Hi everyone,
Today's emails have got me thinking... and I hope my prognosis is not true.
Some people may be about to give me library records that are purportedly
anonymised in different ways. The most worrying case is captured by the
following example:
jon borrowed from library L war&peace 25 may
jon borrowed from librarly L das capital 1 jun 08
jon borrowed from library L penthouse 1 july 08
(I guess that this is not a run of the mill library :-) but the example
works to demonstrate a point)
Quite possibly Jon may neither want to be identified as a borrower of das
capital, nor of penthouse. Whatever jon's predelicitons, I'm presuming that
the anonimised data should not give rise to anyone being able to ascertain
jon's reading habits
When they are given to me the library use records are anoymised thus
- replace jon's name with a large random number X (for the technically
minded this random number is a GUID, see eg wikipedia for details)
- replace the date with a sequence number starting from 1 in a given year
Thus I might be given
X borrowed war&peace 1st in 08
X borrowed das capital 2nd in 08
X borrowed penthouse 3rd in 08
Also
- any work that is borrowed only once in a year has been removed from
this list,
- anyone who borrows only one work in a year has been removed from the
list.
Let's assume that each of these library holdings have been borrowed many
many times in 08, and my current assumption is that I can therefore NOT
identify Jon from the data if I saw him come out the library with a copy of
war&peace.
I don't really know what the situation is if I saw Jon come out the library
with war&peace one day and then some time later with das capital. For many
borrowings ov these two works over the year, I assme that the data does not
contravene the DPA.
But for a unique sequnce of borrowings, it seems that the prognosis is not
good,: If there is no other person who borrowed war&peace and then, later,
das capital in 08 I can deduce that Jon also borrowed penthouse if I observe
him first with L's war&peace , and then with L's das capital.
So, if this data is about to be delivered to me, then
1) is the DPA possibly to be contravened (I am not registered as a
processor for library L)?
2) is there any transformation or partial eradication of the data that
makes it 'DPA-safe' while preserving both a random number identified user,
and the sequence of loans.
If there is a problem, then I guess the argument that I have never seen any
people walking around with library L's books does not hold, I could have
found out jon's first two loans by any means
(eg, to pick up on messages passim, jon, somewhat paranoid about privacy,
shielded his face with the first two works when he twice saw a google
street view car on the street. I subsequently chanced on the images in
google street view, and knowing jon, recognised him both by his unique
sartorial style, and by the fact that, not knowing much about google street
view, he neglected to cover the side of his face as the car passed, taking
360 degree pictures in the horizontal plane).
What if I never look at the raw data and just use it in rather obscure ways
(ie bury it in a database that is only used for library catalogue search
personalisation purposes, by a search engine that could never reveal what X
borrowed and in what order -- still a problem, I'm presuming, I or anyone
else with access to the raw database, could find out jon's data.
Its a minefield out there...
regards
mark
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
