal information file (step S508).

  If there is no personal information file of P mark level “P3” (NO route of step S507), or after issuing an alarm information notification and a return instruction in step S508, whether there is a personal information file of P mark level “P4”. If there is a personal information file of P mark level “P4” (YES route in step S509), the personal information file is forcibly captured and collected from the client terminal 10 (step S510). Then, the personal information file is placed under the management of the file access management server 30, and the file access management server 30 manages access to the personal information file (step S511). If there is no personal information file with the P mark level “P4” (NO route in step S509), or after the process in step S511 ends, the process ends.

  As described above, with respect to the personal information file of the P mark level “P4”, the personal information file is forcibly prohibited from being output from the client terminal 10 to the outside, or only the administrator can It may be stored in an accessible folder. Further, when a personal information file having a P mark level “P3” is left for a predetermined number of days, the same processing as that for a personal information file having a P mark level “P4” may be executed. Furthermore, all of the personal information files of the P mark levels “P1” to “P4” may be placed under the management of the file access management server 30.

[2-5] Operation of File Access Management Server Next, the operation of the file access management server 30 will be described with reference to FIGS.
First, the file conversion operation by the file access management server 30 of this embodiment will be described with reference to the flowchart shown in FIG. 12 (steps S61 to S64).

  In the file access management server 30, a personal information file (electronic file to be managed) instructed to be placed under the management of the file access management server 30 is sent from the personal information management server 20 (personal information management means 208) via the network 40. When the personal information file is received by the personal information file receiving means 31a (YES route of step S61), the personal information file is converted into a PDF file by the converting means 32 (step S62), and further, the encryption means 33 performs a predetermined encryption. Encryption processing (keying processing) is performed using the key (step S63). Then, the encrypted file is transmitted to the personal information management server 20 via the network 40 by the encrypted file transmitting means 31b (step S64).

Next, an authentication operation by the file access management server 30 according to the present embodiment will be described with reference to the flowchart shown in FIG. 13 (steps S71 to S75).
When the user of the client terminal 10 or the user (administrator) of the personal information management server 20 tries to view the contents of the encrypted file, the authentication information is input by the user and transmitted to the file access management server 30. The When the authentication information is received by the authentication information receiving unit 31c via the network 40 (YES route in step S71), the determination unit 34 searches the storage unit 30b with the user ID included in the authentication information, and the user The registration password corresponding to the ID is read from the storage unit 30b, the password included in the authentication information is compared with the registration password read from the storage unit 30b, and it is determined whether or not these passwords match (client authentication) Step S72) is performed.

  When these passwords match and it is authenticated that the user of the client terminal 10 or the personal information management server 20 is a valid registrant (legal transmission destination) (YES route in step S73), the decryption key transmission means By 31d, a decryption key for decrypting the encrypted file is read from the storage unit 30b and transmitted to the client terminal 10 or the personal information management server 20 via the network 40 (step S74).

  When the client terminal 10 or the personal information management server 20 receives the decryption key, the encrypted file is decrypted using the decryption key to restore the original personal information file. , Access according to the access authority given in advance is executed. For example, when only the viewing authority is given as the access authority as described above, the user can browse the contents of the restored personal information file, but access other than browsing, for example, print output by a printer, Access to copy to other recording media, screen copy (screen capture), and alias saving is not possible at all.

  On the other hand, if the determination unit 34 of the file access management server 30 determines that the passwords do not match, or if the registered password corresponding to the user ID is not registered in the storage unit 30b, the user is authorized. The file access management server 30 notifies the client terminal 10 or the personal information management server 20 of an error via the network 40 (step S75). ).

[3] Effect of the Personal Information Management System of the Present Embodiment As described above, according to the personal information management system 1 as an embodiment of the present invention, the first client terminal 10A in which the personal information search program is resident is When the addition / change of a file is detected, a personal information search program is started and a real-time search is executed to determine whether the added / changed file is a personal information file. It is transmitted to the personal information management server 20. On the other hand, the file in the second client terminal 10B that does not have the personal information search program resident is managed by the personal information management server 20, and the latest information on the file in the second client terminal 10B and finally the periodic search of the personal information file. The difference with the information about the file at the time of performing is periodically monitored, and the file corresponding to the difference is extracted (sucked up) from the second client terminal 10B to the personal information management server 20 side and the periodic search is executed. Then, the personal information management server 20 determines whether or not the sucked-up file is a personal information file.

