A Novel Geographic Partitioning System for Anonymizing Health Care Data
Abstract
With large volumes of detailed health care data being collected, there is a high demand for the release of this data for research purposes. Hospitals and organizations are faced with conflicting interests of releasing this data and protecting the confidentiality of the individuals to whom the data pertains. Similarly, there is a conflict in the need to release precise geographic information for certain research applications and the requirement to censor or generalize the same information for the sake of confidentiality. Ultimately the challenge is to anonymize data in order to comply with government privacy policies while reducing the loss in geographic information as much as possible. In this paper, we present a novel geographicbased system for the anonymization of health care data. This system is broken up into major components for which different approaches may be supplied. We compare such approaches in order to make recommendations on which of them to select to best match user requirements.
keywords:
Data Anonymization, Geographic Partitioning, Health CareMsc:
[2010] 0001, 99001 Introduction
Relevant and detailed data sets are critical for effective health care research. As such, they are in high demand, however, since this data is of a sensitive nature, the privacy of patients and respondents must be protected when data is released 2 (); 4 (); 3 (); 5 (); 7 (); 1 (); 6 (). Government policies place restrictions on how health care data can be released in order to ensure that confidentiality will not be compromised. Thus, in order for a data set to be released it must undergo a process of anonymization that renders it into a state in which the risk of disclosure of confidential information is sufficiently low.
Although any directly identifying information can be trivially stripped from a data set, there is still a susceptibility to reidentification through means such as crossreferencing 3 (). There will always be a tradeoff between the level of protection that can be achieved on a data set and the resultant utility of the data 26 (); 12 (); 25 (); 13 (). Although it is desirable to minimize the loss of any type of information in the data set, in some cases the preservation of geographic information may be of particular interest. Studies which involve the propagation of diseases across geographic areas require a high level of precision in the geographic information of the data set 68 (). Any form of locationcritical research such as spatial epidemiology requires high precision geographic information in order to be carried out 9 (); 8 (); 10 (). However, the release of these precise geographic details greatly increases the risk of disclosure of confidential information due to higher levels of distinctness in the records of the data set. This risk creates a barrier in the disclosure of essential geographic information.
In this paper, we present a novel and configurable system to achieve kanonymity 13 (); 11 () on a data set through the use of geographic partitioning guided by the use of Voronoi diagrams 99 (). This system, named VoronoiBased Aggregation System (VBAS), achieves anonymity in a data set through the generalization (coarsening of the level of precision) of geographic attributes and the suppression of records. By aggregating regions, we avoid the need for the suppression of small regions, which can lead to heavily censored data sets 34 (); 27 (), while maintaining a higher degree of geographic precision than other methods (such as cropping 41 (); 48 ()).
Since any loss in geographic information has negative effects on the ability to effectively analyze a data set, we postulate it is desirable to preserve as much geographic information as possible 47 (). VBAS addresses this problem by aggregating small regions of fine granularity into larger regions that satisfy criteria for achieving a sufficient level of anonymity while reducing the loss of geographic information. In order to evaluate the quality of the resultant aggregation, we employ measures of suppression and compactness as well as information loss metrics.
The configurability of the system refers to the ability to select the desired data set attributes on which to achieve anonymity as well as the ability to choose from different approaches for each component of the system. VBAS is designed in a modular fashion to allow for easy substitution and comparison of different component approaches (that is, different configurations of actual modules for the components of VBAS). This is intended not as a benefit for endusers who are more likely to want a single option to use but rather for domain experts in order to provide a framework that gives the ability to easily compare the merits of the various approaches and their combinations. This configurability allows for additional component approaches to be easily incorporated for further testing while providing the ability to analyze their effectiveness.
Although other systems for the anonymization of data already exist, few of these are geographicbased systems and fewer yet have been implemented. We have developed an implementation of our system which we use for testing. We present and compare a selection of the component approaches that have been implemented for VBAS. Through a comparison of the results produced by the different approaches, we make recommendations to users about which approaches look more promising or appropriate for use based on the requirements of the user.
2 Literature Review
In this section, we first discuss anonymity with health care data sets, then describe geographic partitioning approaches to achieve anonymity, finally we introduce data utility metrics.
2.1 Anonymity with Health Care Data Sets
In order to protect the confidentiality of the patients and respondents in health care data sets, the data must be deidentified before it can be considered safe for release. This process of deidentification is intended to protect against the risk of the data being reidentified and revealing sensitive information about specific individuals 4 (); 3 (); 5 (); 7 (); 1 (); 6 (). Deidentification is typically achieved by removing all directly identifying attributes such as names and identification numbers from the data set and then modifying the quasiidentifiers. Quasiidentifiers are demographictype attributes that can potentially be used through means such as crossreferencing to reassociate directly identifying information with the records of a data set 5 (). The quasiidentifiers must be modified such that they still retain utility for a researcher yet are no longer useful for any attempts of reidentification 4 (); 5 (); 7 (); 6 ().
Methods of deidentification are designed to reduce the risk of reidentification; however, there are no standardized measures for assessing this risk. As such, different strategies exist to evaluate the risk of reidentification. An important factor to consider is the distinctness of the records in a data set. Distinctness refers to the distinction between records in terms of the values they have across their quasiidentifier attributes. The combination of these values determines an equivalence class in which a record can be categorized. Therefore, two records in the same equivalence class are considered to be indistinguishable from each other and a record that is the sole member of its equivalence class is considered to be unique. An example of equivalence classes can be seen in the sample data set of Figure 1. The equivalence classes are based on the quasiidentifiers due to the fact that these attributes can typically be found in other publicly available data sets such as voter registries. Any party attempting reidentification can easily access other such data sets in order to crossreference the records. As a result, if a record is unique and can be crossreferenced with another data set, confidentiality is compromised as it is then possible to identify the record. 4 (); 3 (); 5 (); 6 ().
In order to protect data sets against the risk of reidentification, methods are generally employed to reduce the distinctness of the records. This can be achieved through the application of generalization and suppression. Generalization is typically applied at a global level to modify the granularity of the response categories of quasiidentifiers 14 (); 12 (); 15 (); 13 (); 11 (). The reduction in the number of response categories reduces the number of equivalence classes into which the records can be categorized, causing the cardinalities of the remaining equivalence classes to raise, thus decreasing the levels of distinctness in the data set. Suppression is typically applied at a local level to remove records from the data set that are part of equivalence classes of low cardinalities 14 (); 12 (); 15 (); 13 (); 11 (). For example, if a particular equivalence class has a single record in it, that record could be suppressed to eliminate the risk of disclosure of confidential information for that record.
