Seminars (DLA)

Tutorial outline:
The tutorial consists of four parts:
(1)  Data linkage introduction, short history of data linkage, example applications, and the data linkage process (overview of the main steps).
(2)  Detailed discussion of all steps of the data linkage process (data cleaning and standardisation, indexing/blocking, field and record comparisons, classification, and evaluation), and core techniques used in these steps.
(3)  Advanced data linkage techniques, including collective, group and graph linking techniques, as well as advanced indexing techniques that enable large-scale data linkage.
(4)  Major concepts, protocols and challenges in privacy-preserving data linkage, which aims to link databases across organisations without revealing any private or confidential information.  

Assumed knowledge: The aim is to make this tutorial as accessible as possible to a wide ranging audience from various backgrounds. The content will focus on concepts and techniques rather than details of algorithms. Basic understanding in databases, algorithms, and probabilities will be beneficial but not required. The tutorial will loosely be based on the book “Data Matching – Concepts and Techniques for Record Linkage, Entity Resolution and Duplicate Detection” (Springer, 2012) written by the presenter.

The tutorial will introduce differential privacy, a widely studied definition of privacy for statistical databases.

We will begin with the motivation for rigorous definitions of privacy in statistical databases, covering several examples of how seemingly aggregate, high-level statistics can leak information about individuals in a data set. We will then define differential privacy, illustrate the definition with several examples, and discuss its properties. The bulk of the tutorial will cover the principal techniques used for the design of differentially private algorithms. Time permitting, we will touch on applications of differential privacy to problems having no immediate connection to privacy, such as equilibrium selection in game theory and adaptive data analysis in statistics and machine learning.

I introduce common strategies for reducing disclosure risks when releasing public use microdata, i.e., data on individuals. I discuss some of their pros and cons in terms of data quality and disclosure risks, connecting to data linkage where possible. I also talk about a key challenge in data dissemination: how to give feedback to users on the quality of analyses of disclosure-protected data. Such feedback is essential if analysts are to trust results from (heavily) redacted microdata.  They also are essential for query systems that report (perturbed) outputs from statistical models. However, such feedback leaks information about confidential data values. I discuss approaches for feedback that satisfy the risk criterion differential privacy for releasing diagnostics in regression models.

Since the field of statistical disclosure limitation (SDL) was first formalized by Ivan Fellegi in 1972, official statistical agencies have recognized that their publications posed confidentiality risks for the households and businesses who responded. For even longer, agencies have protected the source data for those publications by using secure storage methods and access authorization systems. In SDL, Dalenius (1977) and, in computer science, Goldwasser and Micali (1982) formalized what has become the modern approach to privacy protection in data publication: inferential disclosure limitation/semantic security. The modern approach to physical data security centers on firewall and encryption technologies. And the two sets of risks (disclosure through publication and disclosure through unauthorized access) have become increasingly inter-related. It is important to recognize the distinct issues, however. Secure multiparty computing and the stronger fully homomorphic encryption are formal solutions to the problem of permitting statistical computations without granting access to the decrypted data. Privacy-protected query publication is a formal solution to the problem of insuring that inferential disclosures are bounded and that the bound is respected in all published tables. There are now tractable systems that combine secure multi-party computing with formal privacy protection of the computed statistics (e.g., Shokri and Shmatikov 2015). The challenge to statistical agencies is to learn how these systems work, and move their own protection technologies in this direction. Private companies like Google and Microsoft already do this. Statistical agencies must be prepared to explain the differences in their publication requirements and security protocols that distinguish their chosen data storage methods and publications from those used by private companies.

Related Links

• http://www.brookings.edu/~/media/Projects/BPEA/Spring-2015/2015a_abowd.pdf?la=en - Abowd-Schmutte BPEA Spring 2015

Remote analysis servers and online data centres have been around for quite a few years now, appearing both in the academic literature and in a range of large scale implementations. Such systems are considered to provide good confidentiality protection for protecting privacy in the case of data about people, and for protecting commercial sensitivity in the case of data about businesses and enterprises. A variety of different methods for protecting confidentiality in the outputs of such systems have been proposed and a range of them has been implemented and used in practice. However, much less common are quantitative assessments of risk to confidentiality, and usefulness of the system outputs for the purpose for which they are generated. Indeed, it has been suggested that perhaps such quantitative assessments are trying to measure the wrong things. In this talk we will provide an overview of the current state of literature and practice, and compare it with the overall problem o bjective with a view to determining key open challenges and research frontiers in the area, possibly within a redefined statement of the overall challenge.

