JP6995667B2 - Information management system, information management method and information management device - Google Patents

Description

The present invention relates to an information management system, an information management method, and an information management device that anonymize sensitive information.

In recent years, laws and regulations to protect personal information have been strengthened, such as the full enforcement of the revised Personal Information Protection Law in May 2017 and the new enforcement of the EU General Data Protection Regulation (GDPR) in May 2018. Is being done. In particular, the GDPR may impose a fine of up to 4% of the company's total annual sales for the offending company. Compliance with such laws and regulations has become an issue for companies that handle personal information.

The GDPR imposes an obligation on each company to refer to, change, transfer, and delete personal information at the request of the individual. For example, for a company that accumulates and analyzes the access log of each individual's Web page and delivers an advertisement to a specific individual according to the analysis result, the individual is selected from the accumulated data and the analysis result in response to the individual deletion request. There is an obligation to delete identifiable information.

Furthermore, the GDPR stipulates the so-called principle of minimizing personal data, which limits personal information used for a certain purpose to those required for that purpose. For example, a company that provides Web access to a user may analyze and process an access log of each individual's Web page for the purpose of security operation. Then, the company stops Web access that is likely to have a security problem or Web access from a specific network segment, depending on the result of the analysis process. In this case, it is necessary to limit the use of the processing pattern of the analysis process to the minimum necessary personal information such as "personal ID" and "IP address".

As a technique for limiting personal information contained in a certain data, for example, an anonymization technique disclosed in Patent Document 1 is known. In the technique of Patent Document 1, the degree of specificity of personal information is calculated, and the degree of concealment of personal information can be adjusted as necessary.

Japanese Unexamined Patent Publication No. 2002-269081

By the way, personal information may be specified by anonymizing personal information, for example, by collating it with other information. In order to avoid such a situation, companies and organizations that handle personal information anonymize personal information under anonymization conditions that meet the requirements of laws and regulations, and then use the anonymized information and process the anonymization process. It is necessary to manage the pattern. In the prior art, there is no disclosure of a method of managing the range of use and processing patterns that can maintain the non-specific state of anonymized information in accordance with such laws and regulations and processing patterns.

The present invention has been made in view of the above problems, and an object of the present invention is to provide a technique capable of utilizing management information while appropriately managing sensitive information.

In order to solve the above problems, the information management system according to the present invention is an information management system capable of performing anonymization processing for anonymizing sensitive information among management information, and is an attribute of sensitive information to be anonymized. Anonymity that generates anonymization conditions based on the legal and regulatory requirements storage unit that stores the legal and regulatory requirements including It has an anonymization condition generation unit and an anonymization unit that generates anonymization information from the management information based on the period anonymization condition.
The information management system is a system that manages information while preventing it from being identified as information of a specific individual.

According to the present invention, it is possible to utilize the management information while appropriately managing the sensitive information.

The block diagram which shows the software structure of the information management system which concerns on 1st Embodiment. The block diagram which shows the hardware configuration of the information management system which concerns on 1st Embodiment. The figure which shows the data structure of the original information which concerns on 1st Example. The figure which shows the data structure of the subject information storage part which concerns on 1st Example. The figure which shows the data structure of the legal regulation requirement storage part which concerns on 1st Example. The figure which shows the data structure of the unprocessable list which concerns on 1st Embodiment. The figure which shows the data structure of the permission processing history storage part which concerns on 1st Embodiment. The block diagram which shows the logical structure of the permission processing pattern management part which concerns on 1st Embodiment. The figure which shows the data structure of the processing pattern storage part which concerns on 1st Example. The block diagram which shows the logical structure of the anonymization condition generation part which concerns on 1st Example. The figure which shows the data structure of the anonymization condition storage part which concerns on 1st Example. The figure which shows the data structure of the permission processing pattern storage part which concerns on 1st Example. The figure which shows the data structure of the anonymization method list which concerns on 1st Example. The figure which shows the data structure of the anonymization information which concerns on 1st Example. The figure which shows the data structure of the retained information which concerns on 1st Example. The sequence diagram which shows the process pattern registration process which concerns on 1st Example. The sequence diagram which shows the process pattern permission process which concerns on 1st Example. The flowchart which shows the anonymization condition generation processing which concerns on 1st Example. The flowchart which shows the permission process history check process which concerns on 1st Embodiment. The block diagram which shows the software structure of the information management system which concerns on 2nd Embodiment. The figure which shows the data structure of the deposit personal information which concerns on 2nd Example. The figure which shows the data structure of the anonymization condition storage part which concerns on 2nd Example. The figure which shows the data structure of the anonymization information which concerns on 2nd Example.

In the following description, the information management system may be composed of one or more computers. The information display by the information management system may be to display the information on the display device of the information management system, or may be to transmit the display information to a remote display computer (information processing main body). ..

First, regarding the anonymization technology, there is a case where the data after anonymization can be matched with another data to identify an individual. For example, in the United States, when a state released data by performing anonymization processing to delete names etc. from medical data, it was matched with a voter list that had already been published (sold) separately, and it was an individual. There is a case where we were able to identify.

Furthermore, also in the United States, when a DVD rental company released 500,000 anonymized viewing history data and held a recommendation algorithm development contest, researchers collated the data of movie review sites with individuals. There is a case that could be identified. In this case, the contest organizer was investigated by the regulatory agency and the subsequent contest was cancelled.

In addition, when a US Internet provider company released a search history for 650,000 people whose names were anonymized for research and development, researchers identified individuals from search keywords and criticized them from the media and consumer organizations. In response, there is a case where the company's CTO resigned.

