System and Method for the Anonymisation of Sensitive Personal Data and Method of Obtaining Such Data

US 20080304663A1
Filed: 01/26/2006
Published: 12/11/2008
Est. Priority Date: 01/26/2005
Status: Active Grant

First Claim

Patent Images

1. A system for managing sensitive personal data (DD_A), comprising:

a first data processing subsystem (40) including;

means (41, 42, 43) for generating a common key (IDC_A) from data (ID_A) identifying a person (A); and

a private database (45) that associates said common key (IDC_A) with said identification data (ID_A); and

a second data processing subsystem (30) including;

means (38) for obtaining said common key (IDC_A);

means for generating a random number (NA) from said common key (IDC_A);

means (38) for receiving a registration message (M3) including at least sensitive personal data (DD_A) of said person (A) and said random number (NA); and

means (31, 32, 33) for storing said personal data (DD_A) in a second database (35) in association with said random number (NA) and said common key (IDC_A).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for managing sensitive personal data (DD_A) includes two databases (45, 35) hosted by two independent subsystems (40, 30). One of these databases associates data (ID_A) identifying a person (A) with a common key (IDC_A) shared with the second database, which associates that common key (IDC_A) with the sensitive personal data (DD_A) of that person (A).

32 Citations

View as Search Results

18 Claims

1. A system for managing sensitive personal data (DD_A), comprising:
- a first data processing subsystem (40) including;
  
  means (41, 42, 43) for generating a common key (IDC_A) from data (ID_A) identifying a person (A); and
  
  a private database (45) that associates said common key (IDC_A) with said identification data (ID_A); and
  
  a second data processing subsystem (30) including;
  
  means (38) for obtaining said common key (IDC_A);
  
  means for generating a random number (NA) from said common key (IDC_A);
  
  means (38) for receiving a registration message (M3) including at least sensitive personal data (DD_A) of said person (A) and said random number (NA); and
  
  means (31, 32, 33) for storing said personal data (DD_A) in a second database (35) in association with said random number (NA) and said common key (IDC_A).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system according to claim 1, wherein the second data processing subsystem (30) includes:
    - means (31, 32, 33) for obtaining reduced data (DR_A) from the sensitive data (DD_A); and
      
      means for sending said first data processing subsystem (40) a message (M6) including said reduced data (DR_A) and the common key (IDC_A) associated with said sensitive personal data (DD_A) in the second database (35).
  - 3. The system according to claim 1, wherein the second data processing subsystem (30) includes means (31, 32, 33) for statistically processing said sensitive data (DD_A) stored in the second database (35).
  - 4. The system according to claim 1, wherein the second data processing subsystem (30) includes means for creating a private encryption/public encryption key pair (KPRIV_C, KPUB_C);
    - wherein in the system said person (A) uses a personal digital storage medium (10) to calculate encrypted data (DC) from said sensitive personal data (DD_A), said random number (NA) and said public encryption key (KPUB_C), said encrypted data (DC) being sent to said second data processing subsystem (30) via a reader (20) of the medium (10), the second data processing subsystem (30) including;
      
      means (38) for receiving said encrypted data (DC) from said reader (20); and
      
      means (31, 32, 33) for decrypting said encrypted data (DC) using said private encryption key (KPRIV_C) and obtaining said random number (NA) and said personal data (DD_A) in order to store them in said second database (35).
  - 5. The system according to claim 4, wherein said medium (10) is adapted to obtain said sensitive data (DD_A) from said reader (20).
  - 6. The system according to claim 1, wherein:
    - said first data processing subsystem (40) includes;
      
      means (48) for receiving a request (RQ1) for obtaining particular sensitive personal data (DD_A1) of a person (A); and
      
      means (48) for sending the second data processing subsystem (30) a request (RQ2) for authentication of said person (A), said authentication request (RQ2) including an identifier (NF) of said particular sensitive personal data (DD_A1) and the common key (IDC_A) generated from data (ID_A) identifying said person (A); and
      
      said second processing subsystem (30) includes;
      
      means (38) for receiving said authentication request (RQ2);
      
      means (31, 32, 33) for authenticating said person (A); and
      
      means (38) for sending said particular sensitive personal data (DD_A1) to said first data processing subsystem (40) if said authentication is successful.
  - 7. The system according to claim 1, wherein said sensitive personal data consists of:
    - detailed medical data (DD_A) relating to a medical service provided for a patient (A) and associated with reduced medical data (DR_A); and
      
      complementary information including an amount (MP) charged for said service.
  - 8. The system according to claim 7, wherein:
    - the second database (35) stores information (DT_A) representing entitlements (DT_A) of a patient (A) in association with said common key (IDC_A) generated for the patient (A); and
      
      wherein the second data processing subsystem (30) includes;
      
