JP2007317075A - Apparatus and method for dividing personal information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem of conventional techniques being unable to operate all programs that share an encryption key, until the reproduction of the encryption key and an encrypted identifier is complete, and being unable to change pieces of information that can be coupled together by programs that couple and use pieces of personal information, because a plurality of programs can have only the same encryption key. <P>SOLUTION: Divided pieces of personal information about the same person are given a plurality of respective identifiers and output. Also, data corresponding to each of the identifiers is encrypted by a different key and output. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a database system that handles computerized personal information, and more particularly to a personal information dividing device and a personal information dividing method for dividing and outputting personal information stored in a database.

  The present invention mainly relates to a method of protecting personal information in electronic form. Personal information is information about an individual, and includes information that can identify a specific individual by name, date of birth, and other descriptions, and other information that can be collated with such information. The information subject is a specific individual identified by personal information. In the present invention, electronic personal information is particularly targeted for processing.

  With the increasing social demand for privacy protection, privacy considerations have become essential in corporate information systems that handle personal information. The so-called Personal Information Protection Law (hereinafter referred to as the Protection Law) and related laws and regulations that were fully enforced at least in April 2005 for companies (persons handling personal information), although the objects to be protected and their ideals are not determined as social conventions Compliance is essential.

Article 20 of the Protection Law requires necessary and appropriate measures for safety management, and each ministry and agency provides examples of safety management measures as guidelines. For example, a guideline by the Ministry of Economy, Trade and Industry (Non-Patent Document 1) lists “minimization of access authority granted to employees (users)” as one of the desired technical safety management measures.
One of the methods for realizing “minimization of access authority” is a method for making it possible to access only limited items among items constituting personal information. If every item of personal information is not required for all operations, the original personal information may be divided into items and a database consisting only of items necessary for each operation may be configured. For example, you can use items that can identify individuals such as name and address in the business of shipping invoices, etc., and you can use only items such as service usage history and product purchase history in the billing business that calculates the billing amount. That's fine.

In relation to this method, Patent Document 1 divides items constituting personal information into several item groups, and constructs a personal information database in which the user cannot combine the divided items without permission. Means are disclosed.
The method disclosed in Patent Document 1 is
(1) Dividing personal information of a plurality of information subjects composed of a plurality of item data into item data groups;
(2) An identifier is assigned to each item data group,
(3) Encrypt the identifier to generate an encrypted identifier,
(4) Data in which the encryption identifier of (3) is paired with the item data group of (1) is given to the user.
For the encryption of (3) above, a symmetric key block cipher such as AES is used.
One typical application of the above technology is entrusting a name entry operation. The contractor divides electronic data obtained by scanning a postcard on which personal information including items such as name and address is written into item values according to the prior art 1, and transmits the item value to the contractor. In the contractor, the key puncher converts the item value into text data based on each scanned image with an encryption identifier.
JP 2005-182275 A "Guidelines for the Law on the Protection of Personal Information in the Economic and Industrial Field", [online], October 22, 2004, Ministry of Health, Labor and Welfare, Ministry of Economy, Trade and Industry Notification No. 4, [Search April 27, 2006], Internet <URL: http: //www.meti.go.jp/policy/it_policy/privacy/041012_hontai.pdf>

In Patent Document 1, an encrypted identifier itself is assigned to the divided item data group, and the encryption key is concealed. In the modified example disclosed in Non-Patent Document 1, a serial number corresponding to the encryption identifier is assigned, and a serial number is assigned to the item data group itself to conceal the encryption key and the correspondence table between the encryption identifier and the serial number. The method is shown. In either case, only one encryption key can be used for recombination. Based on the principle of the prior art 1, when the prior art 1 is to be applied in the usage mode assumed by the present invention, the personal information is combined regardless of whether the binary of the encryption key is shared as a file or copied on the memory. The same encryption key is passed to all the programs that are used.
That is, since a plurality of programs have the same encryption key, it is difficult to change information that can be combined in each program that combines and uses personal information.

On the other hand, if the possibility of unauthorized use cannot be excluded, such as when the encryption key is lost, it is necessary to reissue the key. This is the same even if the encryption key is backed up. Reissuing the encryption key also requires processing for reassigning a new encryption identifier to the item data group.
Therefore, the technique of Patent Document 1 has a problem that all programs sharing the encryption key cannot operate until the regeneration of the encryption key and the encryption identifier is completed.

