Anonymization device, anonymization method, and anonymization program

The anonymization device addresses the challenge of balancing personal information protection and data utility by integrating anonymized and non-anonymized records, facilitating accurate statistical analysis while maintaining privacy.

JP2026106847APending Publication Date: 2026-06-30NTT DOCOMO BUSINESS INC

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
NTT DOCOMO BUSINESS INC
Filing Date
2024-12-18
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Conventional anonymization technologies struggle to balance the protection and utilization of personal information, often leading to incomplete data understanding or inadequate personal information protection during statistical analysis.

Method used

An anonymization device that generates aggregated data through k-anonymization and further aggregation, allowing for the integration of anonymized and non-anonymized records to maintain data utility while protecting personal information.

Benefits of technology

Enables appropriate balancing of personal information protection and data utilization by generating integrated data that allows for accurate understanding of statistical trends while ensuring individual privacy.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026106847000001_ABST
    Figure 2026106847000001_ABST
Patent Text Reader

Abstract

This enables a proper balance between protecting and using personal information. [Solution] The anonymization device 100 generates aggregated data using data that includes unanonymized records, after deleting personally identifiable information and aggregating records with similar attributes. The anonymization device 100 generates integrated data by associating aggregated data, which is data after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to an anonymization device, an anonymization method, and an anonymization program.

Background Art

[0002] When performing statistical analysis of data to grasp trends and problems in the data, from the perspective of protecting personal information, it is common practice to delete information that can identify an individual or generalize it using techniques such as k-anonymization before performing the statistical analysis.

[0003] For example, as a conventional technique related to anonymization, for personal information including an attribute having a plurality of attribute values for one attribute, the combination of one of the attribute values included in the attribute and the attribute values other than the attribute eliminates the possibility of identifying an individual and generates data that is easy to reuse (see, for example, Patent Document 1).

[0004] In addition, there is a known technique for determining the level of anonymization of personal information when it is used based on the usage conditions of the registered personal information and performing anonymization processing at the determined level for the personal information (see, for example, Patent Document 2).

Prior Art Documents

Patent Documents

[0005]

Patent Document 1

Patent Document 2

Summary of the Invention

Problems to be Solved by the Invention

[0006] However, conventional technologies sometimes make it difficult to appropriately balance the protection and use of personal information. For example, when using data from which personal information has been deleted, it can be difficult to understand the details because it is unclear where the individual data is being aggregated. On the other hand, if appropriate processing is not performed with the aim of understanding the details, it may be possible to understand the situation at the individual level, and personal information may not be adequately protected. [Means for solving the problem]

[0007] Therefore, in order to solve the above-mentioned problems and achieve the objective, the anonymization device of the present invention is characterized by comprising: an aggregation unit that generates aggregated data using data including unanonymized records, in which personally identifiable information is deleted and records having the same attributes are aggregated; an integration unit that generates integrated data by associating aggregated data, which is data after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data. [Effects of the Invention]

[0008] The present invention has the effect of enabling the appropriate balance between the protection and use of personal information. [Brief explanation of the drawing]

[0009] [Figure 1] Figure 1 is a diagram illustrating the overall process performed by the anonymization device according to this embodiment. [Figure 2] Figure 2 shows the configuration of the anonymization device according to the embodiment. [Figure 3] Figure 3 is a table diagram showing an example of pre-anonymized data according to the embodiment. [Figure 4] Figure 4 is a table diagram showing an example of aggregated data according to the embodiment. [Figure 5] Figure 5 is a table diagram showing an example of integrated data according to the embodiment. [Figure 6]Figure 6 is a diagram illustrating an example of the anonymization process flow according to the embodiment. [Figure 7] Figure 7 shows an example of the aggregation process according to the embodiment. [Figure 8] Figure 8 shows an example of the aggregation process according to the embodiment. [Figure 9] Figure 9 shows an example of data generated based on the initialization process according to the embodiment. [Figure 10] Figure 10 shows an example of data generated based on anonymization and aggregation processing of the third-level columns according to the embodiment. [Figure 11] Figure 11 shows an example of data generated based on the flag information update process for the second-level column according to the embodiment. [Figure 12] Figure 12 shows an example of data generated based on anonymization and aggregation processing of the second-level columns according to the embodiment. [Figure 13] Figure 13 shows an example of the output of integrated data according to the embodiment. [Figure 14] Figure 14 is a flowchart showing the processing performed by the anonymization device according to this embodiment. [Figure 15] Figure 15 shows an example of a computer that implements an anonymization device according to the embodiment. [Modes for carrying out the invention]

[0010] Hereinafter, embodiments for carrying out the present invention (hereinafter referred to as "embodiments") will be described with reference to the drawings. However, each embodiment is not limited to those described below.

[0011] <Overview> (background) When performing statistical analysis of data to grasp the trends and issues of data in a specific organization, it is required that information that can identify an individual be deleted from the perspective of personal information protection. As an example, when employees utilize statistical information such as their overtime hours on their own, they are required to meet the conditions described below. (1) It should be in a form where the situation at the individual level cannot be grasped. (2) It should be in a form where one can understand how the individual data is being statistically processed.

[0012] Here, as a reference technique for performing statistical processing that meets the above conditions, anonymization processing such as "k-anonymization" is known. However, with the above reference techniques, it may be difficult to appropriately balance the protection and utilization of personal information in some cases.

[0013] For example, when performing statistical analysis after deleting data that can identify an individual for the purpose of protecting personal information, there are issues such as not being able to correctly grasp the overall picture because not all data is being utilized. Also, when performing statistical analysis after anonymization, it may be difficult for the individual himself / herself to understand the situation because it is not clear how the individual data is being statistically processed.

[0014] On the other hand, when performing statistical analysis without performing processing such as deleting personal information for the purpose of appropriately utilizing the data, there may be cases where an individual can be identified, and it may be difficult to appropriately protect personal information.

