US-12619788-B2 - Information processing apparatus, information processing method, and non-transitory computer readable medium
Abstract
An information processing apparatus includes processing circuitry configured to specify a first consent record that includes an identifier for a first business operator, which identifies the related party and which is assigned exclusively to the first business operator, and consent of the related party allowing the first business operator to execute a first handling of the data of the related party, and detect a related party identifier corresponding to the identifier for the first business operator included in the first consent record; and searching circuitry configured to search the first storage system for a second consent record that includes consent of the related party allowing a second business operator to execute a second handling of the data, wherein the processing circuitry is configured to generate an audit record including a record identifier that identifies the first consent record and information regarding the presence or absence of the second consent record.
Inventors
- TOMOKO YONEMURA
- Tsukasa Omino
- Misaki Komatsu
- Yoshikazu HANATANI
- Yuki Nanjo
Assignees
- KABUSHIKI KAISHA TOSHIBA
Dates
- Publication Date
- 20260505
- Application Date
- 20231106
- Priority Date
- 20230203
Claims (17)
- 1. An information processing apparatus comprising: a processing circuitry configured to specify, from a first storage system storing records relating to at least one of (i) handling of data of a related party and (ii) consent to the handling of the data, a first consent record including (a) a first business-operator-specific identifier, which identifies the related party and which is assigned exclusively to the first business operator, and (b) consent of the related party allowing the first business operator to execute a first handling of the data of the related party, and detect a related party identifier corresponding to the first business-operator-specific identifier included in the first consent record, on the basis of correspondence data in which a related party identifier identifying the related party and having a different value from the first business-operator-specific identifier is associated with the first business-operator-specific identifier; and a searching circuitry configured to search the first storage system, on the basis of the detected related party identifier, to retrieve a second consent record including consent of the related party allowing a second business operator to execute a second handling of the data of the related party, wherein the first handling and the second handling have a relationship such that the first business operator is allowed to perform the first handling of the data only after the second business operator executes the second handling of the data, the processing circuitry is configured to generate, on the basis of presence or absence of the second consent record, an audit record including a record identifier of the first consent record and including information indicating whether the second consent record exists or does not exist, the generated audit record is stored in the first storage system, an audit record including information indicating that the second consent record exists means that the first handling by the first business operator is in a state of being allowed on condition that the second handling has been executed by the second business operator, and an audit record including information indicating that the second consent record does not exist means that, in a situation where the second handling by the second business operator is not allowed, execution of the first handling by the first business operator results in an inconsistency.
- 2. The information processing apparatus according to claim 1, wherein when the second consent record is detected, the processing circuitry is configured to generate the audit record including the record identifier of the first consent record and information indicating that the second consent record exists.
- 3. The information processing apparatus according to claim 1, wherein when the second consent record is not detected, the processing circuitry is configured to generate the audit record including the record identifier of the first consent record and information indicating that the second consent record does not exist.
- 4. The information processing apparatus according to claim 1, wherein the first handling includes the first business operator receiving or acquiring the data from the second business operator.
- 5. The information processing apparatus according to claim 4, wherein the second handling includes the second business operator receiving or acquiring the data from the related party.
- 6. The information processing apparatus according to claim 1, wherein the first business-operator-specific identifier is assigned to a plurality of first business operators and a different value of the first business-operator-specific identifier is assigned to each of the plurality of first business operators.
- 7. The information processing apparatus according to claim 1, further comprising: a receiving circuitry configured to receive a verification request regarding the consistency of a handling execution record indicating that the first business operator executes the first handling of the data, wherein the searching circuitry is configured to search the first storage system for the handling execution record on the basis of the verification request, the processing circuitry is configured to acquire, from the handling execution record, an identifier of a first consent record that includes consent by the related party allowing the first business operator to execute the first handling, the searching circuitry is configured to retrieve, from the first storage system, the first consent record on the basis of the identifier of the first consent record and retrieve, from the first storage system, an audit record including the identifier of the first consent record and information indicating the presence or absence of the second consent record, and the processing circuitry is configured to verify the consistency of the handling execution record on the basis of the first consent record and the audit record.
- 8. The information processing apparatus according to claim 7, wherein the processing circuitry is configured to detect an inconsistency of the handling execution record when at least one of either the first consent record or the audit record including information indicating that the second consent record exists is not detected.
- 9. The information processing apparatus according to claim 7, wherein the processing circuitry is configured to detect an inconsistency of the handling execution record when the first consent record and the audit record including information indicating that the second consent record does not exist are not detected.
- 10. The information processing apparatus according to claim 1, wherein the audit record includes an identifier of an auditor, the information processing apparatus further comprises a receiving circuitry configured to receive a verification request regarding the consistency of the audit record including the identifier of the auditor, and the processing circuitry is configured to acquire, from a second storage system in which a log of operations performed in relation to the generation of the audit record is stored in association with the identifier of the auditor, the log associated with the identifier of the auditor, and verify the consistency of the audit record on the basis of the log.
- 11. The information processing apparatus according to claim 10, wherein the second storage system stores the log of communication related to the audit record, the communication performed between a first apparatus that generates the audit record including the identifier of the auditor and a second apparatus that receives and writes the audit record to the first storage system, and the processing circuitry is configured to verify the consistency of the audit record on the basis of whether or not the reception of the audit record including the identifier of the auditor is included in the log of communication.
- 12. The information processing apparatus according to claim 10, wherein the second storage system stores the log of communication related to the audit record, the communication being performed between a first apparatus that generates the audit record including the identifier of the auditor and a second apparatus that receives and writes the audit record to the first storage system, the searching circuitry is configured to search the first storage system for the audit record including the identifier of the auditor associated with the log of communication, and the processing circuitry is configured to verify the consistency of the audit record according to a result of the search for the audit record.
- 13. The information processing apparatus according to claim 10, wherein the second storage system stores the log of a result of an authentication process for authenticating the auditor performed by a third apparatus that stores the audit record in the first storage system when the authentication process is successful, and the processing circuitry is configured to verify the consistency of the audit record according to whether successful authentication of the auditor is included in the log.
- 14. The information processing apparatus according to claim 1, wherein the processing circuitry is configured to transmit a request for writing the audit record to the first storage system to an apparatus that writes records to the first storage system.
- 15. The information processing apparatus according to claim 1, wherein the first storage system is a blockchain.
- 16. An information processing method comprising: specifying, from a first storage system storing records relating to at least one of (i) handling of data of a related party and (ii) consent to the handling of the data, a first consent record including (a) a first business-operator-specific identifier, which identifies the related party and which is assigned exclusively to the first business operator, and (b) consent of the related party allowing the first business operator to execute a first handling of the data of the related party, detecting a related party identifier corresponding to the first business-operator-specific identifier included in the first consent record, on the basis of correspondence data in which a related party identifier identifying the related party and having a different value from the first business-operator-specific identifier is associated with the first business-operator-specific identifier, searching the first storage system, on the basis of the related party identifier, to retrieve a second consent record including consent of the related party allowing a second business operator to execute a second handling of the data of the related party, wherein the first handling and the second handling have a relationship such that the first business operator is allowed to perform the first handling of the data only after the second business operator executes the second handling of the data, and generating, on the basis of presence or absence of the second consent record, an audit record including a record identifier of the first consent record and information indicating whether the second consent record exists or does not exist, the generated audit record is stored in the first storage system, wherein an audit record including information indicating that the second consent record exists means that the first handling by the first business operator is in a state of being allowed on condition that the second handling has been executed by the second business operator, and an audit record including information indicating that the second consent record does not exist means that, in a situation where the second handling by the second business operator is not allowed, execution of the first handling by the first business operator results in an inconsistency.
- 17. A non-transitory computer readable medium having a computer program stored therein which causes a computer to perform processes comprising: specifying, from a first storage system storing records relating to at least one of (i) handling of data of a related party and (ii) consent to the handling of the data, a first consent record including (a) a first business-operator-specific identifier, which identifies the related party and which is assigned exclusively to the first business operator, and (b) consent of the related party allowing the first business operator to execute a first handling of the data of the related party, detecting a related party identifier corresponding to the first business-operator-specific identifier included in the first consent record, on the basis of correspondence data in which a related party identifier identifying the related party and having a different value from the first business-operator-specific identifier is associated with the first business-operator-specific identifier, searching the first storage system, on the basis of the detected related party identifier, to retrieve a second consent record including consent of the related party allowing a second business operator to execute a second handling of the data of the related party, wherein the first handling and the second handling have a relationship such that the first business operator is allowed to perform the first handling of the data only after the second business operator executes the second handling of the data, and generating, on the basis of presence or absence of the second consent record, an audit record including a record identifier of the first consent record and information indicating whether the second consent record exists or does not exist, the generated audit record is stored in the first storage system, wherein an audit record including information indicating that the second consent record exists means that the first handling by the first business operator is in a state of being allowed on condition that the second handling has been executed by the second business operator, and an audit record including information indicating that the second consent record does not exist means that, in a situation where the second handling by the second business operator is not allowed, execution of the first handling by the first business operator results in an inconsistency.
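The audit procedure of claim 1 and the execution-record verification of claims 7 and 8 can be modelled in a few dozen lines. The following Python is an added illustration, not code from the patent or from Toshiba: the record layouts, the field names, the `(operator, operator-specific id) -> related party id` shape of the correspondence data, the string encoding of handlings, and all sample records are assumptions made for the example. The in-memory store stands in for the "first storage system" (which claim 15 says may be a blockchain); the point it demonstrates is that the audit record is derived from the presence or absence of the provider-side consent, and that a recipient's handling execution record only verifies as consistent when both its consent record and an audit record marking the second consent as present are found.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    record_id: str
    subject_id: str   # identifier of the related party as written in this record
    operator: str     # business operator the consent is granted to
    handling: str     # the handling the related party consents to


@dataclass(frozen=True)
class AuditRecord:
    consent_record_id: str       # record identifier of the first consent record
    second_consent_exists: bool  # presence/absence of the second consent record
    auditor: str                 # auditor identifier (claim 10)


@dataclass(frozen=True)
class HandlingExecutionRecord:
    record_id: str
    operator: str
    handling: str
    consent_record_id: str       # the consent the operator relied on


class ConsentStore:
    """Stands in for the 'first storage system': append-only lists of records."""

    def __init__(self) -> None:
        self.consents: list[ConsentRecord] = []
        self.audits: list[AuditRecord] = []
        self.executions: list[HandlingExecutionRecord] = []

    def consent_by_id(self, record_id: str) -> Optional[ConsentRecord]:
        return next((c for c in self.consents if c.record_id == record_id), None)

    def find_consent(self, subject_id: str, operator: str, handling: str) -> Optional[ConsentRecord]:
        return next((c for c in self.consents if c.subject_id == subject_id
                     and c.operator == operator and c.handling == handling), None)

    def audit_for(self, consent_record_id: str) -> Optional[AuditRecord]:
        return next((a for a in self.audits if a.consent_record_id == consent_record_id), None)

    def execution_by_id(self, record_id: str) -> Optional[HandlingExecutionRecord]:
        return next((e for e in self.executions if e.record_id == record_id), None)


# Assumed shape of the correspondence data: (first operator, operator-specific id)
# maps to the related party id, which deliberately has a different value.
Correspondence = dict[tuple[str, str], str]


def audit_first_consent(store: ConsentStore, correspondence: Correspondence,
                        first_record_id: str, second_operator: str,
                        second_handling: str, auditor: str) -> AuditRecord:
    """Claim 1: resolve the operator-specific id to the related party id, search for
    the second consent record, and store an audit record with presence/absence."""
    first = store.consent_by_id(first_record_id)
    if first is None:
        raise KeyError(f"no consent record {first_record_id}")
    related_party_id = correspondence[(first.operator, first.subject_id)]
    second = store.find_consent(related_party_id, second_operator, second_handling)
    audit = AuditRecord(first.record_id, second is not None, auditor)
    store.audits.append(audit)
    return audit


def verify_execution(store: ConsentStore, execution_record_id: str) -> bool:
    """Claims 7-8: the execution record is consistent only when the consent record it
    names exists and an audit record marks the second consent record as present."""
    execution = store.execution_by_id(execution_record_id)
    if execution is None:
        return False
    first = store.consent_by_id(execution.consent_record_id)
    audit = store.audit_for(execution.consent_record_id)
    return first is not None and audit is not None and audit.second_consent_exists


def build_sample_store() -> tuple[ConsentStore, Correspondence]:
    """Constructed sample data (not from the patent): RP-001 consents to provider OP-B
    acquiring data from them and to recipient OP-A receiving it from OP-B under OP-A's
    own identifier A-7f3c; RP-002 consented to OP-A but never to OP-B."""
    store = ConsentStore()
    correspondence = {("OP-A", "A-7f3c"): "RP-001", ("OP-A", "A-91d0"): "RP-002"}
    store.consents += [
        ConsentRecord("C-1", "RP-001", "OP-B", "acquire_from_subject"),
        ConsentRecord("C-2", "A-7f3c", "OP-A", "receive_from:OP-B"),
        ConsentRecord("C-3", "A-91d0", "OP-A", "receive_from:OP-B"),
    ]
    store.executions += [
        HandlingExecutionRecord("E-1", "OP-A", "receive_from:OP-B", "C-2"),
        HandlingExecutionRecord("E-2", "OP-A", "receive_from:OP-B", "C-3"),
    ]
    return store, correspondence


if __name__ == "__main__":
    store, corr = build_sample_store()
    for cid in ("C-2", "C-3"):
        print(audit_first_consent(store, corr, cid, "OP-B", "acquire_from_subject", "auditor-1"))
    print("E-1 consistent:", verify_execution(store, "E-1"))
    print("E-2 consistent:", verify_execution(store, "E-2"))
```

Run as a script it audits both recipient-side consent records and then verifies the two execution records: E-1 is consistent because RP-001's consent to OP-B exists, while E-2 is flagged because no provider-side consent for RP-002 was found. Note that the recipient's consent records and execution records never carry the related party id, only OP-A's own identifier; the link is made solely through the correspondence data held by the auditing apparatus, which is what keeps per-recipient identifiers unlinkable for anyone who can read the store but not that mapping.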
Description
CROSS REFERENCE TO RELATED APPLICATIONS
This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2023-015632, filed on Feb. 3, 2023, the entire contents of which are incorporated herein by reference.
FIELD
Embodiments herein relate generally to an information processing apparatus, an information processing method, and a non-transitory computer readable medium.
BACKGROUND
According to the law related to the protection of personal information (hereinafter, Act on the Protection of Personal Information), in the acquisition, use, and the like of sensitive personal information, a business handling personal information is requested to acquire consent in advance from the person in question, that is, the owner of the personal data. The consent concerns the purpose of use, the disclosure of personal data to a third party, and the receipt of personal data from a third party. For example, the business handling personal information creates a record related to the consent. When executing a process requiring the consent of the owner, the business handling personal information confirms the existence or non-existence of the consent on the basis of the record. To make the flow of the disclosure of personal data traceable, when providing personal data to a third party, the business handling personal information is requested to make a record related to the disclosure and retain the record for a certain period. For example, the business handling personal information records an indication that personal data has been provided, together with information such as the name of the owner, the consent of the owner, the category of personal data, and the name of the recipient third party.
The third party business handling personal information receiving the personal data is requested to check the background by which the providing business handling personal information acquired the provided personal data, make a record of receiving the personal data, and retain the record for a certain period. For example, the third party provided with the personal data, or in other words, the business operator to act as the party using the personal data, checks the name of the business handling personal information from which the data was provided and the background by which the providing personal information handling business operator acquired the provided personal data, and makes a record of receiving the personal data together with the checked information. To enable verification of processing performed on personal data, a business handling personal information creates records other than a record related to disclosure (disclosure record) and a record related to receipt (receipt record). For example, a business handling personal information creates a record related to the acquisition of personal data (acquisition record), a record related to generation (for example, processing personal data to generate data), and a record related to deletion (deletion record), and retains the records for a certain period. These records are collectively referred to as records related to processing. Acquisition is taken to mean the acquisition (primary acquisition) of personal data from the owner of personal data or a representative, and receipt is taken to mean the acquisition (secondary acquisition) of personal data from the party who acquired the personal data from the individual or representative. However, acquisition and receipt may also be unified into either one, or another expression may be used. 
When personal data is provided to multiple third parties, an identifier of the owner to be included in a record related to consent is changed to a different identifier that uniquely corresponds to each third party and stored, for example. This allows for checking owner consent to the disclosure of personal data to the third parties and a history of disclosure to the third parties, while also reducing disadvantages that may occur in the event of a personal data leak (the collation of leaked personal data with other data).
When a record related to consent before a change and a record related to consent after the change are both stored, a party with access to both records related to consent before and after the change can see from the agreement of items in the records related to consent that the set of identifiers before the change and the set of identifiers after the change correspond as the set of a user (owner) who has consented to the disclosure of personal data to a certain third party. As a result, this could lead to the leaking of a correspondence table of the identifiers before and after the change. Moreover, storing both records related to consent before and after the change could put pressure on storage system capacity.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating an example of a data management system that is an information processing system according to an embodiment; FIG. 2 is a