US 20080022414 A1
A universal anonymous data collection and exchange service is provided where individuals and entities initially register with the service utilizing “legally authentic” identity documentation to obtain a “universal ID” (UXID). The UXID consists of a sting of alphanumeric digits selected from a hash function that is performed on a string of personally identifying information. Once registered, the individual and entity UXIDs are used as a means by the service to engage in a pre-defined confidential data collection and exchange protocol between participating, registered UXID holders. The service is designed for use across many applications, individuals and entities, and may support one-time or recurring collection of data.
1. A method of creating a universal, individual identifier (UXID) for controlling data access, collection and exchange between a plurality of registered users and registered entities, the method performed by a UXID service provider and comprising the steps of:
a) receiving legally-recognized documentation of an individual from an individual desiring registration, the legally-recognized documentation including a plurality of fields of personal information;
b) creating a string of selected information as a subset of the personal information within the legally-recognized documentation;
c) supplementing the string created in step b) with a pad string of information known only to the UXID service provider to form a standard string;
d) generating a hash of the standard string created in step c) to form a hexadecimal string of digits;
e) defining a predetermined subset of digits from the string formed in step d) as the individual UXID;
f) creating an initial password for use in association with the individual's UXID;
g) storing the (UXID, password) pair in a database of registered users; and
h) delivering the UXID, password and legally-recognized documentation to the registered individual.
2. The method as defined in
3. The method as defined in
4. The method as defined in
5. The method as defined in
6. The method as defined in
7. The method as defined in
8. The method as defined in
9. The method as defined in
10. The method as defined in
11. The method as defined in
12. The method as defined in
i) receiving, at the UXID service provider, additional legally-recognized documentation defining a relationship between the individual and the pre-registered entity;
j) creating a string of selected information from both the original and additional legally-recognized documentation;
k) supplementing the created string with a pad string of information known only to the UXID service provider to form an entity-application standard string;
l) generating a hash of the entity-application standard string created in step k);
m) defining a predetermined subset of digits from the generated hash of step l) as the individual's EA-UXID;
n) creating an initial password for use in association with the individual's EA-UXID;
n) storing the (EA-UXID, EA-password) pair in a database of registered entity-associated users; and
o) delivering the EA-UXID, EA-password and additional documentation to the registered subscriber.
13. A unique universal ID (UXID) platform for storing individual and entity data and providing processing, anonymizing and reporting of the stored data, the UXID platform comprising
a processor for utilizing a selected hash algorithm to translate a string of user information into UXIDs and EA-UXIDs, as desired;
an individual storage partition including individual UXIDs and EA-UXIDs;
an entity storage partition including entity UXIDs, EA-UXIDs and predetermined protocols utilized for collecting and reporting individual data; and
a UXID service partition for maintaining linkages between UXIDs, EA-UXIDs and the parameters used for their formation.
This application claims the benefit of U.S. Provisional Application No. 60/788,264, filed Mar. 31, 2006, and U.S. application Ser. No. 11/638,226 filed Dec. 31, 2006.
The present invention relates to a system and method of providing unique personal identifiers for use in the anonymous and secure exchange of data and, more particularly, to the implementation of a trusted third party service to generate unique universal IDs (UXIDs) and utilize the UXIDs as the key to a repository of secure data associated with the individual.
There is a widespread need for universal identifiers—database “keys”—to facilitate the collection, merger mid exchange of data across broad-based populations and time scales. Within the United States, the Social Security Number (SSN) has become the de facto standard identifier that is used to associate data with a selected individual. However, since the SSN is so readily tied to the individual, use of the SSN as a database key poses the risk of privacy abuses, including but not limited to identity theft. Since the use of a universal identifier (such as the SSN) is often outside the knowledge or control of the person to whom the identifier is assigned, the potential for continued and ongoing misuse is significant.
Because individual privacy and confidentiality rights cannot be safeguarded with current approaches, governmental efforts to assign unique universal personal identifiers have met with significant legal opposition in the United States. For example, the National Center for Education Statistics (NCES) has proposed the introduction of “unit-level” data collection to allow for the aggregation of a variety of personally-identifiable data about students over the course of their education. Collection of comprehensive educational data is essential for informed decision and policy making, but attempts to implement mandatory national data collection via personally identifiable IDs have met with significant legal challenges, in additional to financial and logistical ones.