[0015] (Processing by anonymization device 100) Therefore, the anonymization device 100 according to the present embodiment realizes the generation of data that appropriately balances the protection and utilization of personal information by associating aggregated data on which aggregation processing such as k-anonymization has been performed with aggregated data obtained by further aggregating the target records in the aggregated data.

[0016] Here, we will explain the overall process performed by the anonymization device 100. Figure 1 is a diagram illustrating the overall process performed by the anonymization device 100 according to this embodiment. The anonymization device 100 shown in Figure 1 is an example of a computer that provides the technology to realize the information processing described below.

[0017] First, the anonymization device 100 performs aggregation processing on the unprocessed data that is the target of the anonymization process (hereinafter sometimes referred to as "pre-anonymization data").

[0018] Specifically, the anonymization device 100 performs k-anonymization processing on the pre-anonymization data as shown in Figure 1(1) and (1-1) to generate aggregated data in which records with common attributes are aggregated (Figure 1(2)). The term "record" as used above refers to a "row" in table-formatted data such as aggregated data or aggregated data.

[0019] The anonymization device 100 repeatedly performs aggregation processing (loop processing) on ​​the generated aggregated data based on predetermined conditions such as a lower limit of the count of each record belonging to a specified column (for example, when the aggregated records are less than the minimum number of people) to generate aggregated data (Figure 1 (3)).

[0020] The term "column" as used above refers to a "column" in table-formatted data such as aggregated or aggregated data. In this embodiment, the term "count" refers to the number of records aggregated or aggregated based on aggregation processing such as k-anonymization or aggregation processing described later.

[0021] Next, the anonymization device 100 generates integrated data that allows tracking of how the aggregation process was performed by associating the aggregated data with the aggregated data (Figure 1(4)). Then, the anonymization device 100 outputs the integrated data, which associates the aggregated data with the aggregated data, to the user or the like in a tabular format, for example, as shown in Figure 1(5).

[0022] In this way, the anonymization device 100 according to this embodiment removes information that could identify an individual and generates data that correlates the data before and after aggregation, thereby protecting personal information while simultaneously enabling accurate understanding of the overall picture of the generated data and its use, such as drilling down into it.

[0023] <Description of the anonymization device 100> The configuration of the anonymization device 100 according to this embodiment will now be described. Figure 2 is a diagram showing the configuration of the anonymization device 100 according to this embodiment. As shown in Figure 2, the anonymization device 100 includes a communication unit 110, a storage unit 120, and a control unit 130.

[0024] Although not shown in Figure 2, the anonymization device 100 may be equipped with an input unit such as a keyboard or mouse to receive input such as operations from an administrator. Furthermore, the anonymization device 100 may be equipped with a display or the like to show aggregated data, integrated data, etc., to an administrator.

[0025] (Communications Department 110) The communication unit 110 performs data communication related to the input of data subject to anonymization, such as pre-anonymized data. The communication unit 110 also performs data communication related to the output of aggregated data that has undergone aggregation processing, and integrated data that has undergone aggregation processing.

[0026] The communication unit 110 is implemented using a NIC (Network Interface Card) or the like, and controls communication via telecommunication lines such as a LAN (Local Area Network) or the Internet. The communication unit 110 can be connected to the network via wired or wireless connection as needed, and can send and receive information bidirectionally with external information processing devices, etc.

[0027] (Storage unit 120) The storage unit 120 stores data and programs used for various processes by the control unit 130, as well as various data acquired through the operation of the control unit 130. The storage unit 120 is implemented using semiconductor memory elements such as RAM (Random Access Memory) and flash memory, or storage devices such as hard disks and optical discs. As shown in Figure 2, the storage unit 120 also includes a pre-anonymization data DB 121, an aggregated data DB 122, and an integrated data DB 123.

[0028] (Data before anonymization DB121) The pre-anonymization data DB121 is a database that stores data that is subject to anonymization but has not undergone aggregation or consolidation processing (pre-anonymization data). Specifically, the pre-anonymization data DB121 stores information that identifies individuals, organization names, and predetermined attribute information such as the date of the data.

[0029] Here, an example of pre-anonymized data stored in the pre-anonymized data DB121 will be explained using Figure 3. Figure 3 is a table diagram showing an example of pre-anonymized data according to the embodiment. Figure 3 shows, as an example of pre-anonymized data according to this embodiment, information about the organization to which each user belongs to a certain organization, and the target date.

[0030] In the example shown in Figure 3, the pre-anonymization data DB121 stores information related to each of the following items in a table format: "User Number," "First Organization," "Second Organization," "Third Organization," and "Target Year and Month."

[0031] The "User Number" mentioned above is information that identifies the target user and includes a predetermined combination of numbers, etc., and may also include text and symbols in addition to numbers. "Organization 1" to "Organization 3" is information that identifies the name of the organization to which the user belongs and includes information that combines numbers, text, symbols, etc. The target year and month is information that indicates the point in time when the data was collected.

[0032] (Aggregated data DB122) The aggregated data DB122 is a database that stores aggregated data, which is data on which a predetermined aggregation process has been performed on the pre-anonymized data by the aggregation unit 132 described later. Specifically, the aggregated data DB122 stores hierarchical attribute information, which is information that represents the attributes of each record, counts (number of aggregated or aggregated records), and so on.

[0033] Here, an example of aggregated data stored in the aggregated data DB122 will be explained using Figure 4. Figure 4 is a table diagram showing an example of aggregated data according to the embodiment. The aggregated data DB122 associates the organization (orig(x,y)), the number of people (orig_cnt(x)), and the target year and month (attr) with the organization number (x), and stores them in a table format, for example, as shown in Figure 4.

[0034] The above-mentioned "(x)", "(orig(x,y))", "(orig_cnt(x))", and "(attr)" are examples of parameters used to identify and manipulate target information in database operations, etc.

[0035] The "organization number (x)" mentioned above is information used to identify records included in the aggregated data, and is represented, for example, by a combination of text, numbers, symbols, etc.

