Statistical disclosure control

The amount of computer-stored information is growing faster with each passing day. This growth and the way in which the stored data are accessed through a variety of channels have raised the alarm about the protection of the individual privacy of the respondents whose data are being collected and stored. On the one hand, data should be available to researchers and statistical agencies so that the necessary research and planning activities can be conducted. However, on the other hand, the right of respondents to privacy must be protected. Statistical disclosure control (SDC) is the discipline which cares about keeping a balance between data access and privacy protection. k-Anonymity is one particular approach to SDC for individual data (microdata): the record corresponding to a specific respondent is k-anonymous if an intruder can at best link the record to a group of k respondents containing the correct one. This paper surveys the use of a special clustering technique called microaggregation to provide k-anonymity.

Microaggregation is a Statistical Disclosure Con trol (SDC) technique that aims at protecting the privacy of individual respondents before their data are released. Optimally microaggregating multivariate data sets is known to be an NP-hard problem. Thus, using heuristics has been suggested as a possible strategy to tackle it. Specifically, Genetic Algorithms have been shown to be serious candidates that can find good solutions on small data sets. However, due to the very nature of these algorithms and the coding of the microaggregation problem, GA can hardly cope with large data sets. In order to apply them to large data sets, the latter have to be previously partitioned into smaller disjoint subsets that the GA can handle. In this article we summarise several proposals for partitioning data sets, in order to use GA to microaggregate them. In addition, we suggest a new partitioning strategy based on the variable-MDAV algorithm, and we compare it with the most relevant previous proposals. The experimental results show that our method outperforms the previous ones in terms of information loss.

Microaggregation is a clustering problem with cardinality constraints that originated in the area of statistical disclosure control for microdata. This article presents a method for multivariate microaggregation based on genetic algorithms (GA). The adaptations required to characterize the multivariate microaggregation problem are explained and justified. Extensive experimentation has been carried out with the aim of finding the best values for the most relevant parameters of the modified GA: the population size and the crossover and mutation rates. The experimental results demonstrate that our method finds the optimal solution to the problem in almost all experiments when working with small data sets. Thus, for small data sets the proposed method performs better than known polynomial heuristics and can be combined with these for larger data sets. Moreover, a sensitivity analysis of parameter values is reported which shows the influence of the parameters and their best values.

Micro-data protection is a hot topic in the field of Statistical Disclosure Control (SDC), that has gained special interest after the disclosure of 658000 queries by the AOL search engine in August 2006. Many algorithms, methods and properties have been proposed to deal with micro-data disclosure. p-Sensitive k-anonymity has been recently defined as a sophistication of k-anonymity. This new property requires that there be at least p different values for each confidential attribute within the records sharing a combination of key attributes. Like k-anonymity, the algorithm originally proposed to achieve this property was based on generalisations and suppressions; when data sets are numerical this has several data utility problems, namely turning numerical key attributes into categorical, injecting new categories, injecting missing data, and so on. In this article, we recall the foundational concepts of micro-aggregation, k-anonymity and p-sensitive k-anonymity. We show that kanonymity and p-sensitive k-anonymity can be achieved in numerical data sets by means of micro-aggregation heuristics properly adapted to deal with this task. In addition, we present and evaluate two heuristics for p-sensitive kanonymity which, being based on micro-aggregation, overcome most of the drawbacks resulting from the generalisation and suppression method.

Microaggregation is a Statistical Disclosure Con trol (SDC) technique that aims at protecting the privacy of individual respondents before their data are released. Optimally microaggregating multivariate data sets is known to be an NP-hard problem. Thus, using heuristics has been suggested as a possible strategy to tackle it. Specifically, Genetic Algorithms have been shown to be serious candidates that can find good solutions on small data sets. However, due to the very nature of these algorithms and the coding of the microaggregation problem, GA can hardly cope with large data sets. In order to apply them to large data sets, the latter have to be previously partitioned into smaller disjoint subsets that the GA can handle. In this article we summarise several proposals for partitioning data sets, in order to use GA to microaggregate them. In addition, we suggest a new partitioning strategy based on the variable-MDAV algorithm, and we compare it with the most relevant previous proposals. The experimental results show that our method outperforms the previous ones in terms of information loss.

