(19)
(11)EP 3 136 284 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
18.03.2020 Bulletin 2020/12

(21)Application number: 16180105.5

(22)Date of filing:  19.07.2016
(51)Int. Cl.: 
G06F 21/62  (2013.01)
H04L 29/06  (2006.01)

(54)

PERSONAL INFORMATION ANONYMIZATION METHOD, PERSONAL INFORMATION ANONYMIZATION PROGRAM, AND INFORMATION PROCESSING APPARATUS

VERFAHREN ZUR ANONYMISIERUNG PERSÖNLICHER INFORMATIONEN, PROGRAMM ZUR ANONYMISIERUNG PERSÖNLICHER INFORMATIONEN UND INFORMATIONSVERARBEITUNGSVORRICHTUNG

PROCÉDÉ ET PROGRAMME D'ANONYMISATION D'INFORMATIONS PERSONNELLES ET APPAREIL DE TRAITEMENT D'INFORMATIONS


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 31.08.2015 JP 2015171057

(43)Date of publication of application:
01.03.2017 Bulletin 2017/09

(73)Proprietor: FUJITSU LIMITED
Kawasaki-shi Kanagawa 211-8588 (JP)

(72)Inventors:
  • Hamamoto, Masahiro
    Osaka, 540-8514 (JP)
  • Matsune, Shinji
    Osaka, 540-8514 (JP)
  • Yoshida, Takao
    Osaka, 540-8514 (JP)

(74)Representative: Hoffmann Eitle 
Patent- und Rechtsanwälte PartmbB Arabellastraße 30
81925 München
81925 München (DE)


(56)References cited: : 
WO-A1-2014/109277
US-A1- 2014 189 858
WO-A1-2014/181541
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD



    [0001] The embodiments discussed herein are related to a personal information anonymization method, a personal information anonymization program, and an information processing apparatus.

    BACKGROUND



    [0002] Recently, due to wide use of cloud computing and diversification of businesses and communication devices such as smart phones, information accumulated by an on-premise system (by a computer system within an enterprise) has been accumulated and utilized by an external system, which does not belong to the enterprise or its organization.

    [0003] The information may include customers' information and personal information. On the other hand, in a business operation, an operation in the cloud computing, or the like, in a case of a purpose of using information, by laws and guidelines, including the Act on the Protection of Personal Information (so-called "Personal Information Protection Act"), there is obligation to properly process the information so as not to identify a certain person.

    [0004] Also, regarding the Law about the protection of the personal information and the Law to revise a part of the law about the number use to distinguish the authorized individual in the administrative procedure (the 189th 2015 Diet under discussion) in Japan, the following contents have been under discussion. If the information is processed to be in a state in which the person is not easily specified, that is, is anonymized, with an aim to further utilize information by an Information and Communication Technology, the information may be provided to a third party without permission of the person.

    [0005] In a view of anonymizing and using data, a technology and the like have been known to receive various kinds of k-anonymized data from multiple data providing agents and to evaluate whether the received k-anonymized data are acceptable.

    [Patent Documents]



    [0006] 

    Japanese Laid-open Patent Publication No. 2014-71618

    Japanese Laid-open Patent Publication No. 2014-86037



    [0007] Document WO 2014/109277 A1 describes an information processing device including a cluster information acquisition unit which acquires information indicating a cluster which is a set of records in an anonymized state in which at least a portion of attribute values of set-valued attributes, which can include one value or a plurality of values included in the records, is removed from the cluster which is a set of records including an attribute value so that the cluster satisfies a predetermined anonymity; and a set-valued attribute refinement unit which discloses at least a portion of attribute values from among removed attribute values of the set-valued attributes of records included in the cluster acquired by the cluster acquisition, and divides the cluster into clusters which satisfy the predetermined anonymity based on the disclosed attribute values.

    SUMMARY



    [0008] The object of the present invention is solved by the independent claims where advantageous embodiments are described in the dependent claims.

    [0009] According to one example, there is provided a personal information anonymization method, including classifying each of a plurality of data including personal information into any one of a plurality of groups based on a degree of commonality of the personal information; performing, for each of the groups, an anonymization process that standardizes the personal information of each of data belonging to each of the groups; calculating, for each of the groups, a total number of the data belonging to each of the groups; calculating, for each of the groups, a ratio of the total number of the data belonging to each of the groups with respect to a total number of data in the plurality of data; and outputting, as a recommended value for an anonymization, the total number of data belonging to the group of a highest ratio among the calculated ratios respective to each of the groups.

    BRIEF DESCRIPTION OF DRAWINGS



    [0010] 

    FIG. 1 is a diagram illustrating a network configuration of an anonymization system in an embodiment;

    FIG. 2 is a diagram illustrating a hardware configuration of a server;

    FIG. 3 is a diagram illustrating a hardware configuration of a client terminal;

    FIG. 4 is a flowchart for briefly explaining an entire process in the anonymization system;

    FIG. 5 is a diagram illustrating examples of functional configurations of the client terminal and the server;

    FIG. 6 is a diagram illustrating an anonymization process;

    FIG. 7 is a diagram for explaining an evaluation target information generation process;

    FIG. 8 is a diagram illustrating an example of an evaluation result screen displayed at the client terminal;

    FIG. 9 is a diagram for explaining a second graph process;

    FIG. 10 is a diagram illustrating an example of a bar graph;

    FIG. 11 is a diagram for explaining an ambiguity process; and

    FIG. 12 is a diagram illustrating an update example of statistics information by the ambiguity process.


    DESCRIPTION OF EMBODIMENTS



    [0011] Regarding a related technology, there is a view that protection from specifying individuals is not assured by anonymized data. In a current state, the anonymized data are approved by being visually observed by a well-informed person or by being verified by a third party committee set up in the organization.

    [0012] At a final stage, the well-informed person evaluates the anonymized data. An objective evaluation is difficult. In addition, in a case in which a huge amount of data such as Big Data or the like is subject to use, a large amount of time is consumed with expertise to confirm whether the data are anonymized as desired.

    [0013] At the final stage of an anonymity evaluation by the well-informed person, it is not easy to comprehend to what degree the data are anonymized or to comprehend information pertinent to non-anonymized data.

    [0014] In an embodiment describe below, the anonymized data are easily evaluated.

    [0015] Preferred embodiments of the present invention will be described with reference to the accompanying drawings. An anonymization system in an embodiment will be described, in which personal information is anonymized and evaluated. FIG. 1 is a diagram illustrating a network configuration of the anonymization system in the embodiment. In an anonymization system 1000, a server 100, and multiple client terminals 3 are connected via a network 2. The personal information corresponds to information related to a specific individual. In the embodiment, an anonymization process includes at least one of a process for preventing from specifying the individual and a process for preventing from differentiating individuals.

    [0016] The server 100 includes an anonymization part 40 that anonymizes data (which may be the personal information) provided from each of the client terminals 3, and performs the anonymization process to report an anonymization degree to each of the client terminals 3.

    [0017] The client terminal 3 uses a service, which is provided by the server 100 to anonymize the personal information, and acquires, from the server 100, an anonymized file 1b, which the server 100 has anonymized from a non-anonymized file 1a. The non-anonymized file 1a includes items, which are other than an individual name and subject to be used. The embodiment will be described in which an entity of the non-anonymized file 1a is retained inside the client terminal 3. The embodiment is not limited to this configuration. Alternatively, the entity of the non-anonymized file 1a may be externally maintained.

