"After September 11, 2001, many Americans believe they must choose between safety and privacy," says Sweeney, the founder and director of Carnegie Mellon's Laboratory for International Data Privacy and a professor of computer science, technology and policy. "Our commercially available technologies allow medical data to be shared for bio-terrorism surveillance while providing provable assurances of privacy protection. As a result, the American public can enjoy both safety and privacy."
Sweeney's presentation will focus on "Privacert De-identification," easy-to-use automated software that de-identifies a specific dataset in accordance with the scientific de-identification provisions of the federal Health Information Portability and Accountability Act (HIPAA). The resulting data can be shared freely and remain useful for bio-terrorism surveillance.
"Dr. Latanya Sweeney and the Data Privacy Lab are an invaluable resource for state and local governments struggling to keep up with the requirements of the HIPAA as well as the Family Educational Rights and Privacy Act (FERPA) and criminal history records laws," says W. Michael Tupman, deputy attorney general of the Delaware Department of Justice. "Rest assured that your data-sharing practices are consistent with federal and state law, protect individual privacy rights and reduce your litigation risk exposure."
Because of the information explosion, health information is widely available. For example, pharmacy chains maintain electronic records for billions of outpatient prescriptions. Insurance claims typically include diagnosis and medication codes along with the name, address, birth date and social security number of each patient.
Under the current ad hoc model of sharing data, widespread potential abuses are possible. For example, medical records for legislators, judges or law enforcement officials could be reproduced and sensitive information used by terrorists, criminals and others to attempt to influence decisions or compromise positions. Using publicly available hospital discharge data, credit card companies and banks could match individuals having terminal illness with those having credit cards or loans and proceed to adjust individual creditworthiness. Computer programs can prevent such abuses by rendering data sufficiently anonymous.
Provable standards of privacy protection are essential, says Sweeney, because ad hoc techniques that attempt to de-identify data often leave it vulnerable to re-identification or so distorted that it is of limited or no use.
Sweeney will also discuss "Selective Revelation," a computational approach to providing data to a surveillance system with a sliding scale of identifiability, where the level of anonymity matches the scientific need based on suspicious occurrences appearing in the data. "In American jurisprudence, human judges make decisions as to whether information will be shared with law-enforcement," she says. "We envision surveillance systems as normally working with sufficiently de-identified data, like that provided by 'Privacert De-identification.'"
"When sufficient scientific evidence merits more identifiable information, the system provides more identifiable data as warranted. Different levels of anonymity are supported and more identifying information is revealed based on evidentiary and scientific standards. This can be thought of as a computational model of the "probable cause predicate" performed in American jurisprudence. Together, Privacert De-identification and Selective Revelation provide technical solutions that weave into the fabric of American policy to provide an effective guard on privacy while enabling surveillance.
"Computer technology got us into this mess by enabling widespread data sharing," says Sweeney. "But it is also important to know that computer technology can now get us out."
For more information about Sweeney and Carnegie Mellon's Laboratory for International Data Privacy, visit http://privacy.cs.cmu.edu/.