SlideShare a Scribd company logo

Sharing Confidential Data in ICPSR

Download as PPTX, PDF
ARDC, profile picture
ARDC

The document discusses the complexities and risks associated with sharing confidential data in research, emphasizing the importance of protecting individual identities to prevent harm. It outlines various strategies for ensuring confidentiality, such as modifying data, implementing safe settings, and developing data use agreements, while highlighting the need for comprehensive institutional protocols. Additionally, it addresses the technical and ethical challenges researchers face in balancing data access with participant privacy.

Education
Related topics:
Data Sharing
1 of 32
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Sharing Confidential Data George Alter University of Michigan
Disclosure: Risk & Harm • What do we promise when we conduct research about people? – That benefits (usually to society) outweigh risk of harm (usually to individual) – That we will protect confidentiality • Why is confidentiality so important? – Because people may reveal information to us that could cause them harm. – Examples: criminal activity, antisocial activity, medical conditions...
Who are We Afraid of? • Parents trying to find out if their child had an abortion or uses drugs • Spouse seeking hidden income or infidelity in a divorce • Insurance companies seeking to eliminate risky individuals • Other criminals and nuisances • NSA, CIA, FBI, KGB, SABOT, SBL, SMERSH, KAOS, etc...
What are We Afraid of... • Direct Identifiers – Inadvertent release of unnecessary information (Name, phone number, SSN…) – Direct identifiers required for analysis (location, genetic characteristics,…) • Indirect Identifiers – Characteristics that identify a subject when combined (sex, race, age, education, occupation)
Deductive Disclosure • A combination of characteristics could allow an intruder to re-identify an individual in a survey “deductively,” even if direct identifiers are removed. • Dependent on – Knowing someone in the survey – Matching cases to a database
Deductive Disclosure Contextual data increases the risk of disclosure – Some attributes can be known by an outsider (age, race) – Individuals are more identifiable in smaller populations • The more specific the geography, the more attention must be paid to disclosure risk.
Contextual data in social science research Geographic context • Neighborhood characteristics, economic conditions, health services, distance to resources, etc. Institutional context • School • Hospital • Prison
Current Survey Designs Increase the Risks of Disclosing Subjects’ Identities • Geographically referenced data • Longitudinal data • Multi-level data: – Student, teacher, school, school district – Patient, clinic, community
Protecting Confidential Data • Safe data: Modify the data to reduce the risk of re-identification • Safe projects: Reviewing research designs • Safe settings: Physical isolation and secure technologies • Safe people: Training and Data use agreements • Safe outputs: Results are reviewed before being released to researchers
Safe data Disclosure risks can be reduced by: • Multiple sites rather than single locations • Keeping sampling locations secret – Releasing characteristics of contexts without providing locations • Oversampling rare characteristics
Safe Data Data masking • Grouping values • Top-coding • Aggregating geographic areas • Swapping values • Suppressing unique cases • Sampling within a larger data collection • Adding “noise” • Replacing real data with synthetic data
Safe Projects • Research plans are reviewed before access is approved • Levels of project review 1. Does the research plan require confidential data? 2. Would the research plan identify individual subjects? 3. Is the research scientifically sound? Does it “serve the public good”? • Scientific review requires standards and expertise
Safe Settings • Data protection plans • Remote submission and execution • Virtual data enclave • Physical enclave
Data Protection Plans should address risks: • unauthorized use of account on computer • computer break-in by exploiting vulnerability • hijacking of computer by malware or botware • interception of network traffic between computers • loss of computer or media • theft of computer or media • eavesdropping of electronic output on computer screen • unauthorized viewing of paper output We often focus too much on technology and not enough on risk. Safe Settings
Improving Data Security Plans • Problems – PIs lack technical expertise – Requirements are inconsistent and confusing – Monitoring compliance is expensive • An alternative: Institution-level data security protocols – Tiered guidelines for different levels of risk – Focus on mitigating risks not specifying technologies – Certification of researchers – Institutional oversight