    [0018] In the anonymization system 1000, an exchange between the client terminal 3 and the server 100 will be briefly described in a case of anonymizing the personal information. The client terminal 3 connects to the server 100 via the network 2. After that, the client terminal 3 has the server 100 conduct the anonymization process corresponding to a desired anonymization degree (k value) via the network 2. In the following, procedures will be described.

    <Procedure 1>



    [0019] The client terminal 3 sends an anonymization condition setting request 8a including an anonymization condition (including the k value), which is indicated by a user and corresponds to the non-anonymized file 1a, to the server 100. The server 100 sets the anonymization condition in response to the anonymization condition setting request 8a of the client terminal 3.

    <Procedure 2>



    [0020] In response to an operation of the user indicating the non-anonymized file 1a to anonymize the non-anonymized file 1a, the client terminal 3 sends an anonymization execution request 8b to the server 100. The server 100 performs the anonymization process by the k value indicated by the anonymization condition, which the client terminal 3 sets with respect to the non-anonymized file 1a, in response to the anonymization execution request 8b.

    <Procedure 3>



    [0021] The client terminal 3 sends an anonymization evaluation request 8c to the server 100. In response to the anonymization evaluation request 8c, the server 100 evaluates an anonymization state based on a result from performing the anonymization process, that is, by using the anonymized file 1b. In the embodiment, the server 100 provides evaluation information 1c with respect to the anonymized file 1b.

    [0022] By providing the evaluation information 1c, the following one or more graphs are displayed at the client terminal 3:
    • a circle graph representing a ratio for each of k values
    • a bar graph representing a ratio for each of combinations of anonymization items.

    <Procedure 4>



    [0023] The client terminal 3 sends an ambiguity request 8d of the anonymization result to the server 100 in response to an operation for making the anonymized file 1b ambiguous after the evaluation information 1c is displayed. The ambiguity request 8d includes an expected k value 1d.

    [0024] The server 100 makes the anonymized file 1b ambiguous in accordance with the expected k value 1d indicated by the ambiguity request 8d. An ambiguity process for making the anonymized file 1b ambiguous is regarded as a process, which copies or sanitizes the personal information of the anonymized file 1b acquired as a result of the anonymization process as if the expected k value 1d indicated by the ambiguity request 8d is satisfied.

    <Procedure 5>



    [0025] The client terminal 3 sends a condition review request 8e to the server 100 in response to an operation for reviewing the anonymization process by the user. When receiving the condition review request 8e, the server 100 calculates a recommended k value 1e based on the evaluation information 1c and sends the recommended k value 1e to the client terminal 3.

    <Procedure 6: >



    [0026] When receiving the recommended k value 1e, the client terminal 3 sends the anonymization condition setting request 8a indicating the recommended k value 1e to the server 100, and repeats the above described procedures 1 to 5.

    [0027] As described above, in the embodiment, the server 100 provides the evaluation information 1c indicating to what degree the anonymized file 1b realizes anonymity. Based on the evaluation information 1c, the anonymity of the anonymized file 1b and/or a review of the anonymization process is performed.

    [0028] The k value indicates a state in which k individuals are not specified respectively by k sets of the personal information (corresponding to k records) in the anonymized file 1b. The k value corresponds to a number of the individuals who are not specified in each of groups (a number of records in which the individuals are not specified) for each of combinations of the anonymization items. On the other hand, when the sets of the personal information (the records) are less than k sets (the k records), the individuals may be specified. The anonymization item is regarded as an item of which a value is anonymized in the non-anonymized file 1a.

    [0029] The anonymization of k=2 is to anonymize data file impossible to specify more than one individual from more than one set of the personal information. Only information common among all sets of the personal information for the more than one individual is retained, and information, which is not common, is sanitized. In this case, there is a group, to which only one individual belongs, in the anonymized file 1b.

    [0030] The anonymization of k=3 to anonymize data indicates to anonymize the data file impossible to specify more than two individuals from more than two sets of the personal information. Only information common among all sets of the personal information for the more than two individuals is retained, and information, which is not common, is sanitized. In this case, there is at least one of a group to which two individuals belong and in which each of the two individuals is not specified, and a group to which only one individual belongs. The k value may indicate a common degree among multiple sets of the personal information.

    [0031] In the embodiment, with respect to the anonymized file 1b acquired by anonymizing the personal information, the records are classified into the groups by common portions in the multiple sets of the personal information, and a ratio of the number of the records in each of the groups is acquired with respect to a total number of the records of the anonymized file 1b. Then, the graph is displayed to indicate the ratio for each of the k values and/or the ratio for each of the common portions. Hence, it is possible to easily conduct an anonymization result.

    [0032] The server 100 conducting the anonymization process includes a hardware configuration as illustrated in FIG. 2. FIG. 2 is a diagram illustrating the hardware configuration of the server. In FIG. 2, the server 100 is regarded as an information processing apparatus controlled by a computer, and includes a Central Processing Unit (CPU) 11a, a main storage device 12a, an auxiliary storage device 13a, an input device 14a, a display device 15a, a communication InterFace (I/F) 17a, and a drive device 18a, which are mutually connected via a bus B1.

    [0033] The CPU 11a corresponds to a processor that controls the server 100 in accordance with a program stored in the main storage device 12a. The main storage device 12a includes a Random Access Memory (RAM), a Read Only Memory (ROM), and the like, and stores or temporarily stores the program to be executed by the CPU 11a, data used in a process of the CPU 11a, data acquired in the process of the CPU 11a, and the like.

    [0034] A Hard Disk Drive (HDD) or the like is used as the auxiliary storage device 13a, and stores data such as programs for various processes, and the like. A part of the program stored in the auxiliary storage device 13a is loaded to the auxiliary storage device 13a, and is executed by the CPU 11a to realize the various processes. A storage part 130a corresponds to the main storage device 12a and/or the auxiliary storage device 13a.

    [0035] The input device 14a includes a mouse, a keyboard, and the like, and is used by a server administrator to input various information items for the processes conducted by the server 100. The display device 15a displays multiple information items under control of the CPU 11. The input device 14a and the display device 15a may be formed as an integrated user interface such as a touch panel or the like. The communication I/F 17a controls communications such as wired or wireless communications through a network. The communication I/F 17a is not limited to the wired or wireless communications.

    [0036] The program realizing a process conducted by the server 100 in the embodiment may be provided to the server 100 with a recording medium 19a such as a Compact Disc Read-Only Memory (CD-ROM).

    [0037] The drive device 18a interfaces between the recording medium 19a (which may be the CD-ROM or the like) set to the drive device 18a and the server 100.

    [0038] Also, respective programs realizing various processes according to the embodiment described below are stored in the recording medium 19a. The programs stored in the recording medium 19a are installed to the server 100 through the drive device 18a. After being installed, the programs become executable in the server 100.

    [0039] The recording medium 19a storing the programs is not limited to the CD-ROM, and may be a computer-readable, non-transitory, and tangible medium. As the computer-readable recording medium, the recording medium 19a may be a Digital Versatile Disk (DVD), a Universal Serial Bus (USB) memory, and a semiconductor memory such as a flash memory may be used as well as the CD-ROM.

    [0040] FIG. 3 is a diagram illustrating a hardware configuration of the client terminal. In FIG. 3, the client terminal 3 may be an information processing terminal controlled by the computer such as a tablet terminal, a mobile terminal, or the like, and includes a Central Processing Unit (CPU) 11b, a main storage device 12b, a user I/F 16b, a communication I/F 17b, and a drive device 18b, which are mutually connected via a bus B2.

