WO2022234734A1 - Data service providing method and data service providing system - Google Patents

Data service providing method and data service providing system

Info

Publication number
WO2022234734A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
access
service
access policy
policy
Legal status
Ceased
Application number
PCT/JP2022/013071
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
真悟 宮崎
達徳 金井
祐介 城田
Current Assignee
Toshiba Data Corp
Original Assignee
Toshiba Data Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 30/00 Commerce
    • G06Q 30/02 Marketing; Price estimation or determination; Fundraising
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q 50/10 Services

Definitions

  • Embodiments of the present invention relate to data service providing methods and data service providing systems. This application claims priority based on Japanese Patent Application No. 2021-079205 filed in Japan on May 07, 2021, the content of which is incorporated herein.
  • A service business that provides services utilizing data, including users' personal data, is in operation.
  • For example, a data service providing business customizes and provides optimal information for users using a wide variety of data, such as shopping histories and healthcare information.
  • It is desired that such data can be handled seamlessly.
  • The problem to be solved by the present invention is to provide a data service providing method and a data service providing system that can handle data seamlessly.
  • A data service providing method is a method for providing data services to registered users, comprising: a data acquisition step of acquiring first data and setting an access policy for the first data; a data generation step of generating, from the first data and based on the access policy, second data for use in the data service provided to the user; and a data providing step of providing the data service based on the second data.
  • FIG. 1 is a configuration diagram of a data service providing system according to the first embodiment. FIG. 2 is a diagram showing a specific example of the same data service providing system.
  • FIG. 3 is a functional block diagram of the same data service providing system;
  • FIG. 3 is a functional block diagram of a provided data control unit of the data service providing system;
  • FIG. 5 is a functional block diagram of an access policy control unit of the same data service providing system;
  • FIG. 6 is a diagram showing a specific example of an access policy that can be set for each data provision mode in the individual user access policy;
  • FIG. 7 is a diagram showing a specific example of a consent policy in an individual user access policy and an access policy that can be set for each usage area;
  • FIG. 8 is a diagram showing a specific example of an access policy that can be set for each lifecycle of acquired data in an individual user access policy;
  • FIG. 9 is a diagram showing a specific example of an access policy that can set permission/prohibition of combination for each data type of acquired data in an individual user access policy; FIG. 10 is a diagram showing an example of a data type handling policy;
  • FIG. 11 is a diagram showing an example of data items newly created based on the combination policy;
  • FIG. 3 is a functional block diagram of a cooperation information recording unit of the data service providing system;
  • FIG. 10 is a diagram showing an example of a generated virtual table;
  • FIG. 10 is a diagram showing another example of a generated virtual table;
  • FIG. 2 is a functional block diagram of a data access control unit of the same data service providing system;
  • Display screen examples of an individual user application.
  • FIG. 1 is a configuration diagram of a data service providing system 100 according to the first embodiment.
  • the data service providing system 100 is a system that provides data services to registered users (individual user U and service provider SP). "Provision of data services" includes not only the provision of data itself, but also the provision of data analysis results and the provision of various services based on data.
  • the data service providing system 100 is composed of one or more servers.
  • a basic infrastructure of the data service providing system 100 is constructed using a known data distribution processing system.
  • the functions of the data service providing system 100 are implemented by programs executed by the processor of the server.
  • FIG. 2 is a diagram showing a specific example of the data service providing system 100.
  • the data service providing system 100 illustrated in FIG. 2 includes servers SV1, SV2, SV3, and SV4.
  • the servers SV1, SV2, SV3, and SV4 are servers that include hardware such as processors (for example, CPUs), memories, recording media such as hard disks and flash memories, and communication devices.
  • the servers SV1, SV2, SV3, and SV4 may be servers with different types of OS, software, and the like. Also, the servers SV1, SV2, SV3, and SV4 may be operated by different operating entities. Servers SV1, SV2, SV3 and SV4 may be installed in different countries or different regions.
  • servers SV3 and SV4 provide the data service providing system 100 with only part of their hardware and software resources. That is, the data service providing system 100 includes on-premises servers such as servers SV1 and SV2, and cloud servers such as servers SV3 and SV4 that provide IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service). In the following description, "server" includes any of the above servers.
  • Functional blocks (data acquisition unit 1, access policy control unit 2, cooperation control unit 3, provided data generation unit 4, data access control unit 5, etc.) of the data service providing system 100 are realized by the operation of servers (for example, servers SV1, SV2, SV3, and SV4 illustrated in FIG. 2) distributed over the network NW. Note that the functional blocks of the data service providing system 100 may be realized by the operation of one server.
  • the data service providing system 100 is connected, via a network NW, to a data device 200 managed by a data provider (DP), a smartphone, tablet terminal, personal computer or the like owned by an individual user U (hereinafter referred to as personal terminal 300), a management device 400 owned by the administrator A of the data service providing system 100, and a service providing device 500 owned by the service provider SP.
  • the data device 200, the management device 400, and the service providing device 500 may be a system composed of one or more servers.
  • the network NW may be a wide area network (WAN) such as the so-called Internet, a private network (LAN) in the building where the data service providing system 100 is installed, or a combination thereof.
  • the network NW may be either wired communication or wireless communication. Communication between each device may be mediated by another device such as an access point.
  • FIG. 3 is a functional block diagram of the data service providing system 100.
  • the data service providing system 100 includes a data acquisition unit 1 , an access policy control unit 2 , a cooperation control unit 3 , a provided data generation unit 4 and a data access control unit 5 .
  • the data acquisition unit 1 acquires data including the personal data of the individual user U from the data device 200 of the data provider DP, and records it as acquired data (first data) D.
  • the data access control unit 5 controls the response to a data service request from a service provider SP or the like.
  • the provided data generation unit 4 generates provided data (second data) from the acquired data (first data) D in response to a data access request via the data access control unit 5 .
  • the access policy control unit 2 controls an access policy for acquired data (first data) D when generating provided data (second data).
  • the cooperation control unit 3 controls cooperation with a service business SB (Service business) and a data provision business DB (Data provision business).
  • FIG. 4 is a functional block diagram of the data acquisition unit 1. The data acquisition unit 1 acquires data including personal data of the individual user U from the data device 200 of the data provider DP, and records it as acquired data (first data) D (data acquisition step). The data acquisition unit 1 also provides the acquired data D to the provided data generation unit 4. The data acquisition unit 1 has a data import interface 11 and an acquired data recording unit 12.
  • the data import interface 11 is an interface that acquires data from the data device 200 of the data provider DP.
  • the data device 200 of the data provider DP provides data including the personal data of the individual user U, which is obtained based on the consent of the individual user U, to the data service providing system 100 via the data import interface 11.
  • the data import interface 11 acquires data from the data device 200 of the data provider DP and records it in the acquired data recording unit 12 based on the contract with the data provider DP.
  • the data import interface 11 may acquire data in real time from a device connected via an API (Application Programming Interface), for example (streaming type).
  • the acquired data recording unit 12 is a data storage that records the acquired data (first data) D acquired from the data provider DP.
  • Acquired data (first data) D may be the raw data itself acquired from the data provider DP, or processed data that has been converted into a standard data format or the like by a data processing unit (not shown). Processed data is, for example, statistical data, aggregated data, or anonymized data.
  • the data service providing system 100 has three data acquisition units 1.
  • when the three data acquisition units 1 are distinguished, they are referred to as a first data acquisition unit 1A, a second data acquisition unit 1B, and a third data acquisition unit 1C.
  • the data acquisition unit 1 acquires and records acquired data D including multiple data types with different handling policies.
  • Data including a plurality of data types with different handling policies is also called a "data group”.
  • the first data acquisition unit 1A acquires and records the purchase data D1 provided by the first data providing business DB1 from the data device 200 (hereinafter also referred to as "data device 200A") managed by the data provider DP1.
  • the purchase data D1 is, for example, purchase detail data of a receipt, settlement data, and the like.
  • the data import interface 11 (hereinafter also referred to as “data import interface 11A") of the first data acquisition unit 1A is an interface capable of acquiring the purchase data D1 from the data provider DP1.
  • the second data acquisition unit 1B acquires and records HR (Human Resources) data D2 provided by the second data providing business DB2 from the data device 200 (hereinafter also referred to as "data device 200B") managed by the data provider DP2.
  • the HR data D2 is, for example, personnel announcement data, attendance data, salary data, education data, and the like.
  • the data import interface 11 of the second data acquisition unit 1B (hereinafter also referred to as "data import interface 11B") is an interface capable of acquiring the HR data D2 from the data provider DP2.
  • the third data acquisition unit 1C acquires and records health data D3 provided by the third data providing business DB3 from the data device 200 (hereinafter also referred to as "data device 200C") managed by the data provider DP3.
  • the health data D3 is, for example, health checkup data and daily vital health data.
  • the data import interface 11 (hereinafter also referred to as "data import interface 11C") of the third data acquisition unit 1C is an interface capable of acquiring the health data D3 from the data provider DP3.
  • the data import interface 11 differs depending on the type of data handled and the data provider. Note that the data import interface 11 may be a general-purpose interface that can be used regardless of the type of data handled or the data provider.
  • the data acquisition units 1 (the first data acquisition unit 1A, the second data acquisition unit 1B, and the third data acquisition unit 1C) are distributed storage provided in different servers, so that a plurality of data types with different handling policies can be stored in a distributed manner.
  • the data acquisition section 1 (the first data acquisition section 1A, the second data acquisition section 1B, and the third data acquisition section 1C) may be provided in the same server.
  • Acquired data D may also be data including personal data such as the three types of education data (intellectual education data, physical education data, moral education data), education attendance data, qualification acquisition data, medical examination data, power consumption data, gas usage data, water usage data, communication details data, schedule data, and music/video viewing data.
  • "purchase data", "HR data", and "health data" are used as examples of data types with different handling policies, but the data types with different handling policies are not limited to these.
  • when purchase data is acquired from a plurality of different data providers, it may be handled as acquired data in which a single data type has different handling policies.
  • for example, highly reliable purchase data, and purchase data (medium-reliability purchase data) input by an individual user U through camera shooting or manual input using a predetermined application that operates on a mobile terminal or the like, may be treated as acquired data including data types with different handling policies.
  • acquired data including data types with different handling policies is not limited to data acquired from data providers. Data directly acquired from the individual user U by the operator of the data service providing system 100 may also be handled as acquired data including data types with different handling policies.
  • FIG. 5 is a functional block diagram of the access policy control unit 2.
  • the access policy control unit 2 controls access policies for the obtained data D recorded in the obtained data recording unit 12 .
  • the access policy is the permission/prohibition of access to the acquired data D, access conditions, and the like.
  • the access policy may include information on the erasure period of the acquired data D, the usage period of the converted data that has undergone processing such as anonymization from the raw data at the time of acquisition, the life cycle, and the like.
  • the access policy may include information regarding whether or not it is possible to use a combination of different types of data.
  • the access policy control section 2 has an access policy interface 21 and an access policy recording section 24 .
  • the access policy interface 21 is an interface that connects the personal terminal 300 and the management device 400 owned by the administrator A of the data service providing system 100 .
  • access policy interface 21 includes an API that connects personal terminal 300 and management device 400 with access policy recording unit 24 .
  • the access policy interface 21 has an individual user interface 22 and an administrator interface 23 .
  • the personal user interface 22 includes an API that connects the personal terminal 300 and the access policy recording unit 24. Also, the personal user interface 22 connects the personal terminal 300 and the data access control unit 5.
  • the administrator interface 23 includes an API that connects the management device 400 owned by the administrator A and the access policy recording unit 24 .
  • the access policy recording unit 24 records the access policy for the acquired data D. Access policies recorded in the access policy recording unit 24 are managed by the individual user U and the administrator A via the access policy interface 21 .
  • the access policy recording section 24 has a first access policy recording section 25 and a second access policy recording section 26 .
  • the first access policy recording unit 25 records the access policy set by the personal user U via the personal user interface 22 .
  • Access policies recorded by the first access policy recording unit 25 include an individual user access policy 251 and a comprehensive access policy 252 .
  • the individual user access policy 251 is an access policy in which whether or not access by the service business SB to the acquired data D including the personal data of the individual user U is permitted is set for each individual user U.
  • the individual user access policy 251 can be set, for example, for each data providing business DB that provided the acquired data D, each service business SB that uses the acquired data D, each data type and purpose of use of the acquired data D, each data provision mode, each consent policy, each area of use, each life cycle of the acquired data D, and so on.
  • An individual user U can set an individual user access policy 251 for any combination of these conditions.
  • the access policy that can be set for each data providing business DB in the individual user access policy 251 is, for example, data access permission/prohibition when the data providing business DB that provided the acquired data D is the "first data providing business DB1" or the "second data providing business DB2".
  • the access policy that can be set for each service business SB in the individual user access policy 251 is, for example, data access permission/prohibition when the service business SB is "first service business SB1" or "second service business SB2".
  • the access policy may be a data access permission/prohibition that can be set for each service provider SP, such as "service provider SP1" that provides "first service business SB1" and "second service business SB2".
  • the access policy may be data access permission/prohibition that can be set for each service provider category such as "medical care", "finance", "entertainment", and "academic institution".
  • the access policy that can be set for each service business SB in the individual user access policy 251 may also be data access permission/prohibition based on attribute information such as business category or industry type, for example whether the service business SB is a "public utility business" or a "commercial business".
  • the access policy that can be set for each data type in the personal user access policy 251 is, for example, whether or not data can be accessed when the data type is "purchasing data D1" or "health data D3".
  • the access policy that can be set for each purpose of use in the individual user access policy 251 is, for example, whether or not data can be accessed when the purpose of use is "statistical use that does not identify an individual" or "non-statistical use that identifies an individual".
  • the case in which an individual is identified may include a case in which an individual user can be distinguished from other individual users even though the personal identification information does not lead to identification of the individual.
  • FIG. 6 is a diagram showing a specific example of an access policy that can be set for each data provision mode in the personal user access policy 251.
  • The specific example shown in FIG. 6 is matrix data in which an access policy is set for each data type and data provision mode.
  • the access policy to be set is whether or not the service business SB can access the acquired data D, specifically, "service business SB that agrees to use" and "service business SB that does not agree to use".
  • the number in parentheses indicates the purpose of use.
  • in FIG. 6, the data type is purchase data.
  • for the corporate service business S0001 (described as "company S0001" in FIG. 6), it is agreed that, when the purpose of use is service collaboration, the data may be provided in a form in which an individual can be identified.
  • provision of data in a form that can identify an individual to the corporate service business S1001 (described as "company S1001" in FIG. 6) is suspended (prohibited) regardless of the purpose of use.
  • FIG. 7 is a diagram showing a specific example of the consent policy in the individual user access policy 251 and the access policy that can be set for each usage area.
  • in FIG. 7, the data type of the acquired data D is purchase data, and raw data that can identify an individual is provided.
  • an access policy is set such that the member's consent (per-use consent) is required for each use by the service business SB, and the area of use is limited to Japan.
  • FIG. 8 is a diagram showing a specific example of an access policy that can be set for each life cycle of acquired data D in the personal user access policy 251.
  • in FIG. 8, the data type of the acquired data D is purchase data.
  • an access policy is set for the storage period of the raw purchase data: the period of use is three years, and if the raw purchase data is pseudonymized, the period of use is up to three years after withdrawal.
  • FIG. 9 is a diagram showing a specific example of an access policy that can set whether or not combinations of acquired data D can be combined for each data type in the personal user access policy 251.
  • in FIG. 9, for a member (individual user U) with member ID #0081100100000002, purchase data can be provided in combination with different data (purchase data, HR data, health data, Saniku (three types of education) data, training attendance data, qualification data, communication details data, schedule data, viewing data); however, depending on the combination, the provision destination may be limited to health providers, medical institutions, etc.
  • the different data referred to here includes not only data of different data types but also data of the same type but obtained from different sources.
  • the individual user access policy 251 shown in FIGS. 7 and 8 can also be set for each individual user U.
  • the individual user access policy 251 shown in FIGS. 7 and 8 may be in a form common to individual users U belonging to a set group or to all individual users U.
  • the comprehensive access policy 252 is an access policy that comprehensively specifies the individual user access policy 251.
  • the comprehensive access policy 252 roughly indicates whether or not the individual user U is allowed to access personal data using, for example, step-by-step indicators from level 1 to level 5.
  • The individual user U can roughly set the individual user access policy 251 for each individual user U by setting the comprehensive access policy 252, without setting all the individual user access policies 251.
  • the "personal user access policy 251" includes the individual user access policy 251 roughly set by the comprehensive access policy 252.
  • the personal user U can access the personal user access policy 251 using an application implemented using the API of the personal user interface 22 .
  • the application may be a native application running on the personal terminal 300 or a web application running on the data service providing system 100 .
  • the application implemented using the API of the personal user interface 22 will also be referred to as "personal user application AP1".
  • the second access policy recording unit 26 records access policies set by the administrator A via the administrator interface 23 .
  • the access policy recorded by the second access policy recording unit 26 includes virtual table definition information 261 , data type handling policy 262 , data type combination policy 263 , and service business access policy 264 .
  • the virtual table definition information 261 is definition information used to set the access policy, and defines the specifications of the virtual table T generated by the provided data generation unit 4 .
  • the specification defined in the virtual table definition information 261 is, for example, a schema indicating the structure of the virtual table T, data items (columns), and the like.
  • a “data item” is the type of data handled in the virtual table T (content, data type, etc.).
  • a data item to be defined may be a data item included in the acquired data D in advance, or may be a data item newly created by combining data items of different acquired data D.
  • the data type handling policy 262 is an access policy that sets the handling of the acquired data D for each data type.
  • the data type handling policy 262 is, for example, a handling policy for the purchase data D1, a handling policy for the HR data D2, and a handling policy for the health data D3.
  • by setting a handling policy for each data type, the data service providing system 100 can handle a wide variety of acquired data D.
  • FIG. 10 is a diagram showing a specific example of the data type handling policy 262.
  • Acquired data D is classified into one of five information handling levels based on the data type, as shown in FIG.
  • the data type handling policy 262 is set for each of the five information handling levels, and specifies, for example, a means of identifying the individual user U, a means of authenticating the person, an area restriction on the storage area of the acquired data D, and a data storage method.
  • the information handling level shown in FIG. 10 is a numerical value; the larger the number, the stricter the restrictions imposed on data handling.
  • the data type combination policy 263 is an access policy that sets a combination of acquired data D with different data types.
  • the data type combination policy 263 is, for example, a rule for using the purchase data D1 and the health data D3 in combination.
  • FIG. 11 is a diagram showing an example of data items newly created based on the data type combination policy 263.
  • the data items of the acquired data D of different data types are combined based on the data type combination policy 263 and used as a new data item.
  • the data items "food purchase date” and "purchased food name” of the purchase data D1 and the data item "exercise date” of the health data D3 are combined to form new data. Used as the item "name of food purchased before and after exercise”.
  • a new data item can be easily generated by seamlessly associating data items of data types with different handling policies.
  • the highest information handling level among the information handling levels of the acquired data D used for the combination is set as the information handling level of the data obtained by combining the acquired data D with different information handling levels.
  • the information handling level of data obtained by combining purchase data with information handling level 2 and HR data with information handling level 3 is "3".
  • the data type may be further subdivided and the information handling level may be set for each data item. As a result, when a data item including My Number information is included in the HR data, the data item can be set to an information handling level suitable for handling specific personal information.
  • the data type combination policy 263 may be a rule or the like for combining and using acquired data D with different reliability levels.
  • for example, the acquired data D includes highly reliable purchase data (first purchase data), and purchase data (medium-reliability purchase data, second purchase data) input by the individual user U, based on the information printed on a paper receipt, through camera shooting or manual input using a predetermined application running on a mobile terminal or the like.
  • the data type combination policy 263 is a rule that prohibits combining high-reliability purchase data (first purchase data) and medium-reliability purchase data (second purchase data), which have different reliability levels.
  • highly reliable purchase data (first purchase data), which is difficult to modify or forge and is free from erroneous recognition by applications on mobile terminals and erroneous input by individual users, can thus be prohibited from being used in combination with second purchase data of relatively low reliability, so that a highly reliable data service can be provided.
  • the service business access policy 264 is an access policy in which whether or not the service business SB can access the acquired data D is set for each service business SB based on the contract with the service provider SP.
  • the service business access policy 264 is set for each “data item” defined in the virtual table definition information 261 .
  • the service business access policy 264 can, for example, be set generically to disallow access by the first service business SB1 to all data items relating to HR data D2.
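The following is an added illustration, not code from the patent or from Toshiba, of how a data access request would be checked against the individual user access policy 251 (the FIG. 6 style matrix and the area-of-use restriction), the data type combination policy 263 (including the reliability rule) and the service business access policy 264 before provided data is generated, and how the combined result inherits the highest information handling level. All policy values, data item names, provision mode labels, level numbers and the `evaluate` function are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional

# Information handling level per data type (larger = stricter), in the spirit of
# the five-level data type handling policy. The numbers here are constructed.
HANDLING_LEVEL = {"purchase": 2, "hr": 3, "health": 4}


@dataclass(frozen=True)
class DataItem:
    name: str
    data_type: str             # "purchase", "hr" or "health"
    reliability: str = "high"  # "high" = first purchase data, "medium" = second purchase data


@dataclass
class IndividualUserPolicy:
    """Individual user access policy: (data type, provision mode, service business)
    -> "consent" | "per_use" | "prohibited", plus an area-of-use restriction.
    Cells the user never set are treated as prohibited (default deny)."""
    matrix: dict
    allowed_areas: frozenset

    def decide(self, data_type: str, mode: str, sb: str) -> str:
        return self.matrix.get((data_type, mode, sb), "prohibited")


@dataclass
class AdministratorPolicy:
    """Administrator-side policies: per-item denials per service business
    (service business access policy) and which data types may be joined
    (data type combination policy)."""
    denied_items: dict              # service business -> set of data item names
    combinable: frozenset           # set of frozenset({type_a, type_b}) pairs
    forbid_mixed_reliability: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    handling_level: Optional[int] = None
    needs_per_use_consent: bool = False


def evaluate(sb: str, items: list, mode: str, area: str,
             user: IndividualUserPolicy, admin: AdministratorPolicy) -> Decision:
    """Decide whether provided data may be generated for this request and, if so,
    which information handling level the combined data inherits."""
    d = Decision(allowed=True)

    if area not in user.allowed_areas:
        d.reasons.append(f"area of use {area!r} not permitted by the individual user")

    for it in items:
        verdict = user.decide(it.data_type, mode, sb)
        if verdict == "prohibited":
            d.reasons.append(f"user prohibits {it.data_type}/{mode} for {sb}")
        elif verdict == "per_use":
            d.needs_per_use_consent = True      # each-time consent must be collected
        if it.name in admin.denied_items.get(sb, set()):
            d.reasons.append(f"administrator denies {sb} access to item {it.name!r}")

    types = {it.data_type for it in items}
    for a, b in combinations(sorted(types), 2):   # every pair of joined types
        if frozenset((a, b)) not in admin.combinable:
            d.reasons.append(f"combination policy forbids joining {a} with {b}")

    if admin.forbid_mixed_reliability:
        for t in types:
            if len({it.reliability for it in items if it.data_type == t}) > 1:
                d.reasons.append(f"mixed-reliability {t} data may not be combined")

    if d.reasons:
        d.allowed = False
        return d
    # Combined data takes the strictest level of its sources.
    d.handling_level = max(HANDLING_LEVEL[t] for t in types)
    return d


# Constructed sample policies: S0001 may receive identifiable purchase data and,
# with per-use consent, health data; S1001 only gets statistical purchase data.
USER_POLICY = IndividualUserPolicy(
    matrix={
        ("purchase", "identifiable_raw", "S0001"): "consent",
        ("health", "identifiable_raw", "S0001"): "per_use",
        ("purchase", "statistical", "S1001"): "consent",
    },
    allowed_areas=frozenset({"JP"}),
)
ADMIN_POLICY = AdministratorPolicy(
    denied_items={"S0001": {"salary", "attendance"}},   # no HR items for S0001
    combinable=frozenset({frozenset({"purchase", "health"})}),
)

# Constructed data items; the first three form "food purchased before and after exercise".
FOOD_DATE = DataItem("food_purchase_date", "purchase")
FOOD_NAME = DataItem("purchased_food_name", "purchase")
EXERCISE_DATE = DataItem("exercise_date", "health")
RECEIPT_PHOTO = DataItem("receipt_photo_items", "purchase", reliability="medium")
SALARY = DataItem("salary", "hr")

if __name__ == "__main__":
    print(evaluate("S0001", [FOOD_DATE, FOOD_NAME, EXERCISE_DATE],
                   "identifiable_raw", "JP", USER_POLICY, ADMIN_POLICY))
    print(evaluate("S0001", [FOOD_DATE, RECEIPT_PHOTO],
                   "identifiable_raw", "JP", USER_POLICY, ADMIN_POLICY))
```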
  • Administrator A can access the first access policy recording section 25 and the second access policy recording section 26 using an application implemented using the API of the administrator interface 23 .
  • the application may be a native application that runs on the management device 400 owned by the administrator A, or a web application that runs on the data service providing system 100 .
  • FIG. 12 is a functional block diagram of the cooperation control unit 3. As shown in FIG. 12, the cooperation control unit 3 controls mutual cooperation among the individual user U, the service business SB, and the data providing business DB. The cooperation control unit 3 has a cooperation interface 31 and a cooperation information recording unit 34.
  • The cooperation interface 31 is an interface connected to the service providing device 500 owned by the service provider SP and to the management device 400 owned by the administrator A of the data service providing system 100.
  • The cooperation interface 31 includes an API that connects the service providing device 500 and the management device 400 with the cooperation information recording unit 34.
  • The cooperation interface 31 has a service business cooperation interface 32 and an administrator cooperation interface 33.
  • The service business cooperation interface 32 includes an API that connects the service providing device 500 owned by the service provider SP with the cooperation information recording unit 34.
  • The administrator cooperation interface 33 includes an API that connects the management device 400 owned by the administrator A with the cooperation information recording unit 34.
  • The cooperation interface 31 may also have a data providing business cooperation interface that connects the data device 200 owned by the data provider DP with the cooperation information recording unit 34.
  • The cooperation information recording unit 34 records cooperation information of the users of the data service providing system 100.
  • The cooperation information recording unit 34 has a business operator cooperation information recording unit 35 and an individual user cooperation information recording unit 36.
  • The business operator cooperation information recording unit 35 records data providing business cooperation information 351 and service business cooperation information 352.
  • The data providing business cooperation information 351 is metadata indicating details such as the member ID data (hereinafter "first cooperation member ID data") and the item codes contained in the data provided by the data provider DP in the data providing business DB.
  • The data providing business cooperation information 351 also includes contract management information (which may include terms of use and agreement data for those terms) that defines the content of the use contract with the data provider DP.
  • The service business cooperation information 352 is data indicating details such as the member ID data (hereinafter "second cooperation member ID data") used in the service business SB.
  • The second cooperation member ID data is the identifier the service business SB uses when reading data via the data access control unit 5.
  • The service business SB can update the service business cooperation information 352 and acquire cooperation information via the service business cooperation interface 32.
  • The service business cooperation information 352 includes contract management information (which may include terms of use and agreement data for those terms) that defines the content of the use contract with the service provider SP regarding the service business SB.
  • The individual user cooperation information recording unit 36 records data such as the member ID data of the registered individual users U who use the data service providing system 100.
  • The administrator A can update the data recorded in the individual user cooperation information recording unit 36 via the administrator cooperation interface 33.
  • The cooperation control unit 3 generates cooperation information that associates the first cooperation member ID data and the second cooperation member ID data with the member ID data of the corresponding individual user recorded in the individual user cooperation information recording unit 36.
  • Through this association, the individual user U, the service business SB, and the data providing business DB can cooperate with each other.
  • The first cooperation member ID data and the second cooperation member ID data need not be the member ID data itself; they may be any data that indicates the cooperation relationship.
  • The provided data generation unit 4 generates provided data (second data) from the acquired data (first data) D in response to a data access request made by a registered user (individual user U or service provider SP) via the data access control unit 5.
  • The data that registered users (individual user U and service provider SP) can read via the data access control unit 5 is therefore not the acquired data D recorded in the acquired data recording unit 12 but the provided data (second data).
  • The provided data generation unit 4 generates a virtual table T corresponding to the data access request as the provided data (second data).
  • A virtual table T is a table generated for each data access request; it is not recorded in its entirety in a nonvolatile recording unit.
  • The provided data generation unit 4 responds to the data access request from the data access control unit 5 on the basis of the generated virtual table T.
  • As shown in the corresponding figure, the provided data generation unit 4 has an access control integration unit 41 and a virtual table generation unit 42.
  • The access control integration unit 41 integrates the access policies recorded in the access policy recording unit 24 with the cooperation information generated in the cooperation information recording unit 34, in response to the data access request from the data access control unit 5, to generate "access control information".
  • The generated access control information includes the individual user access policies 251 for the personal data of the plural individual users U contained in the acquired data D covered by the data access request from the data access control unit 5.
  • The generated access control information includes the service business access policy 264 set for the service business SB that made the data access request.
  • The generated access control information includes the cooperation information that associates the member ID data in the individual user cooperation information recording unit 36 with the first cooperation member ID data and the second cooperation member ID data.
  • The virtual table generation unit 42 generates a virtual table (second data) T from the acquired data (first data) D on the basis of the access control information generated by the access control integration unit 41.
  • The virtual table generation unit 42 obtains from the data acquisition unit 1 the acquired data D needed to respond to the data access request from the data access control unit 5, using the cooperation information contained in the access control information.
  • The virtual table generation unit 42 generates the virtual table (second data) T from the acquired data (first data) D on the basis of the individual user access policy 251 contained in the access control information. For example, if the individual user U has restricted use of personal data for the service business SB that made the data access request, or for its purpose of use, the virtual table generation unit 42 generates a virtual table T that excludes the corresponding personal data.
  • The virtual table generation unit 42 generates the virtual table (second data) T from the acquired data (first data) D on the basis of the service business access policy 264 contained in the access control information. For example, if use of a specific data item is restricted for the service business SB that made the data access request, the virtual table generation unit 42 generates a virtual table T that excludes that data item.
  • FIG. 13 is a diagram showing an example of the generated virtual table T.
  • The virtual table generation unit 42 generates a virtual table T for each service business SB that has made a data access request. For example, as shown in FIG. 13, the virtual table generation unit 42 creates a first virtual table T1 for a data access request from the first service business SB1, a second virtual table T2 for a data access request from the second service business SB2, and a third virtual table T3 for a data access request from the third service business SB3. However, if several data access requests share the same access control information, the virtual table generation unit 42 may generate a single virtual table T and use it to respond to all of them.
  • FIG. 14 is a diagram showing another example of the generated virtual table T.
  • The virtual table generation unit 42 may generate a hierarchical virtual table T whose tables are linked in multiple stages.
  • For example, the hierarchical virtual table T4 links a virtual table of purchase data (upper layer virtual table) with virtual tables obtained by extracting, from that upper layer virtual table, the purchase data for a specific region.
  • The hierarchical virtual table T5 links a virtual table (upper layer virtual table) obtained by merging purchase data and HR data in accordance with the data type combination policy 263, a virtual table of statistical data calculated from the upper layer virtual table, and a virtual table obtained by anonymizing the upper layer virtual table in accordance with the individual user access policy 251.
  • By linking tables in this way, the virtual table generation unit 42 can avoid repeating processing when generating the virtual table T.
  • The access policy of a hierarchical virtual table T may be inherited from the upper layer virtual table.
  • For example, a lower layer virtual table linked to the purchase data virtual table (upper layer virtual table) may inherit information handling level 2 from it.
  • On the other hand, a virtual table produced by anonymizing an upper layer virtual table at information handling level 3 no longer contains information that can identify individuals. The anonymized virtual table may therefore be assigned a lower information handling level than the upper layer virtual table, for example information handling level 2.
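  • The two rules above (a lower layer table inherits the upper layer's information handling level; an anonymized table may be assigned a lower level) can be made explicit in code. The following is an added example written for this page, not code from the patent or from Toshiba Data Corp: the level numbers (3 for identifiable personal data, 2 for data that no longer identifies individuals), the age-band generalization, the k threshold and all rows are constructed. It goes slightly beyond the text in one respect: the level is lowered only after checking that every generalized row shares its quasi-identifier values with at least k - 1 others, so a statistics table that merely aggregates still inherits level 3 by default.

```python
"""Hierarchical virtual table with information handling level inheritance.

Added example, not code from the patent or from Toshiba Data Corp. Level numbers,
the generalisation, the k threshold and the rows are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

IDENTIFIABLE_LEVEL = 3   # constructed: data that can identify an individual
ANONYMIZED_LEVEL = 2     # constructed: data that no longer identifies anyone


@dataclass
class VirtualTable:
    name: str
    rows: List[dict]
    handling_level: int
    parent: Optional["VirtualTable"] = None

    def derive(self, name: str, transform: Callable[[List[dict]], List[dict]]) -> "VirtualTable":
        """Lower layer table linked to this one. Extraction, merging and
        statistics all go through here and simply inherit the level."""
        return VirtualTable(name, transform(self.rows), self.handling_level, self)

    def anonymize(self, name: str, drop: Iterable[str], quasi: Iterable[str],
                  generalize: Dict[str, Callable], k: int) -> "VirtualTable":
        """Drop direct identifiers, generalise quasi-identifiers, and lower the
        level only if the result is k-anonymous on the quasi-identifiers."""
        drop, quasi = set(drop), tuple(quasi)
        out = []
        for r in self.rows:
            new = {c: v for c, v in r.items() if c not in drop}
            for col, fn in generalize.items():
                if col in new:
                    new[col] = fn(new[col])
            out.append(new)
        classes = Counter(tuple(r.get(c) for c in quasi) for r in out)
        smallest = min(classes.values()) if classes else 0
        if smallest < k:
            raise ValueError(f"{name}: smallest equivalence class is {smallest} < k={k}; "
                             "level not lowered")
        return VirtualTable(name, out, min(self.handling_level, ANONYMIZED_LEVEL), self)

    def lineage(self) -> List[tuple]:
        """(name, level) from the upper layer down to this table."""
        chain, t = [], self
        while t is not None:
            chain.append((t.name, t.handling_level))
            t = t.parent
        return chain[::-1]


# Constructed acquired purchase data (member_id is the direct identifier).
PURCHASE = [
    {"member_id": "U-1", "age": 34, "region": "Tokyo", "amount": 1200},
    {"member_id": "U-2", "age": 38, "region": "Tokyo", "amount": 800},
    {"member_id": "U-3", "age": 41, "region": "Osaka", "amount": 300},
    {"member_id": "U-4", "age": 45, "region": "Osaka", "amount": 950},
]


def age_band(age: int) -> str:
    """Constructed generalisation: 34 -> "30s", 45 -> "40s"."""
    return f"{age // 10 * 10}s"


def region_stats(rows: List[dict]) -> List[dict]:
    """Count and total per region; aggregation alone does not lower the level."""
    return [{"region": reg,
             "count": sum(1 for r in rows if r["region"] == reg),
             "total": sum(r["amount"] for r in rows if r["region"] == reg)}
            for reg in sorted({r["region"] for r in rows})]


def build_hierarchy(k: int = 2):
    """Upper layer purchase table plus three linked lower layer tables, in the
    spirit of T4 and T5 in the text."""
    upper = VirtualTable("purchase", PURCHASE, IDENTIFIABLE_LEVEL)
    tokyo = upper.derive("purchase_tokyo", lambda rows: [r for r in rows if r["region"] == "Tokyo"])
    stats = upper.derive("purchase_stats_by_region", region_stats)   # inherits level 3
    anon = upper.anonymize("purchase_anonymized", drop={"member_id"},
                           quasi=("age", "region"), generalize={"age": age_band}, k=k)
    return upper, tokyo, stats, anon


if __name__ == "__main__":
    for t in build_hierarchy():
        print(t.lineage(), t.rows[:1])
```

  With k=2 the four constructed rows fall into two equivalence classes of size 2, so the anonymized table is assigned level 2 while the regional extract and the statistics table keep level 3; with k=3 `anonymize` raises and no lower-level table is produced.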
  • FIG. 15 is a functional block diagram of the data access control unit 5.
  • The data access control unit 5 responds to data service requests from registered users (individual user U and service provider SP). After receiving a data service request, the data access control unit 5 issues a data access request to the provided data generation unit 4 in order to access the provided data (second data) needed to provide the requested data service.
  • The data access control unit 5 provides the data service to the requester on the basis of the provided data (second data) obtained from the provided data generation unit 4.
  • Providing a data service includes not only providing data itself but also providing data analysis results and various services based on data.
  • Data services may be provided by allowing the user to access provided data generated within the data service providing system 100, or by sending the generated provided data to the user via a predetermined network, among other methods.
  • Each data service request carries an ID or the like that identifies the access source at the granularity of service provider SP, service business SB, or individual user U, so that the requester of every data service request can be identified.
  • The data access control unit 5 has a service business data access interface 52 and an individual user data access interface 53.
  • The service business data access interface 52 includes an API that connects the service providing device 500 owned by the service provider SP with the provided data generation unit 4.
  • The service business SB can receive data services from the data service providing system 100 via the service business data access interface 52.
  • The service business data access interface 52 includes, for example, an API for data search, an API for data analysis, and an API for visualizing data analysis results.
  • The individual user data access interface 53 connects the individual user interface 22 with the provided data generation unit 4. Via the individual user interface 22 and the individual user data access interface 53, the individual user U can check how the service business SB accesses the personal data of the individual user U.
  • FIGS. 16 to 19 show examples of display screens of the individual user application AP1 running on the personal terminal 300.
  • The individual user application AP1 is an application implemented with the API of the individual user interface 22.
  • The individual user U can access the individual user access policy 251 using the individual user application AP1.
  • The individual user application AP1 shown in FIG. 16 displays an individual user access policy setting window 301.
  • The individual user access policy setting window 301 consists of a first window 302 for setting the individual user access policy 251 for each service business SB, a second window 303 for setting the individual user access policy 251 for each data type, and a third window 304 for setting the individual user access policy 251 for each purpose of use.
  • In the first window 302, the individual user U can use the switch buttons SW to set, for each service business SB, whether access to the personal data of the individual user U is permitted.
  • In the example shown, access to personal data by the first service business SB1 and the second service business SB2 is permitted, while access by the third service business SB3 and the fourth service business SB4 is not permitted.
  • The service business SB may provide a cooperative application AP2 that runs on the personal terminal 300.
  • When the individual user U chooses to permit access for a service business, the individual user application AP1 may start cooperation between the data service providing system 100 and that cooperative application AP2.
  • In the second window 303, the individual user U can use the switch buttons SW to set, for each data type, whether access to the personal data of the individual user U is permitted.
  • In the example shown, access to personal data relating to the purchase data D1 and the health data D3 is permitted, but access to personal data relating to the HR data D2 is not permitted.
  • In the third window 304, the individual user U can use the switch buttons SW to set, for each purpose of use, whether access to the personal data of the individual user U is permitted.
  • In the example shown, access to personal data is permitted when the purpose of use is "statistical use that does not identify an individual", but not when the purpose of use is "non-statistical use that identifies an individual".
  • The individual user access policy 251 settable in the individual user application AP1 may be configured so that permission for each purpose of use can be set separately for each data type.
  • For example, the individual user access policy 251 for the purchase data D1 can be set to consent to both "non-personally identifiable statistical use" and "personally identifiable non-statistical use".
  • The individual user access policy 251 for the HR data D2 can be set to consent to "non-personally identifiable statistical use" but not to "personally identifiable non-statistical use".
  • For combined data formed from the purchase data D1 and the HR data D2, the policy may take the form that access to the combined data is not permitted if access to either component is not permitted, or the form that access to the combined data is permitted.
  • The setting items for "personally identifiable non-statistical use" may be subdivided. For example, permission may be set separately for a "purpose of use A" that uses all data items of a single set of purchase data and a "purpose of use B" that uses only the purchase data corresponding to a specific purchase area or a specific product.
  • The individual user access policy 251 can also be set so that, as a rule, use of the purchase data D1, the HR data D2, and the health data D3 is permitted when the purpose of use is, for example, medical research.
  • All of the individual user access policies 251 set in the individual user access policy setting window 301 are taken into account when the provided data generation unit 4 generates the provided data (second data).
  • If at least one of the set individual user access policies 251 is "not permitted", the provided data generation unit 4 does not use the corresponding personal data as provided data (second data).
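  • The deny-wins rule above, together with the service business access policy 264, the data type combination policy 263 and the ID linkage held by the cooperation control unit 3, is what the access control integration unit 41 and the virtual table generation unit 42 have to combine for every request. The following Python is an added example written for this page, not code from the patent or from Toshiba Data Corp; every ID, row, policy value and the reliability check are constructed. It shows the points a reviewer would look for: the service business receives rows keyed by its own member IDs only, users with no cooperation link to that business never appear, a single "not permitted" switch removes a user's row, the per-item policy 264 projects columns, and policy 263 refuses a table that mixes high- and medium-reliability purchase data.

```python
"""Access-control integration and virtual table generation.

Added example, not code from the patent or from Toshiba Data Corp. It models the
access control integration unit 41 and virtual table generation unit 42 as the
text describes them; every ID, row and policy value below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IndividualPolicy:
    """Individual user access policy 251: the three switch windows (per service
    business, per data type, per purpose of use). All three must permit."""
    businesses: frozenset
    data_types: frozenset
    purposes: frozenset

    def permits(self, sb: str, data_type: str, purpose: str) -> bool:
        # Deny-wins: if at least one switch is "not permitted", the user's
        # personal data is left out of the provided data entirely.
        return (sb in self.businesses
                and data_type in self.data_types
                and purpose in self.purposes)


# Constructed acquired data D as delivered by a data provider DP. Rows carry the
# provider's member ID (first cooperation member ID), never the SB's.
ACQUIRED_DATA = {
    "purchase": [
        {"first_id": "DP-001", "item_code": "4901234567890", "amount": 1200,
         "region": "Tokyo", "reliability": "high"},
        {"first_id": "DP-002", "item_code": "4901234567891", "amount": 800,
         "region": "Osaka", "reliability": "high"},
        {"first_id": "DP-003", "item_code": "4901234567892", "amount": 300,
         "region": "Tokyo", "reliability": "medium"},  # typed in from a receipt
    ],
    "hr": [
        {"first_id": "DP-001", "department": "sales", "grade": 3},
        {"first_id": "DP-002", "department": "r&d", "grade": 4},
    ],
}

# Constructed cooperation information (recording unit 34): both external ID
# spaces resolve to the internal member ID, and only inside this system.
FIRST_ID_TO_MEMBER = {"DP-001": "U-1", "DP-002": "U-2", "DP-003": "U-3"}
SECOND_ID_TO_MEMBER = {("SB1", "sb1-a"): "U-1", ("SB1", "sb1-b"): "U-2",
                       ("SB2", "sb2-x"): "U-1", ("SB2", "sb2-y"): "U-3"}

# Constructed individual user access policies 251.
INDIVIDUAL_POLICIES = {
    "U-1": IndividualPolicy(frozenset({"SB1", "SB2"}), frozenset({"purchase", "health"}),
                            frozenset({"statistical", "non_statistical"})),
    "U-2": IndividualPolicy(frozenset({"SB1"}), frozenset({"purchase", "hr"}),
                            frozenset({"statistical"})),
    "U-3": IndividualPolicy(frozenset({"SB2"}), frozenset({"purchase"}),
                            frozenset({"statistical", "non_statistical"})),
}

# Constructed service business access policy 264: per SB and data type, the
# data items (columns) the contract with the service provider SP allows.
SERVICE_BUSINESS_POLICY = {
    "SB1": {"purchase": {"item_code", "amount", "region"}, "hr": set()},
    "SB2": {"purchase": {"item_code", "region"}},
}


def enforce_combination_policy(rows):
    """Constructed data type combination policy 263: refuse a table that mixes
    first (high-reliability) and second (medium-reliability) purchase data."""
    levels = {r["reliability"] for r in rows if "reliability" in r}
    if len(levels) > 1:
        raise ValueError(f"combination policy 263 forbids mixing {sorted(levels)}")
    return rows


def generate_virtual_table(sb, purpose, data_type, reliability=None):
    """Virtual table T for one data access request from service business `sb`.

    Rows are keyed by the SB's own member IDs (second cooperation member ID).
    Members the SB has no link to, and members whose policy denies the request,
    never appear; the provider's IDs are not exposed.
    """
    columns = SERVICE_BUSINESS_POLICY.get(sb, {}).get(data_type, set())
    if not columns:
        return []  # policy 264: this SB gets no items of this data type
    sb_member_ids = {m: sid for (b, sid), m in SECOND_ID_TO_MEMBER.items() if b == sb}
    permitted = []
    for row in ACQUIRED_DATA.get(data_type, []):
        member = FIRST_ID_TO_MEMBER.get(row["first_id"])
        if member not in sb_member_ids:
            continue  # no cooperation link between this user and this SB
        if reliability and row.get("reliability") != reliability:
            continue  # request restricted itself to one reliability level
        policy = INDIVIDUAL_POLICIES.get(member)
        if policy is None or not policy.permits(sb, data_type, purpose):
            continue  # no policy (constructed default: deny) or a switch is off
        permitted.append(row)
    table = []
    for row in enforce_combination_policy(permitted):
        member = FIRST_ID_TO_MEMBER[row["first_id"]]
        table.append({"member_id": sb_member_ids[member],
                      **{k: v for k, v in row.items() if k in columns}})
    return table


if __name__ == "__main__":
    for r in generate_virtual_table("SB1", "statistical", "purchase"):
        print(r)
```

  The `reliability` argument lets a service business ask for first purchase data only; without it, a request whose permitted rows span both reliability levels is refused rather than silently mixed, which is the behaviour the text describes for policy 263.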
  • The individual user application AP1 shown in FIG. 17 displays an access status confirmation window 305.
  • The access status confirmation window 305 displays, for each service business SB, the access status of the personal data as obtained via the individual user data access interface 53.
  • The access status confirmation window 305 consists of a fourth window 306 that displays the status of access to personal data by the first service business SB1 and a fifth window 307 that displays the status of access to personal data by the third service business SB3.
  • Because the settings in the first window 302 do not permit access to personal data by the third service business SB3, no data is displayed in the fifth window 307 and none can be used.
  • The individual user U can open the individual user access policy setting window 301 while checking in the access status confirmation window 305 how the service business SB accesses the personal data of the individual user U.
  • The individual user access policy 251 can therefore be set easily and reliably in the access policy setting step.
  • The access status confirmation window 305 shown in FIG. 17 lists only data items, which is the simplest form of display.
  • The access status confirmation window 305 may show more complex displays, such as data analysis results.
  • The access status confirmation window 305 may display an incentive that the individual user U has obtained through the access.
  • For example, the access status confirmation window 305 may display the points or virtual currency obtained through a single access, or the degree of contribution to the global environment or to medical research.
  • The access status confirmation window 305 may also display a message or request addressed to the individual user U by the accessing entity (service business SB).
  • The individual user application AP1 shown in FIG. 18 displays a comprehensive access policy setting window 310.
  • The individual user U need not set every individual user access policy 251 individually; instead, the user may, at his or her own discretion, select a comprehensive access policy 252 from a plurality of prepared templates.
  • In the comprehensive access policy setting window 310, the individual user U selects the comprehensive access policy 252 from the prepared templates using the radio buttons RB.
  • When the individual user U selects mode X, the individual user U sets all of the individual user access policies 251 individually: permission or non-permission of access is set separately for every service business, data type, and purpose of use.
  • When the individual user U selects mode Y, the comprehensive access policy 252, which gives blanket consent, is applied whenever the data utilization purpose of the service business SB of the service provider SP using the acquired data D is "medical research", "drug discovery research", or "earth-life research"; for any other purpose, the individually set individual user access policy 251 applies.
  • Alternatively, a template of the individual user access policy previously created by the administrator A or by another individual user may be referenced and applied as the individual user access policy 251 of the individual user U.
  • The individual user U may also customize a selected template to set his or her own individual user access policies 251.
  • Templates of the individual user access policy 251 may be created not only by the administrator A or other individual users but also by a template creation service provider.
  • The individual user application AP1 shown in FIG. 19 displays a recommended comprehensive access policy window 320.
  • The recommended comprehensive access policy window 320 displays candidate templates recommended on the basis of template popularity rankings, the attributes of the individual user, the data the user holds, and the like. By selecting a suitable template from the recommendations, the individual user U is spared the burden of setting every individual user access policy 251 by hand.
  • FIG. 20 is a diagram showing the data service providing system 100 operating in cooperation with the cooperative application AP2 of the service business SB.
  • The cooperative application AP2 first sends the data service providing system 100 an authentication request for receiving the data service (authentication step).
  • The data service providing system 100 receives the authentication request via the service business cooperation interface 32 and checks the service business cooperation information 352 recorded in the cooperation information recording unit 34.
  • If the data service is available to the service business SB that made the authentication request, the service business cooperation interface 32 transmits the authentication result to the cooperative application AP2.
  • If it is not, the data service providing system 100 may transmit an authentication error to the cooperative application AP2.
  • Once authenticated, the cooperative application AP2 transmits a data service request to the data service providing system 100.
  • The data service providing system 100 receives the data service request via the service business data access interface 52 and confirms the content of the requested data service.
  • The service business data access interface 52 issues a data access request to the provided data generation unit 4 in order to access the provided data (second data) needed to provide the requested data service.
  • The provided data generation unit 4 generates a virtual table T as the provided data (second data) from the acquired data (first data) D in response to the data access request (data generation step). Because the virtual table T is generated at request time, it always reflects the access policies as they stand at that moment, however often they change.
  • The data access control unit 5 can therefore provide data services using provided data that reflects the latest access policy.
  • The provided data generation unit 4 may cache the generated virtual table T as temporary storage. When the next data access request arrives, the provided data generation unit 4 may reuse all or part of the cached virtual table T, provided that none of the related access policies has been updated in the meantime. Using cached data in this way reduces the processing load of generating the virtual table T.
  • The service business data access interface 52 provides the data service on the basis of the virtual table T (data providing step).
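  • The authentication step, data generation step and data providing step above, as one request flow. This is an added example written for this page, not code from the patent or from Toshiba Data Corp: the patent does not say how the authentication request is checked against the service business cooperation information 352, so the HMAC-over-nonce proof, the per-SB secrets, the policy contents and the revision counters are all constructed. The cache records the revision of every individual user access policy it depended on and is reused only while those revisions are unchanged, so a switch turned off in the individual user application takes effect on the very next request.

```python
"""Service business request flow: authentication step, data generation step and
data providing step, with a virtual table cache that is reused only while the
access policies it was built from are unchanged.

Added example, not code from the patent or from Toshiba Data Corp. The patent
does not specify the authentication mechanism; the HMAC-over-nonce proof, the
per-SB secrets, the policy contents and the revision counters are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed service business cooperation information 352: registered SBs,
# a per-SB secret for the authentication request, and the data types each
# contract covers (SB3's contract covers nothing any more).
SB_COOPERATION_INFO = {
    "SB1": {"secret": b"sb1-constructed-secret", "data_types": {"purchase"}},
    "SB3": {"secret": b"sb3-constructed-secret", "data_types": set()},
}


def client_proof(secret: bytes, nonce: bytes) -> bytes:
    """What the cooperative application AP2 returns for a server nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def authenticate(sb: str, nonce: bytes, proof: bytes) -> bool:
    """Authentication step: check the SB is registered in 352 and that it
    proved knowledge of its secret over this nonce (constant-time compare)."""
    info = SB_COOPERATION_INFO.get(sb)
    if info is None:
        return False
    return hmac.compare_digest(client_proof(info["secret"], nonce), proof)


class PolicyStore:
    """Individual user access policies 251 with a per-user revision counter,
    so a generated table can record exactly which policy state it reflects."""

    def __init__(self) -> None:
        self.allow: Dict[Tuple[str, str, str], bool] = {}  # (user, sb, purpose)
        self.revision: Dict[str, int] = {}                 # user -> revision

    def set(self, user: str, sb: str, purpose: str, permitted: bool) -> None:
        self.allow[(user, sb, purpose)] = permitted
        self.revision[user] = self.revision.get(user, 0) + 1

    def permits(self, user: str, sb: str, purpose: str) -> bool:
        return self.allow.get((user, sb, purpose), False)  # constructed default: deny


class ProvidedDataGenerator:
    """Provided data generation unit 4 with the cache described in the text."""

    def __init__(self, policies: PolicyStore, acquired: Dict[str, List[dict]]) -> None:
        self.policies = policies
        self.acquired = acquired  # data_type -> rows, each with the internal "user" ID
        self.cache: Dict[tuple, Tuple[tuple, List[dict]]] = {}
        self.generated = 0  # number of tables actually built (to show reuse)

    def _policy_fingerprint(self, data_type: str) -> tuple:
        # Revision of every user whose data the table could touch. Any change
        # by any of them changes the fingerprint and forces a rebuild.
        users = sorted({r["user"] for r in self.acquired.get(data_type, [])})
        return tuple((u, self.policies.revision.get(u, 0)) for u in users)

    def virtual_table(self, sb: str, purpose: str, data_type: str) -> List[dict]:
        key = (sb, purpose, data_type)
        fingerprint = self._policy_fingerprint(data_type)
        cached = self.cache.get(key)
        if cached is not None and cached[0] == fingerprint:
            return cached[1]  # related policies unchanged: reuse
        self.generated += 1
        table = [{k: v for k, v in r.items() if k != "user"}
                 for r in self.acquired.get(data_type, [])
                 if self.policies.permits(r["user"], sb, purpose)]
        self.cache[key] = (fingerprint, table)
        return table


def handle_data_service_request(gen: ProvidedDataGenerator, sb: str, nonce: bytes,
                                proof: bytes, purpose: str, data_type: str) -> dict:
    """Data access control unit 5: authenticate, confirm the requested data
    service is covered by the SB's contract, then answer from the virtual table."""
    if not authenticate(sb, nonce, proof):
        return {"error": "authentication error"}
    if data_type not in SB_COOPERATION_INFO[sb]["data_types"]:
        return {"error": "data service not available for this service business"}
    return {"rows": gen.virtual_table(sb, purpose, data_type)}


if __name__ == "__main__":
    store = PolicyStore()
    store.set("U-1", "SB1", "statistical", True)
    gen = ProvidedDataGenerator(store, {"purchase": [{"user": "U-1", "amount": 1200}]})
    nonce = secrets.token_bytes(16)  # server-chosen; single-use in a real deployment
    proof = client_proof(SB_COOPERATION_INFO["SB1"]["secret"], nonce)
    print(handle_data_service_request(gen, "SB1", nonce, proof, "statistical", "purchase"))
```

  A fingerprint built from policy revisions covers exactly the condition the text names (the related access policy has not been updated); a deployment would also have to invalidate when new acquired data arrives or the cooperation information changes, and would issue each nonce once.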
  • In this way, access policies are set for each data type and for each registered user (individual user U and service provider SP) with respect to acquired data D that contains a plurality of data types with different handling policies.
  • Acquired data D that contains the personal data of individual users U can therefore be managed more strictly.
  • In the embodiment described above, the provided data generation unit 4 generates a virtual table T as the provided data (second data); however, the provided data generation unit 4 may instead generate a real table as the provided data (second data).
  • A real table is a table recorded in a nonvolatile recording unit in advance, before the data access request is made.
  • The provided data generation unit 4 may periodically generate or update a real table as provided data of a specific specification (for example, provided data used for "statistical use in which individuals are not identified"). By using such a real table, the provided data generation unit 4 can reduce the processing load of generating provided data.
  • The program of the embodiment described above may be recorded on a computer-readable recording medium, and the program recorded on that medium may be read into a computer system and executed.
  • The "computer system" here includes an OS and hardware such as peripheral devices.
  • The "computer-readable recording medium" refers to portable media such as flexible disks, magneto-optical disks, ROMs, and CD-ROMs, and to storage devices such as hard disks built into computer systems.
  • The "computer-readable recording medium" may also include a medium that holds the program dynamically for a short time, such as a communication line used when the program is transmitted over a network such as the Internet or over a communication line such as a telephone line, and a medium that holds the program for a certain period, such as volatile memory inside a computer system acting as the server or client in that case.
  • The program may realize only part of the functions described above, or may realize those functions in combination with a program already recorded in the computer system.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Marketing (AREA)
  • Finance (AREA)
  • Development Economics (AREA)
  • Accounting & Taxation (AREA)
  • General Health & Medical Sciences (AREA)
  • Tourism & Hospitality (AREA)
  • Economics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Primary Health Care (AREA)
  • Bioethics (AREA)
  • Human Resources & Organizations (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Engineering & Computer Science (AREA)
  • Game Theory and Decision Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023518632A JP7663121B2 (ja) 2021-05-07 2022-03-22 データサービス提供方法およびデータサービス提供システム

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021-079205 2021-05-07
JP2021079205 2021-05-07

Publications (1)

Publication Number Publication Date
WO2022234734A1 true WO2022234734A1 (ja) 2022-11-10

Family

ID=83932092

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/013071 Ceased WO2022234734A1 (ja) 2021-05-07 2022-03-22 データサービス提供方法およびデータサービス提供システム

Country Status (2)

Country Link
JP (1) JP7663121B2
WO (1) WO2022234734A1

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120455171B (zh) * 2025-07-10 2025-09-19 成都职业技术学院 服务器数据访问控制方法、装置、设备及存储介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014044528A (ja) * 2012-08-24 2014-03-13 Kddi Corp ユーザ非特定情報の提供記録を通知するユーザ情報管理装置、プログラム及び方法
WO2017154620A1 (ja) * 2016-03-08 2017-09-14 大日本印刷株式会社 個人情報提供システム及びプログラム
WO2019234887A1 (ja) * 2018-06-07 2019-12-12 三菱電機株式会社 情報提供装置、情報提供方法、および情報提供プログラム

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018151881A (ja) 2017-03-13 2018-09-27 Kddi株式会社 監視装置、監視方法、及びプログラム

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20240130574A (ko) * 2023-02-22 2024-08-29 서울여자대학교 산학협력단 개인정보보호법 기반의 개인정보수집이용동의서 평가 장치 및 방법
KR102873704B1 (ko) * 2023-02-22 2025-10-20 서울여자대학교 산학협력단 개인정보보호법 기반의 개인정보수집이용동의서 평가 장치 및 방법
CN118890201A (zh) * 2024-08-12 2024-11-01 神州融信云科技股份有限公司 安全架构配置方法、系统控制方法、设备及存储介质

Also Published As

Publication number Publication date
JP7663121B2 (ja) 2025-04-16
JPWO2022234734A1 2022-11-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22798841; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2023518632; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 22798841; Country of ref document: EP; Kind code of ref document: A1)