KR20210112469A - Method for Personal Information De-identification - Google Patents

Abstract

According to an embodiment of the present invention, a personal information de-identification method comprises: a step of measuring a risk of a data situation; a step of calculating a total risk considering the data situation and determining a processing level; a step of considering the data situation according to the determined processing level to perform pseudonym processing or anonymous processing; a step of evaluating adequacy of a de-identification data set wherein the pseudonym processing or the anonymous processing has been performed; and a step of completing de-identification when evaluated as appropriate. The de-identification includes the pseudonym processing or the anonymous processing.

Description

{Method for Personal Information De-identification}

This application relates to a method of de-identification of personal information.

According to the Personal Information Protection Act amended in February 2020, personal information refers to information about a living individual that falls under any of the following items:

go. Information that can identify an individual through name, resident registration number, and video

me. Information that can be easily combined with other information to identify an individual, even if that information alone cannot identify an individual. In this case, whether or not it can be easily combined shall reasonably consider the time, cost, technology, etc. required to identify an individual, such as the availability of other information.

all. Information that cannot identify a specific individual without the use or combination of additional information to restore the original state by pseudonymizing items (a) or (b) in accordance with subparagraph 1-2

In June 2016, six government ministries jointly published the "Guidelines for measures against personal information de-identification" in Korea. In addition, in February 2020, the conceptual system related to personal information was clarified as personal information, pseudonymous information, and anonymous information, and pseudonymous information can be processed for the purposes of statistical preparation, scientific research, and public record preservation. The Personal Information Protection Act has been amended, which allows for the combination of pseudonymous information held by information controllers only through specialized agencies equipped with security facilities prescribed by Presidential Decree, and permits export after approval of the specialized agencies. However, despite the publication of these guidelines and amendments to the law, the technology that detailed the perspective and method that general companies and institutions, especially small and medium-sized enterprises and start-ups, should approach to the implementation of de-identification measures and the judgment of their adequacy based on these guidelines is not is currently absent.

Therefore, in the technical field, when performing personal information de-identification measures within an organization such as a company or institution, take safe measures based on the level of risk in consideration of the surrounding situation and environment, such as the purpose and method of use, not just data, and check whether the results of the measures are appropriate. A method for evaluation is required.

In order to solve the above problems, an embodiment of the present invention provides a method of de-identification of personal information.

The personal information de-identification method includes: measuring the degree of risk to the data situation; calculating a total risk in consideration of the data situation and determining a processing level; performing pseudonymization or anonymization processing in consideration of the data situation according to the determined processing level; evaluating the adequacy of the de-identified data set on which the pseudonymization or anonymization has been performed; and completing the de-identification measures when it is determined to be appropriate, wherein the de-identification measures include pseudonymization or anonymization.

Incidentally, the means for solving the above problems do not enumerate all the features of the present invention. Various features of the present invention and its advantages and effects may be understood in more detail with reference to the following specific embodiments.

According to an embodiment of the present invention, when performing personal information de-identification measures within an organization such as a company or institution, it is possible to safely take measures and evaluate whether the measures taken are appropriate.

1 is a classification diagram for data situations according to an embodiment of the present invention.
2 is a classification diagram of a data utilization method according to an embodiment of the present invention.
3 is a classification flowchart of a data utilization method according to an embodiment of the present invention.
4 is a flowchart of a method for de-identification of personal information according to an embodiment of the present invention.
5 is a diagram illustrating a flow in case of simple use and a degree of risk for each detailed situation according to an embodiment of the present invention.
6 is a diagram illustrating a flow and a degree of risk for each detailed situation in the case of an internal coupling according to an embodiment of the present invention.
7 is a diagram illustrating a flow in the case of external coupling through a specialized agency and a degree of risk for each detailed situation according to an embodiment of the present invention.
8 is a diagram illustrating a flow chart for measuring the risk of pseudonymization and a risk calculation table according to an embodiment of the present invention.
9 is a diagram illustrating a final risk score according to a score distribution and frequency of each stage of pseudonymization processing according to an embodiment of the present invention.
10 is a diagram illustrating a case of simple use of pseudonymization according to an embodiment of the present invention.
11 is a flowchart of risk measurement in the case of simple use of pseudonym processing according to an embodiment of the present invention.
12 is a diagram illustrating a risk calculation table in the case of simple use of pseudonym processing according to an embodiment of the present invention.
13 is a diagram illustrating a case of an internal coupling of pseudonym processing according to an embodiment of the present invention.
14 is a diagram illustrating a risk measurement flowchart and a risk calculation table in the case of internal combination of pseudonym processing according to an embodiment of the present invention.
15 is a diagram illustrating a case of alias processing external coupling according to an embodiment of the present invention.
16 is a diagram illustrating a risk measurement flow chart and a risk calculation table in the case of external combination of pseudonym processing according to an embodiment of the present invention.
17 is a diagram illustrating an anonymization risk measurement flowchart and risk calculation table according to an embodiment of the present invention.
18 is a diagram showing the final risk score according to the score distribution and frequency of each stage of anonymization according to an embodiment of the present invention.
19 is a diagram illustrating a case of simple use of anonymization according to an embodiment of the present invention.
20 is a flowchart of risk measurement in the case of simple use of anonymization according to an embodiment of the present invention.
21 is a diagram illustrating a risk level calculation table in the case of simple use of anonymization according to an embodiment of the present invention.
22 is a diagram illustrating a case of anonymization inner coupling according to an embodiment of the present invention.
23 is a diagram illustrating a risk measurement flow chart and a risk calculation table in the case of an anonymization internal combination according to an embodiment of the present invention.
24 is a diagram illustrating a case of anonymization outsourcing according to an embodiment of the present invention.
25 is a diagram illustrating a risk measurement flow chart and a risk calculation table in the case of anonymization outsourcing according to an embodiment of the present invention.
26 is a flowchart of an adequacy evaluation procedure according to an embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings, a preferred embodiment will be described in detail so that those skilled in the art to which the present invention pertains can easily practice the present invention. However, in describing a preferred embodiment of the present invention in detail, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. In addition, the same reference numerals are used throughout the drawings for parts having similar functions and functions.

