FIDIS Deliverable D5.4: Anonymity in electronic government: a case-study analysis of governments’ identity knowledge

Anonymity and anonymization


Anonymization of official statistical data


Public institutions gather and process data for a wide variety of purposes. In many cases, it is useful for them to process personal data, i.e., data connected to identifiable individuals. However, large-scale processing of personal data allows databases to be combined through shared identifiers. This would significantly enhance the identity knowledge capacity of governments; particularly given the sensitive nature of medical data, serious privacy risks are associated with this type of data collection and processing.

Since for certain purposes, such as statistical analysis of official data in the health sector, it is not always necessary to process personal data, anonymization of data is an important tool to mitigate the privacy risks of large-scale data processing. In this chapter, we describe how anonymization can be implemented in a particular public sector without threatening the purposes of the data processing. For this, we have chosen two case studies in the health sector. These are relevant for the purpose of this deliverable, since they show that identification data need not necessarily be processed even when exploiting new opportunities of electronic data processing, in this case to generate statistical data throughout patients’ lifetimes.
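As an added illustration (not part of the deliverable, and using constructed sample records and a hypothetical key), the following shows the two points made above: a shared identifier lets a health registry be joined to an unrelated file, while replacing that identifier with a keyed pseudonym at the collecting body still allows statistics over a patient's lifetime.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (not from the deliverable): a health registry and an
# insurer's customer file that both carry the same national identifier.
HEALTH_RECORDS = [
    {"national_id": "P-1001", "year": 2019, "diagnosis": "I10"},
    {"national_id": "P-1001", "year": 2022, "diagnosis": "E11"},
    {"national_id": "P-1002", "year": 2021, "diagnosis": "J45"},
]
INSURANCE_FILE = [
    {"national_id": "P-1001", "name": "A. Muster"},
    {"national_id": "P-1002", "name": "B. Beispiel"},
]


def link_by_shared_identifier(health, insurance):
    """The risk the text describes: a join on the raw identifier maps names to diagnoses."""
    names = {r["national_id"]: r["name"] for r in insurance}
    linked = defaultdict(list)
    for r in health:
        name = names.get(r.get("national_id"))
        if name is not None:
            linked[name].append(r["diagnosis"])
    return dict(linked)


def pseudonymize(records, secret_key):
    """Replace the identifier with a keyed hash (HMAC-SHA256) before the data
    leave the collecting body. The same patient always gets the same pseudonym,
    so lifetime statistics remain possible; without the key, a pseudonym cannot
    be recomputed from a known identifier, so the join above no longer works."""
    out = []
    for r in records:
        tag = hmac.new(secret_key, r["national_id"].encode(), hashlib.sha256).hexdigest()[:16]
        pseudonymized = {k: v for k, v in r.items() if k != "national_id"}
        pseudonymized["pseudonym"] = tag
        out.append(pseudonymized)
    return out


def distinct_diagnoses_per_patient(pseudonymized):
    """A longitudinal statistic computed entirely on pseudonymous records."""
    per_patient = defaultdict(set)
    for r in pseudonymized:
        per_patient[r["pseudonym"]].add(r["diagnosis"])
    return {p: len(d) for p, d in per_patient.items()}
```

The key must stay with the collecting body (whoever holds it can re-identify), and rare combinations of diagnoses and years can still act as quasi-identifiers, so this is a step towards anonymization rather than the whole of it.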

The health sector is a good example to illustrate problems arising from the possession and processing of data. Typically, medical and health data contain identifying data, as well as sensitive data associated with these, namely data about one’s health situation, treatments, etc. These data are considered privacy-sensitive by almost everybody, and any misuse may immediately induce privacy concerns. Misuse may provoke serious disadvantages for people, as databases in the medical sector may contain very sensitive information about one’s life, one’s preferences, one’s problems, etc.

Data contained in such a database can be used for multiple, questionable, purposes. For instance: 

  1. An insurance company could use health data to measure the risk that a person will suffer from a certain disease and consequently refuse him any contract. 

  2. An employer may be interested in knowing whether a female employee wants to conceive children (easy to find out: is she buying contraceptives or not?). In most European countries, female employees are protected when expecting a child, but not when trying to conceive. 

  3. A banker may not grant a loan to a client who has a high risk of developing cancer. 

Governments try to tackle these problems and to focus on the privacy concerns connected to the processing and possession of health data. Legislation specifies clear procedures to be followed in order to guarantee one’s privacy up to a certain point. Additionally, procedures and protocols can help to guarantee anonymity to some extent in this context.  

We explain in this chapter that anonymization techniques can, from a technical perspective, help to guarantee non-identifiability in patients’ records filed in central medical databases. We show this using two case studies from Switzerland, a federal agency collecting health data, and an international data collection for orthopedic evaluative research.  

