Re: [Gnumed-devel] experiments with gnumed - multiusers vnc, importing an au emr

[Karsten Hilbert]

On Tue, Apr 25, 2006 at 01:23:50PM +1000, Tim Churches wrote:

> I didn't mention it on the openEHR list (maybe I should) but merely
> removing the direct identifiers (names, DOB etc) does not de-identify or
> anonymise that data.
It does, indeed, de-identify (not anonymise) but only so
much (remember, it's a continuum).

> For example, if the record reveals "32 yr old male,
> with medical visits on 23/4/04, 12/6/05 and 14/01/06" then that record
> has a very high probability of being unique to an individual in even a
> large population.
True. But a) I don't know the population in the given case
and b) It's practically hard for *me* to find out things
about *Syan's* patient's. Hence it may be de-identified
enough for the purpose.

> Hence if I know your age and sex (easily discovered or
> ascertained) and I know that you had medical appointments on those dates
> (eg if I had access to your work leave records, as staff in the
> personnel department of your employer may have), then I can fairly
> easily which record belongs to you.
Quite a few ifs. Note that this is similar to a
cryptographic attack where there are plaintext clues for a
given ciphered message.

> Also, anonymity of data is a continuum - it is not
> dichotomous, and often it comes down to a risk judgement and some
> assumptions about what additional information an 'attacker' who might
> try to re-identify records might possess.
Precisely.

> If the data are to be made
> publicly available, you can't make any assumptions about what an
> attacker might or might not already know about a person, so you need to
> be very conservative.
That wasn't quite the objective just yet.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346