In addition, throughout the specification, when a part is 'connected' with another part, it is not only 'directly connected' but also 'indirectly connected' with another element interposed therebetween. include In addition, 'including' a certain component means that other components may be further included, rather than excluding other components, unless otherwise stated.

1 is a classification diagram for data situations according to an embodiment of the present invention.

Referring to FIG. 1 , in an embodiment of the present invention, a configuration of a data situation may be defined from a total of 12 viewpoints as follows.

First, in terms of data utilization methods, it can be classified into seven perspectives. Specifically, the data utilization method is classified into simple use or data combination (internal combination or external combination), and may be classified as follows according to each case. As used herein, the term 'de-identifying action' includes pseudonymization or anonymization.

1.1 Why (Purpose Perspective) Do you want to take de-identification measures? That is, what is the purpose of its use?

1.2 What (source point of view) When combining data, do you want to combine data within the same institution? Or do you want to combine data from different institutions?

1.3 Where (Place Perspective) Where do you intend to use the data, internally, externally, or both?

1.4 Where (processing point of view) Where (internal, external, professional) actions on data de-identification take place?

1.5~1.7 How (1.5 Data Disclosure Perspective) How is data access/analysis done? (1.6 Perspective of data provision) During what period is data provided? (1.7 Data Utilization Perspective) From the point of view of the purpose of use, what purpose do you intend to use the data for, such as single, multi-purpose, or contractual?

Next, it can be classified into the following two viewpoints in terms of the data use environment.

2.1 Possibility of re-identification attempts by data users or recipients

2.2 Effect on data subjects when re-identified

Finally, in terms of the risk to the data itself, it can be classified into the following three perspectives.

3.1 Data organization

3.2 Data Distribution

3.3 Data Sensitivity

Data situations can be classified from 12 viewpoints as described above, and each viewpoint will be described in more detail.

first of all, Looking at the detailed configuration of the data utilization method from each point of view, it can be classified into 19 types as follows. FIG. 2 is a classification diagram of a data utilization method according to an embodiment of the present invention.

1.1 Why? (According to the purpose of use of data)

1.1.1 The purpose of statistical preparation, scientific research, public record preservation, etc. in accordance with the purpose of Article 23-2 (Processing of pseudonymous information, etc.) Paragraph 1 of the Korea Personal Information Protection Act, Article 32 ( Consent to the provision and use of personal credit information) Paragraph 6 9-2 In case of providing pseudonymous information for statistical preparation, research, public record preservation, etc. (In this case, statistical preparation for commercial purposes, such as market research, and the purpose of research includes industrial research.)

1.1.2 For purposes other than those described in 1.1.1 above

1.2 What? (Combined Sources Perspective)

1.2.1 When the source data to be combined is the same institution

1.2.2 When the target source data to be combined is from different institutions

1.3 Where? (in terms of processing - in terms of actions to de-identify data)

1.3.1 Measures of data de-identification within an institution

1.3.2 Refers to data de-identification measures outside the institution (e.g., private specialized agencies)

1.3.3 Refers to data de-identification measures by specialized agencies

1.4 Where? (Place Perspective)

1.4.1 Applies to cases where the place where data is intended to be used is used only inside an institution or company

1.4.2 When the place where data is to be used is used outside the institution or company (for example, a private specialized institution)

1.3.3 Applies to both 1.3.1 and 1.3.2 above

1.5 How? (Public point of view - depending on how the data will be disclosed after the data has been de-identified from the point of view of data disclosure)

1.5.1 refers to disclosure only within its own analytical laboratory within a company or institution

1.5.2 Full disclosure to the general public

1.5.3 Disclosure by mutual agreement between the data provider and the data user

1.5.4 Disclosure refers to disclosure only within a sandbox with security facilities for external users.

1.6 How?

1.6.1 Applicable in case of one-time provision of data

1.6.2 When data provision is periodic (monthly, quarterly, semi-annually, etc.)

1.6.3 Applicable when data provision is for a predetermined period of time

1.7 How? (Usage Perspective)

1.7.1 When the purpose of using the data is for a single purpose

1.7.2 In cases where the purpose of using data is multi-purpose

When the above-described data utilization method is classified into 1) simple use and 2) data combination (internal combination inside an institution or company and external combination outside), a flowchart according to the sequence is shown in FIG. 3 .

Next, the data use environment and the data itself can be classified as follows.

2.1 Probability of re-identification attempt: refers to the intention and capability of re-identification of the data user or the receiving institution or company, and the level of personal information protection

2.1.1 Refers to the re-identification intention, re-identification ability, and possibility of linkage with external information of the data user or the receiving institution or company

2.1.2 Refers to the ability of data users or organizations or companies to protect personal information

2.2 Effect on data subject upon re-identification: This refers to the effect on data subject when data is re-identified intentionally or unintentionally.

2.2.1 Same as above 2.2

3.1 Data composition: Refers to the composition diagram of the original data itself

3.1.1 Whether the data contains a unique identifier

3.1.2 Total number of data columns

3.1.3 Single or Multiple Statistical Characteristics of a Data Set

3.1.4 Total number of quasi-identifier columns

3.1.5 Total number of columns of sensitive information

3.1.6 Whether the original population corresponds to all citizens

3.2 Data distribution: refers to the distribution of attribute values in each column of the original data and whether outliers are included

3.2.1 Distribution of attribute values in each column (attribute)

3.2.2 Whether or not to include personally identifiable outliers

3.3 Data Sensitivity: Refers to the sensitivity of the original data itself.

3.3.1 Single, Multiple, Linked (Behavioral or Positional) Temporal Characteristics of the Source Data

3.3.2 Whether data restricted by Korean law is included

3.3.3 Whether or not sensitive information handled by the relevant industry group is included

Hereinafter, a method of performing the de-identification action in consideration of the data situation defined as described above will be described.