• Remote submission and execution – User submits program code or scripts, which are executed in a controlled environment • Virtual data enclave – Remote desktop technology prevents moving data to user’s local computer – Requires a data use agreement • Physical enclave – Users must travel to the data Safe Settings
Virtual Data Enclave
The Virtual Data Enclave (VDE) provides remote access to quantitative data in a secure environment.
Safe people • Data use agreements • Training
Safe people • Parts of a data use agreement at ICPSR – Research plan – IRB approval – Data protection plan – Behavior rules – Security pledge – Institutional signature
Informed Consent Interview Data producer Data archive Researcher Data Use Agreement Institution Dataflow Data Dissemination Agreement Research Plan IRB Approval Data Protection Plan
Data Use Agreement: Behavior rules To avoid inadvertent disclosure of persons, families, households, neighborhoods, schools or health services by using the following guidelines in the release of statistics derived from the dataset. 1. In no table should all cases in any row or column be found in a single cell. 2. In no case should the total for a row or column of a cross- tabulation be fewer than ten. 3. In no case should a quantity figure be based on fewer than ten cases. 4. In no case should a quantity figure be published if one case contributes more than 60 percent of the amount. 5. In no case should data on an identifiable case, or any of the kinds of data listed in preceding items 1-3, be derivable through subtraction or other calculation from the combination of tables released.
Data Use Agreement The Recipient Institution will treat allegations, by NAHDAP/ICPSR or other parties, of violations of this agreement as allegations of violations of its policies and procedures on scientific integrity and misconduct. If the allegations are confirmed, the Recipient Institution will treat the violations as it would violations of the explicit terms of its policies on scientific integrity and misconduct.
Problems with DUAs • DUAs are issued by project. – Every PI gets a new DUA, even if the Institution has already signed the DUA for someone else • Language and conditions in DUAs are not standard – Frequent negotiations and lawyering
Reducing the costs of DUAs • Institution-wide agreements – One agreement per institution, not per project – A designated “data steward” adds qualified researchers to the agreement – Example: Databrary Agreement • Covers informed consent, data sharing, data use • Researcher certification covering multiple datasets
Disclosure: Graph with extreme values example no Arrested in last year? yes Data were collected for a sample of 104 people in a county. Among the variables collected were age, gender, and whether the person was arrested within the last year. Box plots below show the distribution of age, one plot for those arrested and one for those who were not. The number labels are case number in the dataset. The potential identifiability represented by outlying values is compounded here by an unusual combination that could probably be identified using public records for a county in the U.S. --someone approximately 90 years old was arrested in the sample. Including extreme values is a disclosure risk for identifiability when combined with other variables in the dataset. N 104 min age 12 max age 95 mean age 51 std dev 15 % female 5.2 % arrested 5.8 Safe People: Disclosure risk online tutorial
• Controlled environments allow review of outputs o Remote submission and execution o Virtual data enclaves o Physical enclaves • Disclosure checks may be automated, but manual review is usually necessary Safe outputs
Weighing Costs and Benefits • Data protection has costs – Modifying data affects analysis – Access restrictions impose burdens on researchers • Protection measures should be proportional to risks – Probability that an individual can be (re-)identified – Severity of harm resulting from re-identification
Gradient of Risk & Restriction SeverityofHarm Probability of Disclosure Tiny Risk Web Access Some Risk Data Use Agreement Moderate Risk - Strong DUA & Technology Rules High Risk Enclosed Data Center Simple Data: minimal harm & very low chance of disclosure Complex Data: low harm & low probability of disclosure Complex data: moderate harm & re-identifiable with difficulty High severity of harm & highly identifiable
Thank you George Alter University of Michigan altergc@umich.edu
What if databases could send data to a trusted third party, who would compute statistics? Database 1 Database 2 Secure Multi-Party Computing MPC does this without the third party. Encryption
Average Income Three people with true salaries S1, S2, S3, which they never reveal. Each computes random numbers Rij (sent from i to j). Report salary plus own random numbers minus those received, i.e., X1 = S1 + (R12 + R13) – (R21 + R31) X2 = S2 + (R21 + R23) – (R12 + R32) + X3 = S3 + (R31 + R32) – (R13 + R23) Σ = S1 + S2 + S3 Example from Daniel Goroff, Alfred P. Sloan Foundation Homomorphic Encryption