The amount of computer-stored information is growing faster with each passing day. This growth and the way in which the stored data are accessed through a variety of channels have raised the alarm about the protection of the individual privacy of the respondents whose data are being collected and stored. On the one hand, data should be available to researchers and statistical agencies so that the necessary research and planning activities can be conducted. However, on the other hand, the right of respondents to privacy must be protected. Statistical disclosure control (SDC) is the discipline which cares about keeping a balance between data access and privacy protection. k-Anonymity is one particular approach to SDC for individual data (microdata): the record corresponding to a specific respondent is k-anonymous if an intruder can at best link the record to a group of k respondents containing the correct one. This paper surveys the use of a special clustering technique called microaggregation to provide k-anonymity.

Microaggregation is a family of methods for statistical disclosure control (SDC) of microdata (records on individuals and/or companies), that is, for masking microdata so that they can be released without disclosing private information on the underlying individuals. Microaggregation techniques are currently being used by many statistical agencies. The principle of microaggregation is to group original database records into small aggregates prior to publication. Each aggregate should contain at least k records to prevent disclosure of individual information, where k is a constant value preset by the data protector. In addition to it being a good masking method, microaggregation has recently been shown useful to achieve k-anonymity. In k-anonymity, the parameter k specifies the maximum acceptable disclosure risk, so that, once a value for k has been selected, the only job left is to maximize data utility: if microaggregation is used to implement k-anonymity, maximizing utility can be achieved by microaggregating optimally, i.e. with minimum within-groups variability loss. Unfortunately, optimal microaggregation can only be computed in polynomial time for univariate data. For multivariate data, it has been shown to be NP-hard. We present in this paper a polynomial-time approximation to microaggregate multivariate numerical data for which bounds to optimal microaggregation can be derived at least for two different optimality criteria: minimum within-groups Euclidean distance and minimum within-groups sum of squares. Beyond the theoretical interest of being the first microaggregation proposal with proven approximation bounds for any k, our method is empirically shown to be comparable to the best available heuristics for multivariate microaggregation.

Increased corporate, government and academic demand has prompted official statistics to release individual respondent data (microdata) in addition to the traditional tabular data. Microdata must be masked by a statistical disclosure control (SDC) method before being published, because otherwise the statistical confidentiality of respondents would be compromised. A novel application of watermarking is discussed in this paper which allows multilevel access to numerical microdata: depending on her clearance, the data user can remove more or less of the masking. Nonprivileged users just see the published data, but as the clearance of a user increases she can get a data set which is closer and closer to the original one.

Unlike aggregated census tabulations, census microdata provide information about individual persons and households. This makes it possible for researchers to design analyses tailored to their particular research questions. Other microdata sources—such as demographic and labor force surveys—often offer greater subject coverage and detail than do census data, but no alternate source offers comparable sample density, chronological depth, and geographic coverage.

The application of many anonymization methods is complex and requires knowledge of the methods and access to suitable tools for implementation. For users comfortable with using R, the package sdcMicro [1] provides a tool for the application of a comprehensive suite of methods commonly used and described in literature on disclosure control. Users not familiar with R [2], but who have an immediate need for tools to anonymize data, would benefit from a friendly Graphic User Interface (GUI) for the sdcMicro package. To provide a GUI environment for the non-R user we have developed a Shiny [3] application called sdcApp, which is included in the sdcMicro package. Users of the GUI are able to implement the most widely used anonymization methods present in the sdcMicro package without requiring in-depth knowledge of R. In addition to the anonymization methods implemented in the sdcMicro package, the GUI offers a comprehensive set of risk and utility measures. This includes functions to meas...

Blocking is a well-known technique used to partition a set of records into several subsets of manageable size. The standard approach to blocking is to split the records according to the values of one or several attributes (called blocking attributes). This paper presents a new blocking method based on 2 d -trees for intelligently partitioning very large data sets for microaggregation. A number of experiments has been carried out in order to compare our method with the most typical univariate one.

