JP7099231B2 - Information processing programs, information management programs, devices, and methods - Google Patents

Description

Disclosure techniques relate to information processing programs, information processing devices, information processing methods, information management programs, information management devices, and information management methods.

Conventionally, a service provider provides a service to a user by using personal information provided by the user. In such services, when collecting personal information, anonymizing it, and utilizing it, collect personal information and identify a specific individual in accordance with the personal information license and privacy policy presented to the user in advance. Process personal information so that it cannot be done. When personal information is utilized, it is utilized in a form in which the personal information cannot be restored.

As a technology for handling personal information, we have proposed a distributed data system that ensures privacy by anonymizing personal information and enables effective use of personal information by associating the personal information of the same person stored in multiple database systems. Has been done. This system confirms the search conditions included in the received personal information transmission request, outputs the post-confirmation search conditions that do not include the conditions that can identify the individual, and based on the post-confirmation search conditions, the individual is sent from the personal information storage unit. Extract information. In addition, this system generates a data ID using the extracted personal information and assigns it to the extracted personal information. Then, this system determines whether or not the individual can be identified from the personal information to which the data ID is assigned, and when it is determined that the individual cannot be identified, the data ID is assigned and the anonymized personal information is transmitted.

In addition, a client system that makes it possible to protect the privacy of personal information and provide customized services for each individual has been proposed. The client in this system stores the personal information of the user of the own system, and when receiving the desired service from the desired server, the client does not send all the personal information to the server, but a part or a process thereof is abstracted. Present the converted user-dependent data. At that time, the client generates user-dependent data from the personal information of the user based on the server-dependent data of the server that is the request destination. Based on this user-dependent data, the server selects the information to be provided to the client from the provided information owned by the server.

Further, a document anonymization device has been proposed in which the concealment of personal information is mechanized to reduce the work cost and the degree of concealment can be adjusted as needed. This device extracts the anonymous target notation from the input document, calculates the specificity to evaluate how strong the extracted anonymous target notation can identify an individual, and inputs with a specificity larger than a predetermined threshold. Anonymize the notation in the document. In addition, this device extracts a person's name and peripheral notation from an input document, and calculates the degree of specificity for evaluating how strong the extracted personal name and peripheral notation can identify an individual. In addition, this device anonymizes a person's name and peripheral notation having a specificity larger than a predetermined threshold value by hiding, generalizing, lowering the specificity, encryption, or the like.

Japanese Unexamined Patent Publication No. 2004-318391 Japanese Patent Application Laid-Open No. 2003-16098 Japanese Unexamined Patent Publication No. 2002-269081

When personal information provided by a user is anonymized and utilized, the lower the anonymity, the higher the economic value of the information, and the easier it is for the user to benefit. However, in the above-mentioned conventional technique, uniform anonymization processing is performed so that an individual cannot be identified. Therefore, the user cannot finely control the personal information provided by the user, and the user cannot intuitively grasp how much the personal information provided is anonymized.

As one aspect, the disclosure technique aims to allow the user to intuitively understand how anonymized the personal information provided by the user is when it is utilized.

As one aspect, the disclosed technique accepts the user's identification information and the user's personal information, and displays a screen that accepts the degree of anonymization of the accepted personal information. Then, a process of anonymizing the personal information according to the degree of acceptance on the screen, and a process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request to the information management device that manages the personal information.

One aspect is that when the personal information provided by the user is utilized, the user can intuitively understand how much the personal information is anonymized.

It is a block diagram which shows the schematic structure of the information bank system which concerns on this embodiment. It is a functional block diagram of a user terminal. It is a figure which shows an example of an input screen. It is a figure which shows an example of a home screen. It is a figure which shows an example of the anonymization degree designation screen. It is a figure which shows an example of the anonymization degree designation screen. It is a functional block diagram of an information management device. It is a figure which shows an example of a personal information database (DB). It is a figure which shows an example of the use service DB. It is a figure which shows an example of a selection service DB. It is a block diagram which shows the schematic structure of the computer which functions as a user terminal. It is a block diagram which shows the schematic structure of the computer which functions as an information management apparatus. It is a flowchart which shows an example of the user terminal information processing. It is a flowchart which shows an example of anonymization degree designation processing. It is a flowchart which shows an example of the personal information reception process. It is a flowchart which shows an example of a transmission process. It is a flowchart which shows an example of information management processing. It is a flowchart which shows an example of a processing process. It is a figure which shows another example of the anonymization degree specification screen. It is a figure which shows another example of the anonymization degree specification screen.

Hereinafter, an example of the embodiment according to the disclosed technique will be described with reference to the drawings.

In this embodiment, an information banking system including an information processing device and an information management device according to the disclosed technique will be described.

With an information bank, personal information including information such as behavior history and purchase history is deposited by the user, matching between the service provider and the user, provision of personal information to the service provider after anonymization, and deposit. A system or business that centrally manages personal information. The benefits of providing and utilizing personal information are returned directly or indirectly to the user who provided the personal information from the service provider who received the personal information from the information bank.

As shown in FIG. 1, the information bank system 100 according to the present embodiment includes a plurality of user terminals 10 and an information management device 20. Each of the user terminals 10 and the information management device 20 are connected via a network such as the Internet. Further, the information management device 20 is also connected to each of the plurality of data holder servers 40 and the plurality of service provider servers 45 via the network. The user terminal 10 is an example of an information processing device according to the disclosed technique.

The data holder server 40 is a server that holds information that is a resource of personal information entrusted to the information bank system 100 by the user. The data holder server 40 is, for example, a server such as a bank system that holds data such as a user's deposit / savings amount and deposit / withdrawal history, and an administrative system that holds data such as a user's resident card. Further, the data holder server 40 is an SNS (Social Networking) that holds images and text data posted by the user or a person related to the user, and information posted by others such as images and text data that the user is interested in. It may be a server of Service).