[0036] The "organization (orig(x,y))" mentioned above is information used to identify the attribute information (e.g., department name, etc.) of a record included in the aggregated data, and is represented by a combination of text, numbers, symbols, etc.

[0037] Furthermore, the "organization (orig(x,y))" has multiple levels at predetermined granularities. In the above-mentioned (orig(x,y)), "x" is substituted with the numerical value of the organization number (x), and "y" is substituted with a numerical value that specifies a column such as "the xth from the lowest level" in the organization (orig(x,y)). For example, as shown in Figure 4, the "organization (orig(x,y))" may include the first organization (orig(x,1)), the second organization (orig(x,2)), the third organization (orig(x,3)), and so on.

[0038] Furthermore, the "Target Year and Month (attr)" above is where information indicating the year, month, and day to be aggregated is entered. Note that "attr" above may be used as a parameter to represent predetermined attribute information other than the target year and month. Also, the "Number of People (orig_cnt(x))" above is information indicating the number of users who have the same "orig(x)" and "attr". In the example above, "attr" is used as a single parameter for attribute information, but multiple parameters may exist.

[0039] (Integrated data DB123) The integrated data DB123 is a database that stores integrated data that has been aggregated by the integration unit 133, which will be described later. Specifically, the integrated data DB123 stores integrated data that associates aggregated data with aggregated data.

[0040] Here, an example of integrated data stored in the integrated data DB123 will be explained using Figure 5. Figure 5 is a table diagram showing an example of integrated data according to the embodiment. The integrated data DB123 stores the organization (orig(x,y)) and the number of people (orig_cnt(x)), as well as the aggregated organization (anon(x,y)) and the aggregated number of people (anon_cnt(x)), in association with the organization number (x), in the format of the table diagram shown in Figure 5.

[0041] The above-mentioned "(x)", "(orig(x,y))", "(orig_cnt(x))", "(attr)", "(anon(x,y))", and "(anon_cnt(x))" are examples of parameters used to identify and manipulate target information in database operations, etc.

[0042] The "aggregated organization (anon(x,y))" above is information used to identify the attribute information (e.g., department name) of the records included in the aggregated data, and is represented by a combination of text, numbers, symbols, etc. The "aggregated number of people (anon_cnt(x))" above is information indicating the number of users who have the same "anon(x)" and "attr".

[0043] (Control unit 130) Now, let's return to Figure 2 and continue the explanation. The control unit 130 has an internal memory for temporarily storing programs and processing data that define various processing procedures of the anonymization device 100, and is realized by electronic circuits such as a CPU (Central Processing Unit) and an MPU (Micro Processing Unit), and integrated circuits such as an ASIC (Application Specific Integrated Circuit) and an FPGA (Field Programmable Gate Array). As shown in Figure 2, the control unit 130 has a reception unit 131, an aggregation unit 132, an integration unit 133, and an output unit 134.

[0044] (Reception desk 131) The reception unit 131 receives input of pre-anonymized data, including records that have not been anonymized, via the input unit and communication unit 110, etc. In addition, the reception unit 131 can receive commands to execute aggregation processing, etc., from terminal devices operated by users via the communication unit 110, etc.

[0045] (Aggregation Section 132) The aggregation unit 132 uses data that includes unanonymized records to generate aggregated data in which personally identifiable information is removed and records with similar attributes are aggregated. For example, the aggregation unit 132 generates aggregated data in which records belonging to similar attributes from the unanonymized data are aggregated based on k-anonymization.

[0046] An example of processing performed by the aggregation unit 132 will be explained in detail in the section describing Figure 8 below.

[0047] (Integration Section 133) The integration unit 133 generates integrated data by associating aggregated data, which is data obtained after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data. Specifically, the integration unit 133 performs an "anonymization process," a "summation process," and a "flag information update process."

[0048] For example, the integration unit 133 identifies a first record among one or more records included in the aggregated data whose count is less than a lower limit and whose attribute information is not blank, and performs an anonymization process on the identified first record by replacing the attribute identification information with null (hereinafter sometimes referred to as "making it blank"). The integration unit 133 also performs an anonymization process to add records based on predetermined conditions.

[0049] For example, the integration unit 133 adds the second count of a second record whose count is less than the lower limit among one or more records included in the aggregated data after anonymization processing, to the third count of a third record belonging to the same column as the second record, or to the fourth count of a fourth record belonging to a higher column than the second record. Then, the integration unit 133 performs a summation process to replace the summed count of the second record with zero.

[0050] For example, the integration unit 133 executes a "flag information update process" to update the flag information of the records that have undergone aggregation processing.

[0051] An example of processing by the integration unit 133 will be explained in detail in the following sections describing Figures 6 to 12.

[0052] (Output section 134) The output unit 134 outputs integrated data, which associates aggregated data and summary data, to the user in a predetermined tabular format. An example of the integrated data output by the output unit 134 will be explained in detail in the section describing Figure 13 below.

[0053] (An example of the anonymization process) From here, an example of processing by the anonymization device 100 will be explained using Figures 6 to 13. First, the sequence of anonymization processing will be explained using Figure 6. Figure 6 is a diagram illustrating an example of the flow of anonymization processing according to the embodiment. Figure 6 shows the anonymization device 100, which generates integrated data by performing aggregation processing and consolidation processing on the data before anonymization.

[0054] The anonymization device 100 (integration unit) performs a predetermined aggregation process, such as k-anonymization, on the pre-anonymization data that has not been anonymized as shown in (1-1) of Figure 6, and generates aggregated data ((1-2) of Figure 6).

[0055] The anonymization device 100 (integration unit) uses the generated aggregated data to perform an initialization process that generates initialization data to be used when performing subsequent aggregation processing (Figure 6 (2)). Details of the initialization process will be explained with reference to Figure 9.

[0056] Next, the anonymization device 100 (integration unit) performs aggregation processing on the columns located in the hierarchy of the target (specified) for which aggregation processing is to be performed (for example, the hierarchy related to "third organization") (hereinafter sometimes simply referred to as "specified columns") (Figure 6 (3)).