Protecting personal data is essential to guarantee the rule of law 1 . Due to the new Information and Communication Technologies (ICTs) unprecedented amounts of personal data can be stored and analysed. Thus, if the proper measures are not taken, individual privacy could be in jeopardy. Being the aim to protect individual privacy, a great variety of statistical disclosure control (SDC) techniques has been proposed. Amongst many others, k-anonymity is a promising property that, if properly achieved, can help protect individual privacy. In this paper, we propose a new post-processing method that can be applied after a k-anonymity algorithm, being the aim to lessen the errors resulting from the aggregation of data. We show that our method can be extended to work with many other SDC techniques and we provide some experimental results which emphasise the usefulness of our proposal.

k-Anonymity is a privacy model requiring that all combinations of key attributes in a database be repeated at least for k records. It has been shown that k-anonymity alone does not always ensure privacy. A number of sophistications of k-anonymity have been proposed, like p-sensitive k-anonymity, l-diversity and t-closeness. We identify some shortcomings of those models and propose a new model called (k, p, q, r)anonymity. Also, we propose a computational procedure to achieve this new model that relies on microaggregation.

Microaggregation is a clustering problem with cardinality constraints that originated in the area of statistical disclosure control for microdata. This article presents a method for multivariate microaggregation based on genetic algorithms (GA). The adaptations required to characterize the multivariate microaggregation problem are explained and justified. Extensive experimentation has been carried out with the aim of finding the best values for the most relevant parameters of the modified GA: the population size and the crossover and mutation rates. The experimental results demonstrate that our method finds the optimal solution to the problem in almost all experiments when working with small data sets. Thus, for small data sets the proposed method performs better than known polynomial heuristics and can be combined with these for larger data sets. Moreover, a sensitivity analysis of parameter values is reported which shows the influence of the parameters and their best values.

Statistical Disclosure Control (SDC) is an active research area in the recent years. The goal is to transform an original dataset X into a protected one X , such that X does not reveal any relation between confidential and (quasi-)identifier attributes and such that X can be used to compute reliable statistical information about X. Many specific protection methods have been proposed and analyzed, with respect to the levels of privacy and utility that they offer. However, when measuring utility, only differences between the statistical values of X and X are considered. This would indicate that datasets protected by SDC methods can be used only for statistical purposes. We show in this paper that this is not the case, because a protected dataset X can be used to construct good classifiers for future data. To do so, we describe an extensive set of experiments that we have run with different SDC protection methods and different (real) datasets. In general, the resulting classifiers are very good, which is good news for both the SDC and the Privacy-preserving Data Mining communities. In particular, our results question the necessity of some specific protection methods that have appeared in the privacy-preserving data mining (PPDM) literature with the clear goal of providing good classification.

Microaggregation for Statistical Disclosure Control (SDC) is a family of methods to protect microdata from individual identification. SDC seeks to protect microdata in such a way that can be published and mined without providing any private information that can be linked to specific individuals. The aim of SDC is to modify the original microdata in such a way that the modified data and the original data are similar. Microaggregation works by partitioning the microdata into groups, also called clusters of at least k records and then replacing the records in each group with the centroid of the group. In this work we introduce a new microaggregation method, where the centroid is considered as median. The new method guarantees that the microaggregated data and the original data are similar by using statistical test. Another contribution of this work is that we propose a distance metric, called absolute deviation from median (ADM) to evaluate the amount of mutual information among records in microdata. We showed that ADM is always less than the most commonly used measure of distortion called sum of squares of errors (SSE) for any dataset. Thus ADM causes least information loss and can be used as a measure of information loss for a microaggregated microdata set.

