Quality Indicators for Statistical Disclosure Methods: A Case Study on the Structure of Earnings Survey

Abstract Scientific- or public-use files are typically produced by applying anonymisation methods to the original data. Anonymised data should have both low disclosure risk and high data utility. Data utility is often measured by comparing well-known estimates from original data and anonymised data, such as comparing their means, covariances or eigenvalues. However, it is a fact that not every estimate can be preserved. Therefore the aim is to preserve the most important estimates, that is, instead of calculating generally defined utility measures, evaluation on context/data dependent indicators is proposed. In this article we define such indicators and utility measures for the Structure of Earnings Survey (SES) microdata and proper guidelines for selecting indicators and models, and for evaluating the resulting estimates are given. For this purpose, hundreds of publications in journals and from national statistical agencies were reviewed to gain insight into how the SES data are used for research and which indicators are relevant for policy making. Besides the mathematical description of the indicators and a brief description of the most common models applied to SES, four different anonymisation procedures are applied and the resulting indicators and models are compared to those obtained from the unmodified data. The disclosure risk is reported and the data utility is evaluated for each of the anonymised data sets based on the most important indicators and a model which is often used in practice.

Download Full-text

Providing Data With High Utility And No Disclosure Risk For The Public and Researchers: An Evaluation By Advanced Statistical Disclosure Risk Methods

Austrian Journal of Statistics ◽

10.17713/ajs.v43i4.43 ◽

2014 ◽

Vol 43 (4) ◽

pp. 247-254

Author(s):

Matthias Templ

Keyword(s):

Data Privacy ◽

Data Sets ◽

Real World Data ◽

Data Set ◽

The Public ◽

Disclosure Control ◽

High Data ◽

Disclosure Risk ◽

Statistical Disclosure ◽

High Utility

The demand of data from surveys, registers or other data sets containing sensibleinformation on people or enterprises have been increased significantly over the last years.However, before providing data to the public or to researchers, confidentiality has to berespected for any data set containing sensible individual information. Confidentiality canbe achieved by applying statistical disclosure control (SDC) methods to the data. Theresearch on SDC methods becomes more and more important in the last years because ofan increase of the awareness on data privacy and because of the fact that more and moredata are provided to the public or to researchers. However, for legal reasons this is onlyvisible when the released data has (very) low disclosure risk.In this contribution existing disclosure risk methods are review and summarized. Thesemethods are finally applied on a popular real-world data set - the Structural EarningsSurvey (SES) of Austria. It is shown that the application of few selected anonymisationmethods leads to well-protected anonymised data with high data utility and low informationloss.

Download Full-text

Measuring Disclosure Risk and Data Utility for Flexible Table Generators

Journal of Official Statistics ◽

10.1515/jos-2015-0019 ◽

2015 ◽

Vol 31 (2) ◽

pp. 305-324 ◽

Cited By ~ 5

Author(s):

Natalie Shlomo ◽

Laszlo Antal ◽

Mark Elliot

Keyword(s):

Original Data ◽

Web Based ◽

Data Utility ◽

Output Table ◽

Disclosure Control ◽

Disclosure Risk ◽

Final Output ◽

Statistical Disclosure ◽

Original Table ◽

Use Of The Internet

Abstract Statistical agencies are making increased use of the internet to disseminate census tabular outputs through web-based flexible table-generating servers that allow users to define and generate their own tables. The key questions in the development of these servers are: (1) what data should be used to generate the tables, and (2) what statistical disclosure control (SDC) method should be applied. To generate flexible tables, the server has to be able to measure the disclosure risk in the final output table, apply the SDC method and then iteratively reassess the disclosure risk. SDC methods may be applied either to the underlying data used to generate the tables and/or to the final output table that is generated from original data. Besides assessing disclosure risk, the server should provide a measure of data utility by comparing the perturbed table to the original table. In this article, we examine aspects of the design and development of a flexible table-generating server for census tables and demonstrate a disclosure risk-data utility analysis for comparing SDC methods. We propose measures for disclosure risk and data utility that are based on information theory.