Hereinafter, some embodiments will be described with reference to the drawings.

(1) First Example (1-1) Configuration of Information Management System According to First Example FIG. 1 is a block diagram showing a software configuration of the information management system 10 of the first embodiment. The hardware configuration is shown in FIG.

The information management system 10 includes an information management device 1. The information management device 1 is connected to the information management main body 2 and the information processing main body 3 via a network 4 such as a LAN (Local Area Network) or a WAN (Wide Area Network). The information management system 10 is a system that manages information while preventing it from being identified as information of a specific individual (in this sense, it may be called a non-specific information management system).

The information management entity 2 is, for example, an overseas branch office in Europe. The information management subject 2 has the original information 201 as an example of "management information", the anonymization unit 202, and the anonymization information 203.

The original information 201 includes personal information and trade secrets as an example of "sensitive information" of customers and employees.

The anonymization unit 202 executes an anonymization process for anonymizing personal information among the original information 201. Specifically, the anonymization unit 202 generates anonymization information 203 from the original information 201 based on the anonymization condition described later, and transmits the generated anonymization information 203 to the information processing entity 3 via the network 4. ..

The anonymization information 203 is information that anonymizes personal information among the original information 201 by anonymization processing and does not anonymize information other than personal information. The anonymization information 203 is transmitted to the information processing subject 3 via the network 4.

The information management device 1 includes a main information storage unit 101, a legal and regulatory requirement storage unit 102, a processing impossible list 103 as an example of a “processing impossible list storage unit”, a permission processing history storage unit 104, and permission processing pattern management. It has a portion 105. Further, the information management system 1 includes a processing pattern storage unit 106, an anonymization condition generation unit 107, anonymization condition storage unit 108, a permission processing pattern storage unit 109 as an example of the “permission information storage unit”, and anonymity. It has a conversion method list 110.

The information processing subject 3 is, for example, a domestic information processing center. The information processing subject 3 has anonymization information 203, retained information 301, an analysis processing unit 302, and an analysis processing result 303.

The anonymization information 203 is received from the information management entity 2 via the network 4. The analysis processing unit 302 executes various analysis processes (access log analysis, search, matching, frequency calculation, etc.). For example, the analysis processing unit 302 executes a restoration process for reconstructing the anonymization information 203 by matching the anonymization information 203 and the retained information 301 based on the processing pattern, and outputs the analysis processing result 303. The analysis processing unit 302 executes the restoration process when the processing pattern corresponding to the restoration process to be executed is stored in the permission processing pattern management unit 105. The analysis processing result 303 is the result of the analysis processing unit 302 restoring the anonymization information 203 by the analysis processing.

FIG. 2 is a block diagram showing a hardware configuration of the information management system 10 according to the first embodiment.

The information management device 1, the information management main body 2, and the information processing main body 3 are information processing devices such as personal computers, smartphones, and server devices, or virtual machines. The information management device 1, the information management main body 2, and the information processing main body 3 each have a CPU, a memory, a disk, a network interface card (NIC), a display device, an input device, and an internal communication line. To prepare for.

FIG. 3 is a diagram showing a data structure of the original information 201 according to the first embodiment.

The original information 201 is stored in the disk or memory of the information management subject 2, and is information including personal information (here, “IP address” and “personal ID”).

The data item (column) of the original information 201 may include, for example, an “IP address”, an “individual ID”, a “(access) time”, and an “HTTP request”. The "IP address" is an access log recorded by the Web proxy server, and is an IP address of an access source terminal when accessing a website on the Internet via the Web proxy server. The "personal ID" is an identifier of an individual who has executed Web access using the access source terminal. "(Access) time" is the time of access. The "HTTP request" is a request for acquiring a web page from a website.

For example, in record 2011, a user whose "personal ID" is "1111" who uses an access source terminal whose "IP address" is "192.168.1.128" has a "time" of "2018/6/9 10:01: 10 ”indicates that the“ HTTP request ”issued“ GET / def / ”.

FIG. 4 is a diagram showing a data structure of the main information storage unit 101 according to the first embodiment.

The main information storage unit 101 is stored in the disk or memory of the information management device 1. The subject information storage unit 101 stores the identifiers of each subject (information management subject 2 and information processing subject 3) and information on the country / region / organization in which the subject is located. The information in the subject information storage unit 101 is referred to by the permission processing pattern management unit 105 and the anonymization condition generation unit 107.

The data item of the subject information storage unit 101 may include, for example, a "subject ID", a "subject name", a "subject type", a "country / region", and an "organization name". The "subject ID" is an identifier of each subject. The "subject name" is the name of the subject. The "subject type" is the type of the role of the subject. The "country / region" is the location of the subject. "Organization name" is the name of the main organization.

For example, in record 1011 the subject whose "subject ID" is "1000" and whose "subject name" is "information management subject" is a "Data Controller" whose "subject type" is responsible for information management, and is "country / country / Indicates that the "region" is located in the "EU" and the "organization name" is the "European branch office". In record 1012, the subject whose "subject ID" is "2000" and whose "subject name" is "information processing subject" is the "Data Processer" whose "subject type" is responsible for information analysis processing, and is "country / region". Is located in "Japan" and the "organization name" is "information processing center".

FIG. 5 is a diagram showing a data structure of the legal and regulatory requirement storage unit 102 according to the first embodiment.

The legal and regulatory requirement storage unit 102 is stored in the disk or memory of the information management device 1. The legal and regulatory requirement storage unit 102 stores legal and regulatory requirements such as the definition of personal information of the country, region, organization, etc. in which each entity is located.