The service provider server 45 is a server of a service provider that provides a service to a user by using personal information provided by the user. The service provider server 45 receives personal information provided by the user in the information bank system 100, performs processing using the personal information for the service provided to the user, and provides the service to the user.

The user terminal 10 is an information processing terminal used by a user who uses the service of the information bank system 100, and is realized by, for example, a personal computer, a smartphone, a tablet terminal, or the like. In the user terminal 10, an application for using the service of the information bank system 100 is provided via a web browser mounted on the user terminal 10 or installed on the user terminal 10.

Further, the user terminal 10 includes a display unit such as a display for displaying information and an operation unit such as a touch panel for inputting information. The display unit and the operation unit may be combined to form a touch panel display. Further, the user terminal 10 has a function of communicating with the information management device 20 and peripheral devices of the user terminal 10 and exchanging data. Peripheral devices include, for example, wearable devices that are attached to the user and detect biometric information such as the user's pulse and blood pressure, and HEMS (Home Energy Management System) that detects the amount of energy used at home. For communication with peripheral devices, wireless communication such as Bluetooth (registered trademark) can be used. Further, the user terminal 10 may be provided with a camera, a microphone, a GPS (Global Positioning System) and the like.

As shown in FIG. 2, the user terminal 10 functionally includes a personal information reception unit 12, an anonymization degree reception unit 14, a selection unit 16, and a request unit 18. The personal information reception unit 12 is an example of a reception unit of the disclosure technology, and the anonymization degree reception unit 14 is an example of a display control unit of the disclosure technology.

The personal information receiving unit 12 receives personal information input from the user. Specifically, the personal information receiving unit 12 displays an input screen for accepting input of personal information on the display unit provided in the user terminal 10, and receives personal information input to the input screen.

FIG. 3 shows an example of the input screen 101. In the example of FIG. 3, the input screen 101 includes an input box 102 such as a text box and a select box for receiving the content of the personal information for each item of the personal information. The items of personal information received on the input screen 101 include basic information such as name, date of birth, address, and gender, family information about the user's family, information about the user's preference, and the like. Further, depending on the item of personal information, personal information may be accepted by the user's selection for the presented option by using a radio button or a check box.

Further, the personal information received on the input screen 101 includes information such as a user's identification information and a password for accessing each of the data holder servers 40. Such information may be accepted as image information taken by a camera such as a driver's license or my number card.

In addition, the personal information receiving unit 12 communicates with the peripheral device and accepts the data detected by the peripheral device as personal information. Further, the personal information reception unit 12 obtains personal information such as action history and purchase history from log data of other applications such as shopping sites and transportation IC cards and GPS positioning results recorded by the user terminal 10. accept.

The personal information reception unit 12 delivers the received personal information to the request unit 18.

The degree of anonymization reception unit 14 receives the degree of anonymization indicating the degree of anonymization of personal information for each personal information deposited in the information bank system 100. Specifically, the anonymization degree receiving unit 14 displays an anonymization degree designation screen for accepting the anonymization degree on the display unit provided in the user terminal 10, and follows the user's operation on the anonymization degree designation screen. , Accepts the degree of anonymization for each personal information.

More specifically, the anonymization degree reception unit 14 displays the home screen of the application on the display unit when the application for using the service of the information bank system 100 is started on the user terminal 10. FIG. 4 shows an example of the home screen 110. In the example of FIG. 4, the home screen 110 includes an icon image 112 such as a photograph or an illustration of a user, an indicator 114 indicating an input rate of personal information, and a user name display 116. The input rate of personal information is the number of input items with respect to the total number of items of personal information input by the input screen 101.

Further, the home screen 110 shown in FIG. 4 includes a mark 118 indicating a data holder server 40 that can be linked. In the example of FIG. 4, the mark 118 indicating the linked data holder server 40 is represented by the active display (white), and the mark 118 indicating the unlinked data holder server 40 is represented by the inactive display (shaded). Whether or not the linkage has been completed is determined by, for example, whether or not the information for accessing the corresponding data holder server 40 is input on the input screen 101 and the authentication has been completed via the information management device 20. Can be done.

Further, the home screen 110 shown in FIG. 4 includes a category button 120 which is a button selected when transitioning to the anonymization degree designation screen and is prepared for each category of personal information. The category of personal information is, for example, the above-mentioned basic information, family information, information on preference, and the like. In the example of FIG. 4, the category button 120 displays a category name of each category, and a numerical value and an indicator indicating an input rate of personal information included in the category.

Further, the home screen 110 shown in FIG. 4 includes a service button 122 whose display is controlled by the selection unit 16, but details of the service button 122 will be described later.

When any of the category buttons 120 is selected on the home screen 110, the anonymization degree reception unit 14 shifts the screen displayed on the display unit to the anonymization degree designation screen. FIG. 5 shows an example of the anonymization degree designation screen 130. In the example of FIG. 5, for each item included in the personal information category corresponding to the selected category button 120, the content display 132 indicating the content of the personal information and the slide bar 134 for specifying the degree of anonymization are provided. included.

In the slide bar 134, the first end is associated with the minimum degree of anonymity, the second end is associated with the maximum degree of anonymization, and the first end and the second end are associated with each other. Each position in between is associated with a degree of anonymization that gradually increases from the first end to the second end. In the present embodiment, the degree of anonymization is represented by 0 to 100, and the degree of anonymization 0 indicates that the content has not been anonymized.