4 is a flowchart of a personal information de-identification method according to an embodiment of the present invention.

Referring to FIG. 4 , the personal information de-identification method according to an embodiment of the present invention may largely include six steps.

First, in the first stage, the risk measurement step for the data situation, the data situation of the three data environments defined as described above, namely, the data utilization method (A), the data use environment (B), and the data itself (C) risk can be measured.

After that, in the second step, the calculation of the total risk and the determination of the processing level in consideration of the data situation, the It is possible to calculate the total risk (D=A+B+C) considering the three data situations and determine the treatment level.

Thereafter, in the third step, the de-identification processing step, according to the processing level calculated in the second step, pseudonymization processing or anonymization processing may be performed according to the purpose of use in consideration of the data situation of the first step described above.

Thereafter, in the fourth step, the adequacy evaluation step, it may be evaluated whether the de-identified data set that has been pseudonymized or anonymized in the third step described above has been properly processed. In this case, if it is determined to be appropriate, the process proceeds to the fifth step, and if it is determined to be unsuitable, the third step may be re-entered and repeated processing may be performed continuously until the processing level becomes an appropriate level.

Thereafter, in the processing completion step, which is the fifth step, when the adequacy evaluation result of the fourth step described above is appropriate, the processing may be completed and the sixth step may be performed.

Thereafter, in the process recording step, which is the sixth step, the processes of the first to fifth steps described above may be recorded and stored.

The personal information de-identification method shown in FIG. 4 may be performed by the processing device. Each step of FIG. 4 will be described in more detail below.

Step 1 (Risk Measurement Step for Data Situation)

According to an embodiment of the present invention, the risk measurement method and the reflection ratio for the data situation may be set as follows.

1) Measurement of risk of data utilization method (40%)

After giving Very Low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very High (5 points) in each step according to each case such as simple use, internal coupling and external coupling use. It can be reflected by summing up the scores.

5 is a diagram showing a flow and a degree of risk for each detailed situation in the case of simple use according to an embodiment of the present invention, and FIG. 6 is a flow and each detail in the case of an internal coupling according to an embodiment of the present invention. It is a view showing the degree of risk for the situation, and FIG. 7 is a view showing the flow in the case of external coupling through a specialized agency according to an embodiment of the present invention and the degree of risk for each detailed situation.

In addition, Table 1 below shows the possible types and levels of pseudonymous and anonymous information according to the data utilization method in the case of simple use, for example.

First, the risk measurement method according to pseudonymization will be described in detail.

8 is a diagram illustrating a flow chart for measuring the risk of pseudonymization and a risk calculation table according to an embodiment of the present invention.

As shown in FIG. 8 , the sum of the points of the arrows on the path taken while moving from 1. purpose of use to 7. completion of the data usage form of the institution or company becomes the total risk for the utilization method. The total risk score can be checked using the risk calculation table.

For example, if your company uses it, requires periodic analysis, and is used for a single purpose;

3 points for holding institutions + 4 points for periodic use + 3 points for single-purpose use = 10 points

According to the risk calculation table, the total risk score is 13 points or less, which is normal, and the risk score can be calculated as 24 points.

In this way, based on the risk score and sum of each stage, the risk is divided into three levels of normal (27.8%), high (45.6%), and very high (26.7%) according to the frequency and given a score, as shown in FIG. same as it has been Here, according to the level, the risk score may be given 24 points for normal, 32 points for high, and 40 points for very high.

10 is a diagram illustrating a case of simple use of pseudonym processing according to an embodiment of the present invention, FIG. 11 is a flowchart of risk measurement in case of simple use of pseudonym processing according to an embodiment of the present invention, and FIG. 12 is this It is a diagram showing a risk calculation table in the case of simple use of pseudonymization according to an embodiment of the present invention.

10 to 12, in each step Very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given. Normal, 11~13 points (45%, 8Case) can be judged high, and 14 points or more (33%, 6Case) can be judged as very high.

13 is a diagram showing a case of internal combination of pseudonym processing according to an embodiment of the present invention, and FIG. 14 is a flowchart showing a risk measurement flow chart and a risk calculation table in the case of internal combination of pseudonym processing according to an embodiment of the present invention It is a drawing.

13 and 14, very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given for each step. , It can be judged as Normal when the total score is 12 (20.8%, 10Case) or less, High when it is 13-15 (43.8%, 23Case), and Very High when it is 22 or more (35.4%, 17Case). have.

15 is a diagram showing a case of alias processing external combination according to an embodiment of the present invention, and FIG. 16 is a risk measurement flow chart and risk calculation table in the case of alias processing external combination according to an embodiment of the present invention It is a drawing.

15 and 16, very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given for each step. , It can be judged as Normal when the total score is 15 (25%, 18 Case) or less, High when it is 16 to 18 (41.7%, 30 Case), and Very High when it is 19 or more (33.3%, 24 Case). have.

Next, the risk measurement method according to anonymization will be described in detail.

17 is a diagram illustrating an anonymization risk measurement flow chart and risk calculation table according to an embodiment of the present invention, which is the same as the case of the pseudonymization risk measurement described above with reference to FIG. 8, and a redundant description thereof will be omitted. However, after calculating all risks, pseudonymization is classified into three levels (normal, high, and very high), whereas anonymization can be classified into five levels (very low to very high). In addition, in the case of full disclosure, it can be disclosed at the highest level, very high, without calculating a score.

18 is a diagram showing the final risk score according to the score distribution and frequency of each stage of anonymization according to an embodiment of the present invention.

As shown in Fig. 18, based on the risk score and sum of each stage, the risk was set to very low (18.89%), low (18.9%), normal (23.3%), high (21.11%), and very high according to the frequency. (17.8%) can be divided into five levels to give a score. Here, depending on the level, the risk score can be given 8 points for very low, 16 points for low, 24 points for normal, 32 points for high, and 40 points for very high.

In this way, in anonymization, the sum of the frequencies according to each frequency is divided into 5 steps to calculate the risk and the risk score.

