WO2008040800A2 - System and method for selecting records from a list with privacy protections - Google Patents


Info

Publication number
WO2008040800A2
Authority
WO
WIPO (PCT)
Prior art keywords
records
subset
record
attribute
user
Prior art date
Application number
PCT/EP2007/060593
Other languages
French (fr)
Other versions
WO2008040800A3 (en)
Inventor
Jeffrey James Jonas
David Charles Martin
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited
Publication of WO2008040800A2
Publication of WO2008040800A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect
    • G06F2221/2103 Challenge-response
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G06F2221/2151 Time stamp

Definitions

  • the present invention relates to a system and method for selecting records from a list using privacy protection. More particularly, the present invention relates to a system and method for selecting and providing a reduction completion result to a user without exposing other records during the selection process.
  • Many users perform record retrievals on a routine basis, such as retrieving a patient's medical history. These users may search their own databases or use a third party to locate a particular record.
  • When searching for a particular record, a user typically provides a certain number of attributes, such as a name or address, in order to adequately search a database.
  • When the search returns multiple records, existing art allows the user to view each of the records in order for the user to select the correct record. For example, if a user wished to retrieve medical history for "Pat Smith," the search result may return ten records, each corresponding to a different Pat Smith. In this example, the user may view information in each of the records in an effort to identify the correct "Pat Smith" record.
  • a challenge found with this approach is that the user is privy to information included in each retrieved record in addition to the record that user wishes to actually retrieve. As a result, the user may view a person's personal information included in the records that the user has no reason to view.
  • The invention provides a system, method, and computer program product for providing a reduction completion result to a user without exposing other records during the selection process.
  • a subset of records is identified from a group of records using an initial user provided attribute supplied by a user.
  • Each of the subset of records includes a record attribute value that matches the initial user provided attribute.
  • the system, method, and program product sends a subset discriminating request to the user, which requests further attribute information.
  • the system, method, and program product receives a subsequent user provided attribute from the user that is used to reduce the subset of records to a reduction completion result.
  • the system, method, and program product provides the reduction completion result to the user.
  • system, method, and program product includes only one record, which is an explicit matched record, in the reduction completion result.
  • system, method, and program product includes an irreducible record set as the reduction completion result.
  • the irreducible record set is a reduced subset of records that is no longer reducible using additional subsequent user provided attributes.
  • system, method, and program product conceals, from the user, each of the subset of records during the process of selecting the reduction completion result.
  • system, method, and program product computes conjoint probabilities among record attributes using corresponding record attribute values.
  • system, method, and program product determines, using the computed conjoint probabilities, discrimination factors that have a highest calculated conjoint probability of appearing together in the subset of records.
  • system, method, and program product includes subsequent user provided attributes such as a demographic attribute, a non-demographic attribute, a biographical attribute, a descriptive attribute, a condition attribute, a state attribute, a transactional attribute, a geo-spatial attribute, and a temporal attribute.
  • system, method, and program product includes discrimination factors such as a probability factor, an expert rules factor, or a policy factor, that correspond to the subset discriminating requests.
  • system, method, and program product includes an explicit matched record, an irreducible record set, an under threshold set, or an over limit response as the reduction completion result. In one embodiment, the system, method, and program product determines that the subset of records is the reduction completion result by using only the initial user provided attribute.
  • system, method, and program product determines that the subset of records includes a non-compliant amount of records compared with a maximum record set limit. In this embodiment, the system, method, and program product provides an over limit response to the user, which includes zero records.
  • system, method, and program product determines that the subset of records includes an amount of records that are less than an allowable threshold value. In this embodiment, the system, method, and program product provides the records, which are an under threshold set, to the user.
  • Figure 1 is a diagram showing a record selection manager providing a reduction completion result to a user, which is based upon initial user provided attributes and subsequent user provided attributes;
  • Figure 2 is a diagram showing a record table that includes a plurality of records
  • Figure 3 is a diagram showing a record selection manager interfacing with a user's client to iteratively identify and provide a reduction completion result
  • Figure 4 is a high-level flowchart showing steps taken in selecting a reduction completion result from a plurality of records
  • Figure 5 is a detail level flowchart showing steps taken in selecting a reduction completion result based upon subsequent user provided attributes
  • Figure 6 is a detail level flowchart showing steps taken in identifying whether the subset of records is a reduction completion result
  • Figure 7 is a block diagram of a computing device capable of implementing the present invention.
  • Figure 1 is a diagram showing a record selection manager providing a reduction completion result to a user based upon received user provided attributes.
  • User 100 wishes to view a record (e.g., medical history) that is located in records store 140.
  • record selection manager 130 iteratively requests attribute information from user 100 to disambiguate which records to provide.
  • Records store 140 may be stored on a nonvolatile storage area, such as a computer hard drive.
  • Initial user provided attributes 115 includes one or more attributes (e.g., a person's name) corresponding to the record which user 100 wishes to view.
  • Record selection manager 130 identifies a subset of records included in records store 140 that each includes a record attribute value that matches initial user provided attributes 115. For example, if initial user provided attributes 115 includes the name "Pat Smith,” record selection manager 130 identifies those records included in records store 140 that includes a record attribute value of "Pat Smith.”
  • Record selection manager 130 analyzes the subset of records and determines 1) whether any records include record attribute values that match initial user provided attributes 115, 2) whether further record refinement is required, or 3) whether the subset of records is a "reduction completion result.”
  • A reduction completion result may include an "explicit matched record,” an “irreducible record set,” an “under threshold set,” or an “over limit response” (see Figure 6 and corresponding text for further details).
  • When no records match, record selection manager 130 sends a "no records match" message to user 100.
  • Otherwise, record selection manager 130 uses conjoint probability calculations in order to identify "subset discriminating requests" that, when known, minimize the number of records included in the subset of records. For example, if ten "Pat Smith" records are included in the subset of records, five of which live in Texas and five of which live in California, record selection manager 130 may determine that, if user 100 provides the state in which the person resides, the number of records included in the subset of records may be reduced by half (see Figure 5 and corresponding text for further details).
  • record selection manager 130 sends subset discriminating requests 150 to user 100's client 110 through computer network 120.
  • user 100 provides subsequent user provided attributes 160 to record selection manager 130.
  • subset discriminating requests 150 may include a choice as to which attributes to provide, such as "Please provide Pat Smith's year of birth or City.”
  • subsequent user provided attributes 160 may include one of the requested attributes (e.g., Pat Smith's year of birth).
  • Subsequent user provided attributes 160 may include, for example, a demographic attribute (e.g., nationality), a non-demographic attribute (e.g., diabetic), a biographical attribute (e.g., proper name), a descriptive attribute (e.g., large), a condition attribute (e.g., possible weapon), a state attribute (e.g., criminal), a transactional attribute (e.g., $125), a geo-spatial attribute (e.g., Corner of Charlston/Weber, or latitude/longitude), or a temporal attribute (e.g., December 3, 2007).
  • Record selection manager 130 matches subsequent user provided attributes 160 against the subset of records, and determines whether no records match or whether the remaining records are a reduction completion result, which may be an "explicit matched record,” an “irreducible record set,” an “under threshold set,” or an “over limit response.”
  • An explicit matched record results when the subset of records includes only one record that includes record attribute value(s) that match the user provided attributes (initial/subsequent).
  • An irreducible record set results when the subset of records comprises a plurality of records that each includes record attribute value(s) that match the user provided attributes (initial/subsequent), and where the subset of records is not further reducible using additional subsequent user provided attributes.
  • For example, record A may include "Customer 123, Mark Smith, Born 1976” and record B may include "Customer 345, Mark R. Smith, Born 3/12/1976.”
  • An under threshold set results when a subset of records, although possibly further reducible with more subsequent user provided attributes, includes an amount of records that is less than or equal to an allowable threshold value, such as a policy that the subset of records must be less than five records. For example, if a database includes 1,000 records and, after user 100 provides subsequent user provided attributes, record selection manager 130 reduces the subset of records to four records, record selection manager 130 returns each of the four records to user 100.
  • An over limit response results when the subset of records is a non-compliant amount, such as over a maximum record set limit. When an over limit response occurs, record selection manager 130 returns zero records.
  • When record selection manager 130 determines that the subset of records is a reduction completion result, record selection manager 130 sends reduction completion result 170 to user 100.
  • Otherwise, record selection manager 130 once again sends more subset discriminating requests 150 to user 100.
  • In turn, record selection manager 130 receives additional subsequent user provided attributes 160 to reduce the number of records included in the subset of records.
  • Once record selection manager 130 reduces the subset of records to a reduction completion result or to no record match, record selection manager 130 provides reduction completion result 170, or a no record match response, to user 100.
  • record selection manager 130 conceals the records included in records store 140 until it identifies reduction completion result 170, in which case record selection manager 130 only provides reduction completion result 170 to user 100 to view.
  • Figure 2 is a diagram showing a record table that includes a plurality of records.
  • Table 200 includes records 250-270, in which each record includes a number of record attributes (columns 205-240).
  • the record selection manager selects a reduction completion result from records 250-270 and provides the reduction completion result to the user.
  • the reduction completion result may be an explicit matched record, an irreducible record set, an under threshold set, or an over limit response.
  • table 200 includes three records with the same "Name” record attribute of "Pat Smith” (records 255-265). Two of these records also have the same "State” record attribute of "VT” (records 255-260). As such, in order for the record selection manager to select a reduction completion result for Pat Smith, the record selection manager requires from the user either a City, a Zip code, a year of birth, a social security number, or a deductible amount (see Figure 3 and corresponding text for further details).
  • Figure 3 is a diagram showing a record selection manager interfacing with a user's client to iteratively identify and provide a reduction completion result.
  • Record selection manager 130 receives user provided attributes in order to select a reduction completion result from a plurality of records included in records store 140.
  • Record selection manager 130 and records store 140 are the same as that shown in Figure 1.
  • A user's client, such as client 110 shown in Figure 1, displays user interface window 300 to the user in order for the user to initiate the process of viewing a particular person's record.
  • The user enters initial user provided attributes about the record the user wishes to view in fields 305-315.
  • Figure 3 shows that the user enters "Pat Smith" in field 305 and leaves fields 310-315 empty.
  • Record selection manager 130 receives initial user provided attribute "Pat Smith” and identifies a subset of records that include record attribute values that match "Pat Smith.” In turn, record selection manager 130 sends a subset discriminating request to the user, which is displayed on the client in user interface window 320.
  • the example shown in Figure 3 allows the user to enter the person's "Year of Birth” in field 325 or the person's "City” in field 330. As can be seen, the user entered the person's city in field 330, which is sent to record selection manager 130.
  • Record selection manager 130 reduces the subset of records using the city "Warsaw,” and determines that one record remains in the subset of records. As a result, the one remaining record is the reduction completion result, which is provided to the user in user interface window 340.
  • Figure 4 is a high-level flowchart showing steps taken in selecting a reduction completion result from a plurality of records.
  • A record selection manager identifies, and iteratively reduces, a subset of records using initial user provided attributes and subsequent user provided attributes. Once the subset of records reduces to a reduction completion result or no matched records, the record selection manager provides the reduction completion result to the user.
  • Processing commences at 400, whereupon processing receives a request from user 100 through client 110 at step 410.
  • the request includes an initial user provided attribute, such as a person's name or address.
  • the request may include more than one attribute, such as a person's name and phone number.
  • User 100 and client 110 are the same as that shown in Figure 1.
  • Processing identifies a subset of records from a plurality of records included in records store 140, and proceeds through an iteration process that queries user 100 for subsequent user provided attributes in order to reduce the subset of records to either a reduction completion result or no matched records (pre-defined process block 420, see Figure 5 and corresponding text for further details).
  • Records store 140 is the same as that shown in Figure 1.
  • a reduction completion result may include an explicit matched record, an irreducible record set, an under threshold set, or an over limit response. If the iteration process resulted in a reduction completion result, decision 430 branches to "Yes" branch 438 whereupon processing provides user 100 with the reduction completion result at step 450, and processing ends at 460. Up to this point, processing has concealed each of the plurality of records from user 100.
  • If the iteration process resulted in no matched records, decision 430 branches to "No" branch 432, whereupon processing informs user 100 that no records matched user 100's user provided attributes, and processing ends at 460.
  • Figure 5 is a detail level flowchart showing steps taken in selecting a reduction completion result based upon user provided attributes.
  • A record selection manager receives a request from user 100 that includes initial user provided attributes. For example, user 100 may wish to view a record for "Pat Smith" and, in this example, user 100's request includes the name "Pat Smith” as the initial user provided attributes (see Figure 4 and corresponding text for further details).
  • processing proceeds through a series of steps in order to identify and select a reduction completion result from a plurality of records.
  • Processing commences at 500, whereupon processing identifies a subset of records from records store 140 that include record attribute values that match the initial user provided attributes (step 510). Using the example described above, processing identifies each record that includes "Pat Smith" as a name record attribute value. Processing then proceeds through a series of steps to determine whether the subset of records is a reduction completion result (pre-defined process block 515, see Figure 6 and corresponding text for further details).
  • A reduction completion result may include an explicit matched record, an irreducible record set, an under threshold set, or an over limit response.
  • For example, processing may check at decision 520 whether the subset of records is less than five records and, if so, determine that the subset of records is an under threshold set. In another example, if processing has proceeded through a number of iteration steps and is no longer able to refine the subset of records, yet the number of records remaining in the subset of records is over a record set limit, processing determines that the subset of records results in an over limit response and returns zero records.
  • If the subset of records is not yet a reduction completion result, decision 520 branches to "No" branch 528 to begin an iterative process of reducing the subset of records to a result of either a reduction completion result or no record match.
  • Processing calculates conjoint probabilities of the subset of records.
  • Conjoint probability calculations are known to those skilled in the art, such as by using an a-priori algorithm. Conjoint probability calculations provide subsets of entities within an overall set of potential entities based on higher (or lower) conjoint probabilities than would be otherwise expected from the calculation of distributions independently.
  • Deviations from this expected value may be pre-calculated for a set of all entities, and those sets that have the lowest values (e.g. only 5% of all records are males with brown eyes) may be utilized to provide the selection criteria. This technique may also be performed on individual set elements when background population statistics are known (e.g. 60% of all people are female or 70% of all people have brown eyes).
  • Processing uses the results of the conjoint probability calculations to identify discriminating factors, which may include a probability factor (e.g., statistically motivated to request a specified attribute), an expert rules factor (e.g., always ask for year of birth over month of birth), a policy factor (e.g., pursuant to company policy, only the last four digits of the SSN), or other factors that discriminate one record over another record. For example, if ten records include the name "Pat Smith,” five of which live in Texas and five of which live in California, processing may identify that, if user 100 provides the state in which the person resides, the number of records included in the subset of records may be reduced by half.
  • At step 560, processing sends a subset discriminating request to user 100 through client 110.
  • the subset discriminating request includes a request for attributes corresponding to the discriminating factors that were identified back in step 550.
  • User 100 reviews the subset discriminating request, and responds by providing one or more subsequent user provided attributes, which are received at step 570.
  • Processing reduces the subset of records based upon the subsequent user provided attributes at step 580.
  • Using the example above, if user 100 provides the state in which the person resides, processing reduces the subset of records to five records.
  • Processing loops back to proceed through a series of steps to determine whether the subset of records is a reduction completion result (pre-defined process block 515). This looping continues until the subset of records includes no records or is a reduction completion result, in which case decision 520 branches to "No" branch 522 or "Yes” branch 524, respectively.
  • Figure 6 is a detail level flowchart showing steps taken in identifying whether the subset of records is a reduction completion result. Processing commences at 600, whereupon a determination is made as to whether only one record remains in the subset of records (decision 605). If the subset of records includes only one record, decision 605 branches to "Yes" branch 607, whereupon processing identifies the reduction completion result as an explicit matched record (step 610), and returns at 615. On the other hand, if the subset of records includes more than one record, decision 605 branches to "No" branch 609.
  • An irreducible record set is a subset of records that is no longer reducible with additional subsequent user provided attributes. If the subset of records is an irreducible record set, decision 620 branches to "Yes" branch 622 whereupon a determination is made as to whether the number of records included in the subset of records is over a maximum record set limit, such as ten records (decision 625). If the number of records included in the subset of records is over the maximum record set limit, decision 625 branches to "Yes" branch 627 whereupon processing identifies the reduction completion result as an over limit response (step 630), in which case zero records will be returned to the user. Processing returns at 635.
  • If the number of records is not over the maximum record set limit, decision 625 branches to "No" branch 629, whereupon processing identifies the reduction completion result as an irreducible record set (step 640), and processing returns at 645.
  • If the subset of records is not an irreducible record set, decision 620 branches to "No" branch 624, whereupon a determination is made as to whether the number of records included in the subset of records is under an allowable threshold value (decision 650). If the number of records is under an allowable threshold value, decision 650 branches to "Yes" branch 652, whereupon processing identifies the reduction completion result as an under threshold set (step 660), and processing returns at 670.
  • Otherwise, decision 650 branches to "No" branch 658, whereupon processing returns at
  • Figure 7 illustrates information handling system 701 which is a simplified example of a computer system capable of performing the computing operations described herein.
  • Computer system 701 includes processor 700 which is coupled to host bus 702.
  • A level two (L2) cache memory 704 is also coupled to host bus 702.
  • Host-to-PCI bridge 706 is coupled to main memory 708, includes cache memory and main memory control functions, and provides bus control to handle transfers among PCI bus 710, processor 700, L2 cache 704, main memory 708, and host bus 702.
  • Main memory 708 is coupled to Host-to-PCI bridge 706 as well as host bus 702.
  • Devices used solely by host processor(s) 700, such as LAN card 730 are coupled to PCI bus 710.
  • Service Processor Interface and ISA Access Pass-through 712 provides an interface between PCI bus 710 and PCI bus 714. In this manner, PCI bus 714 is insulated from PCI bus 710.
  • Devices, such as flash memory 718 are coupled to PCI bus 714.
  • Flash memory 718 includes BIOS code that incorporates the necessary processor executable code for a variety of low-level system functions and system boot functions.
  • PCI bus 714 provides an interface for a variety of devices that are shared by host processor(s) 700 and Service Processor 716 including, for example, flash memory 718.
  • PCI-to-ISA bridge 735 provides bus control to handle transfers between PCI bus 714 and ISA bus
  • Nonvolatile RAM 720 is attached to ISA Bus 740.
  • Service Processor 716 includes JTAG and I2C busses 722 for communication with processor(s) 700 during initialization steps. JTAG/I2C busses 722 are also coupled to L2 cache 704, Host-to-PCI bridge 706, and main memory 708, providing a communications path between the processor, the Service Processor, the L2 cache, the Host-to-PCI bridge, and the main memory. Service Processor 716 also has access to system power resources for powering down information handling device 701.
  • Peripheral devices and input/output (I/O) devices can be attached to various interfaces (e.g., parallel interface 762, serial interface 764, keyboard interface 768, and mouse interface 770) coupled to ISA bus 740.
  • I/O devices can be accommodated by a super I/O controller (not shown) attached to ISA bus 740.
  • LAN card 730 is coupled to PCI bus 710. Similarly, to connect computer system
  • modem 765 is connected to serial port 764 and PCI-to-ISA Bridge 735.
  • information handling system 701 may take the form of a desktop, server, portable, laptop, notebook, or other form factor computer or data processing system.
  • Information handling system 701 may also take other form factors such as a personal digital assistant (PDA), a gaming device, ATM machine, a portable telephone device, a communication device or other devices that include a processor and memory.
  • One of the preferred implementations of the invention is a client application, namely, a set of instructions (program code) in a code module that may, for example, be resident in the random access memory of the computer.
  • the set of instructions may be stored in another computer memory, for example, in a hard disk drive, or in a removable memory such as an optical disk (for eventual use in a CD ROM) or floppy disk (for eventual use in a floppy disk drive), or downloaded via the Internet or other computer network.
  • the present invention may be implemented as a computer program product for use in a computer.

Abstract

A system and method for selecting records from a list with privacy protections is provided. A user wishes to view a record, such as one that includes a person's medical history, located in a record storage area. In order to prevent the user from viewing records other than the specific record in which the user is interested, a record selection manager iteratively requests attribute information from the user to disambiguate which record to provide until the record selection manager identifies a reduction completion result, which the record selection manager then provides to the user. Using the invention described herein, the record selection manager conceals records included in the records storage area until it identifies a reduction completion result and, at that point, the record selection manager provides only the reduction completion result to the user to view.

Description

SYSTEM AND METHOD FOR SELECTING RECORDS FROM A LIST WITH PRIVACY PROTECTIONS
BACKGROUND OF THE INVENTION
Technical Field
The present invention relates to a system and method for selecting records from a list using privacy protection. More particularly, the present invention relates to a system and method for selecting and providing a reduction completion result to a user without exposing other records during the selection process.
Description of the Related Art
Many users perform record retrievals on a routine basis, such as retrieving a patient's medical history. These users may search their own databases or use a third party to locate a particular record. When searching for a particular record, a user typically provides a certain number of attributes in order to adequately search a database, such as a name or address. When the search returns multiple records, existing art allows the user to view each of the records in order for the user to select the correct record. For example, if a user wished to retrieve medical history for "Pat Smith," the search result may return ten records, each corresponding to a different Pat Smith. In this example, the user may view information in each of the records in an effort to identify the correct "Pat Smith" record.
A challenge found with this approach, however, is that the user is privy to information included in each retrieved record in addition to the record that the user actually wishes to retrieve. As a result, the user may view a person's personal information included in records that the user has no reason to view.
What is needed, therefore, is a system and method that provides record privacy protection during a record query. It has been discovered that the aforementioned challenges are resolved using a system, method, and computer program product for providing a reduction completion result to a user without exposing other records during the selection process. To provide the reduction completion result, a subset of records is identified from a group of records using an initial user provided attribute. Each of the subset of records includes a record attribute value that matches the initial user provided attribute. In order to refine the subset of records, the system, method, and program product sends a subset discriminating request to the user, which requests further attribute information. As a result, the system, method, and program product receives a subsequent user provided attribute from the user that is used to reduce the subset of records to a reduction completion result. In turn, the system, method, and program product provides the reduction completion result to the user.
In one embodiment, the system, method, and program product includes only one record, which is an explicit matched record, in the reduction completion result. In another embodiment, the system, method, and program product includes an irreducible record set as the reduction completion result. The irreducible record set is a reduced subset of records that is no longer reducible using additional subsequent user provided attributes.
In another embodiment, the system, method, and program product conceals, from the user, each of the subset of records during the process of selecting the reduction completion result.
In one embodiment, the system, method, and program product computes conjoint probabilities among record attributes using corresponding record attribute values. In this embodiment, the system, method, and program product determines, using the computed conjoint probabilities, discrimination factors that have a highest calculated conjoint probability of appearing together in the subset of records.
In another embodiment, the system, method, and program product includes subsequent user provided attributes such as a demographic attribute, a non-demographic attribute, a biographical attribute, a descriptive attribute, a condition attribute, a state attribute, a transactional attribute, a geo-spatial attribute, and a temporal attribute. In one embodiment, the system, method, and program product includes discrimination factors such as a probability factor, an expert rules factor, or a policy factor, that correspond to the subset discriminating requests.
In another embodiment, the system, method, and program product includes an explicit matched record, an irreducible record set, an under threshold set, or an over limit response as the reduction completion result. In one embodiment, the system, method, and program product determines that the subset of records is the reduction completion result by using only the initial user provided attribute.
In another embodiment, the system, method, and program product determines that the subset of records includes a non-compliant amount of records compared with a maximum record set limit. In this embodiment, the system, method, and program product provides an over limit response to the user, which includes zero records.
In another embodiment, the system, method, and program product determines that the subset of records includes an amount of records that are less than an allowable threshold value. In this embodiment, the system, method, and program product provides the records, which are an under threshold set, to the user.
The foregoing is a summary and thus contains, by necessity, simplifications, generalizations, and omissions of detail; consequently, those skilled in the art will appreciate that the summary is illustrative only and is not intended to be in any way limiting. Other aspects, inventive features, and advantages of the present invention, as defined solely by the claims, will become apparent in the non-limiting detailed description set forth below.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention may be better understood, and its numerous objects, features, and advantages made apparent to those skilled in the art by referencing the accompanying drawings. Figure 1 is a diagram showing a record selection manager providing a reduction completion result to a user, which is based upon initial user provided attributes and subsequent user provided attributes;
Figure 2 is a diagram showing a record table that includes a plurality of records;
Figure 3 is a diagram showing a record selection manager interfacing with a user's client to iteratively identify and provide a reduction completion result;
Figure 4 is a high-level flowchart showing steps taken in selecting a reduction completion result from a plurality of records;
Figure 5 is a detail level flowchart showing steps taken in selecting a reduction completion result based upon subsequent user provided attributes;
Figure 6 is a detail level flowchart showing steps taken in identifying whether the subset of records is a reduction completion result; and
Figure 7 is a block diagram of a computing device capable of implementing the present invention.
DETAILED DESCRIPTION
The following is intended to provide a detailed description of an example of the invention and should not be taken to be limiting of the invention itself. Rather, any number of variations may fall within the scope of the invention, which is defined in the claims following the description.
Figure 1 is a diagram showing a record selection manager providing a reduction completion result to a user based upon received user provided attributes. User 100 wishes to view a record (e.g., medical history) that is located in records store 140. In order to prevent user 100 from viewing records other than specific records in which user 100 is interested, record selection manager 130 iteratively requests attribute information from user 100 to disambiguate which records to provide. Records store 140 may be stored on a nonvolatile storage area, such as a computer hard drive.
User 100 uses client 110 to send initial user provided attributes 115 to record selection manager 130 through computer network 120, such as the Internet. Initial user provided attributes 115 includes one or more attributes (e.g., a person's name) corresponding to the record which user 100 wishes to view. Record selection manager 130 identifies a subset of records included in records store 140 that each includes a record attribute value that matches initial user provided attributes 115. For example, if initial user provided attributes 115 includes the name "Pat Smith," record selection manager 130 identifies those records included in records store 140 that includes a record attribute value of "Pat Smith."
Record selection manager 130 analyzes the subset of records and determines 1) whether any records include record attribute values that match initial user provided attributes 115, 2) whether further record refinement is required, or 3) whether the subset of records is a "reduction completion result." A reduction completion result may include an "explicit matched record," an "irreducible record set," an "under threshold set," or an "over limit response" (see Figure 6 and corresponding text for further details).
When no records match, record selection manager 130 sends a "no records match" message to user 100. When further record refinement is required, record selection manager 130 uses conjoint probability calculations in order to identify "subset discriminating requests" that, when answered, minimize the number of records included in the subset of records. For example, if ten "Pat Smith" records are included in the subset of records, five of which live in Texas and five of which live in California, record selection manager 130 may determine that if user 100 provides the state in which the person resides, the number of records included in the subset of records may be reduced by half (see Figure 5 and corresponding text for further details).
When further record refinement is required, record selection manager 130 sends subset discriminating requests 150 to user 100's client 110 through computer network 120. In turn, user 100 provides subsequent user provided attributes 160 to record selection manager 130. In one embodiment, subset discriminating requests 150 may include a choice as to which attributes to provide, such as "Please provide Pat Smith's year of birth or City." In this embodiment, subsequent user provided attributes 160 may include one of the requested attributes (e.g., Pat Smith's year of birth).
Subsequent user provided attributes 160 may include, for example, a demographic attribute (e.g., nationality), a non-demographic attribute (e.g., diabetic), a biographical attribute (e.g., proper name), a descriptive attribute (e.g., large), a condition attribute (e.g., possible weapon), a state attribute (e.g., criminal), a transactional attribute (e.g., $125), a geo-spatial attribute (e.g., Corner of Charlston/Weber, or latitude/longitude), or a temporal attribute (e.g., December 3, 2007).
Record selection manager 130 matches subsequent user provided attributes 160 against the subset of records, and determines whether no records match or whether the remaining records are a reduction completion result, which may be an "explicit matched record," an "irreducible record set," an "under threshold set," or an "over limit response." An explicit matched record results when the subset of records includes only one record that includes record attribute value(s) that match the user provided attributes (initial/subsequent). An irreducible record set results when the subset of records comprises a plurality of records that each includes record attribute value(s) that match the user provided attributes (initial/subsequent), and where the subset of records is not further reducible using additional subsequent user provided attributes. For example, record A may include "Customer 123, Mark Smith, Born 1976", and record B may include "Customer 345, Mark R. Smith, Born 3/12/1976."
An under threshold set results when a subset of records, although possibly further reducible with more subsequent user provided attributes, includes an amount of records that is less than or equal to an allowable threshold value, such as a policy that the subset of records must be less than five records. For example, if a database includes 1,000 records and, after user 100 provided initial user provided attributes 115 and subsequent user provided attributes 160, record selection manager 130 reduced the subset of records to four records, record selection manager 130 returns each of the four records to user 100. An over limit response results when the subset of records is a non-compliant amount, such as over a maximum record set limit. When an over limit response occurs, record selection manager 130 returns zero records.
When record selection manager 130 determines that the subset of records is a reduction completion result, record selection manager 130 sends reduction completion result 170 to user 100. On the other hand, when the subset of records does not include a reduction completion result, record selection manager 130 once again sends more subset discriminating requests 150 to user 100. In turn, record selection manager 130 receives additional subsequent user provided attributes 160 to reduce the number of records included in the subset of records. When record selection manager 130 reduces the subset of records to a reduction completion result or no record match, record selection manager 130 provides reduction completion result 170, or a no record match response, to user 100.
Using the invention described herein, record selection manager 130 conceals the records included in records store 140 until it identifies reduction completion result 170, in which case record selection manager 130 only provides reduction completion result 170 to user 100 to view.
Figure 2 is a diagram showing a record table that includes a plurality of records. Table 200 includes records 250-270, in which each record includes a number of record attributes (columns 205-240). Depending upon initial and subsequent user provided attributes that a record selection manager receives from a user, the record selection manager selects a reduction completion result from records 250-270 and provides the reduction completion result to the user. The reduction completion result may be an explicit matched record, an irreducible record set, an under threshold set, or an over limit response.
As can be seen in the example shown in Figure 2, table 200 includes three records with the same "Name" record attribute of "Pat Smith" (records 255-265). Two of these records also have the same "State" record attribute of "VT" (records 255-260). As such, in order for the record selection manager to select a reduction completion result for Pat Smith, the record selection manager requires from the user either a City, a Zip code, a year of birth, a social security number, or a deductible amount (see Figure 3 and corresponding text for further details).
Figure 3 is a diagram showing a record selection manager interfacing with a user's client to iteratively identify and provide a reduction completion result. Records selection manager 130 receives user provided attributes in order to select a reduction completion result from a plurality of records included in records store 140. Record selection manager 130 and records store 140 are the same as that shown in Figure 1.
A user's client, such as client 110 shown in Figure 1, displays user interface window 300 to the user in order for the user to initiate the process of viewing a particular person's record. Depending upon the user's knowledge of the person's information, the user enters initial user provided attributes about the record that the user wishes to view in fields 305-315. Figure 3 shows that the user enters "Pat Smith" in field 305 and leaves fields 310-315 empty.
Records selection manager 130 receives initial user provided attribute "Pat Smith" and identifies a subset of records that include record attribute values that match "Pat Smith." In turn, record selection manager 130 sends a subset discriminating request to the user, which is displayed on the client in user interface window 320. The example shown in Figure 3 allows the user to enter the person's "Year of Birth" in field 325 or the person's "City" in field 330. As can be seen, the user entered the person's city in field 330, which is sent to record selection manager 130.
Record selection manager 130 reduces the subset of records using the city "Warsaw," and determines that one record remains in the subset of records. As a result, the one remaining record is the reduction completion result, which is provided to the user in user interface window 340.
Figure 4 is a high-level flowchart showing steps taken in selecting a reduction completion result from a plurality of records. A records selection manager identifies, and iteratively reduces, a subset of records using initial user provided attributes and subsequent user provided attributes. Once the subset of records reduces to a reduction completion result or no matched records, the record selection manager provides the reduction completion result to the user.
Processing commences at 400, whereupon processing receives a request from user 100 through client 110 at step 410. The request includes an initial user provided attribute, such as a person's name or address. In one embodiment, the request may include more than one attribute, such as a person's name and phone number. User 100 and client 110 are the same as that shown in Figure 1.
Processing identifies a subset of records from a plurality of records included in records store 140, and proceeds through an iteration process that queries user 100 for subsequent user provided attributes in order to reduce the subset of records to either a reduction completion result or no matched records (pre-defined process block 420, see Figure 5 and corresponding text for further details). Records store 140 is the same as that shown in Figure 1.
A determination is made as to whether the iteration process resulted in a reduction completion result or no matched record (decision 430). A reduction completion result may include an explicit matched record, an irreducible record set, an under threshold set, or an over limit response. If the iteration process resulted in a reduction completion result, decision 430 branches to "Yes" branch 438 whereupon processing provides user 100 with the reduction completion result at step 450, and processing ends at 460. Up to this point, processing has concealed each of the plurality of records from user 100.
On the other hand, if the iteration process resulted in no matched record, decision 430 branches to "No" branch 432 whereupon processing informs user 100 that no records matched user 100's user provided attributes, and processing ends at 460.
Figure 5 is a detail level flowchart showing steps taken in selecting a reduction completion result based upon user provided attributes. A records selection manager receives a request from user 100 that includes initial user provided attributes. For example, user 100 may wish to view a record for "Pat Smith" and, in this example, user 100's request includes the name "Pat Smith" as the initial user provided attributes (see Figure 4 and corresponding text for further details). Once processing receives the initial request, processing proceeds through a series of steps in order to identify and select a reduction completion result from a plurality of records.
Processing commences at 500, whereupon processing identifies a subset of records from records store 140 that include record attribute values that match the initial user provided attributes (step 510). Using the example described above, processing identifies each record that includes "Pat Smith" as a name record attribute value. Processing proceeds through a series of steps to determine whether the subset of records is a reduction completion result (pre-defined process block 515, see Figure 6 and corresponding text for further details). A reduction completion result may include an explicit matched record, an irreducible record set, an under threshold set, or an over limit response. For example, if processing is configured with an allowable threshold value of less than five records, processing checks whether the subset of records is less than five records at this decision and, if so, determines that the subset of records is an under threshold set. In another example, if processing has proceeded through a number of iteration steps and is no longer able to refine the subset of records, yet the number of records remaining in the subset of records is over a record set limit, processing determines that the subset of records results in an over limit response and returns zero records.
A determination is made as to whether the subset of records 1) includes any records, 2) requires further refinement, or 3) is a reduction completion result (decision 520). If no records exist in the subset of records, decision 520 branches to "No Match" branch 522 whereupon processing returns a "No Match" at 525. On the other hand, if the subset of records is a reduction completion result, processing branches to "Yes" branch 524 whereupon processing returns a "reduction completion result" at 530.
When the subset of records requires further refinement, decision 520 branches to "No" branch 528 to begin an iterative process of reducing the subset of records to a result of either a reduction completion result or no record match. At step 540, processing calculates conjoint probabilities of the subset of records. Conjoint probability calculations are known to those skilled in the art, such as by using an a-priori algorithm. Conjoint probability calculations provide subsets of entities within an overall set of potential entities based on higher (or lower) conjoint probabilities than would be otherwise expected from the calculation of distributions independently. For example, 50% of records may indicate GENDER=MALE and 50% may indicate EYECOLOR=BROWN, leading to an expected calculation that 25% should have GENDER=MALE & EYECOLOR=BROWN. Deviations from this expected value may be pre-calculated for a set of all entities, and those sets that have the lowest values (e.g. only 5% of all records are males with brown eyes) may be utilized to provide the selection criteria. This technique may also be performed on individual set elements when background population statistics are known (e.g. 60% of all people are female or 70% of all people have brown eyes).
Processing uses the results of the conjoint probability calculations to identify discriminating factors, which may include a probability factor (e.g., statistically motivated to request a specified attribute), an expert rules factor (e.g., always ask for year of birth over month of birth), a policy factor (e.g., pursuant to company policy, only the last four digits of the SSN), or other factors that discriminate one record over another record. For example, if ten records include the name "Pat Smith," five of which live in Texas and five of which live in California, processing may identify that if user 100 provides the state in which the person resides, the number of records included in the subset of records may be reduced by half.
Processing, at step 560, sends a subset discriminating request to user 100 through client 110. The subset discriminating request includes a request for attributes corresponding to the discriminating factors that were identified back in step 550. User 100 reviews the subset discriminating request, and responds by providing one or more subsequent user provided attributes, which are received at step 570.
Processing reduces the subset of records based upon the subsequent user provided attributes at step 580. Using the example described above, if user 100 specified that Pat Smith resides in Texas, processing reduces the subset of records to five records. Processing loops back to proceed through a series of steps to determine whether the subset of records is a reduction completion result (pre-defined process block 515). This looping continues until the subset of records includes no records or is a reduction completion result, in which case decision 520 branches to "No Match" branch 522 or "Yes" branch 524, respectively.
Figure 6 is a detail level flowchart showing steps taken in identifying whether the subset of records is a reduction completion result. Processing commences at 600, whereupon a determination is made as to whether only one record remains in the subset of records (decision 605). If the subset of records includes only one record, decision 605 branches to "Yes" branch 607 whereupon processing identifies the reduction completion result as an explicit matched record (step 610), and returns at 615. On the other hand, if the subset of records includes more than one record, decision 605 branches to "No" branch 609.
A determination is made as to whether the subset of records is an irreducible record set (decision 620). An irreducible record set is a subset of records that is no longer reducible with additional subsequent user provided attributes. If the subset of records is an irreducible record set, decision 620 branches to "Yes" branch 622 whereupon a determination is made as to whether the number of records included in the subset of records is over a maximum record set limit, such as ten records (decision 625). If the number of records included in the subset of records is over the maximum record set limit, decision 625 branches to "Yes" branch 627 whereupon processing identifies the reduction completion result as an over limit response (step 630), in which case zero records will be returned to the user. Processing returns at 635.
On the other hand, if the number of records included in the subset of records is less than a maximum record set limit, decision 625 branches to "No" branch 629 whereupon processing identifies the reduction completion result as an irreducible record set (step 640), and processing returns at 645.
If the subset of records is not an irreducible record set, decision 620 branches to "No" branch 624 whereupon a determination is made as to whether the number of records included in the subset of records is under an allowable threshold value (decision 650). If the number of records is under an allowable threshold value, decision 650 branches to "Yes" branch 652 whereupon processing identifies the reduction completion result as an under threshold set (step 660), and processing returns at 670.
On the other hand, if the number of records included in the subset of records is not an under threshold set, decision 650 branches to "No" branch 658 whereupon processing returns at 680 to further reduce the subset of records.
Figure 7 illustrates information handling system 701 which is a simplified example of a computer system capable of performing the computing operations described herein. Computer system 701 includes processor 700 which is coupled to host bus 702. A level two (L2) cache memory 704 is also coupled to host bus 702. Host-to-PCI bridge 706 is coupled to main memory 708, includes cache memory and main memory control functions, and provides bus control to handle transfers among PCI bus 710, processor 700, L2 cache 704, main memory 708, and host bus 702. Main memory 708 is coupled to Host-to-PCI bridge 706 as well as host bus 702. Devices used solely by host processor(s) 700, such as LAN card 730, are coupled to PCI bus 710. Service Processor Interface and ISA Access Pass-through 712 provides an interface between PCI bus 710 and PCI bus 714. In this manner, PCI bus 714 is insulated from PCI bus 710. Devices, such as flash memory 718, are coupled to PCI bus 714. In one implementation, flash memory 718 includes BIOS code that incorporates the necessary processor executable code for a variety of low-level system functions and system boot functions.
PCI bus 714 provides an interface for a variety of devices that are shared by host processor(s) 700 and Service Processor 716 including, for example, flash memory 718. PCI-to-ISA bridge 735 provides bus control to handle transfers between PCI bus 714 and ISA bus 740, universal serial bus (USB) functionality 745, power management functionality 755, and can include other functional elements not shown, such as a real-time clock (RTC), DMA control, interrupt support, and system management bus support. Nonvolatile RAM 720 is attached to ISA Bus 740. Service Processor 716 includes JTAG and I2C busses 722 for communication with processor(s) 700 during initialization steps. JTAG/I2C busses 722 are also coupled to L2 cache 704, Host-to-PCI bridge 706, and main memory 708 providing a communications path between the processor, the Service Processor, the L2 cache, the Host-to-PCI bridge, and the main memory. Service Processor 716 also has access to system power resources for powering down information handling device 701.
Peripheral devices and input/output (I/O) devices can be attached to various interfaces (e.g., parallel interface 762, serial interface 764, keyboard interface 768, and mouse interface 770) coupled to ISA bus 740. Alternatively, many I/O devices can be accommodated by a super I/O controller (not shown) attached to ISA bus 740.
In order to attach computer system 701 to another computer system to copy files over a network, LAN card 730 is coupled to PCI bus 710. Similarly, to connect computer system 701 to an ISP to connect to the Internet using a telephone line connection, modem 765 is connected to serial port 764 and PCI-to-ISA Bridge 735.
While Figure 7 shows one information handling system that employs processor(s) 700, the information handling system may take many forms. For example, information handling system 701 may take the form of a desktop, server, portable, laptop, notebook, or other form factor computer or data processing system. Information handling system 701 may also take other form factors such as a personal digital assistant (PDA), a gaming device, ATM machine, a portable telephone device, a communication device or other devices that include a processor and memory.
One of the preferred implementations of the invention is a client application, namely, a set of instructions (program code) in a code module that may, for example, be resident in the random access memory of the computer. Until required by the computer, the set of instructions may be stored in another computer memory, for example, in a hard disk drive, or in a removable memory such as an optical disk (for eventual use in a CD ROM) or floppy disk (for eventual use in a floppy disk drive), or downloaded via the Internet or other computer network. Thus, the present invention may be implemented as a computer program product for use in a computer. In addition, although the various methods described are conveniently implemented in a general purpose computer selectively activated or reconfigured by software, one of ordinary skill in the art would also recognize that such methods may be carried out in hardware, in firmware, or in more specialized apparatus constructed to perform the required method steps.
While particular embodiments of the present invention have been shown and described, it will be obvious to those skilled in the art that, based upon the teachings herein, changes and modifications may be made without departing from this invention and its broader aspects. Therefore, the appended claims are to encompass within their scope all such changes and modifications as are within the true spirit and scope of this invention. Furthermore, it is to be understood that the invention is solely defined by the appended claims. It will be understood by those with skill in the art that if a specific number of an introduced claim element is intended, such intent will be explicitly recited in the claim, and in the absence of such recitation no such limitation is present. As a non-limiting example, and as an aid to understanding, the following appended claims contain usage of the introductory phrases "at least one" and "one or more" to introduce claim elements. However, the use of such phrases should not be construed to imply that the introduction of a claim element by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim element to inventions containing only one such element, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an"; the same holds true for the use in the claims of definite articles.

Claims

1. A method comprising: receiving a request from a user that includes an initial user provided attribute; identifying a subset of records from a plurality of records using the initial user provided attribute, the subset of records including more than one of the plurality of records and each of the subset of records including a first record attribute value that matches the initial user provided attribute; in response to the identifying of the subset of records, sending a subset discriminating request to the user; receiving a subsequent user provided attribute from the user in response to the sending of the subset discriminating request; reducing, in response to receiving the subsequent user provided attribute, the subset of records to a reduction completion result, the reduction completion result including one or more records that each include a second record attribute value that matches the subsequent user provided attribute; and providing the reduction completion result to the user.
2. The method of claim 1 wherein the reduction completion result is:
(a) only one record from the subset of records, the one record being an explicit matched record;
(b) an irreducible record set that comprises a reduced subset of records, each of the reduced subset of records including record attribute values such that the reduced subset of records is not further reducible using additional subsequent user provided attributes; or
(c) selected from the group consisting of an explicit matched record, an irreducible record set, an under threshold set, and an over limit response.
3. The method of claim 1 or 2 further comprising: concealing, from the user, each of the subset of records during the identifying, the sending, the receiving, and the reducing; and concealing, from the user, each of the subset of records other than those in the reduction completion result during the providing.
4. The method of claim 1,2 or 3 further comprising: computing conjoint probabilities among record attributes using their corresponding record attribute values; and determining, based upon the computing of the conjoint probabilities, discrimination factors that have the highest calculated conjoint probabilities of appearing together in the subset of records.
5. The method of one of claims 1 to 4 wherein the subsequent user provided attributes are selected from the group consisting of a demographic attribute, a non-demographic attribute, a biographical attribute, a descriptive attribute, a condition attribute, a state attribute, a transactional attribute, a geo-spatial attribute, and a temporal attribute.
6. The method of any one of claims 1 to 5 wherein the subset discriminating requests are based upon at least one discrimination factor that is selected from the group consisting of a probability factor, an expert rules factor, and a policy factor.
7. The method of any one of claims 1 to 6 further comprising: determining that the subset of records is the reduction completion result by only using the initial user provided attribute; and performing the providing in response to determining that the subset of records is the reduction completion result by only using the initial user provided attribute.
8. The method of claim 1 further comprising one of:
(a) determining that the reducing results in a non-compliant amount of records based upon a maximum record set limit, resulting in the reduction completion result being an over limit response, and providing zero records to the user in response to the determining of the over limit response; or
(b) determining that the reducing results in an amount of records that are less than an allowable threshold value, resulting in the reduction completion result being an under threshold set, and providing the records included in the under threshold set to the user in response to the determining of the under threshold set.
9. An information handling system comprising: one or more processors; a memory accessible by the processors; a storage device accessible by the processors; and a record selection tool for selecting records, the record selection tool being effective to: receive a request from a user that includes an initial user provided attribute; identify a subset of records from a plurality of records using the initial user provided attribute, the subset of records including more than one of the plurality of records and each of the subset of records including a first record attribute value that matches the initial user provided attribute; in response to the identifying of the subset of records, send a subset discriminating request to the user; receive a subsequent user provided attribute from the user in response to the sending of the subset discriminating request; reduce, in response to receiving the subsequent user provided attribute, the subset of records to a reduction completion result, the reduction completion result including one or more records that each include a second record attribute value that matches the subsequent user provided attribute; and provide the reduction completion result to the user.
10. A computer program product stored on a computer operable media, the computer operable media containing instructions for execution by a computer, which, when executed by the computer, cause the computer to implement a method for selecting records from a plurality of records, the method comprising: receiving a request from a user that includes an initial user provided attribute; identifying a subset of records from the plurality of records using the initial user provided attribute, the subset of records including more than one of the plurality of records and each of the subset of records including a first record attribute value that matches the initial user provided attribute; in response to the identifying of the subset of records, sending a subset discriminating request to the user; receiving a subsequent user provided attribute from the user in response to the sending of the subset discriminating request; reducing, in response to receiving the subsequent user provided attribute, the subset of records to a reduction completion result, the reduction completion result including one or more records that each include a second record attribute value that matches the subsequent user provided attribute; and providing the reduction completion result to the user.
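Read together, claims 1 to 8 describe a dialogue rather than a query: the server holds the candidate subset, asks the user for one more attribute at a time, and releases records only when the subset has collapsed to a single explicit match, to a set that no further attribute can split, or to a set smaller than the policy threshold; a subset larger than the maximum record set limit yields zero records instead of a list. The following Python is an added example, not code from the patent or from its assignee, that walks through those outcomes on a constructed list. The record fields, the threshold and limit values, the `ASKABLE` policy list, and the use of "most distinct values among the remaining candidates" as a simplified stand-in for the claimed conjoint-probability discrimination factor are all assumptions made for the illustration.

```python
"""Record selection with privacy protections, in the manner of claims 1-8.

Added example, not the patent's or IBM's code. Field names, policy numbers
and the discriminator heuristic are assumptions made for this illustration.
"""

# Constructed sample list of fictional people; the field names are assumed.
RECORDS = [
    {"id": 1, "last_name": "Smith", "zip": "10001", "dob": "1970-01-01"},
    {"id": 2, "last_name": "Smith", "zip": "10001", "dob": "1982-05-17"},
    {"id": 3, "last_name": "Smith", "zip": "94105", "dob": "1982-05-17"},
    {"id": 4, "last_name": "Smith", "zip": "60601", "dob": "1991-11-30"},
    {"id": 5, "last_name": "Jones", "zip": "10001", "dob": "1970-01-01"},
    {"id": 6, "last_name": "Lee",   "zip": "10001", "dob": "1970-01-01"},
    {"id": 7, "last_name": "Lee",   "zip": "10001", "dob": "1970-01-01"},
    {"id": 8, "last_name": "Lee",   "zip": "10001", "dob": "1970-01-01"},
]

# Attributes the policy permits in a subset discriminating request (claim 6,
# policy factor). "id" is deliberately absent: internal identifiers are
# never requested from, or revealed to, the user.
ASKABLE = ("last_name", "zip", "dob")


def find_subset(records, attr, value):
    """Records whose attribute value matches the user-provided attribute."""
    return [r for r in records if r.get(attr) == value]


def pick_discriminator(subset, asked):
    """Next attribute to request (claims 4 and 6).

    Simplified stand-in for the patent's conjoint-probability factor: take the
    unasked attribute that splits the subset into the most groups. Returns
    None when no unasked attribute varies, i.e. the subset is irreducible.
    """
    best, best_groups = None, 1
    for attr in ASKABLE:
        if attr in asked:
            continue
        groups = len({r.get(attr) for r in subset})
        if groups > best_groups:
            best, best_groups = attr, groups
    return best


def complete(subset, asked, threshold, max_limit):
    """Classify a subset as a reduction completion result (claims 2 and 8).

    Returns None when the dialogue must continue. The empty-subset case is
    not in the claims and is treated here as a plain "no match".
    """
    n = len(subset)
    if n == 0:
        return {"result": "no_match", "records": []}
    if n == 1:
        return {"result": "explicit_match", "records": list(subset)}
    if n > max_limit:                  # claim 8(a): over limit, zero records
        return {"result": "over_limit", "records": []}
    if n < threshold:                  # claim 8(b): under threshold set
        return {"result": "under_threshold", "records": list(subset)}
    if pick_discriminator(subset, asked) is None:   # claim 2(b)
        return {"result": "irreducible", "records": list(subset)}
    return None


class Selection:
    """One user's selection dialogue.

    The candidate subset lives only here, server side. Before completion the
    only thing sent back is the *name* of the next attribute to supply (claim
    3); no values and no counts, so a requester cannot tell a subset of 2
    from a subset of 40 until a completion result is reached.
    """

    def __init__(self, records, threshold=3, max_limit=4):
        if threshold > max_limit:
            raise ValueError("threshold must not exceed max_limit")
        self._records, self._threshold, self._max_limit = records, threshold, max_limit
        self._subset = None      # None until the initial request
        self._asked = set()

    def request(self, attr, value):
        """Initial request, or the answer to a subset discriminating request."""
        if attr not in ASKABLE:
            raise ValueError("attribute not permitted by policy: %r" % attr)
        base = self._records if self._subset is None else self._subset
        self._subset = find_subset(base, attr, value)
        self._asked.add(attr)
        done = complete(self._subset, self._asked, self._threshold, self._max_limit)
        if done is not None:
            return done
        return {"result": "ask",
                "attribute": pick_discriminator(self._subset, self._asked)}


if __name__ == "__main__":
    s = Selection(RECORDS)
    print(s.request("last_name", "Smith"))   # ask for zip: 4 candidates, reducible
    print(s.request("zip", "10001"))         # under_threshold: ids 1 and 2
    print(Selection(RECORDS).request("zip", "10001"))        # over_limit: 6 > 4
    print(Selection(RECORDS).request("last_name", "Jones"))  # explicit_match: id 5
    print(Selection(RECORDS).request("last_name", "Lee"))    # irreducible: ids 6-8
```

The over-limit path is the one that does the privacy work: a broad initial attribute such as a common zip code returns nothing at all, so the list cannot be dumped by asking a vague question, while a requester who already knows enough to identify a person still reaches the record. Two caveats the claims do not address: the attribute name in each discriminating request tells the user which attribute still varies among the candidates, and nothing here stops a requester from opening many sessions with guessed values; session and rate limits would have to be layered on outside the claimed method.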
PCT/EP2007/060593 2006-10-06 2007-10-05 System and method for selecting records from a list with privacy protections WO2008040800A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/539,260 2006-10-06
US11/539,260 US7644068B2 (en) 2006-10-06 2006-10-06 Selecting records from a list with privacy protections

Publications (2)

Publication Number Publication Date
WO2008040800A2 true WO2008040800A2 (en) 2008-04-10
WO2008040800A3 WO2008040800A3 (en) 2009-03-19

Family

ID=38788359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/060593 WO2008040800A2 (en) 2006-10-06 2007-10-05 System and method for selecting records from a list with privacy protections

Country Status (2)

Country Link
US (1) US7644068B2 (en)
WO (1) WO2008040800A2 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7082426B2 (en) 1993-06-18 2006-07-25 Cnet Networks, Inc. Content aggregation method and apparatus for an on-line product catalog
US6714933B2 (en) * 2000-05-09 2004-03-30 Cnet Networks, Inc. Content aggregation method and apparatus for on-line purchasing system
US20140095508A1 (en) 2012-10-01 2014-04-03 International Business Machines Efficient selection of queries matching a record using a cache
US9495400B2 (en) 2012-10-01 2016-11-15 International Business Machines Corporation Dynamic output selection using highly optimized data structures
US9311504B2 (en) * 2014-06-23 2016-04-12 Ivo Welch Anti-identity-theft method and hardware database device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001050400A1 (en) * 2000-01-06 2001-07-12 Privacy Council Policy notice method and system
WO2006104810A2 (en) * 2005-03-28 2006-10-05 Bea Systems, Inc. Security policy driven data redaction

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974389A (en) * 1996-03-01 1999-10-26 Clark; Melanie Ann Medical record management system and process with improved workflow features
US5924090A (en) * 1997-05-01 1999-07-13 Northern Light Technology Llc Method and apparatus for searching a database of records
US6032145A (en) * 1998-04-10 2000-02-29 Requisite Technology, Inc. Method and system for database manipulation
IT1303603B1 (en) * 1998-12-16 2000-11-14 Giovanni Sacco DYNAMIC TAXONOMY PROCEDURE FOR FINDING INFORMATION ON LARGE HETEROGENEOUS DATABASES.
US6829604B1 (en) * 1999-10-19 2004-12-07 Eclipsys Corporation Rules analyzer system and method for evaluating and ranking exact and probabilistic search rules in an enterprise database
US6633885B1 (en) * 2000-01-04 2003-10-14 International Business Machines Corporation System and method for web-based querying
EP1182581B1 (en) * 2000-08-18 2005-01-26 Exalead Searching tool and process for unified search using categories and keywords
US20030130867A1 (en) * 2002-01-04 2003-07-10 Rohan Coelho Consent system for accessing health information
GB0224589D0 (en) * 2002-10-22 2002-12-04 British Telecomm Method and system for processing or searching user records
US20050234890A1 (en) * 2004-02-19 2005-10-20 Urs Enzler Generation of database queries from database independent selection conditions
US7324998B2 (en) * 2004-03-18 2008-01-29 Zd Acquisition, Llc Document search methods and systems
EP2487601A1 (en) * 2004-05-04 2012-08-15 Boston Consulting Group, Inc. Method and apparatus for selecting, analyzing and visualizing related database records as a network
US20050273452A1 (en) * 2004-06-04 2005-12-08 Microsoft Corporation Matching database records
US7302426B2 (en) * 2004-06-29 2007-11-27 Xerox Corporation Expanding a partially-correct list of category elements using an indexed document collection
JP2006031442A (en) * 2004-07-16 2006-02-02 Toshiba Corp Space data analysis apparatus, space data analysis method, and space data analysis program
US20060085391A1 (en) * 2004-09-24 2006-04-20 Microsoft Corporation Automatic query suggestions
US20060074875A1 (en) * 2004-09-30 2006-04-06 International Business Machines Corporation Method and apparatus for predicting relative selectivity of database query conditions using respective cardinalities associated with different subsets of database records
US20060085470A1 (en) * 2004-10-15 2006-04-20 Matthias Schmitt Database record templates

Also Published As

Publication number Publication date
US20080086452A1 (en) 2008-04-10
US7644068B2 (en) 2010-01-05
WO2008040800A3 (en) 2009-03-19

Similar Documents

Publication Publication Date Title
US7866542B2 (en) System and method for resolving identities that are indefinitely resolvable
WO2020143620A1 (en) Method for displaying block chain data, block chain browser, user node and medium
US7158979B2 (en) System and method of de-identifying data
US9262584B2 (en) Systems and methods for managing a master patient index including duplicate record detection
US10454932B2 (en) Search engine with privacy protection
US9904798B2 (en) Focused personal identifying information redaction
US8990252B2 (en) Anonymity measuring device
US10572461B2 (en) Systems and methods for managing a master patient index including duplicate record detection
US20140283097A1 (en) Anonymizing Sensitive Identifying Information Based on Relational Context Across a Group
CN107992477A (en) Text subject determines method, apparatus and electronic equipment
US10592982B2 (en) System and method for identifying related credit inquiries
US7934093B2 (en) Assigning security levels to a shared component
US7644068B2 (en) Selecting records from a list with privacy protections
WO2022064348A1 (en) Protecting sensitive data in documents
CN108427702B (en) Target document acquisition method and application server
US20190295694A1 (en) Methods and systems for a healthcare provider search
US20160267085A1 (en) Providing answers to questions having both rankable and probabilistic components
US20180300392A1 (en) Accumulated retrieval processing method, device, terminal, and storage medium
US20170032484A1 (en) Systems, devices, and methods for detecting firearm straw purchases
US20240005024A1 (en) Order preserving dataset obfuscation
CN113254791A (en) Data matching method and device, computer readable storage medium and equipment
CN112347489B (en) Data processing method, device and storage medium
CN113987134A (en) Work order retrieval method, work order retrieval device, electronic equipment and storage medium
WO2022238948A1 (en) Method and system for transforming personally identifiable information
CN113254790A (en) Information recommendation method and device, computer readable storage medium and equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 07820967
Country of ref document: EP
Kind code of ref document: A2
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 07820967
Country of ref document: EP
Kind code of ref document: A2