[0057] Specifically, the anonymization device 100 (integration unit) repeatedly executes "anonymization process (S10 in FIG. 6)", "aggregation process (S20 in FIG. 6)", and "flag information update process (S30 in FIG. 6)". The flows of the anonymization process, aggregation process, and flag information update process will be described in detail using FIG. 7.

[0058] When the anonymization device 100 (integration unit) satisfies the end condition of the aggregation process for the specified column, it ends the loop process (Yes in (3-1) of FIG. 6) and outputs the integrated data generated by the aggregation process (4 in FIG. 6).

[0059] The above end condition of the aggregation process is an arbitrarily determined end condition. For example, conditions such as "the processing flag (flag(x)) is 0 and there is no record whose count number after aggregation is less than the preset lower limit value (there is no x such that anon_cnt(x) < K)" may be set.

[0060] On the other hand, when the anonymization device 100 (integration unit) does not satisfy the end condition of the aggregation process for the specified column, it continues the aggregation process (No in (3-1) of FIG. 6). Specifically, the anonymization device 100 (integration unit) executes the aggregation process for the next specified column (for example, "second organization" ··· "nth organization", etc.) (5 in FIG. 6). Then, the anonymization device 100 (integration unit) continues the process until the above end condition of the aggregation process is satisfied (Yes in (5-1) of FIG. 6).

[0061] Hereafter, the details of the "anonymization process (S10 in FIG. 6)", "aggregation process (S20 in FIG. 6)", and "flag information update process (S30 in FIG. 6)" by the anonymization device 100 (integration unit) described in FIG. 6 will be described using FIG. 7. FIG. 7 is a diagram showing an example of the aggregation process according to the embodiment.

[0062] In the following items, the description will be made using the parameters (for example, orig, anon, flag, etc.) described in FIGS. 4 and 5.

[0063] First, the "anonymization process (S10 in FIG. 7)" by the anonymization device 100 (integration unit) will be described. In the "anonymization process", a process of emptying the attribute information of records whose values are below the lower limit value, and a process of adding records that exist in anon(x) but do not exist in orig(x) are executed.

[0064] The anonymization device 100 (integration unit) specifies the organization information of the specified column (for example, x = 1 of the third organization (orig(x,3)), etc.) based on the preset column specification (S11). Note that the above "organization information" means one or more attribute information included in each record, and hereinafter it will be simply referred to as "organization information".

[0065] The anonymization device 100 (integration unit) changes the flag to "1" by emptying the organization information related to records that satisfy a predetermined condition (for example, flag(x) = 0, and orig_cnt(x) < K, and anon(x,y) is not blank) among the records of the specified column (Yes in S12 and S13).

[0066] For example, when the target organization information is originally "empty", the anonymization device 100 (integration unit) executes a process of making it "empty" again. Also, for example, when organization information such as "1G" exists, the anonymization device 100 (integration unit) executes a process of making the organization information "empty". By this process, the anonymization device 100 (integration unit) can anonymize the organization information of the specified column to a higher level.

[0067] On the other hand, when there are no records that satisfy the above predetermined condition (No in S12), the anonymization device 100 (integration unit) skips the processes from S13 to S15 hereinafter.

[0068] When "anon(x)" exists in the organization information in the specified column (Yes in S14), the anonymization device 100 (integration unit) skips the process of S15 hereinafter.

[0069] On the other hand, if "anon(x)" does not exist in the organizational information in the specified column (No. in S14), the anonymization device 100 (integration unit) generates "organizational information x0" based on predetermined conditions. Specifically, the anonymization device 100 (integration unit) generates "organizational information x0" by inputting the information contained in anon(x) into "orig(x0)" and "anon(x0)", "0" into "orig_cnt(x0)" and "anon_cnt(x0)", and "0" into flag(x0) (S15).

[0070] For example, the anonymization device 100 (integration unit) executes the above-described emptying process on a specified column, thereby replacing the attribute information "A Department, X Division, 1G" with "A Department, X Division, (blank)". If there is no corresponding column for the aggregation process, the device creates a new column with the attribute "A Department, X Division, (blank)".

[0071] The anonymization device 100 (integration unit) then repeatedly processes the records included in the organizational information for the specified column (S16). For example, if the organizational information for the specified column contains records from "x=1 to N", the anonymization device 100 (integration unit) repeatedly processes until it reaches the record for "N".

[0072] Next, we will explain the "summation process (S20 in Figure 7)" performed by the anonymization device 100 (integration unit). After the anonymization process for the target organization information (x=1 to N) described above, the anonymization device 100 (integration unit) performs the "summation process (S20 in Figure 7)". In the "summation process", the counts of target records that fall below the lower limit of the count count among the records included in the specified column are added to the counts of the other records.

[0073] The anonymization device 100 (integration unit) identifies the record to be aggregated, "organization information 1 (x1=1,···,N)" (for example, x1=1 for the third organization (orig(x,3)) that performed the anonymization process) from the specified column based on the pre-configured column specification (S21).

[0074] The anonymization device 100 (integration unit) identifies "organization information 2 (x2=1,···,N)" which is a record to be summed from each record in the specified column that satisfies a predetermined condition (for example, flag(x)=0) (Yes in S22 and S23). If no organization information 2 that satisfies the condition exists (No in S22), steps S23 to S25 are skipped.

[0075] The anonymization device 100 (integration unit) determines whether the organizational information 2 satisfies predetermined conditions (for example, flag(x2)=1 and anon(x1)=anon(x2)) (S24). If the organizational information 2 does not satisfy the above predetermined conditions (No. in S24), the anonymization device 100 (integration unit) skips the process in S25.