The data item of the legal regulation requirement storage unit 102 may include, for example, a “legal regulation requirement ID”, a “country / region”, a “legal regulation name”, and a “personal information data item”. "Legal and regulatory requirement ID" is an identifier of legal and regulatory requirement for each country / region. "Country / region" retains the name of the country / region. "Legal name" is the name of the law. The "personal information data item" is a group of data items as an example of "attributes of sensitive information" that each law and regulation regards as personal information.

For example, record 1021 defines a legal and regulatory requirement whose "legal and regulatory requirement ID" is "1". The legal and regulatory requirements for the "legal and regulatory requirement ID" of "1" are "Japan" for "country / region", "revised personal information protection law" for "legal and regulatory name", and "name" for "personal information data item". Date of birth, personal identification number, race (personal information requiring consideration), medical history (personal information requiring consideration), etc.

Record 1022 defines a legal and regulatory requirement with a legal and regulatory requirement ID of "2". The legal and regulatory requirements for the "legal and regulatory requirement ID" of "2" are "EU" for "country / region", "GDPR" for "legal and regulatory name", and "name, identification number, location" for "personal information data item". It indicates that it is data, professional mail address, online identifier (IP address), etc.

FIG. 6 is a diagram showing a data structure of the unprocessable list 103 according to the first embodiment.

The unprocessable list 103 is stored in the disk or memory of the information management device 1. The unprocessable list 103 holds a processing pattern with a high possibility of re-identification extracted from a case or the like in which the anonymization information 203 has been re-identified (re-identified) in the past. The processing pattern may include input data items, output data items and processing types.

The data items in the unprocessable list 103 may include, for example, "anonymization information type", "anonymization data item", "original information data item", "respecification processing type", and "additional data item". .. The “type of anonymization information” is the name of the anonymization information 203 that is the target of respecification. The “anonymized data item” is a data item that has been anonymized in the anonymized information 203. The “original information data item” is a data item of the anonymized information 203 that remains the original information. The "type of re-specification process" is the type of process performed for re-specification. An "additional data item" is an additional data item used for respecific processing.

For example, record 1301 defines a processing pattern of anonymization information 203 whose "type of anonymization information" is "medical data". In this processing pattern, the "name" of the "anonymized data item" is deleted by anonymization (deletion), the "original information data item" includes "gender, date of birth, address, disease name", and "respecific processing". It is shown that "matching" is used for "type of" and "name, address" is used for "additional data item". This record 1301 shows a processing pattern in which the "name" of a particular individual is respecified by collating it with a "name, address" contained in another list as an "additional data item".

Further, the record 1302 is a processing pattern of the anonymization information 203 whose "type of anonymization information" is "search history". In this processing pattern, the "name" of the "anonymized data item" is pseudonymized by anonymization (pseudonymization), the "original information data item" includes "search keywords and search results", and the "type of respecific processing". "Search keyword analysis" is used as. This record 1502 is a processing pattern in which the "name" of a specific individual is re-specified by using "search keyword analysis" as the "type of re-specification processing".

FIG. 7 is a diagram showing a data structure of the permission processing history storage unit 104 according to the first embodiment.

The permission processing history storage unit 104 is stored in the disk or memory of the information management device 1. The permission processing history storage unit 104 stores the response to the permission processing request from each subject (information management subject 2 and information processing subject 3) and the transmission / reception history of the anonymization information 203 between each subject.

The data items of the permission processing history storage unit 104 are, for example, "permission processing history ID", "permission response date and time", "permission processing ID", "anonymization information address", "provider transmission date and time", and "provider reception date and time". The date and time may be included. The "permission processing history ID" is an identifier for each history. The “permission response date and time” is the date and time when the permission inquiry response unit 1052, which will be described later, of the permission processing pattern management unit 105 has made a permission response. The “permission processing ID” is an identifier of the permission processing pattern corresponding to the response of the permission. The "anonymized information address" is the address from which the anonymized information is obtained as of the same date and time. The "provider transmission date and time" records the date and time when the information management subject 2 transmits the anonymization information 203 in response to the request of the information processing subject 3. The "provided destination reception date and time" records the date and time when the information processing subject 3 receives the anonymization information 203.

For example, the record 1041 defines a permission processing history in which the “permission processing history ID” is “1”. The permission processing history of "1" indicates that the "permission response date and time" is "2018/6/29 3:00: 00" and the corresponding "permission processing ID" is "1". Furthermore, in the permission processing history of "1", the "anonymization information address" is "https://xyz/access.log" and the "provider transmission date and time" is "2018/6/29 3:05:" at the same date and time. It indicates that "00" and "destination received date and time" are "2018/6/29 3:10: 00".

FIG. 8 is a block diagram showing a logical configuration of the permission processing pattern management unit 105 according to the first embodiment.

The permission processing pattern management unit 105 is stored in the disk or memory of the information management device 1. The permission processing pattern management unit 105 manages the use permission range of the anonymization information 203. The permission processing pattern management unit 105 includes a processing pattern registration unit 1051 and a permission inquiry response unit 1052.

The processing pattern registration unit 1051 receives registration of a processing pattern from the information processing subject 3. The processing pattern registration unit 1051 may accept registration of the permission processing pattern from the permission processing pattern registration unit 1073 described later in the anonymization condition generation unit 107. When the information processing subject 3 receives an inquiry for permission to execute a specific processing pattern, the permission inquiry response unit 1052 responds to the information processing subject 3 with or without permission.

FIG. 9 is a diagram showing a data structure of the processing pattern storage unit 106 according to the first embodiment.

The processing pattern storage unit 106 is stored in the disk or memory of the information management device 1. The processing pattern storage unit 106 stores the processing pattern registered from the information processing subject 3.