  In an actual information system, a plurality of databases for storing personal information are arranged, and new functions and services are added. Therefore, it is not uncommon to add and modify databases partially. In such an environment where old and new databases are intermingled with the system, it is not enough to limit the possibility of combining with only a limited number of databases, and the consistency of access rights given to items in multiple databases is checked. There is a need.

  However, Patent Document 1 cannot provide a solution for such a problem because of its principle. Although one database can be constructed using Patent Document 1 so that a certain group of items cannot be used at the same time without permission, it is not possible to check duplicate items existing in another database.

The present invention provides a technique for constructing a database in which items are divided in order to realize the principle of minimizing access authority. However, in the present invention, there are a program that accesses and uses a partitioned database via a communication network, and a program that combines and uses data of the same partitioned database, and further assumes a usage mode in which a plurality of each program exists. To do.
In addition, the present invention provides a technique for constructing a divided personal database so that it is difficult to be illegally combined.
That is, in the present invention, the personal information of the same person is divided into two or more data, each data is assigned an identifier and output to the database, and the corresponding data of the identifier is encrypted with asymmetric encryption and output. Means.

The present invention further includes means for checking the access right of each table stored in the database based on the data division definition for dividing the personal information.
As a result, it is possible to check whether or not the data divided using the present invention can be fetched in a state of being joined from another table. Furthermore, it is possible to restrict access to items that can identify individuals such as names and addresses and items that cannot identify individuals such as occupations but are related to privacy, and can be restricted from being used as a single piece of information.
Furthermore, the present invention includes means for assigning two or more identifiers to one piece of divided data and encrypting each identifier corresponding data with a different key.
This makes it possible to combine a set of divided personal information using a plurality of public keys.

The present invention has an effect that a database can be constructed so that a plurality of items of personal information cannot be combined without permission.
According to the present invention, it is possible to provide only necessary item data to an application that uses personal information.

  The system 100 of FIG. 1 shows the basic configuration of the present invention. Reference numeral 101 denotes source data representing personal information before being divided and serves as input data to the present invention.

  The data dividing device 102 divides the source data 101 based on the data division definition 106. The data division definition 106 and the identifier correspondence table public key 105 are data prepared in advance by the system administrator. The division identifier generating apparatus 103 assigns an identifier to each piece of divided data and outputs the divided data 106 and 107 with division identifiers. Further, the identifier correspondence table encryption apparatus 104 encrypts the identifier correspondence data generated by 103 using the identifier correspondence table public key 105 and outputs the encrypted identifier correspondence table 108. In the present invention, the identifier correspondence table encryption apparatus 104 uses an asymmetric block cipher such as an elliptical key cipher.

  Devices 102, 103, and 104 are typically implemented as software. A computer 109 in FIG. 1 illustrates an example of a hardware configuration that implements the system 100. The computer 109 includes a CPU 110, a memory 111 such as a RAM / ROM, a hard disk 112, an input device 113 such as a keyboard and a mouse as a user interface for inputting data, and a liquid crystal display and a cathode ray tube as a user interface for displaying data. A display device 114 such as a display, a communication interface 115 for communicating with other computers, and the like are included.

  The system 200 of FIG. 2 shows Example 1 in the present invention. Each of the personal information DB 201, the data division server 202, the divided personal information DB 203, the combination permission DB 204, the application 205, and the application 206 is a computer connected via a communication interface via a network.

A personal information DB (database) 201 is a database that stores the source data 101. In a typical configuration, 201 is constructed by RDB (relational database) or the like, and stores personal information as a set of record data.
The data division server 201 includes a data division device 102, a division identifier generation device 103, and an identifier correspondence table encryption device 104.
The divided personal information DB 203 is a database that stores data 106 and 107 with identifiers for division. In a typical configuration, 203 is constituted by an RDB or the like, and stores data 106 and 107 as a set of record data.

  The combination permission DB 204 is a database that stores the encrypted identifier correspondence table 108. In a typical configuration, 204 is configured by RDB or the like, and stores the table 108 as a set of record data. However, on the principle of the present invention, the divided personal information DB 203 and the combination permission DB 204 may be the same database.

  The application 205 is an application that refers to each of the data with identifiers for division 106 and 107. However, the record data of the same person in 106 and 107 cannot be combined as that of the same person. The application 206 is an application that references each of the data with identifiers for division 106 and 107.