This session will explore a brief history of commercial applications of large data sets in marketing, retailing and consumer targeting.
It will investigate the implications of new data sets, how anonymisation may be achieved and what commercial business is considering with new open data standards

The general idea is to use the addition of random noise with known properties to some or all variables in a released dataset, typically following linkage, where the values of some identifier variables for individuals of interest are also available to an external ‘attacker’ who wishes to identify those individuals so that they can interrogate their records in the dataset. The noise is tuned to achieve any given degree of anonymity to avoid identification by an ‘attacker’ via the linking of patterns based on the values of such variables.  The noise so generated can then be ‘removed’ at the analysis stage since its characteristics are known, requiring disclosure of these characteristics by the linking agency. This leads to consistent parameter estimates, although a loss of efficiency will occur, but the data themselves are not degraded by any form of coarsening such as grouping. 

The literature now contains a large set of methods to privately estimate parameters from a classical statistical model, or to conduct a data mining or machine learning task. However, little is known about how to perform Bayesian statistics privately. In this talk, I will share my thoughts, and a few results, about ways in which Bayesian modelling could be performed to offer some privacy guarantee. In particular, I will discuss some attempts at sampling from posterior predictive distributions under the constraint of differential privacy (DP). I will also discuss empirical differential privacy, a criterion designed to estimate the DP privacy level offered by a certain Bayesian model, and present some recent results on the meaning and limits of this privacy measure. A lot of what I will present is work in progress, and I am hoping that some of you may want to collaborate with me on this research topic.

With: Thilina Ranbaduge, Dinusha Vatsalan, and Sean Randall   Abstract: In this talk I will present results from an empirical study comparing the scalability, linkage quality, and privacy of a standard linkage approach compared to state-of-the-art multi-party privacy-preserving record linkage techniques on real Australian health databases.   Details:  http://www.ipdlnconference2016.org/Programme/Abstract/89

Co-author: Christian Borgs (University of Duisburg Essen)

Using appropriate parameter settings, Bloom filter approaches show linkage results comparable to linkage based on unencrypted identifiers. Furthermore, this approach has been used in real-world settings with data sets containing up to 100 Million records. By the application of suitable blocking strategies, linking can be done in reasonable time. However, Bloom filters have been subject of cryptographic attacks. Previous research has shown that the straight application of Bloom filters has a nonzero re-identification risk. We will present new results on recently developed techniques to defy all known attacks on PPRL Bloom filters. These computationally simple algorithms modify the identifiers by different cryptographic diffusion techniques. The presentation will demonstrate these new algorithms and show their performance concerning precision, recall in large databases. 

Violent inter-state and civil wars are documented with lists of the casualties, each of which constitutes a partial, non-probability sample of the universe of deaths. There are often several lists, with duplicate entries within each list and among the lists, requiring record linkage to dedeuplicate the lists to create a unique enumeration of the known dead.

This talk will explore how we do record linkage, including: new advances in generating and learning from training data; an adaptive blocking approach; pairwise classification with string, date, and integer features and several classifiers; and a hybrid clustering method. Assessment metrics will be proposed for each stage, with real-world results from deduplicating more than 420,000 records of Syrian people killed since 2011.

The U.S. Census Bureau makes extensive use of administrative records and other third-party data to produce statistics on our population and economy.  We use these data to evaluate survey quality, to produce new statistics about the population and economy, and to support evaluation of federal and state programs. Our success hinges on our ability to link external data with data already held at Census, usually at the individual person or housing unit level. We carry out this linkage using a standardized set of practices that has been in place since the early 2000s. This presentation focuses on the lifecycle of the production data linkage carried out at the U.S. Census Bureau, including authorities to obtain identified data, the types of data acquired, ingest and initial processing, linkage practices, evaluations of linkage quality, and the documentation, governance, and uses of linked data files. The presentation will conclude with a discussion of new demands on Census’s linked data infrastructure, and the need to modernize and further streamline governance and processes.

