On Tue, Apr 25, 2006 at 01:23:50PM +1000, Tim Churches wrote:

> I didn't mention it on the openEHR list (maybe I should) but merely
> removing the direct identifiers (names, DOB etc) does not de-identify or
> anonymise that data.

It does, indeed, de-identify (not anonymise) but only so much
(remember, it's a continuum).

> For example, if the record reveals "32 yr old male,
> with medical visits on 23/4/04, 12/6/05 and 14/01/06" then that record
> has a very high probability of being unique to an individual in even a
> large population.

True. But a) I don't know the population in the given case and
b) It's practically hard for *me* to find out things about
*Syan's* patients. Hence it may be de-identified enough for the
purpose.

> Hence if I know your age and sex (easily discovered or
> ascertained) and I know that you had medical appointments on those dates
> (eg if I had access to your work leave records, as staff in the
> personnel department of your employer may have), then I can fairly
> easily which record belongs to you.

Quite a few ifs. Note that this is similar to a cryptographic
attack where there are plaintext clues for a given ciphered
message.

> Also, anonymity of data is a continuum - it is not
> dichotomous, and often it comes down to a risk judgement and some
> assumptions about what additional information an 'attacker' who might
> try to re-identify records might possess.

Precisely.

> If the data are to be made
> publicly available, you can't make any assumptions about what an
> attacker might or might not already know about a person, so you need to
> be very conservative.

That wasn't quite the objective just yet.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
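
Added example, not part of the original message or of GNUmed code: a way to measure, before releasing an extract, how many records are unique on the quasi-identifiers discussed above (age, sex, visit dates), and how much coarsening them helps. The records, the field names and the 5-year/month generalisation are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample extract: direct identifiers (name, DOB) already removed.
# The first record uses the age, sex and visit dates quoted in the thread.
RECORDS = [
    {"age": 32, "sex": "M", "visits": [date(2004, 4, 23), date(2005, 6, 12), date(2006, 1, 14)]},
    {"age": 32, "sex": "M", "visits": [date(2004, 4, 2), date(2005, 6, 30), date(2006, 1, 3)]},
    {"age": 34, "sex": "M", "visits": [date(2004, 4, 9), date(2005, 6, 1), date(2006, 1, 20)]},
    {"age": 47, "sex": "F", "visits": [date(2005, 2, 7)]},
    {"age": 45, "sex": "F", "visits": [date(2005, 2, 19)]},
    {"age": 61, "sex": "F", "visits": [date(2003, 11, 5), date(2004, 3, 8)]},
]

def exact_key(rec):
    """Quasi-identifier tuple as released: exact age, sex, exact visit dates."""
    return (rec["age"], rec["sex"], tuple(sorted(rec["visits"])))

def coarse_key(rec, band=5):
    """Generalised tuple: age in `band`-year bands, visits as (year, month)."""
    lo = rec["age"] // band * band
    months = tuple(sorted((d.year, d.month) for d in rec["visits"]))
    return ((lo, lo + band - 1), rec["sex"], months)

def class_sizes(records, key):
    """For each record, how many records share its quasi-identifier tuple."""
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]

def risk_summary(records, key):
    """k = smallest equivalence class (k-anonymity); unique = records with k == 1."""
    sizes = class_sizes(records, key)
    return {"k": min(sizes), "unique": sum(1 for s in sizes if s == 1)}

if __name__ == "__main__":
    for name, key in (("exact", exact_key), ("coarse", coarse_key)):
        print(name, class_sizes(RECORDS, key), risk_summary(RECORDS, key))
```

With exact dates every record is its own class; coarsening merges most of them but still leaves one record unique, which is the continuum both posters describe.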