  The IC card 208 stores the identifier correspondence table private key 207. The identifier correspondence table private key 207 is a key paired with the identifier correspondence table public key 105. The secret key 207 and the public key 105 are used for asymmetric encryption, and the data encrypted with the public key 105 is decrypted using the secret key 207. In the first embodiment, the secret key 207 and the public key 105 are generated in advance using a key generation program outside the system 200, and the secret key 207 is arranged on the IC card 208 and the public key 105 is arranged on the data division server 202. It shall be. The IC card 208 conceals the secret key 207. Due to the configuration of the first embodiment, only the application 206 that can combine the divided data can use the secret key 207. The public key 105 is used by the data division server 202, but unlike the secret key 207, it is not secret information, so it may be known to any computer. Therefore, the public key 208 can be passed to the data partitioning server 202 from the key generation program through the communication network.

  Although the public key 105 and the private key 207 are at least one set based on the principle of the present invention, there may be two or more sets. Key combinations can be prepared for the number of authorities that can execute data combination, for example, the number of users who are allowed to perform combination. Further, in the divided personal information DB 203, the personal information in the table 300 may be divided into three or more tables.

  In the first embodiment, an example will be described in which it is assumed that the table 300 is divided into two pieces of personal information 106 and 107 and the authority to combine the divided pieces of personal information is given to two users A and B. There are two secret keys 207 207A and 207B used by the system 200, which are stored in the IC cards 208A and 208B, respectively. In general, 207A and 207B are different encryption keys. The two public keys 105A and 105B are stored together in the data division server 202. The two public keys 205A and 205B are associated with tables 311 and 312 described later, respectively.

  FIG. 3 shows processing data of the system 200. The table 300 is an example of the source data 101, and one record represents personal information of one information subject. Each record is composed of five items: customer number 301, name 302, address 303, gender 304, and occupation 305. The customer number 301 is a record identifier item, and stores a unique value for each record in the table 300.

  A table 306 is an example of the data 106 with the identifier for division, and includes only items of the name 302 and the address 303 in the data 300. An identifier A308 is an identifier item of a record, and each item value takes a unique value that is different for each record.

  A table 307 is an example of the data 107 with an identifier for division, and includes only items of an address 303, a gender 304, and an occupation 305 in the data 300. Each of the identifier B309 and the identifier C310 is a record identifier item, and in each item, each item value has a unique value that is different for each record. In general, the identifier B309 and the identifier C310 take different values.

  A table 311 is an identifier correspondence table, and is data held internally by the identifier correspondence table encryption apparatus 104. The table 311 holds the correspondence between the identifier A308 in the table 306 and the identifier B309 in the table 307. Note that the item value of the identifier A308 is a random and unique bit string, but in FIG. 3, for the convenience of explanation, it is set as A001, A002, and the like. By using the table 311, items of the same person in the tables 306 and 307, that is, items assigned the same customer number in the table 300 can be combined.

  The table 312 is also an identifier correspondence table like the table 311, but the identifiers holding the correspondence relationship are different, and the correspondence between the identifier A 308 and the identifier C 310 is held.

  The data 311 and 312 are encrypted by the identifier correspondence table encryption device 104 when output to the outside, and stored in the encrypted identifier table 108 in 204. Since the encryption key and the encrypted data are merely a bit string, the figure is omitted in the first embodiment. However, when the encryption identifier table 108A encrypted with the public key 105A for the table 311 is decrypted with the secret key 207A, The same table 311 can be obtained. Similarly, when the encrypted identifier table 108B encrypted with the public key 105B for the table 312 is decrypted with the secret key 207B, the same one as the table 312 can be obtained.

  Tables 313 and 317 are data examples of the data division definition 106. Each table of the data division definition 106 is prepared by the system administrator as permanent data such as a file on the hard disk. The table 313 includes an item name 314 of source data of personal information before division and an item name 315 after division, and the value of each item takes the form of “table name.item name”. In the first embodiment, each item of the table 300 is divided into tables 306 and 307. The item 316 takes TRUE as a value if the source data item acts as an identifier, and takes FALSE if the source data item is not an identifier item. In the first embodiment, the value of the item 316 is TRUE in each record including the customer number of the table 300 corresponding to the identifier item.

