Embed Size (px)
Citation preview
Disclosure Avoidance:An Overview
Irene Wong
ACCOLEDS/DLI Training
December 8, 2003
Note:
The following slides were prepared in conjunction with the ACCOLEDS/DLI Training presentations at the University of Calgary (Alberta) on December 8, 2003, and are not intended for use as documentation of disclosure risk control and practices.
For more information about the slides, please contact the author
Presentation Outline
• Overview of data confidentiality
• Different types of disclosure and output
• Some examples
• Facing the challenge
Why is keeping data confidentiality so important?
• Retain and Respect Public Trust – Most household/population surveys do not have
mandatory participation
– Respondents volunteer their time and information
– Respondents trust Statistics Canada to ensure their privacy and the confidentiality of their information
– To ensure future data collection
– Statistics Act - judiciously guarding respondents’ confidential information
Types of data
• Aggregated data vs. Microdata– Dictate the data release method
• Enterprise data vs. Household data– Mandatory vs. voluntary participation
• Admin Data and Census vs. Sample Survey– Different degree of risk of disclosure
Confidentiality and Disclosure
• Under the Statistics Act, Statistics Canada must protect the confidentiality of respondents’ data and identity.
• Disclosure relates to the inappropriate attribution of information to a data subject, whether the subject is an individual or an organization.
So what’s the problem?
• Direct Identifiers (name, address, health number, etc.) that uniquely identify a respondent. These are all stripped from released data files.
• Indirect Identifiers refer to variables such as age, marital status, occupation, ethnicity, postal code, type of business etc.). When combined they could be used to identify a respondent.
• Sensitive variables refer to information or characteristics relating to a respondent’s private life or business which are usually unknown to others (income, illness, behaviour etc.).
The concern is…
• Combining indirect identifiers with sensitive variables poses a disclosure risk, but…
• It is usually what researchers like to do– to relate specific characteristics of some response
groups to some specific activities/characteristics– and how/why they are related
• Control method: restricted access, data reduction, disclosure analysis …
Controls on microdata release
• Restricted Access– License and data sharing agreement– Strictly control record linkage (direct identifier)– Survey data access restricted within the organization
• Employee access granted on a “need to know” basis only
– Analytical (confidential) database with direct identifiers removed
• Direct access – authorized employee/deemed employee only• Indirect data access (Remote Access services/Remote Data
Access services) - screening
• Data Reduction – e.g. PUMF
Public Use Microdata File (PUMF)
• Files of anonymous individual records• Created for research purposes• Follows Statistics Canada’s Policy on
Microdata Release • Expect some forms of data reduction and
suppression• Expect suppression of sample design
information (cluster, stratification, etc.)
PUMF disclosure risk control
• Suppress some indirect identifiers (e.g. small geographical code, race details, etc.)
• Avoid unique combination of indirect identifiers that can disclose a response unit (such as gender, age, occupation, chronic conditions, religion, etc.)
• Perform Univariate analyses and look for outliers
• Sometimes maximum/minimum values are capped
• And more…
Protection of confidential data
• Physical protection of the data storage area
• Protection of the computer systems
• Enforcement of data releasers’ and users’ responsibilities to protect respondent confidentiality
• Disclosure analysis on output that leaves the restricted data storage area
Identity Disclosure
• Identity Disclosure - When a respondent can be identified from the released data.– Combine identifier with sensitive variables
Examples:• Spontaneous recognition of well-known
characteristic by others (e.g. from small sample)• Self-disclosure (e.g., respondent self-identifies
when complaining to the media on privacy violation)
Attribute Disclosure
• Attribute Disclosure - When confidential information is revealed and can be attributed to an individual or a group.– Such as, all persons with characteristic x have
characteristic y
Examples:
• People in occupation W make $ 50-60,000/year…• 100% of the respondents of age W in area X
reported that they experimented with …
Residual Disclosure
• Residual disclosure - when confidential information is disclosed by combining previously released output and information.