Generalization and suppression are commonly applied together to make a particular guarantee about the level of privacy that is achieved on the resultant data set. One such guarantee is kanonymity 14 (); 12 (); 15 (); 13 (); 11 (). Protection is offered through kanonymity by ensuring that equivalence class cardinalities are sufficiently high. In order for a data set to be considered kanonymous, every equivalence class must have a cardinality greater than or equal to k, which is a user selected value. By ensuring that all equivalence classes meet this requirement, it becomes much more difficult for a party to reidentify the data as each record has a small group of other records from which they are indistinguishable.
2.2 Geographic Partitioning to Achieve Anonymity
One strategy that can be applied to anonymize a data set is to focus on the population sizes of the geographic regions into which the data records are grouped. Since the reduction of distinctness is one method that can be used to protect confidentiality, records can be grouped together into larger regions in order to achieve this. When the set of geographic attributes (hereafter referred to as the geographic identifier) of a data set is finegrained, records will be grouped into very small regions, preventing the creation of equivalence classes of high cardinalities since the geographic identifier is part of the quasiidentifiers. The coarsening of this geographic granularity therefore enables the cardinalities to become higher. This is essentially a form of generalization applied only to the geographic identifier.
Research done on this concept has shown that when the population of a region is sufficiently high, the data records within the region will have an acceptable level of anonymity if they are all given the same geographic identifier value 29 (); 28 (); 27 (). This means that the reduction of geographic precision can effectively be used as a means to achieve anonymity. Although there are methods of anonymization that make use of this fact, there remains an important tradeoff to consider as geographic information is lost during this process.
A simple approach to achieve anonymity through geographic generalization is to determine an appropriate cutoff size for a data set to act as an indicator for the population size that must be met in order for a region to have a sufficient level of anonymity. Any regions which do not have a population that exceeds the cutoff size are considered to be atrisk regions and will have all of their records suppressed. An example of this approach can be seen in the United States where The Bureau of Census employs a 100, 000 population size cutoff 27 (). Similarly, Statistics Canada uses a 70,000 population size cutoff for their Canadian Community Health Survey 30 () and the British Census uses a 120,000 population size cutoff 31 (). A downfall of this approach is the need to study each data set in order to determine an appropriate cutoff size. Differences in factors such as the quasiidentifiers of the data sets prevent the use of a single general cutoff size. Another issue is that the suppression of atrisk regions has the potential to produce a highly censored data set due to the removal of complete regions.
Another approach is to reduce the precision of the geographic identifier. Cropping 41 (), for example, involves the removal of the last three characters of postal code regions in order to modify the geographic identifiers such that they refer to much larger areas. Alternatively, a generalization hierarchy can be employed to achieve the same effect. This may, for example, involve generalization from postal code areas to cities, and from cities to provinces. Methods such as these, however, have the potential to cause a far greater reduction in geographic precision than what is actually necessary, resulting in an unnecessary loss of information 97 (); 34 ().
This loss of geographic precision can be addressed by using smaller increments during the reduction of precision, however without a predefined hierarchy of geographic generalization to assist in this, it is necessary to find an alternative approach. The two main problems that arise when attempting to arbitrarily widen the regions referred to by the geographic identifiers are determining how large the new regions should be, and determining borders for these regions. While the concept of the cutoff size can address the first problem, it is not desirable to manually study each data set in order to determine a cutoff size. Instead a method to dynamically compute the cutoff size can be applied 34 (); 35 (). This dynamic cutoff calculation analyzes the quasiidentifiers of an input data set in order to approximate an appropriate cutoff size.
The problem of determining the borders of the new regions can be addressed by simply merging together the original regions in order to produce aggregated regions that can be continuously grown in this way until they reach a sufficient population size. One approach employs this concept by running an iterative process of geographic aggregation 63 (). Adjacent regions are merged together in order to produce a set of aggregated regions that satisfy the cutoff size requirement.
2.3 Data Utility Metrics
When preparing a data set for release, it is important to consider the sideeffects of the anonymization process. The modification of the quasiidentifiers causes a loss in information which affects the usefulness of the resultant data set. Although there is no standardized measurement for the amount of information that is lost, different metrics can be used to measure various aspects of the information loss. Let us mention two:
Discernibility Metric
The discernibility metric was first introduced in 67 () and has been applied in other systems 26 (); 12 () as well. This metric assigns a penalty for each record in the data set that is indistinguishable from other records. Although it is useful in terms of privacy protection to make records indistinguishable from each other, it also hinders the ability to analyze the data. The discernibility of records therefore acts as a measure in the usefulness of the resultant data set.
NonUniform Entropy Metric
A nonuniform entropy metric was introduced in 25 () and has been applied in 12 (). This metric measures information loss based on the probability of correctly guessing the original attribute values of records given their anonymized values. The nonuniform aspect of the metric assigns a higher value of information loss in cases where there is an even distribution of attribute values than in cases where the distribution is nonuniform. This is due to the fact that it is assumed to be easier to make a correct guess in cases of nonuniform distribution.
3 VBAS Components and Approaches
VBAS is designed to anonymize a data set by performing aggregation on an initial regionalization of fine granularity such that the aggregated regions will have sufficient levels of anonymity. In order to do this, two files are taken as input: one which contains information about the initial regionalization and one which contains information about the data set to be anonymized. The initial regionalization must be represented in the plane as a point set in order for the system to perform aggregation. This is done by either using coordinates supplied with the initial regions or by computing centroids of the regions. The initial region points are then grouped together into disjoint sets that indicate the regions to be aggregated together.
The process of grouping the regions is guided by the use of a Voronoi diagram 99 (). Voronoi diagrams have been used in many different fields and applications 98 () as a tool for algorithms and processes. In 2d, using the Euclidean metric, the Voronoi diagram takes a set of points, referred to as sites, as input and divides the plane into convex regions where each region corresponds to one of the input sites. Each region consists of the area of the plane closer to its site than to any of the other sites. The storage space needed for this representation is linear in the number of sites. As there will be a smaller number of sites than the number of initial regions, the Voronoi diagram requires a relatively small amount of storage space.
To group the initial region points, we construct the Voronoi diagram on top of them. All points that fall within the same Voronoi region are grouped together. In order for these groupings to produce a regionalization of desirable qualities, it is essential to carefully select the number of sites for the Voronoi diagram, as well as their locations. The complete process is therefore broken up into four main components:

Approximating an appropriate number of aggregated regions

Selecting locations at which to place Voronoi sites

Constructing the Voronoi diagram and performing aggregation

Rating the aggregation
A screenshot of the application with an aggregation on display can be seen in Figure 2. Each of the system components has a particular task to complete and may be supplied with any approach that is able to complete that task. The system is set up in this way to allow for an ease of configuration through the selection of different component approaches. This serves as a benefit both when selecting appropriate approaches for a scenario in practice as well as for testing different approaches and their combinations.
3.1 Site Number Approximation
The task of the first component is to select an appropriate number of sites to be used for the Voronoi diagram. Since each site will produce a single Voronoi region; the number of sites can be thought of as the number of aggregated regions that will be created. This number must be carefully selected. An approximation that is too high will result in a large number of aggregated regions, leaving the records spread too thin and resulting in levels of anonymity that remain too low. Alternatively, if the approximation is too low, there will be very few aggregated regions and their levels of anonymity will be greater than necessary, resulting in a greater loss of geographic precision than necessary.
3.1.1 Dynamic GAPS Cutoff Approximation
We present here two different approaches for the site number approximation, both of which are derived from different models for an approximation of a dynamic Geographic Area Population Size (GAPS) cutoff 34 () for the input data set. The dynamic GAPS cutoff models are intended to serve as a method to compute the required population cutoff size for any given data set based on its quasiidentifiers. This avoids the need to study each data set individually in order to manually determine the cutoff size.
The dynamic GAPS method has one model to compute the cutoff size based on the entropy of the data set and an alternative model to compute the cutoff size based on a max combinations value calculated from the quasiidentifiers (as explained below). Currently there are only dynamic GAPS cutoff models for Canadian regions 34 () as shown in Table 1.
Region  Entropy Model  MaxCombs Model 

