Confidentiality-Preserving Modes of Access To Files and To Interfile Exchange for Useful Statistical Analysis

Abstract

In releasing individual data for statistical analysis by outsiders, deletion of direct personal identifiers is sometimes insufficient to preserve confidentiality. Restrictions on the release of data that is publicly listed elsewhere or error innoculation of these variables may be required. Microaggregated release is safe, but statistically costly. In-file capacity to run outsiders' analyses, with randomized rounding of frequency tallies, is best. Interfile linkage of confidential data in statistical analyses is of great potential value for program evaluation and can be achieved without the release of individually identified data from either file by the "mutually insulated file linkage"procedure described. Link file brokerage is unacceptable on confidentiality grounds, and microaggregation and synthetic linking by matching are unacceptable on statistical grounds. For both types of use, it would be beneficial for governmental program evaluation to fund internal statistical analysis capability in important administrative archives, including those in the private sector such as health and automobile insurance.