Download Full-text

Examining Disclosure Risk and Data Utility: An Administrative Data Case Study

International Journal of Digital Curation ◽

10.2218/ijdc.v9i1.297 ◽

2014 ◽

Vol 9 (1) ◽

pp. 12-24

Author(s):

Michael Comerford

Keyword(s):

Administrative Data ◽

Real World ◽

Data Sources ◽

Sufficient Data ◽

Ethical Challenges ◽

Data Utility ◽

Disclosure Risk ◽

Individual Privacy

The plethora of new data sources, combined with a growing interest in increased access to previously unpublished data, poses a set of ethical challenges regarding individual privacy. This paper sets out one aspect of those challenges: the need to anonymise data in such a form that protects the privacy of individuals while providing sufficient data utility for data users. This issue is discussed using a case study of Scottish Government’s administrative data, in which disclosure risk is examined and data utility is assessed using a potential ‘real-world’ analysis.

Download Full-text

ON ASSESSING THE DISCLOSURE RISK OF CONTROLLED ADJUSTMENT METHODS FOR STATISTICAL TABULAR DATA

International Journal of Uncertainty Fuzziness and Knowledge-Based Systems ◽

10.1142/s0218488512400314 ◽

2012 ◽

Vol 20 (06) ◽

pp. 921-941 ◽

Cited By ~ 8

Author(s):

JORDI CASTRO

Keyword(s):

Minimum Distance ◽

Optimization Problems ◽

Statistical Disclosure Control ◽

Tabular Data ◽

Perturbative Approach ◽

Disclosure Control ◽

High Data ◽

Disclosure Risk ◽

Statistical Disclosure ◽

Theoretical Results

Minimum distance controlled tabular adjustment is a recent perturbative approach for statistical disclosure control in tabular data. Given a table to be protected, it looks for the closest safe table, using some particular distance. Controlled adjustment is known to provide high data utility. However, the disclosure risk has only been partially analyzed using theoretical results from optimization. This work extends these previous results, providing both a more detailed theoretical analysis, and an extensive empirical assessment of the disclosure risk of the method. A set of 25 instances from the literature and four different attacker scenarios are considered, with several random replications for each scenario, both for L1 and L2 distances. This amounts to the solution of more than 2000 optimization problems. The analysis of the results shows that the approach has low disclosure risk when the attacker has no good information on the bounds of the optimization problem. On the other hand, when the attacker has good estimates of the bounds, and the only uncertainty is in the objective function (which is a very strong assumption), the disclosure risk of controlled adjustment is high and it should be avoided.

Download Full-text

Data Anonymization through Collaborative Multi-view Microaggregation

Journal of Intelligent Systems ◽

10.1515/jisys-2020-0026 ◽

2020 ◽

Vol 30 (1) ◽

pp. 327-345

Author(s):

Sarah Zouinina ◽

Younès Bennani ◽

Nicoleta Rogovschi ◽

Abdelouahid Lyhyaoui

Keyword(s):

Vector Quantization ◽

Experimental Results ◽

Quantization Method ◽

Data Utility ◽

Data Anonymization ◽

Disclosure Risk ◽

Main Challenge ◽

Collaborative Clustering ◽

The Will ◽

Utility Measures

Abstract The interest in data anonymization is exponentially growing, motivated by the will of the governments to open their data. The main challenge of data anonymization is to find a balance between data utility and the amount of disclosure risk. One of the most known frameworks of data anonymization is k-anonymity, this method assumes that a dataset is anonymous if and only if for each element of the dataset, there exist at least k − 1 elements identical to it. In this paper, we propose two techniques to achieve k-anonymity through microaggregation: k-CMVM and Constrained-CMVM. Both, use topological collaborative clustering to obtain k-anonymous data. The first one determines the k levels automatically and the second defines it by exploration. We also improved the results of these two approaches by using pLVQ2 as a weighted vector quantization method. The four methods proposed were proven to be efficient using two data utility measures, the separability utility and the structural utility. The experimental results have shown a very promising performance.