• Extra care is needed where risk of residual disclosure is high, such as – Subsequent cycles of longitudinal data files (e.g. NLSCY,
NPHS, etc.)– Sample from dependent surveys (e.g. SLID and LFS)– Research projects using the same data file– Overlapping small geographical area (e.g. Health Region
and Economic Region)
Types of outputs
• Analytic studies (e.g. inferential statistics/model output)– Model parameters such as, regression coefficients, etc.
– Hypothesis test results such as, p-value, t-statistics, etc.
• Descriptive studies (e.g. table output)– Frequencies, percentiles, cross-tabulation, standard
errors, correlation matrix, etc.
To lower disclosure risk
General rules we follow for household sample surveys:• Do not report statistics or table cells with small
number of respondents (e.g. fewer than 5 respondents) • No anecdotal information may be given about specific
respondents• ‘Zero’ and ‘Full’ cell restriction• Min. and Max. value restriction• Saturated models, covariance/correlation matrices
treated like underlying tables• And more…..
Some examples…
Low frequency cells
F, 0 is a low frequency cell.
Solution?
• Collapse column ‘M’ and ‘F’ = column ‘total’
• Collapse row ‘1’ and ‘0’ = row ‘total’
• Report either column ‘M’ and row ‘1’ but not along with the ‘total’
M F total
1 34 14 48
0 15 2 17
total 49 16 65
M F total
1 34 14 48
0 15 X 17
total 49 16 65
Frequency distributions
Frequency curve, e.g.: user wishes to release the the value of observation at the 99th percentile
* child 1: family 1
child 2: family 1
child 3: family 2
child 4: family 2
child 5: family 3….
If < 5 respondents are above the 99th percentile, there is a problem. One solution is to describe the distribution using the 95th percentile.
* If the survey is multilevel (NLSCY), then the 5 or more respondents from level 1 (child) must come from at least 3 different units from level 2 (household).
‘Zero’ and ‘Full’ cell
• (F, 1) is a full cell• (F, 0) is a non-structural zero
cell– Both could pose confidentiality
problem
• (Married, age <12) is a structural zero cell– Not a data confidentiality
problem – Not expect anyone to be in this
category
M F total
1 52 64 116
0 13 0 13
65 64 129
age married single total
<12 0 40 40
13-20 5 35 40
>20 32 8 40
37 83 120
Implied tables - residual disclosure
• Implied tables are tables produced by subtracting results from one or more published tables from another published table
• In this example, ‘non-married’ individuals can easily be calculated
Select if Married = 1
Yes No1 2013 40
2 205 35
3 132 8
2350 83
Select all cases
Yes No1 2020 41
2 209 52
3 430 16
2659 109
When reporting information…
• Writing a report is no different than working with table output, avoid statements such as:
• “… responded incomes ranging from $2,498 to $579,789.”– If necessary, give general indications (e.g. “no income was
above $600,000”.)
• “… all respondents of age 16 reported experimenting with drugs.”– This is equivalent to a full cell situation.
Related Outputs
• If PUMF as well as analytical outputs using confidential data are released for the same survey, the published results should not disclose sensitive information about individual respondents that was suppressed in the PUMF.
• That is, from the reported results, it should not be possible to infer information that allows the identification of a PUMF respondent.
Facing Challenges
• No single control of all the releases – Remote Access, PUMFs, RDCs, survey data
publications, etc.
• Potential residual disclosure
• Can residual disclosure be totally accounted for? Can it be better controlled?
What RDCs are doing now…
• Educate data users to – Take precautions when dealing with confidential
information– Recognize disclosure risk– Make use of alternative reporting and
complementary suppression– Limit intermediary outputs
What else should we do?
• Match against other types of file releases to assess overall disclosure risk?
• Future data reduction in PUMFs and publications?• Follow the American RDC approach? • Different disclosure analysis approach for
different data files?• Stricter screening process?• ……