19 is a diagram showing a case of simple use of anonymization according to an embodiment of the present invention, FIG. 20 is a flowchart of risk measurement in case of simple use of anonymization according to an embodiment of the present invention, and FIG. It is a diagram showing a risk calculation table in the case of simple use of anonymization according to an embodiment of the present invention.

19 to 21, Very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given to each step. , When the total score is 9 (11.1%, 2Case) or less, it is very low, when it is 10 to 11 (27.8%, 5Case), it is low, and when it is 12 to 13 (27.8%, 5Case), it is Normal. 14 points (22.2%, 4 cases) can be judged high, and 15 points (11.1%, 2 cases) can be judged as very high.

22 is a diagram illustrating a case of anonymization inner combination according to an embodiment of the present invention, and FIG. 23 is a risk measurement flowchart and risk calculation table in the case of anonymization inner combination according to an embodiment of the present invention. It is a drawing.

22 and 23, very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given for each step. , When the total score is 11 (10.4%, 5Case) or less, it is very low, when it is 12 to 13 (20.8%, 10Case), it is low, when it is 14 to 15 (33.3%, 16Case), it is Normal. 16 to 17 points (22.9%, 11 cases) can be judged high, and 18 points or more (12.5%, 6 cases) can be judged as very high.

24 is a diagram illustrating a case of anonymization outsourcing according to an embodiment of the present invention, and FIG. 25 is a risk measurement flow chart and risk calculation table in the case of anonymization external binding according to an embodiment of the present invention. It is a drawing.

24 and 25, Very low (1 point), Low (2 points), Normal (3 points), High (4 points), and Very high (5 points) can be given at each stage. , Very low when the total score is 14 (15.3%, 11Case) or less, Low when 15 to 16 (23.6%, 17Case), Normal when 17 to 18 (27.8%, 20Case). If it is 19~20 points (20.8%, 15Case), it can be judged as High, and when it is 21 points or more (12.5%, 9Case), it can be judged as Very High.

2) Measurement of risk for data use environment (30%)

It is divided into a pseudonymous case and an anonymous case, and a checklist is used. In the case of a 5-point scale, 1 to 5 points are given, and in the case of yes/no, 5 points and 1 point are given, respectively, and the scores can be summed and reflected.

Specifically, the detailed risk level for the data use environment can be measured by dividing it into a pseudonymous case and an anonymous case as shown in Tables 2 and 3 below.

First, the possibility of re-identification attempts is, It refers to two measures of 1) re-identification intention and ability of data users or receiving organizations or companies, and 2) level of personal information protection.

Here, the re-identification intention and ability of 1) can be divided into the case of internal use and external use. In addition, this is subdivided into pseudonymous and anonymous cases, respectively, and the following detailed indicators can be defined.

1-1) In case of external use of pseudonymization (15%, converted to a scale of 7.5 points)

The checklist of Table 4 below is used, and in the case of a 5-point scale, 1 to 5 points are given, and in the case of yes/no, 5 points and 1 point are given, respectively, and the scores can be summed and reflected. Here, the two indicators indicated in blue indicate additional indicators only for external use.

Depending on the sum of the scores for the evaluation results for these detailed indicators, 21 points (12.4%, 38,640case) or less (very low), 22~25 points (25.4%, 79,340case) (low), 26~28 points (24.4) %, 76,540case) (normal), 29~32 points (25.4%, 79,340case) (high), 33 points (12.4%, 38,640case) can be calculated as very high (refer to the risk calculation table in Table 5) ).

1-2) In case of external use of anonymization (15%, converted to a full scale of 15 points)

In this case, detailed indicators and scoring methods are the same as in the case of pseudonymization, and the risk calculation table is shown in Table 6.

1-3) In case of internal use of pseudonymization (15%, converted to a scale of 7.5 points)

The checklist of Table 7 below is used, and in the case of a 5-point scale, 1 to 5 points are given, and in the case of yes/no, 5 points and 1 point are given, respectively, and the scores can be summed and reflected.

According to the sum of the scores for the evaluation results for these detailed indicators, 16 points (13.4%, 4,201 case) or less (very low), 17-19 points (22.4%, 6,986 case) (low), 20-22 points (28.4) %, 8,876case) (normal), 23-25 points (22.4%, 6,986case) (high), 26 points (13.4%, 4,201case) can be calculated as very high (refer to the risk calculation table in Table 8) ).

1-4) In case of internal use of anonymization (15%, converted to a full scale of 15 points)

In this case, the detailed index and scoring method are the same as in the case of pseudonymization, and the risk calculation table is shown in Table 9.

On the other hand, 2) detailed indicators of the level of personal information protection can be defined as shown in Table 10 only in the case of pseudonymization (25%, converted to a scale of 7.5 points).

Depending on the sum of the scores for the evaluation results for these detailed indicators, 24 points (13.6%) or less (very low), 24-27 points (20.2%) (low), 28-32 points (32.4%) (normal), 33~36 points (20.2%) (high), 37 points (13.6%) or higher (very high) can be calculated (refer to the risk calculation table in Table 11).

Next, the analysis of the effect on the data subject upon re-identification (50%, total score of 15 points) means the effect on the data subject when the data is intentionally or unintentionally re-identified, and the detailed indicators of this are pseudonym and anonymity. It can be equally defined as in Table 12 without distinction (50%, converted to a full scale of 15 points).

According to the sum of the scores for the evaluation results for these detailed indicators, 8 points (11.2%, 70case) or less (very low), 9-10 points (19.2%, 120case) (low), 11-13 points (39.2%, 245case) (normal), 14-15 points (19.2%, 120case) (high), 16 points (11.2%, 70case) or higher (very high) (refer to the risk calculation table in Table 13).

3) Measuring the risk of the data itself (30%)

In the case of pseudonymity and anonymous, it is the same, and a checklist is used. In the case of a 5-point scale, 1 to 5 points are given, and in the case of yes/no, 5 points and 1 point are given, respectively, and the scores can be summed and reflected. .