Specifically, the anonymization degree reception unit 14 acquires the personal information registered for the corresponding user from the information management device 20. The anonymization degree reception unit 14 acquires the content of the anonymized personal information and the anonymization degree specified for the personal information for the personal information that has been anonymized. When the personal information has not been anonymized, the anonymization degree reception unit 14 displays the personal information that has not been anonymized as the content display 132, as shown in FIG. do. Further, the anonymization degree reception unit 14 arranges the knob of the slide bar 134 at a position (here, 0) indicating that the anonymization degree is the lowest. On the other hand, for the personal information for which the anonymization degree is specified, the anonymization degree reception unit 14 displays the anonymized personal information as the content display 132, and the knob of the slide bar 134 is set to the specified anonymization degree. Place in the position indicated by.

Further, the anonymization degree receiving unit 14 changes the content display 132 to an anonymized display according to the anonymization degree designated by the user operating the slide bar 134. Specifically, when the anonymization degree reception unit 14 detects that the position of the knob of the slide bar 134 has been changed, the anonymization degree reception unit 14 provides information for specifying the anonymization degree and personal information items indicated by the changed position. Hand over to the requesting department 18. The information for specifying the item of the personal information is, for example, the identification number or the item name of the item, and the case where the item name is used will be described in this embodiment.

The anonymization degree reception unit 14 acquires personal information anonymized according to the anonymization degree from the information management device 20 via the request unit 18, and changes the content display 132. On the anonymization degree designation screen 130 shown in FIG. 6, the slide bar 134 corresponding to the personal information of the item "age" is operated to specify the anonymity degree, and the content display 132 is changed from "26 years old" to "20s". A modified example is shown (dashed line P). Similarly, the slide bar 134 corresponding to the personal information of the item "address" is operated to specify the degree of anonymization, and the content display 132 is changed from "1-2-3, Setagaya-ku, Tokyo" to "23-ku, Tokyo". An example is shown (dashed line part Q).

The selection unit 16 accepts selection of a service to be used by the user from among a plurality of services provided to the user by using personal information.

Here, the home screen 110 shown in FIG. 4 includes a service button 122 for selecting a service that the user wants to use. The service button 122 is prepared for each service available in the information bank system 100, and in the example of FIG. 4, the service name is displayed on each button.

When any service button 122 is selected by the user on the home screen 110 shown in FIG. 4, the selection unit 16 changes the selected service button 122 to a display mode in which it can be identified that the service button 122 has been selected. In the example of FIG. 4, a check mark is displayed on the service button 122 of the corresponding service. Further, the selection unit 16 passes information for identifying the service indicated by the selected service button 122 to the request unit 18. The information for specifying the service is, for example, a service identification number or a service name, and the case where the service name is used will be described in the present embodiment.

Further, on the home screen 110, the selection unit 16 can identify a service that can be provided by using the personal information deposited in the information bank system 100 among a plurality of services provided to the user by using the personal information. Display on. Specifically, the selection unit 16 acquires information that can or cannot be provided for each service from the information management device 20 when the home screen 110 is displayed, and displays the service button 122 depending on whether it can be provided or not. Different aspects. In the example of FIG. 4, the service button 122 corresponding to the service that can be provided is represented by the active display (white), and the service button 122 corresponding to the service that cannot be provided is represented by the inactive display (shaded).

When the personal information is delivered from the personal information receiving section 12, the requesting unit 18 receives the passed personal information and the user's identification information for using the service of the information bank system 100 (hereinafter referred to as "user ID"). ), And the information is transmitted to the information management device 20. It is assumed that the user ID entered by the user at the time of logging in to the application has been acquired in advance. The requesting unit 18 requests the information management device 20 to transmit the personal information and to store the personal information in the personal information database (DB) (details will be described later) of the information management device 20.

Further, when the request unit 18 receives the anonymization degree designated by the slide bar 134 and the item name of the personal information from the anonymization degree reception unit 14, the corresponding personal information is delivered according to the designated anonymization degree. The information management device 20 is requested to perform the process of anonymizing. The request unit 18 acquires the anonymized personal information from the information management device 20 and hands it over to the anonymization degree reception unit 14.

Further, when the service name of the service selected from the selection unit 16 is delivered, the request unit 18 transmits the service selection information in which the user ID is associated with the service name to the information management device 20, and the information management device 20 of the information management device 20 sends the service selection information. Request the process to update the selection service DB (details will be described later).

Functionally, as shown in FIG. 7, the information management device 20 includes a transmission unit 22, an acquisition unit 24, a processing unit 26, and an update unit 28. Further, the personal information DB 32, the usage service DB 34, and the selection service DB 36 are stored in the predetermined storage area 30 of the information management device 20. The processing unit 26 is an example of an anonymization unit and a memory control unit of the disclosed technique.

When the home screen 110 is displayed on the user terminal 10, the transmission unit 22 acquires the personal information associated with the user ID of the corresponding user from the personal information DB 32 and transmits the personal information to the user terminal 10.

FIG. 8 shows an example of the personal information DB 32. In the example of FIG. 8, the "category" of personal information, the "item" indicating the item name of personal information, the "input data", the "degree of anonymization", and the "processed data" are stored in association with each user ID. Has been done. "Input data" is data of personal information that has not been anonymized, and "processed data" is anonymization of personal information stored in "input data" in "degree of anonymization". The data is anonymized according to the degree.

Further, the transmission unit 22 transmits information to the user terminal 10 whether or not the service can be provided to the corresponding user for each service. Specifically, the transmission unit 22 can determine whether or not the service can be provided depending on whether or not all the personal information necessary for using each service is deposited in the information bank system 100.

