JP6618093B2 - Information processing system, information processing method, and program - Google Patents

Description

  The present invention relates to an information processing system, an information processing method, and a program.

  Conventionally, methods such as PDS (Personal Data Service or Personal Data Store) are known.

  For example, an individual such as an employee first deposits personal data such as life log data of each person to a server that is an “information bank” via a network. When the individual consents, personal data is disclosed to a predetermined company. Next, when personal data is disclosed, for example, the company analyzes personal data, predicts a service according to each person's life stage, and provides information. A technique for constructing such a business model is known (see, for example, Non-Patent Document 1).

"Started demonstration experiment of information bank using personal data", [online], July 14, 2017, Fujitsu Limited, AEON Financial Service, Ltd., [December 22, 2017], Internet <URL : Http://pr.fujitsu.com/jp/news/2017/07/14.html>

  However, the conventional method is based on the premise that the data depositing company and the company using the data can be trusted not to use the data illegally. Therefore, in the conventional method, personal information or the like may be leaked to a person having an unauthorized purpose.

  In view of the above problems, an object of the present invention is to provide an information processing system, an information processing method, and a program for preventing personal information and the like from leaking to a person having an unauthorized purpose.

In view of the above problems, according to an embodiment of the present invention,
In an information processing system having an information processing terminal operated by a user, and a management device connected to the information processing terminal via a network and operated by an administrator different from the user,
The management device
A receiving unit that receives a request for use to publish, disclose, correct, or use the first data relating to the user from an external device;
When the request satisfies a preset condition, a permission unit that permits the request;
With the permission, a management unit that outputs the first data to the external device or enables access to the first data from the external device;
After the permission, monitoring the period during which the first data is used, and monitoring based on the position where the first data transmitted by the external device is used,
And,
A monitoring unit for indicating a monitoring result to the administrator;
A notification unit that notifies the information processing terminal that the first data has been used based on a setting when the external device makes a notification to use the first data based on the permission. Features.

  It is possible to provide an information processing system, an information processing method, and a program that prevent leakage of personal information or the like to a person having an unauthorized purpose.

1 is a schematic diagram illustrating an example of the overall configuration of an information processing system according to an embodiment of the present invention. It is a block diagram which shows the hardware structural example of the information processing apparatus which concerns on one Embodiment of this invention. It is a sequence diagram which shows the example of the whole process by the information processing system which concerns on one Embodiment of this invention. It is a functional block diagram which shows the function structural example of the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the example of whole structure of the information processing system of 2nd Embodiment which concerns on one Embodiment of this invention. It is a sequence diagram which shows the example of the whole process by the information processing system of 2nd Embodiment which concerns on one Embodiment of this invention. It is the schematic which shows the example of whole structure of the information processing system of 3rd Embodiment which concerns on one Embodiment of this invention. It is the schematic which shows the example of whole structure of the information processing system of 4th Embodiment which concerns on one Embodiment of this invention. It is the schematic which shows the 1st example of the notification in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 2nd example of the notification in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 1st example of the process by the management apparatus in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 2nd example of the process by the management apparatus in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 3rd example of the process by the management apparatus in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 4th example of the process by the management apparatus in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 1st example of the screen which shows the notification in the information processing system which concerns on one Embodiment of this invention. It is the schematic which shows the 2nd example of the screen which shows the notification in the information processing system which concerns on one Embodiment of this invention.

  Hereinafter, a specific example according to an embodiment of the present invention will be described with reference to the drawings.

<First Embodiment>
<Example of overall configuration>
FIG. 1 is a schematic diagram illustrating an example of the overall configuration of an information processing system according to an embodiment of the present invention. For example, the information processing system 10 is configured to include an information processing terminal 101 and a management apparatus 102 as illustrated. The information processing terminal 101 and the management apparatus 102 are connected via a network or the like, and can exchange data with each other by using the network or the like.

  As illustrated, the information processing terminal 101 is an information processing apparatus operated by a user UR. On the other hand, the management apparatus 102 is an information processing apparatus operated by the administrator ADM.

  The user UR is a so-called general person. On the other hand, the manager ADM is preferably a person or group that is skilled in managing information. For example, the administrator ADM is a lawyer or a lawyer office staff. Note that the administrator ADM is not limited to a lawyer, and may be a person skilled in information laws such as the Act on the Protection of Personal Information (Act No. 57 of May 30, 2003).

  The management apparatus 102 manages data related to the user UR (hereinafter referred to as “first data D1”). For example, the first data D1 is transmitted from the information processing terminal 101 via a network or the like.

  The first data D1 is, for example, personal information (“Personal Information” defined in Article 2, Paragraph 1 of the Act on the Protection of Personal Information (Act No. 57 of May 30, 2003)). Specifically, the first data D1 includes contact information such as address, bank account number, life insurance / non-life insurance, credit card number, points on various point cards (when called "miles", etc.) ), Accounting information, household account book information, information on owned vehicles, ID (Identification), password, personal number (so-called “My Number”), use of a number to identify a specific individual in administrative procedures Law (May 31, 2013 Law No. 27), etc. “Personal number” as defined in Article 2.5, etc.) or a combination thereof.

  In addition, the first data D1 may be data such as a so-called life log. Specifically, the first data D1 is data indicating physical information such as respiration, heart rate, number of steps, or a combination thereof.

  Further, the first data D1 may be medical data or the like. Furthermore, the first data D1 may be a meal record or position data. Such data is obtained, for example, by the user UR individually acquiring or recording data.

  The first data D1 may be image data indicating a photograph or the like. In this case, the first data D1 may further include data such as Exif (registered trademark) (Exchangeable image file format) information included in the image data and position data included in the image data.

  That is, the first data D1 may be data indicating information that can identify the user UR, personal circumstances or characteristics related to the user UR, and the like.

  Hereinafter, an example in which all the first data D1 is stored in the management apparatus 102 and is managed by the management apparatus 102 in a centralized manner will be described. Note that all or part of the first data D1 may be stored in another information processing apparatus, and the management apparatus 102 may manage the information processing apparatus that stores the first data D1.