Specifically, the risk measurement for the data itself can be divided into three areas as follows.

- Data composition diagram (reflected by 50%, converted to a full scale of 15 points)

- Data distribution chart (reflected by 20%, converted to a score of 6)

- Data sensitivity (reflected 30%, converted out of 9 points)

Here, the data configuration diagram may be divided into six subregions as follows.

1) Whether a unique identifier is included in the data

2) Total number of data columns

3) single or multiple statistical characteristics of the data set

4) Total number of quasi-identifier columns

5) Total number of columns of sensitive information

6) Whether the original population corresponds to all citizens

Also, the data distribution map may be divided into two subregions as follows.

1) Distribution of attribute values in each column (attribute)

2) Whether personally identifiable outliers are included

In addition, data sensitivity may be divided into three sub-regions as follows.

1) Single, multiple, and concatenated (behavioral or positional) temporal characteristics of the original data

2) Whether data restricted by Korean law is included

3) Whether or not sensitive information handled by the relevant industry group is included

The detailed indicators of the data composition diagram can be equally defined as in Table 14 without distinction between pseudonyms and anonymity.

If the first item of this detailed indicator (that is, whether it contains a unique identifier) is inappropriate, the total score of the data composition diagram is converted to 0; otherwise, the total score is 13 points (15.94%, 51 cases) or less (very low) , 14-16 points (20.94%, 67case) (low), 17-19 points (26.24%, 84case) (normal), 20-22 points (20.94%, 67case) (high), 23 points (15.94%, 51case) ) can be estimated as very high (refer to the risk calculation table in Table 15).

The detailed index of the data distribution chart can be equally defined as in Table 16, without distinction between pseudonyms and anonymity.

2 points (25%, 1 case) (low), 6 points (50%, 2 case) (normal), and 10 points (25%, 1 case) (high) according to the sum of the scores for the evaluation results for these detailed indicators can be estimated (see risk calculation table in Table 17).

The detailed index of data sensitivity can be defined as in Table 18 in the same way regardless of pseudonym and anonymity.

5 points (16.67%, 2case) or less (very low), 7 points (25%, 3case) (low), 9 points (16.66%, 2case) (normal) ), 11 points (25%, 3 cases) (high), and 13 points (16.67%, 2 cases) very high (refer to the risk calculation table in Table 19).

Step 2 (Calculation of total risk taking into account the data situation and determination of treatment level)

The total risk (D) is obtained by adding up the three risk levels of the data utilization method (A), the data use environment (B), and the data itself (C) calculated in the first step described above according to the reflection ratio in Table 20 below. can be calculated.

According to the above-mentioned measurement items and reflection ratio, if the total score is a pseudonym, 3 levels (Level 1 (less than 52 points, 29.2%), Level 2 (52 points or more - less than 70 points, 44.2%), Level 3 (70 points or more) , 26.6%)), in the case of anonymity, 5 levels (Level 1 (42 points or less, 9.8%), Level 2 (42 points or more and less than 53 points, 21.8%), Level 3 (53 points or more and less than 68 points, 36.8%) ), Level 4 (68 points or more, less than 79 points, 21.8%), and Level 5 (79 points or more, 9.8%) The treatment levels according to the final evaluation results are shown in Table 21 below.

Step 4 (Adequacy Assessment Step)

According to an embodiment of the present invention, the adequacy evaluation step may be performed by the applicant organization itself or by an adequacy evaluation group separate from the applicant organization.

Here, when the evaluation subject is the adequacy evaluation group, quantitative analysis of the K-anonymity model (limited to the case used) used in the evaluation may be included.

In addition, the adequacy evaluation can be considered separately from pseudonymization and anonymization standards.

26 is a flowchart of an adequacy evaluation procedure according to an embodiment of the present invention, which may be comprised of a total of six steps, and appropriateness evaluation in consideration of the method described above in detail in relation to the personal information de-identification method shown in FIG. can be performed.

First, the appropriateness evaluation procedure for the case of pseudonymization will be described.

[Step 1] Risk measurement and evaluation of data situation

[Step 2] Measure the total risk (D=A+B+C) considering the data situation and evaluate the processing level

[Step 3] This is an evaluation of whether or not the application of the safety evaluation criteria for pseudonymization is satisfied according to the treatment level evaluation result (3 levels of risk in total) of [Step 2], based on the safety evaluation criteria for pseudonymization as shown in Table 22 below. rated as

[Step 4] [Step 3] If the evaluation result satisfies the treatment criteria, it is judged as appropriate; otherwise, it is judged as unsuitable.

[Step 5] Record the entire evaluation process

Here, pseudonymization refers to a specific type of de-identification that removes associations with all data subjects and adds associations between data objects and a specific set of characteristics associated with one or more pseudonyms.

In addition, irreversible pseudonymization refers to a situation in which a pseudonym cannot be traced and calculated again from a pseudonym to an original identifier. A temporary table can be used during the process but is removed when the process is completed. It could be a secret lookup-table that can be used to discover the original identity in an authenticated context where it can be traced back and computed as an identifier.

In addition, identifiability refers to the possibility of recognizing (identifying) the data subject from the pseudonymized data set, and reconstructability refers to the possibility of recognizing (identifying) the data subject from the pseudonymized data set. means the possibility of restoring (reverting to before pseudonymization).

In addition, the processing target includes a unique identifier, some of the quasi-identifiers, and outliers, and the unique identifier means an attribute in the data set that independently selects the data subject from the data set (singles out), and the quasi-identifier Some of these refer to easily obtainable quasi-identifiers or attributes with a high risk of combining with external data from an attacker, and outliers refer to unusual or rare data.

Next, the adequacy evaluation procedure for the case of anonymization will be described.