Thus, the personal information file in the terminal 10A resident in the personal information search program and the personal information file in the terminal 10B non-resident in the personal information search program are automatically searched and managed by the personal information management server 20. It becomes possible to put.
At that time, first, the personal information search program resident terminal 10A performs the search of the personal information file only once for all the data, and the personal information management server 20 performs the network for the non-resident personal information search program terminal 10B. If the search of the personal information file is executed only once for all data via 40, after that, only the search (determination) for the added or changed file or the difference file is performed as described above. Thus, the personal information file newly created and added in each terminal 10 can be searched extremely efficiently and reliably without searching for all data every time.

  Therefore, it is possible to ensure personal information files (electronic files that are likely to be personal information files) that exist in a distributed manner, for example, within a company, without obtaining human cooperation and without placing a special burden on the person in charge. Can be explored and managed. Accordingly, it is an object of the present invention to make it possible to reliably respond to requests for disclosure and correction of personal information and to reliably prevent inadvertent leakage and leakage of personal information and unauthorized use of personal information.

  At this time, at least file creation / update date / time, file size, and file name can be used as file information for extracting the difference file in the second client terminal 10B. By simply recognizing the addition, the difference file can be recognized and extracted very easily.

  Further, the personal information management server 20 is configured to install the personal information search program in response to a request from the user of the client terminal 10 to the client terminal 10 connected to the network 40, so that the client terminal 10 Every 10th, the user can select and set the resident / non-resident personal information exploration program, so the user can make the personal information exploration program non-resident for reasons such as memory capacity and compatibility with other programs. When requested, it is possible to meet the request and the convenience is enhanced. The terminal for which non-resident is selected / set is handled as the second client terminal 10B described above, and is subject to regular exploration by the personal information management server 20.

  Furthermore, by giving a digital signature to the personal information file searched in the personal information management system 1 of this embodiment, it can be ensured that the personal information file has not been tampered with, and counterfeiting by a third party can be ensured. Can be prevented.

  Further, the personal information file searched in the personal information management system 1 of the present embodiment corresponds to the personal information management server 20 (personal information management means 208) according to the P mark (rank / level) given to each personal information file. The personal information file is compulsorily captured and collected from the client terminal 10 (storage unit 10b), the collected personal information file is stored in a folder accessible only to the administrator, Forcibly prohibiting output from the client terminal 10 (storage unit 10b) to the outside, sending notice information / warning information to the user (owner) of the personal information file and the system administrator, and personal information It is possible to allow the file access management server 30 to manage access to the file, and inadvertent flow of personal information. Such as the unauthorized use of, loss and personal information can be more reliably prevented.

  Further, each client terminal 10 monitors an electronic file determined by the access monitoring unit 14 as a personal information file (in this embodiment, a file given a P mark) and accesses the electronic file (for example, renaming, If data changes due to copying, erasing, moving, etc.), the fact is transmitted as log information to the personal information management server 20 and registered and stored in the database 20b. Access to the file (operation / change history) is tracked and managed (tracked) by the personal information management server 20, and unauthorized use of personal information can be more reliably prevented.

  On the other hand, in the personal information management system 1 of the present embodiment, according to the personal information search function realized by executing the personal information search program by the computer (CPU 10a, 20a), the second determination means 116 uses the telephone number, Character sections that do not correspond to either an e-mail address or an address and contain inappropriate characters / inappropriate character strings are considered not to be related to personal information, but to either a phone number, e-mail address, or address. Character sections that do not apply and do not contain inappropriate characters / unsuitable character strings are considered to be related to names.

  Therefore, for the character section determined to correspond to any one of the telephone number, the e-mail address, and the address by the first determination means 113, the determination process is terminated when the determination is made, and the telephone number, the e-mail Only a character section determined not to correspond to either an address or an address is subjected to a matching process with an inappropriate character / unsuitable character string, and the matching unit 115 also includes one inappropriate character / unsuitable character string. However, when it is determined that it is included in the character section, the collation process can be terminated, so the name collation process is faster than the conventional method that collates with all name strings in the name list. In other words, the personal information file search process can be performed at high speed.

At this time, in the first determination unit 113, the determination process is performed at a higher speed by performing the determination process of the character string in the character section in order from the lighter determination process load, that is, in the order of the telephone number, the e-mail address, and the address. Can be executed efficiently.
In addition, since the second determination unit 116 regards all character sections that do not include inappropriate characters / unsuitable character strings as corresponding to names, electronic files that do not include inappropriate characters / unsuitable character strings for names, It is possible to reliably search for an electronic file that is likely to contain name information and is likely to be a personal information file. That is, the number of electronic files that are determined to be personal information files according to the present embodiment is larger than that of the conventional method, and an electronic file that is likely to be a personal information file (suspicious electronic file) is reliably identified. be able to.