  As shown in the figure, the first data D1 is received with permission, from a government office, utility bill operation, bank, credit sales company, airline, point card operator, insurance company, real estate company, cloud service provider, etc. Used for "businesses").

  For example, the first data D1 includes address registration in various documents, reservation of services, creation of contract documents, reservation of accommodation, reservation of transportation, purchase of various goods, sale of various goods, payment of fees, etc. , Used to receive charges or a combination of these. The first data D1 may be used for marketing or statistical processing. That is, using the first data D1, a company or the like performs various procedures or business activities.

  Hereinafter, as shown in the figure, an example in which there are a first trader C1, a second trader C2, a third trader C3, etc., which are companies or the like will be described. In this example, it is assumed that the first trader C1, the second trader C2, and the third trader C3 want to use the first data D1 to construct their respective databases. It should be noted that the range in which the company or the like can use the first data D1 is a permitted range. In this example, each database is assumed to be operated by the first external device 103, the second external device 104, and the third external device 105 that are operated by each database.

  In addition, the usage method of the 1st data D1 is not restricted to the form to show in figure. That is, a company or the like may have a plurality of databases and use the first data D1 by copying the respective databases. A company or the like may operate a plurality of external devices. Furthermore, a company or the like may jointly operate one database among a plurality of companies.

  Therefore, in this example, the first data D1 is disclosed, disclosed, corrected, used, or a combination thereof by the first external device 103, the second external device 104, the third external device 105, and the like. The use of the first data D1 includes a case where the first data D1 is used together with another person's data or the like or the data format is changed.

  Hereinafter, a configuration as illustrated will be described as an example. The information processing system 10 is not limited to the overall configuration illustrated. For example, the information processing system 10 may have an overall configuration that further includes an information processing apparatus.

<Hardware configuration example>
FIG. 2 is a block diagram illustrating a hardware configuration example of the information processing apparatus according to the embodiment of the present invention. For example, the information processing terminal 101, the management device 102, the first external device 103, the second external device 104, and the third external device 105 have the same hardware configuration. Hereinafter, the information processing terminal 101 will be described as an example, and description of the management device 102, the first external device 103, the second external device 104, and the third external device 105 will be omitted.

  For example, the information processing terminal 101 has a hardware configuration including a CPU (Central Processing Unit) 200, a communication device 201, an interface 202, a storage device 203, an input device 204, and an output device 205. .

  The CPU 200 is an example of an arithmetic device and a control device.

  The communication device 201 is a device that communicates with an external device in a wired or wireless manner. For example, the communication device 201 is a network card or the like.

  The interface 202 is a device that transmits / receives data to / from the outside. For example, the interface 202 is a connector or the like.

  The storage device 203 is, for example, a main storage device. Note that the storage device 203 may include an auxiliary storage device such as a hard disk.

  The input device 204 is a device that inputs a user operation. For example, the input device 204 is a keyboard, a mouse, or a combination thereof.

  The output device 205 is a device that outputs processing results and the like to the user. For example, the output device 205 is a display or the like.

  As illustrated, the information processing terminal 101, the management device 102, the first external device 103, the second external device 104, and the third external device 105 are, for example, a PC (Personal Computer), a server, a notebook PC, a smartphone, or these Such as a combination.

  Note that the hardware configuration is not limited to the illustrated configuration. For example, the information processing terminal 101, the management device 102, the first external device 103, the second external device 104, and the third external device 105 may have different hardware configurations. In addition, there may be a plurality of hardware configurations of each information processing apparatus outside or inside the information processing apparatus.

<Example of overall processing>
FIG. 3 is a sequence diagram showing an example of overall processing by the information processing system according to the embodiment of the present invention. First, the information processing system 10 performs “prior processing” before each processing of “operation” described later. The pre-processing is, for example, processing including step S01 described below. Note that the pre-processing only needs to be performed before the operation, and the pre-processing and the operation processing need not be performed continuously. Hereinafter, assuming that the first external device 103, the second external device 104, and the third external device 105 perform the same processing, the processing performed by the first external device 103 will be described as an example.

<Example of pre-processing>
<Example of Transmission of First Data> (Step S01)
In step S01, the information processing terminal 101 transmits the first data D1 to the management apparatus 102. Thereafter, the management apparatus 102 manages the first data D1. Therefore, the management device 102 is desirably a device that can protect data managed from so-called unauthorized access. That is, it is desirable that the management device 102 is a device with sufficient security. Therefore, it is difficult to illegally access the management apparatus 102, and it is difficult to use the first data D1 in the management apparatus 102 unless the administrator ADM inputs a password or the like to properly access the management apparatus 102. It is desirable. Therefore, since the first data D1 is managed by the management apparatus 102, it is possible to reduce leakage of personal information and the like from the first data D1 due to unauthorized access or the like.

  The first data D1 is not limited to once, and may be transmitted any number of times. For example, when life log data or the like is included in the first data D1, the first data D1 may be added or updated regularly or irregularly.

  In this way, the user UR can have a system in which his / her personal information is stored in the administrator ADM.

<Operation example>
<Example of Request for Use of First Data> (Step S02)
In step S <b> 02, the first external device 103 transmits a use request for the first data D <b> 1 to the management device 102. For example, the first external device 103 transmits a signal indicating a use request to the management device 102. The transmission format of the usage request may be another transmission format. The use request may be operated by a person.

<Use permission example> (step S03)
In step S03, the management apparatus 102 permits the first external apparatus 103 to use the first data D1. Specifically, when the administrator ADM receives the use request in step S02, the administrator ADM investigates what kind of company the first supplier C1 is. The survey method may take any form. Then, based on the investigation result, the administrator ADM determines whether or not the person who correctly handles the personal information of the user UR or the like. That is, if the first trader C1 is not a reliable person, there is a high possibility that the first data D1 will be used illegally or personal information will be leaked.

  As described above, when the administrator ADM can separately investigate and determine the information separately from the user UR, information such as personal information is difficult to leak. In addition, since the administrator ADM is an expert or the like, the manager ADM is often excellent in investigation ability and judgment ability. Therefore, if the configuration can be permitted by the administrator ADM or the like, personal information or the like can be protected from unauthorized use rather than the configuration permitted by the user UR.