[Step 1] Risk measurement and evaluation of data situation

[Step 2] Measure the total risk (D=A+B+C) considering the data situation and evaluate the processing level

[Step 3] This is an evaluation of the satisfaction with the application of the safety evaluation criteria for anonymization according to the processing level evaluation result of [Step 2] (5 levels of risk in total). That is, evaluation by applying the evaluation criteria and methods of Tables 23 to 25 below for each level according to the criteria for specificity (Single out), linkability, and inference possibility

[Step 4] [Step 3] If the evaluation result satisfies the treatment criteria, it is judged as appropriate; otherwise, it is judged as unsuitable.

[Step 5] Record the entire evaluation process

Here, the specificity (Single) refers to the act of isolating records belonging to the data subject by observing the set of characteristics of the data set in order to uniquely identify the data subject (see Table 23).

Linkability also refers to the act of linking records related to the same data subject or group of data subjects to a separate data set (see Table 24).

In addition, inferability refers to the act of inferring the value of an attribute from the value of another attribute set with a non-negligible probability (see Table 25).

classification mode of use Evaluation Criteria and Methods Level of final risk measurement result Level 1 internal analysis room [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate sandbox
(den) [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate Data use
agreement [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is treated as unique, if the outlier is not processed, it is not appropriate. Otherwise, it is appropriate. Level 2 internal analysis room [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate sandbox
(den) [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate Data use
agreement [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is treated as unique, if the outlier is not processed, it is not appropriate. Otherwise, it is appropriate. Level 3 internal analysis room [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is processed as unique, if the outlier is not processed, it is not appropriate. Otherwise, go to [Step 3].
[Step 3] Check whether the column that is not a quasi-identifier exactly matches the original data, if there is no exact match, it is appropriate
[Step 4] Check the necessity for the analysis purpose of the data value that matches perfectly, if necessary, judge whether it is appropriate in consideration of the management procedure and the level of protection of the use environment, if there is no need, it is inappropriate
※ Consideration of administrative procedures to eliminate the possibility of collation with the original and the level of protection of the use environment sandbox
(den) [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate Data use
agreement [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is treated as unique, if the outlier is not processed, it is not appropriate. Otherwise, it is appropriate. Final risk measurement
Result Level Level 4 internal analysis room [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is processed as unique, if the outlier is not processed, it is not appropriate. Otherwise, go to [Step 3].
[Step 3] Check whether the column that is not a quasi-identifier exactly matches the original data, if there is no exact match, it is appropriate
[Step 4] Check the necessity for the analysis purpose of the data value that matches perfectly, if necessary, judge whether it is appropriate in consideration of the management procedure and the level of protection of the use environment, if there is no need, it is inappropriate
※ Consideration of administrative procedures to eliminate the possibility of collation with the original and the level of protection of the use environment sandbox
(den) [Step 1] Check the uniqueness of the quasi-identifiers, if unique, not appropriate, otherwise appropriate Data use
agreement [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is processed as unique, if the outlier is not processed, it is not appropriate. Otherwise, go to [Step 3].
[Step 3] Check whether the column that is not a quasi-identifier exactly matches the original data, if there is no exact match, it is appropriate
[Step 4] Confirm the need for the analysis purpose of the exact data value, and if necessary, determine whether it is appropriate based on the contents of the contract and the usage environment Level 5 Data use
agreement [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is processed as unique, if the outlier is not processed, it is not appropriate. Otherwise, go to [Step 3].
[Step 3] Check whether the column that is not a quasi-identifier exactly matches the original data, if there is no exact match, it is appropriate
[Step 4] Confirm the need for the analysis purpose of the exact data value, and if necessary, determine whether it is appropriate based on the contents of the contract and the usage environment full disclosure [Step 1] Check the uniqueness of the quasi-identifiers, if it is unique, it is invalid. Otherwise, go to [Step 2]
[Step 2] Check whether the outlier is processed as unique, if the outlier is not processed, it is not appropriate. Otherwise, go to [Step 3].
[Step 3] Check whether the column that is not a quasi-identifier exactly matches the original data, if there is no exact match, it is appropriate
[Step 4] If there is an exact match, check the uniqueness of the data, if unique, it is negative, otherwise it is appropriate
※ Techniques that do not completely match include noise addition and categorization, and check whether this technique is applied to each column.