Many types of national, state and other initiatives have been under scrutiny and subject to cancellation because they are unable to collect and analyze the data needed to determine program efficacy and cost-effectiveness.
In general, universal identifiers and their use in the collection of personal and confidential data are currently prohibited or protected by a wide body of law, especially in legal, medical, educational and financial contexts. Many social, financial, medical and other types of applications share these types of difficulties and thereby lack the means for collecting data which is needed for rigorous evaluation and scientific investigation.
Thus, a need remains in the art for providing a universal process that may be used to confidentially collect and exchange data from a variety of sources for a variety of purposes.
The needs remaining in the art are addressed by the present invention, which relates to a system and method of providing unique personal identifiers for use in the anonymous and secure exchange of data and, more particularly, to the implementation of a trusted third party service to generate unique universal IDs (UXIDs) and utilize the UXIDs as the key to a repository of secure data associated with the individual.
In accordance with the present invention, a third party service is utilized to generate UXIDs that thereafter allow for the collection, aggregation and exchange of statistics and data in an anonymous fashion between various types of individuals and entities. A novel process has been developed to generate unique universal IDs based upon certifiable legal documentation (e.g., birth certificate), where the trusted third party service obtains the document, selects predetermined information therefrom and performs a “hash” on the selected information to generate the UXID.
Once an individual has subscribed to the service and obtained a unique UXID, the individual may thereafter request to be associated with various entity subscribers to the service (where the individual is then issued a unique entity-associated UXID, or EA-UXID, for each association request) so that various types of personal data will be available (in an anonymous fashion) to the subscriber-entity. For example, a student may have a school-entity UXID that is used to associate his/her school records with him/her regardless of where they live throughout their school years. This same student may have a medical-entity UXID that is used in similar fashion to link the student's personal medical records with him/her. In accordance with the present invention, the utilization of different EA-UXIDs for each entity registration prevents the school-entity subscriber from having access to the student's medical records, and similarly prevents the medical-entity subscriber from having access to the student's school records.
Various other types of entities (for example, governmental services, financial/banking services, etc.) may also subscribe to and use the data collection services of the present invention, particularly since the provision of UXIDs and EA-UXIDs is truly independent of the type of data collected, or the uses to which “trusted” subscriber-entities applies this collected, anonymous data.
In accordance with the present invention, individuals initially register with the service by submitting their birth certificate or other “legally authentic” document (such as required to obtain a passport) to obtain a “universal ID” (UXID). The service creates a string of selected information from the document, such as the individual's name, birth date and birth city, and performs a mathematical hash operation on this string (supplemented in the manner described below) to form a multi-digit hexadecimal result. A selected number of digits from the hexadecimal hash result (preferably, nine digits) is then defined as the UXID. It is a significant aspect of the present invention that an individual's UXID will never change over the individual's lifetime, so that the initial registration generates a UXID that will always remain linked with that person. In order to assure this result, the process of the present invention consistently utilizes the same data items from a birth certificate/legal document to generate the UXID. Therefore, if an individual loses or forgets his UXID, the inventive service may re-generate the UXID from the same birth certificate-based information used to generate the UXID in the first instance.
In the process of generating the UXID, a “pad string” known only to the service provider is appended to the supplied information (thus forming the supplemented string noted above), providing additional assurance that inappropriate third parties cannot hold themselves out as being associated with the anonymous data collection service of the present invention. The pad string is analogous to a “private key” in a (public key, private key) pair, and is known only by the service provider of the present invention. The service provider uses the pad string as an internal control for identifying fake IDs that might be generated by entities misrepresenting themselves as bona fide agents of the service. Different pad strings may be used to generate different entity-associated UXIDs and/or may be changed over time, with the service maintaining a linkage between all UXIDs/EA-UXIDs and the particular pad string used in their generation.