Background: The task of record linkage is increasingly being undertaken by dedicated record linkage units with secure environments and specialised linkage personnel. In addition to the complexity of undertaking record linkage, these units face additional technical challenges in providing record linkage ‘as a service’. The extent of this functionality, and approaches to solving these issues has had little focus in record linkage literature.

Methods: This session identifies and discusses the range of functions that are required or undertaken in the provision of record linkage services. These include managing routine, on-going linkage; storing and handling changing data; handling different linkage scenarios; accommodating ever increasing datasets. Current linkage methods also include analysis of data attributes such as data completeness, consistency, constancy and field discriminating power. This information is used to develop appropriate linkage strategies.

Results: In order to maximise matching quality and efficiency, linkage systems must address real-world operational requirements to manage linked data over time. By maintaining a full history of links, and storing pairwise information, many of the challenges around handling ‘open’ records, and providing automated managed extractions are solved. Automation of linkage processes (including clerical processes) is another way of ensuring consistency of results and scalability of service. Several of these solutions have been implemented as part of developments by the PHRN Centre for Data Linkage in Australia.

Conclusions: Increasing demand for and complexity of, linkage services present challenges to linkage units as they seek to offer accurate and efficient services to government and the research community. Linkage units need to be both flexible and scalable to meet this demand. It is hoped that the solutions presented will help overcome these difficulties.

Individuals increasingly leave behind information in resources managed by disparate organizations.  There is an interest in making this information available for a wide array of endeavors (e.g., policy assessment, discovery-based research, and surveillance activities).  Given the distribution of data, it is critical to ensure that it is sufficiently integrated before conducting any statistical investigation to prevent duplication (and thus overcounting of events) and fragmentation (and thus undercounting of events).  This problem is resolved through record linkage procedures, techniques that have been refined for over half a century.  However, these methods often rely on explicit- or potentially identifying features, which often conflict with the expectations of privacy regulations.  More recently, privacy preserving record linkage (PPRL) methods have been proposed which rely on randomized transformations of data, as well as cryptographically secure processing methods. However, it is often unclear how the various steps of a record lifecycle, including standardization, parameter estimation, blocking, record pair comparison, and ccommunication between all of the various parties involved in the process can take place. In this talk, I will review recent developments in PPRL methods, discuss how they have been engineered into working software systems, and provide examples of how they have been applied in several distributed networks in the healthcare community to facilitate biomedical research and epidemiological investigations.

Co-authors: Gareth Hagger-Johnson (Administrative Data Research Centre for England, University College London), Ruth Gilbert (Institute of Child Health, University College London), Harvey Goldstein (University of Bristol and University College London)

Background: Linkage of administrative data with no unique identifier often relies on probabilistic linkage. Variation in data quality on individual or organisational levels can adversely affect match weight estimation, and potentially introduce selection bias to the linked data if subgroups of individuals are more likely to link than others. We quantified individual and organisational variation in identifier error in a large administrative dataset (Hospital Episode Statistics; HES) and incorporated this information within a match probability estimation model. Methods: A stratified sample of 10,000 admission records were extracted from 2011/2012 HES for three cohorts of ages 0-1, 5-6 and 18-19 years. A reference standard was created by linking via NHS number with the Personal Demographic Service for up-to-date identifiers. Based on aggregate tables, we calculated identifier error rates for sex, date of birth and postcode and investigated whether these errors were dependent on individual characteristics and evaluated variation between organisations. We used a log-linear model to estimate match probabilities, and used a simulation study to compare readmission rates based on traditional match weights. Results: Match probabilities differed significantly according to age (p

Co-author: Peter Christen (The Australian National University)