The data item of the processing pattern storage unit 106 may include, for example, a “processing pattern ID”, a “processing purpose”, a “processing data item”, and a “processing type”. The "processing pattern ID" is an identifier of each processing pattern. “Processing purpose” is the purpose of each processing. The "processed data item" is a data item used by each process. The "process type" is the content of the process such as matching and frequency calculation.

For example, the record 1061 defines a processing pattern in which the “processing pattern ID” is “Y1”. In the processing pattern of "Y1", "security operation" is input / output as "processing purpose", "IP address, personal ID, time, HTTP request, harmful URL list" are input / output as "processing data item", and "processing type". Indicates the process of "matching, frequency calculation".

FIG. 10 is a block diagram showing a logical configuration of the anonymization condition generation unit 107 according to the first embodiment.

The anonymization condition generation unit 107 is stored in the disk or memory of the information management device 1. The anonymization condition generation unit 107 generates anonymization conditions that satisfy at least the legal and regulatory requirements based on the retained information 301, the processing pattern, and the legal and regulatory requirements. The anonymization condition generation unit 107 includes a matching unit 1071, an anonymization method determination unit 1072, and a permission processing pattern registration unit 1073.

The matching unit 1071 inputs the processing pattern of the analysis processing unit 302, the legal and regulatory requirements of the legal and regulatory requirement storage unit 102, the data items of the unprocessable list 103, and the data items of the permission processing history storage unit 104, respectively. Performs collation processing between data items and each requirement. The anonymization method determination unit 1072 inputs each data item found to require anonymization based on the processing result of the matching process in the matching unit 1041 and anonymization condition candidates of legal and regulatory requirements, and each data. Select anonymization conditions for the item. The permission processing pattern registration unit 1073 registers the permission processing pattern consisting of each data item and the processing pattern after the anonymization processing in the permission processing pattern management unit 105.

FIG. 11 is a diagram showing a data structure of the anonymization condition storage unit 108.

The anonymization condition storage unit 108 is stored in the disk or memory of the information management device 1. The anonymization condition storage unit 108 stores the anonymization condition generated by the anonymization condition generation unit 107.

The data item of the anonymization condition storage unit 108 may include, for example, an "anonymization condition ID", an "anonymization data item", an "original information data item", and a "non-matchable data item". The "anonymization condition ID" is an identifier of the anonymization condition corresponding to a certain processing pattern. The "anonymized data item" is pair information of the data item targeted for the anonymization process and the anonymization method. The "original information data item" is a data item that the information processing subject 2 sends to the information processing subject 3 as the original information without anonymization. The “non-matchable data item” is a data item that can reidentify an individual when collated with the anonymized information in the retained information 301.

For example, record 1081 defines an anonymization condition in which the "anonymization condition ID" is "X1". The anonymization conditions for "X1" are "IP address (anonymization method: anonymization), personal ID (anonymization method: anonymization), and HTTP request (anonymization method: anonymization)" for each "anonymization target data item". (Delete search keyword) ”indicates that anonymization is performed by each method. Further, the anonymization condition of "X1" is to generate the anonymization information 203 together with the "time" as the "original information data item", and to keep the non-specific state among the data items of the retained information 301, "match". Indicates that the "impossible data item" is a "personal ID, HTTP request".

FIG. 12 is a diagram showing a data structure of the permission processing pattern storage unit 109 according to the first embodiment.

The permission processing pattern storage unit 109 is stored in the disk or memory of the information management device 1. The permission processing pattern storage unit 109 stores the processing pattern for which processing is permitted.

The data items of the permission processing pattern storage unit 109 are, for example, "permission processing ID", "permission date", "permission deadline", "anonymization information address", "provider entity ID", "provider entity ID", An "anonymization condition ID" and a "processing pattern ID" may be included. The “permission process ID” is an identifier of the permitted process. The "permission date" is the date of permission. The "permit deadline" is the expiry date of the permit. The "anonymization information address" is an address (URL or the like) from which the anonymization information 203 is obtained. The “provider subject ID” is the subject ID that is the provider of the anonymization information 203. The "provider subject ID" is the subject ID to which the anonymization information 203 is provided. The “anonymization condition ID” is an identifier of the anonymization condition of each data item of the anonymization information 203. The “processing pattern ID” is an identifier of a processing pattern that is permitted to be processed in combination with the anonymization information 203.

For example, record 1091 defines a permission processing pattern in which the permission processing ID is “1”. In this permission processing pattern, the "permission date" is "2018/5/31", the "permission deadline" is "2018/12/31", the "provider entity ID" of the anonymization information 203 is "1000", and the destination. The subject ID is "2000", and the "anonymization information address" to be permitted is "https://xyz/access.log". In this permission processing pattern, the anonymization information 203 whose "anonymization condition ID" is anonymized by the anonymization condition of "X1" is used for the anonymization information 203, and the "processing pattern ID" is "Y1". Indicates that the processing pattern of is feasible.

FIG. 13 is a diagram showing a data structure of the anonymization method list 110 according to the first embodiment.

The anonymization method list 110 is stored in the disk or memory of the information management device 1. The anonymization method list 110 accepts registration of anonymization methods (deletion, pseudonymization, generalization, k-anonymization, etc.) of the anonymization process.

The data items in the anonymization method list 110 may include, for example, an "anonymization method ID" and an "anonymization method". The "anonymization method ID" is an identifier of the anonymization method. "Anonymization method" is a type of anonymization method.

For example, record 1101 indicates that the "anonymization method ID" is "1" and the "anonymization method" is "deletion".