More Related Content

PPTX
Managing sensitive data at the Australian Data Archive
ARDC
 
PDF
Wilbanks Can We Simultaneously Support Both Privacy & Research?
National Information Standards Organization (NISO)
 
PDF
Space Situational Awareness Forum - U.S Air Force Presentation
Space_Situational_Awareness
 
PDF
2015 04-18-wilson cg
Christopher Wilson
 
PPTX
Introduction to Data Management
Amanda Whitmire
 
PPTX
Genome sharing projects around the world nijmegen oct 29 - 2015
Fiona Nielsen
 
PPTX
Finding and Accessing Human Genomics Datasets
Manuel Corpas
 
PPTX
RDM & ELNs @ Edinburgh
EDINA, University of Edinburgh
 
Managing sensitive data at the Australian Data Archive
ARDC
 
Wilbanks Can We Simultaneously Support Both Privacy & Research?
National Information Standards Organization (NISO)
 
Space Situational Awareness Forum - U.S Air Force Presentation
Space_Situational_Awareness
 
2015 04-18-wilson cg
Christopher Wilson
 
Introduction to Data Management
Amanda Whitmire
 
Genome sharing projects around the world nijmegen oct 29 - 2015
Fiona Nielsen
 
Finding and Accessing Human Genomics Datasets
Manuel Corpas
 
RDM & ELNs @ Edinburgh
EDINA, University of Edinburgh
 

What's hot (20)

PDF
Guy avoiding-dat apocalypse
ENUG
 
PDF
Medical image analysis, retrieval and evaluation infrastructures
Institute of Information Systems (HES-SO)
 
PDF
Challenges in medical imaging and the VISCERAL model
Institute of Information Systems (HES-SO)
 
PPTX
Managing Confidential Information – Trends and Approaches
Micah Altman
 
PPTX
Developing data services: a tale from two Oregon universities
Amanda Whitmire
 
PPTX
Introduction to research data management; Lecture 01 for GRAD521
Amanda Whitmire
 
PDF
openEHR v COVID-19
openEHR-Japan
 
PDF
From byte to mind
Benjamin Laken
 
PDF
Fair by design
Pistoia Alliance
 
PPT
Cairo
data_management
 
PPTX
June2014 brownbag privacy
Micah Altman
 
PPTX
Reproducibility from an infomatics perspective
Micah Altman
 
PDF
Graham Pryor
Eduserv
 
PDF
openEHR template development for COVID-19
openEHR-Japan
 
PDF
Dr. Eliot Siegel: Watson and Deep QA Software in Pursuit of Personalized Medi...
National Cancer Institute National Cancer Informatics Program
 
PDF
Altman - Perfectly Anonymous Data is Perfectly Useless Data
National Information Standards Organization (NISO)
 
PPTX
2013 bio it world
Chris Dwan
 
PDF
Guideline based CDSS for COVID-19
openEHR-Japan
 
PDF
Introduction to research data management
Michael Day
 
PPTX
Ethics my own effort
Hina Honey
 
Guy avoiding-dat apocalypse
ENUG
 
Medical image analysis, retrieval and evaluation infrastructures
Institute of Information Systems (HES-SO)
 
Challenges in medical imaging and the VISCERAL model
Institute of Information Systems (HES-SO)
 
