Skip to main page content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Access keys NCBI Homepage MyNCBI Homepage Main Content Main Navigation
. 2010 Oct 1;25(6):443-452.
doi: 10.1080/10106049.2010.496496.

Geomasking sensitive health data and privacy protection: an evaluation using an E911 database

William B Allshouse  1 Molly K FitchKristen H HamptonDionne C GesinkIrene A DohertyPeter A LeoneMarc L SerreWilliam C Miller
Affiliations

Geomasking sensitive health data and privacy protection: an evaluation using an E911 database

William B Allshouse et al. Geocarto Int. .

Abstract

Geomasking is used to provide privacy protection for individual address information while maintaining spatial resolution for mapping purposes. Donut geomasking and other random perturbation geomasking algorithms rely on the assumption of a homogeneously distributed population to calculate displacement distances, leading to possible under-protection of individuals when this condition is not met. Using household data from 2007, we evaluated the performance of donut geomasking in Orange County, North Carolina. We calculated the estimated k-anonymity for every household based on the assumption of uniform household distribution. We then determined the actual k-anonymity by revealing household locations contained in the county E911 database. Census block groups in mixed-use areas with high population distribution heterogeneity were the most likely to have privacy protection below selected criteria. For heterogeneous populations, we suggest tripling the minimum displacement area in the donut to protect privacy with a less than 1% error rate.

PubMed Disclaimer

Figures

Figure 1
Figure 1
The locations of all households in Orange County, NC according to the 2007 E911 database.
Figure 2
Figure 2
Each household is geomasked by a random direction and distance, where the distance Di must fall within the donut created by radii Rai and Rbi The geomasked household must also reside in its original census block group so that neighborhood demographic and socio-economic factors for the masked location are the same as the original location.
See this image and copyright information in PMC

References

    1. Armstrong MP, Rushton G, Zimmerman DL. Geographically masking health data to preserve confidentiality. Statist Med. 1999;18:497–525. - PubMed
    1. Armstrong MP, Ruggles AJ. Geographic information technologies and personal privacy. Cartographica. 2005;40(4):63–73.
    1. Boulos MNK, Cai Q, Padget JA, Rushton G. Using software agents to preserve individual health data confidentiality in micro-scale geographical analyses. Journal of Biomedical Informatics. 2006;39:160–170. - PubMed
    1. Brownstein JS, Cassa CA, Mandl KD. No place to hide-reverse identification of patients from published maps. N Engl J Med. 2006;355(16):1741–1742. - PubMed
    1. Cassa CA, Grannis SJ, Overhage JM, Mandl KD. A context-sensitive approach to anonymizing spatial surveillance data: impact on outbreak detection. Journal of the American Medical Informatics Association. 2006;13(2):160–165. - PMC - PubMed

LinkOut - more resources