k-anonymous microaggregation is a standard technique to improve privacy of individuals whose personal data is used in microdata databases. Unlike semantic privacy requirements like differential privacy, k-anonymity allows the unrestricted publication of data, suitable for all kinds of analysis since every individual is hidden in a cluster of size at least k. Microaggregation can preserve a high level of utility, that means small information loss caused by the aggregation procedure, compared to other anonymization techniques like generalization or suppression. Minimizing the information loss in k-anonymous microaggregation is an NP-hard clustering problem for k ≥ 3. Even more, no efficient approximation algorithms with a nontrivial approximation ratio are known. Therefore, a bunch of heuristics have been developed to restrain high utility -all with quadratic time complexity in the size of the database at least. We improve this situation in several respects providing a tradeoff between computational effort and utility. First, a quadratic time algorithm ONA * is presented that achieves significantly better utility for standard benchmarks. Next, an almost linear time algorithm is developed that gives worse, but still acceptable utility. This is achieved by a suitable adaption of the Mondrian clustering algorithm. Finally, combining both techniques a new class MONA of parameterized algorithms is designed that deliver competitive utility for user-specified time constraints between almost linear and quadratic. a

This paper describes a geographically intelligent approach to disclosure control for protecting flexibly aggregated census data. Increased analytical power has stimulated user demand for more detailed information for smaller geographical areas and customized boundaries. Consequently it is vital that improved methods of statistical disclosure control are developed to protect against the increased disclosure risk. Traditionally methods of statistical disclosure control have been aspatial in nature. Here we present a geographically intelligent approach that takes into account the spatial distribution of risk. We describe empirical work illustrating how the flexibility of this new method, called local density swapping, is an improved alternative to random record swapping in terms of risk-utility.

44 45 46 (58) Field of Classification Search ................ 358/1.13, 358/1.18, 1.15, 1.16; 709/231, 234 See application file for complete search history. (56) References Cited U.S. PATENT DOCUMENTS 4,649,513 A * 3/1987 Martin et al. ............... 71.5/210 4,651.278 A * 3/1987 Herzog et al. .............. 358,118 5,713,032 A 1/1998 Spencer ...................... 715,209 5,717.922 A * 2/1998 Hohensee et al. ..... ... 707/100 5,727,220 A * 3/1998 Hohensee et al. ........... T15,234 5,768.488 A 6/1998 Stone et al. ................ 358,118 5,813,020 A * 9/1998 Hohensee et al. ........... T15,234 5,982,997 A 11/1999 Stone et al. ................ 358,115 6,010,261 A 1/2000 Maekawa ................... 400,605 6,097.498 A * 8/2000 Debry et al. ............... 358,113 6,327,624 B1* 12/2001 Mathewson et al. ......... TO9,231 6,407,821 B1* 6/2002 Hohensee et al. .......... 358,115

This document provides a comprehensive critical literature analysis of Statistical Disclosure Control (SDC), highlighting its methodologies, applications, and implications for data protection. The significance of SDC lies in its critical role in ensuring privacy during the dissemination of sensitive data. As data becomes increasingly prevalent in various sectors, the demand for robust privacy mechanisms has amplified, urging the need for effective SDC strategies

The assessment of statistical disclosure risk often requires the linking of data. There are effective means of linking data for simple scenarios; but it is not clear how best to approach linkage for more complex scenarios. We examine linkage approaches for three simple scenarios and argue that they might be combined.

An important aspect of disclosure control is the isolation and control of individual-level records that have a high probability of being identified (as their contents, or variables. are unusual) consider, for example, a sixteen-year-old widow. However, many such datasets contain temporal information relating specifically to an individual which needs to be addressed when making such decisions. An unusual temporal sequence of events pertaining to an individual has the potential to lead to disclosure but is missed if the analysis is restricted to a single period in time. Algorithms have been specifically designed to conduct a comprehensive search for "risky" records in survey-type data in a single period of time. This paper examines the extension of one of these for finding temporal sequences which may pose a disclosure risk to individuals in a datasets. Preliminary results indicates that this methodology has the potential to enhance disclosure control techniques significantly.

The Key Variable Mapping System (KVMS) is an approach for identifying matching possibilities across datasets within a data environment. It is a formalised approach for identifying key variables. An overview of KVMS is provided in Elliot et al. (2010). The original KVMS was implemented in a spreadsheet. The user had to enter information about datasets and variable categorisations manually across several sheets. The KVMS incorporated the idea of a harmonization graph which related the various categorisations of a variable across different forms, although these had to be constructed manually and were not used within the KVMS. The new KVMS is based on a more formal mathematical definition of a harmonization graph, and the harmonization graph is constructed automatically from graphical models created on data entry. Data entry is simplified and inconsistencies in categorisations are identified immediately by reference to the underlying graphical models that drive the system. Inferences re...