In accordance with the present invention, various accepted “one way” hashes may be used by the service to preserve the anonymity of the registered individuals, while insuring that the information remains secure. For example, the MD5 or SHA-1 hashes, well known in the art, may be used. Alternatively, a private, proprietary hash known only to the service provider may be employed, adding yet another degree of security to the process. Again, the UXID platform of the present invention is capable of retaining a linkage between each UXID/EA-UXID and the specific hash algorithm used for its generation.
The UXID platform of the present invention can further check the to-be-assigned UXID against already issued UXIDs in order to ensure that the proposed UXID has not already been assigned (i.e., that a “collision” was created by generating a hash of this new data). If a collision has occurred, the process will adjust one (or perhaps more) of the digits in the to-be-assigned UXID and again search the issued UXID database for collisions. This process would continue, as necessary, until the newly-formed UXID is “unique”.
The generated UXID is then conveyed to the individual, preferably by mail, email or in person, along with the return of their original documentation (i.e., birth certificate), and an associated “secret user string” (SUS). The SUS is analogous to a PIN or password, and is thereafter utilized to permit/deny access of the individual to the UXID platform of the present invention.
Once registered, the individual's UXID is used to control their interactions with the trusted third party service of the present invention. As mentioned above, to safeguard UXID privacy and use, various “entity-application” UXIDs (EA-UXIDs) and EA-SUSs are thereafter issued to an individual for each specific entity to which he/she subscribes. As will be described in detail hereinbelow, an EA-UXID is created from a hash string derived from the individual's UXID and possibly other entity-related information. The act of registration also allows the inventive service to collect data associated with the individual, where the data may be supplied by participating entities (such as schools, banks, etc.)
Various embodiments of the present invention include the provision of a “verification level” (VL) assessment to be associated with a generated UXID/EA-UXID, which may be based upon the original documentation used to generate the ID. For example, if an individual does not have/cannot find his original birth certificate, and uses a valid driver's license to obtain a UXID, that UXID may be issued with a lower “verification” level, since a driver's license is not considered as “authentic” as an original birth certificate. In other embodiments, a “temporary” or “provisional” UXID may be issued, where the UXID includes an expiration date. Such a UXID may be required in situations where the individual has not yet obtained the required documentation, but needs the UXID for other reasons.
Other and further aspects of the inventive UXID system and method of the present invention will become apparent during the course of the following discussion and by reference to the accompanying drawings.
Referring now to the drawings,
The generation and utilization of unique universal IDs (UXIDs) in accordance with the present invention is intended to be a third party service offered to individuals (as “sources” of collected data) and entities (as “users” of the collected data), albeit that individuals may also be “users” of the data in certain cases. The use of UXIDs allows for the collected data to be passed along in anonymous fashion to the entities, thus allowing various types of agencies, financial/educational/medical institutions, and the like, to perform vital services without compromising the identity of any individuals associated with the data. Some entities, for example, medical research programs or educational survey institutions are therefore able to collect and utilize significant, valid data in an anonymous fashion to provide services such as tracking individuals involved in a new drug trial, investor activity in different businesses, and the like.
As will be described in detail below, the system and method of the present invention begins with an individual subscriber obtaining a UXID in the form of a unique sequence of digits that is generated using a novel process and based on verified legal documents so that a correspondence between a UXID and only one individual is assured. The individual submits a legally-verifiable original document (or notarized copy thereof) to the service, where in most cases a birth certificate is the preferred documentation. A set of predetermined fields of information from the submitted document are then used to form a string of information. A hash algorithm is applied to this information string (supplemented in the manner discussed below) to generate a string of hexadecimal digits from which a subset of digits is selected to create the UXID. The UXID is thereafter used by the subscriber to set up their preferences and to make selections to participate in various entity applications (e.g., education, medical, financial, etc.). The UXID may also be used by the subscriber to monitor “activity” associated with their data, in terms of an audit trail of data collection/dispersement activities conducted on their behalf.
