Table of Contents
Fetching ...

Information Leakage in Data Linkage

Peter Christen, Rainer Schnell, Anushka Vidanage

TL;DR

This paper analyzes information leakage in data linkage across organisations, comparing traditional data linkage (TDL) and privacy-preserving record linkage (PPRL). It provides a framework to identify what sensitive information in terms of $QID$, $PD$, and match status can be learned by each party (DO, LU, DM, DA, DU, DP) under single-party access and collusion, highlighting that PPRL does not fully hide these leaks and that DM can see $PD$ for non-matched records in some protocols. It offers a structured set of recommendations—use PPRL where feasible, rename data artifacts to reduce context leakage, enforce encryption and access controls, apply the Five Safes framework, and emphasize training and monitoring. The conclusion notes that none of the examined protocols fully prevent information leakage, motivating future work on designing leakage-resistant linkages with maintained utility.

Abstract

The process of linking databases that contain sensitive information about individuals across organisations is an increasingly common requirement in the health and social science research domains, as well as with governments and businesses. To protect personal data, protocols have been developed to limit the leakage of sensitive information. Furthermore, privacy-preserving record linkage (PPRL) techniques have been proposed to conduct linkage on encoded data. While PPRL techniques are now being employed in real-world applications, the focus of PPRL research has been on the technical aspects of linking sensitive data (such as encoding methods and cryptanalysis attacks), but not on organisational challenges when employing such techniques in practice. We analyse what sensitive information can possibly leak, either unintentionally or intentionally, in traditional data linkage as well as PPRL protocols, and what a party that participates in such a protocol can learn from the data it obtains legitimately within the protocol. We also show that PPRL protocols can still result in the unintentional leakage of sensitive information. We provide recommendations to help data custodians and other parties involved in a data linkage project to identify and prevent vulnerabilities and make their project more secure.

Information Leakage in Data Linkage

TL;DR

This paper analyzes information leakage in data linkage across organisations, comparing traditional data linkage (TDL) and privacy-preserving record linkage (PPRL). It provides a framework to identify what sensitive information in terms of , , and match status can be learned by each party (DO, LU, DM, DA, DU, DP) under single-party access and collusion, highlighting that PPRL does not fully hide these leaks and that DM can see for non-matched records in some protocols. It offers a structured set of recommendations—use PPRL where feasible, rename data artifacts to reduce context leakage, enforce encryption and access controls, apply the Five Safes framework, and emphasize training and monitoring. The conclusion notes that none of the examined protocols fully prevent information leakage, motivating future work on designing leakage-resistant linkages with maintained utility.

Abstract

The process of linking databases that contain sensitive information about individuals across organisations is an increasingly common requirement in the health and social science research domains, as well as with governments and businesses. To protect personal data, protocols have been developed to limit the leakage of sensitive information. Furthermore, privacy-preserving record linkage (PPRL) techniques have been proposed to conduct linkage on encoded data. While PPRL techniques are now being employed in real-world applications, the focus of PPRL research has been on the technical aspects of linking sensitive data (such as encoding methods and cryptanalysis attacks), but not on organisational challenges when employing such techniques in practice. We analyse what sensitive information can possibly leak, either unintentionally or intentionally, in traditional data linkage as well as PPRL protocols, and what a party that participates in such a protocol can learn from the data it obtains legitimately within the protocol. We also show that PPRL protocols can still result in the unintentional leakage of sensitive information. We provide recommendations to help data custodians and other parties involved in a data linkage project to identify and prevent vulnerabilities and make their project more secure.
Paper Structure (15 sections, 4 figures, 2 tables)

This paper contains 15 sections, 4 figures, 2 tables.

Figures (4)

  • Figure 1: Two small example databases containing record identifiers (the ID and RID attributes, respectively), quasi-identifiers (QIDs), and sensitive payload data (PD). The QIDs are used to link records across the two databases into a scientific use file (SUF), where each matched record pair is assigned a unique match identifier (MID). Only PD attributes are included in the SUF, where the attribute 'Age' is generated from the date of birth (DoB) attribute in the health database (assuming the year 2025).
  • Figure 2: The overall data flow in a linkage protocol, where different types of parties are involved, as we describe in Section \ref{['sec:parties']}. The linkage setting and different ways of how parties within this setting communicate in a protocol is the topic of Section \ref{['sec:protocols']}.
  • Figure 3: A TDL protocol that involves three main parties, as based on the separation principle formalised by Kelman et al. Kelman2002anzjph (left). The corresponding PPRL protocol is shown on the right, where we denote with 'eID' and 'eQID' the encoded (or encrypted) versions of the record identifiers and QIDs, respectively. The four main communication steps are shown as (1) to (4).
  • Figure 4: Two versions of a three-party linkage protocol where no data flows back to the DOs (unlike the protocols shown in Figure \ref{['fig:protocols-v1']}). The left side shows the TDL and the right side the PPRL version of this protocol. Compared to the separation principle based protocols shown in Figure \ref{['fig:protocols-v1']}, both versions of this protocol require the set of matched record pairs to contain record identifiers. We denote this set with 'Mid'. The four main communication steps are again shown as (1) to (4).