|Page tools: Print Page Print All|
PROTECTING THE CONFIDENTIALITY OF PROVIDERS
2. There are limitations when extending beyond person-level counting type queries;
3. Access to correlated auxiliary data weakens the protection provided by (any) perturbation mechanism; and
4. Implementation requirements may not perturb data beyond levels acceptable to analysts or be practically infeasible.
It is important to note that the theory is still evolving, however, there may be aspects that are potentially useful to augment current approaches. The ABS is assessing the potential benefits of differential privacy and identifying unresolved issues and implications, including implications for practical implementation. The ABS is also engaging with experts and other National Statistical Organisations who face similar challenges to better understand these implications. The US Census Bureau, for example, are incorporating perturbation as part of their confidentialisation method for the 2020 US Census, including an adapted form of differential privacy; and are working to identify and resolve outstanding issues and progress the theoretical foundations.
It is important to remember that the differential privacy framework does not guarantee privacy protection, rather it allows a bound to be placed on the maximum privacy loss for aggregated tables – thereby providing a data-providing agency with a mechanism to control risk. Differential privacy also does not in itself inform the analyst of the utility-loss relevant to their particular analysis - some literature argued that under Differential Privacy, the usefulness of microdata files may be severely damaged.
While there is a growing literature investigating potential relaxations, adaptions and alternatives that attempt to address the issues, the theory is still maturing. Some of the issues include aggregated units (eg, families), descriptive statistics, weighted data, magnitude data, correlated data and longitudinal data. In particular, there is currently no widely accepted way to calculate the accumulated privacy loss over multiple queries (current composition strategies are based on a ‘worst case’ scenario). The ABS is undertaking work to assess the differential privacy measure relevant to the perturbation mechanisms commonly applied.
For more information, please contact Daniel Elazar Methodology@abs.gov.au
These documents will be presented in a new window.