Entities, such as businesses, schools, private organizations and the like desiring to participate in an anonymous data exchange must also register with the service of the present invention. The entity registration involves the submission of consent and authorization forms, as well as other appropriate entity identification proof(s) that can be verified by the inventive service (and possibly confirmed by other third parties, if necessary). Specific identification proofs and documentation required for registration with the service may vary according to the type of entity and the nature of the anonymous data exchange protocol being employed by the service. In order to participate as a subscribing entity, various “officers” or other individuals associated with the entity must also apply for individual UXIDs, and further obtain EA-UXIDs, where these IDs will allow the registered individuals to request and collect data on behalf of their specific entity. Examples of an “entity application” may include tracking of student progression from kindergarten through college, tracking of unemployment benefits eligibility and participant usage, tracking of medical records and storage location, tracking of illnesses and cause of death for pedigreed animals, anonymous age verification, etc.
In order to be associated with a specific data-using entity (e.g., school, drug trial), an individual must also obtain an entity-application UXID (EA-UXID), and paired EA-SUS, that will be recognized by that specific entity and used to control the specific type of (anonymous) data transmitted to that entity. An “entity application” in accordance with the present invention refers to data which the inventive service collects on UXID subscribers for a particular purpose. More formally, an “entity application” is defined as a specific, pre-defined protocol of data collection and viewing for a set of entities and/or individuals.
Similar to the process of obtaining a passport, a critical component of the UXID service of the present invention is the submission of a tangible, physical document that may be separately authenticated by the service provider. While an “original” document may be submitted, it is also contemplated that a copy of a legal document that is accompanied by a notarized statement regarding its authenticity may be used. The provided data may be stored by the service provider in tabular form, as showed below in Table I for an exemplary individual “James Doe”:
The process of creating a unique UXID for James Doe based on this information then proceeds by formatting this data into a standard string (SS) form. One exemplary standard string that may be used by the trusted third party service of the present invention is shown below:
A key step in the formation of a unique, verifiable UXID is to generate a one-way hash of the complete string, where a portion of the hash is then defined as that individual's unique UXID. Exemplary well-known hashes that may be used for this purpose include, but are not limited to, MD4, MD5 and SHA-1. The following discussion will utilize the MD5 hash to generate the translated string only for the purposes of further explaining the additional attributes of the present invention. For the complete string as shown above, the resultant MD5 hash is the 32 hexadecimal digit number shown below:
Obviously, such a random appearing 32 digit number is too long to be remembered by James Doe and would thus not be acceptable for use as a UXID that needs to be remembered and used on a regular basis. The number of possible permutations of this string is 1632—a significant indication that such a long string would be “overkill” in providing a secure ID. The following Table II lists the possible number of permutations that may be represented by “n” hexadecimal digits, for values from n=1 to n=14:
To provide further assurance of “unique-mess” of the assigned UXID, the verification service of the present invention may first check the to-be-issued UXID against all previously-issued values. If a “match” is found (oftentimes referred to as a “collision” in the encryption arts), the UXID (in the form of, for example, a 9-digit hexadecimal number) may be incremented (or decremented) by 1, and the modified UXID again checked; with this process continuing until a truly “unique” UXID can be assigned and issued to James Doe. It is considered that the possibility of a collision will be rare, but if such an event does occur, the simple increment/decrement solution is available.
While this particular example utilizes the last nine digits of the hash, it is to be understood that any pre-defined set of nine digits (or other desired number of digits) may be used. For example, the first nine digits may be used to form the UXID, or the first five digits and the last four digits, or any other combination as dictated by the service provider.
When the UXID value is communicated to James Doe, the UXID service of the present invention will also provide a “secret user string” (i.e., password, and hereinafter referred to as an “SUS”) that James Doe must use in conjunction with his UXID to gain access to the service platform and access the types of activities associated with his stored data. The number of bytes used to encode the SUS will depend upon the security requirements of the UXID service provider. For example, a high security application might require a secret string of 1024 bytes, while a less secure application may need a secret key that is only 64 bits long. In this case, the keys can either be encoded as 16 hexadecimal digits (4 bits/character) or as 11 printable ASCII characters (6 bits/character). It is presumed that an SUS as used in accordance with the present invention might need to be entered only once into a crypto key-ring (such as are available on personal computers running the Linux operating system) or other device (e.g., smartcard) for easy storage and use. For the purposes of the present invention, it is presumed that the SUS “nobodyknows” is sent to Jarnes Doe to be used in conjunction with his UXID. Importantly, the UXID service provider stores the UXID/SUS pair in its database of registered individuals, where these values are later retrieved (as will be discussed in detail below) in each instance where an individual desires to gain access to the UXID platform.