  Furthermore, in this embodiment, the character determination means 114 determines whether the number of characters in the character section is 1 or more and 6 or less and all the characters in the character section are kanji characters, and the characters satisfying this character determination condition. Since only the section is a collation target by the collation means 115, the character section to be collated by the collation means 115 is narrowed down to a character section having a higher possibility of a name, and the collation accuracy of the name can be improved. At the same time, name verification processing can be performed at high speed. In addition, since a long character section having more than 6 characters is excluded from the collation target by the collation means 115, it contributes to further speeding up the name collating process, that is, further speeding up the personal information file search process. Become.

  The personal information management server 20 manages the determination target file and the personal information file according to the determination value (P mark) calculated for each determination target file by executing the above-described personal information search program. For each determination target file and personal information file, a management method corresponding to the determination value level (high possibility of being a personal information file / large number of personal information elements) can be selected and executed.

[4] Others The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the spirit of the present invention.
For example, in the above-described embodiment, the case where the personal information file is searched and managed has been described. However, the present invention also applies to the case where the confidential information (information with confidentiality obligation) is searched and managed in a company or the like. It is possible to obtain the same operational effects as in the above-described embodiment, and to reliably prevent inadvertent outflow / leakage of confidential information and unauthorized use of confidential information. In that case, as an inappropriate character or inappropriate character string, a character or a character string that cannot appear in the confidential information is set.

  In the above-described embodiment, the case where the personal information elements other than the name are the three elements of the telephone number, the e-mail address, and the address has been described. However, the present invention is not limited to this, and other than the name. As the personal information element, for example, date of birth, basic resident register number, account number, credit card number, license number, passport number, etc. may be used.

  Further, while the search (search for all electronic files stored in the storage unit 10b) by the personal information search means 11 and 204 of each client terminal 10 is not completed, the electronic files in the storage unit 10b of the client terminal 10 are not processed. Access (for example, data change by renaming, copying, erasing, moving, etc .; more specifically, output to an external recording medium, mail attachment, etc.) may be prohibited. In this case, the presence or absence of an electronic file determined to be a personal information file is confirmed, and the electronic file determined to be a personal information file is placed under the management of the personal information management server 20 (or file access management server 30). Up to this point, access to the electronic file in the storage unit 10b of the client terminal 10 is prohibited, so that it is possible to prevent the leakage and leakage of personal information more reliably.

  By the way, the functions as the first personal information search means 11, the detection means 12, the first control means 13, the access monitoring means 14 and the transmission / reception means 15 in the first client terminal 10A (all or a part of the functions of each means). ) Is realized by a computer (including a CPU, an information processing device, and various terminals) executing a predetermined application program (personal information search program) installed from the personal information management server 20 as described above.

  In the personal information management server 20, the client information collection means 201, installation means 202, collection means 203, second personal information search means 204, difference extraction means 205, second control means 206, management console 207, personal information As described above, the computer (including a CPU, an information processing device, and various terminals) functions as the management unit 208, the display control unit 209, the transmission / reception unit 210, and the digital signature unit 211 (all or part of the functions of each unit). This is realized by executing a predetermined application program (personal information management server program).

  The personal information management server program including the personal information search program is, for example, a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD-). (RW, DVD + R, DVD + RW, etc.) and the like are provided in a form recorded on a computer-readable recording medium. In this case, the computer reads the personal information management server program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. Further, the program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  Here, the computer is a concept including hardware and an OS (operating system), and means hardware operating under the control of the OS. Further, when the OS is unnecessary and the hardware is operated by the application program alone, the hardware itself corresponds to the computer. The hardware includes at least a microprocessor such as a CPU and means for reading a computer program recorded on a recording medium.

  The personal information search program and the application program as the personal information management server program are stored in the computer as described above, the personal information search means 11, the CPU usage rate monitoring means 12, the input / output monitoring means 13, the control means 14, and the access. Monitoring means 15, transmission / reception means 16, client information collection means 201, installation means 202, collection means 203, second personal information exploration means 204, difference extraction means 205, second control means 206, management console 207, personal information management means 208 , A program code for realizing the functions of the display control unit 209, the transmission / reception unit 210, and the digital signature unit 211. Some of the functions may be realized by the OS instead of the application program.

  Furthermore, as a recording medium in the present embodiment, in addition to the flexible disk, CD, DVD, magnetic disk, optical disk, and magneto-optical disk described above, an IC card, ROM cartridge, magnetic tape, punch card, computer internal storage device (RAM) In addition, various computer-readable media such as an external storage device or a printed matter on which a code such as a barcode is printed can be used.