  The permission may be conditioned. That is, use of the first data D1 may be permitted when a preset condition is satisfied.

  For example, it is assumed that the conditions can be set in advance by the user UR or the administrator ADM.

  Specifically, among the data included in the first data D1, the type of data permitted to be used may be specified. For example, it is assumed that the first data D1 includes “contact information” information and “bank account” information. Next, it is assumed that the use of “contact” is set to “permitted” and the use of “bank account” is set to “impossible” in the management apparatus 102 in advance. In the case of such a condition, if there is a request to use “contact” in step S02, the management apparatus 102 determines that the condition is satisfied and permits the use. On the other hand, if there is a use request for “bank account” in step S02, the management apparatus 102 determines that the condition is not satisfied and does not permit the use.

  In addition, the condition may specify a permitted partner. For example, first, it is assumed that the use is set to “permitted” for the “office” in the management apparatus 102 and the use is set to “impossible” for the “private enterprise”. In the case of such a condition, when there is a use request for “office” as the transmission source in step S02, the management apparatus 102 determines that the condition is satisfied and permits the use. On the other hand, if there is a use request of “private enterprise” in step S02, the management apparatus 102 determines that the condition is not satisfied and does not permit the use.

  In addition, the condition may specify whether the use is “paid” or “free”. Note that “paid” is a condition in which when the use is permitted, a predetermined fee is paid from the first vendor C1 to the user UR as a usage fee for the first data D1. On the other hand, “free of charge” is a condition in which the usage fee for the first data D1 is not paid to the user UR from the first vendor C1 when the use is permitted. The fee may be a consideration other than money, such as points.

  Therefore, for example, if the usage request is “paid”, the management apparatus 102 is preset to permit the use. In the case of such a condition, if there is a “paid” use request in step S02, the management apparatus 102 determines that the condition is satisfied and permits the use. On the other hand, if there is a “free” use request in step S02, the management apparatus 102 determines that the condition is not satisfied and does not permit the use.

  The conditions may be other than the above items. For example, the condition may specify whether to allow or not depending on the purpose to be used. The purpose is, for example, advertising or market research. In such a case, a condition may be set such that a request for advertising is not permitted. In this way, it is assumed that the item can be selected as the condition.

<Example of Transmission of First Data> (Step S04)
In step S04, the management apparatus 102 transmits the first data D1 to the first external apparatus 103. In other words, the first external device 103 can use the first data D1 after step S04. Therefore, when step S04 is performed, use of the first data D1 by the first trader C1 is started.

  The first data D1 may be in a usable state by step S04. Therefore, for example, when the first trader C1 only has to browse the first data D1, the first data D1 may not be transmitted to the first external device 103. For example, the management device 102 may enable access to the first data D1 on the management device 102 from the first external device 103. After the access, the first external device 103 refers to or processes the first data D1 on the management device 102.

<Monitoring example> (Step S05)
In step S05, the management apparatus 102 monitors the use of the first data D1. It is desirable that monitoring is performed periodically.

  For example, the monitoring checks the position of the first data D1. For example, it is assumed that a program or the like for transmitting a position or the like where data is stored is attached to the first data D1 in advance. In this way, the management apparatus 102 can track what external apparatus the first data D1 is used for after the permission. That is, the monitoring is realized by a so-called traceability function or the like. For monitoring, it is only necessary to know where the first data D1 is used. For example, the management apparatus 102 includes, for example, a URL (Uniform Resource) of a homepage where information indicated by the first data D1 is described. Locator) or document name may be transmitted.

  In addition, the monitoring may check, for example, whether data outside the permitted range has been published or disclosed, or check whether the data has been used beyond the permitted period. The monitoring may be performed by a person. Further, the data to be monitored is not limited to the first data D1, and may include data generated based on the first data D1 or data indicating related contents.

<Notification Example of Use> (Step S06)
Note that after the permission, the first external device 103 preferably performs notification when the first data D1 is actually used or when it is permitted.

  In step S06, the first external device 103 notifies the information processing terminal 101 that the use of the first data D1 is used. For example, when the first data D1 is used, the user UR can be set in advance to notify the used form. When such a setting is made, for example, data generated based on the first data D1 is transmitted to the information processing terminal 101. In this way, the user UR can know how the first data D1 is specifically used. Therefore, for example, the case where the 1st contractor C1 used the usage different from conditions can be discovered early by such notification.

  As described above, the management apparatus 102 is set in advance so that the information processing terminal 101 or the like is notified of the used form. Since the form of use is determined in advance by a contract or the like, the user UR can grasp the specific form of use of the first data D1 if the date and time of the start of use is at a minimum. That is, when the management apparatus 102 notifies the management apparatus 102 that the first external apparatus 103 uses the first data D1, the management apparatus 102 uses the notification as a trigger to set the management apparatus 102 based on the first data D1 set in advance. The notification data generated in this way is notified to the information processing terminal 101. Upon receiving such a notification, the user UR can know the date and time when the first data D1 was used as the first data D1 was set in advance. Further, as in the fourth embodiment described later, various combinations are possible for the notification method, the processing by the management apparatus 102, the message to be notified, and the like.

  However, the management apparatus 102 may send data indicating the contract contents to the information processing terminal 101 in order to remind the user of the contract contents. In addition, the user may want to check whether the user actually uses it as contracted. Therefore, data indicating the result of use may be sent to the first external device 103, or when it is disclosed and used on a homepage or the like, an address indicating the use destination is sent to the first external device 103. It may be allowed.

  Note that the use notification sent from the first external device 103 to the management device 102 may also serve as data indicating the position of the first data D1. That is, a configuration may be used in which when the data indicating the position of the first data D1 is sent, the first data D1 is used.

  The data indicating the position of the first data D1 may be, for example, data indicating a physical position, or data specifying a server on the network such as an IP address.