More specifically, the transmission unit 22 refers to the service DB 34 used to specify the personal information required for each service. FIG. 9 shows an example of the service DB 34 used. In the example of FIG. 9, in the matrix of the service and the item of personal information, the upper limit of the degree of anonymization is defined in the mass of personal information required for providing each service. If the space is blank, it means that the relevant personal information is not required for the relevant service.

For example, in order to use the service related to "learning school", the personal information of the item "household composition" is stored with an anonymization degree of 80 or less, and the personal information of the item "household annual income" is stored with an anonymization degree of 20 or less. Indicates that it needs to be remembered. The transmission unit 22 is "providable" when all the personal information required for the specified service for the corresponding user is stored in the personal information DB 32, and when any one of them is not stored, the transmission unit 22 is not stored. Information of "cannot be provided" is transmitted to the user terminal 10.

Further, when the home screen 110 is displayed on the user terminal 10, the transmission unit 22 acquires information on the service selected by the user from the selection service DB 36 and transmits the information to the user terminal 10. FIG. 10 shows an example of the selection service DB 36. In the example of FIG. 10, the service name of the selected service is stored in the "selected service" column in association with the user ID.

The acquisition unit 24 acquires the personal information associated with the user ID transmitted from the user terminal 10. Further, the acquisition unit 24 accesses the data holder server 40 by the API (Application Programming Interface) and acquires the personal information by using the information included in the acquired personal information for accessing the data holder server 40. The acquisition unit 24 performs normalization such as name identification processing and data cleansing on the personal information acquired from the user terminal 10 and the data holder server 40, and stores the personal information in the personal information DB 32. Here, the acquisition unit 24 stores the personal information in the "input data" column associated with the user ID of the corresponding user in the personal information DB 32.

When the processing unit 26 receives the item name and the degree of anonymization of the personal information from the user terminal 10, the processing unit 26 performs a processing process of anonymizing the personal information corresponding to the received item name according to the received anonymization degree. Specifically, the processing unit 26 performs processing according to an anonymization rule according to the degree of anonymization, which is predetermined for each item of personal information. Anonymization rules include the deletion, replacement, aggregation, and abstraction of at least a portion of personal information.

For example, regarding the personal information of the item "name", it is assumed that an anonymization rule is set such that the anonymization degree 0 is the full name, the anonymization degree 50 is substitution or abstraction, and the anonymization degree 100 is "unknown". In addition, "unknown" means that although personal information is input, the content is 100% anonymized. In this case, the personal information "Hanako Yamada" when the anonymization degree is 0 is processed into the data "A" when the anonymization degree 50 is specified, and "Unknown" when the anonymization degree 100 is specified. It is processed into the data.

For example, regarding the personal information of the item "age", the anonymization degree 0 is the current full age calculated from the date of birth, the anonymization degree 40 is aggregated in units of 5 years, and the anonymization degree 60 is in units of 10 years. It is assumed that the anonymization rule of aggregation in units of 20 years old is stipulated in the aggregation and anonymization degree of 80. Further, it is assumed that the anonymization degree 100 is "unknown". In this case, the personal information "26 years old" when the anonymization degree is 0 is, for example, "25 to 30 years old" when the anonymization degree 40 is specified, and "20s" when the anonymization degree 60 is specified. When the anonymization degree of 80 is specified, the data is processed into "20 to 40 years old". Further, when the anonymization degree 100 is specified, the data is processed into "unknown".

Further, for example, regarding the personal information of the item "household composition", an anonymization rule is defined such that the anonymization degree 0 is each relationship of the members, the anonymization degree 50 is the number of members, and the anonymization degree 100 is "unknown". Suppose you are. In this case, the personal information "father, mother, eldest son, eldest daughter, second daughter (person)" when the anonymization degree is 0 is, for example, "family of 5" when the anonymization degree 50 is specified, and the anonymization degree is 100. If is specified, the data will be processed as "unknown".

The processing unit 26 stores the data of the personal information that has undergone the anonymization processing process for the personal information for which the degree of anonymization is specified in the "processing data" column of the personal information DB 32, and also stores the data in the "processing data" column. Stores the specified degree of anonymization. Further, the processing unit 26 transmits the anonymized personal information data to the user terminal 10.

When the update unit 28 receives the service selection information from the user terminal 10, the update unit 28 updates the selection service DB 36 based on the received service selection information.

The user terminal 10 can be realized by, for example, the computer 50 shown in FIG. The computer 50 includes a CPU (Central Processing Unit) 51, a memory 52 as a temporary storage area, and a non-volatile storage unit 53. Further, the computer 50 includes an input / output device 54 such as an input unit and a display unit, and an R / W (Read / Write) unit 55 that controls reading and writing of data to the storage medium 59. Further, the computer 50 includes a communication interface (I / F) 56 connected to a network such as the Internet. The CPU 51, the memory 52, the storage unit 53, the input / output device 54, the R / W unit 55, and the communication I / F 56 are connected to each other via the bus 57.

The storage unit 53 can be realized by an HDD (Hard Disk Drive), an SSD (Solid State Drive), a flash memory, or the like. The information processing program 60 for making the computer 50 function as the user terminal 10 is stored in the storage unit 53 as a storage medium. The information processing program 60 includes a personal information reception process 62, an anonymization degree reception process 64, a selection process 66, and a request process 68.

The CPU 51 reads the information processing program 60 from the storage unit 53, expands the information processing program 60 into the memory 52, and sequentially executes the processes included in the information processing program 60. The CPU 51 operates as the personal information receiving unit 12 shown in FIG. 2 by executing the personal information receiving process 62. Further, the CPU 51 operates as the anonymization degree reception unit 14 shown in FIG. 2 by executing the anonymization degree reception process 64. Further, the CPU 51 operates as the selection unit 16 shown in FIG. 2 by executing the selection process 66. Further, the CPU 51 operates as the request unit 18 shown in FIG. 2 by executing the request process 68. As a result, the computer 50 that has executed the information processing program 60 functions as the user terminal 10. The CPU 51 that executes the program is hardware.

