Sunday, August 2, 2015

2015-033: Data anonymization and Valuation, Privacy, and Ethical medical research


Katherine Carpenter is a privacy consultant who has worked all over the world helping to develop guidelines for ethical medical research and the sharing of anonymized data, and helping companies understand the privacy issues associated with storing and sharing medical data.

 

This week, we discuss how companies should assign value to their data, the difficulties of doing research with anonymized data, and the ramifications of research organizations that share data irresponsibly.

 

email contact: carpenter.katherinej@gmail.com






http://jama.jamanetwork.com/article.aspx?articleid=192740

 

https://depts.washington.edu/bioethx/topics/consent.html



https://en.wikipedia.org/wiki/De-anonymization

https://en.wikipedia.org/wiki/Data_anonymization

https://en.wikipedia.org/wiki/De-identification

 

https://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

 

http://www.nature.com/news/privacy-protections-the-genome-hacker-1.12940

 

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html

 

https://en.wikipedia.org/wiki/Information_privacy_law

 

http://www.theguardian.com/technology/2015/apr/06/data-privacy-europe-facebook

 

http://www.theguardian.com/technology/2015/jun/15/eu-privacy-laws-data-regulations

 

http://www.theatlantic.com/technology/archive/2013/01/obscurity-a-better-way-to-think-about-your-data-than-privacy/267283/

 

http://fusion.net/story/171429/app-genetic-access-control-genes-dna-for-password/



###

 

Katherine’s note, comment, and links.

It is good to be thinking about de-identification (especially regarding health care data).

 

I think a better question to ask is how easy it is to re-identify information that has been de-identified. The HIPAA rule has 18 identifiers which count as Personally Identifiable Information (PII) or Personal Health Information (PHI), including birth date, zip code, and IP address. When data is collected in non-health contexts, these identifiers are not considered PII/PHI (for example, this kind of information can be used for marketing purposes or financial/credit-related purposes).

 

A brief history on the topic:

In 1997 a precocious grad student IDed the Governor of MA using purchased voter records to reID deIDed health information that was released. (This study was one motivator to pass HIPAA.) Further research along the same lines as the previous project can be summed up with a simple and scary statistic: in 2000, 87% of Americans may be uniquely identified by combining zip code, birthday and sex (gender).

 

For this reason, health information is threatened not only by deID’n & reID’n, but by the combination of and other types of information that are publicly available or available for purchase and could reveal things about an individual that would contribute to reID of individual’s health info.

 

Here are a bunch of articles that discuss the topic from different angles.

 

http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/

 

https://datafloq.com/read/re-identifying-anonymous-people-with-big-data/228

 

http://www.bloomberg.com/news/articles/2013-06-05/states-hospital-data-for-sale-puts-privacy-in-jeopardy

 

https://epic.org/privacy/reidentification/

 

http://news.harvard.edu/gazette/story/2011/10/you%E2%80%99re-not-so-anonymous/

 

Dwork, C. and Yekhanin, S. (2008), “New Efficient Attacks on Statistical Disclosure Control Mechanisms,” Advances in Cryptology—CRYPTO 2008, to appear, also at http://research.microsoft.com/research/sv/DatabasePrivacy/dy08.pdf

 

Is Deidentification Sufficient to Protect Health Privacy in Research?

Mark A. Rothstein http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3032399/
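
The uniqueness problem described in Katherine's note (zip code, birth date and sex combining into a near-unique key) can be measured on a dataset before it is released. The following is an added example, not part of the original show notes or Katherine's note: it counts how many records share each quasi-identifier combination, then repeats the check after coarsening. The records are constructed, and the field names and the coarsening rule (3-digit zip prefix, birth year only) are assumptions.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"zip": "12345", "dob": "1950-01-02", "sex": "M"},
    {"zip": "12399", "dob": "1950-08-15", "sex": "M"},
    {"zip": "12377", "dob": "1950-11-23", "sex": "M"},
    {"zip": "12345", "dob": "1972-03-14", "sex": "F"},
    {"zip": "12388", "dob": "1972-10-30", "sex": "F"},
    {"zip": "54321", "dob": "1988-06-21", "sex": "F"},
]

def generalize(record):
    """Coarsen quasi-identifiers (assumed rule): 3-digit zip prefix, birth year."""
    return {**record, "zip": record["zip"][:3] + "**", "dob": record["dob"][:4]}

def class_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def audit(records, keys=QUASI_IDENTIFIERS):
    """Return k (smallest class size) and the fraction of unique records."""
    if not records:
        raise ValueError("no records to audit")
    sizes = class_sizes(records, keys)
    unique = sum(1 for n in sizes.values() if n == 1)
    return {"k": min(sizes.values()), "classes": len(sizes),
            "unique_fraction": unique / len(records)}

def at_risk(records, k, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier class has fewer than k members."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[q] for q in keys)] < k]

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:        ", audit(RECORDS))
    print("generalized:", audit(coarse))
    # Outliers that survive generalization must be suppressed or coarsened further.
    outliers = at_risk(coarse, k=2)
    print("still below k=2:", outliers)
    released = [r for r in coarse if r not in outliers]
    print("after suppression:", audit(released))
```

In the sample, every raw record is unique; coarsening groups most of them, but one outlier remains in a class of its own until it is suppressed.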




Here is a new episode of Brakeing Down Security!