As data mining is used to extract valuable information from large amount of data. But this is harmful in some cases so some kind of protection is required for sensitive information. So privacy preserving mining is emerge with the goal to provide protection from mining. There are many research branches in this area. This paper focus on analyzing different techniques of privacy persevering and specify there requirement for special type of cases.

This paper surveys the fields of Statistical Disclosure Control (SDC) and Micro-Aggregation Techniques (MATs), which are both areas fundamental to the science of secure Statistical DataBases (SDBs). The paper is written from the perspective of a computer scientist with the hope that it will prove to be a source of reference material useful to researchers and practitioners in the field. The paper first introduces the concept of SDC and describes the domain of its applications and the various data types that are currently used in SDBs. It then proceeds to focus on the family of micro-data types in SDBs. At this juncture, we introduce the importance of the relevant measures, namely the metrics termed as the Information Loss (IL) and the Disclosure Risk (DR), after which we survey the various methods of resolving the conflicting goals that these metrics represent. Thereafter, the paper summarizes the perturbative and nonperturbative SDC methods for micro-data protection, and it focuses on the families of MATs by formally stating the Micro-Aggregation Problem and surveying it in a comprehensive manner. Apart from the paper including a historical view of the field of MATs, it describes a broad selection of work that has been reported more recently. Indeed, we believe that this paper represents a complete overview of the state-of-theart techniques.

data user is assessed on two dimensions ing information Ways exist however to resolve the horizontal axis is the level of knowledge about this value paradox in an important context Sta-the legitimate object of empirical inquiry the verti tistical information can be provided while preserving cal axis is the level of knowledge about the confidential specified level of confidentiality protection The gen-item era approach is to provide disclosure-limited data that maximize their statistical utility subject to confidential-Figure Characterization of Data Users Knowledge ity constraints Disclosure limitation based on Markov chain methods that respect the underlying uncertainty in real data is examined For use with categorical data tables method called Markov perturbation is proposed II Dt as an extension of the PRAM method of Kooiman Confidential Willenborg and Gouweleeuw 1997 Markov pertur-Items bation allows cross-classified marginal totals to be main tained and promises to provide more information than Maximum the commonly used cell suppression technique

With the surging demand for Internet of Things (IoT) healthcare applications, a myriad of data privacy concerns come to light. Cloud computing inherits the risks of exposing data to re-identification vulnerabilities. A secure solution is storing and processing data locally on edge, but it lacks the provision of powerful machine learning (ML) needs. An improved computing framework is required to incorporate ML capabilities and user-data confidentiality. We perform a systematic study of IoT healthcare systems and propose a three-tier architecture that protects and enables data sharing. The edge anonymizes data using differential privacy (DP); transmits it to the cloud to train ML classifier; sent back trained classifier to edge to make inferences. Our findings show 1) XgBoost classifier performs relatively well; classifiers accuracy trained using DP data is close to that of original data 2) Round-trip execution performance of architecture shows high average mean and variance with high...

In this paper we will give an overview of the CENEX project and concentrate on the current state of affairs with respect to the ARGUS-software twins. The CENEX (Centre of Excellence) is a new initiative by Eurostat. The main idea behind the CENEX-concept is to join the forces of the national NSI's and together bring the skills of the NSI's on a higher level. The CENEX on Statistical Disclosure Control is a first pilot CENEX-project both aiming at testing the feasibility of the CENEX idea and working on SDC. This project will make a start of writing a handbook on SDC, after an inventory and extend the ARGUS software with an emphasis on issues of practical use. Within this CENEX we will organise the transfer of technology via courses, a WEB-site and this conference. Finally a roadmap for future work will hopefully lead to a follow-up CENEX. In this paper we will summarise this CENEX-project and give a short overview of the current versions of ARGUS.