The information management device 20 can be realized by, for example, the computer 70 shown in FIG. The computer 70 includes a CPU 71, a memory 72 as a temporary storage area, and a non-volatile storage unit 73. Further, the computer 70 includes an input / output device 74, an R / W unit 75 that controls reading and writing of data to the storage medium 79, and a communication I / F 76. The CPU 71, the memory 72, the storage unit 73, the input / output device 74, the R / W unit 75, and the communication I / F 76 are connected to each other via the bus 77.

The storage unit 73 can be realized by an HDD, SSD, flash memory, or the like. The storage unit 73 as a storage medium stores an information management program 80 for causing the computer 70 to function as the information management device 20. The information management program 80 includes a transmission process 82, an acquisition process 84, a machining process 86, and an update process 88. Further, the storage unit 73 has an information storage area 90 in which information constituting each of the personal information DB 32, the utilization service DB 34, and the selection service DB 36 is stored.

The CPU 71 reads the information management program 80 from the storage unit 73, expands the information management program 80 into the memory 72, and sequentially executes the processes included in the information management program 80. The CPU 71 operates as the transmission unit 22 shown in FIG. 7 by executing the transmission process 82. Further, the CPU 71 operates as the acquisition unit 24 shown in FIG. 7 by executing the acquisition process 84. Further, the CPU 71 operates as the machining unit 26 shown in FIG. 7 by executing the machining process 86. Further, the CPU 71 operates as the update unit 28 shown in FIG. 7 by executing the update process 88. Further, the CPU 71 reads information from the information storage area 90 and expands each of the personal information DB 32, the usage service DB 34, and the selection service DB 36 into the memory 72. As a result, the computer 70 that has executed the information management program 80 functions as the information management device 20. The CPU 71 that executes the program is hardware.

The functions realized by each of the information processing program 60 and the information management program 80 can also be realized by, for example, a semiconductor integrated circuit, more specifically, an ASIC (Application Specific Integrated Circuit) or the like.

Next, the operation of the information bank system 100 according to the present embodiment will be described.

When the application for using the service of the information bank system 100 is started on the user terminal 10, the user terminal information processing shown in FIG. 13 is executed on the user terminal 10. Further, the information management device 20 executes the transmission process shown in FIG. Then, when the information management device 20 receives some information from the user terminal 10, the information management device 20 executes the information management process shown in FIG. The user terminal information processing is an example of the information processing method of the disclosed technique, and the information management process is an example of the information management method of the disclosed technique.

In step S12 of the user terminal information processing shown in FIG. 13, the personal information receiving unit 12 determines whether or not the user who has started the application has user registration for using the service of the information bank system 100. For example, when the personal information receiving unit 12 accepts the input of the user ID for logging in to the application, it can be determined that the user has been registered. If there is user registration, the process proceeds to step S14, and if there is no user registration, the process proceeds to step S30.

In step S14, the anonymization degree receiving unit 14 acquires the personal information stored in association with the corresponding user ID in the personal information DB 32 of the information management device 20. Further, the selection unit 16 acquires from the information management device 20 information that can or cannot be provided for each service and information of the "selection service" that is stored in association with the corresponding user ID in the selection service DB 36. ..

Next, in step S16, the anonymization degree reception unit 14 calculates the input rate of the entire personal information and each category from the personal information acquired in step S14. Further, the anonymization degree receiving unit 14 determines whether or not each data holder server 40 has been linked from the personal information acquired in step S14. Then, the anonymization degree reception unit 14 displays the home screen 110 as shown in FIG. 4, for example, based on the acquired personal information, the calculation result of the input rate, and the determination result of whether or not the cooperation has been completed.

More specifically, the anonymization degree reception unit 14 displays an icon image 112, an indicator 114, a user name display 116, a mark 118, and a category button 120. It is assumed that the icon image 112 and the user name are included in the personal information. Further, the selection unit 16 displays the service button 122 on the home screen 110 based on the acquired information on whether the service can be provided or not and the information on the "selection service".

Next, in step S18, the anonymization degree reception unit 14 determines whether or not any of the category buttons 120 has been selected on the home screen 110, thereby determining whether or not any of the categories of personal information has been selected. Is determined. If any of the categories is selected, the process proceeds to step S20, and if not selected, the process proceeds to step S22.

In step S20, the anonymization degree designation process shown in FIG. 14 is executed.

In step S202 of FIG. 14, for example, in FIG. 5, the anonymization degree reception unit 14 is based on the personal information related to the selected category among the personal information acquired in step S14 of the user terminal information processing (FIG. 13). The anonymization degree designation screen 130 as shown is displayed.

Next, in step S204, it is determined whether or not the operation for the slide bar 134 included in the anonymization degree designation screen 130 has been performed. If the slide bar 134 is operated, the process proceeds to step S206, and if the slide bar 134 is not operated, the process proceeds to step S214.

In step S206, the anonymization degree receiving unit 14 changes the display of the slide bar 134 by arranging the position of the knob of the slide bar 134 at the designated position.

Next, in step S208, the anonymization degree reception unit 14 passes the anonymization degree indicated by the position of the knob of the changed slide bar 134 and the item name of the corresponding personal information to the request unit 18. Then, the requesting unit 18 transmits the item name of the personal information and the degree of anonymization to the information management device 20, so that the information management device performs a process of anonymizing the corresponding personal information according to the designated degree of anonymization. Ask 20.

Next, in step S210, the request unit 18 acquires the anonymized personal information from the information management device 20 and hands it over to the anonymization degree reception unit 14.

