Measuring The Impact of Spatial Perturbations on The Relationship Between Data Privacy and Validity of Descriptive Statistics

doi:10.21203/rs.3.rs-77449/v1

PDF

Research

Measuring The Impact of Spatial Perturbations on The Relationship Between Data Privacy and Validity of Descriptive Statistics

https://doi.org/10.21203/rs.3.rs-77449/v1

This work is licensed under a CC BY 4.0 License

Journal Publication

published 07 Jan, 2021

Read the published version in International Journal of Health Geographics →

You are reading this latest preprint version

Background: Like many scientific fields, epidemiology is addressing issues of research reproducibility. Spatial epidemiology, which often uses the inherently identifiable variable of participant address, must balance reproducibility with participant privacy. In this study, we assess the impact of several different data perturbation methods on key spatial statistics and patient privacy.

Methods: We analyzed the impact of perturbation on spatial patterns in the full set of address- level mortality data from Lawrence, MA during the period from 1911-1913. The original death locations were perturbed using seven different published approaches to stochastic and deterministic spatial data anonymization. Key spatial descriptive statistics were calculated for each perturbation, including changes in spatial pattern center, Global Moran’s I, Local Moran’s I, distance to the k-th nearest neighbors, and the L-function (a normalized form of Ripley’s K). A spatially adapted form of k-anonymity was used to measure the privacy protection conferred by each method, and the its compliance with HIPAA privacy standards.

Results: Random perturbation at 50 meters, donut masking between 5 and 50 meters, and Voronoi masking maintain the validity of descriptive spatial statistics better than other perturbations. Grid center masking with both 100x100 and 250x250 meter cells led to large changes in descriptive spatial statistics. None of the perturbation methods adhered to the HIPAA standard that all points have a k-anonymity > 10. All other perturbation methods employed had at least 265 points, or over 6%, not adhering to the HIPAA standard.

Conclusions: Using the set of published perturbation methods applied in this analysis, HIPAA- compliant de-identification was not compatible with maintaining key spatial patterns as measured by our chosen summary statistics. Further research should investigate alternate methods to balancing tradeoffs between spatial data privacy and preservation of key patterns in public health data that are of scientific and medical importance.

Geographic Information Systems

epidemiology

Data Privacy

HIPAA