Eight principles concerning the protection of privacy are set out in the “OECD RECOMMENDATION CONCERNING AND GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA” adopted by the Organization for Economic Co-operation and Development (OECD) in 1980. The eight OECD principles define rules with which businesses handling personal information, such as companies, should comply, covering eight items: purpose specification, use limitation, collection limitation, data quality, security safeguards, openness, individual participation, and accountability. OECD member countries are improving their domestic laws, guidelines, and similar systems so as to follow the eight principles for the protection of privacy and of personal information. As a result, companies handling personal information are urged to comply with such systems. The companies therefore take on various new tasks and incur personnel and financial costs in carrying them out.
The advent of computer networks has made it easy to exchange large quantities of personal data in electronic form. Thus, once personal information is accidentally leaked, a large number of people are likely to suffer from the leak. Moreover, as the Internet develops, the risk of litigation for damages concerning leakage of information increases. Nowadays, since people are increasingly conscious of privacy, companies are held not only legally responsible for their handling of personal information but also morally responsible. Therefore, the risk of unexpected leakage of personal information is also recognized as a risk factor that damages brand image. In other words, in order to avoid such risks, many companies have to spend more on managing personal information appropriately. As a system supporting jobs concerning the management of personal information, a personal information management system having a consent-based access control function, in particular for personal information in electronic form, is known (hereinafter referred to as the first conventional technique). An explanation of the first conventional technique is found, for example, at http://www-6.ibm.com/jp/software/tivoli/products/privacy.html.
The first conventional technique has a function of disclosing a policy for handling personal information, such as the purpose of usage and the data items collected, and of recording a consent to that policy from the provider of the personal information, such as a consumer or user. In addition, the first conventional technique has an access control function that limits the use of personal information within a company to appropriate users. Access control based on a consent to follow the policy is realized on the basis of authorization of a program executed by a computer. Moreover, the first conventional technique has a function of recording which user accessed which personal information and for what purpose of usage.
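The consent-based access control and access logging just described, as an added illustration written for this page (it is not the code of the cited product, and the policy identifiers, roles, purposes and customer data below are constructed sample values). The store records a provider's consent to a disclosed handling policy, refuses to collect items the policy does not cover, allows access only for a purpose that was both consented to and authorized for the user's role, and logs every access attempt, allowed or denied:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HandlingPolicy:
    """Policy disclosed to the information provider: purposes of usage and
    the data items collected (values are constructed samples in the test)."""
    policy_id: str
    purposes: FrozenSet[str]
    collected_items: FrozenSet[str]


class ConsentBasedStore:
    """Personal information store whose access control is based on the
    provider's recorded consent to a handling policy, with an access log."""

    def __init__(self, policy: HandlingPolicy, role_purposes: Dict[str, FrozenSet[str]]):
        self.policy = policy
        self.role_purposes = role_purposes            # role -> purposes the role may act under
        self.consents: Dict[str, Tuple[str, str]] = {}  # subject -> (policy_id, timestamp)
        self.records: Dict[str, dict] = {}            # subject -> {item: value}
        self.audit_log: List[dict] = []               # who used whose data for what purpose

    def record_consent(self, subject_id: str, policy_id: str) -> None:
        # Consent is only meaningful for the policy that was actually disclosed.
        if policy_id != self.policy.policy_id:
            raise ValueError(f"unknown policy {policy_id}")
        self.consents[subject_id] = (policy_id, datetime.now(timezone.utc).isoformat())

    def collect(self, subject_id: str, data: dict) -> None:
        # Collection limitation: no consent means no storage, and no item
        # outside the disclosed collection list is accepted.
        if subject_id not in self.consents:
            raise PermissionError(f"no consent on file for {subject_id}")
        extra = set(data) - set(self.policy.collected_items)
        if extra:
            raise ValueError(f"items not covered by policy: {sorted(extra)}")
        self.records[subject_id] = dict(data)

    def access(self, user: str, role: str, subject_id: str, purpose: str) -> dict:
        # Use limitation: the purpose must be one the provider consented to AND
        # one this user's role is authorized for. Every attempt is logged.
        consented = subject_id in self.consents and purpose in self.policy.purposes
        authorized = purpose in self.role_purposes.get(role, frozenset())
        decision = "allow" if (consented and authorized) else "deny"
        self.audit_log.append({"user": user, "role": role, "subject": subject_id,
                               "purpose": purpose, "decision": decision})
        if decision == "deny":
            raise PermissionError(f"{user} may not use {subject_id} for {purpose}")
        return dict(self.records[subject_id])
```

The audit log is appended before the decision is enforced, so denied attempts are visible to the provider or an auditor as well as successful ones; that is what lets an information provider or an entrusting company later review how the data was actually used.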
As publicly known means for anonymously managing so-called “subtle information” or “sensitive data” within personal information, there is a system for handling medical information (hereinafter referred to as the second conventional technique). The second conventional technique is explained in, for example, JP-A-2001-357130. The second conventional technique separates personal identification information, such as names, addresses, and dates of birth, from disease information other than the personal identification information, such as genetic information; encrypts the respective kinds of information with different keys; and stores the decryption keys for the information on a recording medium such as an IC card. This makes it possible for the owner of the IC card to control the use of the personal identification information and of the disease information. The system allocates a management code that associates the personal identification information with the disease information. Using this management code makes it possible to use the disease information anonymously, without using the personal identification information.
Protective laws and guidelines in the respective member countries that comply with the eight OECD principles stipulate, as essential requirements, that the purpose of usage be clearly described in a policy for handling personal information and that consent to the usage of the information be obtained from the information provider. The first conventional technique realizes control of access to accumulated personal information based on a consent to follow the policy. However, the first conventional technique has a problem in that an information provider cannot ascertain how the personal information is being used. The same problem also occurs when jobs using the personal information are entrusted to other companies: the first conventional technique does not provide means by which an entrusting company can manage how the entrusted company uses the information.
The second conventional technique has a problem in that use of the personal identification information in cases where the disease information is not required is also limited. In the second conventional technique, although it is possible not to encrypt the disease information, the personal identification information is always encrypted and stored in order to guarantee confidentiality. Therefore, the decryption key stored on the IC card or the like is always required for decryption of the personal identification information. In addition, in the second conventional technique, the management code associating the personal identification information with the disease information is unencrypted plain text, and the management code is never changed once granted. Therefore, once a system user has obtained the decrypted personal identification information, that user can thereafter freely associate the disease information with the acquired personal identification information. Thus, it turns out that confidentiality is not taken into account.
The problems of the second conventional technique are caused by its underlying design principle itself, which does not depend on the field of application. For example, when the second conventional technique is applied to the management of customer information in a retail shop, it is conceivable to handle a purchase history in the same way as the disease information. However, the second conventional technique cannot be used for an application in which only the personal identification information is referred to, such as an identity check at a customer counter or in a call center.
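A model of the second conventional technique's data layout and of the two problems noted above, as an added illustration written for this page (it is not the code of the system described in JP-A-2001-357130, which does not specify its cipher; the HMAC-SHA256 counter-mode keystream below is a toy substitute for illustration only, and the patient name, diagnosis and "MC-" management codes are constructed sample values). The personal identification information and the disease information are encrypted under separate keys and linked by a plaintext management code that is never changed; the disease half can be read without the identification half, the identification half always needs the card-held key even when no disease data is wanted, and a user who has decrypted the identification half once can re-associate it with the "anonymous" disease data at any later time:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). Stands in for the cited
    system's unspecified cipher; only enough to make key separation visible."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return {"nonce": nonce, "ct": bytes(p ^ k for p, k in zip(plaintext, ks))}


def decrypt(key: bytes, blob: dict) -> bytes:
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


class SplitRecordStore:
    """Records split into personal identification information (PII) and
    disease information, each encrypted under its own key. The management
    code linking the two halves is stored in plain text and never changes."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self._next = 1

    def add(self, pii_key: bytes, disease_key: bytes, pii: str, disease: str) -> str:
        code = f"MC-{self._next:06d}"   # plaintext code, fixed for the record's lifetime
        self._next += 1
        self.records[code] = {"pii": encrypt(pii_key, pii.encode()),
                              "disease": encrypt(disease_key, disease.encode())}
        return code

    def disease_by_code(self, code: str, disease_key: bytes) -> str:
        """Anonymous use: the disease half is readable without touching the PII."""
        return decrypt(disease_key, self.records[code]["disease"]).decode()

    def identify(self, code: str, pii_key: Optional[bytes]) -> str:
        """Even an application that needs only the name must present the
        card-held PII key, because the PII half is always stored encrypted."""
        if pii_key is None:
            raise PermissionError("PII decryption key from the IC card is required")
        return decrypt(pii_key, self.records[code]["pii"]).decode()


def relink_after_disclosure(store: SplitRecordStore, code: str,
                            pii_key: bytes, disease_key: bytes) -> dict:
    """A user who decrypts the PII once can retain name -> management code and,
    because the code is plaintext and never rotated, re-associate the
    'anonymous' disease information with that person at any later time."""
    name = store.identify(code, pii_key)        # one legitimate identification
    remembered = {name: code}                   # mapping retained by the user
    return {n: store.disease_by_code(c, disease_key) for n, c in remembered.items()}
```

The `relink_after_disclosure` function is the confidentiality gap the text points out in concrete form: nothing in the stored record changes after the identification half has been decrypted, so the static plaintext code remains a permanent join key between the two halves.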