<Functional configuration>
FIG. 4 is a functional block diagram showing a functional configuration example of the information processing system according to the embodiment of the present invention. For example, the information processing system 10 has a functional configuration including a reception unit 10F1, a permission unit 10F2, a management unit 10F3, a monitoring unit 10F4, and the like. The functional configuration shown in the figure will be described below as an example.

  The accepting unit 10F1 performs an accepting procedure for accepting a request REQ for use of the data to be disclosed, disclosed, corrected, or used from the external device. For example, the reception unit 10F1 is realized by the communication device 201, the input device 204, or the like.

  The permission unit 10F2 performs a permission procedure for permitting the request REQ when the request REQ received by the reception unit 10F1 satisfies a preset condition CQ. For example, the permission unit 10F2 is realized by the communication device 201, the output device 205, or the like.

  When the permission unit 10F2 permits, the management unit 10F3 outputs the first data D1 to the external device, or performs a management procedure that enables access to the first data D1 from the external device. For example, the management unit 10F3 is realized by the CPU 200 or the like.

  The monitoring unit 10F4 performs a monitoring procedure for monitoring the use of the first data D1 by the external device after the permission unit 10F2 permits. For example, the monitoring unit 10F4 is realized by the communication device 201 or the like.

<Effect>
With the functional configuration as described above, the first data D1 indicating important information such as personal information can be managed by the management unit 10F3 to prevent leakage due to unauthorized access or the like. On the other hand, if a company or the like transmits a request REQ to the reception unit 10F1, the first data D1 can be used with permission from the permission unit 10F2 when the condition CQ is satisfied. In this way, companies and the like can easily collect personal information and the like. Moreover, since the use of the first data D1 is monitored by the monitoring unit 10F4 even after the permission, it is possible to prevent the first data D1 from being used illegally and leaking personal information or the like.

  The receiving unit 10F1, the permitting unit 10F2, the management unit 10F3, and the monitoring unit 10F4 are important in that the management device 102 is provided in the management device 102 operated by the administrator ADM. For example, when the information processing terminal 101 manages the first data D1, the user UR manages the data, and a data management load is generated. On the other hand, in the configuration as in the present embodiment, personal information or the like can be deposited in the administrator ADM.

  The structure of the prior documents and the like is premised on an organization that can trust a person who deposits personal information to some extent. For example, as in the relationship between the employee and the company where the employee is working, the structure of the prior documents is based on the assumption that there is a strong credit relationship between the user who provides the data and the company where the data is stored. It is. Therefore, it is assumed that there is no unauthorized use of personal information by the depository. On the other hand, there is a person who tries to use personal information illegally. Therefore, when an administrator ADM as in the present embodiment is interposed and managed, information leakage or the like can be prevented.

Second Embodiment
Hereinafter, a description will be given focusing on differences from the first embodiment. Therefore, the same components as those in the first embodiment are denoted by the same reference numerals and description thereof is omitted.

<Example of overall configuration>
FIG. 5 is a schematic diagram illustrating an example of the overall configuration of the information processing system according to the second embodiment of the present invention. For example, in the second embodiment, the information processing system 10 has an overall configuration that further includes a substitute device 106.

  The proxy device 106 has, for example, the hardware configuration shown in FIG. As shown in the figure, the proxy device 106 is an information processing device operated by a proxy ACT.

  The agent ACT is a tax accountant, a certified public accountant, a judicial scrivener, a social insurance worker, an administrative scrivener, a minor (miner), or a staff member of these offices, etc., which is different from the manager ADM. That is, the agent ACT is a person who generates a contract document or the like on behalf of the user UR, for example. Therefore, the agent ACT is preferably a qualified person as described above.

  For example, the information processing system 10 according to the second embodiment performs the following overall processing.

<Example of overall processing>
FIG. 6 is a sequence diagram illustrating an example of overall processing by the information processing system according to the second embodiment of the present invention. Compared to the first embodiment, the second embodiment is different in that processing from step S07 is added. In the following, different processes will be mainly described. As shown in FIG. 5, it is assumed that the first data D1 is also copied to the first external device 103 with permission.

<Example of Transmission of First Data> (Step S07)
In step S07, the first external device 103 transmits the first data D1 to the proxy device 106. For example, it is assumed that a sales contract or the like is concluded between the user UR and the first trader C1. It is assumed that a contract document or the like needs to be created for the contract. Further, items described in the contract document are items indicated by the first data D1. In such a case, the first data D1 permitted to be used in advance is transmitted from the first external device 103 to the proxy device 106 as a material for creating a contract document. In step S07, the first data D1 may be browsed from the proxy device 106.

  In addition, the contract is not limited to a sales contract or the like, and may be a contract renewal that has been made in advance. Furthermore, the contract is not limited to a sales contract or the like, and may be any procedure using the first data D1.

<Example of generating a document based on the first data> (step S08)
In step S08, the proxy device 106 generates a document or the like based on the first data D1. For example, when the name of the user UR or the like is input to the first data D1, the proxy device 106 generates a document or the like that describes the name of the user UR. Note that human operations may be involved in the generation of documents and the like.

<Recommend Notification Example> (Step S09)
In step S09, the proxy device 106 notifies the recommendation. That is, the proxy device 106 notifies the user UR that a contract or the like that should be made has occurred. For example, it is assumed that a contract with a contract deadline is made in advance between the user UR and the first trader C1. When the date when the contract expires is approaching, the proxy device 106 notifies the user to generate a document or the like necessary for the procedure for continuing the contract.

  The notification may not be set by the user UR. For example, the user UR sets the proxy device 106 so as to continue with the same contents in advance in the case of updating or the like. In such a case, the proxy device 106 may automatically generate a document or the like based on the first data D1 without notification.

  Further, the notification may further indicate an incidental contract or a condition that the agent ACT thinks should be accompanied.

<Notification Example of Accepting Recommendation> (Step S10)
In step S <b> 10, the information processing terminal 101 notifies the proxy device 106 of accepting the recommendation. That is, when the user UR approves the contract shown in step S09, the information processing terminal 101 generates a document and notifies the agency device 106 to execute the contract. Note that when there is a request for change or the like, the information processing terminal 101 may further notify the request or the like by the user UR.