      means (31, 32, 33) for calculating a reimbursement amount (MR) from the entitlements (DT_A) of the patient (A) and the amount (MP) charged for the service received in the form of encrypted data (DC) from the reader (20) of a healthcare professional adapted to read the personal digital storage medium (10) of said patient (A); and
      
      means (38) for sending said reimbursement amount (MR) to-said reader (20) or the first data processing subsystem.
  - 9. A method of managing sensitive personal data (DD_A) used by the second data processing subsystem (30) of the management system according to claim 1, including:
    - a step (E10) of obtaining a common key (IDC_A);
      
      a step (E12) of generating a random number (NA) from said common key (IDC_A);
      
      a step (E18) of receiving a registration message (M3) including sensitive personal data (DD_A) of said person (A) and said random number (NA); and
      
      a step (E22) of storing said sensitive personal data (DD_A) in a second database (35) of said second data processing subsystem (30) in association with said random number (NA) and said common key (IDC_A).
  - 10. The method according to claim 9, comprising:
    - a step (E24) of obtaining reduced data (DR_A) from sensitive data (DD_A); and
      
      a step (E26) of sending a first data processing subsystem (40) of a management system according to any one of claims 1 to 8 a message (M6) including said reduced data (DR_A) and the common key (IDC_A) associated with said sensitive data in the second database (35).
  - 11. The method according to claim 9 further comprising:
    - a step (E18) of receiving encrypted data (DC) calculated from sensitive personal data (DD_A), a random number (NA) and a public encryption key (KPUB_C); and
      
      a step (E20) of decrypting said encrypted data (DC) using a private encryption key (KPRIV_C) associated with said public key (KPUB_C) to obtain said random number (NA) and said personal data (DD_A) in order to store them in said second data base (35).
  - 12. The method according to claim 9, wherein said sensitive personal data consists of:
    - detailed medical data (DD_A) relating to a medical service provided for a patient (A), that detailed medical data (DD_A) being associated with reduced medical data (DR_A); and
      
      complementary data including an amount (MP) charged for said service; and
      
      wherein the second database (35) stores (E14) in association with said common key (IDC_A) generated for a patient (A) information (DT_A) representing entitlements (DT_A) of the patient (A), wherein the method comprises;
      
      a step (E28) of calculating a reimbursement amount (MR) from the entitlements (DT_A) of the patient (A) and the amount (MP) charged for the service received in the form of encrypted data (DC) from a reader (20) of a personal digital storage medium (10) of said patient (A); and
      
      a step (E30) of sending said reimbursement amount (MR) to said reader (20) or the first data processing subsystem (40).
  - 13. The method according to claim 10, comprising:
    - a step (E32) of receiving from said first data processing subsystem (40) an authentication request (RQ2) including an identifier (NF) of said particular sensitive personal data (DD_A1) and a common key (IDC_A) generated for a person (A);
      
      a step (E34) of authenticating said person (A); and
      
      a step (E36) of sending said particular sensitive personal data (DD_A1) to said first data processing subsystem (40) if said authentication is successful.
  - 14. A computer program on an information medium, the program including instructions adapted to execute a method according to claim 9 for managing sensitive personal data, wherein the computer program is adapted to be executed by the second data processing subsystem.
  - 15. An information medium that includes instructions of a computer program according to claim 14, wherein the information medium is readable by the second data processing subsystem.
  - 16. A method of obtaining sensitive personal data (DD_A) used in a first data processing subsystem (40) of a system according to claim 1, including:
    - a step (F10) of receiving a request (RQ1) for obtaining particular sensitive personal data (DD_A1) of a person (A);
      
      a step (F14) of sending a second data processing subsystem (30) of a system according to any one of claims 1 to 8 a request (RQ2) for authentication of said person (A), said authentication request (RQ2) including an identifier (NF) of said particular sensitive personal data (DD_A1) and a common key generated from data (ID_A) identifying said person (A); and
      
      a step (F14) of receiving said particular sensitive personal data (DD_A1) from said second data processing subsystem (30) if said authentication is successful.
  - 17. A computer program on an information medium, the program including instructions for executing a method according to claim 16 for obtaining sensitive personal data, wherein the computer program is adapted to be executed by the first data processing subsystem.
  - 18. An information medium that includes instructions of a computer program according to claim 17, wherein the information medium is readable by the second data processing subsystem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Canard, Sébastien, Guilloteau, Stéphane, Boudet, François

Granted Patent

US 8,607,332 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/45
CPC Class Codes

G06F 21/6254 by anonymising data, e.g. d...

G06F 2221/2153 Using hardware token as a s...

System and Method for the Anonymisation of Sensitive Personal Data and Method of Obtaining Such Data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for the Anonymisation of Sensitive Personal Data and Method of Obtaining Such Data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links