In the era of Big Data the collection of person-specific data disseminated in diverse databases provides enormous opportunities for businesses and governments by exploiting data linked across these databases. Linked data empowers quality analysis and decision making that is not possible on individual databases. Therefore, linking databases is increasingly being required in many application areas, including healthcare, government services, crime and fraud detection, national security, and business applications. Linking data from different databases requires comparison of quasi-identifiers (QIDs), such as names and addresses. These QIDs are personal identifying attributes that contain sensitive and confidential information about the entities represented in these databases. The exchange or sharing of QIDs across organisations for linkage is often prohibited due to laws and business policies. Privacy-preserving record linkage (PPRL) has been an active research area over the past two decades addressing this problem through the development of techniques that facilitate the linkage on masked (encoded) records such that no private or confidential information needs to be revealed.

Most of the work in PPRL thus far has concentrated on linking two databases only. Linking multiple databases has only recently received more attention as it is being required in a variety of application areas. We have developed several advanced techniques for practical PPRL of multiple large databases addressing the scalability, linkage quality, and privacy challenges. Our approaches perform linkage on masked records using Bloom filter encoding, which is a widely used masking technique for PPRL. In this talk, we will first highlight the challenges of PPRL of multiple databases, then describe our developed approaches, and then discuss future research directions required to leverage the huge potential that linked data from multiple databases can provide for businesses and government services.

Massive amounts of data, collected by a wide variety of organizations, need to be integrated and matched in order to facilitate data analyses that may be highly beneficial to businesses, governments, and academia. Record linkage, also known as entity resolution, is the process of identifying records that refer to the same real-world entity from disparate data sets. Privacy Preserving Record Linkage (PPRL) techniques are employed to perform the linkage process in a secure manner, when the data that need to be matched are sensitive. In PPRL, input records undergo an anonymization process that embeds the records into a space, where the underlying data can be matched but not understood by naked eye.

The PPRL problem is picking up a lot of steam lately due to a ubiquitous need for cross matching of records that usually lack common unique identifiers and their field values contain variations, errors, misspellings, and typos. The PPRL process as it is applied to massive ammounts of data comprises of an anonymization phase, a searching phase and a matching phase.

Several searching and anonymization approaches have been developed with the aim to scale the PPRL process to big data without sacrificing quality of the results. Recently, redundant randomized methods have been proposed, which insert each record into multiple independent blocks in order to amplify the probability of bringing together similar records for comparison. The key feature of these methods is the formal guarantees, they provide, in terms of accuracy in the generated results.

In this talk, we present both state-of-the-art private searching methods and anonynimization techniques, by exposing their characteristics, including their strengths and weaknesses, and we also present a comparative evaluation.

Record linkage techniques allow us to combine different sources of information from a common population in the absence of unique identifiers. Linking multiple files is an important task in a wide variety of applications, since it permits us to gather information that would not be otherwise available, or that would be too expensive to collect. In practice, an additional complication appears when the datafiles to be linked contain duplicates. Traditional approaches to duplicate detection and record linkage output independent decisions on the coreference status of each pair of records, which often leads to non-transitive decisions that have to be reconciled in some ad-hoc fashion. The joint task of linking multiple datafiles and finding duplicate records within them can be alternatively posed as partitioning the datafiles into groups of coreferent records. We present an approach that targets this partition as the parameter of interest, thereby ensuring transitive decisions. Our Bayesian implementation allows us to incorporate prior information on the reliability of the fields in the datafiles, which is especially useful when no training data are available, and it also provides a proper account of the uncertainty in the duplicate detection and record linkage decisions. We show how this uncertainty can be incorporated in certain models for population size estimation. Throughout the document we present a case study to detect killings that were reported multiple times to organizations recording human rights violations during the civil war of El Salvador. 

