Presentation is loading. Please wait.

Presentation is loading. Please wait.

ROLE OF ANONYMIZATION FOR DATA PROTECTION Irene Schluender and Murat Sariyar (TMF)

Published byRosamond Taylor Modified over 8 years ago

Similar presentations

Presentation on theme: "ROLE OF ANONYMIZATION FOR DATA PROTECTION Irene Schluender and Murat Sariyar (TMF)"— Presentation transcript:

1 ROLE OF ANONYMIZATION FOR DATA PROTECTION Irene Schluender and Murat Sariyar (TMF)

2 Background Individual-level data used in health research contexts:  EHRs  hospital discharge databases  Health insurance data  Clinical studies  Genetic datasets: 1000 genomes, HapMap, TCGA, …

3 Legal reasons for anonymisation: Privacy BASIC DATA PROTECTION CONSTRAINTS Legal framework: national Law, EU Law, no international harmonisation, only „softlaw“, e.g. Declaration of Helsinki EU Data Protection Directive: Any processing of personal data is generally prohibited, if not explicitly permitted (Article 7: “Member States shall provide that personal data may be processed only if:…) Permission must be based on law or on the consent of the data subject refer to a specific purpose difficult in „omics“ research and data mining

4 ANONYMISATION AS „MAGIC BULLET“? Article 7: “Member States shall provide that personal data may be processed only if:… Dichotomy of data protection law: anonymous versus personal data: Only personal data is protected by law Anonymous data: no consent or other legal basis needed for processing (Rec. 26: “the principles of protection shall not apply to data rendered anonymous”) Conclusion: anonymise to get rid of any data protection constraints!

5 Anonymisation vs. De-identification No HIPPA List! Removing all 18 identifiers leads to de-identified data, not to anonymous data! The list makes only sense within the context of HIPAA and cannot be transferred into the European legal framework.

6 Context and Trade-off Anonymisation is not static, but dependent on context knowlwdge  „Harry Smith“  De facto anonymity is sufficient („reasonable means“) Trade-off: usefulness and re-identification risk  information is reduced or distorted  some of it may be relevant for research  Challenges: enhanced re-identification technologies, increasing context kowledge

7 Anonymisation of genetic data? DNA sequences alone do not disclose the identity of an individual But it can be enough information to single out a person Opinion on Anonymisation Techniques (Art. 29 Working Party): “Genetic data profiles are an example of personal data that can be at risk of identification if the sole technique used is the removal of the identity of the donor due to the unique nature of certain profiles. It has already been shown in the literature that the combination of publically available genetic resources (e.g. genealogy registers, obituary, results of search engine queries) and the metadata about DNA donors (time of donation, age, place of residence) can reveal the identity of certain individuals even if that DNA was donated ‘anonymously’”.

8 Side-effects (adverse events) of anonymisation Full (unlinked) anonymisation deprives the donor of the possibility to use their right to withdraw consent (critical for biosamples/genetic data) It makes feeding back research results or incidental findings impossible It is not useful in cases where research is linked to treatment (oncology: precision medicine)

9 Therefore … Anonymisation is not a panacea to resolve any data protection issues We will have to rely on „Broad consent“ (for example as agreed with the German Ethics Committee‘s Working Group) + additional safeguards (access control etc.) Broad consent will (hopefully) supported by GDPR (Rec. 25aa)

10 The technical perspective

11 What is anonymization? ISO 29100:2011: “Anonymization is the process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party.”

12 Relevant terms: Kind of Attributes Kind of attributes: (1)Unique Identifiers (e.g., social security number) (2)Quasi-Identifiers (e.g., Zip-Code) => QIDs (3)Sensitive attributes (exhibiting a special characteristic) (4)Non-sensitive attributes

13 Relevant terms: Quasi-Identifier OECD-Definition for a Quasi-Identifier: Variable values or combinations of variable values within a dataset that are not structural uniques but might be empirically unique and therefore in principle uniquely identify a population unit. Should contain an attribute A if an attacker could potentially obtain A from other external resources. QIDs (5-digit ZIP code, birth date, gender) uniquely identify 87% of the population in the U.S.

14 Important Anonymization techniques Generalization and Suppression (hide some details in QID)  Replace some values with a parent value in a taxonomy  Full-domain and local (subtree, cell) generalization  Suppression (see former slide) Anatomization and Permutation (structural changes)  Deassociate the relationship between QIDs and sensitive attributes  Partition into groups and shuffle sensitive values within each group Perturbation  Additive Noise (Randomization; independent of other recs => data streams), Data swapping, synthetic data generation

15 Anonymization techniques: Cave These are criteria not techniques: K-Anonymity L-Diversity T-Closeness And there is no hierarchy! K-Anonymity protects against identity disclosure L-diversity and T-Closeness protect against attribute disclosure There are more definitions for L-diversity

16 Anonymization techniques: generalization

17 Conclusion Creating an anonymous dataset whilst retaining as much of the underlying information as required for the task (usefulness) is done by technical means However … The legal perspective should correspond with the technical one (e.g., regarding the definition of sensitive attributes)

18 References BCM Fung et al. Privacy-preserving data publishing: A survey of recent developments. 2010 (ACM Computing Surveys) L Sweeney. K-anonymity: a model for protecting privacy. 2002 (International Journal on Uncertainty, Fuzziness and Knowledge-based Systems) CC Aggarwal. Privacy-Preserving Data Mining: Models and Algorithms (Advances in Database Systems). 2008 (Springer)

Download ppt "ROLE OF ANONYMIZATION FOR DATA PROTECTION Irene Schluender and Murat Sariyar (TMF)"

Similar presentations

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.
NATIONAL INFORMATION GOVERNANCE BOARD

NATIONAL INFORMATION GOVERNANCE BOARD
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Data Protection: Health. Data Protection & Health Data Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with.

Data Protection: Health. Data Protection & Health Data Data on physical or mental health or condition or sexual life are ‘sensitive personal data’ with.
21-1 Last time Database Security  Data Inference  Statistical Inference  Controls against Inference Multilevel Security Databases  Separation  Integrity.

21-1 Last time Database Security  Data Inference  Statistical Inference  Controls against Inference Multilevel Security Databases  Separation  Integrity.
Protecting the Privacy of Family Members in Survey and Pedigree Research Jeffrey R. Botkin, MD, MPH University of Utah.

Protecting the Privacy of Family Members in Survey and Pedigree Research Jeffrey R. Botkin, MD, MPH University of Utah.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Privacy and Information Security Essentials

Privacy and Information Security Essentials
1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, 2013 © Ravi.

1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, © Ravi.
Statistical database security Special purpose: used only for statistical computations. General purpose: used with normal queries (and updates) as well.

Statistical database security Special purpose: used only for statistical computations. General purpose: used with normal queries (and updates) as well.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
Protecting Participants in a Global Research Community Dr. Jane Kaye University of Oxford, UK.

Protecting Participants in a Global Research Community Dr. Jane Kaye University of Oxford, UK.
C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Data Privacy.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Data Privacy.
Privacy in Computing Legal & Ethical Issues in Computer …Security Information Security Management …and Security Controls Week-9.

Privacy in Computing Legal & Ethical Issues in Computer …Security Information Security Management …and Security Controls Week-9.
Task 1: Privacy Preserving Genomic Data Sharing Presented by Noman Mohammed School of Computer Science McGill University 24 March 2014.

Task 1: Privacy Preserving Genomic Data Sharing Presented by Noman Mohammed School of Computer Science McGill University 24 March 2014.
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

Similar presentations

Ads by Google