Managing Confidential Information – Trends and Approaches
Micah Altman
 
Developing data services: a tale from two Oregon universities
Amanda Whitmire
 
Introduction to research data management; Lecture 01 for GRAD521
Amanda Whitmire
 
openEHR v COVID-19
openEHR-Japan
 
From byte to mind
Benjamin Laken
 
Fair by design
Pistoia Alliance
 
Cairo
data_management
 
June2014 brownbag privacy
Micah Altman
 
Reproducibility from an infomatics perspective
Micah Altman
 
Graham Pryor
Eduserv
 
openEHR template development for COVID-19
openEHR-Japan
 
Dr. Eliot Siegel: Watson and Deep QA Software in Pursuit of Personalized Medi...
National Cancer Institute National Cancer Informatics Program
 
Altman - Perfectly Anonymous Data is Perfectly Useless Data
National Information Standards Organization (NISO)
 
2013 bio it world
Chris Dwan
 
Guideline based CDSS for COVID-19
openEHR-Japan
 
Introduction to research data management
Michael Day
 
Ethics my own effort
Hina Honey
 
Ad

Similar to Sharing Confidential Data in ICPSR (20)

PPTX
Research Ethics and Use of Restricted Access Data
libbiestephenson
 
PPTX
2014 NCSAM - Data Security and Compliance—What You Need to Know.pptx
VITNetflix
 
PDF
Reality Check
removed_62798267384a091db5c693ad7f1cc5ac
 
PPTX
Ethics and Politics of Big Data
robkitchin
 
PPTX
Use of data in safe havens: ethics and reproducibility issues
Louise Corti
 
PPTX
Data Sharing with ICPSR: Fueling the Cycle of Science through Discovery, Acce...
ICPSR
 
PDF
Publishing and sharing sensitive data 28 June
ARDC
 
PDF
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cybera Inc.
 
PPTX
Confidential data management_key_concepts
Micah Altman
 
PDF
Enabling Science with Trust and Security – Guest Keynote
Globus
 
PPTX
week 7.pptx
StephenGwadi
 
PDF
Preparing Research Data for Sharing
London School of Hygiene and Tropical Medicine
 
PPTX
HCF 2019 Panel 5: Nicolas Ball
Chemicals Forum Association
 
PPTX
Duality Technologies_Driving Secure Collaboration in Healthcare_mHealth Israel
Levi Shapiro
 
PPTX
Data-Ethics-and-Privacy-What-Every-Analyst-Should-Know
Ozias Rondon
 
PPTX
A Lifecycle Approach to Information Privacy
Micah Altman
 
PPTX
Managing data responsibly to enable research interity
IUPUI
 
PDF
Hivos and Responsible Data
Tom Walker
 
PPTX
Respect Thy Data: The Gospel
Jill Gilbert
 
PPTX
Burton - Security, Privacy and Trust
National Information Standards Organization (NISO)
 
Research Ethics and Use of Restricted Access Data
libbiestephenson
 
2014 NCSAM - Data Security and Compliance—What You Need to Know.pptx
VITNetflix
 
Reality Check
removed_62798267384a091db5c693ad7f1cc5ac
 
Ethics and Politics of Big Data
robkitchin
 
Use of data in safe havens: ethics and reproducibility issues
Louise Corti
 
Data Sharing with ICPSR: Fueling the Cycle of Science through Discovery, Acce...
ICPSR
 
Publishing and sharing sensitive data 28 June
ARDC
 
Cyber Summit 2016: Privacy Issues in Big Data Sharing and Reuse
Cybera Inc.
 
Confidential data management_key_concepts
Micah Altman
 
Enabling Science with Trust and Security – Guest Keynote
Globus
 
week 7.pptx
StephenGwadi
 
Preparing Research Data for Sharing
London School of Hygiene and Tropical Medicine
 
HCF 2019 Panel 5: Nicolas Ball
Chemicals Forum Association
 
Duality Technologies_Driving Secure Collaboration in Healthcare_mHealth Israel
Levi Shapiro
 