  In the first embodiment, the source data is only one table 300, but when two or more tables having the identifier item “customer number” in common are used as the source data, as many tables 313 as the number of source data are prepared. It can respond by doing. At this time, when it is desired to have a common identifier item in different post-division tables, a common identifier item name is set in the post-division item 315.

  In the first embodiment, the customer number in the table 300 can be used as an identifier item in either the table 306 or 307, and the effect of dividing the personal information is the same. For example, when the customer number is copied to the identifier A of the table 306, the identifier item 316 of the record having “table 300. customer number” in the first record of the table 317 is set to FALSE.

  The table 317 defines the configuration of the identifier correspondence table. Each record has a configuration of one identifier correspondence table, and the divided identifier generation apparatus 103 generates an identifier correspondence table according to the table 317. In the first embodiment, the first record indicates that the identifier correspondence table 311 is generated, and that the public key 105A is used for encryption of the identifier correspondence table 311. The second record generates the identifier correspondence table 312 and indicates that the public key 105B is used for encryption.

  Hereinafter, a processing flow of the data dividing server 202 that generates the tables 306, 307, 311 and 312 by dividing the table 300 will be described with reference to FIG. At the time when the processing flow is activated and initialization is performed, each data of the data partition definition 106 and the identifier correspondence table public key 105 is read into the memory. At the time of initialization, random numbers RA, RB, and RC for generating item values of identifier A, identifier B, and identifier C defined as identifier items in table 313 are generated. RA, RB, and RC are different values. These random numbers are used in step 406. In initialization, as many identifier correspondence tables as the number of records in the table 317 are prepared and filled with null values. In the first embodiment, empty tables of the tables 311 and 312 are generated.

  Step 401 is a condition judgment of a loop for dividing all the records in the table described in the pre-division item 314 of the table 313. In the first embodiment, step 402 and subsequent steps are repeated for each record in the table 300 until processing of all the records in the table 300 is completed.

  In step 402, the data dividing device 102 extracts one record from the table 300 and expands all items in the memory. Also, referring to the table 313, in accordance with the post-division item 315, an area on the memory for storing the division result is initialized. In the first embodiment, a temporary storage area for record output to the table 306 is initialized so that the item values of the identifier A, name, and address can be stored. Separately, the identifier B, identifier C, address, gender, occupation The temporary storage area for record output to the table 307 is initialized so that item values can be stored.

  Step 403 is a condition determination for a loop in which all items of the record extracted in step 402 are processed one by one. Step 404 and subsequent steps are repeated until all items have been processed.

  Step 404 is a condition determination for a loop that processes one item. In step 404, the data dividing apparatus 102 refers to the table 313, specifies a record that matches the item name being processed and the pre-division item 314, and repeats step 405 and subsequent steps for each specified record. Hereinafter, a case where the customer number “001” in the first record of the table 300 is processed will be described as an example. Since the item 314 of the table 313 includes three records having “table 300.customer number”, step 405 and subsequent steps are executed for each of the three records matched in 313.

  In step 405, the data dividing apparatus 102 determines whether or not it is an identifier item based on the value of the item 316 constituting the record extracted from the table 313 in step 404. When the item 316 is TRUE, it is determined that the item is an identifier item, and the process proceeds to Step 406.

  In step 406, the division identifier generation apparatus 103 generates an identifier. For example, the customer number “001” in the first record of the table 300 is processed according to the first record of the table 313, and the value of the identifier A of the table 306 is generated. Here, since the item 315 is “Table 306. Identifier A”, the random number RA generated for the identifier A is XORed with the value of the identifier, and the result is input to the hash function to change the value of the identifier A. Generate. In the item 315 of the table 313, even when the table names are different, the same random numbers are used when the item names are the same. In the first embodiment, SHA1 is used for the hash function, and the identifier A has a value of 160 bits. In order to make the explanation easy to understand, the customer number “001” is expressed as “A001” in which the prefix “A” is added to the original value as the value obtained by hash-converting the customer number “001” into the identifier A.

  In step 407, the division identifier generation device 103 stores the generated identifier “A001” in the record output temporary storage area to the table 306.

  In step 408, the division identifier generation apparatus 103 refers to the table 317 and stores the generated identifier A value “A001” in the item 308 of the table 311 and the item 308 of the table 312.