    [0041] The CPU 11b corresponds to a processor controlling the client terminal 3 in accordance with a program stored in the main storage device 12b. The RAM, the ROM, and the like may be used as the main storage device 12b, and store or temporarily store the program to be executed by the CPU 11b, data used in a process of the CPU 11b, data acquired in the process of the CPU 11b, and the like. The program stored in the main storage device 12b causes the CPU 11b to perform various processes.

    [0042] The user I/F 16b displays various information items under control of the CPU 11b. The user I/F 16b may be a touch panel or the like enabling the user to conduct input operations and the like. The communication I/F 17b is not limited to the wireless or wired communications.

    [0043] The program realizing the process conducted by the client terminal 3 may be downloaded from an external apparatus through the network 2. Alternatively, the program may be stored beforehand in the main storage device 12b or a recording medium 19b of the client terminal 3. A storage part 130b corresponds to the main storage device 12b and/or the auxiliary storage device.

    [0044] The drive device 18b interfaces a recording medium 19b (which may be a Secure Digital (SD) memory card or the like) set to the drive device 18b and the client terminal 3. The recording medium 19b may be a computer-readable, non-transitory, and tangible medium.

    [0045] The client terminal 3 may be a desktop terminal, a notebook terminal, a laptop terminal, a mobile terminal, or the like.

    [0046] FIG. 4 is a flowchart for briefly explaining an entire process in the anonymization system. Referring to FIG. 4, in the anonymization system 1000, when receiving a setting of the anonymization condition from the user, the client terminal 3 sends the anonymization condition setting request 8a to the server 100 (step S61). The server 100 stores the anonymization condition indicated by the anonymization condition setting request 8a.

    [0047] After that, the client terminal 3 sends the anonymization execution request 8b to the server 100 in response to an operation of the user to conduct the anonymization process (step S62). The server 100 conducts the anonymization process with respect to the non-anonymized file 1a indicated by the anonymization execution request 8b.

    [0048] After that, the server 100 generates the evaluation information 1c by totaling the number of records for each of the k values (k=1, 2, 3, ...) of the anonymized file 1b (step S63). The evaluation information 1c being generated is displayed by the circle graph or the bar graph at the user I/F 16b of the client terminal 3.

    [0049] At the client terminal 3, it is determined in response to the operation of the user whether the user selects auto-ambiguity, after the evaluation information 1c is displayed (step S64). When the auto-ambiguity is selected (YES of step S64), the client terminal 3 sends the ambiguity request 8d to the server 100. The server 100 conducts a process to improve anonymity of the anonymized file 1b in accordance with the expected k value 1d of the user (step S65).

    [0050] On the other hand, when the auto-ambiguity is not selected (NO of step S64), the client terminal 3 determines whether a condition review is selected (step S66). When the condition review is selected (YES of step SS66), the client terminal 3 sends the condition review request 8e to the server 100. The server 100 sends the recommended k value 1e to the client terminal 3. After that, at the client terminal 3, the processes described above are repeated from step S61 in order of the anonymization process in which the recommended k value 1e is set as the anonymization condition.

    [0051] On the other hand, when the condition review is not selected (NO of step S66), the entire process is terminated in the anonymization system 1000. That is, the client terminal 3 receives the anonymized file 1b from the server 100. The personal information being anonymized is used under control of the user.

    [0052] Next, examples of functional configurations of the client terminal 3 and the server 100 will be described in the anonymization system 1000. FIG. 5 is a diagram illustrating the examples of functional configurations of the client terminal and the server.

    [0053] First, a functional configuration of the server 100 will be described. In FIG. 5, the server 100 includes an anonymization part 40 that anonymizes the personal information in the non-anonymized file 1a, which the client terminal 3 indicates, in response to the anonymization execution request 8b.

    [0054] The anonymization part 40 further includes a condition setting part 41, a data anonymization part 42, an evaluation target information generation part 43a, a first graph process part 43b, a second graph process part 43c, an ambiguity process part 44, and a condition review part 45. The parts 41, 42, 43a, 43b, 43c, 44, and 45 are realized by corresponding processes, which the program installed into the server 100 causes the CPU 11a of the server 100 to perform.

    [0055] In the server 100, the storage part 130a stores anonymity condition setting information 51, the anonymized file 1b, evaluation target information 53a, first evaluated information 53b, second evaluated information 53c, statistics information 59, and the like.

    [0056] The condition setting part 41 receives the anonymization condition setting request 8a sent from the client terminal 3 through the communication I/F 17a, and conducts a condition setting process to set the anonymity condition setting information 51 indicating the anonymization condition indicated in the anonymization condition setting request 8a. The anonymization condition includes the k value, more than one combination of the anonymization items, and the like. After storing the anonymity condition setting information 51, the condition setting part 41 sends a setting completion notice to the client terminal 3.

    [0057] The data anonymization part 42 receives the anonymization execution request 8b sent from the client terminal 3 through the communication I/F 17a, and performs the anonymization process in accordance with the anonymity condition setting information 51 stored in the storage part 130a with respect to the non-anonymized file 1a indicated in the anonymization execution request 8b. After performing the anonymization process, the data anonymization part 42 sends an execution completion notice to the client terminal 3 through the communication I/F 17a.

    [0058] The anonymization process may be called "k- anonymization process", which anonymizes each set of the personal information in the non-anonymized file 1a not to specify the individuals being less than or equal to k different persons from the personal information in accordance with the anonymization condition defined beforehand.

    [0059] The evaluation target information generation part 43a preforms an evaluation target information generation process. In the evaluation target information generation process, the evaluation target information generation part 43a receives the anonymization evaluation request 8c sent from the client terminal 3 through the communication I/F 17a, and generates the evaluation target information 53a by grouping the personal information in the anonymized file 1b for each of the combinations of values of the anonymization items. The evaluation target information 53a is stored in the storage part 130a.

    [0060] The evaluation target information generation part 43a performs the evaluation target information generation process that classifies the sets of the personal information into the groups for each of the values of the anonymization items, and generates the evaluation target information 53a. The evaluation target information generation part 43a acquires the k value from the number of sets of the personal information (that is, the number of the records) for each of the groups, and acquires the statistics information 59 by calculating the ratio with respect to the total number of the sets of the personal information (that is, the number of the records) of the anonymized file 1b for each of the groups. By the statistics information 59, the k value, the ratio, and the like are indicated for each of the groups.

    [0061] The first graph process part 43b performs a first graph process. In the first graph process, the first graph process part 43b creates the first evaluated information 53b indicating the ratio for each of the k values by using the statistics information stored in the storage part 130a, and stores the first evaluated information 53b in the storage part 130a. The first graph part 43b creates a circle graph 33b based on the first evaluated information 53b, and sends the evaluation information 1c indicating the created circle graph 33b to the client terminal 3 through the communication I/F 17a.

    [0062] The first evaluated information 53b may be included in the evaluation information 1c. Alternatively, at the client terminal 3, the circle graph 33b may be drawn based on the first evaluated information 53b, and may be displayed at the user I/F 16b.

    [0063] The second graph process part 43c performs a second graph process. In the second graph process, the second graph process part 43c creates the second evaluated information 53c indicating the ratio for each of the k values by using the statistics information 59a stored in the storage part 130a, and stores the second evaluated information 53c in the storage part 130a. The second graph process part 43c creates a bar graph 33c based on the second evaluated information 53c, and sends the evaluation information 1c indicating the created bar graph 33c to the client terminal 3 through the communication I/F 17a.

