Data anonymization

“The technique of noise addition is especially useful when attributes may have an important adverse effect on individuals and consists of modifying attributes in the dataset such that they are less accurate whilst retaining the overall distribution. When processing a dataset, an observer will assume that values are accurate but this will only be true to a certain degree. As an example, if an individual’s height was originally measured to the nearest centimetre the anonymised dataset may contain a height accurate to only ±10cm. If this technique is applied effectively, a third-party will not be able to identify an individual nor should he be able to repair the data or otherwise detect how the data have been modified.

Noise addition will commonly need to be combined with other anonymisation techniques such as the removal of obvious attributes and quasi-identifiers. The level of noise should depend on the necessity of the level of information required and the impact on individuals’ privacy as a result of disclosure of the protected attributes.”

“Permutation consists in shuffling the values of attributes in a table, so that some of them are artificially linked to different data subjects, is useful when it is important to retain the exact distribution of each attribute within the dataset. (…) Permutation techniques alter values within the dataset by just swapping them from one data to another. Such swapping will ensure that range and distribution of values will remain the same, but correlations between values and individuals will not. If two or more attributes have a logical relationship or statistical correlation and are permuted independently, such a relationship will be destroyed. It may therefore be important to permute a set of related attributes so as to not to break the logical relationship, otherwise an attacker could identify the permuted attributes and reverse the permutation.

For instance, if we consider a subset of attributes in a medical dataset such as “reasons for hospitalization/symptoms/department in charge”, a strong logical relationship will link the values in most cases and permutation of only one of the values would thus be detected and could even be reversed.”

“Differential privacy falls within the family of randomization techniques, with a different approach: while, in fact, noise insertion comes into play beforehand when dataset is supposed to be released, differential privacy can be used when the data controller generates anonymised views of a dataset whilst retaining a copy of the original data. Such anonymized views would typically be generated through a subset of queries for a particular third party. The subset includes some random noise deliberately added ex-post. Differential privacy tells the data controller how much noise he needs to add, and in which form, to get the necessary privacy guarantees.”

“Aggregation and K-anonymity techniques aim at preventing a data subject from being singled out by grouping them with, at least, k other individuals. To achieve this, the attribute values are generalized to an extent that each individual shares the same value.

For example, by lowering the granularity of a location from a city to a country a higher number of data subjects are included. Individual dates of birth can be generalized into a range of dates, or grouped by month or year.

Other numerical attributes (e.g. salaries, weight, height, or the dose of a medicine) can be generalized by interval values (e.g. salary €20,000 – €30,000). These methods may be used when the correlation of punctual values of attributes may create quasi- identifiers.”

European Union Article 29 Data Protection Working Party, 0829/14/EN WP216, Opinion 05/2014 on Anonymisation Techniques, 2014, Page 12 of PDF