  When processing the customer number “001” in the first record of the table 300, steps 405 to 408 are repeated according to the item 314 of the table 313 by the loop defined in step 404, and the identifier B and identifier C The value of is generated. In step 406, the customer number “001” is hash-transformed using the random number RB to generate the value “B001” of the identifier B, and in step 407, it is stored in the output record on the memory. In step 408, the information is stored in the item 309 of the table 311. However, while steps 407 to 408 are repeated, all of the records in the same record in the table 311 are stored in the corresponding item, and as a result, records “A001” and “B001” are added to the table 311.

  The same applies to steps 406 to 408 for generating the value of the identifier C, and “C001” is stored in the output record on the memory and also stored in the item 310 of the table 312. As a result, in the table 312, records “A001” and “C001” are added.

  On the other hand, if the item 316 referred to in step 405 is FALSE, it is determined that the item is not an identifier item, and the process proceeds to step 409. In the case where the name “Sato” in the first record of the table 300 is processed, the data dividing device 102 stores the name in the temporary storage area for record output to the table 306 based on the post-division item 315 specified in step 404. Store “Sato” in the item.

  As described above, in the loop defined by step 403, processing is executed for each item of one record, and in the inner loop defined by step 404, each item value of one record corresponds to each record in the table 313. Execute the process. When the process is completed for all items read in step 402, step 410 is executed. In step 410, the data in the temporary storage area for record output to the table 306 consisting of the identifier A, name, and address is output to the table 306, and the record is output to the table 307 consisting of the identifier B, identifier C, address, gender, and occupation. The temporary storage area data is output to the table 307.

  In step 410, the output records to the table 306 may be buffered on the memory until a certain number of records are output, and the records may be output in the descending or ascending order of the identifier A. Alternatively, the record set may be rearranged according to either ascending order or descending order of random numbers given to each record in the buffer by the record output means. Since the random number given to each record in the identifier A or the buffer takes a random value, the effect of random sorting by rearrangement can be obtained. This makes it more difficult to infer the correspondence between the records in the tables 306 and 307 from the arrangement order. Similar processing can be performed for output to the table 307.

When the processing from step 402 is executed on all the records in the table 300, the process proceeds to step 411.
If the table 313 is composed of a plurality of tables, step 401 to step 402 are repeated for each table.
In step 411, the identifier correspondence table encryption apparatus 104 encrypts the table 311 using the public key 105A, and outputs the encrypted identifier correspondence table 108A to the combination permission DB 204. The items encrypted in the table 311 are items in which the identifier item 316 is set to TRUE in the table 313. In the first embodiment, both identifier A and identifier B are applicable. When the identifier item 316 of the table 313 is set to FALSE, for example, when the customer number of the table 300 is copied to the identifier A of the table 306, the identifier A is not encrypted and only the identifier B is encrypted. .

Further, the identifier correspondence table encryption apparatus 104 encrypts the table 312 using the public key 105B, and outputs the encrypted identifier correspondence table 108B to the combination permission DB 204.
The processing flow of the data dividing server 202 that generates the tables 306, 307, 311 and 312 has been described above.

  Each of the tables 306 and 307 configured in the first embodiment can be referred to from the application 205, but the records of the same person cannot be combined. On the other hand, the application 206 is the same as the application 205 in a situation where the private key is not obtained. However, when the user A gives the identifier correspondence table private key 207A, the encrypted identifier correspondence data 108A in the combination permission DB. And the table 311 can be obtained. Therefore, when the application 206 has the secret key 207A, it is possible to combine the records of the same person in the tables 306 and 307. Further, when the user B gives the secret key 207B, it is possible to decrypt the table 312 and combine the records of the same person.

  In the first embodiment, since a plurality of identifier correspondence tables can be provided, it is easy to change a record that can be combined for each user by omitting a record related to a specific information subject when generating the identifier correspondence table. For example, if the item value meets a specific condition by referring to the data in the temporary storage area for the table 306 or the data in the temporary storage area for the output 307 in step 411, the identifier of the table 311 or the table 312 is deleted. There can be a method of doing so.

  Further, as an example of modification of the dividing identifier generation apparatus 103, it is also possible to determine identifiers by reading data prepared outside the system 200 instead of generating the identifiers inside the system 200. It is easy in principle. In step 406 described above, an identifier is given by a hash value using a customer number and a random number as keys, but here an identifier input from a file or the like may be given instead. Since an arbitrary identifier can be given, there is an advantage that the existing member ID can be diverted and the system can be easily transferred.