[0076] On the other hand, if the organization information 2 satisfies the above predetermined conditions (Yes in S24), the anonymization device 100 (integration unit) adds the count of the organization information 2 (anon_cnt(x2)) to the count of the organization information 1 (anon_cnt(x1)) which has the same attributes as the organization information 2 (S25). Furthermore, the anonymization device 100 (integration unit) replaces the count of the organization information 2 (anon_cnt(x2)) after adding the count to "0" (S25).

[0077] The anonymization device 100 (integration unit) then repeatedly performs the process related to the identification and count addition of organization information 1 and organization information 2 for records included in the specified column (S26 and S27). For example, if there are records from "x=1 to N" for the specified column, the anonymization device 100 (integration unit) repeatedly performs the process until it reaches record "N".

[0078] Next, the "flag information update process (S30 in FIG. 7)" by the anonymization device 100 (integration unit) will be described. The anonymization device 100 (integration unit) executes the "flag information update process (S30 in FIG. 7)" after the aggregation process for the above-mentioned target organization information (x = 1 to N). In the "flag information update process", a process of updating the flag information for the records related to the organization information 2 after the aggregation process of the count number is executed.

[0079] The anonymization device 100 (integration unit) specifies the organization information 1 of the specified column (for example, x1 = 1, etc. of the third organization (orig(x,3)) for which anonymization processing has been executed) based on the specification of a preset column (S31). Note that the records that satisfy the predetermined conditions specified in S31 are denoted as "organization information 1 (x1 = 1, ···, N)".

[0080] The anonymization device 100 (integration unit) specifies the records that satisfy a predetermined condition (for example, flag(x) = 0 and anon_cnt(x) < K) among the records of each column specified (Yes in S32 and S33). Here, when the organization information 1 does not satisfy the above-mentioned predetermined conditions (No in S32), the anonymization device 100 (integration unit) skips the processes from S33 to S35.

[0081] The anonymization device 100 (integration unit) determines whether the organization information 2 satisfies a predetermined condition (for example, flag(x2) = 1 and anon(x1) = anon(x2)) (S34). Here, when there is no organization information 2 that satisfies the condition (No in S34), the process of S35 is skipped.

[0082] On the other hand, when the organization information 2 satisfies the above-mentioned predetermined conditions (Yes in S34), the anonymization device 100 (integration unit) changes the flag(x2) of the organization information 2 to "0" (S35). [[ID=!]]

[0083] The anonymization device 100 (integration unit) then repeatedly performs the process related to the identification of organization information 1 and organization information 2 and the modification of flags for records included in the specified column (S36 and S37). For example, if there are records from "x=1 to N" for the specified column, the anonymization device 100 (integration unit) repeatedly performs the process until it reaches the record "N".

[0084] Based on the flow described above, the anonymization device 100 (integration unit) executes aggregation processing, which includes "anonymization processing," "summation processing," and "flag information update processing," to generate aggregated data. The anonymization device 100 (integration unit) then generates integrated data by associating the generated aggregated data with the aggregated data.

[0085] (An example of anonymization) From here, an example of the integrated data generation process based on the anonymization process flow by the anonymization device 100, as explained using Figures 6 and 7, will be described using Figures 8 to 13. Hereafter, it will be assumed that the column (H) specified at the start of processing is "3 (Third Organization)" and the lower limit (K) is "5".

[0086] In the example of anonymization process described below, the anonymization device 100 repeatedly performs aggregation processing until there are no more records that satisfy the predetermined conditions in the initially specified column. Then, if there are no more records that satisfy the predetermined conditions in the initially specified column, the anonymization device 100 repeatedly performs processing on columns located at a higher level relative to that column until there are no more records that satisfy the conditions.

[0087] First, using Figure 8, we will explain an example of generating aggregated data by performing a predetermined aggregation process, such as k-anonymization, on pre-anonymized data that has not undergone anonymization. Figure 8 is a diagram showing an example of the aggregation process according to the embodiment.

[0088] As shown in Figure 8, the anonymization device 100 (integration unit) performs k-anonymization processing and other operations on the pre-anonymization data (Figure 8 (1)) to generate aggregated data (Figure 8 (2)).

[0089] For example, the data identified by user numbers 7 to 11 in the pre-anonymized data (Figure 8 (1)) (Figure 8 (1-1)) contains common information for the first organization, the second organization, and the third organization. The anonymization device 100 (integration unit) aggregates the records shown in Figure 8 (1-1) above and generates the record shown in Figure 8 (2-1).

[0090] The "number of people (orig_cnt(x))" included in the aggregated data above refers to the number of records with the same type of attribute, such as the number of users with the same type of attribute.

[0091] Next, using Figure 9, we will explain an example of initialization data generated by the initialization process performed on the aggregated data. Figure 9 is a diagram showing an example of data generated based on the initialization process according to the embodiment.

[0092] First, the anonymization device 100 (integration unit) generates initialization data (Figure 9(1)) by performing an initialization process using the aggregated data shown in Figure 8.

[0093] Specifically, the anonymization device 100 (integration unit) generates initialization data (Figure 9 (1)) which includes "organization number (x) (Figure 9 (1-1))", "organization (orig(x,y)) (Figure 9 (1-2))", "aggregated organization (anon(x,y)) (Figure 9 (1-3))" containing similar data, and "processing flag flag(x) (Figure 9 (1-4))" which is information that identifies whether or not to perform aggregation processing for each record.

[0094] The above initialization data is, that is, a data table that associates "organization (orig(x,y))" with "aggregated organization (anon(x,y))" having the same organization information as "organization (orig(x,y))" and assigns flag information for identifying the execution of processing.

[0095] Next, using FIG. 10, an example of data generated when the anonymization device 100 performs anonymization processing and aggregation processing on columns related to the "third organization" will be described. FIG. 10 is a diagram showing an example of data generated based on anonymization processing and aggregation processing for columns in the third layer according to the embodiment.

[0096] The anonymization device 100 (integration unit) uses the initialization data shown in (1) of FIG. 9 and executes anonymization processing to generate the anonymization data shown in (1) of FIG. 10.