<Example of monitoring by proxy device> (step S11)
In step S11, the proxy device 106 monitors the use of the first data D1. Note that step S11 is not limited to after step S10, and may be performed at another timing.

  For example, the monitoring is a process of performing the same contents as step S05 independently of the management apparatus 102. In this way, a so-called double check system in which the monitoring by the management apparatus 102 and the monitoring by the proxy apparatus 106 are performed in duplicate can be achieved. Therefore, even if there is a fraud by the management apparatus 102, a monitoring mistake or a permission mistake, the leakage of personal information or the like can be discovered at an early stage by the monitoring by the proxy apparatus 106. Therefore, such a system can further prevent leakage of personal information and the like.

<Third Embodiment>
Hereinafter, a description will be given focusing on differences from the first embodiment. Therefore, the same components as those in the first embodiment are denoted by the same reference numerals and description thereof is omitted.

<Example of overall configuration>
FIG. 7 is a schematic diagram showing an example of the overall configuration of an information processing system according to the third embodiment of the present invention. Compared with the first embodiment, the third embodiment is different in that the data constituting the first data D1 or part of the first data D1 is dispersed.

  For example, data such as a life log may be periodically generated by measuring the user UR by a sensor or peripheral device included in the information processing terminal 101 or the like. In such a case, each time data is generated, the newly generated data is transmitted to the management apparatus 102, and the management apparatus 102 adds or updates the first data D1 managed in advance by the management apparatus 102. May be.

  In addition, as shown in the figure, when the first data D1 is transmitted to the first external device 103 after the use of the first data D1 is permitted by the overall processing shown in FIG. Each time data is generated without going through 102, the information processing terminal 101 may transmit the newly generated data to the first external device 103.

  In addition to the first data D1, the management apparatus 102 permits use of data relating to the user UR or data generated based on the first data D1 (hereinafter referred to as “second data D2”). Good.

  For example, the second data D2 is data indicating a purchase history of the user UR at an internet shop or the like. In the example shown in the figure, it is assumed that the user UR makes a purchase at an internet shop operated by the second trader C2. In such a case, the second data C2 relating to the user UR such as purchase history is often generated and managed by the second vendor C2 in part or in whole. Therefore, even the data related to the user UR may be data that is not data provided by the user UR, unlike the first data D1, like the second data D2. Therefore, it is assumed that data indicating a purchase history is stored in the second external device 104 as the second data D2.

  And in marketing etc., the 1st trader C1 wants to check the purchase history of user UR. That is, the first trader C1 wants to use the second data D2 stored in the second external device 104.

  In such a case, similarly to the first data D1, the second external device 104 transmits a use request for the second data D2 to the management device 102. That is, the same process as step S02 is performed on the second data D2. In this case, the request may be made to the management apparatus 102 even when one of the first data D1 and the second data D2 that are data relating to the user UR is to be used. Therefore, with the configuration as shown in the figure, it is possible to unify the window of requests for using data related to the user UR.

  Further, the second data D2 may not be data generated by a company or the like such as a purchase history. For example, the second data D2 may be disclosed by the user UR on a homepage or SNS (Social Networking Service). That is, the second data D2 is data indicating a so-called user UR profile or an image taken by the user UR.

  In the illustrated example, the second data D2 is stored in the server 107. That is, in this example, when the user UR uploads the second data D2 to the server 107, the second data D2 is announced on the server 107 in the form of a homepage or the like. Then, it is assumed that the first trader C1 wants to use the second data D2 by looking at the published second data D2. Specifically, if the second data D2 is a copyrighted work, the first trader C1 needs permission under the copyright law to use it.

  Even in such a case, similarly to the first data D1, the second external device 104 transmits a use request for the second data D2 to the management device 102. That is, the same process as step S02 is performed on the second data D2. In this way, even when it is desired to obtain permission for the second data D2 by the user UR, the request may be made to the management apparatus 102. Therefore, with the configuration as shown in the figure, it is possible to unify the window of requests for using data related to the user UR.

  In addition, when there is such a request and the use of the second data D2 is permitted, the use of the second data D2 is desirably monitored.

  As described above, the data to be permitted may be stored in a device other than the management device 102. That is, the data may be a so-called block chain type. Even in such a case, the company or the like may permit use of the management apparatus 102. With such a configuration, data related to the user UR can be centrally managed.

<Application example>
This embodiment can be applied to, for example, VRM (Vendor Relationship Management) or PLR (Personal Life Repository). That is, in CRM (Customer Relationship Management), data such as personal information is managed by a company or the like. On the other hand, in VRM or PLR, data is managed by an individual or a household. Compared to companies, individuals, etc. often have insufficient management systems. Therefore, it is desirable to adopt the above-described configuration and a system for managing data with the help of experts and the like.

  In addition, with the configuration as described above, use of data related to individuals and the like is easily promoted. Furthermore, it becomes easier for companies to establish a system that gives so-called points or the like as consideration for using data related to individuals. With such a system, it becomes easier for companies to collect information.

<Fourth embodiment>
For example, this embodiment may have the following overall configuration.

  FIG. 8 is a schematic diagram showing an example of the overall configuration of the information processing system according to the fourth embodiment of the present invention. The overall configuration shown in the figure is more detailed about the notification to the user UR, the processing by the management device 102, and the notification from the first external device 103 in the overall configuration of the information processing system 10 specified as the first embodiment. It is a specific example. Hereinafter, the same components as those in the first embodiment are denoted by the same reference numerals, and detailed description thereof is omitted.

  First, as described in the first embodiment, in step S04, the management apparatus 102 sends the first data D1 to the first external apparatus 103. The management device 102 may be configured to permit the first external device 103 to access the first data D1. Hereinafter, an example in which the first data D1 is sent will be described. For example, the management apparatus 102 records that the first data D1 has been sent, that is, permission, and stores it as data for management (hereinafter referred to as “management data D3”). In addition, the management device 102 in the management data D3 allows the use of the user UR, the first data D1, the first external device 103, and the first data D1 (hereinafter referred to as “use period”) and the first external device. The permitted contents and the like for 103 are stored in association with each other. Then, the management apparatus 102 periodically notifies the information processing terminal 101 of a message MES or the like during the usage period.

