Producing anonymous results

What does anonymisation mean?

Anonymisation refers to a process in which the material is processed in a way that

• it cannot be used to identify any individual persons either directly or indirectly
• it cannot be used to make any conclusions concerning a specific individual person
• any information concerning a specific person cannot be linked to any other material

The anonymous material must be impossible or exceedingly difficult to return to a form that could be used to identify any individuals. According to the Secondary Use Act, the results must be anonymous.

If there is a need to publish results that cannot be anonymised, this should be taken into account during the study’s planning process by considering using other criteria for carrying out the study, such as obtaining consent from the research subjects.

Note that while an individual result may be anonymous in itself, the risk of disclosure is present when several results are combined together. A typical example of this is the production of several frequency tables that use the same variable classifications. These can usually be combined to create more detailed frequency tables in which the data is defined in relation to several variables. Take into account how your results could be combined with both current and previous analyses. If you are aware of any prior publications whose analyses have utilised the same or nearly the same material or a subset of it, remember to provide at least the links to any such publications.

To protect study participants’ anonymity, the frequency present in the results is five at minimum. This criterion is used to ensure data protection. For justifiable reasons and on a case-by-case basis, deviations from this minimum frequency of <5 may be made and a minimum frequency of <3 may be used, for example, in the case of very small target groups, rare disease studies or studies concerning rare phenomena. This result must represent a significant finding that is necessary to report at this level of accuracy while still ensuring that the criteria for anonymity are met (i.e. the variables cannot be used to identify any specific individuals).

Provide Findata with access to sufficient background information for each analysis type to ensure their anonymity. This information must be displayed in connection with the result, next to the result or as a separate document so that the result and background information can be easily understood.

Findata uses the principles described in the table below as the basis for verifying anonymity.

Classification of disclosure risk by result type

Data type	Result type	General classification
Descriptive statistics
	Frequency table	To be verified
	Quantity table	To be verified
	Maximum, minimum, percentile, median	To be verified
	Mode	Generally safe
	Mean, indices, ratios, indicators	To be verified
	Degree of concentration	Generally safe
	Higher momentum indicators (such as variance, covariance, kurtosis, skewness)	Generally safe
	Graphs: visual representations of the original material	To be verified
Correlations and regression-type analyses
	Linear regression coefficients	Generally safe
	Non-linear regression coefficients	Generally safe
	Estimation residuals	To be verified
	Estimate summary and test variables (R2, χ2 etc.)	Generally safe
	Correlation coefficients	Generally safe
	Factor analysis	Generally safe
	Correspondence analysis	Generally safe

Descriptive indicators and analyses

In the text below, the terms “group” and “target group” refer to the observations from which statistics are calculated.

Minimum, maximum and range

In general, minimum and maximum often refer to individual units, which are the easiest to identify, meaning that they contain a clear disclosure risk. These can be published if the value of the statistics is based on more than one unit. Anonymity of these results can be improved by categorising data, as categories will then include several individuals. Consider using suitable quantiles alongside any minimum and maximum figures.

Fractiles – quantiles, deciles, percentiles, median

These can be published if the underlying frequency is large enough.

Mean, standard deviation

In rare cases, may contain a disclosure risk. Check that the result represents a sufficiently large group and that the entire target group is not issued the same value. Check that these statistics are not reported from several nearly identical groups or subgroups.

Mode

This can be published in principle, but check that it will not disclose the entire group, i.e. that it does not describe the value of the entire target group.

Higher momentum indicators, such as variance

These can be published in principle, as the indicator has been clearly converted from the original individual values. Make sure not to publish an excessive number of indicators from a small group, as they could serve to disclose the entire group.

Correlation coefficients

These can be published in principle when the group under consideration contains a sufficient number of observations.

Degrees of concentration

These can be published in principle when the group under consideration contains a sufficient number of observations.

Linear regression, non-linear regression

Coefficients can be published in principle.

Test variables

These can be published in principle.

Factor analysis

These can be published in principle, but make sure that your factors are not based on a single variable.

Principal component analysis

Main component vectors and their corresponding values can be published in principle. Check any projections of the main components (they correspond to scatter plot, see below).

Indices, ratios, indicators

Indices can be published in principle, but the calculation formula must be taken into account. Indices based on more complex formulas (e.g. Fisher Price) do not usually pose a disclosure risk, while very simple formulas are more prone to this, in which case they must be based on a sufficient number of observations. 