classification mode of use Evaluation Criteria and Methods Level of final risk measurement result Level 1 internal analysis room [Step 1] It is appropriate if there is sufficient control over the risk of linkability with the original based on the internal information management plan. Sandbox (closed room) [Step 1] Check if there is any data other than the analysis target in the sandbox (closed room)
[Step 2] If there is no other data, it is judged appropriate that there is no connection possibility. If there is, go to [Step 3]
[Step 3] Check whether K-Anonymity is applied or not, and if K-Anonymity is applied, it is judged as appropriate.
* The level of protection against K-anonymity (representative or average K value, etc.) is determined by the adequacy evaluation team. Data use
agreement [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] Review the contract and decide whether it is appropriate based on whether technical, administrative, and procedural measures to sufficiently reduce connection attacks are established in the contract Level 2 internal analysis room [Step 1] If there is sufficient control over the risk of linkability with the original by reviewing the internal information management plan, etc., it is appropriate; sandbox
(den) [Step 1] Check if there is any data other than the analysis target in the sandbox (closed room)
[Step 2] If there is no other data, it is judged appropriate that there is no connection possibility. If there is, go to [Step 3]
[Step 3] Check whether K-Anonymity is applied or not, and if K-Anonymity is applied, it is judged as appropriate.
* The level of protection against K-anonymity (representative or average K value, etc.) is judged by the adequacy evaluation team. Data use
agreement [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] Review the contract and decide whether it is appropriate based on whether technical, administrative, and procedural measures to sufficiently reduce connection attacks are established in the contract Level 3 internal analysis room [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] If there is sufficient control over the risk of linkability to the original source and linkability with other data by reviewing the internal information management plan, etc. sandbox
(den) [Step 1] Check if there is any data other than the analysis target in the sandbox (closed room)
[Step 2] If there is no other data, it is judged appropriate that there is no connection possibility. If there is, go to [Step 3]
[Step 3] Check whether K-anonymity is applied, and if K-anonymity is applied, it is judged as appropriate; if K-anonymity is not applied, it is judged as inappropriate
* The level of protection against K-anonymity (representative or average K value, etc.) is judged by the adequacy evaluation team. Data use
agreement [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] Titration if the data was de-identified at the full disclosure level in the previous assessment of specific likelihood, otherwise go to [Step 4]
[Step 4] Review the contract and decide whether it is appropriate based on whether technical, administrative, and procedural measures to sufficiently reduce connection attacks are established in the contract details Level 4 internal analysis room [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] If there is sufficient control over the risk of linkability to the original source and linkability with other data based on the internal information management plan, move to [Step 4]; otherwise, it is inappropriate.
[Step 4] If a technique that can sufficiently exclude linkability (connectivity between provided data) according to the characteristics of periodically provided data is applied by checking whether data is provided periodically, it is appropriate, otherwise the It is decided whether it is appropriate by reviewing whether technical, administrative, and procedural measures have been established to sufficiently reduce connection attacks according to the judgment.
※ Consideration of administrative procedures to eliminate the possibility of collation with the original and the level of protection of the use environment Sandbox (closed room) [Step 1] Check if there is any data other than the analysis target in the sandbox (closed room)
[Step 2] If there is no other data, it is judged appropriate that there is no connection possibility. If there is, go to [Step 3]
[Step 3] Check whether K-anonymity is applied, and if K-anonymity is applied, it is judged as appropriate; if K-anonymity is not applied, it is judged as inappropriate
* The level of protection against K-anonymity (representative or average K value, etc.) is judged by the adequacy evaluation team. Data use
agreement [Step 1] Check the sensitivity of the data you want to use, and if the data sensitivity evaluation receives an evaluation of very high or higher, it is inappropriate, otherwise go to [Step 2]
[Step 2] Review whether K-Anonymity is applied to QI and if it is applied, [Step 3] Review, if not, Inappropriate
[Step 3] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, [Step 4] Review, if not sufficient, it is inappropriate
[Step 4] Appropriate if the data was de-identified at the full disclosure level in the previous assessment of specific possibilities, otherwise [Step 5] Review
[Step 5] If a technique is applied that can sufficiently exclude linkability (connectivity between provided data) according to the characteristics of periodically provided data by checking whether data is provided periodically [Step 6] Review otherwise inappropriate
[Step 6] Based on the contract, it is decided whether it is appropriate by reviewing whether technical, administrative, and procedural measures that can sufficiently reduce connection attacks are established in the contract contents. Level 5 Data use
agreement [Step 1] Check the sensitivity of the data to be utilized, and if the above-mentioned 'Data Sensitivity' evaluation received an evaluation of high to very high, it is inappropriate, otherwise move to [Step 2] Review
[Step 2] Review whether K-anonymity is applied to quasi-identifiers, and if it is applied, go to [Step 3]. If not, go to [Step 3].
[Step 3] For the K value of K-anonymity, if a sufficient level of K is applied according to the judgment of the adequacy evaluation team, go to [Step 4]. If not enough, it is inappropriate.
[Step 4] Titration if the data was de-identified at the full disclosure level in the previous assessment of specific likelihood, otherwise go to [Step 5]
[Step 5] If a technique is applied that can sufficiently exclude linkability (connectivity between provided data) according to the characteristics of periodically provided data by checking whether data is provided periodically, go to [Step 6]; otherwise inappropriate
[Step 6] Based on the contract, it is decided whether it is appropriate by reviewing whether technical, administrative, and procedural measures that can sufficiently reduce connection attacks are established in the contract contents. full disclosure [Step 1] Check the sensitivity of the data to be utilized and if the above evaluation of 'Data Sensitivity' is evaluated above Normal, it is inappropriate, otherwise go to [Step 2]
[Step 2] Review whether K-anonymity is applied to quasi-identifiers, and if it is applied, go to [Step 3]. If not, go to [Step 3].
[Step 3] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, it is appropriate, if it is not sufficient, it is inappropriate
(For example, in the United States and Canada, if the representative K value is 20 or more, it is used for full disclosure)