The “secret user string” (SUS) is then assigned to the generated UXID (step 160), and both the UXID and SUS are stored in a UXID database under the control of the UXID service provider (step 170). The generated UXID, SUS and original birth certificate (or other form of submitted authentication) are then delivered to the requester (step 180). It is presumed that some type of mail/direct delivery service is used to send the information to the requester.
In one preferred implementation of the present invention, a generated UXID may be first checked against all previously-issued UXIDs to ensure that a “collision” will not occur (that is, that the same UXID is sent to two different individuals). As mentioned above, one intention of the present invention is that the UXID will be unique to each registered individual. The flowchart of
As mentioned above, each entity that wishes to use the data collection services of the present invention must also register with the service, obtaining a separate UXID and EA-UXID for each authorized representative of the entity. A process similar to that outlined above is used to form the UXIDs, where the flowchart of
Returning to the flowchart of
Referring to the flowchart of
In accordance with the present invention, an individual must also register with each separate entity (who must be a previously-registered entity) to whom the individual will permit access to personal data. One foreseen embodiment is in the educational context, where a child will be registered with an educational entity so that his/her personal school records will “follow” that child throughout the complete educational process from kindergarten through twelfth grade, and possibly further on.
As mentioned above, the process of creating an EA-UXID is identical to that used in the creation of the UXID in the first instance. Differences lie in the selection of the information used to form the “standard string”, as well as in the documentation required to be submitted with the completed form in the first instance. Referring to the flowchart of
As before, the standard string is supplemented with a “pad string” for extra security (step 430) and a hash process is performed (step 440) to generate a hexadecimal transformation of this string. The EA-UXID assigned to James Doe is selected from this string (step 450) and forwarded, along with an associated SUS (460), to James Doe (step 480). The transmitted EA-UXID/SUS pair is stored at the UXID platform (step 470), within the individual registration partition. Although not shown in
Entity data partition 16 includes similar information as found in individual partition 14, in this case collected and utilized for each registered entity. A first database 24 includes a listing of all registered entities, keyed by their assigned UXIDs. Since an entity may have several different types of data that may be collected and used for different reasons (e.g., an insurance company may have a first set of data associated with insured individuals and a second set of data associated with drug trial studies), an entity may also have several different EA-UXIDs, which are stored (in pairs with their SUSs) in an entity EA-UXID database 26. The various established rules (protocols) associated with data collection and manipulation for each registered entity is stored in a separate protocol database 28, as shown, where protocol database is keyed by the various EA-UXID. In general, the protocol defines one or more of the following:
The ability to track and report on “Study Groups” is a special feature of the service of the present invention. A Study Group may be defined for any group of entities and/or individuals which possess features of interest. Certain standard study groups (e.g., students in the expected graduating class of 2009 from Anytown High School, etc.) may be automatically assigned to participants in selected Entity-Applications supported by the service (such as School Entity-Applications designed to track student graduation rates and student movement between schools).
The UXID service data partition 18 is utilized to store and track the various elements associated with the generation of UXIDs and EA-UXIDs. In this particular embodiment, service data partition 18 includes a hashing database 30 that stores an association between a generated UXID and the particular hash algorithm used to generate it in the first instance. As mentioned above, there are various well-known hash algorithm (as well as proprietary algorithms) that may be used, and in fact different algorithms may be used as desired, since database 30 will retain the identity information of the selected hash for a particular UXID/EA-UXID. A single string database 32 is also included within service data partition 18 and is utilized to store a definition of the original individual information “fields” used to create the standard string. Examples of the “standard string” for the UXID and an educational EA-UXID have been given above. Further, since the service of the present invention may be utilized worldwide, the “standard string” used to create UXIDs for citizens of another country may use a different collection of information than that presented above for use in the United States, and may even use a different character set (e.g., Unicode) than the conventional ASCII code utilized in the United States. Single string database 32, therefore, will maintain a record of this information so that, if necessary, a UXID or EA-UXID may be re-generated.