    [0064] The evaluation information 1c may include the second evaluated information 53c. Alternatively, at the client terminal 3, the bar graph 33c may be drawn based on the second evaluated information 53c, and may be displayed at the user I/F 16b.

    [0065] At the client terminal 3, the user may select the circle graph 33b, the bar graph 33c, or both the circle graph 33b and the bar graph 33c as the evaluation target information 53, and a user's selection is indicated in the anonymization evaluation request 8c.

    [0066] The ambiguity process part 44 receives the ambiguity request 8d sent from the client terminal 3 through the communication I/F 17a, and performs the ambiguity process. In the anonymization process, the ambiguity process part 44 specifies the records belonging to the groups satisfying less than the expected k value 1d indicated by the ambiguity request 8d from the anonymized file 1b, and makes the personal information in the records ambiguous. By the ambiguity process, there is no personal information being less than the expected k value 1d in the anonymized file 1b.

    [0067] After the ambiguity process, the ambiguity process part 44 calculates the k value and the ratio for each of the groups, again, updates the statistics information 59, and sends an ambiguity completion notice to the client terminal 3 through the communication I/F 17a. The updated statistics information 59 may be sent to the client terminal 3. Alternatively, the client terminal 3 may send an update request of the evaluation information 1c to the server 100. In this case, the server 100 provides the circle graph 33b and/or the bar graph 33c to the client terminal 3, and the client terminal 3 displays the updated circle graph 33b and/or the bar graph 33c at the user I/F 16b.

    [0068] The condition review part 45 performs a condition review process. In the condition review process, the condition review part 45 receives the condition review request 8e sent from the client terminal 3 through the communication I/F 17a. The condition review part 45 acquires the k value of a highest ratio as the recommended k value 1e based on the second evaluated information 53c stored in the storage part 130a with respect to the anonymized file 1b. Then, the condition review part 45 sends the recommended k value 1e to the client terminal 3 through the communication I/F 17a.

    [0069] Next, the example of the functional configuration of the client terminal 3 will be described. In FIG. 5, the client terminal 3 includes an anonymization condition setting part 31, an anonymization execution part 32, an evaluation information generation part 33, an anonymization improvement part 34, and a k value acquisition part 35. The parts 31 to 35 are realized by a process, which the program installed to the client terminal 3 causes the CPU 11b of the client terminal 3 to perform. Alternatively, the parts 31 to 35 may be realized by script codes, which are provided from the server 100, are controlled by the server 100, and operate on a Web browser.

    [0070] At the client terminal 3, the storage part 130b may temporarily store the non-anonymized file 1a, the evaluation information 1c, the expected k value, the expected k value, and the like.

    [0071] The anonymization condition setting part 31 performs an anonymization condition setting process. In the anonymization condition setting process, the anonymization condition setting part 31 acquires the k value representing the anonymization degree, one or more items to be anonymized (the anonymization items), or the like from the user, sends the anonymization condition setting request 8a to the server 100 through the communication I/F 17b, and makes the server 100 set the anonymization condition.

    [0072] The anonymization condition setting part 31 may display a setting screen for setting the k value, the anonymization items, and the like at the user I/F 16b, and may acquire these values from the user. When receiving the setting completion notice sent from the server 100 through the communication I/F 17b, the anonymization condition setting part 31 terminates the anonymization condition setting process.

    [0073] The anonymization execution part 32 performs an anonymization execution process. In the anonymization execution process, the anonymization execution part 32 sends the anonymization execution request 8b to the server 100 through the communication I/F 17b in response to an operation of executing the anonymization process with the anonymization condition set by the user. The server 100 anonymizes the personal information.

    [0074] The anonymization execution part 32 may display an anonymization execution screen at the user I/F 16b and may acquire a storage location of a file from the user. The anonymization execution screen may include an area to indicate the file to be anonymized, a button to execute the anonymization of the file. The anonymization execution request 8b may include the entity of the non-anonymized file 1a, and may indicate the storage location. The anonymization execution part 32 may receive the execution completion notice sent from the server 100 through the communication I/F 17b, and terminates the anonymization execution process.

    [0075] The evaluation information generation part 33 sends the anonymization evaluation request 8c to the server 100 through the communication I/F 17b, in response to an operation of the user pertinent to generation of the evaluation information or an end of the anonymization execution process. The server 100 evaluates the anonymity with respect to the anonymized file 1b. After that, the client terminal 3 receives the evaluation information 1c from the server 100, and performs an evaluation information generation process for displaying the evaluation information 1c at the user I/F 16b.

    [0076] The evaluation information generation part 33 displays the circle graph 33b and/or the bar graph 33c at the user I/F 16b based on the evaluation information 1c received from the server 100, and terminates the evaluation information generation process. At a screen displaying the circle graph 33b and/or the bar graph 33c at the user I/F 16b, it is preferable to display an "auto-ambiguity" button to improve the ambiguity, a "condition review" button to review the anonymization condition, and the like.

    [0077] The anonymization improvement part 34 performs an anonymization improvement process. In the anonymization improvement process, the anonymization improvement part 34 sends the ambiguity request 8d to the server 100 through the communication I/F 17b in response to an operation of the user indicating the "auto-anonymization". The server 100 makes the personal information in the anonymized file 1b ambiguous in accordance with the expected k value 1d indicated by the ambiguity request 8d. When receiving the ambiguity completion notice sent from the server 100 through the communication I/F 17b, the anonymization improvement part 34 terminates the anonymization improvement process.

    [0078] The k value acquisition part 35 performs a k value acquisition process. In the k value acquisition process, the k value acquisition part 35 sends the condition review request 8e to the server 100 through the communication I/F 17b in response to an operation of the user indicating the "condition review". The server 100 reviews the anonymization condition with respect to the non-anonymized file 1a. As a result, the client terminal 3 receives the recommended k value 1e from the server 100.

    [0079] Next, the anonymization process of the personal information by the anonymization part 40 of the server 100 in the embodiment will be described with reference to a data example. First, the anonymization process by the anonymization part 40 of the server 100 will be described.

    [0080] FIG. 6 is a diagram illustrating the anonymization process. In FIG. 6, a file including the personal information pertinent to an injury and disease history is illustrated as an example of the non-anonymized file 1a. A difference will be described between a case of the anonymization process other than the k-anonymization process and a case of the k-anonymization process. As an example of the anonymization process other than the k-anonymization process, a masking anonymization process will be described.

    [0081] The non-anonymized file 1a includes items such as "NAME", "ADDRESS", "GENDER", "AGE", "DIAGNOSTIC RESULT", and the like. By the anonymization process, the item "NAME" is sanitized from the non-anonymized file 1a, the anonymization items are set from the items "ADDRESS", "GENDER", "AGE", "DIAGNOSTIC RESULT", and the like.

    [0082] In this example, the items "ADDRESS", "GENDER", and "AGE" are set as the anonymization items. In the non-anonymized file 1a depicted in FIG. 6, there is only one record for a combination of the address "HEIWAJIMA 2, OTA-KU, TOKYO", the gender "M" (male), and the age "75". Thus, an individual "AAA BBB" is highly likely to be specified without the name.

