Jump to ContentJump to Main Navigation
Show Summary Details
In This Section

Journal of Official Statistics

The Journal of Statistics Sweden

4 Issues per year

IMPACT FACTOR 2016: 0.411
5-year IMPACT FACTOR: 0.776

CiteScore 2016: 0.63

SCImago Journal Rank (SJR) 2015: 0.410
Source Normalized Impact per Paper (SNIP) 2015: 0.810

Open Access
See all formats and pricing
In This Section

Disclosure-Protected Inference with Linked Microdata Using a Remote Analysis Server

James O. Chipperfield
  • Senior Research Fellow, National Institute for Applied Statistics Research Australia, University of Wollongong, and Assistant Director, Methodology Division, Australian Bureau of Statistics, Canberra, ACT, 2617, Australia
  • Email:
Published Online: 2014-02-14 | DOI: https://doi.org/10.2478/jos-2014-0007


Large amounts of microdata are collected by data custodians in the form of censuses and administrative records. Often, data custodians will collect different information on the same individual. Many important questions can be answered by linking microdata collected by different data custodians. For this reason, there is very strong demand from analysts, within government, business, and universities, for linked microdata. However, many data custodians are legally obliged to ensure the risk of disclosing information about a person or organisation is acceptably low. Different authors have considered the problem of how to facilitate reliable statistical inference from analysis of linked microdata while ensuring that the risk of disclosure is acceptably low. This article considers the problem from the perspective of an Integrating Authority that, by definition, is trusted to link the microdata and to facilitate analysts’ access to the linked microdata via a remote server, which allows analysts to fit models and view the statistical output without being able to observe the underlying linked microdata. One disclosure risk that must be managed by an Integrating Authority is that one data custodian may use the microdata it supplied to the Integrating Authority and statistical output released from the remote server to disclose information about a person or organisation that was supplied by the other data custodian. This article considers analysis of only binary variables. The utility and disclosure risk of the proposed method are investigated both in a simulation and using a real example. This article shows that some popular protections against disclosure (dropping records, rounding regression coefficients or imposing restrictions on model selection) can be ineffective in the above setting.

Keywords: Confidentiality; remote analysis; record linkage; statistical disclosure control


  • Bleninger, P., Drechsler, J., and Ronning, G. (2010). Remote Data Access and the Risk of Disclosure from Linear Regression: An Empirical Study. Privacy in statistical databases, J. Domingo-Ferrer and E. Magkos (eds). New York: Springer.

  • Chambers, R.L. and Skinner, C.J. (2003). Analysis of Survey Data. Hoboken, NJ: John Wiley and Sons.

  • Churches, T. and Christen, P. (2004). Some methods for blindfolded record linkage. BMC Medical Informatics and Decision Making, 4, Available at: http://www. pubmedcentral.nih.gov/tocrender.fcgi?iid¼10563 (accessed June 2012).

  • Cox, L.H., Karr, A.F., and Kinney, S.K. (2011). Risk-Utility Paradigms for Statistical Disclosure Limitation: How to Think but not How to Act. International Statistical Review, 79, 160-183. DOI : http://dx.doi.org/10.1111/j.1751-5823.2011.00140.x Dwork, C. and Smith, A. (2009). Differential Privacy for Statistics: What We Know and What We Want to Learn. Journal of Privacy and Confidentiality, 1, 135-154. [Web of Science] [Crossref]

  • Gomatam, S., Karr, A., Reiter, J., and Sanil, A. (2005). Data Dissemination and Disclosure Limitation in a World Without Microdata: A Risk-Utility Framework for Remote Access Systems. Statistical Science, 20, 163-177. DOI : http://dx.doi.org/10.1214/088342305000000043 [Crossref]

  • Herzog, T.N., Scheuren, F.L., and Winkler, W.E. (2007). Data Quality and Record Linkage. Berlin: Springer.

  • Hosmer, D.W. and Lemeshow, S. (2000). Applied Logistic Regression. Hoboken, NJ: John Wiley and Sons Inc.

  • Karr, A.F., Lin, X., Sanil, A.P., and Reiter, J.P. (2009). Privacy Preserving Analysis of Vertically Partitioned Data Using Secure Matrix Products. Journal of Official Statistics, 25, 125-138.

  • Kohnen, C. and Reiter, J.P. (2009). Multiple Imputation for Combining Confidential Data Owned by Two Agencies. Journal of the Royal Statistical Society Series A, 172, 511-528. DOI : http://dx.doi.org/10.1111/j.1467-985x.2008.00574.x [Crossref] [Web of Science]

  • Lucero, J. and Zayatz, L. (2010). The Microdata Analysis System at the U.S. Census Bureau. Privacy in Statistical Databases, J. Domingo-Ferrer and E. Magkos (eds). New York: Springer.

  • McCullagh, P. and Nelder, J. (1989). Generalized Linear Models (2nd ed.). London: Chapman and Hall.

  • O’Keefe, C. and Chipperfield, J.O. (2013). A Summary of Attack Methods and Confidentiality Protection Measures for Fully Automated Remote Analysis Systems. International Statistical Review. DOI : http://dx.doi.org/10.1111/insr.12021 [Crossref] [Web of Science]

  • O’Keefe, C. and Good, N. (2009). Regression Output from a Remote Analysis System. Data & Knowledge Engineering, 68, 1175-1186. DOI : http://dx.doi.org/10.1016/j.datak.2009.06.009 [Crossref]

  • O’Keefe, C., Sparks, R., McAullay, D., and Loong, B. (2012). Confidentialising the Output of a Survival Analysis in a Remote Analysis System (to appear). Journal of Privacy and Confidentiality, 4, 127-154.

  • Reiter, J. (2002). Satisfying Disclosure Restrictions with Synthetic Data Sets. Journal of Official Statistics, 18, 511-530.

  • Shao, J. and Tu, D. (1995). The Jackknife and Bootstrap. Hoboken, NJ: John Wiley and Sons.

  • Shlomo, N. (2007). Statistical Disclosure Control Methods for Census Frequency Tables. International Statistical Review, 75, 199-217. DOI : http://dx.doi.org/10.1111/j.1751-5823.2007.00010.x [Web of Science] [Crossref]

  • Skinner, C. and Shlomo, N. (2008). Assessing Identification Risk in Survey Microdata Using Log-Linear Models. Journal of American Statistical Association, 103, 989-1001. DOI : http://dx.doi.org/10.1198/016214507000001328 [Crossref]

  • Sparks, R., Carter, C., Donnelly, J., O’Keefe, C., Duncan, J., and Keighley, T. (2008). Remote Access Methods for Exploratory Data Analysis and Statistical Modelling: Privacy-Preserving Analyticse. Computer Methods and Programs in Biomedicine, 91, 208-222. [Web of Science]

About the article

Published Online: 2014-02-14

Published in Print: 2014-03-01

Citation Information: Journal of Official Statistics, ISSN (Online) 2001-7367, DOI: https://doi.org/10.2478/jos-2014-0007. Export Citation

This content is open access.

Citing Articles

Here you can find all Crossref-listed publications in which this article is cited. If you would like to receive automatic email messages as soon as this article is cited in other publications, simply activate the “Citation Alert” on the top of this page.

James Chipperfield, Daniel Gow, and Bronwyn Loong
Statistical Journal of the IAOS, 2016, Volume 32, Number 1, Page 53

Comments (0)

Please log in or register to comment.
Log in