How do you anonymize personal databases and protect people's privacy – over to you, NIST

Who is Bradley Cooper?

And why should I care? Can't you pick someone better known to show getting into a NY cab, like Elvis?

Wow! Six comments already...

Does that mean everyone elseis busy working on it?

Or is everyone working on the obvious conclusion: "Getting into NSA will make me famous."

If people are interested there are a few papers over IPC. The paper I've linked below covers a lot of the examples used by NIST and looks to challenge the view that de-identification of information will simply just lead to the data being later re-identified through the aggregation with other data sets.

It's an interesting area of research, one that is very much in it's infancy but is so important to progress with.

https://www.ipc.on.ca/images/Resources/anonymization.pdf

Pseudonymised NHS data

I wrote some software a few years ago to let GPs/PCTs/CCGs/etc (ie. UK family doctors and the people who pay them and fund medical care) identify anomalies in referral patterns, hospital admissions, length of stay in hospital, "GP performance", "over-referrals" (largely a myth, BTW) and so on. It was funded and used by local GPs - ie. the NHS itself - and the base dataset was the NHS Spine data.

The software was great, but it was useless for the first year or so, because no-one would let me (ie. the GPs) see the raw data with DOBs and gender in it, and you can't do the stats without them. It took a year to get the authorisations, but without postcode (or, equivalently, deprivation) data. Much better, but you can't really be sure what's going on without post/zip code, which makes the data identifiable. I spent about a year trying to get the additional clearance, but there was so much politics in the local NHS that it was next to impossible. The whole system then imploded with the PCT/CCG changeover, and everyone's access to the data was withdrawn, and the funding went, and the NHS disappeared up it's own backside.

So, the software has been unused for 2 years, and no-one in this area (and probably any other area) has any statistically valid way of finding out what's going on in primary care. The govt has now apparently decided that this is important again, so other people are now going to spend a couple of years dicking about trying to get the Spine data, before losing it again. And the whole pointless cycle will repeat again in another 5 years. And the base Spine dataset cost going on for a *billion* to create, plus maintenance.

So, if you're worried about the privacy of your NHS data - don't be. Everyone in charge is so stupid and paranoid that no-one's ever going to see it anyway.

Anonymous aggregates

I cannot imagine that lay people, i.e. politicians and journalists, will ever understand the difference between aggregated data and anonymous data.

Aggregated data would say, for example, the average blood pressure in postal area GU99 is P with standard deviation (*) Q. 'Anonymised' data says that Mr Z of GU99 9ZZ has blood pressure P. When the marketing droids also establish that Mr Z drives a red car and owns five computers, it all becomes uncomfortable.

It would be nice if database queries were restricted to aggregate data, but I don't see that as practical.

(*) Another term I have yet to see any journalist or poitician understand.

Urgent need

I agree that "Given the growing interest in de-identification, there is a clear need for standards and assessment techniques that can measurably address the breadth of data and risks," but standards may take an additional 10 years to agree on and enforcing regulations is always difficult.

We know that NIST is concluding that "Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory." It may take many years to fix this issue.

We know that "the risk depends upon the availability of data in the future that may not be available now." So we need a policy driven approach that can be easily adjusted over time as more data is available.

I like to consider employing "a combination of several approaches to mitigate re-identification risk. These include technical controls." I've seen two interesting technical approaches that can provide a balanced combined solution to address the growing issue of privacy and access to data. The first approach is based on a service oriented privacy-preserving data publishing. This service oriented approach can provide policy driven control over how combinations of different data is accessed and the accumulated volume of data that is accessed. The second approach is based on data tokenization and dynamic masking, can secure the data itself against misuse and theft.

I think that a balance between the first and second approach can provide an attractive data centric solution for different sensitivity levels.

I agree that we need a "balance between providing privacy and useful data," and we are running out of time to fix this growing issue.

Ulf Mattsson, CTO Protegrity

Quantization would be a good first step.

Researches don't really need a birthdate accurate to one day, quanize to 1 or 1/2 month.

Group small zip code areas into slightly larger areas.

Quanize other location and time information.

Etc.