In this paper, we explore how anonymizing data to preserve privacy affects the utility of the classification rules discoverable in the data. In order for an analysis of anonymized data to provide useful results, the data should have as much of the information contained in the original data as possible. Therein lies a problem – how does one make sure that anonymized data still contains the information it had before anonymization? This question is not the same as asking if an accurate classifier can be built from the anonymized data. Often in the literature, the prediction accuracy of a classifier made from anonymized data is used as evidence that the data are similar to the original. We demonstrate that this is not the case, and we propose a new methodology for measuring the retention of the rules that existed in the original data. We then use our methodology to design three measures that can be easily implemented, each measuring aspects of the data that no pre-existing techniques ca...

During the whole process of data mining (from data collection to knowledge discovery) various sensitive data get exposed to several parties including data collectors, cleaners, preprocessors, miners and decision makers. The exposure of sensitive data can potentially lead to breach of individual privacy. Therefore, many privacy preserving techniques have been proposed recently. In this paper we present a framework that uses a few novel noise addition techniques for protecting individual privacy while maintaining ahigh data quality. We add noise to all attributes, both numerical and categorical. We present a novel technique for clustering categorical values and use it for noise addition purpose. A security analysis is also presented for measuring the security level of a data set.

We develop a non-parametric imputation method for item non-response based on the wellknown hot-deck approach. The proposed imputation method is developed for imputing numerical data that ensure that all record-level edit rules are satisfied and previously estimated or known totals are exactly preserved. We propose a sequential hot-deck imputation approach that takes into account survey weights. Original survey weights are not changed, rather the imputations themselves are calibrated so that weighted estimates will equal known or estimated population totals. Edit rules are preserved by integrating the sequential hot-deck imputation with Fourier-Motzkin elimination which defines the range of feasible values that can be used for imputation such that all record-level edits will be satisfied. We apply the proposed imputation method under different scenarios of random and nearest-neighbour hot-deck on two data sets: an annual structural business survey and a synthetically generated data set with a large proportion of missing data. We compare the proposed imputation methods to standard imputation methods based on a set of evaluation measures.

We define the disclosure risk scenarios that led to the statistical disclosure control (SDC) methods for the 2001 UK Census. We examine the SDC methods that were implemented based on a disclosure risk-data utility framework and assess whether the methods managed the disclosure risk while maintaining the utility and quality of the outputs. We conclude with final remarks and goals for forming strategies for future Censuses.

An overview of traditional types of data dissemination at statistical agencies is provided including definitions of disclosure risks, the quantification of disclosure risk and data utility and common statistical disclosure limitation (SDL) methods. However, with technological advancements and the increasing push by governments for openand accessible data, new forms of data dissemination are currently being explored. We focus on web-based applications such as flexible table builders and remote analysis servers, synthetic data and remote access. Many of these applications introduce new challenges for statistical agencies as they are gradually relinquishing some of their control on what data is released. There is now more recognition of the need for perturbative methods to protect the confidentiality of data subjects. These new forms of data dissemination are changing the landscape of how disclosure risks are conceptualized and the types of SDL methods that need to be applied to protec...

Statistical agencies are considering making more use of the internet to disseminate census tabular outputs through flexible table generation servers that allow users to define and generate their own tables. The key questions when considering the development of these servers is what data should be used in the background for producing tables and what method of statistical disclosure control (SDC) should be applied. For 'on-the-fly' table generation, the server has to measure the disclosure risk in the table, apply a perturbation method and reassess the disclosure risk. SDC methods may be applied on the underlying data in the server where all tables generated would be considered safe, or applied on the final output table generated from original data. Besides disclosure risk, the server should provide measures of information loss in the perturbed table compared to the original table. In this paper, we examine the development of a flexible table generating server and compare different applications and the timing of SDC through disclosure risk and data utility measures. These measures are based on Information Theory which is particularly useful for assessing attribute disclosure arising from the structural zeros in the table.