    [0083] In the masking anonymization process, for one or more items, the personal information is anonymized by rounding item values to reduce precision, by masking the item values by deleting the item values and replacing the item values, with predetermined values, and the like.

    [0084] For a masked file 1m, a data example is depicted in a case in which the non-anonymized file 1a is masked to be anonymized.

    [0085] In this data example, a region is rounded into prefectural governments with respect to the address. Since the precision of the address is reduced, it becomes difficult to specify the individuals. However, the precision is lower, if the masked file 1m is used for a trend analysis based on a region. Also, in a case of masking the personal information for the age, it becomes difficult to specify the individuals. On the other hand, it is impossible to conduct an analysis based on the age. Accordingly, effective data are not provided by the masked file 1m in light of utilization.

    [0086] The k-anonymization process will be briefly described in a case of k=2. That is, the anonymized file 1b is acquired when the non-anonymized file 1a is anonymized while allowing two or more records having the same values of the anonymization items.

    [0087] The anonymized file 1b indicates a result from making values of the address and the age ambiguous. In the anonymized file 1b, precision of the item values are made to be rough until the number of the records having the same item values is not reduced less than or equal to two. However, the precision may not be made to be uniformly rough for all records.

    [0088] In the anonymized file 1b, there are two records of the address "Ota-ku, Tokyo", and there are two records of the address "Tokyo". Accordingly, with respect to a part of the records, it is possible to acquire the personal information related to the region specified in detail more than the prefectural governments. Hence, it is possible to conduct regional analysis.

    [0089] Regarding the age, there are at least two records for each of the age "60s to 70s" and the age "10s to 20s". It is possible to analyze each of the age "60s to 70s" and the age "10s to 20s".

    [0090] FIG. 7 is a diagram for explaining the evaluation target information generation process. In FIG. 7, the evaluation target information generation part 43a of the server 100 generates the evaluation target information 53a by applying a group ID for each of the combinations of three items of the anonymized file 1b: the address, the gender, and the age. The evaluation target information 53a corresponds to a file to which the group ID is added to existing items of the anonymized file 1b. That is, the evaluation target information 53a includes the items of the address, the gender, the age, the diagnostic result, the group ID, and the like.

    [0091] In this example, the records indicating the address "Ota-ku, Tokyo", the gender "M", and the age "60s to 70s" are classified into a group "G001". The records indicating the address "Tokyo", the gender "F", and the age "10s to 20s" are classified into a group "G002". The records indicating the address "Nakahara-ku, Kawasaki-shi, Kanagawa-ken, Tokyo", the gender "M", and the age "60s to 70s" are classified into a group "G003".

    [0092] Two records are classified into the group "G001", three records are classified into the group "G002", and one record is classified into the group "G003".

    [0093] The evaluation target information generation part 43a refers to the evaluation target information 53a, and acquires the k value by counting the records having the same group ID for each of the groups. Accordingly, the k value indicates the count of the records having the same values for the anonymization items, in this example, the same values for the combination of the address, the gender, and the age.

    [0094] The evaluation target information generation part 43a calculates the ratio with respect to the total number of the records of the evaluation target information 53a for each of the group IDs, and generates the statistics information 59. The statistics information 59 includes the items of the group ID, the k value, the ratio, and the like.

    [0095] In this example, the statistics information 59 indicates the k value "2" and the ratio "33%" for the group ID "G001", the k value "3" and the ratio "50%" for the group ID "G002", and the k value "1" and the ratio "17%" for the group ID "G003". For each of the groups, a different k value is indicated. However, there may be two or more groups indicating the same k value.

    [0096] FIG. 8 is a diagram illustrating an example of an evaluation result screen displayed at the client terminal. In FIG. 8, a display example at the user I/F 16b of the client terminal 3 is depicted. The display example depicts the circle graph 33b generated by the first graph process part 43b of the anonymization part 40 of the server 100 based on the statistics information 59.

    [0097] At the client terminal 3, an evaluation result screen G91 is displayed at the user I/F 16b based on the evaluation information 1c received from the server 100 by the evaluation information generation part 33. The evaluation result screen G91 includes a first display area 91a, a second display area 91b, and the like.

    [0098] The first display area 91a corresponds to an area for displaying various information items according to the anonymization process. The second display area 91b corresponds to an area for displaying the evaluation result acquired by evaluating the anonymization state of the anonymized file 1b.

    [0099] The first display area 91a displays basic information pertinent to anonymization requested from the client terminal 3 to the server 100. The first display area 91a may display information of a request ID, a request date, a completed date, a preprocessed code count, a post-processed code count, an anonymized file, the k value, the anonymized items, and the like. At an item "ANONYMIZED FILE", the anonymized file 1b, which is acquired by anonymizing the non-anonymized file 1a and is stored in the storage part 130a of the server 100, is displayed for user to download from the client terminal 3 to the server 100. Also, the anonymization condition used for the anonymization is indicated at items "K VALUE" and "ANONYMIZED ITEMS".

    [0100] The second display area 91b displays the evaluation result of the anonymization state. The second display area 91b may display a total number of the groups 91c (a number of combinations of anonymization item values) of the anonymized file 1b, the circle graph 33b (or the bar graph 33c), a "GRAPH SWITCH" button 91e, an "AUTO-AMBIGUITY" button 91f, a "REVIEW CONDITION" button 91g, and the like.

    [0101] As an example, the circle graph 33b may indicate a ratio of the number of the records having the k value greater than the anonymization condition set by the user, a ratio of the number of the records having the k value of the anonymization condition, and a ratio of the number of the records having the k value smaller than the anonymization condition. If the anonymization process is conducted with the anonymization condition "k=3", the ratio of k>3, the ratio of k=3, and the ratio of k<3 are indicated. The records of k=3 and k>3 satisfy the anonymization condition.

    [0102] When the user selects an area of the ratio of k<3 on the circle graph 33b displayed as described above, a screen G92 is displayed to indicate the records of interest. As an example of the screen G92, contents of one record of k=1 is displayed for the records of k<3. The contents of this record may indicate the address "Nakahara-ku, Kawasaki-shi, Kanagawa-ken", the gender "M", the age "60s to 70s", the diagnostic result "influenza", and the group ID "G003". It is possible for the user to concretely review the contents of each of the records, which do not satisfy the anonymization condition.

    [0103] In this example, when the user selects the "GRAPH SWITCH" button 91e, the circle graph 33b is changed to the bar graph 33c. In a state of displaying the bar graph 33c, if the graph switch button 91e is selected, the circle graph 33d is displayed.

    [0104] In a case of making the contents of the records ambiguous after the user confirms the contents of the records, which do not satisfy the anonymization condition in the screen G92, the user selects the "AUTO-AMBIGUITY" button 91f. When the "AUTO-AMBIGUITY" button 91f is selected, the user may set a desired k value (the expected k value). Also, the expected k value may not be set. In this case, the k value (=3) of the anonymization condition is set as a default value. In response to selection of the "AUTO-AMBIGUITY" button 91f, the ambiguity request 8d is sent to the server 100.

    [0105] In the server 100, after the ambiguity process by the ambiguity process part 44, the ambiguity process part 44 has the evaluation target information generation part 43a, the first graph process part 43b, and the second graph process part 43c conduct corresponding processes, and sends the evaluation information 1c as an ambiguity result to the client terminal 3. In this manner, it is possible to update information in the second display area 91b of the evaluation result screen G91 being displayed at the user I/F 16b at the client terminal 3.