Next, in step S212, the anonymization degree reception unit 14 changes the content display 132 of the anonymization degree designation screen 130 with the anonymized personal information passed from the request unit 18.

Next, in step S214, the anonymization degree reception unit 14 determines whether or not the menu for editing personal information (not shown) is selected on the anonymization degree designation screen 130, thereby transitioning to the input screen 101. Determine whether or not to do so. When transitioning to the input screen 101, the process proceeds to step S30 of the user terminal information processing (FIG. 13), and when the transition does not occur, the process proceeds to step S216.

In step S216, whether or not the anonymization degree reception unit 14 determines the currently designated anonymization degree by determining whether or not the confirm button (not shown) is selected on the anonymization degree designation screen 130. Is determined. If the degree of anonymization is not determined, the process returns to step S204, and if the degree of anonymization is determined, the process returns to user terminal information processing (FIG. 13).

Returning to the description of the user terminal information processing shown in FIG. 13, in step S22, the selection unit 16 determines whether or not any service button 122 has been selected by the user on the home screen 110, whereby the service is provided. Determine if selected. If the service is selected, the process proceeds to step S24, and if not selected, the process proceeds to step S32.

In step S24, the selection unit 16 displays a check mark on the selected service button 122.

Next, in step S26, the selection unit 16 passes the service name of the selected service to the request unit 18. The request unit 18 transmits the service selection information in which the user ID is associated with the delivered service name to the information management device 20, requests the process of updating the selection service DB 36 of the information management device 20, and proceeds to step S32. do.

In step S32, the personal information receiving unit 12 determines whether or not to terminate the application by determining whether or not the command to terminate the application has been input. If it does not end, the process returns to step S14, and if it ends, the user terminal information processing ends.

Next, the personal information reception process executed in step S30 of the user terminal information processing will be described.

In step S302 of the personal information reception process shown in FIG. 15, for example, the input screen 101 as shown in FIG. 3 is displayed. However, at this stage, the input box 102 is blank.

Next, in step S304, the personal information acquired in step S14 of the user terminal information processing (FIG. 13) is displayed in the input box 102. In the case of new registration, that is, in the case where a negative determination is made in step S14 of the user terminal information processing (FIG. 13) and the process proceeds to the personal information reception process, there is no personal information to be displayed, so this step is omitted.

Next, in step S306, the personal information receiving unit 12 receives the personal information input to the input screen 101. Further, the personal information receiving unit 12 communicates with the peripheral device and accepts the data detected by the peripheral device as personal information. Further, the personal information reception unit 12 obtains personal information such as action history and purchase history from log data of other applications such as shopping sites and transportation IC cards recorded by the user terminal 10 and positioning results by GPS. Accept.

Next, in step S308, the personal information receiving unit 12 determines whether or not the input has been confirmed by determining whether or not the confirmation button (not shown) has been selected on the input screen 101. If the input is confirmed, the process proceeds to step S310, and if the input is not confirmed, the process returns to step S306.

In step S310, the personal information receiving unit 12 delivers the received personal information to the requesting unit 18. Then, the request unit 18 associates the delivered personal information with the user ID, transmits the personal information to the information management device 20, and stores the personal information in the personal information DB 32 of the information management device 20. Request to device 20. Then, the process returns to the user terminal information processing (FIG. 13).

Next, with reference to FIG. 16, a transmission process executed by the information management device 20 when the application is started will be described.

In step S42, the transmission unit 22 acquires the personal information associated with the user ID transmitted from the user terminal 10 from the personal information DB 32 and transmits it to the user terminal 10.

Next, in step S44, the transmission unit 22 refers to the service DB 34 used and identifies the personal information required for each service. Then, the transmission unit 22 is "providable" when all the personal information required for the specified service for the corresponding user is stored in the personal information DB 32, and when any one of them is not stored. Information of "cannot be provided" is transmitted to the user terminal 10.

Next, in step S46, the transmission unit 22 acquires the information of the "selection service" associated with the user ID transmitted from the user terminal 10 from the selection service DB 36 and transmits it to the user terminal 10. Then, the transmission process ends.

Next, the information management process will be described with reference to FIG.

In step S52, the transmission unit 22 determines whether the information received from the user terminal 10 is personal information, service selection information, or anonymization degree. In the case of personal information, the process proceeds to step S54, in the case of service selection information, the process proceeds to step S60, and in the case of anonymization degree, the process proceeds to step S70.

In step S54, the acquisition unit 24 acquires personal information from the data holder server 40 by API using the information for accessing the data holder server 40 included in the personal information acquired from the user terminal 10.

Next, in step S56, the acquisition unit 24 performs normalization such as name identification processing and data cleansing on the personal information acquired from the user terminal 10 and the data holder server 40.

Next, in step S58, the acquisition unit 24 stores the personal information normalized in step S56 in the "input data" field associated with the user ID of the corresponding user in the personal information DB 32, and manages the information. The process ends.

Further, in step S60, the update unit 28 updates the selection service DB 36 based on the received service selection information, and the information management process ends.

Further, in step S70, the machining process shown in FIG. 18 is executed.

In step S702 of FIG. 18, the processing unit 26 reads out the personal information in the "input data" column associated with the user ID of the corresponding user in the personal information DB 32.

Next, in step S704, the processing unit 26 performs a processing process for anonymizing the read personal information according to the received anonymization degree and a predetermined anonymization rule.

Next, in step S706, the processing unit 26 stores the data of the personal information subjected to the anonymization processing in the "processing data" column of the personal information DB 32, and is designated in the "anonymization degree" column. Memorize the degree of anonymization.

Next, in step S708, the processing unit 26 transmits the anonymized personal information data to the user terminal 10, returns to the information management process (FIG. 17), and ends the information management process.