Data-Ethics-and-Privacy-What-Every-Analyst-Should-Know
Ozias Rondon
 
A Lifecycle Approach to Information Privacy
Micah Altman
 
Managing data responsibly to enable research interity
IUPUI
 
Hivos and Responsible Data
Tom Walker
 
Respect Thy Data: The Gospel
Jill Gilbert
 
Burton - Security, Privacy and Trust
National Information Standards Organization (NISO)
 
Ad

More from ARDC (20)

PPTX
Introduction to ADA
ARDC
 
PPTX
Architecture and Standards
ARDC
 
PPTX
Data Sharing and Release Legislation
ARDC
 
PPT
Australian Dementia Network (ADNet)
ARDC
 
PPTX
Investigator-initiated clinical trials: a community perspective
ARDC
 
PPTX
NCRIS and the health domain
ARDC
 
PPTX
International perspective for sharing publicly funded medical research data
ARDC
 
PPTX
Clinical trials data sharing
ARDC
 
PPTX
Clinical trials and cohort studies
ARDC
 
PPTX
Introduction to vision and scope
ARDC
 
PPTX
FAIR for the future: embracing all things data
ARDC
 
PDF
ARDC 2018 state engagements - Nov-Dec 2018 - Slides - Ian Duncan
ARDC
 
PDF
Skilling-up-in-research-data-management-20181128
ARDC
 
PDF
Research data management and sharing of medical data
ARDC
 
PPTX
Findable, Accessible, Interoperable and Reusable (FAIR) data
ARDC
 
PPTX
Applying FAIR principles to linked datasets: Opportunities and Challenges
ARDC
 
PDF
How to make your data count webinar, 26 Nov 2018
ARDC
 
PDF
Ready, Set, Go! Join the Top 10 FAIR Data Things Global Sprint
ARDC
 
PDF
How FAIR is your data? Copyright, licensing and reuse of data
ARDC
 
PDF
Peter neish DMPs BoF eResearch 2018
ARDC
 
Introduction to ADA
ARDC
 
Architecture and Standards
ARDC
 
Data Sharing and Release Legislation
ARDC
 
Australian Dementia Network (ADNet)
ARDC
 
Investigator-initiated clinical trials: a community perspective
ARDC
 
NCRIS and the health domain
ARDC
 
International perspective for sharing publicly funded medical research data
ARDC
 
Clinical trials data sharing
ARDC
 
Clinical trials and cohort studies
ARDC
 
Introduction to vision and scope
ARDC
 
FAIR for the future: embracing all things data
ARDC
 
ARDC 2018 state engagements - Nov-Dec 2018 - Slides - Ian Duncan
ARDC
 
Skilling-up-in-research-data-management-20181128
ARDC
 
Research data management and sharing of medical data
ARDC
 
Findable, Accessible, Interoperable and Reusable (FAIR) data
ARDC
 
Applying FAIR principles to linked datasets: Opportunities and Challenges
ARDC
 
How to make your data count webinar, 26 Nov 2018
ARDC
 
Ready, Set, Go! Join the Top 10 FAIR Data Things Global Sprint
ARDC
 
How FAIR is your data? Copyright, licensing and reuse of data
ARDC
 
Peter neish DMPs BoF eResearch 2018
ARDC
 

Recently uploaded (20)

PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
Trump Administration's workforce development strategy
Mebane Rash
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
master seminar digital applications in india
ananyaray35
 
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ElishamichaelSamwel
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Lesson notes of climatology university.
sgladness67
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Trump Administration's workforce development strategy
Mebane Rash
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 