    [0106] The user refers to the circle graph 33b (or the bar graph 33c) being updated in the second display area 91b. When the user decides to review the anonymization condition, the user selects the "REVIEW CONDITION" button 91g. In response to the "REVIEW CONDITION" button 91g, the condition review request 8e is sent to the server 100.

    [0107] At the server 100, the anonymization condition is reviewed by the condition review part 45, and the recommended k value 1e acquired by the review is provided to the client terminal 3. At the client terminal 3, when receiving the recommended k value 1e, the anonymization condition setting process is conducted by the anonymization condition setting part 31, again. In the anonymization condition setting process, the recommended k value 1e is indicated as the anonymization condition in the anonymization condition setting request 8a, and is sent to the server 100.

    [0108] FIG. 9 is a diagram for explaining the second graph process. In FIG. 9, the second graph process part 43c of the anonymization part 40 of the server 100 refers to the evaluation target information 53a, the statistic information 59 stored in the storage part 130a, generates the second evaluated information 53c, and stores the generated second evaluated information 53c in the storage part 130a.

    [0109] In addition to the existing items of the statistic information 59, the anonymization items (the address, the gender, and the age) are added to the second evaluated information 53c.

    [0110] The second graph process part 43c acquires the records having the same group IDs of respective records of the statistics information 59, from the evaluation target information 53a, sets values of the address, the gender and the age of each of the acquired records to the second evaluated information 53b, and completes the second evaluated information 53c. After that, the second graph process part 43c sorts the second evaluated information 53c in a predetermined order. The second evaluated information 53c may be sorted in an ascending order of the ratio, the anonymization items, the k value, or the like. The bar graph 33c is drawn based on the ratio.

    [0111] FIG. 10 is a diagram illustrating an example of the bar graph. In the bar graph 33c depicted in FIG. 10, for the item "RATIO" of the second evaluated information 53c, bars representing respective numerical values are displayed with these numerical values. A display of the bar graph 33c is not limited to this example depicted in FIG. 10.

    [0112] In the evaluation result screen G91 displayed at the client terminal 3 as depicted in FIG. 8, the bar graph 33c is displayed in the second display area 91b.

    [0113] When the user selects the "AUTO-AMBIGUITY" button 91f in the second display area 91b, the ambiguity request 8d is sent from the client terminal 3 to the server 100. The ambiguity process, which is conducted by the ambiguity process part 44 of the anonymization part 40 at the server 100, will be described with reference to FIG. 11 and FIG. 12.

    [0114] FIG. 11 is a diagram for explaining the ambiguity process. In FIG. 11, the ambiguity process part 44 refers to the statistics information 59 being stored in the storage part 130a based on the expected k value 1d indicated by the ambiguity request 8d, and acquires one or more group IDs. In the following, a case of indicating k=2 by the expected k value 1d will be described. In this example, the acquired group ID is "G003".

    [0115] The ambiguity process part 44 searches for the records of the group ID "G003" from the anonymized file 1b, copies all retrieved records, and generates the evaluation target information 53a-2. Each of the retrieved records is repeatedly copied at least until a repetition count reaches the expected k value 1d. If there is the k value greater than the expected k value 1d, each of the retrieved records may be repeatedly copied until the repetition count reaches a highest k value.

    [0116] As a result, the evaluation target information 53a-2, in which a record 9r of the group ID "G003" is copied, is acquired. In FIG. 11, a copying example is depicted. Instead, the retrieved records may be deleted to make the evaluation target information 53a-2 ambiguous. Also, the user may set copy or deletion when the user selects the "AUTO-AMBIGUITY" button 91f.

    [0117] FIG. 12 is a diagram illustrating an update example of the statistics information by the ambiguity process. In FIG. 12, the ambiguity process part 44 updates the statistics information 59 by using the evaluation target information 53a acquired by the ambiguity process, and obtains the statistics information 59-2.

    [0118] In the statistics information 59-2, the k value of the group ID "G003" is changed from "1" to "2", and the k value is two or more for all groups. Accordingly, the anonymized file 1b satisfying the expected k value is provided.

    [0119] The ratio of the group ID "G001", that is, the ratio of the records (the personal information), which are specified by "G001", respective to the combinations of values of the anonymization items is changed from "33%" to "29%". The ratio of the group ID "G002", that is, the ratio of the records (the personal information), which are specified by "G002", respective to the combinations of values of the anonymization items is changed from "50%" to "43%". The ratio of the group ID "G003", that is, the ratio of the records (the personal information), which are specified by "G003", respective to the combinations of values of the anonymization items is changed from "17%" to "29%".

    [0120] The ambiguity process part 44 instructs at least one of the first graph process part 43b and the second graph process part 43c to generate the first evaluated information 53b and the second evaluated information 53c by using the evaluation target information 53a-2 and the statistics information 59-2. Then, the evaluation information 1c after the ambiguity process is provided to the client terminal 3.

    [0121] Referring back to FIG. 10, by using the data example of the bar graph 33c, an example of the condition review process by the condition review part 45 will be described. The condition review part 45 determines the k value of the highest ratio as the recommended k value 1e based on the second evaluated information 53c (the bar graph 33c). In this case, the recommended k value 1e is "3".

    [0122] When there are multiple k values of the highest ratio, the k value of a smallest ratio is set as the recommended k value 1e among the multiple k values. In general, the smaller the ratio of the k value is, the more the personal information is acceptable to be used. Hence, the k value of the smallest ratio is applied.

    [0123] As described above, in the embodiment, it is possible for the user of the client terminal 3 to easily evaluate the anonymization state of the anonymized file 1b. By referring to the circle graph indicating the ratios of respective k values and/or the bar graph 33c indicating the ratio for each of combinations of the values of the anonymization items, it is possible for the user to easily evaluate the anonymization based on objective numeral values. Accordingly, it is possible to reduce time spent to evaluate the anonymized file 1b.

    [0124] Also, it is possible for the user to make all records of the anonymized file 1b ambiguous by indicating the expected k value 1d until the expected k value 1d is satisfied.

    [0125] Moreover, in a case of reviewing the anonymization condition, it is possible for the user to perform the anonymization process with the recommended k value 1e, and to refer to an evaluation of the recommended k value 1e.

    [0126] As described above, in the embodiment, it is possible for the server 100 to easily evaluate the anonymized file 1b for the user.


    Claims

    1. A personal information anonymization method, comprising:

    classifying each of a plurality of data including personal information into any one of a plurality of groups based on a degree of commonality of the personal information;

    performing, for each of the groups, an anonymization process (42) that standardizes the personal information of each of data belonging to each of the groups;

    calculating, for each of the groups, a total number of the data belonging to each of the groups;

    calculating, for each of the groups, a ratio of the total number of the data belonging to each of the groups with respect to a total number of data in the plurality of data; and

    outputting, as a recommended value for an anonymization, the total number of data belonging to the group of a highest ratio among the calculated ratios respective to each of the groups.


     
    2. The personal information anonymization method as claimed in claim 1, further comprising outputting a number of the plurality of the groups having a total number of specific data, and information indicating a ratio of the specific data to whole plurality of the groups.
     
    3. The personal information anonymization method as claimed in claim 1, further comprising:
    adding, by the computer (100), one or more data including the personal information corresponding to anonymized personal information of data belonging to another group different from the specific group in the plurality of the groups, so as to include same data in the other group as the data in the specific group having a largest number of the data among the plurality of the groups.
     