[0097] Specifically, the anonymization device 100 (integration unit) executes processing to make "anon(x,y)" empty and processing to set the processing flag flag(x) to "1" for records that satisfy "flag(x)=0, and orig_cnt(x)<K, and anon(x,y) is not empty".

[0098] For example, regarding the record identified by the organization number (4) of the initialization data shown in (1) of FIG. 9, since the above conditions are not satisfied, the anonymization device 100 (integration unit) leaves anon(1,4) as "3G" and flag(4) as "0" ((1-1) and (1-2) of FIG. 10). On the other hand, regarding the record identified by the organization number (2) of the initialization data shown in (1) of FIG. 9, since the above conditions are satisfied, the anonymization device 100 (integration unit) executes processing to make anon(1,2) "(empty)" and flag(4) "1" ((1-3) and (1-4) of FIG. 10).

[0099] Furthermore, since anon(second organization) (that is, organization information where the first organization is "A department", the second organization is "X department", and the third organization is "empty") does not exist in orig(x), a record identified by the organization number (9) is added.

[0100] Specifically, the anonymization device 100 (integration unit) adds a record identified by the organization number (9), in which the information contained in anon(2) is entered into "orig(9)" and "anon(9)", "0" is entered into "orig_cnt(9)" and "anon_cnt(9)", and "0" is entered into flag(9) (Figure 10 (1-5)).

[0101] The anonymization device 100 (integration unit) then generates anonymized data (Figure 10 (1)) by repeatedly performing the above process until there are no more target records.

[0102] Next, the anonymization device 100 (integration unit) uses the anonymized data (Figure 10(1)) that has undergone the anonymization process shown in Figure 10 to perform an aggregation process, thereby generating aggregated data (Figure 10(2)) that has undergone the aggregation process.

[0103] Specifically, the anonymization device 100 (integration unit) identifies records identified by organization number (5) where flag(x) is "0" and records identified by organization number (6) where flag(x) is "1" and the aggregated third organization (anon(x,3)) is the same (Figures 10 (2-1) and (2-2)).

[0104] Next, the anonymization device 100 (integration unit) adds the anon_cnt(6) "1" of the record identified by the specified organization number (6) to the anon_cnt(5) of the record identified by the organization number (5). Then, the anonymization device 100 (integration unit) similarly adds the anon_cnt(5) of the record identified by the organization number (5) for the records identified by the organization numbers (7) and (8) (Figure 10 (2-3) and (2-4)).

[0105] As a result, the anon_cnt(5) of the record identified by the organizational number (5) in the aggregated data will be "4" (Figure 10 (2-5)). Also, the anon_cnt(x) of the records identified by the organizational numbers (6) to (8) in the aggregated data will each be "0" (Figure 10 (2-6)).

[0106] The anonymization device 100 (integration unit) then repeatedly performs the above process until no more target records remain, thereby generating aggregated data (Figure 10 (2)).

[0107] Next, an example of flag information update data generated by the flag information update process using the aggregated data shown in Figure 10 (2) will be explained using Figure 11. Figure 11 is a diagram showing an example of data generated based on the flag information update process for the second-level column according to the embodiment.

[0108] The anonymization device 100 (integration unit) generates the flag information update data shown in Figure 11 (2) by performing a flag information update process using the aggregated data shown in Figure 11 (1). Note that the aggregated data shown in Figure 11 (1) is the same data as the aggregated data explained in Figure 10 (2).

[0109] Specifically, the anonymization device 100 (integration unit) updates the processing flag flag(x) from "1" to "0" for anon(6), anon(7), and anon(8) that have undergone aggregation processing (Figure 11 (2-1)).

[0110] Next, using Figure 12, we will explain an example of data generated by anonymization and aggregation processing applied to the second-level columns, using data (flag information update data) that has been processed on the third-level columns shown in Figure 11(2). Figure 12 is a diagram showing an example of data generated based on anonymization and aggregation processing applied to the second-level columns according to the embodiment.

[0111] The anonymization device 100 (integration unit) generates the anonymized data shown in Figure 12 (1) by performing an anonymization process using the flag information update data shown in Figure 11 (2). The anonymization process targeting the second-level columns is performed using the same procedure as the anonymization process targeting the third-level columns.

[0112] Specifically, the anonymization device 100 (integration unit) performs the following processes: clearing the organizational information of the aggregated second organization (anon(x,2)) identified by identification numbers (5) to (8) (Figure 12 (1-1)), and setting the processing flag flag(x) to "1" (Figure 12 (1-2)).

[0113] Next, the anonymization device 100 (integration unit) uses the anonymized data (Figure 12 (1)) to perform aggregation processing, thereby generating aggregated data in which aggregation processing has been performed on the second-level columns shown in Figure 12 (2).

[0114] Specifically, the anonymization device 100 (integration unit) adds the anon_cnt(1) "4" of organization number (5) where flag(x) is "1" to the anon_cnt(5) of the record identified by organization number (1) where flag(x) is "0" (Figure 12 (2-1)). As a result, the anon_cnt(1) of the record identified by organization number (1) becomes "5" (Figure 12 (2-2)).

[0115] Furthermore, the anonymization device 100 (integration unit) executes the flag information update process described using (2) in Figure 11 to update the processing flag flag(x) of the target record from "0" to "1" (Figures 12 (2-3) and (2-4)).

[0116] The anonymization device 100 (integration unit) repeatedly performs the aggregation process described above by changing the specified column until there are no more records below the lower limit of the count. In other words, the anonymization device 100 (integration unit) sequentially performs the "anonymization process," the "aggregation process," and the "flag information update process" on the specified column and columns located in higher hierarchical levels, thereby generating integrated data from which personally identifiable information has been removed and from which the progress of the aggregation process can be tracked.

[0117] Next, the anonymization device 100 (output unit) outputs the integrated data (output data) to the user, for example, in tabular format. From here, an example of the output of integrated data generated by the aggregation process described above will be explained using Figure 13. Figure 13 is a diagram showing an example of the output of integrated data according to the embodiment.

