Efficient handling of data purge requests
US-12260107-B1 · Mar 25, 2025 · US
US12499270B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12499270-B2 |
| Application number | US-202418603202-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 12, 2024 |
| Priority date | Mar 30, 2023 |
| Publication date | Dec 16, 2025 |
| Grant date | Dec 16, 2025 |
Abstract
A method and system for deleting multi-copy personal data efficiently and securely is provided, wherein the personal data and its subject identifier are signed and uploaded to data domains and stored as personal data copies; the personal data copies, along with their source and destination data, are circulated among the data domains; the data domain receiving a deletion instruction transmits the deletion instruction to every relevant data domain based on the identifier of the personal data subject and the destination data, and then performs deletion; and after completing the deletion, the data domain deposits its own domain identifier and the feedback data it receives into a log, and feeds the log back to its superior data domain. The system of the present disclosure includes a plurality of data domains that can perform the above operations, thereby realizing association-based storage, association-based deletion, and verification of association-based deletion of multi-copy personal data.
Claims (preview)
What is claimed is:

1. A method for deleting multi-copy personal data efficiently and securely, executed among data domains, the method comprising: signing and uploading personal data and an identifier of a personal data subject to the data domains, so that the data domains store the personal data along with the subject identifier as personal data copies; having the personal data copies, with their source and destination recorded therein, circulated among the data domains; when any of the data domains receives a deletion instruction, having that data domain transmit the deletion instruction to all relevant data domains based on the identifier of the personal data subject and the destination data in the personal data copy, and perform deletion; and after the data domain completes the deletion, having the data domain deposit its own domain identifier and the feedback data it receives into a log, and feed the log back to its superior data domain; wherein during the storing step the method further comprises: performing a hash operation on the personal data and the identifier of the personal data subject, and using a private key of the personal data subject to sign the hash value obtained through the hash operation, thereby obtaining a digital signature; wherein the identifier of the personal data subject acts as a globally unique identifier, and the personal data subject uploads the identifier of the personal data subject, the personal data, and the digital signature to a data source domain, which is the data domain acting as the source of the personal data; wherein the personal data copy stored in the data source domain as backup stores at least the identifier of the personal data subject, the personal data, the digital signature, a source domain identifier, and a destination domain identifier, wherein the source domain identifier and the destination domain identifier are initialized as empty; wherein the source domain identifier stores the identifier of the superior data domain from which the current data copy is circulated, and the destination domain identifier stores the identifier of the inferior data domain to which the current data copy is circulated.

2. The method of claim 1, wherein during the circulating step the method further comprises: having the current propagation domain request a backup of the personal data copy from the superior domain based on the identifier of the personal data subject, and alter the source domain identifier and the destination domain identifier in the personal data copy backed up to the current propagation domain, wherein the source domain identifier is altered into the identifier of the superior domain, and the destination domain identifier is reset to empty; and having the current propagation domain feed the destination domain identifier in the altered personal data copy and its own domain identifier back to the superior domain as feedback, so that the superior domain updates its personal data copy based on the feedback of the current propagation domain.

3. The method of claim 2, wherein during the circulating step the method further comprises: the superior domain updates the personal data copy based on the feedback of the current propagation domain by adding any domain identifier that exists in the feedback but does not exist in the destination domain identifier to the destination domain identifier; and repeating the step of feeding back and updating until the data source domain completes updating.

4. The method of claim 3, wherein during the deleting and depositing steps the method further comprises: having the personal data subject send the deletion instruction to the data source domain, so that the data source domain determines the personal data copy to delete based on the identifier of the personal data subject, and sends the deletion instruction to the directly associated data domain based on the destination domain identifier of that personal data copy; and having the current propagation domain that receives the deletion request identify the current data copy to delete based on the identifier of the personal data subject, send the deletion instruction to the directly associated data domain based on the destination domain identifier of the current data copy, and then delete the current data copy.

5. The method of claim 4, wherein during the deleting and depositing steps the method further comprises: if the destination domain identifier of the current propagation domain is empty, having the current propagation domain store the identifier of the personal data subject and its own domain identifier into the log; or, if the destination domain identifier of the current propagation domain is not empty, having the current propagation domain store the identifier of the personal data subject, the domain identifier of the current propagation domain, and the domain identifiers recorded in the deposited logs fed back by the inferior domains to the current propagation domain, into the log.

6. The method of claim 5, wherein during the deleting and depositing steps the method further comprises: after the current propagation domain deposits the log, having it sign the deposited log using the private key of the current propagation domain, and feed the signed deposited log back to the superior domain; and having the superior domain unsign the deposited log using the private key of the current propagation domain so as to acquire the domain identifiers in the log fed back by the current propagation domain.

7. The method of claim 6, wherein while a data domain accesses the personal data copy the method further comprises: having the current propagation domain download the desired current data copy based on the identifier of the personal data subject; having the current propagation domain preliminarily parse the current data copy so as to acquire the digital signature, and select the expected public key based on the identifier of the personal data subject to verify the digital signature; and, if verification succeeds, having the current propagation domain unsign the current data copy so as to acquire the personal data.

8. The method of claim 7, wherein every data domain verifies the acquired personal data copy to ensure that the acquired personal data (Data) has not been tampered with; the propagation domain D_i downloads the personal data copy shared by the source domain as needed, based on the logical file name (LFN) carrying the globally unique identifier.
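The abstract and claims 1-8 together describe one protocol: a subject signs (data, subject identifier) and uploads it to a source domain; copies propagate to inferior domains that rewrite the source/destination identifiers and feed their own identifier back up the chain; a deletion instruction follows the destination identifiers back down, and each domain returns a signed log of which domains deleted. The following is an added example written for this page, not code from the patent or its applicant, that models those steps end to end. Assumptions not in the source: domains form a tree below the source domain; the unspecified signature scheme is replaced by a Lamport one-time signature over SHA-256 (each key signs once, so a real deployment would use Ed25519 or similar); the hash input order is data followed by subject identifier; subject public keys come from a constructed in-memory registry `SUBJECT_KEYS`; the `Domain` class, its method names and the `D0`..`D3` scenario are invented; and, since a signature can only be checked with the signer's public key, the superior verifies an inferior's deposited log with that inferior's public key rather than the private key named in claim 6.

```python
# Added example, not the patent's own code: a runnable model of claims 1-8.
# Assumed: tree topology; Lamport one-time signatures over SHA-256 as a stand-in
# for the unspecified scheme; constructed key registry; deposited logs verified
# with the signer's PUBLIC key; transport is a direct method call.
import hashlib
import json
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():  # Lamport one-time key: 256 secret pairs, public key = their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(digest):
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def sign(sk, msg):  # reveal one secret per bit of SHA-256(msg); sk is spent afterwards
    return [sk[i][bit] for i, bit in enumerate(_bits(H(msg)))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))))

SUBJECT_KEYS = {}  # subject identifier -> subject public key (constructed registry)

class Domain:
    def __init__(self, domain_id):
        self.id = domain_id
        self.sk, self.pk = keygen()  # domain key; signs this domain's deletion log once
        self.copies = {}             # subject id -> {sid, data, sig, src, dst}
        self.links = {}              # domain id -> directly associated Domain

    def store_from_subject(self, sid, data, sig):
        # Storing step (claim 1): verify the subject's signature over data||sid; src/dst start empty.
        if not verify(SUBJECT_KEYS[sid], data + sid.encode(), sig):
            raise ValueError("subject signature does not verify")
        self.copies[sid] = {"sid": sid, "data": data, "sig": sig, "src": "", "dst": []}

    def pull_from(self, superior, sid):
        # Circulating step (claims 2, 7, 8): fetch, verify untampered, set src, reset dst, feed back.
        copy = superior.copies[sid]
        if not verify(SUBJECT_KEYS[sid], copy["data"] + sid.encode(), copy["sig"]):
            raise ValueError("copy from %s is tampered" % superior.id)
        self.copies[sid] = {**copy, "src": superior.id, "dst": []}
        self.links[superior.id], superior.links[self.id] = superior, self
        superior.on_feedback(sid, [self.id] + self.copies[sid]["dst"])

    def on_feedback(self, sid, ids):
        # Claim 3: add unseen ids to dst, then repeat upward until the source domain (empty src).
        dst = self.copies[sid]["dst"]
        dst.extend(i for i in ids if i not in dst)
        if self.copies[sid]["src"]:
            self.links[self.copies[sid]["src"]].on_feedback(sid, [self.id] + dst)

    def delete(self, sid):
        # Deleting/depositing steps (claims 4-6): forward to directly associated dst domains,
        # verify their signed logs, delete own copy, then deposit and sign own log.
        # Returns (log, signature) as the feedback to the superior, or None if no copy is held.
        copy = self.copies.get(sid)
        if copy is None:
            return None
        domains = [self.id]
        for inferior in (self.links[i] for i in copy["dst"] if i in self.links):
            fb = inferior.delete(sid)  # transitively listed ids are reached by their own superior
            if fb is None:
                continue  # already deleted via another path
            log, sig = fb
            if not verify(inferior.pk, log, sig):
                raise ValueError("deposited log from %s does not verify" % inferior.id)
            domains += json.loads(log)["domains"]
        del self.copies[sid]
        log = json.dumps({"sid": sid, "domains": domains}).encode()
        return log, sign(self.sk, log)

def run_protocol():
    # Constructed scenario: subject uploads to D0; D1 pulls from D0; D2 and D3 pull from D1;
    # the deletion instruction then reaches D0. Returns (domains D0 knows held a copy,
    # domains whose deletion is logged, domains still holding a copy).
    sid, data = "subject-0001", b"constructed personal record"
    subject_sk, SUBJECT_KEYS[sid] = keygen()
    d0, d1, d2, d3 = (Domain(n) for n in ("D0", "D1", "D2", "D3"))
    d0.store_from_subject(sid, data, sign(subject_sk, data + sid.encode()))
    d1.pull_from(d0, sid)
    d2.pull_from(d1, sid)
    d3.pull_from(d1, sid)
    associated = set(d0.copies[sid]["dst"]) | {d0.id}
    log, sig = d0.delete(sid)
    deleted = set(json.loads(log)["domains"]) if verify(d0.pk, log, sig) else set()
    remaining = [d.id for d in (d0, d1, d2, d3) if sid in d.copies]
    return associated, deleted, remaining

def tampered_copy_rejected():
    # Claim 8: a propagation domain must refuse a copy whose data was altered upstream.
    sid = "subject-0002"
    subject_sk, SUBJECT_KEYS[sid] = keygen()
    d0 = Domain("D0")
    d0.store_from_subject(sid, b"original", sign(subject_sk, b"original" + sid.encode()))
    d0.copies[sid]["data"] = b"altered"
    try:
        Domain("D1").pull_from(d0, sid)
    except ValueError:
        return True
    return False
```

Running `run_protocol()` returns the source domain's view of where copies went (`{"D0", "D1", "D2", "D3"}`, accumulated through the repeated feedback of claim 3), the same set recovered from the signed logs after deletion, and an empty list of remaining holders; comparing the first two sets is the "verification of association-based deletion" the abstract refers to. Note that each domain forwards the instruction only to inferiors it is directly linked to, even though its destination list also carries transitively reported identifiers, so every copy is deleted exactly once and the `None` branch in `delete` only fires if a domain is reachable by two paths.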
CPC classification titles:
- involving digital signatures
- Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network: H04L63/068)
- Protecting personal data, e.g. for financial or medical purposes
- for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- involving additional devices, e.g. trusted platform module [TPM], smartcard or USB