  Further, when the customer number in the table 300 is copied to the identifier A in the tables 306 and 311, the identifier correspondence table 311 and the table 312 can be updated independently. Therefore, even when one of the identifier correspondence tables must be updated by reissuing the key when the key is lost, the application using the other secret key is not affected. For the same reason, in the first embodiment, it is easy to operate the system so that the key expires unless it is periodically updated.

  Further, in the first embodiment, an asymmetric block cipher such as an elliptical key cipher is used for generating the encryption identifier correspondence table 108. Therefore, the key may be known to others when delivered to the data division server 202, and even if the key stored in the data division server 202 is leaked, the encrypted identifier corresponding data 108 that is confidential information is a threat. There is no fear of exposure. Therefore, there is an advantage that the operation of the data dividing server 202 becomes easier as compared with the prior art 1 using a symmetric key.

  If the encryption processing of the encryption identifier correspondence table in step 411 or the speed of the decryption processing in the application 206 becomes a problem, the processing speed can be increased by using a symmetric encryption (common key encryption) such as DES. Can improve. In this case, in the encryption processing in step 411, the identifier correspondence table encryption apparatus 104 first generates a common key such as DES as a session key. The session key is a disposable key. Next, the identifier correspondence table 311 is encrypted with the session key, then the session key is encrypted with the public key 105A, and these two encrypted data are respectively stored in the encrypted identifier correspondence table 108A. The same applies to the encryption processing and output processing of the table 312. In general, symmetric encryption is a faster algorithm than asymmetric encryption, and improvement in processing speed can be expected. In addition, the session key is not stored in a disposable manner, and is protected with a public key even in a communication path. Therefore, the merit of using the asymmetrical encryption described above is not impaired.

  The system 500 of FIG. 5 shows Embodiment 2 of the present invention. In the second embodiment, when personal information that is not divided and managed is mixed in the system, a setting that can avoid the combination restriction set in the divided management is detected, and an alert is output.

  Compared to the first embodiment, an access right check device 501 is added to the data division server 202. Other device configurations are the same as those of the system 200. In addition to the data 106 and 107 output from the data division server 202, the divided personal information DB 203 stores data 503 created by copying the source data 101 by a program external to the system 500. The data replication definition 505 is definition data used when the replication data 503 is created from the source data 101 and is given from outside the system 500. The alert information 504 is an output from the data division server 202.

  FIG. 6 shows processing data of the second embodiment. The table 600 is an example of the duplicated data 503, and stores data obtained by duplicating the data 300. Items 601, 602, 603, 604, and 605 are duplicate items of the items 301, 302, 303, 304, and 305, respectively.

  A table 606 is an example of the data replication definition 505. The source table 607, the source item 606, the replication table 609, and the replication item 610 indicate which item of the data 600 corresponds to each item of the data 300. In the second embodiment, the same item names are used in the table 600 and the table 300 for the sake of simplicity. However, the item names in the table 600 may be different from those in the table 300.

  A table 611 is an example of the access right setting 502. The access right setting 502 is database management information and indicates which application can refer to which table. Although an application name is set in the item 612, a database user name can be used instead of the application. In the second embodiment, it is assumed that all items of the data with partitioning identifiers 106 (table 306) and 107 (table 307) are accessible from all applications.

  Details of the second embodiment will be described below with reference to FIG. FIG. 7 shows a process 700 of the access right check device 501. The process 700 is started by the system administrator after a new setting of the data division definition 106 or when the setting is changed.

  In step 701, the table 313 is read into the memory, and item configurations other than the table identifier defined in the item 315 are listed. In the second embodiment, item sets A = {name, address}, B = {address, gender, occupation} are obtained for each of the tables 306 and 307. However, if the item names are different between the tables 300 and 306 and the tables 300 and 307, each element of the set is replaced with the item name in the table 300. Next, among the items defined in the item 314, a set of items corresponding to the identifier item is listed. In the second embodiment, an identifier item set I = {customer number} is obtained.

  In step 702, an item set A ′ that can be referred to only by the table 306 and an item set B ′ that can be referenced only by 307 are specified. If the product operation of the two sets is x and the difference operation is-, A '= AA-B = {name} and B' = BA-B * {sex, occupation} are obtained.