FIG. 14 is a diagram showing a data structure of anonymization information 203 according to the first embodiment.

The anonymization information 203 is stored in the disk or memory of each of the information management subject 2 and the information processing subject 3. The anonymization information 203 is information obtained by anonymizing the original information 201.

The data items of the anonymization information 203 may include, for example, an "anonymization IP address", an "anonymization personal ID", a "time" and an "anonymization HTTP request". The "anonymized IP address" is an IP address in which the "IP address" column of the original information 201 is anonymized.
The "anonymized personal ID" is an identifier in which the "personal ID" column of the original information 201 is anonymized, and the "time" is the same time as the "time" of the original information 201. The "anonymized HTTP request" is a request in which the "HTTP request" column of the original information 201 is anonymized.

For example, in the record 2031, the record 2012 of the original information 201 is anonymized by the anonymization condition of the anonymization condition ID “X1” described above. Record 2031 indicates that the "anonymized IP address" is "yyy.yyy.yyy", the "anonymized personal ID" is "9efeau", and the "time" is "2018/6/9 10:01:30". show. Further, record 2031 indicates that the corresponding HTTP request is the above-mentioned "HTTP request (search keyword deletion)" anonymization condition. Therefore, the record 2012 is information in which the keyword "Tokyo-Osaka Shinkansen" included in the "HTTP request" is deleted and anonymized as the anonymized HTTP request "GET / solr / select? / Q =".

FIG. 15 is a diagram showing a data structure of the retained information 301 according to the first embodiment.

The retained information 301 is stored in the disk or memory of the information processing subject 3. The retained information 301 is information used in the analysis process of the anonymization information 203.

The retained information 301 is composed of data having a table structure called "Web packet limit release list 3010". The data items in the Web packet limit release list 3010 may include, for example, a "personal ID" and an "HTTP request". The "personal ID" is an identifier of an individual. The "HTTP request" is an HTTP request to a website that an individual indicated by the "personal ID" needs to access without limitation on the amount of Web packets. The Web packet limit release list 3010 is the original information 201 that is not anonymized for the purpose of releasing the packet limit of Web access for the "HTTP request" that can identify the individual having the "personal ID". There is up to.

FIG. 16 is a sequence diagram showing a processing pattern registration process according to the first embodiment.

First, the information management subject 2 inputs the subject information (subject name, type of subject, location country / region, organization name, etc.) of the information management subject 2 and the information processing subject 3 to the subject information storage unit 101 of the information management device 1. Register in (S101).

Next, the information management device 1 notifies the information processing subject 3 that the subject information has been registered by the information management subject 2 (S102).

The information processing subject 3 registers a processing pattern (processing purpose, processing data item, processing type, etc.) in the processing pattern storage unit 106 of the information management device 1 (S103).

Next, the information management device 1 generates an anonymization condition based on the subject information registered in S101 and the processing pattern registered in S103 by the anonymization condition generation unit 107, and notifies the information management subject 2. (S104). It should be noted that FIGS. 18 and 19 detail the flow of processing of the anonymization condition generation unit 107 in S104.

Next, the information management subject 2 generates anonymization information 203 from the original information 201 based on the anonymization condition notified in S104 (S105).

Next, the information management entity 2 registers the anonymization information 203 in a WEB server or the like accessible to the information processing entity 3, and transmits the acquisition destination address (URL or the like) of the registered anonymization information 203 to the information management device 1. (S106).

Finally, the permission processing pattern registration unit 1051 of the information management device 1 has a permission processing ID, a permission date, a permission deadline, an anonymization information address, a provider subject ID, a provider subject ID, an anonymization condition ID, and a processing pattern ID. Generate a record of permission processing pattern consisting of etc. The permission processing pattern registration unit 1051 registers the generated record of the permission processing pattern in the permission processing pattern storage unit 109, and notifies the information processing entity 3 that the processing pattern and the anonymization information have been registered (S107).

FIG. 17 is a sequence diagram showing a processing pattern permission process according to the first embodiment.

First, the information processing subject 3 transmits an inquiry request for processing pattern permission including information on the processing pattern to the information management device 1 (S201).

Next, the information management device 1 confirms whether or not the processing pattern included in the inquiry request is stored in the permission processing pattern storage unit 109 by the permission inquiry response unit 1052. When the processing pattern included in the inquiry request is stored in the permission processing pattern storage unit 109, the information management device 1 responds to the information processing subject 3 with the permission of processing and the acquisition address of the corresponding anonymization information 203. When the processing pattern included in the inquiry request is not stored in the permission processing pattern storage unit 109, the information management device 1 responds to the information processing subject 3 with a processing disapproval and a processing pattern registration instruction (S202).

When the information processing entity 3 receives the response from S202 and has permission for processing, the information processing entity 3 sends the anonymization information to the source address of the anonymization information (eg, the URL of the anonymization information on the WEB server of the information management entity 2). Request acquisition. On the other hand, if the processing is not permitted, the information processing subject 3 executes S103 of the processing pattern registration process of FIG. 16, receives the registration completion notification of S107, and then returns to S201 (S203).

When the information management entity 2 receives a request for acquisition of anonymization information from the information processing entity 3, the information management entity 2 transmits the anonymization information 203 to the information processing entity 3 (S204).

Next, the information management entity 2 registers the date and time when the anonymization information 203 is transmitted to the information processing entity 3 in the "provider transmission date and time" column of the permission processing history storage unit 104 of the information management device 1 (S205).

When the reception of the anonymized information 203 from the information processing subject 2 is completed, the information management entity 3 registers the reception date and time in the "provider reception date and time" column of the permission processing history storage unit 104 of the information management device 1. (S206).