  The message MES may be in a text format such as an email or a message. Alternatively, the message MES may be in a form that conveys voice or the like by telephone.

  In addition, the management apparatus 102 sends the first data D1 during the usage period. That is, after the usage period has elapsed, the management apparatus 102 prevents the first data D1 from being used after the usage period has elapsed, for example, by terminating the sending of the first data D1.

  Further, the management apparatus 102 sends a portion of the first data D1 according to the permitted content. Therefore, the management apparatus 102 monitors so that the first external apparatus 103 does not use the first data D1 beyond the permitted content.

  For example, when there is a request or use for contents that are not permitted as a result of monitoring, the management apparatus 102 sends a message MES that notifies the contents of the request or an image indicating the used form.

  Specifically, for example, the notification is performed as follows.

  FIG. 9 is a schematic diagram illustrating a first example of notification in the information processing system according to the embodiment of the present invention. Hereinafter, it is assumed that the first data D1 including the personal information of the user UR is permitted to be used and sent to the first external device 103 in step S04. In this example, the first external device 103 generates and uses a name list D4 including personal information of the user UR based on the first data D1.

  During the usage period, the management apparatus 102 periodically receives a notification that the name list D4 is being used from the first external apparatus 103. If there is such a notification, the management apparatus 102 can monitor whether the use period of the first data D1 has passed. The monitoring result and the like are notified by the management apparatus 102 to the information processing terminal 101 by a message MES.

  Note that the management apparatus 102 may perform processing as follows when performing the notification.

  FIG. 10 is a schematic diagram illustrating a second example of notification in the information processing system according to the embodiment of the present invention. As in the first example, the second example is an example in which the first external device 103 generates and uses a name list D4 including the personal information of the user UR based on the first data D1.

  However, in the second example, among the personal information included in the first data D1, information on the item “name” is permitted, but information on the item “address” is not permitted. To do. On the other hand, it is assumed that the first external device 103 generates and uses a name list D4 including information of “name” and “address” based on the first data D1, as illustrated. That is, for the “address” portion, it is assumed that the first external device 103 uses the first data D1 beyond the permitted content range.

  First, in the second example, the first external device 103 copies the name list D4 and sends it to the management device 102. Then, the management apparatus 102 collates the contents of the sent name list D4 with the permitted contents recorded in the management data D3. When such collation is performed, the management apparatus 102 can be understood that the “address” information is used even though it is not permitted. That is, the management device 102 can monitor the contract violation of the first external device 103.

  The collation may be a process of extracting a word or the like included in the name list D4 and determining whether or not it matches the permitted content recorded in the management data D3. On the other hand, in the collation, the administrator ADM or the like may confirm the information described in the name list D4 and input the collation result based on the permitted contents recorded in the management data D3.

  In such a case, the management apparatus 102 notifies the information processing terminal 101 that the used form, that is, data indicating the name list D4 and that there is a contract violation as a result of monitoring. When notified in this way, the user UR can easily understand that there is a breach of contract, a specific form of how it was used, and what point is a breach of contract.

<First Example of Processing by Management Device>
For example, the management apparatus 102 desirably performs the following processing. Further, it is desirable that the processing result is notified to the information processing terminal 101 and recorded in the management apparatus 102.

  The management apparatus 102 desirably monitors whether the first external apparatus 103 is not using the first data D1 after the usage period has elapsed. That is, after the usage period has elapsed, the management apparatus 102 monitors whether the first external apparatus 103 has the first data D1.

  It is assumed that the management apparatus 102 is set to have authority to access the first external apparatus 103 in advance.

  When the first external device 103 uses the first data D1 after the usage period has elapsed, for example, the management device 102 desirably performs the following processing.

  FIG. 11 is a schematic diagram illustrating a first example of processing by the management apparatus in the information processing system according to the embodiment of the present invention. Hereinafter, as in FIG. 9, an example in which the first external device 103 uses the first data D1 in the form of a name list D4 will be described. Similarly to FIG. 9, when there is management data D3, it is assumed that the management apparatus 102 knows that the personal information of the user is included in the name list D4. For example, when the user logs in to the first external device 103 and searches the first external device 103 using the user's personal information as a keyword, the management device 102 can know the presence and location of data including the user's personal information. .

  When the management device 102 finds the name list D4 including the personal information of the user, the management apparatus 102 deletes the name list D4. If such processing is performed, even if there is data used for breach of contract, the outflow of information can be stopped promptly.

<Second Example of Processing by Management Device>
FIG. 12 is a schematic diagram illustrating a second example of processing by the management apparatus in the information processing system according to an embodiment of the present invention.

  First, when permission is given, the management apparatus 102 records the permitted content as management data D3. As shown in the figure, the permission content is, for example, an item that is subject to permission (or an item that prohibits use) among data items of the first data D1, use period, disclosure format, or These are combinations. By summing up such permission contents, the user UR can assume a usage pattern by the first external device 103.

  Therefore, when there is a notification of use from the first external device 103, the management device 102 notifies the message that the first external device 103 uses the first data with a message MES.

  Furthermore, the management apparatus 102 notifies the information processing terminal 101 of the permission content set in the management data D3. If there is such a notification, the user UR can know the usage pattern by the first external device 103.

  Note that the user UR may use the information processing terminal 101 to visually confirm the actual usage pattern by the first external device 103. Specifically, when the first external device 103 discloses the personal information of the user UR on a homepage or the like, a URL (Uniform Resource Locator) to be disclosed in advance is transmitted to the user UR. If there is a notification, the user UR knows the position to be disclosed, that is, the URL, and therefore can access the site indicated by the URL to know the form used by the first external device 103. .

  In addition, the first external device 103 sends information such as a URL indicating the copy of the generated data and the disclosed location to the management device 102 together with the usage notification from the first external device 103 as shown in the figure. Also good. The message MES may be generated so that such information enters the message MES.

