Information Leakage in Data Linkage
Peter Christen, Rainer Schnell, Anushka Vidanage
TL;DR
This paper analyzes information leakage in data linkage across organisations, comparing traditional data linkage (TDL) and privacy-preserving record linkage (PPRL). It provides a framework to identify what sensitive information in terms of $QID$, $PD$, and match status can be learned by each party (DO, LU, DM, DA, DU, DP) under single-party access and collusion, highlighting that PPRL does not fully hide these leaks and that DM can see $PD$ for non-matched records in some protocols. It offers a structured set of recommendations—use PPRL where feasible, rename data artifacts to reduce context leakage, enforce encryption and access controls, apply the Five Safes framework, and emphasize training and monitoring. The conclusion notes that none of the examined protocols fully prevent information leakage, motivating future work on designing leakage-resistant linkages with maintained utility.
Abstract
The process of linking databases that contain sensitive information about individuals across organisations is an increasingly common requirement in the health and social science research domains, as well as with governments and businesses. To protect personal data, protocols have been developed to limit the leakage of sensitive information. Furthermore, privacy-preserving record linkage (PPRL) techniques have been proposed to conduct linkage on encoded data. While PPRL techniques are now being employed in real-world applications, the focus of PPRL research has been on the technical aspects of linking sensitive data (such as encoding methods and cryptanalysis attacks), but not on organisational challenges when employing such techniques in practice. We analyse what sensitive information can possibly leak, either unintentionally or intentionally, in traditional data linkage as well as PPRL protocols, and what a party that participates in such a protocol can learn from the data it obtains legitimately within the protocol. We also show that PPRL protocols can still result in the unintentional leakage of sensitive information. We provide recommendations to help data custodians and other parties involved in a data linkage project to identify and prevent vulnerabilities and make their project more secure.