It is a block diagram which shows the structure of the personal information management system as one Embodiment of this invention. It is a block diagram which shows the function structure of the 1st client terminal (personal information search program resident terminal) of this embodiment. It is a block diagram which shows the function structure of the 2nd client terminal (personal information search program resident non-terminal) of this embodiment. It is a block diagram which shows the detailed functional structure of the 1st personal information search means in the 1st client terminal of this embodiment. It is a block diagram which shows the function structure of the personal information management server of this embodiment. It is a block diagram which shows the function structure of the file access management server of this embodiment. It is a flowchart for demonstrating operation | movement of the personal information search means of this embodiment. It is a flowchart for demonstrating operation | movement of the 1st client terminal of this embodiment. It is a flowchart for demonstrating operation | movement of the 2nd client terminal of this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server of this embodiment. It is a flowchart for demonstrating operation | movement of the personal information management server of this embodiment. It is a flowchart for demonstrating the file conversion operation | movement by the file access management server of this embodiment. It is a flowchart for demonstrating the authentication operation | movement by the file access management server of this embodiment.

Explanation of symbols

1 Personal Information Management System 10 Client Terminal 10A First Client Terminal (Personal Information Search Program Resident Terminal)
10B Second client terminal (personal information exploration program non-resident terminal)
10a CPU
10b Storage unit 10c Quarantine table 10d P mark table 11 First personal information search means (search engine, text extraction engine)
DESCRIPTION OF SYMBOLS 111 Extraction means 112 Extraction means 113 1st determination means 113a Telephone number determination means 113b E-mail address determination means 113c Address determination means 114 Character determination means 115 Verification means 116 2nd determination means 12 Detection means 13 First control means 14 Access monitoring Means 15 Transmission / reception means (transmission means)
20 Personal information management server 20a CPU
20b Database 20b-1 Quarantine table 20b-2 P mark table 20b-3 File information storage unit 20c Display unit 201 Client information collection unit 202 Installation unit 203 Collection unit 204 Second personal information search unit (search engine, text extraction engine)
205 Difference extraction means 206 Second control means 207 Management console 208 Personal information management means 209 Display control means 210 Transmission / reception means 211 Digital signature means 30 File access management server 30a CPU
30b Storage unit 31 Transmission / reception means 31a Personal information file reception means 31b Encrypted file transmission means 31c Authentication information reception means 31d Decryption key transmission means 32 Conversion means 33 Encryption means 34 Determination means 40 Network (in-house LAN)

Claims (15)