As described above, it is assumed that the information management device 20 receives the personal information acquisition condition from the service provider server 45 when the personal information processed for anonymization is stored in the personal information DB 32. .. The acquisition conditions are, for example, a man aged 60 to 80 years old, a woman living in Tokyo, and the like. The information management device 20 transmits anonymized personal information of a user whose "processed data" meets the acquisition conditions to the service provider server 45. As a result, personal information anonymized with the degree of anonymization specified by the user is provided to the service provider.

As described above, according to the information bank system according to the present embodiment, the user can specify the degree of anonymization of the personal information entrusted to the information bank system, and the personal information provided to the service provider can be specified. , Anonymized with the degree of anonymization specified by the user. This makes it possible for the user to intuitively understand how much the personal information provided by the user will be anonymized when the personal information is utilized.

In addition, with the enforcement of the GDPR (General Data Protection Regulation), when a service provider acquires personal information from a user, the purpose of use of the personal information is clearly communicated and then the user informs the user. "Express consent" is required. However, the license to use personal information is described in a very long agreement, and it is hard to say that it is an explicit consent. According to the present embodiment, since the user himself / herself selects which item of personal information is to be deposited and which service is to be used, the problem of "explicit consent" can be solved.

In the above embodiment, the case where the degree of anonymization is accepted for each item of personal information has been described, but the present invention is not limited to this. For example, personal information may be grouped under predetermined conditions, and the degree of anonymization may be accepted for each group. In this case, for example, the anonymization degree designation screen 140 as shown in FIG. 19 is displayed. The example of FIG. 19 is a case where the degree of anonymization is accepted for each category of personal information. The anonymization degree designation screen 140 of FIG. 19 includes one slide bar 134 for one category and a content display 132 for each item of personal information included in the category.

When the slide bar 134 on the anonymization degree designation screen 140 of FIG. 19 is operated, as shown in FIG. 20, all the personal information included in the category is anonymized with the same anonymization degree specified by the slide bar 134. Will be done.

Further, in the above embodiment, the embodiment in which the information processing program and the information management program are stored (installed) in the storage unit in advance has been described, but the present invention is not limited to this. The program according to the disclosed technique can also be provided in a form stored in a storage medium such as a CD-ROM, a DVD-ROM, or a USB memory.

Further, the following additional notes will be disclosed with respect to the above embodiments.

(Appendix 1)
Accepting the user's identification information and the user's personal information,
Display the screen that accepts the degree of anonymization of the received personal information, and display it.
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request to an information management device that manages information,
An information processing program that allows a computer to perform processing including that.

(Appendix 2)
The screen for accepting the degree of anonymization includes the received display of the personal information and the operation component for changing the degree, and the display of the personal information is designated by operating the operation component. The information processing program according to Appendix 1, which changes the display to anonymized according to the degree.

(Appendix 3)
The operating component has a minimum degree associated with a first end and a maximum degree associated with a second end, between the first end and the second end. The information processing program according to Appendix 2, which is a slide bar associated with the degree to which the degree gradually increases from the first end to the second end at each position.

(Appendix 4)
The personal information is grouped under predetermined conditions, and the personal information is grouped under predetermined conditions.
The screen for accepting the degree of anonymization is the information processing program according to any one of Supplementary note 1 to Supplementary note 3, which accepts the degree of anonymization of the personal information for each group.

(Appendix 5)
Any one of Appendix 1 to Appendix 4 that identifiablely displays the service that can be provided by using the personal information stored in the storage unit among the plurality of services provided to the user by using the personal information. The information processing program described in item 1.

(Appendix 6)
Acquire the personal information of the user associated with the user's identification information,
The degree of anonymization of the personal information is accepted, and the acquired personal information is anonymized according to the received degree.
The anonymized personal information is stored in the storage unit in association with the user's identification information.
An information management program that allows a computer to perform processing including that.

(Appendix 7)
The information management program according to Appendix 6 that anonymizes the personal information according to the anonymization rule according to the degree, which is predetermined for each item of personal information.

(Appendix 8)
The anonymization rule is an information management program described in Appendix 7, which includes deletion, replacement, aggregation, and abstraction of at least a part of the personal information.

(Appendix 9)
A reception unit that accepts user identification information and the user's personal information,
A display control unit that displays a screen that accepts the degree of anonymization of the received personal information, and
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. The request department that requests the information management device that manages information, and
Information processing equipment including.

(Appendix 10)
The screen for accepting the degree of anonymization includes the display of the accepted personal information and the operation component for changing the degree.
The information processing device according to Appendix 9, wherein the display control unit changes the display of the personal information to an anonymized display according to the degree specified by operating the operating component.

(Appendix 11)
The operating component has a minimum degree associated with a first end and a maximum degree associated with a second end, between the first end and the second end. The information processing apparatus according to Appendix 10, wherein the information processing apparatus is a slide bar associated with the degree to which the degree gradually increases from the first end portion to the second end portion at each position.

(Appendix 12)
The display control unit groups the personal information under predetermined conditions, and the screen that accepts the degree of anonymization is any one of Supplementary Note 9 to Appendix 11 that receives the degree of anonymization of the personal information for each group. The information processing device described in the section.

(Appendix 13)
Appendix 9 to further include a selection unit that identifiablely displays the services that can be provided by using the personal information stored in the storage unit among the plurality of services provided to the user by using the personal information. The information processing apparatus according to any one of Appendix 12.

(Appendix 14)
An acquisition unit that acquires the user's personal information associated with the user's identification information, and
An anonymization unit that accepts the degree of anonymization of the personal information and anonymizes the acquired personal information according to the received degree.
A storage control unit that stores the anonymized personal information in the storage unit in association with the user's identification information.
Information management equipment including.