Finally, the information management subject 3 executes the analysis process according to the process pattern for which permission has been obtained (S207).

FIG. 18 is a flowchart showing the anonymization condition generation process according to the first embodiment.

First, the anonymization condition generation unit 107 acquires information on the processing pattern to be anonymized from the processing pattern storage unit 106. Specifically, the anonymization condition generation unit 107 is responsible for the data items of the information management subject 2, the already-retained information 301 already held by the information processing entity 3, and the analysis processing result 303, and the analysis processing of the analysis processing unit 303. Acquire the type (search, matching, frequency calculation, etc.) (S301).

Next, the matching unit 1071 selects each data item acquired in S301 and a data item defined as personal information in the country where the information management entity 2 and the information processing entity 3 are located from the legal and regulatory requirement storage unit 102. By collating, a data item that is personal information is specified, and it is designated as an anonymization target data item group G (S302).

Next, the matching unit 1071 has each data item and processing acquired in S301 based on the process impossible list 103 that holds the processing pattern with high respecification extracted from the case where the personal information is respecified from the anonymization information 203. Check if there is a processing pattern that includes the type of. When there is a processing pattern, the matching unit 1071 adds a data item that is an element of the processing pattern to the anonymization target data item group G (S303).

Next, the anonymization method determination unit 1072 has been acquired from the permission processing history storage unit 104, the permission processing pattern storage unit 109, and the anonymization condition storage unit 108 from the information processing subject 2 of the retained information 301 in the past. Get the data item. The anonymization method determination unit 1072 collates the history with the data item of the newly registered processing pattern, determines whether or not a specific individual can be re-identified, and if it can be re-identified, it causes re-specification. Let the data item be a non-matchable data item F (S304). The detailed processing contents of this permission processing history check processing will be described in detail with reference to FIG.

Next, the anonymization method determination unit 1072 anonymizes the anonymization method (deletion, pseudonymization, generalization, k-anonymization, etc.) to be executed for each data item of the anonymization target data item group G. Obtained from the method list 110, the pair information of each data item and the anonymization method is generated. Then, it is registered in the anonymization condition storage unit 108 together with the anonymization condition ID, the original information data item to be acquired as the original information, and the non-matchable data item F (S305).

Finally, the permission processing pattern registration unit 1073 generates a permission processing ID, and stores the permission date, permission deadline, provider subject ID, provider subject ID, anonymization condition ID, and processing pattern ID in the permission processing pattern storage unit 109. Is registered in, and the process is terminated (S306).

FIG. 19 is a flowchart showing a permission processing history check process according to the first embodiment.

First, the anonymization method determination unit 1072 counts the number of records in the permission processing history storage unit 104, proceeds to S402 if the number of records is larger than 0 (YES), and if the number of records is 0 (NO), the present The process ends (S401).

Next, in S402, the anonymization method determination unit 1072 acquires the value of the "permission processing ID" column from the permission processing history storage unit 104 (S402).

Next, the anonymization method determination unit 1072 searches the permission processing pattern storage unit 109 based on the permission processing ID acquired in S402, and acquires the anonymization condition ID from the records matching the permission processing ID (S403). ..

Next, the anonymization method determination unit 1072 searches the anonymization condition storage unit 108 based on the acquired anonymization condition ID, and data from the "original information data item" column of the record having the matching anonymization condition ID. Items are extracted and added to the retained data item group D (S404).

Next, the anonymization method determination unit 1072 extracts the data items acquired from the information management subject 2 from the processing pattern acquired in S301, and adds them to the newly acquired data item group DN (S405).

Next, the anonymization method determination unit 1072 counts the number of data items common to the retained data item group D acquired in S404 and S405 and the newly acquired data item group DN. The anonymization method determination unit 1072 proceeds to S407 when the count is 0 or more (YES), and ends this process when the count is 0 (NO) (S406).

Next, in S407, the anonymization method determination unit 1072 is a data item of personal information included in a table in the retained information 301 including a data item common to the retained data item group D and the newly acquired data item group DN. Count the number. The anonymization method determination unit 1072 proceeds to S408 when the count is 0 or more (YES), and ends this process when the count is 0 (NO) (S407).

Next, the anonymization method determination unit 1072 cannot collate the data item group consisting of the data items common to the retained data item group D and the newly acquired data item group DN and the data items of the personal information counted in S407. It is output as a data item group F, and the process is terminated (S408).

For example, in S304, it is assumed that the information processing subject 3 already holds the Web packet limit release list 3010 (see FIG. 15) as the retained information 301. The information processing subject 3 may have a pair of a personal ID that has not been anonymized for the application for release control of the Web packet limit and a data item of the HTTP request. In this case, when the anonymized information 203 of the access log including the anonymized personal ID and the HTTP request with the original information 201 is received and compared with the already held non-anonymized personal ID and the HTTP request, , The anonymized personal ID is reidentified. Therefore, in order to prevent such re-specification, the non-anonymized personal ID and the data item of the HTTP request can be extracted as the non-matchable data item F by the permission processing history check process.

The information management system 10 of the first embodiment has been described above with reference to FIGS. 1 to 19.

(1-2) Effect of the first embodiment

As described above, the information management entity 2 such as a company or an organization uses the anonymized information 203 as information processing of an information processing center or the like for the purpose of analysis processing such as security operation or marketing analysis, based on legal and regulatory requirements. Refer to the information processing entity 3 responsible for processing. In this case, since the use permission range of the anonymization information 203 is managed after anonymization under the anonymization condition satisfying the legality requirement, the non-specific state of the anonymization information 203 can be maintained. Therefore, it is possible to avoid a situation in which the anonymized data is matched with another data or an unexpected analysis process is performed to identify an individual.