classification mode of use Evaluation Criteria and Methods Level of final risk measurement result Level 1 internal analysis room [Step 1] If there is sufficient control over identification due to inference attack based on the internal information management plan, it is judged as appropriate; otherwise, it is determined as appropriate according to the judgment of the evaluation team sandbox
(den) [Step 1] Determining that there is no possibility of inference Data use
agreement [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] Based on the contract, it is decided whether it is appropriate by reviewing whether technical, administrative, and procedural measures that can sufficiently reduce inference attacks are established in the contract content. Level 2 internal analysis room [Step 1] If there is sufficient control over identification due to inference attack based on the internal information management plan, it is judged as appropriate; otherwise, it is determined as appropriate according to the judgment of the evaluation team sandbox
(den) [Step 1] Determining that there is no possibility of inference Data use
agreement [Step 1] Review whether K-anonymity is applied to quasi-identifiers and, if applicable, go to [Step 2]. If not, go to [Step 2].
[Step 2] For the K value of K-anonymity, if a sufficient level of K value is applied according to the judgment of the adequacy evaluation team, go to [Step 3], if not sufficient, it is inappropriate
[Step 3] Based on the contract, it is decided whether it is appropriate by reviewing whether technical, administrative, and procedural measures that can sufficiently reduce inference attacks are established in the contract content. Level 3 internal analysis room [Step 1] It is judged appropriate if it is applied to all columns based on whether non-identification measures (refer to ISO/IEC 20889, such as noise addition) that can prevent inference attacks are sufficiently applied to all columns except for quasi-identifiers , otherwise go to [Step 2]
[Step 2] Review the ratio of columns to which non-identification measures that can defend against inference attacks are applied, and if it is judged that it is not inappropriate according to the judgment of the evaluation team, move to [Step 3] From the column, it is recommended to apply 3/5 for very high risk, 1/2 or more for high, at least 2/5 for normal, at least 1/3 or more for low, and at least 1/5 for very low)
[Step 3] If there is sufficient control over the identification due to inference attack based on the internal information management plan, it is judged as appropriate; otherwise, it is decided according to the judgment of the evaluation team. sandbox
(den) [Step 1] Check whether the composition of the data contains content that can be inferred by common sense, and if it is not included, it is judged as appropriate. Data use
agreement [Step 1] It is judged appropriate if it is applied to all columns based on whether non-identification measures (refer to ISO/IEC 20889, such as noise addition) that can prevent inference attacks are sufficiently applied to all columns except for quasi-identifiers and, if not, go to [Step 2]
[Step 2] Review the ratio of columns to which non-identification measures that can defend against inference attacks are applied, and if it is judged that it is not inappropriate according to the judgment of the evaluation team, move to [Step 3] From the column, it is recommended to apply at least 3/4 or more in the case of very high risk, 2/3 or more in the case of high, at least 1/2 or more in the normal case, at least 1/3 or more in the case of low risk, and at least 1/4 or more in the case of very low risk. )
[Step 3] Based on the contract, determine whether it is appropriate by reviewing whether technical and administrative procedural measures that can sufficiently reduce inference attacks are established in the contract's contents Level 4 internal analysis room [Step 1] It is judged appropriate if it is applied to all columns based on whether non-identification measures (refer to ISO/IEC 20889, such as noise addition) that can prevent inference attacks are sufficiently applied to all columns except for quasi-identifiers and, if not, go to [Step 2]
[Step 2] Review the ratio of columns to which non-identification measures that can defend against inference attacks are applied, and if it is judged that it is not inappropriate according to the judgment of the evaluation team, move to [Step 3] From the column, it is recommended to apply 4/5 for very high risk, 3/4 or more for high, at least 2/3 or more for normal, at least 1/2 or more for low, and at least 2/5 or more for very low)
[Step 3] If there is sufficient control over identification due to inference attack based on the internal information management plan, it is judged as appropriate; otherwise, it is determined as appropriate according to the judgment of the evaluation team sandbox
(den) [Step 1] Check whether the composition of the data contains content that can be inferred by common sense, and if it is not included, it is appropriate. Data use
agreement [Step 1] Check the sensitivity of the data to be utilized, and if the above-mentioned data sensitivity evaluation received an evaluation of very high or higher, it is inappropriate, otherwise, review stage 2
[Step 2] Appropriate if applied to all columns based on whether the de-identification action technique (refer to ISO/IEC 20889, such as noise addition, etc.) that can prevent inference attacks is sufficiently applied to all columns except for quasi-identifiers. If not, review [Step 3]
[Step 3] Review the ratio of columns to which non-identification measures that can defend against inference attacks are applied, and if it is determined that it is not inappropriate according to the judgment of the evaluation team, move to [Step 4] It is recommended to apply at least 3/4 or more in the case of high risk from the column, at least 2/3 or more in the normal case, at least 1/2 or more in the case of low risk, and at least 1/4 or more in the case of very low risk)
[Step 4] Based on the contract, determine whether it is appropriate by reviewing whether technical and administrative procedural measures to sufficiently reduce inference attacks are established in the contract content Level 5 Data use
agreement [Step 1] Check the sensitivity of the data you want to use and if it receives an evaluation of high to very high or higher in the above-mentioned 'data sensitivity' evaluation, it is judged as inappropriate, otherwise go to [Step 2]
[Step 2] It is judged appropriate if it is applied to all columns based on whether the de-identification action technique (refer to ISO/IEC 20889 such as noise addition) is sufficiently applied to all columns except for quasi-identifiers. and, if not, go to [Step 3]
[Step 3] Review the ratio of columns to which non-identification measures that can defend against inference attacks are applied, and if it is determined that it is not inappropriate according to the judgment of the evaluation team, move to [Step 4] From the column, it is recommended to apply at least 3/4 or more in the normal case, at least 2/3 or more in the case of low, and at least 1/2 or more in the case of very low)
[Step 4] Based on the contract, it is decided whether it is appropriate by reviewing whether technical and administrative procedural measures that can sufficiently reduce inference attacks are established in the contents of the contract. full disclosure [Step 1] Check the sensitivity of the data to be utilized and if the above evaluation of 'Data Sensitivity' has been evaluated above Normal, it is judged as inappropriate, otherwise go to [Step 2]
[Step 2] It is judged appropriate if it is applied to all columns based on whether non-identification measures (refer to ISO/IEC 20889 such as noise addition) that can prevent inference attacks are sufficiently applied to all columns except for quasi-identifiers and, otherwise, inappropriate

The present invention is not limited by the above embodiments and the accompanying drawings. For those of ordinary skill in the art to which the present invention pertains, it will be apparent that the components according to the present invention can be substituted, modified and changed without departing from the technical spirit of the present invention.

Claims (5)

measuring the degree of risk for the data situation;
calculating a total risk in consideration of the data situation and determining a processing level;
performing pseudonymization or anonymization processing in consideration of the data situation according to the determined processing level;
evaluating the adequacy of the de-identified data set on which the pseudonymization or anonymization has been performed; and
Completing de-identification measures if determined to be appropriate;
The method of de-identification of personal information, characterized in that the de-identification measures include pseudonymization or anonymization.
The method of claim 1,
The data situation is a personal information de-identification method, characterized in that it includes a data utilization method, a data use environment, and the data itself.
3. The method of claim 2,
In the measuring the risk, the personal information de-identification measures method, characterized in that each of the risk for the data utilization method, the risk for the data use environment, and the risk for the data itself are measured according to predefined indicators.
4. The method of claim 3,
In the step of calculating the total risk and determining the processing level, the total risk is calculated by adding up the risk for the data utilization method, the risk to the data use environment, and the risk to the data itself according to a preset ratio, and the total risk is A method of de-identification of personal information, characterized in that it determines the level of processing based on it.
The method of claim 1,
If it is determined to be inappropriate, it re-enters the step of performing the pseudonymization or anonymization process, and repeats the processing until it is determined to be appropriate.

Images