When performing probabilistic data linkage on real world data we, by the fact we need to link it, do not know the true linkage. Therefore, the success of our linkage approach is difficult to evaluate. Often small hand linked datasets are used as a ‘gold-standard’ for the linkage approach to be evaluated against. However, errors in the hand-linkage and the limited size and number of these datasets do not allow for robust evaluation. The research focuses on the creation of longitudinal synthetic datasets for the domain of population reconstruction. In this talk I will cover the previous and current models we have created to achieve this and detail the approaches to how we: define the desired behaviour in the model to avoid clashes between input distributions, verify the statistical correctness of the population, and initialise the model such that the starting population meets the temporal requirements of the desired behaviour. To conclude I will outline the model’s intended use for linkage evaluation, its other potential uses and also take questions.

Co-author: John M. Abowd (Cornell University and U.S. Census Bureau)

We consider the problem of the public release of statistical information about a population–explicitly accounting for the public-good properties of both data accuracy and privacy loss. We first consider the implications of adding the public-good component to recently published models of private data publication under differential privacy guarantees using a Vickery-Clark-Groves mechanism and a Lindahl mechanism. We show that data quality will be inefficiently under-supplied. Next, we develop a standard social planner’s problem using the technology set implied by (ε,δ) -differential privacy with (α,β) -accuracy for the Private Multiplicative Weights query release mechanism to study the properties of optimal provision of data accuracy and privacy loss when both are public goods. Using the production possibilities frontier implied by this technology, explicitly parameterized interdependent preferences, and the social welfare function, we disp lay properties of the solution to the social planner’s problem. Our results directly quantify the optimal choice of data accuracy and privacy loss as functions of the technology and preference parameters. Some of these properties can be quantified using population statistics on marginal preferences and correlations between income, data accuracy preferences, and privacy loss preferences that are available from survey data. Our results show that government data custodians should publish more accurate statistics with weaker privacy guarantees than would occur with purely private data publishing. Our statistical results using the General Social Survey and the Cornell National Social Survey indicate that the welfare losses from under-providing data accuracy while over-providing privacy protection can be substantial.

Related Links

• http://digitalcommons.ilr.cornell.edu/ldi/22/ - Working paper 

Joint work with Arpita Ghosh, Aaron Roth, and Grant Schoenebeck

We consider the  problem  of  designing  a  survey  to  aggregate  non-verifiable  information  from a privacy-sensitive population: an analyst wants to compute some aggregate statistic from the private bits held by each member of a population, but cannot verify the correctness of the bits reported by participants in his survey. Individuals in the population are strategic agents with a cost for privacy, i.e., they not only account for the payments they expect to receive from the mechanism, but also their privacy costs from any information revealed about them by the mechanism’s outcome—the computed statistic as well as the payments—to determine their utilities. How can the analyst design payments to obtain an accurate estimate of the population statistic when individuals strategically decide both whether to participate and whether to truthfully report their sensitive information?

In this talk, we will discuss an approach to this problem based on ideas from peer prediction and differential privacy.

In this talk

When synthetic data are produced to overcome potential disclosure they can be used either in place of the original data or, more commonly, to allow researchers to develop code that will ultimately be run on the original data.  The utility of synthetic data can be measured by comparing the results of the final analysis with the synthetic and original data. This is not possible until the final analysis is complete.  General utility measures that measure the overall differences between the original and synthetic data are more useful for those creating synthetic data. This presentation will discuss two such >measures. The first is a propensity score measure originally proposed by Woo et. al., 2009 and the second is one based on comparing tables, suggested by Voas and Williamson, 2001. Their null distributions, when the synthesis model is "correct" will be discussed as well as their practical implementation as part of the synthpop package.

Adaptivity is an important aspect of data analysis -- that is, the choice of questions to ask about a dataset is often informed by previous use of the same dataset. However, statistical validity is typically only guaranteed in a non-adaptive model, in which the questions must be specified before the dataset is collected. A recent line of work initiated by Dwork et al. (STOC 2015) provides a formal model for studying the power of adaptive data analysis.   This talk will show that there are sophisticated techniques -- using tools from information theory and differential privacy -- that enable us to ensure that adaptive data analysis provides statistically valid answers that generalise to the overall population from which the dataset was drawn. This talk will also discuss how adaptive data analysis is inherently more powerful than non-adaptive data analysis, namely there is an exponential separation between the number of adaptive queries needed to overfit a dataset and the number of non-adaptive queries needed.  