Sharing Confidential Data in ICPSR

  • 2. Disclosure: Risk & Harm • What do we promise when we conduct research about people? – That benefits (usually to society) outweigh risk of harm (usually to individual) – That we will protect confidentiality • Why is confidentiality so important? – Because people may reveal information to us that could cause them harm. – Examples: criminal activity, antisocial activity, medical conditions...
  • 3. Who are We Afraid of? • Parents trying to find out if their child had an abortion or uses drugs • Spouse seeking hidden income or infidelity in a divorce • Insurance companies seeking to eliminate risky individuals • Other criminals and nuisances • NSA, CIA, FBI, KGB, SABOT, SBL, SMERSH, KAOS, etc...
  • 4. What are We Afraid of... • Direct Identifiers – Inadvertent release of unnecessary information (Name, phone number, SSN…) – Direct identifiers required for analysis (location, genetic characteristics,…) • Indirect Identifiers – Characteristics that identify a subject when combined (sex, race, age, education, occupation)
  • 5. Deductive Disclosure • A combination of characteristics could allow an intruder to re-identify an individual in a survey “deductively,” even if direct identifiers are removed. • Dependent on – Knowing someone in the survey – Matching cases to a database
  • 6. Deductive Disclosure Contextual data increases the risk of disclosure – Some attributes can be known by an outsider (age, race) – Individuals are more identifiable in smaller populations • The more specific the geography, the more attention must be paid to disclosure risk.
  • 7. Contextual data in social science research Geographic context • Neighborhood characteristics, economic conditions, health services, distance to resources, etc. Institutional context • School • Hospital • Prison
  • 8. Current Survey Designs Increase the Risks of Disclosing Subjects’ Identities • Geographically referenced data • Longitudinal data • Multi-level data: – Student, teacher, school, school district – Patient, clinic, community
  • 9. Protecting Confidential Data • Safe data: Modify the data to reduce the risk of re-identification • Safe projects: Reviewing research designs • Safe settings: Physical isolation and secure technologies • Safe people: Training and Data use agreements • Safe outputs: Results are reviewed before being released to researchers
  • 10. Safe data Disclosure risks can be reduced by: • Multiple sites rather than single locations • Keeping sampling locations secret – Releasing characteristics of contexts without providing locations • Oversampling rare characteristics
  • 11. Safe Data Data masking • Grouping values • Top-coding • Aggregating geographic areas • Swapping values • Suppressing unique cases • Sampling within a larger data collection • Adding “noise” • Replacing real data with synthetic data
  • 12. Safe Projects • Research plans are reviewed before access is approved • Levels of project review 1. Does the research plan require confidential data? 2. Would the research plan identify individual subjects? 3. Is the research scientifically sound? Does it “serve the public good”? • Scientific review requires standards and expertise
  • 13. Safe Settings • Data protection plans • Remote submission and execution • Virtual data enclave • Physical enclave
  • 14. Data Protection Plans should address risks: • unauthorized use of account on computer • computer break-in by exploiting vulnerability • hijacking of computer by malware or botware • interception of network traffic between computers • loss of computer or media • theft of computer or media • eavesdropping of electronic output on computer screen • unauthorized viewing of paper output We often focus too much on technology and not enough on risk. Safe Settings
  • 15. Improving Data Security Plans • Problems – PIs lack technical expertise – Requirements are inconsistent and confusing – Monitoring compliance is expensive • An alternative: Institution-level data security protocols – Tiered guidelines for different levels of risk – Focus on mitigating risks not specifying technologies – Certification of researchers – Institutional oversight
  • 16. • Remote submission and execution – User submits program code or scripts, which are executed in a controlled environment • Virtual data enclave – Remote desktop technology prevents moving data to user’s local computer – Requires a data use agreement • Physical enclave – Users must travel to the data Safe Settings
  • 18. The Virtual Data Enclave (VDE) provides remote access to quantitative data in a secure environment.
  • 19. Safe people • Data use agreements • Training
  • 20. Safe people • Parts of a data use agreement at ICPSR – Research plan – IRB approval – Data protection plan – Behavior rules – Security pledge – Institutional signature
