Difference between revisions of "De-identification"
Revision as of 22:16, 16 November 2017
Read First
- Some survey variables allow identification of individual respondents. These variables are called Personally Identifiable Information (PII)
- It is the responsibility of researchers to make sure this data is private and safely stored
- PII must be saved in encrypted folders and removed from data sets as soon as possible in the project
- No PII can ever be publicly released without explicit consent
Personally Identifiable Information
In the context of a survey, personally identifiable information (PII) consists of the variables that can, either on their own or in combination with other variables, lead to identifying a single surveyed individual. Here is a list of variables that may lead to personal identification:
- Names of survey respondent, household members, enumerators and other individuals
- Names of schools, clinics, villages and possibly other administrative units (depending on the survey)
- Dates of birth
- GPS coordinates
- Contact information
- Record identifier (social security number, process number, medical record number, national clinic code, license plate, IP address)
- Pictures (of individuals, houses, etc)
A few examples of sensitive variables that, depending on the survey context, may contain personally identifying information:
- Age
- Gender
- Ethnicity
- Grades, salary, job position
As these variables exemplify, exactly what counts as PII depends on the context of each survey. For example, if a survey covers a small farming community, variables such as plot size and crops cultivated can be combined to identify an individual household. Administrative units can be considered PII if there are few individuals in each of them. The guidelines for dealing with PII are discussed below, but three common solutions are (1) drop PII variables, (2) use anonymous codes instead of names, and (3) introduce white noise.
Guidelines
Folder Encryption
De-identification
Drop variables
Variables such as individual names (including survey respondent, family members, employees, enumerators), household coordinates, birth dates, contact information, IP address, and job position should be dropped.
Encode variables
Personally identifiable categorical variables that are needed for analysis, such as individual identifiers, administrative units, ethnicity, etc., can be de-identified by encoding. That means dropping the value labels from the factor variable, so that it is possible to tell which individuals are in the same group, but not what group that is. Be careful to use anonymous IDs in this case, not a pre-existing code such as the State code used by the National Statistics Bureau or another authority.
Introduce white noise
For numeric variables that can be used to identify individuals, such as GPS coordinates, white noise can be introduced.
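The three steps above (drop, encode, add white noise) applied in one pass, as an added example that is not part of the original article. The sample rows, the variable names and the noise standard deviation of 0.05 degrees are assumptions made for illustration.

```python
import random

# Constructed sample survey rows (not real data).
ROWS = [
    {"name": "A. Example", "birth_date": "1980-01-02", "state_code": 35,
     "lat": -23.5505, "lon": -46.6333, "income": 1200},
    {"name": "B. Example", "birth_date": "1975-06-30", "state_code": 35,
     "lat": -23.5610, "lon": -46.6550, "income": 900},
    {"name": "C. Example", "birth_date": "1990-11-15", "state_code": 33,
     "lat": -22.9068, "lon": -43.1729, "income": 1500},
]

DROP = {"name", "birth_date"}        # direct identifiers: removed outright
ENCODE = {"state_code"}              # grouping variables: replaced by anonymous IDs
NOISE = {"lat": 0.05, "lon": 0.05}   # assumed std. dev. of the added noise, in degrees


def deidentify(rows, drop=DROP, encode=ENCODE, noise=NOISE, rng=None):
    """Return (de-identified rows, code books mapping original value -> anonymous ID)."""
    rng = rng or random.SystemRandom()  # OS randomness, so IDs and noise are not reproducible
    codebooks = {}
    for var in encode:
        values = sorted({r[var] for r in rows})
        ids = list(range(1, len(values) + 1))
        rng.shuffle(ids)  # anonymous IDs must not follow the order of the official codes
        codebooks[var] = dict(zip(values, ids))
    out = []
    for r in rows:
        clean = {}
        for var, value in r.items():
            if var in drop:
                continue  # step 1: drop the variable
            if var in encode:
                clean[var + "_anon"] = codebooks[var][value]  # step 2: encode
            elif var in noise:
                clean[var] = value + rng.gauss(0, noise[var])  # step 3: zero-mean white noise
            else:
                clean[var] = value
        out.append(clean)
    return out, codebooks
```

The returned code books map the anonymous IDs back to the original values, so they are themselves PII and belong in the encrypted folder, not with the de-identified data set.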
Anonymous IDs
Back to Parent
This article is part of the topic Data Analysis