Western Canada  1588  1588 
Central Canada  1436  1436 
Eastern Canada  1978  1978 
The entries in the table show the equations used for each of the GAPS models for the 3 regions of Canada that were studied.
We have adapted the two dynamic GAPS cutoff models into site number approximation approaches by using the cutoff size as an approximation of a desirable average population for the aggregated regions. By dividing the total population of the data set by the cutoff size, we are able to make an approximation of the number of aggregated regions needed to achieve this cutoff as the average population. Since the number of aggregated regions is equal to the number of Voronoi sites, this serves as the approximation for the number of sites to place.
Entropy Model
The entropy model requires the entropy of the input data set to first be computed using the calculation shown in Equation 1 below:
Let:

be the size of the largest equivalence class

be the number of equivalence classes of size k

be the total number of records in the data set
(1) 
Once computed, this value can then be plugged into the entropy model as shown in the following Equation 2 in order to compute the cutoff size.
(2) 
Finally, we use this value to approximate the number of Voronoi sites as shown in Equation 3 below:
(3) 
Max Combinations Model
The approach using the max combinations model is very similar to that of the entropy model; the only difference is seen in the computation of the max combinations value. This value is the total number of equivalence classes in the data set and is calculated by taking the product of the numbers of response categories for each quasiidentifier as shown in Equation 4 below:
Let:

be the set of quasiidentifiers in the data set

be the number of response categories in a quasiidentifier
(4) 
With the max combinations value calculated, we then plug this into the appropriate dynamic cutoff model, just as with the entropy model. This is shown in Equation 5 below:
(5) 
Next, we apply the same final calculation to make our approximation of the number of sites to use as seen in Equation 6 below:
(6) 
3.2 Site Location Selection
Once the number of Voronoi sites has been selected, the next task is to select the locations at which to place them. The selection of these locations also plays a large part in determining the levels of anonymity present in the aggregated regions as well as the amount of information that is lost during aggregation. It is easy to see that a dense cluster of sites placed in a region of very low population density would result in aggregated regions with very low populations that would cause very low levels of anonymity. Additionally, the locations of the sites with respect to each other determine the shape and size of the Voronoi regions. These properties of the regions determine the level of precision in the geographic information that is released.
For this component, we provide two different approaches that can be applied.
3.2.1 Balanced Density
The goal of the balanced density approach is to divide the plane into a set of cells such that the number of cells is equal to the number of sites to be placed and each cell has roughly the same population within it. Each cell will then be assigned a single site to be placed at the median of the initial region points that fall within the cell. Although in this approach we refer to cells, there are no actual boundaries being drawn. The concept of cells is simply used to aid in the visualization of the groupings of initial region points. For ease of organization, the cells are grouped together into rows such that all cells in a row have the same upper and lower boundaries (those of the row) and occupy the entire space covered by the row.
The cells are given roughly the same populations in order to make the distribution of the Voronoi sites similar to the distribution of the population. In order to do this, a number of rows of cells is first approximated by taking the square root of the number of sites to place as shown in Equation 7 below. This makes an initial assumption of an even distribution of the population by assuming that the number of rows and the number of cells per row will be roughly equivalent. Although this is unlikely to actually be the case, it is of little consequence as the number of rows as well as the number of cells per row are adjusted as the approach proceeds; this simply serves as a starting point.
Let:

be the number of rows

be the required number of sites

be a function which rounds x to the nearest integer value
(7) 
The reason that we do not make a more precise calculation for the number of rows and cells per row at first is due to the fact that the initial region points are neither guaranteed to have similar populations nor to have an even distribution. As such, it is difficult to predict the population of an arbitrary cell without explicitly counting the population of the points within its boundaries.
Using the initial number of rows, the ideal population per row is approximated as the total population of the data set divided by the number of rows and rounded to the nearest integer. This calculation is shown in the following Equation 8:
Let:

be the total population

be the ideal population per row
(8) 
We must then determine the division between each row in order to allot a population as close to this approximation as possible to each row. This is done by first sorting all of the initial region points by their ycoordinates and then walking upwards through the points starting from the point with the lowest ycoordinate until a number of points has been passed such that the sum of the population across these points is greater than or equal to the ideal population per row. Recall that each point represents an initial region and thus has a population associated with it. If the sum after the addition of the final point is closest to the approximation then the final point is kept in the row. Otherwise, the sum without the final point was closer so the point is left to be added to the next row. The mathematical representation of this decision is shown in Equation 9 below:
Let:

be the population of a row just before it passes the ideal population

be the population of a row just after it passes the ideal population

be an indicator function for a row r where its value is 1 when the final point should be included in the row and 0 when it should not
(9) 
Each time the points of a row are determined, they are stored in a container. As mentioned, there are no actual boundaries drawn; this is just to aid in the conceptualization of the divisions of points.
Due to the population of a row increasing by intervals that correspond to the population of each point added, it is not possible to guarantee that each row will have the ideal row population. There are two possible scenarios in which the ideal for the number of rows cannot be met. The first scenario occurs when enough rows take on a larger population than intended and there is an insufficient population left to fill up the remaining rows. In the other scenario, the opposite occurs. If enough rows have a smaller population than intended, the final row may end up with a population far greater than it should be. It is for this reason that the number of rows may end up being adjusted.
In the scenario where there is an insufficient population left to fill the remaining rows, the number of rows is simply reduced down to the last row that could be sufficiently filled. Although the number of rows is reduced, this only means that each row will end up with a greater number of cells. Since the only requirements of the approach are that there must be a number of cells equal to the number of sites to place and that the cells should each have roughly the same population, the reduction in the number of rows does nothing which violates the requirements.
In the scenario of having too great a portion of a population left for the final row, it is simply a matter of splitting the final row into multiple rows. The same process of walking along the points until the required row population is met can be applied for an arbitrary number of rows until the remaining population has been used up. Once again, this only means that the rows will have an adjusted number of cells per row as a result.
Once the rows have been created, it is possible to set up the cells. Each row must be addressed individually as there is no guarantee that each row will have the same number of cells. The number of cells in a row is determined by the population that was alloted to the row by calculating the percentage of the population that exists in the row and calculating how many sites correspond to that percentage of the approximated number of sites made in the previous component. Each row will have at least one cell and trivially cannot have more cells than there are sites to be placed. The calculations for the number of cells in a row are shown in Equations 10 and 11.
Let:

be the population of a row

be the decimal percentage (between 0 and 1) of the total population in a row

be the number of cells assigned to a row
(10) 
(11) 
Divisions are made between the cells of a row using the same method as was applied for the division between the rows. The points of the row are sorted by their xcoordinates and then are traversed from left to right, making a division between two cells when the appropriate population per cell has been reached. Each group of points which belong to a cell are stored in a container.
Just as with the rows, the cells are not guaranteed to have exactly the desired population so there may be a need to make some adjustments. In this case, however, it is now necessary to maintain the same number of cells in order to match the final number of cells to the number of sites. In the scenario where the final cell has a population greater than the desired level, it is simply given this larger population. Although this means that one of the cells will have a population that differs form the others, it ensures that the appropriate number of cells is maintained. In the scenario where there is an insufficient population left for the remaining cells, the remaining population is assigned to a single cell. For all other cells that must still be created, the largest cells of the row are split in half to make two cells until the required number of cells has been reached.
By applying this method to each of the rows, a number of cells equal to the number of sites will be created. The populations of the cells will not be exactly the same but they will be fairly similar to each other.
Finally, one site is placed per cell at the median of the points in that cell. Equations 12 and 13 show the computation of the median for a cell.
Let:

be the set of points in a cell

be the xcoordinate of a point

be the ycoordinate of a point

be the xcoordinate of the median

be the ycoordinate of the median
(12) 
(13) 
3.2.2 AnonymityDriven Clustering
The AnonymityDriven Clustering (ADC) approach selects site locations as the resultant locations of cluster centers after running a process of iterative cluster optimization based on the framework of the kmeans algorithm 37 (). In order to adapt this to create clusters that suit our needs, it was necessary to design clustering criteria based on levels of anonymity. As such, the following modifications were made to the algorithm:

An objective function that aims to reduce global anonymity is employed.

The relocation of cluster centers during the optimization step has been redesigned to ensure that the move is beneficial for the new objective function.

The convergence criteria has been modified to accommodate these changes.
The initial region points are provided as the input point set for the algorithm. The Voronoi site locations taken as the output of the algorithm are determined by the locations of the cluster centers at the time of convergence. The clusters, as determined by kmeans membership (where each point belongs to the nearest cluster center) are particularly useful in this context as membership is determined by the Voronoi diagram in the same way. This means that when providing the final cluster centers as sites to the Voronoi diagram algorithm, the points in each cluster are exactly the points that will be grouped together by the Voronoi region that pertains to the site that was the center of the cluster. In other words, each cluster of points accurately represents an aggregated region. This fact allows for the ability to evaluate at any time the quality of the aggregation represented by the current clusters.
It should be noted that the selection of the initial cluster centers has an impact on the quality of the results produced. While the clustering can be run by selecting the initial centers at random, it is recommended to use another site location approach as a seeding method for the initial centers. As such, we consider ADC more as an augmentation to a site location approach than as a standalone approach. Once the cluster centers have been placed, the initial clusters can be computed and will then be evaluated using the objective function.
AnonymityBased Objective Function
In order to evaluate the clusters, we use an objective function which is monotonic with respect to the levels of anonymity in the aggregation represented by the current clusters. Ultimately, we want to evaluate the quality of the aggregation in order to improve it during the clustering process. To do this, we have designed an objective function which considers the level of anonymity of the whole aggregation as well as the levels of anonymity in each cluster.
The main factor to consider is the level of anonymity that applies to the data set as a whole, in other words, the global level of anonymity. Using kanonymity as our measure of protection, this would therefore be the lowest level of anonymity across all aggregated regions. This is used as the dominating factor of the objective function such that an aggregation with a higher global level of anonymity than another aggregation will always have a better objective function rating. In order to also consider local aspects of the aggregation, another term can be included additively in the objective function to evaluate the levels of anonymity of each aggregated region. This term is used to compare aggregations which have the same global level of anonymity. Although there are many ways in which this can potentially be configured, different configurations will influence the decisions made by the algorithm during optimization as well as the number of iterations that will take place until convergence is reached. A configuration which was found to produce acceptable results during testing is shown in Equation 14 below. In this version, the first term accounts for the global anonymity and dominates the function while the second term provides a reward for improving the local anonymity of aggregated regions that are sitting at the lowest level of anonymity.
Let:

be the current global anonymity

be the set of aggregated regions

be the set of aggregated regions with an anonymity of
(14) 
In this objective function, higher values indicate a better aggregation. It is important to note that when the global level of anonymity increases, there is potential for a large change in the value of the second term of the function. The factor applied to the first term is used to offset this in order to ensure monotonicity. The derivation in Equations 1517 below shows that the objective function maintains its monotonicity in this scenario.
(15) 
(16) 
(17) 
Optimization Step
With the objective function set up to evaluate the levels of anonymity in the aggregation, it is necessary to design an optimization step that is capable of improving the levels of anonymity. Following the general framework, cluster centers are adjusted during this step. This means that the centers must be relocated such that the anonymity of the clusters is improved. Since we are using kanonymity to determine the levels of anonymity in each region, a cluster will always have its level of anonymity determined by one or more bottlenecking equivalence classes. If all equivalence classes sitting at the lowest cardinality in a cluster could have their cardinalities increased, the anonymity of the cluster would increase.
The cardinality of an equivalence class in a cluster can be increased by adding more members to that equivalence class. In order to do this, the cluster must take these members from its neighbors. We therefore want to move the cluster center in such a way that this cluster can acquire additional members for equivalence classes in which it is deficient. Thus, to increase the cardinality of a bottlenecking equivalence class in a cluster, we search a neighborhood of the cluster for initial region points that contain members in the bottlenecking equivalence class. We define the neighborhood of a cluster as the union of two polygons. The first polygon is the Voronoi region corresponding to the cluster which is being improved. The second polygon is formed by starting at the site of any Voronoi region adjacent to the Voronoi region of the current cluster and traversing the sites of its adjacent regions in clockwise order until the starting adjacent region is reached once again. An edge of the polygon is drawn from each traversal from one site to the next such that the edge added on the final traversal completes the polygon. We use the Voronoi region of the original cluster in order to ensure that all of its existing members will be included in the neighborhood. The polygon formed by the adjacent regions is used to allow the movement of the center to be influenced by other nearby members while keeping the area of influence restricted enough to prevent very volatile movements. The inclusion of points outside of this neighborhood would create a potential for the center to move well beyond the centers of its adjacent regions, which could cause major changes in other regions that cannot be easily evaluated prior to the move.
Once the points containing members in the bottlenecking equivalence class within the neighborhood have been determined, the cluster center is relocated to a weighted median based on these points. Each point containing members is given a weight equal to the number of members that it contains. This is done to draw the center more strongly towards areas of higher member density. The calculation of the new cluster center location based on the weighted median is shown in Equations 18 and 19 below:
Let:

be the set of weighted points in the neighborhood

be the weight of a point

be the xcoordinate of a point

be the ycoordinate of a point

be the xcoordinate of the weighted median

be the ycoordinate of the weighted median
(18) 
(19) 
Prior to actually committing the change for the new cluster center location, a check is performed to verify that the objective function value will actually increase. This is done in order to provide the guarantee that each step of optimization that is committed will actually improve the objective function value.
Using this process as the optimization step, iterative optimization is run on each cluster sitting at the lowest level of anonymity by trying to make a step of optimization for each bottlenecking equivalence class in that cluster. If the local anonymity of a cluster is improved at any point during this process, then optimization of that cluster ceases as it is no longer necessarily one of the clusters at the lowest level of anonymity. When this occurs, the process begins once again on each cluster at the lowest level of anonymity.
Convergence
The final consideration for the algorithm is its convergence criteria. There are two scenarios in which optimization will cease. The first occurs if all clusters have reached a sufficient level of anonymity (the user specified value of k for kanonymity). The other scenario occurs if iterative optimization has checked every bottlenecking equivalence class of every cluster at the lowest level of anonymity without committing a single change. If this occurs then the clustering was unable to find any further moves of optimization and thus convergence has been reached. This convergence represents a local maximum with respect to the quality of the solution. Although different moves of optimization, such as improvements to nonbottlenecking equivalence classes, may result in an aggregation with lower levels of suppression, they may also prolong the process or may simply be much more difficult to analyze.
3.3 Construction of Geographic Aggregation
For the construction of the aggregation, we currently provide a single approach. It simply consists in taking the site locations, as determined by the previous component, and providing them as the input sites to construct a Voronoi diagram 99 (). With the diagram constructed, each initial region point must be categorized based on the Voronoi region in which it falls. Point location can be run efficiently for these points since the Voronoi diagram is a planar subdivision. The resultant Voronoi groupings of initial region points represent the initial regions that will be aggregated together.
In order to verify the anonymity of the aggregated regions, we must determine their equivalence classes. These equivalence classes are based on the members of the equivalence classes in the initial regions being merged together. In order to ensure kanonymity at this point, any resultant equivalence classes that do not have a cardinality greater than or equal to k will have all of their records suppressed.
3.4 Evaluation of Aggregation
Once the regions have been aggregated, we must be able to measure the quality of the aggregation that has been produced. Although the measurements applied here may be broken up into groups of related measurements in order to form different approaches for this component, we provide a single approach here that contains all of the relevant measurements for the comparisons used in this paper in order to facilitate the testing. These measurements consist of:

Suppression

Compactness

Discernibility

NonUniform Entropy

Running Time
Suppression
The measurement of suppression is simply used to observe the quality of the aggregation based on how many records were suppressed. If a large number of records were suppressed then it likely indicates a poor aggregation as this means that the equivalence classes of the aggregated regions did not have sufficient cardinalities. Thus, lower levels of suppression are preferable.
Compactness
The compactness of the final regions can be used as a measure for the level of geographic precision that has been produced. More compact regions are desirable as this would provide greater geographic detail for researchers. This measurement is taken as the sum of distances between the initial region points and the site of their aggregated region. The calculation is shown in Equation 20 below:
Let:

be the set of initial regions

be the point representation of region r

be the site of the aggregated region to which r belongs
(20) 
Discernibility
We employ the discernibility 26 (); 12 () information loss metric in order to determine how much geographic information has been lost by checking for overburdened equivalence classes. The calculation for this metric is shown in Equation 21 below. Higher values indicate a greater amount of lost information, thus, lower values are preferable.
Let:

be the set of equivalence classes

be an equivalence class from the set E

be the desired level of anonymity
(21) 
NonUniform Entropy
We also employ the nonuniform entropy 12 (); 15 () information loss metric to measure the loss in geographic information based on the probability of correctly guessing the original geographic region of a record given its aggregated region. The calculation of this probability is shown in Equation 22 below:
Let:

be the original value of the attribute

be the generalized value of the attribute

be the number of entries in the data set

be the indicator function

be original attribute value of the i entry

be the generalized attribute value of the i entry
(22) 
We can then use this probability to measure information loss across the records of the data set as shown in Equation 23. As with discernibility, higher values indicate a greater amount of information loss.
Let:

be original geographic identifier of the i entry

be the generalized geographic identifier of the i entry

be the number of entries in the data set
(23) 
Running Time
The final measurement is simply a measure of how long the whole process of aggregation takes from start to finish. This is used to determine how the use of the various approaches will affect the time taken to achieve anonymity.
3.5 Approach Summary
The list below summarizes the component approaches which we have implemented here for testing. It should be noted that these approaches have potential variants however the testing of these variants is outside of the scope of this paper.

Site Number Approximation

Dynamic GAPS Cutoff (MaxCombs)

Dynamic GAPS Cutoff (Entropy)


