WO2022238948A1 - Method and system for transforming personally identifiable information - Google Patents


Info

Publication number
WO2022238948A1
Authority
WO
WIPO (PCT)
Prior art keywords
pii
value
anonymous
external system
requester
Prior art date
Application number
PCT/IB2022/054417
Other languages
French (fr)
Inventor
Jonathan Graham PITTS
Juan Jose RIVERO
Original Assignee
Pitts Jonathan Graham
Rivero Juan Jose

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Definitions

  • the invention relates to techniques for identifying and replacing data values within a digital storage system, particularly for use in replacing personally identifiable information with anonymised values.
  • PII Personally Identifiable Information
  • databases and other digital storage systems include customer databases, human resource databases, patient health records, and prospect databases to name a few.
  • PII can be defined as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. These types of information are Public PII and include, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. Whether information can be considered PII depends on the probability that an individual can be identified using the information. Non-PII can become PII whenever additional information is made available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.
  • Transactional information is not considered PII.
  • Examples of transactional information include products purchased, invoicing details, financial records, and support requests.
  • a breakdown in referential integrity means that non-PII data is retained but can no longer be linked to a source record, meaning grouping of data (or even the appearance of that data in reports) may no longer be possible. In many systems, deleting data is prohibited to prevent these issues from occurring. Blanking of PII data, or replacing with random data is also not desirable as it may also remove the ability to successfully analyze data. Encrypting PII is not a solution, as the data still remains in the database and can be accessed by anyone with the correct access details (i.e. password or security token of some other form).
  • An additional or alternative object is to at least provide the public with a useful choice.
  • a computer implemented method for transforming personally identifiable information comprises: receiving a request to transform the PII, the request including a PII value, a PII type of the PII value, and Requester ID of an external system associated with the PII value; applying an irreversible deterministic process to generate an anonymous value, the deterministic process taking as input the PII value, the PII type and the Requester ID of the external system; and transmitting the anonymous value as a transform of the PII.
  • the method further comprises storing the anonymous value with the PII type of the PII value and the Requester ID of the external system.
  • the method further comprises: comparing the anonymous value with a stored anonymous value; and determining that the PII has previously been transformed using the irreversible deterministic process if the comparison matches.
  • the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
  • the request to transform the PII is received from an external system and the anonymous value is transmitted back to the external system.
  • the anonymous value is used to replace all instances of the PII in the external system.
  • the PII value comprises a string, number, Boolean or date value.
  • the PII type comprises a format type, personal identifier or business identifier.
  • the Requester ID comprises a business name, industry type or government organisation type.
  • a system for transforming personally identifiable information is configured to: receive a request to transform a PII value, the request includes the PII value, a PII type associated with the PII value, and a Requester ID of an external system; apply an irreversible deterministic process to generate an anonymous value, the deterministic process takes as input the PII value, the PII type and the Requester ID of the external system; and transmit the anonymous value as a transform of the PII.
  • system is further configured to store the anonymous value with the PII type and the Requester ID.
  • system is further configured to: compare the anonymous value with a stored anonymous value; and determine that the PII value has previously been transformed using the irreversible deterministic process if the comparison matches.
  • the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
  • Figure 1 shows an example of a method for transforming PII
  • Figure 2 shows an example of a method for determining whether PII has previously been anonymised
  • Figure 3 shows another example method for determining whether PII has previously been anonymised
  • Figure 4 shows an example of a transformation module
  • Figure 5 shows an example of an external system including a transformation module
  • Figure 6 shows example computing devices that can be used to implement embodiments of the present invention.
  • Figure 1 shows a computer implemented method 100 for transforming personally identifiable information (PII) that involves an interaction between an external system 102 and a transformation module 104.
  • the external system 102 may comprise an IT or information system of an enterprise or organisation for example.
  • the external system 102 can be operated by an individual or an organisation.
  • the transformation module 104 operates on a server or 'the cloud'. Alternatively, the transformation module 104 can operate within the IT or information system of an individual, enterprise or organisation as part of the external system 102.
  • Method 100 includes selecting 106 PII to be replaced within the external system 102 at the request of a user.
  • a user may wish to replace PII of an individual from the external system 102 after the individual has left an organisation or unsubscribed from the services of an enterprise operating the external system 102.
  • the PII value(s), PII type and Requester ID associated with the selected PII are transmitted 108 to the transformation module 104 through a secure API along with a request to transform the PII value(s).
  • the PII is stored within a digital storage of external system 102.
  • a user may provide the PII in the request to transform the PII value(s).
  • a business process may query the PII from an external system other than external system 102 in order to initiate the request to transform the PII value(s).
  • the PII is represented by a PII value that can be a name, phone number, email address or any other information that can be associated with an individual.
  • the PII can also be represented by PII type information associated with the PII value and/or Requester ID of the external system.
  • the PII type indicates a category of data type that the PII value belongs to.
  • the PII type can indicate a data format, a personal identifier or a business identifier.
  • the data format of the PII value can be a string, number, Boolean or date for example.
  • the personal identifier indicates the type of personal detail in the PII value such as name, email address, phone number, Social Security Number for example.
  • the business identifier indicates the business unit, business division, individual in the business or an account number associated with the PII value.
  • the Requester ID of the external system is associated with the enterprise or organisation that has requested that the PII be transformed.
  • the Requester ID of the external system can indicate a business name, business division name or organisation name.
  • the Requester ID can also indicate the industry type of a business or organisation such as finance or healthcare industries for example.
  • the Requester ID can also indicate a government organisation that has requested PII transformation.
  • both the PII type and the Requester ID are transmitted 108 in the same request.
  • Different processes may be used for different values. For example, an email address could be transformed using a different process than a phone number.
  • the generated value may also need to fit different criteria for different values.
  • An anonymised value may still need to be in a valid phone number format instead of a long collection of numbers and letters.
  • transformation module 104 receives 110 the request to transform selected PII from external system 102 that includes PII value(s) and additional PII type information associated with the PII value and Requester ID of external system 102.
  • the PII type information and requester ID can be optional information that do not have to be transmitted 108 by external system 102 or received 110 by transformation module 104 for the PII value(s) to be transformed.
  • transformation module 104 is configured to treat all requests the same regardless of where the PII is stored. Alternatively, transformation module 104 is configured to treat requests differently based on the optionally provided identification information of the requesting system as to whether the PII is stored internally or externally.
  • the transformation module 104 applies 112 an irreversible deterministic process to generate an anonymous value.
  • the anonymous value comprises a random collection of numbers and/or letters. The particular combination of numbers and/or letters may vary by the encoding process used to generate the combination.
  • the PII may comprise an email address
  • the PII type may comprise the value 'email_address'
  • the requester ID may comprise the name of a company.
  • the generated anonymised values each correspond to a PII value.
  • the deterministic process takes as input the PII value, the PII type and the Requester ID of the external system 102 and generates each anonymised value based on the specific combination of the corresponding PII value, its PII type and Requester ID. Alternatively, each anonymised value can also be generated based only on the corresponding PII value.
  • the anonymous value is a hashed value that is generated in a 'lossy' manner. In other words, some of the original data of the PII have been lost to ensure that the anonymous value cannot be a PII and does not need to be treated like PII.
  • if an anonymous value is generated using a 'lossless' process that is reversible, the anonymous value would still be PII and would not be anonymous. This is because one can simply reverse the 'lossless' process on the generated anonymous value to recover a unique PII. For example, if the anonymous value is generated using encryption instead, the PII used to generate the anonymous value can easily be re-obtained using the encryption key. This would defeat the purpose of generating anonymous values.
  • the generated value is always the same if the combination of input information is the same.
  • the same anonymised values are always produced for the same combination of PII value, PII type, and requester ID/external system ID.
  • Hashing is a process that converts one or more values to a single value that is unique to that set of data.
  • the irreversible deterministic process can be any other process that generates anonymised values in a 'lossy' manner that results in irreversible values such as a checksum or a jpeg.
  • PII type and Requester ID information allows transformation module 104 to distinguish between PII values to apply 112 different irreversible deterministic processes on PII values of different PII types and/or external systems 102.
  • PII values from different external systems 102 with the same PII types can use the same irreversible deterministic process.
  • the irreversible deterministic process used for a PII value that is a string with a Requester ID of an individual in a specific business differs from the irreversible deterministic process used for another PII value that is a string with a Requester ID of an individual in an industry.
  • an individual can be a member of the specific business and a member of the industry and provide the same PII value that produces different anonymous values.
  • the transformation module 104 optionally stores 114 each anonymous value with a corresponding PII type and Requester ID.
  • the anonymous value can also be stored without its corresponding PII type or Requester ID.
  • the stored anonymous value can be used in the future to identify whether or not an individual that has previously requested their PII to be removed is returning to the organisation or the enterprise operating the external system. This will be expanded on further below.
  • the anonymous value(s) are transmitted 116 back to the external system 102 of the requester as a transform of the PII selected 106 by a user.
  • the anonymous value(s) that are received 118 by the external system 102 are used to replace 120 the PII value(s) that a user selected 106 to be removed or deleted from the external system 102.
  • all instances of the selected PII value(s) are replaced by corresponding anonymous value(s).
  • PII is replaced with its corresponding anonymous value (a hashed value for example)
  • the PII can never be retrieved, yet the database of the external system 102 retains its intrinsic integrity. This allows non-PII data to be retained in its original database structures and allows organisations to meet their legal and regulatory requirements.
  • the generated anonymous value(s) can also be transmitted to any other desired systems or databases.
  • certain instances of the selected PII value(s) are not replaced by the anonymous value(s).
  • the user or enterprise determines how the anonymous value(s) are to be used in the external system 102.
  • Figure 2 shows a method 200 for determining whether PII of an individual has previously been anonymised using transformation module 104 (see figure 1).
  • the identification of a possible previously known individual is initiated when a user provides 206 PII data to the external system 102.
  • the PII data represented by PII value(s), PII type and Requester ID is transmitted 108 to the transformation module 104 as a request to transform the PII.
  • the transformation module 104 receives 110 the request to transform the PII and applies 112 an irreversible deterministic process on the PII value(s), PII type(s) and Requester ID to generate anonymous value(s).
  • the anonymous value(s) can be stored 114 at the transformation module 104.
  • method 200 compares 214 the anonymous value(s) newly generated at step 112 with previously stored anonymous value(s). If 216 the comparison matches, the PII value is determined to have previously been transformed using the irreversible deterministic process. In an example, a match between an anonymous value and a stored anonymous value provides a probability that the corresponding PII has been previously stored.
  • the comparison involves matching a combination of newly generated 112 anonymous value(s), corresponding PII types and Requester ID against a combination of stored anonymous value(s), corresponding PII types and Requester ID.
  • the combination of PII type, Requester ID and anonymous value is stored together, because the same anonymous value could be generated for different PII types and/or Requester IDs.
  • different divisions within the same company may store the same user email address in different systems. It is desirable to store the email addresses as different entries because they could be associated with different PII and/or different PII requests.
  • the comparison 214 between a newly generated anonymous value and a stored anonymous value matches if the combination of PII value, PII type information and Requester ID used to generate each of the two anonymous values are the same. In other words, if the anonymous values match 216, the PII of the individual has previously been anonymised using the transformation module 104.
  • the external system 102 then performs 218 an appropriate business process.
  • a business process is updating the record of the external system.
  • One example of an update is to re-associate previously stored information with the returning individual.
  • the previously stored information of the returning individual can be re-associated by supplying the PII again at the external system and matching stored anonymous values with the newly generated anonymous values.
  • a brute force approach can be used on the PII data supplied by the returning individual to re-associate anonymous values with the returning individual.
  • the anonymous values do not uniquely identify a specific individual: an anonymous value could match multiple individuals, or could match an unexpected or unintended individual.
  • the business process will not have enough information to re-associate an individual's data. For example, a match may be found for which a user is prompted to enter additional information that would confirm a match against one or more other anonymised entries. Another example includes a situation where a user is prompted to provide all other PII to recreate their account in its entirety.
  • an appropriate business process may be performed 220.
  • One example of a business process includes creating a new record for the individual at external system 102. A process that includes obfuscation of data will lose data that cannot be recovered. For this reason, anonymous values do not need to be treated like PII.
  • step 220 may include another business process.
  • transformation module 104 also returns information identifying which of the newly generated anonymous values match stored anonymous values and/or identifies a key probability value that the individual associated with the corresponding PII is previously known.
  • the key probability value can prompt the organisation operating external system 102 to confirm with the individual that they have previously stored PII at the external system and/or has had their PII anonymised using transformation module 104. Based on the confirmation, the individual's PII can be used to re-associate past records with the individual or create a new record in external system 102.
  • Anonymous values may not be unique depending on what is anonymised. For example, multiple subscribers may have the same email address and/or the same home address city. The same anonymised values associated with different PII types and Requester IDs could be associated with different related information or data systems.
  • the newly generated anonymous value(s) are transmitted 116 to external system 102 prior to comparing 316 the newly generated anonymous value(s) against the stored anonymous value(s). If external system 102 has previously replaced PII with anonymous value(s), the anonymous value(s) would have to be stored at the external system. Therefore, the comparison 316 between anonymous values can be carried out at external system 102.
  • an appropriate business process is performed 320. For example, records of the individual that were previously anonymised may be re-associated with the PII of the returning individual.
  • an appropriate business process is performed 322. For example, a new record may be created for the individual at external system 102.
  • PII are required to be anonymised for the creation of reports for data analysis.
  • a company uses a third-party agency to perform analytics on their customer and sales data and provides weekly updates to the agency.
  • the company has a policy of not letting third-party agencies access their customers' PII data.
  • ETL Extract, Transform, and Load
  • External system 102, in the form of the company's source databases (CRM and Financial), is left untouched in this process.
  • the customer information and financial information are supplied to the third-party agency with PII removed.
  • the weekly updates can still link all purchases to individuals over time due to the deterministic nature of the anonymised values. Potential duplicates can be recognized in the data at an analytics level because of the deterministic nature of the anonymised values.
  • inactive customer records are required to be removed or deleted.
  • a customer of a company has been inactive for a period of two years.
  • the company's policy is to remove all customer PII data after two years of inactivity.
  • the company does not wish to delete the customer record as it would impact historical reporting and has significant analytical value.
  • the company submits the customer's PII to transformation module 104 and receives 118 deterministic anonymised values back that are used to replace 120 PII at external system 102 of the company (e.g., CRMs and Reporting Databases).
  • the company's Privacy Policy requirements continue to be met and the historical reporting continues to function correctly. All non-PII data remains unchanged such as financial details and product purchase details for example.
  • the company can transmit 108 a PII transformation request with the customer's PII to the transformation module 204 that responds with a key probability value indicating that the person has likely been a previous customer.
  • the company can then perform the appropriate confirmation to confirm the re-engaged Customer.
  • the confirmation may include performing 218, 318 an appropriate business process such as re-associating prior purchasing history and leveraging prior analytical data to optimize their interactions with the returning customer.
  • records of past employee or staff are anonymised.
  • An employee of company resigns and requests their PII be removed from the HR system 102.
  • the company does not wish to fully delete their records as they contain information such as payroll data and tax information for example that they need to retain for analytical, reporting, and legal purposes.
  • the company transmits 108 the employee's PII to the transformation module 104, and receives 118 deterministic anonymised values 112 back that they use to replace 120 all PII in HR and reporting databases. This allows the company's reporting procedures to continue to function correctly.
  • if the employee gets rehired at the company, their current PII 206 is transmitted to the transformation module 104, which responds with a key probability value indicating that there is a high chance that the person has been a previous employee.
  • the company performs 218 an appropriate business process such as re-activating the employee's original information, and is able to manage long service entitlements, access previous performance evaluations etc.
  • J Doe's email j.doe@anemaildomain.com will always yield the same unique hashed value from the irreversible deterministic process. If J Doe interacts with an entity today that they have previously interacted with and subsequently asked to be forgotten by, their newly supplied email address can be hashed and tested against values in the entity's database to see if they have a match on the hashed value. If there is a match, then the entity can safely say they have interacted with the email address j.doe@anemaildomain.com in the past, without retaining any PII in the interim. Further confirmation may be required on the part of the entity to confirm that the email address does in fact belong to J Doe.
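The transform (112), store (114), compare (214) and replace (120) steps described above, carried through on the J Doe email example, as an added illustration that is not code from the patent. It assumes a keyed SHA-256 hash (HMAC) with a secret held only by the transformation module as the irreversible deterministic process, the type-specific output shapes, and the constructed CRM records; all of these are assumptions, not the patent's own choices.

```python
import hashlib
import hmac

# Constructed demo secret held only by the transformation module (assumption).
# A keyed hash is still deterministic and irreversible, and unlike a plain hash
# it cannot be matched by simply guessing common email addresses or numbers.
MODULE_SECRET = b"constructed-demo-secret-do-not-reuse"


def _encode(requester_id: str, pii_type: str, pii_value: str) -> bytes:
    """Length-prefix each field so ('ab', 'c') and ('a', 'bc') cannot collide."""
    out = b""
    for field in (requester_id, pii_type, pii_value):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def irreversible_deterministic_process(pii_value: str, pii_type: str,
                                       requester_id: str,
                                       secret: bytes = MODULE_SECRET) -> str:
    """Step 112: derive an anonymous value from the (value, type, requester) triple.

    Same triple -> same output; a different Requester ID or PII type gives a
    different value for the same PII value. The output shape follows the PII
    type, since an anonymised phone number may still need to look like one.
    """
    digest = hmac.new(secret, _encode(requester_id, pii_type, pii_value),
                      hashlib.sha256).digest()
    if pii_type == "phone_number":
        # format-preserving: ten digits taken from the digest, demo prefix
        return "+00" + "".join(str(b % 10) for b in digest[:10])
    if pii_type == "email_address":
        # keeps an email-like shape; .invalid can never be delivered to
        return digest.hex()[:24] + "@anonymised.invalid"
    return digest.hex()


class TransformationModule:
    """Transformation module 104: transform (112), store (114), compare (214)."""

    def __init__(self, secret: bytes = MODULE_SECRET):
        self._secret = secret
        # Stored as (anonymous value, PII type, Requester ID): the page notes the
        # same anonymous value may recur under other types or requesters.
        self._store: set = set()

    def transform(self, pii_value: str, pii_type: str, requester_id: str):
        """Return (anonymous_value, previously_seen). Never stores the PII."""
        anon = irreversible_deterministic_process(pii_value, pii_type,
                                                  requester_id, self._secret)
        key = (anon, pii_type, requester_id)
        seen = key in self._store          # comparison 214 / match 216
        self._store.add(key)               # store 114
        return anon, seen


def replace_pii(records: list, pii_value: str, anon: str) -> list:
    """Step 120 at the external system: replace every instance of the PII value
    in every field, leaving non-PII (transactional) data untouched."""
    return [{k: (anon if v == pii_value else v) for k, v in r.items()}
            for r in records]


if __name__ == "__main__":
    module = TransformationModule()
    # Constructed CRM rows: an email (PII) and purchase totals (transactional).
    crm = [
        {"customer_id": 7, "email": "j.doe@anemaildomain.com", "total": 120.0},
        {"customer_id": 8, "email": "other@example.com", "total": 5.0},
    ]
    anon, seen = module.transform("j.doe@anemaildomain.com",
                                  "email_address", "Acme Ltd")
    print("first request, previously seen:", seen)
    crm = replace_pii(crm, "j.doe@anemaildomain.com", anon)
    print("after replacement:", crm)
    # J Doe returns and supplies the same email: the module recognises it
    # without ever having stored the address itself.
    _, seen = module.transform("j.doe@anemaildomain.com",
                               "email_address", "Acme Ltd")
    print("returning individual, previously seen:", seen)
```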
  • Figure 4 shows an example of a transformation module 104.
  • the transformation module may be implemented within a server or the cloud.
  • the receiver 402 is configured to receive a request to transform a PII value.
  • the request includes the PII value, a PII type associated with the PII value, and a Requester ID of an external system.
  • the deterministic processor 410 is configured to apply an irreversible deterministic process to generate an anonymous value.
  • the deterministic processor takes as input the PII value, the PII type and the Requester ID of the external system.
  • the transmitter 406 is configured to transmit the anonymous value as a transform of the PII.
  • Storage 412 is configured to store the anonymous value with the PII type and the Requester ID.
  • the comparison module 414 is configured to compare the anonymous value with a stored anonymous value in storage 412. Comparison module 414 is also configured to determine that the PII value has previously been transformed using the irreversible deterministic process if the comparison matches.
  • Transmitter 406 is configured to signal a match of the comparison between the anonymous value and the stored anonymous value by the comparison module 414, if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
  • Figure 5 shows an example of transformation module 104 implemented within the IT or information system of an individual, enterprise or organisation as part of the external system 102.
  • comparison module 414 and storage 412 may be implemented within external system 102.
  • comparison module 414 and storage 412 may be within the transformation module 104 when the transformation module 104 is within the external system 102.
  • Figure 6 shows example computing devices 600.
  • One example is computing device 140 that may be used to implement the transformation module 104, the external system 102 and/or any part of the transformation module 104 or the external system 102.
  • the computing device 140 is an example of a suitable computing device. It is not intended to suggest any limitation as to the scope of use or functionality of the operating environment.
  • Example computing devices include, but are not limited to, personal computers, server computers, hand-held or laptop devices, mobile devices, multiprocessor systems, consumer electronics, mini computers, mainframe computers, and distributed computing environments that include any of the above systems or devices.
  • mobile devices include mobile phones, smartphones, tablets, and Personal Digital Assistants (PDAs).
  • PDAs Personal Digital Assistants
  • computer readable instructions are implemented as program modules.
  • program modules include functions, objects, Application Programming Interfaces (APIs), and data structures that perform particular tasks or implement particular abstract data types.
  • APIs Application Programming Interfaces
  • functionality of the computer readable instructions is combined or distributed as desired in various environments.
  • computing device 140 comprises a primary computing device 605 configured to implement one or more embodiments described above.
  • computing device 605 includes at least one processing unit 610 and memory 615.
  • memory 615 is volatile (such as RAM, for example), non-volatile (such as ROM, flash memory, etc., for example) or some combination of the two.
  • a server 620 is shown by a dashed line notionally grouping processing unit 610 and memory 615 together.
  • computing device 605 includes additional features and/or functionality.
  • removable and/or non-removable additional storage including, but not limited to, magnetic storage and optical storage.
  • Such additional storage is illustrated in Figure 6 as storage 625.
  • computer readable instructions to implement one or more components provided herein are maintained in storage 625.
  • storage 625 stores other computer readable instructions to implement an operating system and/or an application program.
  • Computer readable instructions are loaded into memory 615 for execution by processing unit 610, for example.
  • Memory 615 and storage 625 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing device 605. Any such computer storage media may be part of device 605.
  • computing device 605 includes at least one communication connection 640 that allows device 605 to communicate with other devices.
  • the at least one communication connection 640 includes one or more of a modem, a Network Interface Card (NIC), an integrated network interface, a radio frequency transmitter/receiver, an infrared port, a USB connection, or other interfaces for connecting computing device 605 to other computing devices.
  • NIC Network Interface Card
  • the at least one communication connection 640 includes Bluetooth L.E. components.
  • communication connection(s) 640 facilitate a wired connection, a wireless connection, or a combination of wired and wireless connections.
  • Communication connection(s) 640 transmit and/or receive communication media.
  • Communication media typically embodies computer readable instructions or other data in a "modulated data signal" such as a carrier wave or other transport mechanism and includes any information delivery media.
  • modulated data signal includes a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • device 605 includes at least one input device 645 such as a physical keyboard, mouse, pen, voice input device, touch input device, infrared cameras, video input devices, and/or any other input device.
  • Device 605 also includes at least one output device 650 such as one or more displays, speakers, printers, and/or any other output device.
  • Input device(s) 645 and output device(s) 650 are connected to device 605 via a wired connection, wireless connection, or any combination thereof. In an embodiment, an input device or an output device from another computing device is/are used as input device(s) 645 or output device(s) 650 for computing device 605.
  • components of computing device 605 are connected by various interconnects, such as a bus.
  • interconnects include one or more of a Peripheral Component Interconnect (PCI), such as PCI Express, a Universal Serial Bus (USB), firewire (IEEE 13104), and an optical bus structure.
  • components of computing device 605 are interconnected by a network.
  • memory 615 in an embodiment comprises multiple physical memory units located in different physical locations interconnected by a network.
  • storage devices used to store computer readable instructions may be distributed across a network.
  • a computing device 655 accessible via a network 660 stores computer readable instructions to implement one or more embodiments provided herein.
  • Computing device 605 accesses computing device 655 in an embodiment and downloads a part or all of the computer readable instructions for execution. Alternatively, computing device 605 downloads portions of the computer readable instructions, as needed. In an embodiment, some instructions are executed at computing device 605 and some at computing device 655.
  • a client application 685 is provided as a thin client application configured to run within a web browser.
  • the client application 685 is provided as an application on a user device. It will be appreciated that application 685 in an embodiment is associated to computing device 605 or another computing device.
  • computing devices 605 and 655 correspond to external system 102 and transformation module 104 respectively, or vice versa.
  • computing devices 605 and 655 correspond to the external system that includes the transformation module 104 and a client of the external system 102 respectively, or vice versa.

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The use of databases and other digital storage systems to store individuals' details, including Personally Identifiable Information (PII), may be insufficiently secured from internal attacks. Disclosed herein is a computer implemented method for transforming personally identifiable information (PII). The method comprises receiving a request to transform the PII, the request including a PII value, a PII type of the PII value, and Requester ID of an external system associated with the PII value. The method further comprises applying an irreversible deterministic process to generate an anonymous value, the deterministic process taking as input the PII value, the PII type and the Requester ID of the external system. The method further comprises transmitting the anonymous value as a transform of the PII.

Description

METHOD AND SYSTEM FOR TRANSFORMING PERSONALLY IDENTIFIABLE INFORMATION
FIELD OF THE INVENTION
The invention relates to techniques for identifying and replacing data values within a digital storage system, particularly for use in replacing personally identifiable information with anonymised values.
BACKGROUND TO THE INVENTION
The use of databases and other digital storage systems to store individuals' details, including Personally Identifiable Information (PII) has proliferated in the past decade.
The ways in which this data is being used has also changed immeasurably, with advertising and marketing becoming increasingly targeted based on the information held.
The risks of identity theft have increased dramatically as many of these databases are accessible via the internet and/or are insufficiently secured from internal attacks. These databases and other digital storage systems include customer databases, human resource databases, patient health records, and prospect databases to name a few.
In recent years, legislation has been put in place to both allow individuals to request that entities remove the individual's PII from all systems and to put limits on how long an entity may retain an individual's PII. Notable examples of this legislation include the General Data Protection Regulation (GDPR; EU legislation) and the California Consumer Privacy Act (CCPA). These are both examples of sovereign legislation in that they apply to citizens and residents of these jurisdictions regardless of the jurisdiction or location the data is held in. The right of a person to request the removal of PII is often called the 'right to be forgotten'.
PII can be defined as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information considered to be PII are available in public sources such as telephone books, public Web sites, and university listings. These types of information are Public PII and include, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. Whether information can be considered PII depends on the probability that an individual can be identified using the information. Non-PII can become PII whenever additional information is made available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.
Transactional information is not considered PII. Examples of transactional information include products purchased, invoicing details, financial records, and support requests.
When a 'request to be forgotten' is submitted, an organisation must remove all relevant PII from their system, but often have other legal and reporting requirements to retain the data that is not considered PII. Simply deleting data can cause other information linked to the deleted record to also be deleted from other areas of the database. This means that non-PII data that an organisation is legally required to retain, or may wish to retain for reporting and analytics purposes, is often also deleted along with the PII data.
A breakdown in referential integrity means that non-PII data is retained but can no longer be linked to a source record, meaning grouping of data (or even the appearance of that data in reports) may no longer be possible. In many systems, deleting data is prohibited to prevent these issues from occurring. Blanking of PII data, or replacing with random data is also not desirable as it may also remove the ability to successfully analyze data. Encrypting PII is not a solution, as the data still remains in the database and can be accessed by anyone with the correct access details (i.e. password or security token of some other form).
It is an object of at least preferred embodiments to address at least some of the aforementioned disadvantages. An additional or alternative object is to at least provide the public with a useful choice.
SUMMARY OF THE INVENTION
In accordance with an aspect, a computer implemented method for transforming personally identifiable information (PII) comprises: receiving a request to transform the PII, the request including a PII value, a PII type of the PII value, and Requester ID of an external system associated with the PII value; applying an irreversible deterministic process to generate an anonymous value, the deterministic process taking as input the PII value, the PII type and the Requester ID of the external system; and transmitting the anonymous value as a transform of the PII.
The term 'comprising' as used in this specification means 'consisting at least in part of'. When interpreting each statement in this specification that includes the term 'comprising', features other than that or those prefaced by the term may also be present. Related terms such as 'comprise' and 'comprises' are to be interpreted in the same manner.
In an embodiment, the method further comprises storing the anonymous value with the PII type of the PII value and the Requester ID of the external system.
In an embodiment, the method further comprises: comparing the anonymous value with a stored anonymous value; and determining that the PII has previously been transformed using the irreversible deterministic process if the comparison matches.
In an embodiment, the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
In an embodiment, the request to transform the PII is received from an external system and the anonymous value is transmitted back to the external system.
In an embodiment, the anonymous value is used to replace all instances of the PII in the external system.
In an embodiment, the PII value comprises a string, number, Boolean or date value.
In an embodiment, the PII type comprises a format type, personal identifier or business identifier.
In an embodiment, the Requester ID comprises a business name, industry type or government organisation type.
In accordance with a further aspect of the invention, a system for transforming personally identifiable information (PII) is configured to: receive a request to transform a PII value, the request includes the PII value, a PII type associated with the PII value, and a Requester ID of an external system; apply an irreversible deterministic process to generate an anonymous value, the deterministic process takes as input the PII value, the PII type and the Requester ID of the external system; and transmit the anonymous value as a transform of the PII.
In an embodiment, the system is further configured to store the anonymous value with the PII type and the Requester ID.
In an embodiment, the system is further configured to: compare the anonymous value with a stored anonymous value; and determine that the PII value has previously been transformed using the irreversible deterministic process if the comparison matches.
In an embodiment, the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred forms of the method for transforming personally identifiable information (PII) will now be described by way of example only with reference to the accompanying figures in which:
Figure 1 shows an example of a method for transforming PII;
Figure 2 shows an example of a method for determining whether PII has previously been anonymised;
Figure 3 shows another example method for determining whether PII has previously been anonymised;
Figure 4 shows an example of a transformation module;
Figure 5 shows an example of an external system including a transformation module; and
Figure 6 shows example computing devices that can be used to implement embodiments of the present invention.
DETAILED DESCRIPTION
Figure 1 shows a computer implemented method 100 for transforming personally identifiable information (PII) that involves an interaction between an external system 102 and a transformation module 104. The external system 102 may comprise an IT or information system of an enterprise or organisation for example. The external system 102 can be operated by an individual or an organisation. The transformation module 104 operates on a server or 'the cloud'. Alternatively, the transformation module 104 can operate within the IT or information system of an individual, enterprise or organisation as part of the external system 102.
Method 100 includes selecting 106 PII to be replaced within the external system 102 at the request of a user. A user may wish to replace PII of an individual from the external system 102 after the individual has left an organisation or unsubscribed from the services of an enterprise operating the external system 102.
Once the relevant PII are selected, the PII value(s), PII type and Requester ID associated with the selected PII are transmitted 108 to the transformation module 104 through a secure API along with a request to transform the PII value(s).
In an embodiment, the PII is stored within a digital storage of external system 102. However, it will be appreciated that there are several locations in which the PII is stored. For example, a user may provide the PII in the request to transform the PII value(s). A business process may query the PII from an external system other than external system 102 in order to initiate the request to transform the PII value(s).
The PII is represented by a PII value that can be a name, phone number, email address or any other information that can be associated with an individual. In addition to the PII value, the PII can also be represented by PII type information associated with the PII value and/or Requester ID of the external system.
The PII type indicates a category of data type that the PII value belongs to. The PII type can indicate a data format, a personal identifier or a business identifier. The data format of the PII value can be a string, number, Boolean or date for example. The personal identifier indicates the type of personal detail in the PII value such as name, email address, phone number, Social Security Number for example. Further, the business identifier indicates the business unit, business division, individual in the business or an account number associated with the PII value.
The Requester ID of the external system is associated with the enterprise or organisation that has requested for the PII to be transformed. The Requester ID of the external system can indicate a business name, business division name or organisation name. The Requester ID can also indicate the industry type of a business or organisation such as finance or healthcare industries for example. The Requester ID can also indicate a government organisation that has requested PII transformation.
In an embodiment, both the PII type and the Requester ID are transmitted 108 in the same request. Different processes may be used for different values. For example, an email address could be transformed using a different process than a phone number. The generated value may also need to fit different criteria for different values. An anonymised value may still need to be in a valid phone number format instead of a long collection of numbers and letters.
As shown in figure 1, transformation module 104 receives 110 the request to transform selected PII from external system 102 that includes PII value(s) and additional PII type information associated with the PII value and Requester ID of external system 102. In another example, the PII type information and requester ID can be optional information that do not have to be transmitted 108 by external system 102 or received 110 by transformation module 104 for the PII value(s) to be transformed.
In an embodiment, transformation module 104 is configured to treat all requests the same regardless of where the PII is stored. Alternatively, transformation module 104 is configured to treat requests differently based on the optionally provided identification information of the requesting system as to whether the PII is stored internally or externally.
The transformation module 104 applies 112 an irreversible deterministic process to generate an anonymous value. In an embodiment, the anonymous value comprises a random collection of numbers and/or letters. The particular combination of numbers and/or letters may vary by the encoding process used to generate the combination. For example, the PII may comprise an email address, the PII type may comprise the value 'email_address', and the requester ID may comprise the name of a company.
The generated anonymised values each correspond to a PII value. The deterministic process takes as input the PII value, the PII type and the Requester ID of the external system 102 and generates each anonymised value based on the specific combination of the corresponding PII value, its PII type and Requester ID. Alternatively, each anonymised value can also be generated based only on the corresponding PII value.
In an example, the anonymous value is a hashed value that is generated in a 'lossy' manner. In other words, some of the original data of the PII have been lost to ensure that the anonymous value cannot be a PII and does not need to be treated like PII.
If an anonymous value is generated using a 'lossless' process that is reversible, the anonymous value would still be PII and would not be anonymous. This is because one can simply reverse the 'lossless' process on the generated anonymous value to obtain a unique PII. For example, if the anonymous value is generated using an encryption instead, the PII used to generate the anonymous value can be easily re-obtained using an encryption key. This would defeat the purpose of generating anonymous values.
In a deterministic process, the generated value is always the same if the combination of input information is the same. In other words, the same anonymised values are always produced for the same combination of PII value, PII type, and requester ID/external system ID. Hashing is a process that converts one or more values to a single value that is unique to that set of data.
In other examples, the irreversible deterministic process can be any other process that generates anonymised values in a 'lossy' manner that results in irreversible values such as a checksum or a jpeg.
The use of PII type and Requester ID information along with the PII value allows transformation module 104 to distinguish between PII values to apply 112 different irreversible deterministic processes on PII values of different PII types and/or external systems 102. In an example, PII values from different external systems 102 with the same PII types can use the same irreversible deterministic process. In another example, the irreversible deterministic process used for a PII value that is a string with a Requester ID of an individual in a specific business differs from the irreversible deterministic process used for another PII value that is a string with a Requester ID of an individual in an industry. In this case, an individual can be a member of the specific business and a member of the industry and provide the same PII value that produces different anonymous values.
The transformation module 104 optionally stores 114 each anonymous value with a corresponding PII type and Requester ID. The anonymous value can also be stored without its corresponding PII type or Requester ID. The stored anonymous value can be used in the future to identify whether or not an individual that has previously requested their PII to be removed is returning to the organisation or the enterprise operating the external system. This will be expanded on further below.
The anonymous value(s) are transmitted 116 back to the external system 102 of the requester as a transform of the PII selected 106 by a user. The anonymous value(s) that are received 118 by the external system 102 are used to replace 120 the PII value(s) that a user selected 106 to be removed or deleted from the external system 102.
In an example, all instances of the selected PII value(s) are replaced by corresponding anonymous value(s). When PII is replaced with its corresponding anonymous value (a hashed value for example), the PII can never be retrieved, yet the database of the external system 102 retains its intrinsic integrity. This allows non-PII data to be retained in its original database structures and allows organisations to meet their legal and regulatory requirements.
In other examples, the generated anonymous value(s) can also be transmitted to any other desired systems or databases. In an embodiment, certain instances of the selected PII value(s) are not replaced by the anonymous value(s). In other words, the user or enterprise determines how the anonymous value(s) are to be used in the external system 102.
Figure 2 shows a method 200 for determining whether PII of an individual has previously been anonymised using transformation module 104 (see figure 1). The identification of a possible previously known individual is initiated when a user provides 206 PII data to the external system 102. The PII data represented by PII value(s), PII type and Requester ID is transmitted 108 to the transformation module 104 as a request to transform the PII. The transformation module 104 receives 110 the request to transform the PII and applies 112 an irreversible deterministic process on the PII value(s), PII type(s) and Requester ID to generate anonymous value(s).
Referring to figure 1, the anonymous value(s) can be stored 114 at the transformation module 104. In figure 2, method 200 compares 214 newly generated anonymous values(s) at step 112 with previously stored anonymous value(s). If 216 the comparison matches, the PII value is determined to have previously been transformed using the irreversible deterministic process. In an example, a match between an anonymous value and a stored anonymous value provides a probability that the corresponding PII have been previously stored.
In another example, the comparison involves matching a combination of newly generated 112 anonymous value(s), corresponding PII types and Requester ID against a combination of stored anonymous value(s), corresponding PII types and Requester ID.
In an embodiment, the combination of PII type, Requester ID and anonymous value is stored together, because the same anonymous value could be generated for different PII types and/or Requester IDs. For example, different divisions within the same company may store the same user email address in different systems. It is desirable to store the email addresses as different entries because they could be associated with different PII and/or different PII requests.
Since the anonymous value(s) are generated using a deterministic process, the comparison 214 between a newly generated anonymous value and a stored anonymous value matches if the combination of PII value, PII type information and Requester ID used to generate each of the two anonymous values are the same. In other words, if the anonymous values match 216, the PII of the individual has previously been anonymised using the transformation module 104.
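As an added example (not code from the patent, whose text names only 'a hashed value' and no particular function), the following Python implements the receive, apply, store and transmit steps 110-116 of figure 1 together with the comparison 214/216 of figure 2. HMAC-SHA256 with a secret key held by the transformation module, the length-prefixed field encoding, the digits-only output rule for the 'phone_number' type, and the names MODULE_KEY and AcmeCorp are this example's assumptions.

```python
import hashlib
import hmac

# Constructed placeholder key for this example. A deployed transformation module
# would load it from a key store and never hand it to the external system.
MODULE_KEY = bytes.fromhex("0f" * 32)


def _encode(requester_id: str, pii_type: str, pii_value: str) -> bytes:
    """Length-prefix every field so that no two (requester, type, value)
    triples can produce the same byte string."""
    out = b""
    for field in (requester_id, pii_type, pii_value):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def anonymise(pii_value: str, pii_type: str, requester_id: str,
              key: bytes = MODULE_KEY) -> str:
    """Irreversible deterministic process (step 112).

    HMAC-SHA256 is this example's choice of 'lossy' function: the same
    (value, type, requester) triple always yields the same output, the output
    cannot be inverted to recover the PII, and a party without the key cannot
    recompute the output for a candidate value in order to test a guess.
    """
    digest = hmac.new(key, _encode(requester_id, pii_type, pii_value),
                      hashlib.sha256).digest()
    if pii_type == "phone_number" and any(c.isdigit() for c in pii_value):
        # Keep a phone-shaped value: the same number of digits as the input,
        # taken from the decimal expansion of the digest. Fewer output symbols
        # means more collisions than the hex form, which is acceptable for a
        # value that is only used for matching and is not assumed unique.
        n = sum(c.isdigit() for c in pii_value)
        return str(int.from_bytes(digest, "big")).zfill(n)[-n:]
    return digest.hex()


class TransformationModule:
    """Receiver 402, deterministic processor 410, storage 412 and comparison
    module 414 folded into one object (figure 4 names, example structure)."""

    def __init__(self, key: bytes = MODULE_KEY) -> None:
        self._key = key
        # Step 114: only the anonymous value with its PII type and Requester
        # ID is retained. No PII is ever written here.
        self._store = set()

    def handle_request(self, pii_value: str, pii_type: str,
                       requester_id: str) -> tuple:
        """Steps 110-116 plus the comparison 214/216 of figure 2.

        Returns (anonymous_value, previously_seen). previously_seen is True
        when the same triple was transformed before, which the external
        system treats as a probable, not certain, returning individual.
        """
        anon = anonymise(pii_value, pii_type, requester_id, self._key)
        entry = (anon, pii_type, requester_id)
        previously_seen = entry in self._store
        self._store.add(entry)
        return anon, previously_seen


if __name__ == "__main__":
    module = TransformationModule()
    print(module.handle_request("j.doe@anemaildomain.com", "email_address", "AcmeCorp"))
    print(module.handle_request("j.doe@anemaildomain.com", "email_address", "AcmeCorp"))
    print(module.handle_request("+64 21 123 4567", "phone_number", "AcmeCorp"))
```

Two design points are worth noting. Putting the Requester ID and PII type inside the hashed message is what makes the same email address yield different anonymous values for different requesters, which is the separation the text asks for between divisions, businesses and industries. The key matters as well: a plain unkeyed hash of a short, guessable value such as an email address is the same for everyone who computes it, whereas with the key held only by the transformation module the recomputation needed to test a candidate value can only be performed through the module, where the access controls and the confirmation step described above apply.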
The external system 102 then performs 218 an appropriate business process. One example of a business process is updating the record of the external system. One example of an update is to re-associate previously stored information with the returning individual.
The previously stored information of the returning individual can be re-associated by supplying the PII again at the external system and matching stored anonymous values with the newly generated anonymous values. In other words, a brute force approach can be used on the PII data supplied by the returning individual to re-associate anonymous values with the returning individual. In an embodiment, the anonymous values do not uniquely identify a specific individual. An anonymous value could match multiple individuals, or could match an unexpected or unintended individual. Such anonymous values therefore do not uniquely identify a specific individual.
It will be appreciated that in some cases the business process will not have enough information to re-associate an individual's data. For example, a match may be found for which a user is prompted to enter additional information that would confirm a match against one or more other anonymised entries. Another example includes a situation where a user is prompted to provide all other PII to recreate their account in its entirety.
If the individual is not previously known or the PII of the individual has not previously been stored in the external system, an appropriate business process may be performed 220. One example of a business process includes creating a new record for the individual at external system 102. A process that includes obfuscation of data will lose data that cannot be recovered. For this reason, anonymous values do not need to be treated like PII. As an alternative to creating a new record for the individual, step 220 may include another business process.
In another example, transformation module 104 also returns information identifying which of the newly generated anonymous values match stored anonymous values and/or identifies a key probability value that the individual associated with the corresponding PII is previously known. The key probability value can prompt the organisation operating external system 102 to confirm with the individual that they have previously stored PII at the external system and/or has had their PII anonymised using transformation module 104. Based on the confirmation, the individual's PII can be used to re-associate past records with the individual or create a new record in external system 102.
Since the anonymous values are not unique (which would also make them PII), matching a combination of anonymized value, PII type, and requesting external system only potentially identifies a possible previously known individual.
Anonymous values may not be unique depending on what is anonymised. For example, multiple subscribers may have the same email address and/or the same home address city. The same anonymised values associated with different PII types and Requester IDs could be associated with different related information or data systems.
Confirmation from the individual or other external system is required to confirm that the anonymized data can indeed be associated to a specific individual.
With reference to figure 3, the newly generated anonymous value(s) are transmitted 116 to external system 102 prior to comparing 316 the newly generated anonymous value(s) against the stored anonymous value(s). If external system 102 has previously replaced PII with anonymous value(s), the anonymous value(s) would have to be stored at the external system. Therefore, the comparison 316 between anonymous values can be carried out at external system 102.
If the anonymous value(s) match 318, then an appropriate business process is performed 320. For example, records of the individual that were previously anonymised may be re-associated with the PII of the returning individual.
On the other hand, if the anonymous value(s) do not match, an appropriate business process is performed 322. For example, a new record may be created for the individual at external system 102.
The methods disclosed above can be used in multiple situations. In a first example, PII are required to be anonymised for the creation of reports for data analysis. In this example, a company uses a third-party agency to perform analytics on their customer and sales data and provides weekly updates to the agency. The company has a policy of not letting third-party agencies access their customers' PII data. To remove PII data as part of their Extract, Transform, and Load (ETL) process, the company selects 106 all relevant PII and transmits 108 a request to transformation module 104 to replace the PII in external system 102, in the form of an analytics database, with anonymous values that are deterministically and irreversibly generated 112.
External system 102, in the form of the company's source databases (CRM and Financial), is left untouched in this process. The customer information and financial information are supplied to the third-party agency with PII removed. The weekly updates can still link all purchases to individuals over time due to the deterministic nature of the anonymised values. Potential duplicates can be recognized in the data at an analytics level because of the deterministic nature of the anonymised values.
In a second example, inactive customer records are required to be removed or deleted.
A customer of a company has been inactive for a period of two years. The company's policy is to remove all customer PII data after two years of inactivity. However, the company does not wish to delete the customer record as it would impact historical reporting and has significant analytical value.
In this case, the company submits the customer's PII to transformation module 104 and receives 118 deterministic anonymised values back that are used to replace 120 PII at external system 102 of the company (e.g., CRMs and Reporting Databases). The company's Privacy Policy requirements continue to be met and the historical reporting continues to function correctly. All non-PII data remains unchanged such as financial details and product purchase details for example.
If the customer re-engages with the company that has removed their PII, the company can transmit 108 a PII transformation request with the customer's PII to the transformation module 204 that responds with a key probability value indicating that the person has likely been a previous customer. The company can then perform the appropriate confirmation to confirm the re-engaged Customer. In some cases, the confirmation may include performing 218, 318 an appropriate business process such as re-associating prior purchasing history and leveraging prior analytical data to optimize their interactions with the returning customer.
In a third example, records of past employees or staff are anonymised. An employee of a company resigns and requests their PII be removed from the HR system 102. The company does not wish to fully delete their records as they contain information such as payroll data and tax information for example that they need to retain for analytical, reporting, and legal purposes. The company transmits 108 the employee's PII to the transformation module 104, and receives 118 deterministic anonymised values 112 back that they use to replace 120 all PII in HR and reporting databases. This allows the company's reporting procedures to continue to function correctly.
If the employee gets rehired at the company, their current PII 206 is transmitted to the transformation module 104 that responds with a key probability value indicating that there is a high chance that the person has been a previous employee. The company performs 218 an appropriate business process such as re-activating the employee's original information, and is able to manage long service entitlements, access previous performance evaluations etc.
Using a hashed approach to anonymised data has a key additional benefit that derives from its deterministic nature. When an individual re-engages with an organisation that has 'forgotten' them, that individual can have their non-PII data relinked to their new interactions.
In a fourth example, J Doe's email j.doe@anemaildomain.com will always yield the same unique hashed value from the irreversible deterministic process. If J Doe interacts with an entity today that they have previously interacted with and subsequently asked to be forgotten by, their newly supplied email address can be hashed and tested against values in the entity's database to see if they have a match on the hashed value. If there is a match, then the entity can safely say they have interacted with the email address j.doe@anemaildomain.com in the past, without retaining any PII in the interim. Further confirmation may be required on the part of the entity to confirm that the email address does in fact belong to J Doe.
Figure 4 shows an example of a transformation module 104. The transformation module may be implemented within a server or the cloud.
The receiver 402 is configured to receive a request to transform a PII value. The request includes the PII value, a PII type associated with the PII value, and a Requester ID of an external system. The deterministic processor 410 is configured to apply an irreversible deterministic process to generate an anonymous value. The deterministic processor takes as input the PII value, the PII type and the Requester ID of the external system. The transmitter 406 is configured to transmit the anonymous value as a transform of the PII.
Storage 412 is configured to store the anonymous value with the PII type and the Requester ID. The comparison module 414 is configured to compare the anonymous value with a stored anonymous value in storage 412. Comparison module 414 is also configured to determine that the PII value has previously been transformed using the irreversible deterministic process if the comparison matches.
Transmitter 406 is configured to signal a match of the comparison between the anonymous value and the stored anonymous value by the comparison module 414, if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
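The following Python example is added here to make the fourth example and the Figure 4 module concrete; it is not code from the application or its inventors. It assumes HMAC-SHA256 under a secret held only by the transformation module as the "irreversible deterministic process" (the page says only "hashed"): the keyed construction keeps the determinism the page relies on while preventing anyone who obtains the stored anonymous values from recovering them by hashing a list of candidate e-mail addresses. The field normalisation, the `AcmeCorp` Requester ID, the sample HR values and the averaging used for the "key probability value" of the rehire example are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Secret held only by the transformation module. Constructed value for this
# example; a deployment would keep it in a KMS/HSM and never hand it to a
# requester, so the stored anonymous values cannot be reversed by guessing.
MODULE_KEY = b"constructed-example-key-do-not-reuse"


def normalise(pii_value: str, pii_type: str) -> str:
    """Canonicalise a PII value so trivially different spellings transform
    identically (assumption: the page does not specify normalisation)."""
    value = pii_value.strip()
    if pii_type in ("email", "name"):
        value = value.casefold()
    return value


def transform(pii_value: str, pii_type: str, requester_id: str) -> str:
    """Irreversible deterministic process over (PII value, PII type, Requester ID).

    HMAC-SHA256 is the assumed 'hashed approach'. Each field is length-prefixed
    so that ("ab", "c") and ("a", "bc") cannot produce the same input bytes.
    """
    parts = (normalise(pii_value, pii_type), pii_type, requester_id)
    message = b""
    for part in parts:
        encoded = part.encode("utf-8")
        message += len(encoded).to_bytes(2, "big") + encoded
    return hmac.new(MODULE_KEY, message, hashlib.sha256).hexdigest()


class TransformationModule:
    """Receiver 402, deterministic processor 410, storage 412, comparison
    module 414 and transmitter 406 of Figure 4, collapsed into one class."""

    def __init__(self) -> None:
        # Storage 412 keeps only the anonymous value with its PII type and
        # Requester ID; the PII value itself is never written anywhere.
        self._storage: Dict[Tuple[str, str, str], bool] = {}

    def handle_request(self, pii_value: str, pii_type: str,
                       requester_id: str) -> Tuple[str, bool]:
        """Return (anonymous value, previously_seen) for one request."""
        anonymous = transform(pii_value, pii_type, requester_id)
        key = (anonymous, pii_type, requester_id)
        seen = key in self._storage  # comparison against stored values
        self._storage[key] = True
        return anonymous, seen

    def match_score(self, fields: Dict[str, str], requester_id: str) -> float:
        """Fraction of supplied PII fields already known for this requester.

        Stands in for the 'key probability value' of the rehire example; the
        page gives no formula, so this simple averaging is an assumption.
        """
        if not fields:
            return 0.0
        hits = sum(
            (transform(value, pii_type, requester_id), pii_type, requester_id)
            in self._storage
            for pii_type, value in fields.items()
        )
        return hits / len(fields)

    def stored_values(self) -> List[Tuple[str, str, str]]:
        """What storage 412 actually holds, for inspection."""
        return list(self._storage)


def forgotten_then_returns() -> Tuple[bool, bool, float]:
    """Walk through the fourth example and the rehire example with
    constructed HR data for a Requester ID of 'AcmeCorp'."""
    module = TransformationModule()
    _, first_seen = module.handle_request("j.doe@anemaildomain.com", "email", "AcmeCorp")
    module.handle_request("J Doe", "name", "AcmeCorp")
    module.handle_request("+64-21-000-0000", "phone", "AcmeCorp")
    # J Doe comes back with a differently capitalised address and a new phone.
    _, second_seen = module.handle_request("J.Doe@AnEmailDomain.com ", "email", "AcmeCorp")
    score = module.match_score(
        {"email": "j.doe@anemaildomain.com", "name": "j doe", "phone": "+64-21-111-1111"},
        "AcmeCorp",
    )
    return first_seen, second_seen, score
```

Because the Requester ID is part of the HMAC input, the same e-mail address transformed for two different requesters yields unrelated anonymous values, so two organisations cannot join their anonymised records on it; that is the property the claims describe with "the combination of PII value, PII type and Requester ID ... are the same".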
Figure 5 shows an example of transformation module 104 implemented within the IT or information system of an individual, enterprise or organisation as part of the external system 102. As shown in Figure 5, comparison module 414 and storage 412 may be implemented within external system 102. Alternatively, comparison module 414 and storage 412 may be within the transformation module 104 when the transformation module 104 is within the external system 102.
Figure 6 shows example computing devices 600. One example is computing device 140 that may be used to implement the transformation module 104, the external system 102 and/or any part of the transformation module 104 or the external system 102. The computing device 140 is an example of a suitable computing device. It is not intended to suggest any limitation as to the scope of use or functionality of the operating environment.
Example computing devices include, but are not limited to, personal computers, server computers, hand-held or laptop devices, mobile devices, multiprocessor systems, consumer electronics, mini computers, mainframe computers, and distributed computing environments that include any of the above systems or devices. Examples of mobile devices include mobile phones, smartphones, tablets, and Personal Digital Assistants (PDAs).
Although not required, embodiments are described in the general context of 'computer readable instructions' being executed by one or more computing devices. In an embodiment, computer readable instructions are distributed via tangible computer readable media.
In an embodiment, computer readable instructions are implemented as program modules. Examples of program modules include functions, objects, Application Programming Interfaces (APIs), and data structures that perform particular tasks or implement particular abstract data types. Typically, the functionality of the computer readable instructions is combined or distributed as desired in various environments.
Shown in figure 6 is a computing device 140 comprising a primary computing device 605 configured to implement one or more embodiments described above. In an embodiment, computing device 605 includes at least one processing unit 610 and memory 615. Depending on the exact configuration and type of computing device, memory 615 is volatile (such as RAM, for example), non-volatile (such as ROM, flash memory, etc., for example) or some combination of the two.
A server 620 is shown by a dashed line notionally grouping processing unit 610 and memory 615 together.
In an embodiment, computing device 605 includes additional features and/or functionality. One example is removable and/or non-removable additional storage including, but not limited to, magnetic storage and optical storage. Such additional storage is illustrated in Figure 6 as storage 625.
In an embodiment, computer readable instructions to implement one or more components provided herein are maintained in storage 625.
In an embodiment, storage 625 stores other computer readable instructions to implement an operating system and/or an application program. Computer readable instructions are loaded into memory 615 for execution by processing unit 610, for example.
Memory 615 and storage 625 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing device 605. Any such computer storage media may be part of device 605.
In an embodiment, computing device 605 includes at least one communication connection 640 that allows device 605 to communicate with other devices. The at least one communication connection 640 includes one or more of a modem, a Network Interface Card (NIC), an integrated network interface, a radio frequency transmitter/receiver, an infrared port, a USB connection, or other interfaces for connecting computing device 605 to other computing devices.
In an embodiment the at least one communication connection 640 includes Bluetooth L.E. components.
In an embodiment, communication connection(s) 640 facilitate a wired connection, a wireless connection, or a combination of wired and wireless connections. Communication connection(s) 640 transmit and/or receive communication media.
Communication media typically embodies computer readable instructions or other data in a "modulated data signal" such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" includes a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
In an embodiment, device 605 includes at least one input device 645 such as a physical keyboard, mouse, pen, voice input device, touch input device, infrared cameras, video input devices, and/or any other input device. Device 605 also includes at least one output device 650 such as one or more displays, speakers, printers, and/or any other output device.
Input device(s) 645 and output device(s) 650 are connected to device 605 via a wired connection, wireless connection, or any combination thereof. In an embodiment, an input device or an output device from another computing device is used as input device(s) 645 or output device(s) 650 for computing device 605.
In an embodiment, components of computing device 605 are connected by various interconnects, such as a bus. Such interconnects include one or more of a Peripheral Component Interconnect (PCI), such as PCI Express, a Universal Serial Bus (USB), firewire (IEEE 13104), and an optical bus structure. In an embodiment, components of computing device 605 are interconnected by a network. For example, memory 615 in an embodiment comprises multiple physical memory units located in different physical locations interconnected by a network.
It will be appreciated that storage devices used to store computer readable instructions may be distributed across a network. For example, in an embodiment, a computing device 655 accessible via a network 660 stores computer readable instructions to implement one or more embodiments provided herein.
Computing device 605 accesses computing device 655 in an embodiment and downloads a part or all of the computer readable instructions for execution. Alternatively, computing device 605 downloads portions of the computer readable instructions, as needed. In an embodiment, some instructions are executed at computing device 605 and some at computing device 655.
In an embodiment, a client application 685 is provided as a thin client application configured to run within a web browser. In an embodiment the client application 685 is provided as an application on a user device. It will be appreciated that application 685 in an embodiment is associated to computing device 605 or another computing device.
In an example, the computing devices 605 and 655 correspond to the external system 102 and the transformation module 104 respectively, or vice versa. In another example, computing devices 605 and 655 correspond to the external system that includes the transformation module 104 and a client of the external system 102 respectively, or vice versa.
Preferred embodiments of the invention have been described by way of example only and modifications may be made thereto without departing from the scope of the invention.

Claims

1. A computer implemented method for transforming personally identifiable information (PII), the method comprising: receiving a request to transform the PII, the request including a PII value, a PII type of the PII value, and Requester ID of an external system associated with the PII value; applying an irreversible deterministic process to generate an anonymous value, the deterministic process taking as input the PII value, the PII type and the Requester ID of the external system; and transmitting the anonymous value as a transform of the PII.
2. The computer implemented method of claim 1, further comprising: storing the anonymous value with the PII type of the PII value and the Requester ID of the external system.
3. The computer implemented method of claim 1, further comprising: comparing the anonymous value with a stored anonymous value; and determining that the PII has previously been transformed using the irreversible deterministic process if the comparison matches.
4. The computer implemented method of claim 3, wherein the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
5. The computer implemented method of any one of the preceding claims, wherein the request to transform the PII is received from an external system and the anonymous value is transmitted back to the external system.
6. The computer implemented method of claim 5, wherein the anonymous value is used to replace all instances of the PII in the external system.
7. The computer implemented method of any one of the preceding claims, wherein the PII value comprises a string, number, Boolean or date value.
8. The computer implemented method of any one of the preceding claims, wherein the PII type comprises a format type, personal identifier or business identifier.
9. The computer implemented method of any one of the preceding claims, wherein the Requester ID comprises a business name, industry type or government organisation type.
10. A system for transforming personally identifiable information (PII) configured to: receive a request to transform a PII value, the request includes the PII value, a PII type associated with the PII value, and a Requester ID of an external system; apply an irreversible deterministic process to generate an anonymous value, the deterministic process takes as input the PII value, the PII type and the Requester ID of the external system; and transmit the anonymous value as a transform of the PII.
11. The system of claim 8, further configured to: store the anonymous value with the PII type and the Requester ID.
12. The system of claim 8, further configured to: compare the anonymous value with a stored anonymous value; and determine that the PII value has previously been transformed using the irreversible deterministic process if the comparison matches.
13. The system of claim 10, wherein the comparison between the anonymous value and the stored anonymous value matches if the combination of PII value, PII type and Requester ID of the external system used to generate each of the two anonymous values are the same.
PCT/IB2022/054417 2021-05-12 2022-05-12 Method and system for transforming personally identifiable information WO2022238948A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
NZ77601721 2021-05-12
NZ776017 2021-05-12

Publications (1)

Publication Number Publication Date
WO2022238948A1 true WO2022238948A1 (en) 2022-11-17

Family

ID=84029503

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2022/054417 WO2022238948A1 (en) 2021-05-12 2022-05-12 Method and system for transforming personally identifiable information

Country Status (1)

Country Link
WO (1) WO2022238948A1 (en)