In this seminar we investigate if generating synthetic data can be a viable strategy to provide access to detailed geocoding information for external researchers without compromising the confidentiality of the units included in the database. This research was motivated by a recent project at the Institute for Employment Research (IAB) that linked exact geocodes to the Integrated Employment Biographies, a large administrative database containing several million records. Based on these data we evaluate the performance of several synthesizers in terms of addressing the trade-off between preserving analytical validity and limiting the risk of disclosure. We propose strategies for making the synthesizers scalable for such large files, introduce analytical validity measures for the generated data and provide general recommendations for statistical agencies considering the synthetic data approach for disseminating detailed geographical information.

We explore two different aspects of differential privacy. First we explore the optimality of noise distributions in noise addition. In particular, we show that the Laplace distribution is nearly optimal in the univariate case, but not in the multivariate case. Optimal distributions are described. Then we explore the generation of differentially private data sets via perturbative masking of the original records. This approach is
remarkably more efficient than histogram-based approaches but a naive application of it may completely damage the data utility. In particular, we analyze the use of microaggregation to reduce the
 sensitivity and, thus, the amount of noise required to attain differential privacy.

Applications of data swapping and noise are among the most widely used methods for Statistical Disclosure Limitation (SDL) by statistical agencies for public-use non-interactive data release. The core ideas of swapping and noise are conceptually easy to understand and are naturally suited for masking purposes. We believe that they are worth revisiting with a special emphasis given to the utility aspects of these methods and to the ways of combining the methods to increase their efficiency and reliability.  Indeed, many data collecting agencies use complex sample designs to increase the precision of their estimates and often allocate additional funds to obtain larger samples for particular groups in the population. Thus, it is particularly undesirable and counterproductive when SDL methods applied to these data significantly change the magnitude of estimates and/or their levels of precision. We will present and discuss two methods of disclosure limitation based on swapping and noise, which can work together in synergy while protecting continuous and categorical variables. The first method is a version of multiplicative noise that preserves means and covariance together with some structural constraints in the data. The second method is loosely based on swapping. It is designed with the goal of preserving the relationships between strata-defining variables with other variables in the survey. We will show how these methods can be applied together enhancing each other’s efficiency.

Willing Anonymous HIV Salivary (WASH) surveillance studies in Scottish prisons changed the focus on drugs in prisons - not always for the better. Barred from work in Scottish prisons, we turned to powerful record-linkage studies to quantify drugs-related deaths soon after prison-release (and how to reduce them); reveal that female injectors' risk of drugs-related death was half that of male injectors; but that the female advantage narrowed with age; and is not evident for methadone-specific deaths. Explanations for these strong, validated empirical findings are the next step.

The uses of data and algorithms are publicly under debate on an unprecedented scale. Listening carefully to the concerns of rights advocates, researchers, and other data consumers and collectors suggests many possible current and future problems in which theoretical computer science can play a positive role.  The talk will discuss the nascent mathematically rigorous study of fairness in classification and scoring.

Differential privacy is well-known because of the strong privacy guarantees it offers: the results of a data analysis must be indistinguishable between data sets that differ in one record. However, the use of differential privacy may limit the accuracy of the results significantly. Essentially, we are limited to data analyses with small global sensitivity (although some workarounds have been proposed that improve the accuracy of the results when the local sensitivity is small). We introduce individual differential privacy (iDP), a relaxation of differential privacy that: (i) preserves the strong privacy guarantees that differential privacy gives to individuals, and (ii) improves the accuracy of the results significantly. The improvement in the accuracy comes from the fact that the trusted party does a more precise assessment of the risk associated to a given data analysis. This is possible because we allow the trusted party to take advantage of all the available information, namely the actual data set.

Co-authors: Thomas Steinke (IBM Research - Almaden), Jonathan Ullman (Northeastern University)
 
We consider the problem of answering queries about a sensitive dataset subject to differential privacy. The queries may be chosen adversarially from a larger set of allowable queries via one of three interactive models. These models capture whether the queries are given to the mechanism all in a single batch (“offline”), whether they are chosen in advance but presented to the mechanism one at a time (“online”), or whether they may be chosen by an analyst adaptively (“adaptive”).
 