[0118] As shown in (1-1) of Figure 13, in the aggregated data before the aggregation process is performed, there are records where the number of people (orig_cnt(x)) is less than or equal to the lower limit (K<5). As a result, for example, in organizations with a number of people of "1", even if anonymization is performed, individuals can actually be identified.

[0119] On the other hand, as shown in (1-2) of Figure 13, in the integrated data after aggregation processing, there are no records where the number of people (orig_cnt(x)) exceeds the lower limit (K<5), so individuals cannot be identified.

[0120] The anonymization device 100 (integration unit) can then associate the aggregated data before the aggregation process described above is performed (Figure 13 (1-1)) with the integrated data after the aggregation process is performed (Figure 13 (1-2)), and output it in a list format or the like. In other words, the anonymization device 100 (integration unit) can output integrated data in a state where individuals cannot be identified, and which also ensures traceability of how the aggregation and aggregation processes were performed.

[0121] (Procedure for processing by the anonymization device 100) Next, the procedure for processing implemented by the anonymization device 100 according to this embodiment will be explained using Figure 14. Figure 14 is a flowchart showing the processing performed by the anonymization device 100 according to this embodiment.

[0122] The aggregation unit 132 uses the data, including records that have not been anonymized, to generate aggregated data in which personally identifiable information has been removed and records with similar attributes have been aggregated (S101).

[0123] The integration unit 133 performs anonymization processing on the aggregated data (S102). Next, the integration unit 133 performs summation processing on records belonging to a specified column in the aggregated data whose count is less than the lower limit (S103). Next, the integration unit 133 performs flag information update processing on the aggregated data after the summation processing has been performed (S104).

[0124] If a record that satisfies the predetermined conditions exists (Yes in S105), the integration unit 133 returns to the previous step and repeatedly executes the processes in S103 and S104.

[0125] On the other hand, if no record satisfies the predetermined conditions (No. in S105), the output unit 134 outputs integrated data in which the aggregated data and the summary data are associated (S106). Then, the anonymization device 100 terminates the processing step.

[0126] (effect) Next, we will explain the effects of the anonymization device 100 according to this embodiment. Conventionally, it has sometimes been difficult to appropriately balance the protection and use of personal information.

[0127] Therefore, the aggregation unit 132 of the anonymization device 100 according to this embodiment generates aggregated data using data that includes unanonymized records, in which personally identifiable information is deleted and records having similar attributes are aggregated. The integration unit 133 of the anonymization device 100 generates integrated data that associates aggregated data, which is data after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data.

[0128] In other words, the anonymization device 100 according to this embodiment performs the following processing so that the correspondence between organizations and the number of members before and after anonymization can be tracked. (1) If organizations are consolidated through anonymization, etc., they will be retained as organizations (records) with 0 members after anonymization. (2) If anonymization creates a new organization (for example, if there is no organization corresponding to the higher level), add an organization (record) with 0 members before anonymization. (3) Anonymized organizations will only retain information about the anonymized organization.

[0129] As a result, the anonymization device 100 can generate anonymized statistical data that satisfies the following conditions. (1) The data does not allow for understanding the situation on an individual (user) basis. (2) Data that allows us to understand how individual data has been statistically analyzed.

[0130] Therefore, the anonymization device 100 according to this embodiment has the effect of enabling the appropriate balance between the protection and use of personal information.

[0131] Furthermore, the anonymization device 100 according to this embodiment achieves predetermined effects by performing the processes described below.

[0132] The integration unit 133 adds the second count of a second record whose count is less than the lower limit among one or more records included in the aggregated data on which the anonymization process has been performed, to the third count of a third record belonging to the same column as the second record, or to the fourth count of a fourth record belonging to a higher column than the second record. Then, the integration unit 133 performs a summation process to replace the summed count of the second record with zero.

[0133] Through the process described above, the anonymization device 100 generates data that does not allow for the identification of individual (user) information by summing the counts of records whose counts are less than a set lower limit with the counts of other records. As a result, the anonymization device 100 has the effect of appropriately protecting personal information.

[0134] The integration unit 133 identifies a first record among the one or more records included in the aggregated data whose count is less than a lower limit and whose attribute information is not blank, and performs an anonymization process on the identified first record to make the attribute identification information blank.

[0135] Through the process described above, the anonymization device 100 retains records of the aggregation process even in the anonymized data, making it possible to understand how individual data has been statistically analyzed. As a result, the anonymization device 100 has the effect of protecting personal information while enabling the appropriate use of the data in which such personal information has been protected.

[0136] The aggregation unit 132 generates aggregated data in which records belonging to the same type of attribute from the unanonymized data are aggregated based on k-anonymization. Through the above-described process, the anonymization device 100 is able to appropriately anonymize the unanonymized data. As a result, the anonymization device 100 has the effect of appropriately protecting personal information.

[0137] The output unit 134 outputs integrated data, which associates aggregated data and summary data, to the user in a predetermined tabular format. Through the above-described process, the anonymization device 100 has the effect of protecting personal information while enabling users with predetermined authority, such as managers and supervisors of the organization, to appropriately use the information.

[0138] <Variation> The following describes modifications that can be implemented by the anonymization device 100 according to this embodiment.

[0139] (Data, etc.) The terms used in the description of the above embodiment, such as pre-anonymized data, aggregated data, integrated data, aggregation process, anonymization process, summation process, flag information update process, names of various parameters, names of functional parts of the anonymization device 100, steps, processes, names of steps or processes, etc., are merely examples and can be changed at will.