Download Full-text

Releasing Microdata: Disclosure Risk Estimation, Data Masking and Assessing Utility

Journal of Privacy and Confidentiality ◽

10.29012/jpc.v2i1.584 ◽

2010 ◽

Vol 2 (1) ◽

Cited By ~ 5

Author(s):

Natalie Shlomo

Keyword(s):

Risk Assessment ◽

Risk Estimation ◽

Utility Assessment ◽

Data Utility ◽

Social Surveys ◽

Disclosure Risk ◽

Recent Developments ◽

Data Masking ◽

Statistical Agencies ◽

Utility Approach

Statistical Agencies need to make informed decisions when releasing sample microdata from social surveys with respect to the level of protection required in the data and the mode of access. These decisions should be based on objective quantitative measures of disclosure risk and data utility. This paper reviews recent developments in disclosure risk assessment and discusses how these can be integrated with established methods of data masking and utility assessment for releasing microdata. We illustrate the Disclosure risk-Data Utility approach based on samples drawn from a Census where the population is known and can be used to investigate sample-based methods and validate results.

Download Full-text

Statistical Disclosure Limitation: New Directions and Challenges

Journal of Privacy and Confidentiality ◽

10.29012/jpc.684 ◽

2018 ◽

Vol 8 (1) ◽

Author(s):

Natalie Shlomo

Keyword(s):

Data Dissemination ◽

Differential Privacy ◽

Synthetic Data ◽

Remote Access ◽

Disclosure Limitation ◽

Disclosure Risk ◽

Statistical Disclosure Limitation ◽

Statistical Disclosure ◽

Statistical Agencies ◽

Definition Of

An overview of traditional types of data dissemination at statistical agencies is provided including definitions of disclosure risks, the quantification of disclosure risk and data utility and common statistical disclosure limitation (SDL) methods. However, with technological advancements and the increasing push by governments for openand accessible data, new forms of data dissemination are currently being explored. We focus on web-based applications such as flexible table builders and remote analysis servers, synthetic data and remote access. Many of these applications introduce new challenges for statistical agencies as they are gradually relinquishing some of their control on what data is released. There is now more recognition of the need for perturbative methods to protect the confidentiality of data subjects. These new forms of data dissemination are changing the landscape of how disclosure risks are conceptualized and the types of SDL methods that need to be applied to protect thedata. In particular, inferential disclosure is the main disclosure risk of concern and encompasses the traditional types of disclosure risks based on identity and attribute disclosures. These challenges have led to statisticians exploring the computer science definition of differential privacy and privacy- by-design applications. We explore how differential privacy can be a useful addition to the current SDL framework within statistical agencies.

Download Full-text

A CRITIQUE OF THE SENSITIVITY RULES USUALLY EMPLOYED FOR STATISTICAL TABLE PROTECTION

International Journal of Uncertainty Fuzziness and Knowledge-Based Systems ◽

10.1142/s0218488502001636 ◽

2002 ◽

Vol 10 (05) ◽

pp. 545-556 ◽

Cited By ~ 11

Author(s):

JOSEP DOMINGO-FERRER ◽

VICENÇ TORRA

Keyword(s):

