In recent years, with the widespread use of computer networks and the World Wide Web, companies have widely constructed databases by collecting information relating to the privacy of individuals. Recording the collected information in a data structure in the form of a table has generally been practiced in order to manage the collected information efficiently. This method enables a user to easily and conveniently select information from a database by designating a condition, for example by using SQL (Structured Query Language).
A technique of limiting access to each of the items in the tables of a database, as well as limiting access to each of the tables, has been used (see Japanese Published Unexamined Patent Application No. 2002-269092). In the technique described in Japanese Published Unexamined Patent Application No. 2002-269092, whether reference to or change of each item in the database is permitted can be determined according to the rights of the person who accesses the database. In a system constructed in accordance with “Tivoli Privacy Manager Ver. 1.1” from IBM Corporation, access control is performed for each item in a table on the basis of a privacy policy described according to “The Platform for Privacy Preferences (P3P) 1.0 Specification”, home page URL “http://www.w3.org/TR/P3P”, 2002.
More specifically, in this system, whether a user who wishes to access a column is permitted to do so is determined on the basis of the identity of the user, the purpose of the access, and the set of owners of the information in the column. Further, in this system, access control can be performed according to attributes of the owner of the information, such as the owner's age, whether the owner consents to a particular use of the information (for example, the sending of direct mail), or whether the owner consents to a prescribed privacy policy.
Information generally called personal information includes PII (Personally Identifiable Information) and PSI (Privacy Sensitive Information). PII is information that identifies a person, e.g., a name or an electronic mail address. PSI is information that infringes the privacy of a person when it is output in a form that relates it to PII; annual income is one example. To prevent infringement of privacy, it is therefore necessary to prohibit output that relates PII and PSI to each other. At the same time, it is desirable to permit output of PSI alone, since PSI that is not linked to PII is unlikely to infringe privacy.
To use a database as effectively as possible while suitably protecting privacy as described above, permission or denial of access to a plurality of columns must be determined on the basis of the mutual relationship between those columns. Each of the above-described arts enables permission or prohibition to be determined for each column of a database individually, but does not enable permission or prohibition to be determined for data defined as a combination of a plurality of columns.
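The following is an added illustration of the distinction drawn above; it is not code from this application, from Tivoli Privacy Manager or from the cited patent application. It assumes a constructed "customers" table whose columns have been classified as PII, PSI or public, and a hypothetical purpose policy in which only certain (role, purpose) pairs may use PII. The combination-based check refuses any single query that relates PII to PSI, whether the two appear together in the output columns or one appears in the output and the other in a selection predicate (a PSI value returned for rows chosen by e-mail address is still linked to a person). A per-column check of the kind the text contrasts with is included to show that it permits exactly the combination the combination-based check refuses.

```python
from dataclasses import dataclass
from typing import Iterable, Set

# Constructed column classification for a hypothetical "customers" table.
# PII identifies a person; PSI is sensitive only when it can be tied to PII.
PII, PSI, PUBLIC = "PII", "PSI", "PUBLIC"
COLUMN_CLASS = {
    "customers.name": PII,
    "customers.email": PII,
    "customers.annual_income": PSI,
    "customers.medical_flag": PSI,
    "customers.country": PUBLIC,
}

# Hypothetical purpose policy (an assumption): (role, purpose) pairs allowed to use PII.
PURPOSES_ALLOWED_PII = {
    ("marketing", "direct-mail"),
    ("support", "account-service"),
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def classify(columns: Iterable[str]) -> Set[str]:
    """Return the set of classes of the given columns.

    Fails closed: a column missing from the classification is treated as PII,
    so an unclassified column can never be combined with PSI.
    """
    return {COLUMN_CLASS.get(c, PII) for c in columns}


def decide(role: str, purpose: str,
           output_columns: Iterable[str],
           predicate_columns: Iterable[str] = ()) -> Decision:
    """Combination-based check: decide one query from every column it touches.

    output_columns    - columns returned to the caller (the SELECT list)
    predicate_columns - columns used to select rows (WHERE / JOIN conditions)
    """
    touched = classify(output_columns) | classify(predicate_columns)

    # Rule 1: PII and PSI may never be related within one query, in any position.
    if PII in touched and PSI in touched:
        return Decision(False, "query relates PII to PSI")

    # Rule 2: touching PII at all requires an allowed (role, purpose) pair.
    if PII in touched and (role, purpose) not in PURPOSES_ALLOWED_PII:
        return Decision(False, f"purpose {purpose!r} may not use PII")

    # PSI alone, public data alone, or PII under an allowed purpose: permitted.
    return Decision(True, "ok")


def per_column_decision(role: str, purpose: str, columns: Iterable[str]) -> Decision:
    """The per-column scheme the text contrasts with: each column is judged alone,
    so a query is permitted whenever every individual column would be."""
    for column in columns:
        single = decide(role, purpose, [column])
        if not single.permit:
            return single
    return Decision(True, "ok")


if __name__ == "__main__":
    combo = ["customers.name", "customers.annual_income"]
    print("per-column :", per_column_decision("marketing", "direct-mail", combo))
    print("combination:", decide("marketing", "direct-mail", combo))
    print("PSI by PII :", decide("marketing", "direct-mail",
                                 ["customers.annual_income"], ["customers.email"]))
```

Treating predicate columns as "touched" is the caveat a practitioner will want to keep: a policy that inspects only the SELECT list still lets a caller ask for `annual_income WHERE email = ...`, which discloses PSI about an identified person without ever returning the PII itself.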
It is, therefore, an object of the present invention to provide an access control system, an access control device, an access control method, a program and a recording medium capable of solving the above-described problem. This object can be attained by a combination of features described in the independent claims in the appended claims. In the dependent claims, further advantageous examples of the present invention are specified.