[0140] For example, while it was explained that the pre-anonymized data DB121 stores information related to each item, such as "No," "User Number," "First Organization," "Second Organization," "Third Organization," and "Target Year and Month," associated with the information contained in the pre-anonymized data, in a table format such as that shown in Figure 3, the items to be stored, the content of the items, and the storage format are not limited. Similarly, while it was explained that the aggregated data DB122 stores information related to the organization number (x), such as the organization (orig(x,y)), the number of people (orig_cnt(x)), and the target year and month (attr), associated with the organization number (x), in a table format such as that shown in Figure 4, the items to be stored, the content of the items, and the storage format are not limited. Furthermore, while it was explained that the integrated data DB123 stores the organization (orig(x,y)) and the number of people (orig_cnt(x)), as well as the aggregated organization (anon(x,y)) and the aggregated number of people (anon_cnt(x)), in association with the organization number (x), in the format of a table diagram as shown in Figure 5, the items to be stored, the content related to the items, and the format in which they are stored are not limited.

[0141] Furthermore, although this embodiment describes the number of columns as "3 (first tissue, second tissue, third tissue)," the number of columns is not limited and may be, for example, "less than 3" or "4 or more."

[0142] (Flowcharts, etc.) In flowcharts, each step may be rearranged as long as it does not create inconsistencies, and some steps may be omitted. Furthermore, conjunctions such as "next," "continue," "in addition," "at this time," and "on this occasion" in flowchart descriptions do not limit the order or timing of the processes in the flowchart.

[0143] <Hardware Configuration> Each component of the illustrated device is a functional concept and does not necessarily have to be physically configured as shown. In other words, the specific forms of distribution and integration of each device are not limited to those shown, and all or part of them can be functionally or physically distributed and integrated in any unit according to various loads and usage conditions. Furthermore, each processing function performed by each device can be implemented, all or any part of it, by a CPU and the program that is analyzed and executed by that CPU, or by hardware using wired logic.

[0144] Furthermore, among the processes described in this embodiment, all or part of those described as being performed automatically can be performed manually using known methods. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the drawings can be arbitrarily changed unless otherwise specified.

[0145] <Program> In one embodiment, the various devices constituting the anonymization device 100 can be implemented by installing an anonymization program as packaged software or online software on a desired computer. For example, by having the above-mentioned anonymization program run on an information processing device, it can function as various devices constituting the anonymization device 100. The information processing device referred to here includes desktop or notebook personal computers. In addition, the information processing device also includes mobile communication terminals such as smartphones and mobile phones, and slate terminals such as PDAs (Personal Digital Assistants).

[0146] Figure 15 shows an example of a computer that implements the anonymization device 100 according to the embodiment. The computer 1000 has, for example, memory 1010 and CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.

[0147] Memory 1010 includes ROM (Read Only Memory) 1011 and RAM 1012. ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. For example, a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120. The video adapter 1060 is connected to, for example, a display 1130.

[0148] The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the various devices constituting the anonymization device 100 is implemented as a program module 1093 in which executable code for a computer is written. The program module 1093 is stored, for example, in the hard disk drive 1090. For example, a program module 1093 for performing the same processes as the functional configuration of the various devices constituting the anonymization device 100 is stored in the hard disk drive 1090. Note that the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

[0149] Furthermore, the configuration data used in the processing of the embodiment described above is stored as program data 1094 in, for example, memory 1010 or hard disk drive 1090. The CPU 1020 then reads the program module 1093 and program data 1094 stored in memory 1010 or hard disk drive 1090 into RAM 1012 as needed and executes the processing of the embodiment described above.

[0150] Furthermore, the program module 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090; for example, they may be stored in a removable storage medium and read by the CPU 1020 via a disk drive 1100 or the like. Alternatively, the program module 1093 and program data 1094 may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.). The program module 1093 and program data 1094 may then be read from the other computer by the CPU 1020 via a network interface 1070.

[0151] <Other> Although this embodiment has been described above, this embodiment is not limited by the description and drawings that constitute part of the disclosure. That is, all other embodiments, examples, and operational techniques made by those skilled in the art based on this embodiment are included in the scope of this embodiment. [Explanation of Symbols]

[0152] 100 Anonymization device 110 Communications Department 120 Storage section 121 Data database before anonymization 122 Aggregated Data Database 123 Integrated Data Database 130 Control Unit 131 Reception Department 132 Aggregation Department 133 Integration Department 134 Output section

Claims

1. An aggregation unit generates aggregated data using data that includes unanonymized records, after removing personally identifiable information and aggregating records with similar attributes. An integration unit generates integrated data by associating aggregated data, which is data obtained after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data. An anonymization device characterized by having the following features.

2. The aforementioned integration unit is Of the one or more records included in the aggregated data on which the anonymization process has been performed, the second count of a second record whose count is less than the lower limit is added to the third count of a third record belonging to the same column as the second record, or the fourth count of a fourth record belonging to a higher column than the second record. The summation process is performed to replace the count of the summed second record with zero. The anonymization device according to feature 1.

3. The aforementioned integration unit is From among one or more records included in the aggregated data, identify a first record whose count is less than the lower limit and whose attribute information is not blank. An anonymization process is performed on the identified first record, in which information identifying the attribute is replaced with null. The anonymization device according to feature 2.

4. The aforementioned aggregation unit, Among the aforementioned unanonymized data, records belonging to the same type of attribute are aggregated based on k-anonymization to generate the aggregated data. An anonymization device according to any one of claims 1 to 3.

5. The system further includes an output unit that outputs integrated data, in which the aggregated data and the summary data are associated, to the user based on a predetermined tabular format. An anonymization device according to any one of claims 1 to 3.

6. An anonymization method to be executed by an anonymization device, An aggregation process that generates aggregated data by removing personally identifiable information and aggregating records with similar attributes using data that includes unanonymized records, An integration step generates integrated data by associating aggregated data, which is data obtained after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data. An anonymization method characterized by including

7. An aggregation step that generates aggregated data using data that includes unanonymized records, in which personally identifiable information is removed and records with similar attributes are aggregated, An integration step that generates integrated data by associating aggregated data, which is data after performing an aggregation process that aggregates records belonging to a specified column in the aggregated data whose count is less than a lower limit, with the aggregated data. An anonymizing program that causes a computer to execute something.