Risk Assessment ◽

A Priori ◽

Tabular Data ◽

Disclosure Control ◽

Disclosure Risk ◽

Dominance Rule ◽

Statistical Table ◽

Statistical Disclosure ◽

A Cell ◽

Statistical Agencies

In statistical disclosure control of tabular data, sensitivity rules are commonly used to decide whether a table cell is sensitive and should therefore not be published. The most popular sensitivity rules are the dominance rule, the p%-rule and the pq-rule. The dominance rule has received critiques based on specific numerical examples and is being gradually abandoned by leading statistical agencies. In this paper, we construct general counterexamples which show that none of the above rules does adequately reflect disclosure risk if cell contributors or coalitions of them behave as intruders: in that case, releasing a cell declared non-sensitive can imply higher disclosure risk than releasing a cell declared sensitive. As possible solutions, we propose an alternative sensitivity rule based on the concentration of relative contributions. More generally, we suggest to complement a priori risk assessment based on sensitivity rules with a posteriori risk assessment which takes into account tables after they have been protected.

Download Full-text

Data trajectories: tracking reuse of published data for transitive credit attribution

International Journal of Digital Curation ◽

10.2218/ijdc.v11i1.425 ◽

2016 ◽

Vol 11 (1) ◽

pp. 1-16 ◽

Cited By ~ 2

Author(s):

Paolo Missier

Keyword(s):

Data Model ◽

Open Data ◽

Original Data ◽

Open Science ◽

Data Reuse ◽

Published Data ◽

Data Sets ◽

In The Wild ◽

Context Data ◽

Direct Measures

The ability to measure the use and impact of published data sets is key to the success of the open data/open science paradigm. A direct measure of impact would require tracking data (re)use in the wild, which is difficult to achieve. This is therefore commonly replaced by simpler metrics based on data download and citation counts. In this paper we describe a scenario where it is possible to track the trajectory of a dataset after its publication, and show how this enables the design of accurate models for ascribing credit to data originators. A Data Trajectory (DT) is a graph that encodes knowledge of how, by whom, and in which context data has been re-used, possibly after several generations. We provide a theoretical model of DTs that is grounded in the W3C PROV data model for provenance, and we show how DTs can be used to automatically propagate a fraction of the credit associated with transitively derived datasets, back to original data contributors. We also show this model of transitive credit in action by means of a Data Reuse Simulator. In the longer term, our ultimate hope is that credit models based on direct measures of data reuse will provide further incentives to data publication. We conclude by outlining a research agenda to address the hard questions of creating, collecting, and using DTs systematically across a large number of data reuse instances in the wild.

Download Full-text

Segment-Based Approach for Assessing Hazard Risk of Coastal Highways in Hawai‘i

Transportation Research Record Journal of the Transportation Research Board ◽

10.1177/0361198118821679 ◽

2019 ◽

Vol 2673 (1) ◽

pp. 83-91 ◽

Cited By ~ 2

Author(s):

Harrison Togia ◽

Oceana P. Francis ◽

Karl Kim ◽

Guohui Zhang

Keyword(s):

Qualitative Method ◽

Data Sets ◽

Regional Environment ◽

The Road ◽

Hazard Exposure ◽

Multiple Indicators ◽

System Data ◽

Rural Highway ◽

Geographic Information System Data

Hazards to roadways and travelers can be drastically different because hazards are largely dependent on the regional environment and climate. This paper describes the development of a qualitative method for assessing infrastructure importance and hazard exposure for rural highway segments in Hawai‘i under different conditions. Multiple indicators of roadway importance are considered, including traffic volume, population served, accessibility, connectivity, reliability, land use, and roadway connection to critical infrastructures, such as hospitals and police stations. The method of evaluating roadway hazards and importance can be tailored to fit different regional hazard scenarios. It assimilates data from diverse sources to estimate risks of disruption. A case study for Highway HI83 in Hawai‘i, which is exposed to multiple hazards, is conducted. Weakening of the road by coastal erosion, inundation from sea level rise, and rockfall hazards require adaptation solutions. By analyzing the risk of disruption to highway segments, adaptation approaches can be prioritized. Using readily available geographic information system data sets for the exposure and impacts of potential hazards, this method could be adapted not only for emergency management but also for planning, design, and engineering of resilient highways.

Download Full-text