Carnegie Mellon University

Data Privacy Course

Project Track 5: Provably Anonymous Data

Objective

A tenet in the Data Privacy Lab is to construct privacy solutions such that data can be shared with guarantees of privacy protection while the data remain practically useful. Described in this way, a privacy solution must have a compliance statement addressing the privacy guarantee provided. Likewise, a privacy solution must have a warranty statement addressing the usefulness that remains.

Projects in this track provide privacy solutions for sharing a medical database such that the data can be useful for answering public health questions but the identities of the patients who are the subjects of the data cannot be reliably determined. In these projects, the privacy compliance is to thwart the ability to re-identify the names of the patients by linking to population registers. This much be achieved while also warranting the data remain useful for public health survey.

Raw Materials

Health Data
In Lab 8a, you worked with a sample of hospital visit records of patients who died in the hospital. These records include demographic information, dates of admission, and diagnosis and treatment information. These records do not include any explicit identifiers such as name, address, or Social Security number. A copy is available in Excel .xls format and in HTML format.

ICD-9 Diagnosis Codes
In Lab 8a, you had to interpret ICD-9 diagnosis codes (from a code to an English description) in order to determine the diagnoses of patients during the hospital visit in which they died. A copy of this information is available in Excel .xls format and in HTML format.

Death Registry
In Lab 8a's assignment, the students in the class helped assemble a death registry of people who have some information matching the demographics in the health data. It is believed that most (about 90%) of the patients in the health data appear in this death registry. However, there are some patients in the health data (about 10%) that do not appear in the death registry at all. Conversely, there are some people in the death registry who do not appear in the health data. For example, there are 402 people in the death registry and only 200 people in the health data. A copy of the death registry is available in Excel, tab-delimited text, and HTML formats.

Measuring Identifiability
In Lab 8a's assignment, you estimated the identifiability of the patients in the health data. In lecture, Professor Sweeney described ways of measuring identifiabilty. Here are Professor Sweeney's slides on identifiability.

Anonymization Techniques
In lecture Professor Sweeney described numerous techniques that can be used to distort information to provide privacy protection. She also described formal protection models and introduced computational approaches. Here are Professor Sweeney's slides on techniques and first k-anonymity algorithms.

For related papers, see k-anonmity, and more k-anonmity, Gen-Tree

Project Ideas

The exact nature of your project is up to you with some guidance from the course TAs and Professor Sweeney. If you are interested in working in this track, then you will need to complete at least one of the activities below as your "first assignment." Then, you can complete a second activity below (or propose and complete another related activity of your own design), so that together they comprise your final project in the course.

Activity A
A well-known use by public health of medical data is to compute population-based statistics. In order to appreciate the usefulness of the data, compute the following aggregate statistics on the health data.

Compute the number of people that died per 5-digit ZIP code. Then, show aggregated results for the first 4-digits of the ZIP code and the first 3-digit of the ZIP codes. Report your results using a histogram.
Compute the number of people that died by their age. Then, show aggregated results for every 5 years and every 10 years. Report your results using a histogram.

Compute the number of people that died from terminal cancer. To make this determination, the patient must have at least one diagnosis code (dx, dx1, dx2, dx3, or dx4) having its first 3 digits be the same as one of prefixes listed below. For example, if a patient has diagnosis code 1629, then we claim the patient died of cancer because the first three digits of the code is 162, which appears in the table below (MAL NEO TRACHEA/LUNG). Report your results using a histogram.

ICD9 (first 3 digits)	ICD-9 Description
146	MALIG NEO OROPHARYNX
147	MALIG NEO NASOPHARYNX
148	MALIG NEOPL HYPOPHARYNX
150	MALIGNANT NEO ESOPHAGUS
151	MALIGNANT NEO STOMACH
152	MALIG NEO SMALL BOWEL
155	MALIGNANT NEOPLASM LIVER
156	MAL NEO GB/EXTRAHEPATIC
157	MALIGNANT NEO PANCREAS
158	MALIG NEO PERITONEUM
159	OTH MALIG NEO GI/PERITON
160	MAL NEO NASAL CAV/SINUS
162	MAL NEO TRACHEA/LUNG
163	MALIGNANT NEOPL PLEURA
164	MAL NEO THYMUS/MEDIASTIN
165	OTH/ILL-DEF MAL NEO RESP
170	MAL NEO BONE/ARTIC CART
183	MAL NEO UTERINE ADNEXA
189	MAL NEO URINARY NEC/NOS
191	MALIGNANT NEOPLASM BRAIN
192	MAL NEO NERVE NEC/NOS
194	MAL NEO OTHER ENDOCRINE
196	MALIG NEO LYMPH NODES
197	SECONDRY MAL NEO GI/RESP
198	SEC MALIG NEO OTH SITES
199	MALIGNANT NEOPLASM NOS
200	LYMPHOSARC/RETICULOSARC
201	HODGKIN'S DISEASE
202	OTH MAL NEO LYMPH/HISTIO
203	MULTIPLE MYELOMA ET AL
204	LYMPHOID LEUKEMIA
205	MYELOID LEUKEMIA
206	MONOCYTIC LEUKEMIA
207	OTHER SPECIFIED LEUKEMIA
208	LEUKEMIA-UNSPECIF CELL

In your assignment in Lab 8a, you re-identified many of the patients in the health data. For each person that you have re-identified in the health data that died from a terminal cancer, list the name of the person and the specific diagnosis of the person (use the English description). This list will include not only the basic cancer diagnosis above, but also the descriptions of the other diagnosis codes as well.

Your project presentation should include the histograms showing the usefulness of the health data, as well as the re-identifications. Visitors to your project should be able to scroll through the re-identifications and see the English descriptions of the diagnoses associated with the person.

Activity B
Imagine you are hired as a Data Privacy Officer. Your job is to release the health data so that the distributions computed in Activity A remain virtually the same, even though no one can reliably re-identify the patients by name. You may use any of the anonymization techniques or algorithms of your choice or of your own design. Try to keep as much detail in the data as possible in case there are other uses for the data. Show your results and compare them to those from Activity A.
Your project presentation should include comparative results. Visitors should be convinced that the resulting data remained useful but thwarts the re-identification.
Activity C
Revisit your submission of Lab 8a's assignment to make sure you have accurately re-identified as many patients in the health data as reliably possible. Update your computation of the identifiability of the health data.
Your project presentation will describe your scheme for matching names and provide some examples. Display your identifiability results graphically. In earlier work, Professor Sweeney reports that 87% of the population of the United States is uniquely identified by {date of birth, gender, 5-digit ZIP}; how does this compare with your findings? Vistors to your project should be able to view re-identified records including ambiguous cases.

Final report

Write a summary report of your findings. Include all graphs, tables, spreadsheets and findings reported as part of your project presentation. Submit your final report by email to paddataprivacylab.org. Additionally, FTP any supporing documents you have as spreadsheets or tab-delimited files, into your personal space on dataprivacylab.org.

Graduate credit

If you are taking this course for graduate credit, you must complete at least three of the activities above (not 2). Rather than writing a project report, you will write a conference-style paper on your work.

Fal 2004 Privacy and Anonymity in Data
Professor: Latanya Sweeney, Ph.D. [latanya@dataprivacylab.org]