    4. The personal information anonymization method as claimed in claim 1, further comprising:

    specifying groups, to which the data belonging are less than a reference number, among the plurality of the groups when receiving an input of the reference number with respect to the data classified into each of the plurality of the groups; and

    copying the data in each of the specified groups until the sets of the data become greater than or equal to the reference number.


     
    5. The personal information anonymization method as claimed in claim 1, further comprising:

    specifying groups, each of which the data are less than a reference number, among the plurality of the groups, when receiving an input of the reference number with respect to the data classified into each of the plurality of the groups; and

    deleting the data belonging to the specified groups.


     
    6. The personal information anonymization method as claimed in any one of claims 1 to 5, wherein the computer (100) repeats a process including:

    outputting the total number of the data belonging to a group having a highest ratio among ratios of total numbers of the data belonging to respective groups with respect to the data of whole groups, when receiving a request of reviewing a common degree among a plurality of the personal information;

    calculating the total number of the data by conducting the anonymization process (42) by setting the total number of the data belonging to the group having the highest ratio to the common degree, the group being output; and

    outputting a classification result (1c) from classifying the plurality of the groups based on the total number of the data.


     
    7. The personal information anonymization method as claimed in claim 6, wherein the computer (100) performs, with respect to the personal information of the data, the anonymization process (42) that anonymizes a common portion of the personal information while allowing specifying individuals less than a number based on the common degree.
     
    8. A personal information anonymization program that causes a computer (100) to execute a process comprising:

    classifying each of a plurality of data including personal information into any one of a plurality of groups based on a degree of commonality of the personal information;

    performing, for each of the groups, an anonymization process (42) that standardizes the personal information of each of data belonging to each of the groups;

    calculating, for each of the groups, a total number of the data belonging to each of the groups;

    calculating, for each of the groups, a ratio of the total number of the data belonging to each of the groups with respect to a total number of data in the plurality of data; and

    outputting, as a recommended value for an anonymization, the total number of data belonging to the group of a highest ratio among the calculated ratios respective to each of the groups.


     
    9. An information processing apparatus, comprising:

    a calculation unit configured to

    classify each of sets of data including personal information into one of multiple groups,

    perform an anonymization process (42), that standardizes the personal information of the sets of the data belonging to a group, for each of the multiple groups,

    calculate , for each of the groups, a ratio of the total number of the data belonging to each of the groups with respect to a total number of data in the plurality of data; and

    an output unit configured to

    output, as a recommended value for an anonymization, the total number of data belonging to the group of a highest ratio among the calculated ratios respective to each of the groups.


     


    Ansprüche

    1. Verfahren zur Anonymisierung von persönlichen Informationen, umfassend:

    Klassifizieren von jedem von einer Vielzahl von Daten, einschließlich persönlicher Informationen, in eine einer Vielzahl von Gruppen auf der Grundlage eines Grades von Gemeinsamkeit der persönlichen Informationen;

    Ausführen für jede der Gruppen eines Anonymisierungsprozesses (42), der die persönlichen Informationen von jedem von zu jeder der Gruppen gehörenden Daten standardisiert;

    Berechnen für jede der Gruppen einer Gesamtanzahl der zu jeder der Gruppen gehörenden Daten;

    Berechnen für jede der Gruppen eines Verhältnisses der Gesamtanzahl der zu jeder der Gruppen gehörenden Daten in Bezug auf eine Gesamtanzahl von Daten in der Vielzahl von Daten; und

    Ausgeben als einen empfohlenen Wert für eine Anonymisierung der Gesamtanzahl von Daten, die zu der Gruppe mit einem höchsten Verhältnis unter den berechneten Verhältnissen in Bezug auf jede der Gruppen gehören.


     
    2. Verfahren zur Anonymisierung von persönlichen Informationen nach Anspruch 1, weiter umfassend Ausgeben einer Anzahl der Vielzahl der Gruppen, die eine Gesamtanzahl von spezifischen Daten aufweisen, und von Informationen, die ein Verhältnis der spezifischen Daten mit der Vielzahl der Gruppen insgesamt anzeigen.
     
    3. Verfahren zur Anonymisierung von persönlichen Informationen nach Anspruch 1, weiter umfassend:
    Hinzufügen durch den Computer (100) von einem oder mehreren Daten, einschließlich der persönlichen Informationen, die den anonymisierten persönlichen Informationen von Daten entsprechen, die zu einer anderen, unterschiedlichen Gruppe gehören als der spezifischen Gruppe in der Vielzahl von Gruppen, um gleiche Daten in der anderen Gruppe einzuschließen wie die Daten in der spezifischen Gruppe, die eine größte Anzahl von Daten unter der Vielzahl der Gruppen aufweisen.
     
    4. Verfahren zur Anonymisierung von persönlichen Informationen nach Anspruch 1, weiter umfassend:

    Spezifizieren von Gruppen, bei denen die Daten, die zu ihnen gehören, weniger sind als eine Referenzanzahl, unter der Vielzahl der Gruppen, wenn eine Eingabe der Referenzanzahl in Bezug auf die in jeder der Vielzahl der Gruppen klassifizierten Daten empfangen wird; und

    Kopieren der Daten in jeder der spezifizierten Gruppen, bis die Datensätze größer oder gleich der Referenzanzahl werden.


     
    5. Verfahren zur Anonymisierung von persönlichen Informationen nach Anspruch 1, weiter umfassend:

    Spezifizieren von Gruppen, wobei bei jeder von ihnen die Daten weniger sind als eine Referenzanzahl, unter der Vielzahl der Gruppen, wenn eine Eingabe der Referenzanzahl in Bezug auf die in jeder der Vielzahl von Gruppen klassifizierten Daten empfangen wird; und

    Löschen der Daten, die zu den spezifizierten Gruppen gehören.


     
    6. Verfahren zur Anonymisierung von persönlichen Informationen nach einem der Ansprüche 1 bis 5, wobei der Computer (100) einen Prozess wiederholt, einschließlich:

    Ausgeben der Gesamtanzahl der Daten, die zu einer Gruppe gehören, die ein höchstes Verhältnis unter den Verhältnissen von Gesamtanzahlen von den Daten aufweisen, die zu den jeweiligen Gruppen gehören, in Bezug auf die Daten der Gruppen insgesamt, wenn eine Anfrage auf Überprüfung eines gemeinsamen Grades unter einer Vielzahl von den persönlichen Informationen empfangen wird;

    Berechnen der Gesamtanzahl der Daten durch Durchführen des Anonymisierungsprozesses (42) durch Einstellen der Gesamtanzahl der Daten, die zu der Gruppe gehören, die das höchste Verhältnis mit dem gemeinsamen Grad aufweist, als auszugebende Gruppe; und

    Ausgeben eines Klassifizierungsergebnisses (1c) vom Klassifizieren der Vielzahl der Gruppen auf der Grundlage der Gesamtanzahl der Daten.


     
    7. Verfahren zur Anonymisierung von persönlichen Informationen nach Anspruch 6, wobei der Computer (100) in Bezug auf die persönlichen Informationen der Daten den Anonymisierungsprozess (42) ausführt, der einen gemeinsamen Anteil der persönlichen Informationen anonymisiert, während er Spezifizieren von Einzelpersonen, die weniger als eine Anzahl auf der Grundlage des gemeinsamen Grades sind, zulässt.
     