<Third example of processing by management device>
In addition, the management apparatus 102 may perform the following processing.

  FIG. 13 is a schematic diagram illustrating a third example of processing by the management apparatus in the information processing system according to an embodiment of the present invention.

  First, as in the second example, the first external device 103 notifies the management device 102 of the use of the first data. When there is such a notification, the management apparatus 102 searches the network NW. The network NW is, for example, a location such as the Internet. Note that the search range may include the first external device 103. The search key used for the search is determined by, for example, permitted contents. Specifically, when “name” is permitted information, search processing is performed using characters indicating “name”.

  In this way, the management apparatus 102 monitors whether or not information is leaked from other places due to the start of data by the first external apparatus 103. That is, after the first external device 103 acquires the first data, the personal information of the user UR, etc. due to intentional outflow from the first external device 103 or a security defect of the first external device 103, Information may leak from the first external device 103. Therefore, after the data use of the first external device 103 is started, the management device 102 monitors whether there is personal information on the network NW. In this way, the management apparatus 102 can detect information leakage from the first external apparatus 103 at an early stage.

  The search key may be set. For example, it may be possible to set the search so that information with a high degree of risk is searched mainly when information leakage such as the “name” of the user UR occurs. Then, the management apparatus 102 may monitor whether or not information with high risk is leaked by so-called crawling or the like. Furthermore, the management apparatus 102 may notify the information processing terminal 101 of the search result. In this way, the user UR can notice information leakage early.

<Fourth Example of Processing by Management Device>
For example, the management apparatus 102 may perform processing using the following data.

  FIG. 14 is a schematic diagram illustrating a fourth example of processing by the management apparatus in the information processing system according to an embodiment of the present invention. Compared to the first example, the second example, and the third example, the fourth example is different in that data indicating the reliability set by the administrator ADM or the like (hereinafter referred to as “credit rating data D5”) is used.

  The reliability data D5 is set in the management apparatus 102 in advance as shown in the figure, for example. Specifically, the trustworthiness data D5 indicates the trustworthiness of a site that is the first external device 103 or a company that manages the first external device 103. For example, the credit rating is a numerical value or the like indicating a result evaluated stepwise from “high” to “low”. For example, a “public organization” with a high credit rating is an example of a company or the like that is evaluated as having the lowest risk of information leakage or unauthorized use of information. That is, the reliability data D5 is data indicating a result of evaluating a risk when the first data D1 is used for an external device.

  As shown in the figure, the degree of trust may be set in various categories such as the type of company, the type of service provided by the first external device 103, the type of site, and the like. For example, the reliability is determined by a host name or the like in the URL. However, the trustworthiness only needs to correspond to information that can be specified or classified by the first external device 103 that is the usage destination of the first data D1. For example, if the domain is “.go.jp” or the like, the management apparatus 102 can classify the first external apparatus 103 as “public organization”. Similarly, if an IP address or the like is registered in advance, the management apparatus 102 can specify the first external apparatus 103. As described above, the classification and identification method is a method using the setting value of the first external device 103 or the like.

  Further, the credit rating may be set by, for example, the past number of violations. In other words, the first external device 103 such as a company that has frequently been violated in the past is set to have a low reliability.

  Therefore, the trustworthiness data D5 may be generated by inputting a value by the administrator ADM, or may be generated by analyzing the data by the management apparatus 102 or the like.

  The message MES may notify such reliability. When the credit level is low or the credit level is unknown, the user UR may transmit data for requesting the credit level check to the management apparatus 102 via the message MES or the like.

  A configuration in which information for estimating risk such as information leakage is used, such as reliability, is desirable. When notification based on such credit data D5 is performed, the user UR can estimate the risk of using personal information.

<First example of notification screen>
The information processing terminal 101 displays the following screen, for example, as a result of the notification.

  FIG. 15 is a schematic diagram illustrating a first example of a screen indicating notification in the information processing system according to the embodiment of the present invention. For example, the information processing terminal 101 displays the message MES on a notification screen as illustrated.

  Specifically, the message MES notifies the “status”, “confirmation date / time”, and the like, as in the “data in-use notification” display (hereinafter referred to as “use notification display P1”). As shown in the figure, the usage notification display P1 is an example showing information that can be understood if there is a notification from the first external device 103.

  In addition, the message MES informs the items permitted in the contract and the use destination of data to be notified in advance, such as the “permitted content” display (hereinafter referred to as “permitted content notification display P2”) in the figure. In this example, the permission content notification display P2 indicates an item permitted to be used with a “◯” mark among items of information known from the first data D1, and an item prohibited to be used with an “X” mark. That is, information such as “name” and “age” is disclosed.

  The permission content notification display P <b> 2 indicates the content set in the management apparatus 102. That is, the information indicated by the permission content notification display P2 is a matter determined at the time of contract or the like. Therefore, such contents can be set in advance to be notified.

  When such a notification is given, the user UR can know that the data has been used. The notification may include an “attached file”. That is, the notification may include information other than that illustrated depending on the setting or the like.

<Second example of notification screen>
The notification screen may be the following screen, for example.

  FIG. 16 is a schematic diagram illustrating a second example of a screen indicating notification in the information processing system according to an embodiment of the present invention. Compared to the first example, the second example is a GUI (Graphical) for displaying the result of the management device 102 performing processing such as monitoring (hereinafter referred to as “check result display P21”) and for performing an operation on the check result display P21. User Interface (hereinafter referred to as “operation display P22”) is different.

  The check result display P21 is an example of a display for reporting that there has been unauthorized use as a result of monitoring. As described above, the check result display P21 is a display for informing the user UR of the result of the processing performed by the management apparatus 102. Further, as shown in the figure, the check result display P21 may display a link such as a URL so that the user UR can easily confirm directly by visual observation or the like. That is, the user UR can easily confirm a site or the like determined to have unauthorized use by clicking on the URL.

