(1) Field of the Invention
The present invention relates to a technology for converting information of a highly private nature into an anonymous form such that it is impossible to specify to whom the information relates, and for storing and supplying the converted information.
(2) Description of the Related Art
Medical information such as the results from diagnoses and medical examinations which have taken place in hospitals is commonly recorded together with personal information capable of specifying the patient to whom the results belong, such as a name, a date of birth, an address, and the like. Further, grade data from examinations and the like in schools or other institutions and personal assessment data in industry are commonly stored together with students' and employees' personal information respectively. Moreover, in the case of data resulting from various types of survey, respondents' survey responses are commonly stored together with personal information.
Since this information reveals information such as who has which medical history, who obtained which grade or personal assessment, and who gave which survey response, it bears strongly upon privacy, and from the point of view of privacy protection, strict confidentiality management is required.
On the other hand, in the case of medical information, for instance, in order that statistical information, such as the number of patients afflicted with a particular disease in a given year, or the like, may be acquired, and that the medical histories of particular patients may be traced and put to use in establishing new medical treatments and in preventative medicine, it is desirable to enter the medical information into a database and thereby make it available to a large number of researchers. Similarly, in the case that the information is grades and results, it is desirable that it can be used for finding statistical information such as grade distributions and the like, and thereby be of use in providing students with academic guidance, and the like.
Thus, it is desirable that information of the type described above is disclosed in the kind of database that enables statistical enquiries, tracing, and the like, while protecting the privacy of the patients, the students, or the like.
Here, protecting the privacy of the patients or students is used to mean disclosing the results of medical examinations or diagnoses, or the grades, but making it impossible to specify the patients or students to whom the data belong.
In one general method conceivable for fulfilling the type of demands described above, data is stored in the public database only after the personal information section specifying the individual patients, individual students, or the like has been removed. In the case of medical information, for instance, each hospital removes the section containing personal information from the examination data (medical records) of patients who have been examined, and stores the remaining information in the public database. The information in the public database is disclosed to researchers, but since data specifying the origins of the patients is not included, patient privacy is protected.
However, there is a problem with this method in that if the same patient is examined at different hospitals for each of a series of medical problems, it is impossible to tell from the public database that the various clinical information belongs to the same patient since it is stored in the database with the patient's personal information removed.
One method disclosed to solve this problem is capable of distinguishing clinical information belonging to the same patient while protecting patient privacy (see Japanese Laid-open Application No. 2002-312361, for instance). According to this method, the patient information is converted into an anonymous patient ID and stored in a database, and a code table showing correspondences between the patient information and anonymous patient IDs is stored and managed. Using this method, it is possible to distinguish whether clinical information belongs to the same patient by making reference to the anonymous patient ID attached to the clinical information.
However, with this prior art, a code table showing the correspondences between the patient information and the anonymous patient IDs must be stored at the apparatus recording onto the public database. Consequently, the prior art has the problem that, if in a worst case scenario the code table were stolen from the apparatus in which it had been stored, the original patient information would be exposed by way of the anonymous patient IDs, and the anonymity of the clinical information on the database would be completely lost.
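The two related-art methods described above can be compared side by side in the following sketch, which is an added illustration and not code from this document or from the cited application. The record layout, the class and function names, and the use of random 16-hex-digit IDs are assumptions; the sample records are constructed.

```python
import secrets

# Constructed sample records: (hospital, name, date of birth, address, finding)
RECORDS = [
    ("Hospital A", "Taro Yamada", "1970-01-01", "Osaka", "hypertension"),
    ("Hospital B", "Taro Yamada", "1970-01-01", "Osaka", "type 2 diabetes"),
    ("Hospital A", "Hanako Sato", "1985-05-05", "Kyoto", "asthma"),
]

def strip_personal_info(records):
    """First method: remove the personal-information section entirely."""
    return [{"finding": finding} for (_h, _n, _d, _a, finding) in records]

class CodeTable:
    """Second method: patient information -> anonymous patient ID (hypothetical layout)."""
    def __init__(self):
        self._table = {}  # (name, dob, address) -> anonymous ID

    def anonymous_id(self, name, dob, address):
        key = (name, dob, address)
        if key not in self._table:
            # Random ID: the ID itself carries no patient data, so the
            # stored table is the only link back to the person.
            self._table[key] = secrets.token_hex(8)
        return self._table[key]

    def export(self):
        """Copy of the stored correspondences, i.e. what is lost if the table is stolen."""
        return dict(self._table)

def publish_with_code_table(records, table):
    return [{"patient_id": table.anonymous_id(n, d, a), "finding": f}
            for (_h, n, d, a, f) in records]

def findings_per_patient(public_rows):
    """Researcher-side tracing: group findings by anonymous patient ID."""
    grouped = {}
    for row in public_rows:
        grouped.setdefault(row["patient_id"], []).append(row["finding"])
    return grouped

def reidentify(public_rows, exposed_table):
    """Impact of table exposure: every public row maps back to a named person."""
    reverse = {anon: person for person, anon in exposed_table.items()}
    return [(reverse[row["patient_id"]][0], row["finding"]) for row in public_rows]
```

With the first method the two findings for the same patient cannot be linked; with the second they share one anonymous ID across hospitals, but anyone holding the exported table recovers the name behind every row.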