De-identification of data
First Claim
Patent Images
1. A computer program product for dynamically de-identifying sensitive data from a data source for a target application, the computer program product comprising a computer readable storage device having computer readable program code embodied therewith, the computer readable program code being configured to cause a hardware processor to:
- generate a default rule set including at least one rule, the default rule set including a default de-identification protocol to produce de-identified data from an Extract/Transform/Load (ETL) tool, wherein the default de-identification protocol is selected based on business rules;
map the default rule set to data definitions each generated by a discovery tool and associated with a corresponding sensitive data element identified in the data;
specify a runtime rule set comprising at least one runtime rule, the runtime rule including a runtime de-identification protocol to produce de-identified data from the ETL tool, wherein the runtime rule set is specified via an interface;
replace the default rule set with the runtime rule set to change the default de-identification protocol to the runtime de-identification protocol at runtime to accommodate changing de-identification requirements of a target environment, and map the runtime rule set to the data definitions, whereineach data definition includes a data object comprising metadata, including an indicator of a type of sensitive data from among a plurality of types of sensitive data and information indicating the location of the data element within the data source, for that data element, andeach runtime rule is mapped to a corresponding data definition of a sensitive data element based on the type of sensitive data; and
receive the data and the data definitions, and for each data definition;
obtain the runtime rule mapped to that data definition; and
apply the obtained runtime rule to the sensitive data element corresponding to that data definition in the received data and dynamically de-identify the sensitive data element for the target application by the ETL tool at runtime via the runtime de-identification protocol of the obtained runtime rule.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention relates to a method, computer program product and system for de-identifying data, wherein a de-identification protocol is selectively mapped to a business rule at runtime via an ETL tool.
24 Citations
17 Claims
-
1. A computer program product for dynamically de-identifying sensitive data from a data source for a target application, the computer program product comprising a computer readable storage device having computer readable program code embodied therewith, the computer readable program code being configured to cause a hardware processor to:
-
generate a default rule set including at least one rule, the default rule set including a default de-identification protocol to produce de-identified data from an Extract/Transform/Load (ETL) tool, wherein the default de-identification protocol is selected based on business rules; map the default rule set to data definitions each generated by a discovery tool and associated with a corresponding sensitive data element identified in the data; specify a runtime rule set comprising at least one runtime rule, the runtime rule including a runtime de-identification protocol to produce de-identified data from the ETL tool, wherein the runtime rule set is specified via an interface; replace the default rule set with the runtime rule set to change the default de-identification protocol to the runtime de-identification protocol at runtime to accommodate changing de-identification requirements of a target environment, and map the runtime rule set to the data definitions, wherein each data definition includes a data object comprising metadata, including an indicator of a type of sensitive data from among a plurality of types of sensitive data and information indicating the location of the data element within the data source, for that data element, and each runtime rule is mapped to a corresponding data definition of a sensitive data element based on the type of sensitive data; and receive the data and the data definitions, and for each data definition; obtain the runtime rule mapped to that data definition; and apply the obtained runtime rule to the sensitive data element corresponding to that data definition in the received data and dynamically de-identify the sensitive data element for the target application by the ETL tool at runtime via the runtime de-identification protocol of the obtained runtime rule. - View Dependent Claims (2, 3, 4, 5, 6, 7, 15)
-
-
8. A system for dynamically de-identifying sensitive data from a data source for a target application, the system comprising a computer system including at least one hardware processor configured to:
-
generate a default rule set including at least one rule, the default rule set including a default de-identification protocol to produce de-identified data from an Extract/Transform/Load (ETL) tool, wherein the default de-identification protocol is selected based on business rules; map the default rule set to data definitions each generated by a discovery tool and associated with a corresponding sensitive data element identified in the data; specify a runtime rule set comprising at least one runtime rule, the runtime rule including a runtime de-identification protocol to produce de-identified data from the ETL tool, wherein the runtime rule set is specified via an interface; replace the default rule set with the runtime rule set to change the default de-identification protocol to the runtime de-identification protocol at runtime to accommodate changing de-identification requirements of a target environment, and map the runtime rule set to the data definitions, wherein each data definition includes a data object comprising metadata, including an indicator of a type of sensitive data from among a plurality of types of sensitive data and information indicating the location of the data element within the data source, for that data element, and each runtime rule is mapped to a corresponding data definition of a sensitive data element based on the type of sensitive data; and receive the data and the data definitions, and for each data definition; obtain the runtime rule mapped to that data definition; and apply the obtained runtime rule to the sensitive data element corresponding to that data definition in the received data and dynamically de-identify the sensitive data element for the target application by the ETL tool at runtime via the runtime de-identification protocol of the obtained runtime rule. - View Dependent Claims (9, 10, 11, 12, 13, 14, 16)
-
-
17. A system for dynamically de-identifying sensitive data from a data source for a target application, the system comprising a computer system including at least one hardware processor configured to:
-
identify sensitive data elements in the data via a discovery tool, wherein identifying a sensitive data element comprises associating the data element with a type of sensitive data from among a plurality of types of sensitive data; generate data definitions via the discovery tool, wherein each data definition is associated with an identified sensitive data element and includes a data object comprising metadata, including an indicator of a type of sensitive data and information indicating the location of the data element within the data source, for that data element; specify a default rule set comprising at least one runtime rule, the default rule set including a default de-identification protocol to produce de-identified data from an Extract/Transform/Load (ETL) tool, wherein the default de-identification protocol is selected based on business rules; map the default rule set to the data definitions generated by the discovery tool for the identified sensitive data elements; replace the default rule set with a runtime rule set comprising at least one runtime rule, the runtime rule including a runtime de-identification protocol to produce de-identified data from the ETL tool, wherein the runtime rule set is specified via an interface and the replacing changes the default de-identification protocol to the runtime de-identification protocol at runtime to accommodate changing de-identification requirements of a target environment; map the runtime rule set to the data definitions generated by the discovery tool and associated with a corresponding sensitive data element identified in the data, wherein each runtime rule is mapped to a corresponding data definition of a sensitive data element based on the type of sensitive data; and receive the data and the data definitions, and for each data definition; obtain the runtime rule mapped to that data definition; and apply the obtained runtime rule to the sensitive data element corresponding to that data definition in the received data and dynamically de-identify the sensitive data element for the target application by the ETL tool at runtime via the runtime de-identification protocol of the obtained runtime rule.
-
Specification