Multiple client devices,
A plurality of client terminals are communicably connected to each other via a network, and a personal information management server that manages personal information files in the plurality of client terminals is provided.
The plurality of client terminals include a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident,
The first client terminal is
First personal information search means for searching for a personal information file by executing the personal information search program;
Detecting means for detecting addition / change of a file in the first client terminal;
When the addition / change of a file is detected by the detection means, the personal information search program is started, and real-time search is performed to determine whether the added / changed file is a personal information file. First control means to be executed by the information search means;
Transmitting means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the first personal information search means determines that the file is a personal information file; Composed,
The personal information management server
Second personal information search means for searching for a personal information file in the second client terminal via the network by executing the personal information search program;
File information for storing file creation / update date / time, file size, and file name as information related to the file in the second client terminal at the time when the personal information file was last searched by the second personal information search means Storage means;
The latest information on the file in the second client terminal is compared with the information stored in the file information storage means, and the file creation / update date, file size, and file name as the information are newly added. Add or change a file in which at least one of the file creation / update date / time, file size, and file name as the information has been changed, from the time when the personal information file was last searched until the present time Difference extraction means for periodically extracting from the second client terminal via the network as a difference file,
And a second control means for causing the second personal information search means to execute a periodic search for determining whether or not the difference file extracted by the difference extraction means is a personal information file. Characteristic personal information management system.   The first control means causes the first personal information search means to first search the personal information file for all data in the first client terminal and then execute the real-time search. The personal information management system according to claim 1.   The second control means causes the second personal information search means to first search the personal information file for all data in the second client terminal and then execute the periodic search. The personal information management system according to claim 1 or 2. The personal information management server
2. An installation means for installing the personal information search program in response to a request from a user of the client terminal to a client terminal connected to the network. The personal information management system according to any one of claims 3 to 4.   The personal information management server forcibly collects the personal information file from a client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The personal information management system according to any one of claims 1 to 4. Each of the plurality of client terminals
Access for monitoring the personal information file searched by the first personal information searching means or the second personal information searching means, and notifying the personal information management server when access to the personal information file occurs 6. The personal information management system according to claim 1, further comprising a monitoring unit. A file access management server connected to the personal information management server so as to be able to communicate with each other and managing access to the electronic file;
The personal information management server causes the file access management server to manage access to a personal information file searched by the first personal information search means or the second personal information search means. The personal information management system according to claim 6. The personal information exploration program is
In order for a computer to realize a function of determining whether a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual,
Extraction means for extracting text data included in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and the computer is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. The personal information management system according to any one of claims 1 to 7. Multiple client devices,
A plurality of client terminals are communicably connected to each other via a network, and a personal information management server that manages personal information files in the plurality of client terminals is provided.
The plurality of client terminals include a first client terminal in which a personal information search program for executing a search for a personal information file is resident, and a second client terminal in which the personal information search program is not resident,
The first client terminal is
First personal information search means for searching for a personal information file by executing the personal information search program;
Detecting means for detecting addition / change of a file in the first client terminal;
When the addition / change of a file is detected by the detection means, the personal information search program is started, and real-time search is performed to determine whether the added / changed file is a personal information file. First control means to be executed by the information search means;
Transmitting means for transmitting the determination result by the first personal information search means to the personal information management server via the network when the first personal information search means determines that the file is a personal information file; Composed,
The personal information management server
Second personal information search means for searching for a personal information file in the second client terminal via the network by executing the personal information search program;
File information storage means for storing information about the file in the second client terminal at the time when the personal information file was last searched by the second personal information search means;
The latest information on the file in the second client terminal is compared with the information stored in the file information storage means, and the personal information file was added or changed from the time when the personal information file was last searched until the present time. Differential extraction means for periodically extracting a file as a differential file from the second client terminal via the network;
Comprising a second control means for causing the second personal information exploration means to perform periodic exploration for determining whether or not the difference file extracted by the difference extraction means is a personal information file;
The personal information exploration program is
In order for a computer to realize a function of determining whether a determination target file is a personal information file having a predetermined number or more of personal information elements that can identify a specific individual,
Extraction means for extracting text data included in the determination target file;
Cutting means for cutting out character sections delimited by delimiters from the text data extracted by the extracting means;
By determining whether or not the character string in the character section cut by the cutting means satisfies any one of the preset telephone number determination condition, e-mail address determination condition, and address determination condition, First determination means for determining whether or not any one of a telephone number, an e-mail address, and an address, which is a personal information element other than a name,
Whether or not the number of characters in the character section determined not to correspond to any of the telephone number, the e-mail address, and the address by the first determination means is within a predetermined range, and whether or not the character in the character section is a Chinese character Character judging means for judging,
A character section that is determined by the character determining means to be within the predetermined range and to be a kanji character is a character or character string included in the character section and a kanji or kanji character string that is not set in advance in the name. Collating means for determining whether or not the character section includes the inappropriate character or the inappropriate character string by verifying the appropriate character or the inappropriate character string, and
The number of character sections determined to correspond to any one of a telephone number, an e-mail address, and an address by the first determination means and the inappropriate character or inappropriate character string is not included by the matching means. The number of character sections determined is counted, and the computer is caused to function as second determination means for determining whether the determination target file is a personal information file based on the count result. A personal information management system.   The first control means causes the first personal information search means to first search the personal information file for all data in the first client terminal and then execute the real-time search. The personal information management system according to claim 9.   The second control means causes the second personal information search means to first search the personal information file for all data in the second client terminal and then execute the periodic search. The personal information management system according to claim 9 or 10. The personal information management server
10. The apparatus according to claim 9, further comprising installation means for installing the personal information search program in response to a request from a user of the client terminal connected to the network. The personal information management system according to any one of claims 11 to 11.   The personal information management server forcibly collects the personal information file from a client terminal storing the personal information file searched by the first personal information searching means or the second personal information searching means. The personal information management system according to any one of claims 9 to 12. Each of the plurality of client terminals
Access for monitoring the personal information file searched by the first personal information searching means or the second personal information searching means, and notifying the personal information management server when access to the personal information file occurs The personal information management system according to claim 9, further comprising a monitoring unit. A file access management server connected to the personal information management server so as to be able to communicate with each other and managing access to the electronic file;
The personal information management server causes the file access management server to manage access to the personal information file searched by the first personal information search means or the second personal information search means. The personal information management system according to claim 14.

Images