As mentioned above, the pad string utilized to form the complete string from which the UXID or EA-UXID is generated is preferably changed over time (for security reasons). Thus, a pad string database 34 is included within service data partition 18 to maintain the association, for historical purposes, of the specific pad strings that have been used to generate each specific type of UXID and EA-UXID. A separate activity log 36 may be included within service data partition 18 and used by the trusted third party service to keep track of the various types of searches and data requests that have been undertaken over a given period of time.
There exist many variations in the ways in which the trusted third party data collection system of the present invention may be implemented. Besides the generation of initial UXIDs and EA-UXIDs as mentioned above, various classifications of these identifications can be defined as being either “permanent” or bearing an expiration date (i.e., temporary); or can be defined by a “verification level” that is ascribed to a particular ID. An “expiration date” UXID refers to an identification issued by the inventive service that has a pre-defined expiration date, and may need to be re-issued periodically based upon the submission of updated identity proof. As an example, the trusted third party service may issue an EA-UXID to an individual upon qualification for unemployment benefits. The EA-UXID may be used by a state Department of Labor (i.e., the “registered entity”) to administer and track unemployment benefits, payouts and participant eligibility. In this scenario, individual and employer subscribers might submit documentation to the service that establishes not only the individual's identity, but also their unemployment status and benefit eligibility at a particular point in time. If, for purposes of illustration, the individual is entitled to 26 weeks of unemployment benefits, an expiration-date EA-UXID might be issued that expires at the end of this 26 week period. The service would then provide the state entity with the details of the individual's unemployment EA-UXID and associated data. Of necessity, the EA-UXID used for unemployment tracking and related purposes would be unique and issued only once to avoid the possibility of duplicate payments by the state.
In another variation of the ID service of the present invention, a “temporary” UXID or EA-UXID may be generated for use by a specified entity until such time as the inventive service can complete all of the verification processing needed to issue a fully-authorized UXID or EA-UXID. For example, an entity such as a school may be authorized to issue provisional UXIDs and EA-UXIDs to incoming students who do not have immediately available the requisite identification information required to participate in the school's entity application. Provisional processing of IDs at the school allows the service to collect data on students as soon as they are enrolled. Once the student's information has been verified, all of the required subscriber data that has been captured is stored within the individual database and a permanent EA-UXID is issued.
In a preferred embodiment of the present invention, the trusted third party service may also assign a “verification level” (VL) to UXIDs based upon the type of identity document submitted by the applicant. The VL represents the level of confidence that the individual requesting the UXID has accurately represented their true identity to the service. For example, a sworn affidavit signed by the individual application might be weighted as less credible than an original birth certificate. Additionally, some characteristics may be more easily verified than others by various third parties. Thus, the presumed veracity of the presented identification documentation and the ability to which it can be verified independently may be used to assign a ranking to the UXID credibility. Thus, the inventive service may assign a graded VL to each UXID (e.g., very high, high, moderate, etc.). Alternatively, the VL may simply refer to the number of separate identity documents that the individual has supplied to the service. For example, suppose Susan Doe presents a driver's license to obtain a UXID, while John Smith presents a birth certificate, passport and military ID. The inventive service may assign a VL of “moderate” to Susan's application, while assigning a VL of “very high” to John's application. In some cases, an individual may be able to upgrade the VL assigned to his/her UXID by submitting additional documentation.