(Appendix 15)
The information management device according to Appendix 14, wherein the anonymization unit anonymizes the personal information according to an anonymization rule according to the degree, which is predetermined for each item of personal information.

(Appendix 16)
The information management device according to Appendix 15, wherein the anonymization rule includes deletion, replacement, aggregation, and abstraction of at least a part of the personal information.

(Appendix 17)
Accepting the user's identification information and the user's personal information,
Display the screen that accepts the degree of anonymization of the received personal information, and display it.
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request to an information management device that manages information,
An information processing method in which a computer executes processing including that.

(Appendix 18)
Acquire the personal information of the user associated with the user's identification information,
The degree of anonymization of the personal information is accepted, and the acquired personal information is anonymized according to the received degree.
The anonymized personal information is stored in the storage unit in association with the user's identification information.
An information management method in which a computer performs processing including that.

(Appendix 19)
Accepting the user's identification information and the user's personal information,
Display the screen that accepts the degree of anonymization of the received personal information, and display it.
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request to an information management device that manages information,
A storage medium that stores an information processing program for causing a computer to execute processing including the above.

(Appendix 20)
Acquire the personal information of the user associated with the user's identification information,
The degree of anonymization of the personal information is accepted, and the acquired personal information is anonymized according to the received degree.
The anonymized personal information is stored in the storage unit in association with the user's identification information.
A storage medium that stores an information management program for causing a computer to perform processing including the above.

10 User terminal 12 Personal information reception unit 14 Anonymization degree reception unit 16 Selection unit 18 Request unit 20 Information management device 20 Anonymization degree 22 Transmission unit 24 Acquisition unit 26 Processing unit 28 Update unit 30 Storage area 32 Personal information DB
34 Usage service DB
36 Selection service DB
40 Data holder server 45 Service provider server 50, 70 Computer 51, 71 CPU
52, 72 Memory 53, 73 Storage unit 59, 79 Storage medium 60 Information processing program 80 Information management program 100 Information bank system 101 Input screen 110 Home screen 122 Service button 130, 140 Anonymous degree specification screen 132 Content display 134 Slide bar

Claims (11)

Accepting the user's identification information and the user's personal information,
Display the screen that accepts the degree of anonymization of the received personal information, and display it.
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request an information management device that manages information,
Among a plurality of services provided to the user by using personal information, the service that can be provided by using the personal information stored in the storage unit is identifiablely displayed.
An information processing program that allows a computer to perform processing including that. The screen for accepting the degree of anonymization includes the received display of the personal information and the operation component for changing the degree, and the display of the personal information is designated by operating the operation component. The information processing program according to claim 1, wherein the display is changed to anonymized display according to the degree. The operating component has a minimum degree associated with the first end and a maximum degree associated with the second end, between the first end and the second end. The information processing program according to claim 2, wherein the information processing program is a slide bar in which the degree of increasing stepwise from the first end to the second end is associated with each position. The personal information is grouped under predetermined conditions, and the personal information is grouped under predetermined conditions.
The information processing program according to any one of claims 1 to 3, wherein the screen that accepts the degree of anonymization is the screen that accepts the degree of anonymization of the personal information for each group. Acquire the personal information of the user associated with the user's identification information,
The degree of anonymization of the personal information is accepted, and the acquired personal information is anonymized according to the received degree.
The anonymized personal information is stored in the storage unit in association with the user's identification information.
Among a plurality of services provided to the user by using personal information, the service that can be provided by using the personal information stored in the storage unit is used by the user so as to be identifiablely displayed. Send information to the terminal
An information management program that allows a computer to perform processing including that. The information management program according to claim 5 , which anonymizes the personal information according to the anonymization rule according to the degree, which is predetermined for each item of personal information. The information management program according to claim 6 , wherein the anonymization rule includes deletion, replacement, aggregation, and abstraction of at least a part of the personal information. A reception unit that accepts user identification information and the user's personal information,
A display control unit that displays a screen that accepts the degree of anonymization of the received personal information, and
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing it in the storage unit are performed. Including the request department that requests the information management device that manages information,
The display control unit identifiablely displays a service that can be provided by using the personal information stored in the storage unit among a plurality of services provided to the user by using the personal information.
Information processing equipment. An acquisition unit that acquires the user's personal information associated with the user's identification information, and
An anonymization unit that accepts the degree of anonymization of the personal information and anonymizes the acquired personal information according to the received degree.
A storage control unit that stores the anonymized personal information in the storage unit in association with the user's identification information.
Among a plurality of services provided to the user by using personal information, the service that can be provided by using the personal information stored in the storage unit is used by the user so as to be identifiablely displayed. And the transmitter that sends information to the terminal
Information management equipment including. Accepting the user's identification information and the user's personal information,
Display the screen that accepts the degree of anonymization of the received personal information, and display it.
The process of anonymizing the personal information according to the degree of acceptance on the screen, and the process of associating the anonymized personal information with the received identification information of the user and storing the personal information in the storage unit. Request an information management device that manages information,
Among a plurality of services provided to the user by using personal information, the service that can be provided by using the personal information stored in the storage unit is identifiablely displayed.
An information processing method in which a computer executes processing including that. Acquire the personal information of the user associated with the user's identification information,
The degree of anonymization of the personal information is accepted, and the acquired personal information is anonymized according to the received degree.
The anonymized personal information is stored in the storage unit in association with the user's identification information.
Among a plurality of services provided to the user by using personal information, the service that can be provided by using the personal information stored in the storage unit is used by the user so as to be identifiablely displayed. Send information to the terminal
An information management method in which a computer performs processing including that.

Images