    8. Programm zu Anonymisierung von persönlichen Informationen, das bewirkt, dass ein Computer (100) einen Prozess ausführt, umfassend:

    Klassifizieren von jedem von einer Vielzahl von Daten, einschließlich persönlicher Informationen, in eine von einer Vielzahl von Gruppen auf der Grundlage eines Grades von Gemeinsamkeit der persönlichen Informationen;

    Ausführen für jede der Gruppen eines Anonymisierungsprozesses (42), der die persönlichen Informationen von jedem von zu jeder der Gruppen gehörenden Daten standardisiert;

    Berechnen für jede der Gruppen einer Gesamtanzahl der zu jeder der Gruppen gehörenden Daten;

    Berechnen für jede der Gruppen eines Verhältnisses der Gesamtanzahl der zu jeder der Gruppen gehörenden Daten in Bezug auf eine Gesamtanzahl von Daten in der Vielzahl von Daten; und

    Ausgeben als einen empfohlenen Wert für eine Anonymisierung der Gesamtanzahl von Daten, die zu der Gruppe mit einem höchsten Verhältnis unter den berechneten Verhältnissen in Bezug auf jede der Gruppen gehören.


     
    9. Informationsverarbeitungseinrichtung, umfassend:

    eine Berechnungseinheit, die ausgelegt ist, um

    jeden der Datensätze, einschließlich der persönlichen Informationen, in eine von mehreren Gruppen zu klassifizieren,

    einen Anonymisierungsprozess (42) auszuführen, der die persönlichen Informationen der zu einer Gruppe gehörenden Datensätze für jede der mehreren Gruppen standardisiert,

    Berechnen für jede der Gruppen eines Verhältnisses der Gesamtanzahl der zu jeder der Gruppen gehörenden Daten in Bezug auf eine Gesamtanzahl von Daten in der Vielzahl von Daten; und

    eine Ausgabeeinheit, die ausgelegt ist, um

    als einen empfohlenen Wert für eine Anonymisierung die Gesamtanzahl von Daten auszugeben, die zu der Gruppe mit einem höchsten Verhältnis unter den berechneten Verhältnissen in Bezug auf jede der Gruppen gehören.


     


    Revendications

    1. Procédé d'anonymisation d'informations personnelles comprenant :

    un classement de chacune d'une pluralité de données incluant des informations personnelles dans l'un quelconque d'une pluralité de groupes sur la base d'un degré de similitude des informations personnelles ;

    une exécution, pour chacun des groupes, d'un processus d'anonymisation (42) qui normalise les informations personnelles de chacune de données appartenant à chacun des groupes ;

    un calcul, pour chacun des groupes, d'un nombre total des données appartenant à chacun des groupes ;

    un calcul, pour chacun des groupes, d'un rapport du nombre total des données appartenant à chacun des groupes par rapport à un nombre total de données dans la pluralité de données ; et

    une fourniture en sortie, comme une valeur recommandée pour une anonymisation, du nombre total de données appartenant au groupe d'un rapport le plus élevé parmi les rapports calculés respectifs pour chacun des groupes.


     
    2. Procédé d'anonymisation d'informations personnelles selon la revendication 1, comprenant en outre une fourniture en sortie d'un nombre de la pluralité des groupes ayant un nombre total de données spécifiques, et d'informations indiquant un rapport entre les données spécifiques et toute la pluralité des groupes.
     
    3. Procédé d'anonymisation d'informations personnelles selon la revendication 1, comprenant en outre :
    un ajout, par l'ordinateur (100), d'une ou plusieurs données incluant les informations personnelles correspondant à des informations personnelles anonymisées de données appartenant un autre groupe différent du groupe spécifique dans la pluralité de groupes, de manière à inclure des données identiques dans l'autre groupe que les données dans le groupe spécifique ayant un nombre le plus grand des données parmi la pluralité des groupes.
     
    4. Procédé d'anonymisation d'informations personnelles selon la revendication 1, comprenant en outre :

    une spécification de groupes, pour lesquels les données y appartenant sont moins qu'un nombre de référence, parmi la pluralité des groupes lors d'une réception d'une entrée du nombre de référence par rapport aux données classées dans chacun de la pluralité des groupes ; et

    une copie des données dans chacun des groupes spécifiés jusqu'à ce que les ensembles des données deviennent supérieurs ou égaux au nombre de référence.


     
    5. Procédé d'anonymisation d'informations personnelles selon la revendication 1, comprenant en outre :

    une spécification de groupes, de chacun desquels les données sont moins qu'un nombre de référence, parmi la pluralité des groupes, lors d'une réception d'une entrée du nombre de référence par rapport aux données classées dans chacun de la pluralité des groupes ; et

    une suppression des données appartenant aux groupes spécifiés.


     
    6. Procédé d'anonymisation d'informations personnelles selon l'une quelconque des revendications 1 à 5, dans lequel l'ordinateur (100) répète un processus comprenant :

    une fourniture en sortie du nombre total de données appartenant à un groupe ayant un rapport le plus élevé parmi des rapports de nombres totaux des données appartenant à des groupes respectifs par rapport aux données de tous les groupes, lors d'une réception d'une requête d'examen d'un degré commun parmi une pluralité des informations personnelles ;

    un calcul du nombre total des données en effectuant le processus d'anonymisation (42) en fixant le nombre total des données appartenant au groupe ayant le rapport le plus élevé avec le degré commun, le groupe étant fourni en sortie ; et

    une fourniture en sortie d'un résultat de classement (1c) à partir du classement de la pluralité des groupes sur la base du nombre total des données.


     
    7. Procédé d'anonymisation d'informations personnelles selon la revendication 6, dans lequel l'ordinateur (100) effectue, par rapport aux informations personnelles des données, le processus d'anonymisation (42) qui anonymise une portion commune des informations personnelles tout en permettant une spécification d'individus moins qu'un nombre basé sur le degré commun.
     
    8. Programme d'anonymisation d'informations personnelles qui amène un ordinateur (100) à exécuter un processus comprenant :

    un classement de chacune d'une pluralité de données incluant des informations personnelles dans l'un quelconque d'une pluralité de groupes sur la base d'un degré de similitude des informations personnelles ;

    une exécution, pour chacun des groupes, d'un processus d'anonymisation (42) qui normalise les informations personnelles de chacune de données appartenant à chacun des groupes ;

    un calcul, pour chacun des groupes, d'un nombre total des données appartenant à chacun des groupes ;

    un calcul, pour chacun des groupes, d'un rapport du nombre total des données appartenant à chacun des groupes par rapport à un nombre total de données dans la pluralité de données ; et

    une fourniture en sortie, comme une valeur recommandée pour une anonymisation, du nombre total de données appartenant au groupe d'un rapport le plus élevé parmi les rapports calculés respectifs pour chacun des groupes.


     
    9. Dispositif de traitement d'informations comprenant :

    une unité de calcul configurée pour

    classer chacun des ensembles de données incluant des informations personnelles dans un des multiples groupes,

    effectuer un processus d'anonymisation (42), qui normalise les informations personnelles des ensembles des données appartenant à un groupe, pour chacun des multiples groupes,

    un calcul, pour chacun des groupes, d'un rapport du nombre total des données appartenant à chacun des groupes par rapport à un nombre total de données dans la pluralité de données ; et

    une unité de sortie configurée pour

    fournir en sortie, comme une valeur recommandée pour une anonymisation, du nombre total de données appartenant au groupe d'un rapport le plus élevé parmi les rapports calculés respectifs pour chacun des groupes.


     




    Drawing







































    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description