  The operation display P22 is an example showing a coping method for the monitoring result indicated by the check result display P21. Specifically, as illustrated, the operation display P22 is a GUI that can be selected by checking the coping method displayed in the “coping method”. The coping method is processing that the management apparatus 102 performs next. Specifically, as shown in the figure, when the coping method “warn the user” is selected, the management apparatus 102 displays a message indicating contents such as prohibiting unauthorized use to the first external apparatus 103. Send it. Further, for example, when the coping method “inspect whether there is any other unauthorized use” is selected, the management apparatus 102 starts processing as shown in FIG. Furthermore, for example, when the coping method “deleting data” is selected, the management apparatus 102 starts processing as shown in FIG.

  As described above, the notification screen displays a screen for selecting a type of monitoring performed by the management apparatus 102 and a screen for transmitting a signal serving as a trigger for starting monitoring to the management apparatus 102. With such a notification screen, the user UR can quickly take action even when data is used illegally.

  The notification screen is not limited to the format shown in the figure. That is, the notification may be an application, an email, an attached file attached to the email, or the like.

<Modification>
In addition, AI (Artificial Intelligence) etc. may be used for a search, a search, and the setting of a credit rating. That is, the management device performs machine learning or the like using past data as learning data. For example, based on this learning result, the management apparatus may estimate the tendency of causing a violation, that is, estimate the level of credit and set it.

<Other embodiments>
Each device may not be realized by one device. That is, each device may be composed of a plurality of devices. For example, each device may include a plurality of information processing devices and perform each process in a distributed, parallel, or redundant manner.

  Note that all or part of each processing according to the present invention is described in a low-level language such as an assembler or a high-level language such as an object-oriented language, and may be realized by a program for causing a computer to execute an information processing method. Good. That is, the program is a computer program for causing a computer such as an information processing apparatus or an information processing system to execute each process.

  Therefore, when the information processing method is executed based on the program, the calculation device and the control device included in the computer perform calculation and control based on the program in order to execute each process. In addition, a storage device included in the computer stores data used for processing based on a program in order to execute each processing.

  The program can be recorded and distributed on a computer-readable recording medium. The recording medium is a medium such as a magnetic tape, a flash memory, an optical disk, a magneto-optical disk, or a magnetic disk. Furthermore, the program can be distributed through a telecommunication line.

  As mentioned above, although preferable embodiment of this invention was explained in full detail, this invention is not limited to embodiment etc. which were demonstrated above. Therefore, various modifications or changes can be made to the embodiments within the scope of the gist of the present invention described in the claims.

10 Information processing system ADM Administrator UR User D1 First data D2 Second data D3 Management data D4 List D5 Reliability data MES Message 101 Information processing terminal 102 Management device 103 First external device 104 Second external device 105 Third external device

Claims (12)

An information processing system having an information processing terminal operated by a user, and a management device connected to the information processing terminal via a network and operated by an administrator different from the user,
The management device
A receiving unit that receives a request for use to publish, disclose, correct, or use the first data relating to the user from an external device;
When the request satisfies a preset condition, a permission unit that permits the request;
With the permission, a management unit that outputs the first data to the external device or enables access to the first data from the external device;
After the permission, monitoring the period during which the first data is used, and monitoring based on the position where the first data transmitted by the external device is used,
And,
A monitoring unit for indicating a monitoring result to the administrator;
An information processing unit including a notification unit that notifies the information processing terminal that the first data has been used based on a setting when the external device makes a notification to use the first data based on the permission; system.   The information processing system according to claim 1, wherein the first data includes personal information of the user.   The information processing system according to claim 1, wherein the monitoring unit further monitors second data relating to the user stored in a device different from the management device. It further includes a proxy device different from the management device,
The proxy device is:
The information processing system according to claim 1, wherein a document is generated based on the first data.   The information processing system according to claim 4, wherein the proxy device further monitors the first data separately from the management device.   The information processing system according to claim 1, wherein the condition includes a determination as to whether the condition is paid or free. The monitoring unit
After the period in which the first data is used it has elapsed, monitoring the use of the first data definitive to said external device,
The information processing system according to claim 1, wherein the first data is deleted when the first data is used in the external device. The monitoring unit
The information processing system according to any one of claims 1 to 7, wherein a search is performed to monitor whether or not the first data is being used at a location different from the external device. The management device
Having creditworthiness data indicating a result of evaluating a risk when the external device uses the first data;
The notification unit
The information processing system according to any one of claims 1 to 8 notifies the information for estimating the risk of based rather information leaked to the credibility data to the information processing terminal. The notification unit
The information processing system according to claim 1, wherein the monitoring result and a coping method for the monitoring result are notified. An information processing method performed by an information processing system having an information processing terminal operated by a user and a management device connected to the information processing terminal via a network and operated by an administrator different from the user,
A procedure for accepting a request for use of the management device from an external device to publish, disclose, correct or use the first data relating to the user;
When the management device satisfies the request satisfies a preset condition, an authorization procedure for permitting the request;
A management procedure for allowing the management device to output the first data to the external device or to access the first data from the external device when the permission is given;
The management device performs monitoring based on a position where the first data transmitted from the external device is used, and monitoring of a period during which the first data is used after the permission,
And,
A monitoring procedure indicating the monitoring result to the administrator;
When the management device makes a notification that the external device uses the first data based on the permission, the information processing terminal indicates that the management device has used the first data based on a setting. An information processing method including a notification procedure for notifying a user. A program for causing a computer having an information processing terminal operated by a user and a management device connected to the information processing terminal via a network and operated by an administrator different from the user to execute the information processing method There,
A procedure for accepting a request for use of the management device from an external device to publish, disclose, correct or use the first data relating to the user;
When the management device satisfies the request satisfies a preset condition, an authorization procedure for permitting the request;
A management procedure for enabling the management device to output the first data to the external device or to access the first data from the external device when the permission is given;
The management device performs monitoring based on a position where the first data transmitted from the external device is used, and monitoring of a period during which the first data is used after the permission,
And,
A monitoring procedure indicating the monitoring result to the administrator;
When the management device makes a notification that the external device uses the first data based on the permission, the information processing terminal indicates that the first data is used based on the setting. A program for executing a notification procedure to notify a user.

Images