Consider the ethical implications of your data when formulating your data management plan. The contents of your data may obligate you to store and share your data with special care. Consult the table below to determine the risk-level of your data and best practices for protection, storage, access, and transfer. As a best practice, if in doubt, assume that your data is sensitive and poses a high risk. The table below is adapted with permission from Chandra Kavanagh, Ethics Officer for the NL Health Research Ethics Authority (HREA).

If your research data contains personal or otherwise sensitive information, it will have to be anonymized before you upload it to an open repository and share it.

The following guidelines, from the Inter-university Consortium for Political and Social Research at the University of Michigan, provide an overview of a number of considerations to take when anonymizing your data. These guidelines provide a general overview only; it is the responsibility of the researcher to ensure that their anonymization procedures are sufficient for their particular datasets.

Why anonymize research data?

“Once data are released to the public, it is impossible to monitor use to ensure that other researchers respect respondent confidentiality. Thus, it is common practice in preparing public-use datasets to alter the files so that information that could imperil the confidentiality of research subjects is removed or masked before the dataset is made public. At the same time, care must be used to make certain that the alterations do not unnecessarily reduce the researcher’s ability to reproduce or extend the original study findings.”

What kinds of data can identify individuals?

 “Direct identifiers: These are variables that point explicitly to particular individuals or units. They may have been collected in the process of survey administration and are usually easily recognized. For instance, in the United States, Social Security numbers uniquely identify individuals who are registered with the Social Security Administration. Any variable that functions as an explicit name can be a direct identifier -- for example, a license number, phone number, or mailing address. Data depositors should carefully consider the analytic role that such variables fulfill and should remove any identifiers not necessary for analysis.

“Indirect identifiers: Data depositors should also carefully consider a second class of problematic variables -- indirect identifiers. Such variables make unique cases visible. For instance, a United States ZIP code field may not be troublesome on its own, but when combined with other attributes like race and annual income, a ZIP code may identify unique individuals (e.g., extremely wealthy or poor) within that ZIP code, which means that answers the respondent thought would be private are no longer private. Some examples of possible indirect identifiers are detailed geography (e.g., state, county, or census tract of residence), organizations to which the respondent belongs, educational institutions from which the respondent graduated (and year of graduation), exact occupations held, places where the respondent grew up, exact dates of events, detailed income, and offices or posts held by the respondent. Indirect identifiers often are items that are useful for statistical analysis. The data depositor must carefully assess their analytic importance. Do analysts need the ZIP code, for example, or will data aggregated to the county or state levels suffice?

“Geographic identifiers: Some projects collect data containing direct geographic identifiers such as coordinates that can be used with a mapping application. These data can be classified and displayed with geographic information system (GIS) software. Direct geographic identifiers are actual addresses (e.g., of an incident, a business, a public agency, etc.). As described above, the role of these variables should be considered and only included if necessary for analysis. Indirect geographic identifiers include location information such as state, county, census tract, census block, telephone area codes, and place where the respondent grew up.”

What can I do to anonymize my data?

“If, in the judgment of the principal investigator, a variable might act as an indirect identifier (and thus could be used to compromise the confidentiality of a research subject), the investigator should treat that variable in a special manner when preparing a public-use dataset. Commonly used types of treatment are as follows:

• Removal -- eliminating the variable from the dataset entirely.
• Top-coding -- restricting the upper range of a variable.
• Collapsing and/or combining variables -- combining values of a single variable or merging data recorded in two or more variables into a new summary variable.
• Sampling -- rather than providing all of the original data, releasing a random sample of sufficient size to yield reasonable inferences.
• Swapping -- matching unique cases on the indirect identifier, then exchanging the values of key variables between the cases. This retains the analytic utility and covariate structure of the dataset while protecting subject confidentiality. Swapping is a service that archives may offer to limit disclosure risk. (For more in-depth discussion of this technique, see O’Rourke, 2003 and 2006.)
• Disturbing -- adding random variation or stochastic error to the variable. This retains the statistical properties between the variable and its covariates, while preventing someone from using the variable as a means for linking records.”

Example

“An example from a national survey of physicians (containing many details of each doctor’s practice patterns, background, and personal characteristics) illustrates some of these categories of treatment of variables to protect confidentiality. Variables identifying the school from which the physician’s medical degree was obtained and the year graduated should probably be removed entirely, due to the ubiquity of publicly available rosters of college and university graduates. The state of residence of the physician could be bracketed into a new 'Region' variable (substituting more general geographic categories such as 'East,' 'South,' 'Midwest,' and 'West'). The upper end of the range of the 'Physician’s Income' variable could be top-coded (e.g., '$150,000 or More') to avoid identifying the most highly paid individuals. Finally, a series of variables documenting the responding physician’s certification in several medical specialties could be collapsed into a summary indicator (with new categories such as 'Surgery,' 'Pediatrics,' 'Internal Medicine,' and 'Two or More Specialties').”

Reproduced from:

Inter-university Consortium for Political and Social Research (ICPSR). (2012). Guide to Social Science Data Preparation and Archiving: Best Practice Throughout the Data Life Cycle (5th ed.). Ann Arbor, MI. ISBN 978-0-89138-800-5. https://doi.org/10.3886/GuideToSocialScienceDataPreparationAndArchiving