Gini coefficients

Gini coefficients must be calculated for a sufficiently large number of observations. Data needed for the verification process: calculation formula and possibly frequencies underlying the figures.

Graphs

The data protection evaluation process for graphs relies on aggregated tabular presentations, as they make it easier to perceive the frequency of the observations underlying the points or plots in a graph, which would usually be impossible to discern from the graph itself. Therefore, a table specifying the underlying frequencies should be provided with the graph if it is used to depict individual observations or a small target group.

Histogram

When using histograms, the data should be classified in a way that each individual class contains a sufficient number of observations. This can be particularly challenging for the tail ends of any normal distributions, for example. This instruction is proportional to the case of descriptive statistics, and it may thus limit the depiction of the entire tail.

Scatter chart or scatter plot

As a rule, each individual point in a scatter chart describes a single unit. Therefore, these types of charts and plots are not publishable without first grouping the data so that each point contains several observations. These can be published only if the data which the chart or plot is based on could be published as a table. However, the assessment process should also take into account whether a combination of the variables you have used would allow for the identification of any individuals. You can improve the anonymity of scatter charts by replacing them with a graph depicting the frequency of observations in grid cells or by adding randomness to your points.

Box plots

Box plots pose a disclosure risk in principle, as they contain dots that pertain to individual observations, and abnormal observations in particular could lead to the disclosure of someone’s identity. Means may also pose a disclosure risk. This instruction is proportional to the case of descriptive statistics, and any outlier observations pose a particular disclosure risk.

Residuals

Residuals refer to a single observation. When depicting any residuals, it is recommended to use a graph format instead of a graph that is based on individual points. If a graph based on individual points is used, avoid disclosing the values of the axes.

Survival analysis, Kaplan-Meier curve

These may include a disclosure risk, depending on the definition of the analysis. These may be published if each step of the curve corresponds to a sufficient number of observations. If it is clear that the data behind the curve cannot be used to determine any exact ages or dates, also steps with single observations can be allowed. Closer consideration needs to be done if the curve includes steps with single observations. That is because it is possible that detailed backround information may enable individual persons recognization.

Spatial analysis

Particularly challenging in terms of data protection, as location information usually plays a key role in the disclosure of an individual. Usually requires a great deal of reclassification and, preferably, presenting the data as thermal maps instead of observation points.

Other result types

Photographs and other imaging materials

Imaging materials are verified on a case-by-case basis. It is very difficult to define any general guidelines for imaging materials, as they represent such a diverse group of materials. Naturally, these types of materials may never contain any direct text-based identifiers, and the rougher an image is the more difficult it will be to identify. The persons who handle imaging materials are usually the best at determining the disclosure risk presented by each piece of material. For example, an image of a single tooth will rarely reveal the identity of its owner, but an entire tooth chart could be used for that purpose.

Hereditary genetic data

In terms of hereditary genetic data, indicators concerning a sufficiently small number of variants calculated from a sufficiently large group can be considered anonymous. However, these must be verified on a case-by-case basis.

Machine learning

In terms of neural networks and other machine learning models (decision trees, etc.), the actual publication of these materials is rarely needed. However, the need may arise for disclosing such results outside Kapseli, and the verification of these results will be carried out on a case-by-case basis. General instructions will be provided at a later date.

Individual-level data

The anonymity of individual-level data must always be ensured on a case-by-case basis. Contact Findata for more detailed instructions.

References

• Bond et al.: Guidelines for Output Checking (PDF file, 1515 kB)
• Brandt et al. (2009): Guidelines for the checking of output based on microdata research (ec.europa.eu)
• Griffiths, E. et al. (2019). Handbook on Statistical Disclosure Control for Outputs, version 1.0 2019
• Hundepool, Anco; Domingo-Ferrer, Josep; Franconi, Luisa; Giessing, Sarah; Schulte-Nordholt, Eric; Spicer, Keith & de Wolf, Peter-Paul (2012). Statistical Disclosure Control. Wiley

Publishing the results

In this context publication means bringing information to the public and spreading it to the surrounding society. Publication is defined as the presentation of results outside your own working group.

Publication may take place in a scientific or other journal, thesis, textbook or manual, conference or other presentation, or in an abstract, report, review or some form of internet publication.