  In step 703, the table 611 is first referred to, and a table set T other than the data with the partitioning identifier that can be accessed (referenced) by each application is obtained. In the second embodiment, T = {} for the application 205 and T = {table 600} for the application 206.

  Next, steps 705 to 708 are repeated for each application for which T is not empty. The item structure of the accessible table is checked, and the possibility of obtaining the combined data of the tables 306 and 307 is checked.

  First, in step 705, a non-empty table set T = {T1, T2,. . . , Tn} are compared with the items 609 and 610 of the table 606, and the source item 608 of the matching record is listed as an accessible item set C. As a result, item set C1, table T2, item set C2,. . . , Tn, an item set Cn is obtained. In Example 2, only C1 = {customer number, name, address, gender, occupation} is obtained.

  Next, at step 706, item sets C1, C2,. . . , Cn are grouped by identifier items. Identifier item set I = {i1, i2,. . . , Im}. First, C1, C2,. . . , Cn, the item set including the identifier item i1 is specified, and G1 is obtained by the union of all the specified item sets. Next, the item set including the identifier item i2 is specified, and G2 is obtained from the union of all the specified item sets. In this way, G1, G2,. . . , Gm is obtained. G1, G2,. . . , Gm represent a set of items that can be combined using the identifier item as a key. In the second embodiment, since I = {customer number} and C1 = {customer number, name, address, gender, occupation}, only G1 = {customer number, name, address, gender, occupation} is obtained.

  In step 707, G1, G2,. . . , Gm are inspected, and among the combinations of the elements of the item sets A 'and B', those appearing in the item set G are listed as a set D of division violation item sets. In the second embodiment, A '= {name} and B' = {sex, occupation}, so the combination of elements A 'and B' is {name, sex} and {name, occupation}. These are compared with G1 = {customer number, name, address, gender, occupation} and the result is a division violation item set D = {{name, gender}, {name, occupation}}.

  In steps 708 and 709, the access right check device 501 outputs an alert when D is not empty. The meaning of the alert by the device 501 is that data equivalent to the combined data of the data with the partitioning identifier exists in another table. In the second embodiment, the table 612 is an alert. The table 612 is displayed on a screen for a system administrator outside the system 500, for example. The first line of the table 612 indicates that the application 206 can obtain a combination of name and sex from the table 600. Similarly, the second line indicates that the application 206 can obtain a combination of name and occupation from the table 600.

  The above is the processing of the second embodiment. The tables 306 and 307 of the system 500 are originally designed so that combined data of name and gender or name and occupation cannot be obtained for the same person unless the encrypted identifier correspondence table 104 is provided. However, when table data such as the table 600 coexists in the system, the restriction of connection due to division may be avoided. In an actual information system, a plurality of databases for storing personal information are arranged and new functions and services are added. Therefore, it is not uncommon to add and modify databases partially. Even in the case where a personal information database divided in an environment where old and new databases are mixed in the system is constructed and operated in this way, if the second embodiment is used, matching of access rights given to items of a plurality of databases is achieved. It becomes possible to check sex

  The present invention can be used to manage personal information such as employee information, billing information, medical information, and official documents.

It is a figure which shows the basic composition of this invention. It is a system configuration figure of Example 1 of the present invention. It is the processing data in Example 1 of this invention. It is a processing flow of Example 1 of the present invention. It is a system configuration | structure of Example 2 of this invention. It is the processing data in Example 2 of this invention. It is a processing flow of Example 2 of the present invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 System 101 Source data 102 Data dividing device 103 Partition identifier generating device 104 Identifier correspondence table encryption device 105 Identifier correspondence table public key 106 Data partition definition 106 Data with partition identifier 107 Data with partition identifier 111 Memory 112 Hard disk 113 Input device 114 Display device 115 Communication interface 200 System 201 Personal information DB
202 Data division server 203 Division personal information DB
204 DB for binding permission
205 application 206 application 207 identifier correspondence table private key 207 private key 207A private key 207B private key 208A IC card 208B IC card 300 table 301 customer number 302 name 303 address 304 gender 305 occupation 306 table 307 table 308 identifier A
309 Identifier B
310 Identifier C
311 Identifier correspondence table 312 Identifier correspondence table 313 Table 314 Item before division 315 Item after division 316 Identifier item 317 Table 500 System 501 Access right check device 502 Access right setting 503 Duplicate data 505 Data duplication definition 600 Table 601 Duplicate item 606 Source item 609 Replication table 610 Replication item 700 Processing

