I'm not really clear on the use of a guid here. I'm assuming that can be reverse engineered in some way? You would be better using a one-way hash function, I generally use MD5 for this type of thing. You should salt it so it's not susceptible to rainbow table lookups. Even truncated it still has a fairly small likelihood of collision. That would give you the required functionality for anonymity.
Regarding reverse engineering the names from the historical data, surely this is all in the past? Unless you had access to CCTV which clearly corroborated the borrowing habits you simply couldn't see who had which books, it's in the past and I'm guessing all the books are returned or now with new borrowers? And the date obfuscation probably does enough here anyway. Sure it is possible, particularly when the numbers are low - but really, I can't see it actually happening. That isn't a legal stance btw.
Generally the most effective way of making it entirely DPA safe is to not treat it as discrete transactions. Saying that a particular book was borrowed 5 times in any given month for example is fairly safe. But listing those 5 then leads you on to the problems above.
And re the raw data - yes prohibiting access to raw data is a good idea. There's no issue with you seeing it if you're a data controller. Otherwise no one would be able to process anything!
Ian
-----Original Message-----
From: This list is for those interested in Data Protection issues on behalf of Mark van Harmelen
Sent: Wed 27/05/2009 20:31
To: [log in to unmask]
Subject: [data-protection] a problem that worries me
Hi everyone,
Today's emails have got me thinking... and I hope my prognosis is not true.
Some people may be about to give me library records that are purportedly
anonymised in different ways. The most worrying case is captured by the
following example:
jon borrowed from library L war&peace 25 may
jon borrowed from librarly L das capital 1 jun 08
jon borrowed from library L penthouse 1 july 08
(I guess that this is not a run of the mill library :-) but the example
works to demonstrate a point)
Quite possibly Jon may neither want to be identified as a borrower of das
capital, nor of penthouse. Whatever jon's predelicitons, I'm presuming that
the anonimised data should not give rise to anyone being able to ascertain
jon's reading habits
When they are given to me the library use records are anoymised thus
- replace jon's name with a large random number X (for the technically
minded this random number is a GUID, see eg wikipedia for details)
- replace the date with a sequence number starting from 1 in a given year
Thus I might be given
X borrowed war&peace 1st in 08
X borrowed das capital 2nd in 08
X borrowed penthouse 3rd in 08
Also
- any work that is borrowed only once in a year has been removed from
this list,
- anyone who borrows only one work in a year has been removed from the
list.
Let's assume that each of these library holdings have been borrowed many
many times in 08, and my current assumption is that I can therefore NOT
identify Jon from the data if I saw him come out the library with a copy of
war&peace.
I don't really know what the situation is if I saw Jon come out the library
with war&peace one day and then some time later with das capital. For many
borrowings ov these two works over the year, I assme that the data does not
contravene the DPA.
But for a unique sequnce of borrowings, it seems that the prognosis is not
good,: If there is no other person who borrowed war&peace and then, later,
das capital in 08 I can deduce that Jon also borrowed penthouse if I observe
him first with L's war&peace , and then with L's das capital.
So, if this data is about to be delivered to me, then
1) is the DPA possibly to be contravened (I am not registered as a
processor for library L)?
2) is there any transformation or partial eradication of the data that
makes it 'DPA-safe' while preserving both a random number identified user,
and the sequence of loans.
If there is a problem, then I guess the argument that I have never seen any
people walking around with library L's books does not hold, I could have
found out jon's first two loans by any means
(eg, to pick up on messages passim, jon, somewhat paranoid about privacy,
shielded his face with the first two works when he twice saw a google
street view car on the street. I subsequently chanced on the images in
google street view, and knowing jon, recognised him both by his unique
sartorial style, and by the fact that, not knowing much about google street
view, he neglected to cover the side of his face as the car passed, taking
360 degree pictures in the horizontal plane).
What if I never look at the raw data and just use it in rather obscure ways
(ie bury it in a database that is only used for library catalogue search
personalisation purposes, by a search engine that could never reveal what X
borrowed and in what order -- still a problem, I'm presuming, I or anyone
else with access to the raw database, could find out jon's data.
Its a minefield out there...
regards
mark
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--------------------------------------------------------------------------------------------
Please consider the environment before printing this email
--------------------------------------------------------------------------------------------
This email and any attachments are confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Liverpool Community College or associated companies. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
The message content of in-coming emails is automatically scanned to identify Spam and viruses otherwise Liverpool Community College does not actively monitor content. However, sometimes it will be necessary for Liverpool Community College to access business communications during staff absence.
Liverpool Community College has taken steps to ensure that this email and any attachments are virus free. However, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Liverpool Community College for any loss or damage arising in any way from its use.
--------------------------------------------------------------------------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