This paper provides a review of common statistical disclosure control (SDC) methods implemented at Statistical Agencies for standard tabular outputs containing whole population counts from a Census (either enumerated or based on a register). These methods include record swapping on the microdata prior to its tabulation and rounding of entries in the tables after they are produced. The approach for assessing SDC methods is based on a disclosure risk-data utility framework and the need to find the balance between managing disclosure risk while maximizing the amount of information that can be released to users and ensuring high quality outputs. To carry out the analysis, quantitative measures of disclosure risk and data utility are defined and methods compared. Conclusions from the analysis show that record swapping as a sole SDC method leaves high probabilities of disclosure risk. Targeted record swapping lowers the disclosure risk, but there is more distortion to distributions. Small cell adjustments (rounding) give protection to Census tables by eliminating small cells but only one set of variables and geographies can be disseminated in order to avoid disclosure by differencing nested tables. Full random rounding offers more protection against disclosure by differencing, but margins are typically rounded separately from the internal cells and tables are not additive. Rounding procedures protect against the perception of disclosure risk compared to record swapping since no small cells appear in the tables. Combining rounding with record swapping raises the level of protection but increases the loss of utility to Census tabular outputs. For some statistical analysis, the combination of record swapping and rounding balances to some degree opposing effects that the methods have on the utility of the tables.

Statistical offices are faced with the problem of multiple-database data mining at least for two reasons. On one side, there is a trend to avoid direct collection of data from respondents and use instead administrative data sources to build statistical data; such administrative sources are typically diverses and scattered across several administration level. On the other side, intruders may attempt disclosure of confidential statistical data by using the same approach, i.e. by linking whatever databases they can obtain. This paper discusses issues related to multipledatabase data mining, with a special focus on a method for linking records across databases which do not share any variables .

This study examines how the adoption of International Financial Reporting Standard (IFRS) 8, Operating Segments , changed the entity-wide geographic segment reporting by European, Australian and New Zealand blue chip companies. The focus is on the revised requirements that companies disclose revenues for the country of domicile and other material countries. Specifically, it investigates the materiality level companies use to determine material countries and whether the revised requirements result in a finer set of geographic information than previously disclosed under International Accounting Standard (IAS) 14R. The study finds a significant decrease in the number of companies reporting only broad geographic regions and a significant increase in the number of companies reporting country specific segments and a mix of countries and regions after the adoption of IFRS 8. The increase in companies reporting country specific and mixed segments indicates that the requirement to disclose material countries under IFRS 8 resulted in a significant number of companies reporting disaggregated revenues at the individual country level. To the extent country specific information is more useful, financial analysts and the International Accounting Standards Board (IASB) should welcome this result. All three fineness measures increase significantly with the adoption of IFRS 8. These results indicate that the adoption of IFRS 8 did improve the fineness of the geographic disclosures provided by companies and suggests that the geographic data provided under IFRS 8 is less aggregated than the disclosures under IAS 14R.

The Five Safes framework is increasingly widely used for data governance. Since its conception in 2003, it has influenced data management in many ways, particularly in the public sector. As it has become established, both the advantages and limitations have come to the fore, along with an understanding of modern data management principles. This paper explores the history, strengths and limitations in the Five Safes, as well as recent suggestions for deepening or extending the framework. It places the Five Safes in the context of contemporary developments in principles-based design, user-centred planning, and the evidence-based decision-making. It discusses the different variations on the framework over time, and questions whether there is a need for a fundamental rethink. The paper argues that the framework works best when aligned simultaneously to an accreditation process, a principles-based design ethos, an evidence-base, and a user-centred decision-making process. It examines two...

Traditional models of incentivising people suggest that positive incentives are more effective than negative ones. We argue that in data access the opposite can be true, as the assumptions made at the design stage can fundamentally change the user environment and hence perceptions of the ‘right’ way to act. Such assumptions also affect the ‘legitimacy’ of any control measures: empathy can encourage positive reinforcement. Both of these issues are dependent upon the training given to data users, particularly if this can develop a self-policing ethos. Hence training (of the ‘right kind’) should be seen as a positive investment to improve the benefit:cost ratio, rather than unavoidable expenditure. The focus on policing rather than engagement is particularly acute when considering the vast research potential of the data resources in the public sector. Although evidence-based policymaking is widely supported, specific costs and diffuse benefits encourage an overly risk-averse environmen...