Claims (10)

In a personal information dividing device for dividing and outputting personal information stored in a database,
Means for inputting personal information of the same person stored in the database; means for inputting a data partition definition describing an item configuration method of the input personal information; and based on the data partition definition, the input Means for dividing the personal information of the same person into two or more records; means for generating and assigning one or more unique identifiers for the divided records of the same person; Means for outputting the assigned record, means for inputting one or more encryption keys, means for configuring a set of identifiers assigned to two or more records of the divided same person as data, Means for encrypting data composed of the corresponding pair of the two or more identifiers with the input encryption key, and means for outputting the encrypted identifier correspondence pair. Personal information division apparatus characterized. In a personal information dividing device for dividing and outputting personal information stored in a database,
Means for inputting a data division definition describing the item configuration method of personal information, means for inputting access right settings of a database storing processed personal information, and copying personal information to a database storing personal information A means for inputting a data replication definition that defines item relationships, and a data partition definition from a table of personal information that can be referred to by each application based on the input data partition definition, access right setting, and data replication definition. A personal information dividing apparatus, comprising: means for extracting a set of items of personal information instructed to be divided and stored; and means for outputting the extracted information. The personal information dividing device according to claim 1,
The means for outputting the record with the identifier is composed of means for temporarily storing the output record in an internal buffer, and means for disturbing the order of record generation by rearranging the record set in the buffer. The order in which the record set is rearranged is ascending order of assigned identifier, descending order of assigned identifier, ascending order of random numbers given to each record in the buffer by the record output means, and random number given to each record in the buffer by the record output means A personal information dividing device characterized by following one of descending orders. In the personal information dividing device according to claim 1 or 3,
A means for generating and assigning a unique identifier to each of the divided records of the same person gives two or more different identifiers to one divided record, and means for configuring a set of identifiers as data Configure the correspondence table with the divided pairs of identifiers,
The means for encrypting data of a set of identifiers encrypts each of the divided records with two or more different identifiers with different encryption keys. In the personal information dividing device according to any one of claims 1 to 4,
The data division definition describing the item configuration method of the input personal information includes a data item before division, an item indicating that the item is an identifier item, definition data including a data item after division, A personal information dividing device comprising: an identifier item that generates and assigns a unique identifier to each of two or more records of the same person divided, and a key identifier for encrypting the identifier correspondence set. . In the personal information dividing device according to any one of claim 1, claim 3, or claim 4,
A personal information dividing device characterized in that the means for encrypting data consisting of a pair of identifiers uses asymmetrical encryption. In the personal information dividing device according to any one of claims 1, 3, 4, and 6,
The means for generating and assigning one or more unique identifiers to each of the divided same person records is such that the values of one or more items of the inputted personal information of the same person satisfy a predetermined condition. In some cases, the personal information dividing device is characterized by giving a null value. In the personal information dividing device according to any one of claims 1, 3, 4, 6, or 7,
The means for generating and assigning at least one unique identifier for each of the divided records of the same person gives an arbitrary identifier inputted by the user. In the personal information dividing method for dividing and outputting the personal information stored in the database,
A step of inputting personal information of the same person stored in the database; a step of inputting a data partition definition describing an item configuration method of the input personal information; and the input based on the data partition definition Dividing the personal information of the same person into two or more records, generating and assigning one or more unique identifiers for each of the divided records of the same person, A step of outputting a given record, a step of inputting one or more encryption keys, a step of configuring a set of identifiers given to two or more records of the same divided person as data, A step of encrypting data consisting of a correspondence set of the two or more identifiers with the inputted encryption key; and the encrypted identifier correspondence set. Personal information division method characterized by comprising the steps of: outputting a. In the personal information dividing method for dividing and outputting the personal information stored in the database,
A step of inputting a data division definition describing a method of configuring personal information items, a step of inputting access right settings of a database storing processed personal information, and a copy of the personal information in a database storing personal information A step of inputting a data replication definition that defines item relationships, and a data partition definition from a table of personal information that can be referred to by each application based on the input data partition definition, access right setting, and data replication definition. A personal information dividing method comprising: extracting a set of items of personal information instructed to be divided and stored in step (a); and outputting the extracted information.

Images