JP-7855668-B2 - Privacy-protected data sharing system and privacy-protected data sharing device
Inventors
- 野澤 一真
- 中川 智尋
- 佐々木 一也
- 寺田 雅之
Assignees
- 株式会社NTTドコモ
Dates
- Publication Date: 20260508
- Application Date: 20241129
- Priority Date: 20210604
Claims (7)
- A privacy-protecting data sharing system comprising a plurality of devices that each hold user data including a user ID and personal information about the user, wherein each of the devices comprises: an anonymization processing unit that de-identifies the user data and generates anonymized data; an encryption unit that performs a first encryption, using the device's own encryption key, on the anonymized data, and a second encryption, using the device's own encryption key, on the anonymized data received from the other party's device; and an aggregation processing unit that compares the second-encrypted anonymized data with the second-encrypted anonymized data received from the other party's device and aggregates, as the number of target users, the number of items of second-encrypted anonymized data whose user-ID portion, identified on the basis of predetermined structural information of the user data, matches; and wherein the anonymization processing unit extracts user data on the basis of a condition that the personal information is to satisfy and generates anonymized data corresponding to the extracted user data, and, when that condition includes a plurality of conditions, generates grouped anonymized data corresponding to each group of user data whose personal information satisfies each of the plurality of conditions.
- A privacy-protecting data sharing system comprising a plurality of devices that each hold user data including a user ID and personal information about the user, wherein each of the devices comprises: an anonymization processing unit that de-identifies the user data and generates anonymized data; and an encryption unit that performs a first encryption, using a first encryption key held by a first device that is the device itself, on the anonymized data, and a second encryption, using the first encryption key, on first-encrypted anonymized data received from a second device; wherein a third device comprises an aggregation processing unit that compares the second-encrypted anonymized data from the first device with the second-encrypted anonymized data from the second device and aggregates, as the number of target users, the number of items of second-encrypted anonymized data whose user-ID portion, identified on the basis of predetermined structural information of the user data, matches; and wherein the anonymization processing unit extracts user data on the basis of a condition that the personal information is to satisfy and generates anonymized data corresponding to the extracted user data, and, when that condition includes a plurality of conditions, generates grouped anonymized data corresponding to each group of user data whose personal information satisfies each of the plurality of conditions.
- A privacy-protecting data sharing system comprising a plurality of encryption devices that store and encrypt user data including a user ID and personal information about the user, and an aggregation device, wherein each of the encryption devices comprises: an anonymization processing unit that de-identifies the user data and generates anonymized data; and an encryption unit that performs a first encryption, using the device's own encryption key, on the anonymized data, and a second encryption, using the device's own encryption key, on the anonymized data received from the other party's device; wherein the aggregation device comprises an aggregation processing unit that compares the second-encrypted anonymized data received from an encryption device with the second-encrypted anonymized data received from the counterpart device of that encryption device and aggregates, as the number of target users, the number of items of second-encrypted anonymized data whose user-ID portion, identified on the basis of predetermined structural information of the user data, matches; and wherein the anonymization processing unit extracts user data on the basis of a condition that the personal information is to satisfy and generates anonymized data corresponding to the extracted user data, and, when that condition includes a plurality of conditions, generates grouped anonymized data corresponding to each group of user data whose personal information satisfies each of the plurality of conditions.
- The privacy-protecting data sharing system according to any one of claims 1 to 3, wherein the anonymization processing unit further performs processing for privacy protection of the personal information.
- The privacy-protecting data sharing system according to claim 1 or 2, wherein each of the devices further comprises a confidentiality processing unit that performs confidentiality processing on the aggregation result obtained by the aggregation processing unit to generate confidential statistical information.
- The privacy-protecting data sharing system according to claim 3, wherein the aggregation device further comprises a confidentiality processing unit that performs confidentiality processing on the aggregation result obtained by the aggregation processing unit to generate confidential statistical information.
- A privacy-protecting data sharing device comprising: an anonymization processing unit that de-identifies user data including a user ID and personal information about the user and generates anonymized data; an encryption unit that performs a first encryption, using the device's own encryption key, on the anonymized data, and a second encryption, using the device's own encryption key, on the anonymized data received from the other party's device; and an aggregation processing unit that compares the second-encrypted anonymized data with the second-encrypted anonymized data received from the other party's device and aggregates, as the number of target users, the number of items of second-encrypted anonymized data whose user-ID portion, identified on the basis of predetermined structural information of the user data, matches; wherein the anonymization processing unit extracts user data on the basis of a condition that the personal information is to satisfy and generates anonymized data corresponding to the extracted user data, and, when that condition includes a plurality of conditions, generates grouped anonymized data corresponding to each group of user data whose personal information satisfies each of the plurality of conditions.
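The claimed two-device flow, as an added worked example written for this page (not NTT DOCOMO's implementation): each device de-identifies its user IDs into per-condition groups, applies its own key in a first encryption, applies the same key again to the peer's first-encrypted data, and the first device then counts, per group pair, the double-encrypted user-ID values present on both sides. Modular exponentiation in the multiplicative group modulo the prime 2**255 - 19 stands in for the unnamed commutative cipher, the anonymized record is reduced to its user-ID portion, and the group labels and sample records are constructed for the example.

```python
import hashlib
import math
import secrets

# Toy group: p = 2**255 - 19 is prime, so x -> pow(x, k, P) is a bijection on Z_p^*
# when gcd(k, P - 1) == 1: equal IDs always match, distinct IDs never collide. Used
# only so the demo runs on the standard library; deploy with a standard DH group.
P = 2**255 - 19

def hash_to_group(user_id):
    """De-identify a user ID with a keyless hash into Z_p^* (the 'user ID portion')."""
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big") % (P - 1) + 1

def gen_key():
    """Secret exponent coprime to P - 1; each device generates and keeps its own."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and math.gcd(k, P - 1) == 1:
            return k

def anonymize(records, conditions):
    """Extract records by condition and emit grouped de-identified data."""
    return {label: [hash_to_group(uid) for uid, info in records if pred(info)]
            for label, pred in conditions.items()}

def encrypt(key, groups):
    """One encryption pass with a device's own key; sorting hides record order."""
    return {label: sorted(pow(x, key, P) for x in xs) for label, xs in groups.items()}

def aggregate(a_double, b_double):
    """Per group pair, count double-encrypted IDs present on both sides."""
    return {(la, lb): len(set(xa) & set(xb))
            for la, xa in a_double.items() for lb, xb in b_double.items()}

def run_protocol(recs_a, conds_a, recs_b, conds_b, key_a=None, key_b=None):
    key_a, key_b = key_a or gen_key(), key_b or gen_key()
    a1 = encrypt(key_a, anonymize(recs_a, conds_a))  # A: first encryption, sent to B
    b1 = encrypt(key_b, anonymize(recs_b, conds_b))  # B: first encryption, sent to A
    a2 = encrypt(key_b, a1)  # B: second encryption of A's data, returned to A
    b2 = encrypt(key_a, b1)  # A: second encryption of B's received data
    return aggregate(a2, b2)  # A compares H(id)^(kA*kB) values, never raw IDs

# Constructed sample data: company A holds service usage, company B holds store visits.
A_RECORDS = [("u1", {"used": True}), ("u2", {"used": True}),
             ("u3", {"used": False}), ("u4", {"used": False})]
B_RECORDS = [("u1", {"visited": True}), ("u3", {"visited": True}),
             ("u2", {"visited": False}), ("u9", {"visited": True})]
CONDS_A = {"used": lambda i: i["used"], "not_used": lambda i: not i["used"]}
CONDS_B = {"visited": lambda i: i["visited"], "not_visited": lambda i: not i["visited"]}
```

The four counts returned for the sample data are the "used and visited", "used but not visited", "not used but visited" and "neither" cells that the description's aggregation figures enumerate; the sorting inside encrypt is what stops a device from linking the peer's returned double-encrypted items back to the single-encrypted items it sent.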
Description
This disclosure relates to a privacy-protecting data sharing system and a privacy-protecting data sharing device.

When statistical analysis is performed on user data managed in databases on the information processing devices of multiple organizations (devices in the broad sense, including computers and servers; hereinafter simply "devices"), and that user data contains personal information, measures must be taken from the standpoint of privacy protection. As one example of such measures, a technology is known that integrates confidential and non-confidential data while keeping the confidential data confidential, by way of a system configuration with an interface that can handle both confidential and non-confidential data simultaneously (see Patent Document 1 below). A further known technology protects personal information when user data containing personal information is integrated across multiple devices, by applying both reversible and irreversible encryption to the ID of each piece of personal information, which makes it difficult for a third party to recover the original IDs (see Patent Document 2 below).
- Patent Document 1: Japanese Patent Publication No. 2011-081301
- Patent Document 2: Japanese Patent Publication No. 2010-211590

Brief description of the drawings:
- Figure 1 is a diagram illustrating the configuration of a privacy-protecting data sharing system according to an embodiment of this disclosure.
- Figure 2 is a flowchart showing the processes performed in the privacy-protecting data sharing system according to the embodiment of this disclosure.
- Figure 3(a) is a diagram illustrating the generation of anonymized data by Company A's device, and Figure 3(b) is a diagram illustrating the generation of anonymized data by Company B's device.
- Figure 4(a) is a diagram illustrating the grouping of anonymized data by Company A's device, and Figure 4(b) is a diagram illustrating the grouping of anonymized data by Company B's device.
- Figure 5 is a diagram illustrating the encryption of anonymized data by the devices of Company A and Company B.
- Figure 6 is a diagram providing supplementary explanation of the encryption process shown in Figure 5.
- Figure 7(a) is a diagram illustrating the aggregation of the number of users who both used the service and visited the store, (b) the aggregation of the number of users who used the service but did not visit the store, (c) the aggregation of the number of users who did not use the service but visited the store, and (d) the aggregation of the number of users who neither used the service nor visited the store.
- Figure 8 is a diagram explaining the confidentiality process.
- Figure 9 is a diagram illustrating the configuration of the privacy-protecting data sharing system according to a first modified example.
- Figure 10 is a flowchart showing the processes performed in the privacy-protecting data sharing system according to the first modified example.
- Figure 11 is a diagram illustrating the configuration of a privacy-protecting data sharing system according to a second modified example.
- Figure 12 is a flowchart showing the processes performed in the privacy-protecting data sharing system according to the second modified example.
- Figure 13 shows an example of the hardware configuration of each device.

Embodiments of the privacy-protecting data sharing system and privacy-protecting data sharing device of this disclosure are described below with reference to the drawings.

(Configuration of the privacy-protecting data sharing system) As shown in Figure 1, the privacy-protecting data sharing system 1 of this disclosure comprises a plurality of devices 10 (corresponding to the privacy-protecting data sharing devices) that can communicate with each other. As described later, statistical information on the number of target users is generated through cooperation between one of the plurality of devices 10 and the other device. That is, after both the first device and the other device have performed the "generation of anonymized data" and "encryption of anonymized data" described later, the first device, which receives the double-encrypted anonymized data from the other device, performs the "aggregation processing" and "confidentiality processing" to generate the statistical information. Note that, for ease of explanation, Figure 1 shows two devices 10A and 10B, but the system may include three or more devices. In the processing described later, an example is described in which device 10A of Company A operates as "the first device" and device 10B of Company B operates as "the other device"; however, every device 10 has the same functional block configuration described later and may operate either as "the first device" or as "the other device". Furthermore, each device 10 stores user data, including a "user ID" and "personal information" about the user, in an internal memory (not shown). While the "user ID" is in a common data format across all devices, the "personal information" is not nec