  • 21. Informed Consent Interview Data producer Data archive Researcher Data Use Agreement Institution Dataflow Data Dissemination Agreement Research Plan IRB Approval Data Protection Plan
  • 22. Data Use Agreement: Behavior rules To avoid inadvertent disclosure of persons, families, households, neighborhoods, schools or health services by using the following guidelines in the release of statistics derived from the dataset. 1. In no table should all cases in any row or column be found in a single cell. 2. In no case should the total for a row or column of a cross- tabulation be fewer than ten. 3. In no case should a quantity figure be based on fewer than ten cases. 4. In no case should a quantity figure be published if one case contributes more than 60 percent of the amount. 5. In no case should data on an identifiable case, or any of the kinds of data listed in preceding items 1-3, be derivable through subtraction or other calculation from the combination of tables released.
  • 23. Data Use Agreement The Recipient Institution will treat allegations, by NAHDAP/ICPSR or other parties, of violations of this agreement as allegations of violations of its policies and procedures on scientific integrity and misconduct. If the allegations are confirmed, the Recipient Institution will treat the violations as it would violations of the explicit terms of its policies on scientific integrity and misconduct.
  • 24. Problems with DUAs • DUAs are issued by project. – Every PI gets a new DUA, even if the Institution has already signed the DUA for someone else • Language and conditions in DUAs are not standard – Frequent negotiations and lawyering
  • 25. Reducing the costs of DUAs • Institution-wide agreements – One agreement per institution, not per project – A designated “data steward” adds qualified researchers to the agreement – Example: Databrary Agreement • Covers informed consent, data sharing, data use • Researcher certification covering multiple datasets
  • 26. Disclosure: Graph with extreme values example no Arrested in last year? yes Data were collected for a sample of 104 people in a county. Among the variables collected were age, gender, and whether the person was arrested within the last year. Box plots below show the distribution of age, one plot for those arrested and one for those who were not. The number labels are case number in the dataset. The potential identifiability represented by outlying values is compounded here by an unusual combination that could probably be identified using public records for a county in the U.S. --someone approximately 90 years old was arrested in the sample. Including extreme values is a disclosure risk for identifiability when combined with other variables in the dataset. N 104 min age 12 max age 95 mean age 51 std dev 15 % female 5.2 % arrested 5.8 Safe People: Disclosure risk online tutorial
  • 27. • Controlled environments allow review of outputs o Remote submission and execution o Virtual data enclaves o Physical enclaves • Disclosure checks may be automated, but manual review is usually necessary Safe outputs
  • 28. Weighing Costs and Benefits • Data protection has costs – Modifying data affects analysis – Access restrictions impose burdens on researchers • Protection measures should be proportional to risks – Probability that an individual can be (re-)identified – Severity of harm resulting from re-identification
  • 29. Gradient of Risk & Restriction SeverityofHarm Probability of Disclosure Tiny Risk Web Access Some Risk Data Use Agreement Moderate Risk - Strong DUA & Technology Rules High Risk Enclosed Data Center Simple Data: minimal harm & very low chance of disclosure Complex Data: low harm & low probability of disclosure Complex data: moderate harm & re-identifiable with difficulty High severity of harm & highly identifiable
  • 30. Thank you George Alter University of Michigan altergc@umich.edu
  • 31. What if databases could send data to a trusted third party, who would compute statistics? Database 1 Database 2 Secure Multi-Party Computing MPC does this without the third party. Encryption
  • 32. Average Income Three people with true salaries S1, S2, S3, which they never reveal. Each computes random numbers Rij (sent from i to j). Report salary plus own random numbers minus those received, i.e., X1 = S1 + (R12 + R13) – (R21 + R31) X2 = S2 + (R21 + R23) – (R12 + R32) + X3 = S3 + (R31 + R32) – (R13 + R23) Σ = S1 + S2 + S3 Example from Daniel Goroff, Alfred P. Sloan Foundation Homomorphic Encryption

Editor's Notes

  • #7: Type I disclosure: when an intruder has knowledge that a given person (or organization) is included in a survey and the intruder attempts to find this record. Type II disclosure occurs when an intruder does not know the identity ahead of time and uses externally available resources (linking databases) to attempt to find survey respondents.
  • #12: Or, how do we Protect Waldo?
  • #18: The visual.