Further, the information management system 10 includes a non-processable list 103 that stores a processing pattern having a high risk of re-specification based on a case of re-specification of personal information among the processing patterns. As a result, in the unprocessable list check process S303, the unprocessable list 103 is referred to, and the anonymization of the data item of the processing pattern having a respecific case is included in the anonymization condition. The risk can be reduced.

Further, the information management system 10 holds the past permission processing pattern for the information processing entity 3 and the history of the anonymization information 203 in the permission processing history storage unit 104. Moreover, the information management system 10 anonymizes the data item that identifies the individual by collating the information processing entity 3 with the portion of the original information of the anonymization information that has been obtained in the past in the permission processing history check processing S304. Information processing is included in the anonymization conditions. This makes it possible to prevent re-identification of an individual by matching with the past retained information 301.

Further, in the information management system 10, when the anonymization information 203 is transmitted to the permission processing history storage unit 104 (S204), the information management entity 2 on the transmitting side registers the transmission history (S205), and the information on the receiving side is received. The processing subject 3 registers the reception history (S206). As a result, the transfer history of information between organizations can be stored in detail, and the transfer history and transfer range of information can be easily grasped at the time of audit or deletion.

(2) Second Example (2-1) Configuration of Information Processing System According to Second Example

FIG. 20 is a block diagram showing a software configuration of the information management system 20 according to the second embodiment. The hardware configuration of the information management system 20 is the same as that shown in FIG. Hereinafter, the same elements as those in the first embodiment will be omitted.

In the information management system 20 in the second embodiment, the information management entity 12 assumes an information bank that manages the deposited personal information 1201 deposited by an individual. The information processing subject 13 assumes a personal information utilization organization that analyzes and utilizes the anonymized information 1203 that the information bank 12 has anonymized. The information management system 20 anonymizes the anonymization conditions that satisfy the legal requirements for personal information of the countries, regions, organizations, etc. where each entity 12 and 13 are located, based on the processing pattern of the information processing entity 13 and the retained information 301. It is generated by the condition generation unit 107. The information management system 20 transmits the generated anonymization condition to the information management entity 12, and manages the usage permission range of the anonymization information 1203 by the permission processing pattern management unit 105. Then, the information management system 20 responds to the inquiry of the processing permission of the information processing subject 13 only in the case of the processing pattern registered in the permission processing pattern management unit 105. As a result, the information management system 20 provides a function of maintaining the non-specific state of the anonymized information 1203 in the personal information utilization organization.

Hereinafter, the deposited personal information 1201, the anonymization condition description unit 1108, and the anonymization information 1203, which are different from those in the first embodiment, will be described in the second embodiment with reference to the drawings.

FIG. 21 is a diagram showing a data structure of the deposited personal information 1721 according to the second embodiment.

The deposited personal information 1201 is stored in the disk or memory of the information management subject 2. The deposited personal information 1201 is personal information deposited by an individual with a personal information depositing business such as an information bank. The data items of the deposited personal information 1201 may include, for example, "personal ID", "name", "date of birth", "address", "hobby", "physical condition" and "family structure". The "personal ID" is an identifier of an individual. "Name" is the name of an individual. "Date of birth" is the date of birth of an individual. An "address" is an individual's address. A "hobby" is an individual hobby. "Physical condition" is an individual's physical condition. "Family composition" is an individual family composition.

For example, in record 12011, the "personal ID" is "1111", the "name" is "Ichiro Yamada", the "date of birth" is "1973/1/1", the hobby is "reading", and the current "physical condition". "Headache" indicates that the "family structure" is a family of four, "wife, eldest son, and second son."

FIG. 22 is a diagram showing a data structure of the anonymization condition storage unit 1108 according to the second embodiment.

The data item (column) configuration of the anonymization condition storage unit 1108 is the same as that of the anonymization condition storage unit 108 of FIG.

For example, record 11081 defines an anonymization condition in which the "anonymization condition ID" is "Z1". Record 11081 contains "personal ID (anonymization method: deletion), name (anonymization method: deletion), date of birth (anonymization method: generalization: year of birth)" for each "anonymization data item" to be anonymized. , Address (anonymization method: generalization: prefecture) indicates anonymization. And record 11081 is the data item of the deposited personal information 1201 "hobby" "physical condition" "family structure". In addition, the conditions for generating the anonymization information 1203 are shown.

FIG. 23 is a diagram showing the data structure of the anonymized information 1203 according to the second embodiment.

The anonymized information 1203 is an anonymized "date of birth" column in which the "date of birth" column is anonymized after deleting the "personal ID" column and the "name" column of the deposited personal information 1201 from the deposited personal information 1201. And include an "anonymized address" column, which is an anonymized "address" column. That is, other than that, the anonymized information 1203 includes the same "hobby" column, "physical condition" column, and "family structure" column as the deposited personal information 1721.

For example, in the record 12031, the record 12011 of the deposited personal information 1201 is anonymized by the anonymization condition of the above-mentioned "anonymization condition ID" and "Z1". Record 12011 includes "1973 (generalization: youth)" for "anonymization date of birth" and "Tokyo (generalization: prefecture)" for "anonymization address". Record 12031 shows that the non-anonymized information "hobby" is "reading", "physical condition" is "headache", and "family structure" is "wife, eldest son, second son".

In the above, the information management system 20 of the second embodiment has been described with reference to FIGS. 20 to 23, focusing on the difference from the information management system 10 of the first embodiment.