A major use of the UXID service of the present invention is to provide a means for anonymous data collection. The trusted third party service of the present invention may collect data from a variety of sources including, but not limited to, individuals, entities, other third parties, or the service itself. With respect to the latter, the service may generate data through the creation of enrollment records keyed by UXID/EA-UXID. Enrollment records may be used to capture associations between individuals, entities and their respective participation in various entity applications. After the service creates enrollment records, it may further augment them using data obtained from other, independent third parties, both public and private. A set of partial sample enrollment records is shown below in Table III:
For example, various sources of government-complied data include comprehensive school data obtained from the NCES website, census data collected by federal representatives every ten years, statistical health data maintained by the CDC, etc. Entities may provide data directly to the inventive service. As an example, if schools so elect at registration time, they have the option of providing the service with their own student IDs (which may be used within the school's own proprietary enrollment system), where the service can then utilize these IDs in place of the created EA-UXIDs when presenting collected data to school representatives, since a one-to-one mapping can be performed between each student's in-house ID and their issued EA-UXID.
The system of the present invention may also be used to provide subscribers (both individuals and entities) with information on where their records are stored for various entity applications. That is, a “record locator” function within UXID platform 10 can be used to help students locate their school records. In a medical context, the service might be used to locate every pharmacy where a certain individual has prescriptions filled.
The completeness of the record search is dependent upon having all of the parties involved in the record creation registered with the service in the first instance. For example, if a UXID subscriber wants information on where they fill prescriptions, each pharmacy they to go must be a registered entity. Further, each time a pharmacy fills a prescription, a record of the transaction should be created with the inventive service. The actual data collected to record the transaction is determined based upon the entity application requirements and the data collection/exchange protocols for that entity as stored within data base 28 at UXID platform 10. Participating pharmacies would continue to maintain their own proprietary databases to record details of each transaction. In using the inventive service, a pharmacy might request a record search if a batch of medication is recalled, so that the affected individuals can be quickly contacted.
Depending on the entity application, the inventive service may require further consent authorization before record searches are performed. This may be needed to comply with privacy, legal, ethical and possibly other requirements. To this end, the subscriber may be required to submit identity documents (such as passport, birth certificate, signed authorization form, etc.) to verify that he/she is the person associated with the UXID/EA-UXID and has properly authorized the record search.
The service may provide anonymized data to UXID subscribers in the form of reports or data extract files. In accordance with the present invention, data confidentiality is achieved in part through the service's use of UXIDs and EA-UXIDs. Knowledge of an entity or individual UXID/EA-UXID does not provide access to the service. An individual or entity (authorized representative of an entity) may only view UXID service account information with the correct UXID/SUS or EA-UXID/EA-SUS combination. With respect to individual subscribers, they must be properly authorized by both the entity and the service to access system data or review reports collected for the entity.
Data extracts and reports may be aggregated at various level of detail (for example, at an individual level (e.g., student); at an entity level (e.g., school); at a larger entity level (e.g., state school level); or an entity-application level (e.g., specific school program data, such as money spent on after-school programs). The service of the present invention may transform individual and entity EA-UXIDs at each level of aggregation so they cannot be compared against EA-UXIDs attached to records at other levels of aggregation. Thus, each level of data aggregation may permit a different “view” of the EA-UXIDs (which are used as entity and individual record keys). This transformation ensures that the EA-UXIDs remain anonymous.
An EA-UXID that has been transformed for a particular aggregation view is thereafter denoted as EA-UXID-n where “n” refers to the level of aggregation. An EA-UXID-n may use or less digits than UXIDs and EA-UXIDs so as to preserve the confidentiality of data when it is shared among subscribers. The EA-UXID-n may replace all instances of the EA-UXIDs in various reports and/or data extracts which the service distributes to subscribers so there is no way to correlate the ID used at one level of viewing with another merely by looking at the IDs. The transform of an EA-UXID into an EA-UXID-n simultaneously preserves data confidentiality, data integrity and consistency in database coding. By providing local views of the EA-UXID that change depending on use, it is statistically improbable (with a high level of confidence) that any party can successfully deduce the identity of a particular subscriber contained in a system report or database, or to correlate a given view of the subscriber with another view of that subscriber which is coded with a different EA-UXID-n.
Other and further modifications and embellishments to the anonymous data exchange and collection service of the present invention will become apparent to those skilled in the art. Indeed, the subject matter of the present invention is intended to be limited in scope only by the claims appended hereto.