Many differentially private mechanisms are just as efficient in the adaptive model as they are in the offline model. Meanwhile, most lower bounds for differential privacy hold in the offline setting. This suggests that the three models might be equivalent.
 
We prove that these models are all, in fact, distinct. Specifically, we show that there is a family of statistical queries such that exponentially more queries from this family can be answered in the offline model than in the online model. We also exhibit a family of search queries such that many more queries from this family can be answered in the online model than in the adaptive model. We also investigate whether such separations might hold for simple queries, such as threshold queries over the real line.
 
Joint work with Thomas Steinke and Jonathan Ullman.

Related Links

• https://arxiv.org/abs/1604.04618 - Full version of manuscript

Research in modern biomedicine and social science often requires sample sizes so large that they can only be achieved through a pooled co-analysis of data from several studies. But the pooling of information from individuals in a central database that may be queried by researchers raises important governance questions and can be controversial. These reflect important societal and professional concerns about privacy, confidentiality and intellectual property. DataSHIELD provides a novel technological solution that circumvents some of the most basic challenges in facilitating the access of researchers and other healthcare professionals to individual-level data. Commands are sent from a central analysis computer (AC) to several data computers (DCs) that store the data to be co-analysed. Each DC is located at one of the studies contributing data to the analysis. The data sets are analysed simultaneously but in parallel. The separate parallelized analyses are linked by non-disclosive summary statistics and commands that are transmitted back and forth between the DCs and the AC. Technical implementation of DataSHIELD employs a specially modified R statistical environment linked to an Opal database deployed behind the computer firewall of each DC. Analysis is then controlled through a standard R environment at the AC. DataSHIELD is most often configured to carry out a – typically fully-efficient – analysis that is mathematically equivalent to placing all data from all studies in one central database and analysing them all together (with centre-effects, of course, where required). Alternatively, it can be set up for study-level meta-analysis: estimates and standard errors are derived independently from each study and are subject to centralized random effects meta-analysis at the AC. DataSHIELD is being developed as a flexible, easily extendible, open-source way to provide secure data access to a single study or data repository as well as for settings involving several studies. Although the talk will focus on the version of DataSHIELD that represents our current standard implementation, it will also explore some of our recent thinking in relation to issues such as vertically partitioned (record linkage) data, textual data and non-disclosive graphical visualisation. 

This session is for open discussion, to share ideas about opportunities for follow-up to the DLA programme:
- both scientific, regarding what has emerged from the programme and ways that this can be taken forward;
- and more practical, regarding e.g. future events, research programmes and opportunities for interaction.

The perspective of anonymisation is one of ‘I don’t know who you are, but I know this about you’, while the perspective of anti-discrimination legislation is the complementary ‘I don’t know this about you, but I know who you are’. I look at how organisations have attempted to comply with the law, and show that this has led to confusion and lack of compliance. The fundamental problem arises from ambiguous and incompatible definitions, and recent changes to the law have made it worse. I illustrate some of the damaging adverse consequences, for both individuals and for society, that have arisen from this confusion.

A frequent approach for anonymising datasets is for individuals to submit sensitive data records to a central authority. The central authority then is responsible for safely storing and sharing the data, for example by aggregating or perturbing records. However, this approach introduces the risk that the central authority may be compromised, whether this from an externally originated hacking attempt or as a result of an insider attack. As a result, central authorities responsible for handling sensitive data records must be well protected, often at great expense, and even then the risk of compromise will not be eliminated.

In this talk I will discuss an alternative anonymisation approach, where sensitive data records have identifiable information removed before being submitted to the central authority. In order for this approach to work, not only must this first-stage anonymisation prevent the data from disclosing the identity of the submitter, but also the data records must be submitted in such a way as to prevent the central authority from being able to establish the identity of the submitter from submission metadata. I will show how advances in network metadata anonymisation can be applied to facilitate this approach, including techniques to preserve validity of data despite not knowing the identity of contributors.