(2-2) Effect of the second embodiment

As described above, in the information management system 20 of the second embodiment, the information management entity 12 such as an information bank is responsible for managing and operating the deposited personal information 1201 deposited by an individual based on laws and regulations. be. In the information management system 20, when the anonymized information 1203 is referred to the information processing entity 13 such as a personal information utilization organization used for the purpose of analysis processing such as marketing analysis, it is anonymous under the anonymization condition that satisfies the requirements of legality. After making it, manage the scope of permission to use the anonymized information. As a result, the non-specific state is maintained, the anonymized information is re-identified by matching with other data and unexpected analysis processing, and information banks and personal information users violate laws and regulations. It is possible to avoid a situation where the business is adversely affected.

As described above, as described in (1-1) to (2-2), companies and organizations that handle personal information satisfy the requirements for legality based on the information and processing patterns that match anonymized information at the time of use. After anonymizing with the anonymization condition, the scope of permission to use the anonymized information is managed. As a result, it is possible to maintain the non-specific state of personal information, and avoid the situation where the anonymized data is identified as an individual by collating with other data or performing unexpected analysis processing. be able to.

It should be noted that the present invention is not limited to the above-mentioned examples, but includes various modifications and equivalent configurations within the scope of the attached claims. For example, the above-described examples have been described in detail in order to explain the present invention in an easy-to-understand manner, and the present invention is not necessarily limited to those having all the described configurations. Further, a part of the configuration of one embodiment may be replaced with the configuration of another embodiment. Further, the configuration of another embodiment may be added to the configuration of one embodiment. In addition, other configurations may be added / deleted / replaced with respect to a part of the configurations of each embodiment.

Further, each configuration, function, processing unit, etc. described above may be realized by hardware by designing a part or all of them by, for example, an integrated circuit, and a program in which a processor realizes each function may be realized. It may be realized by software by interpreting and executing it.

Information such as programs, tables, and files that realize each function can be stored in a memory, a hard disk, a storage device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

Further, the control lines and information lines indicate what is considered necessary for explanation, and do not necessarily indicate all the control lines and information lines necessary for mounting. In practice, it can be considered that almost all configurations are interconnected.

Further, in the present invention, in addition to personal information, when sensitive information such as business confidentiality, which is highly sensitive and whose disclosure to the outside is restricted by internal rules, is non-specified and the processing service of an external organization is used. The same effect can be obtained.

The present invention maintains an unspecified state by anonymizing personal information and business confidential information in accordance with legal and regulatory requirements and internal rules in a plurality of organizations that handle personal information such as customer information and medical information, and sensitive information such as business confidentiality. It can be widely applied to information processing systems that provide functions.

1 ... Information management device, 2 ... Information management entity, 12 ... Information management entity, 10 ... Information management system, 20 ... Information management system, 102 ... Legal and regulatory requirement storage unit, 103 ... Unprocessable list, 104 ... Permission processing history storage Unit, 1051 ... Processing pattern registration unit, 107 ... Anonymous condition generation unit, 109 ... Allowed processing pattern storage unit, 201 ... Original information, 202 ... Anonymization unit, 302 ... Analysis processing unit, 1201 ... Deposited personal information

Claims (6)

It is an information management system that can execute anonymization processing that anonymizes sensitive information among management information.
A legal and regulatory requirement storage unit that stores legal and regulatory requirements including attributes of sensitive information subject to the anonymization process,
The processing pattern registration unit that accepts the registration of the processing pattern of the anonymization processing,
An anonymization condition generation unit that generates anonymization conditions for the anonymization process based on the legal and regulatory requirements and the processing pattern.
Anonymization unit that generates anonymization information from the management information based on the anonymization condition ,
Among the processing patterns, the permission processing pattern in which the execution of the anonymization process is permitted, the anonymization condition, and the permission information storage unit for storing the anonymization information.
Information management system with. It further has an analysis processing unit that executes a restoration process that restores the anonymized information based on the process pattern.
The analysis processing unit executes the restoration process when the permission processing pattern corresponding to the restoration process to be executed is stored in the permission information storage unit.
The information management system according to claim 1 . Further, it has a non-processable list storage unit for storing a non-processable pattern having a high risk of re-specification of the sensitive information among the above-mentioned processing patterns.
The anonymization condition generation unit generates the anonymization condition based on the legal and regulatory requirements, the processing pattern, and the non-processing pattern.
The information management system according to claim 2 . It also has a permission processing history storage unit that stores the transfer history of the anonymized information.
The transfer history includes data items for which the anonymization process has not been executed and data items to be respecified.
The anonymization condition generation unit generates the anonymization condition based on the legal and regulatory requirements , the processing pattern, and the transfer history.
The information management system according to claim 2 . The permission processing history storage unit further stores the reception history of the anonymization information.
When the analysis processing unit receives the anonymization information of the anonymization process to be executed, the analysis processing unit stores the reception history of the anonymization information of the anonymization process to be executed in the permission processing history storage unit.
The information management system according to claim 4 . It is an information management method that allows the information management system to execute anonymization processing that anonymizes sensitive information among the management information.
Memorize the legal and regulatory requirements including the attributes of sensitive information subject to the anonymization process.
Accepting the registration of the processing pattern of the anonymization process,
Anonymization conditions for the anonymization process are generated based on the legal and regulatory requirements and the process pattern.
Anonymization information is generated from the management information based on the anonymization condition,
Among the processing patterns, the permission processing pattern in which the execution of the anonymization processing is permitted, the anonymization condition, and the anonymization information are stored.
An information management method for executing the restoration process when a permission processing pattern corresponding to the restoration process for restoring the anonymization information based on the processing pattern is stored.

Images