Site Location Selection

Balanced Density

AnonymityDriven Clustering


Construction of Geographic Aggregation

Voronoi Aggregation


Evaluation of Aggregation

Testing Measurements

4 Testing
In order to test and compare different component approaches, we have generated test data sets using other data sets that are publicly available from Statistics Canada. With these testing sets, we have run various scenarios to observe the effectiveness of the approaches. All tests were run on a machine using 16 GB of RAM and a 4.01 GHz processor.
4.1 Generation of Testing Data
The data sets that we have used to generate the testing data are the public use microdata file from the 2011 National Household Survey 49 () (NHS) and the Canadian dissemination areas data set 50 (), both from Statistics Canada. As required by Statistics Canada’s data use regulations, it is stated that the results or views expressed here are not those of Statistics Canada.
We have used the NHS data set, which contains respondent level information across a wide range of demographic attributes for a 2.7% sample of the Canadian population, to make approximations for the distributions of attribute values across the response categories of a selection of the demographic attributes. Since the NHS data set has geographic precision at the granularity of provinces and territories, the approximations were made for each of the selected attributes in each province and territory.
Since a much finer degree of geographic precision is needed to conduct our tests, we have combined these approximations of the distributions with the dissemination areas data set to create our testing sets. Each dissemination area has a population targeted to be between 400 and 700 50 (). We have therefore randomly generated a population within this range for each dissemination area and have filled it with a corresponding number of records. Each record generated in this way is given a value in each of the selected attributes by selecting from among the response categories of the attribute with a probability of selection in each category corresponding to the approximated distribution that was made for that attribute in the province or territory in which the dissemination area exists. Additionally, each record is given a geographic attribute indicating the dissemination area to which it pertains.
This process of data generation produces a testing set with a population roughly equal to that of Canada and with a geographic precision at the level of dissemination areas. The population does not exactly match that of Canada due to the random generation of the dissemination area populations. In order to produce testing sets for different regions to work with, this set for all of Canada is broken up into three subsets: Western Canada, Central Canada, and Eastern Canada. Since the system requires an input file with information about the initial regionalization, the dissemination areas data set is also broken up into three corresponding subsets.
With these subsets created, any pair of respondent data and the matching dissemination areas subset can be supplied as the input files to VBAS in order to run tests.
4.2 Testing Scenarios
In order to test the component approaches, six different selections of quasiidentifiers on which to achieve anonymity have been made and these selections have been run using the Eastern and Western region testing sets for a total of twelve different test scenarios. We have employed various selections of quasiidentifiers in different regions due to the fact that these variables will influence the measurements which are taken. Thus, with a range of results from different scenarios, we can identify relationships between the different approaches in order to determine which of them consistently perform well in the various measurements taken. In each test scenario, all component approaches were tested. The tests employing ADC used the balanced density approach as a seeding method for the cluster centers. The results of these tests have been recorded in all measurements indicated in the evaluation component.
5 Discussion of Results
5.1 Comparison of Site Number Approximation Approaches
From the recorded results, a clear relationship can be seen between the number of sites used for aggregation and the measurements taken during evaluation. A higher number of sites results in higher levels of suppression, more compact regions, and lower values of information loss. These findings are rather intuitive since the number of sites corresponds to the number of aggregated regions. A greater number of regions implies higher levels of geographic precision that accounts for the lower values of information loss and compactness. Additionally, with a greater number of regions, the records are spread more thinly across them, causing a greater amount of suppression.
When testing the two site number approximation approaches, it was found that the max combinations approach consistently made lower approximations than the entropy approach. Averaged across the measured results, the max combinations approach produced levels of suppression that were 13.2% percent of those produced with the entropy approach. The entropy approach, however, produced compactness measurements at 48.7% of those with max combinations (Figure 3), discernibility at 35.8% of max combinations (Figure 4), and nonuniform entropy at 64.2% (Figure 5). The two approaches thus produce results that differ according to how a larger or smaller number of sites was found to influence the measurements. This means that the selection between these approaches can serve as a means to allow the results to be tuned towards user requirements. If a user should prioritize reduction of suppression over reduction of geographic information loss then the max combinations approach is preferable. For a user that prioritizes the reduction of the geographic information loss, the entropy approach is the preferable choice.
When comparing the running times between the tests using the two approaches, there were no significant differences.
5.2 Comparison of Site Location Selection Approaches
For most of the measurements, the two site location approaches show very similar results. To a certain degree, this is expected as ADC uses the balanced density approach for its cluster center seeding. Since the objective function and optimization step are designed to target improvements in terms of levels of anonymity, the major difference would be expected in the measurements of suppression. The measurements of compactness and information loss are quite comparable between the two approaches. In terms of the measurements of suppression, some scenarios show significant improvements with ADC whereas others show measurements that are quite similar. The improvements obtained through ADC are dependent upon the ability of the algorithm to find steps of optimization. If optimizations cannot be found then the algorithm may reach early convergence and produce a result that does not show any useful improvement.
The inability of ADC to make improvements in some scenarios suggests that modifications to the algorithm may produce better results. These modifications could be made in a number of places such as in the objective function, the optimization step, or the convergence criteria. As previously mentioned however, a balance must be struck between the ability of the algorithm to explore different solutions and the number of iterations taken until convergence is reached.
A very noticeable difference between the two approaches in some scenarios was the running time. In certain cases, ADC took much longer than the balanced density approach. It was observed that this occurred in scenarios with large numbers of records in the input set or large number of equivalence classes across the quasiidentifiers. In addition to raising the number of items which the algorithm must check, these increased values may also contribute towards a greater number of iterations of optimization before convergence is reached. The balanced density approach is much less sensitive to these values and, in fact, contributes very little towards the total running time, which is generally dominated by the time taken to initially load in all data records prior to the actual anonymization process.
Based on these findings, we recommend the balanced density approach as the preferable approach in general; however ADC should be kept in mind for scenarios in which it is appropriate for use. More specifically, when the number of records and number of equivalence classes are sufficiently low, ADC may be a preferable choice as it is capable of further reducing the levels of suppression in the resultant data set.
6 Conclusion
In this paper, we have presented a system of geographicbased anonymization. The use of a Voronoi diagram to guide a process of geographic aggregation serves as a novel approach to the problem of preserving geographic information during the anonymization of health care data. The system that we present, VBAS, is designed in a modular fashion to allow for different approaches to be supplied for each of its components. This provides the ability to easily supply different approaches and test their effectiveness. We have developed a working implementation of the system which we use for testing. We provide different approaches that can be used in the components and run a series of tests using synthetic data sets which we have generated. Based on the results of these tests, we have made recommendations to users about which approaches are appropriate based on the user’s requirements in the anonymization process.
Acknowledgment
The authors gratefully acknowledge financial support from the Natural Sciences and Engineering Research Council of Canada (NSERC) under Grant No. 3719772009 RGPIN.
References
 (1) P. Arzberger, P. Schroeder, A. Beaulieu, et al., Promoting Access to Public Research Data for Scientific, Economic, and Social Development. Data Sci. J., vol. 3, pp. 135152, 2004.
 (2) K. S. Babu, N. Reddy, N. Kumar, et al., Achieving kanonymity Using Improved Greedy Heuristics for Very Large Relational Databases. Transactions on Data Privacy, vol. 6, pp. 117, Apr. 2013.
 (3) R. J. Bayardo, R. Agrawal, Data Privacy Through Optimal kAnonymization. Proc. 21st ICDE ’05, pp. 217228, Jan. 2005. doi:10.1109/ICDE.2005.42
 (4) K. Benitez, B. Malin, Evaluating Reidentication Risks with Respect to the HIPAA Privacy Rule. J. Am. Med. Inform. Assoc., vol. 17, pp. 169177, Mar. 2010. http://dx.doi.org/10.1136/jamia.2009.000026
 (5) M. Boulos, Towards EvidenceBased, GISdriven National Spatial Health Information Infrastructure and Surveillance Services in the United Kingdom. Int. J. Health Geogr., vol. 3, pp. 1, Jan. 2004. doi:10.1186/1476072X31
 (6) M. Boulos, Q. Cai, J. A. Padget, et al., Using software agents to preserve individual health data confidentiality in microscale geographical analyses. J. Biomed. Inform. vol. 39, pp. 160170, Apr. 2006. doi:10.1016/j.jbi.2005.06.003
 (7) Canadian Institutes of Health Research. (2005, Spt.). CIHR Best Practices for Protecting Privacy in Health Research (September 2005). [Online], Available: http://www.cihrirsc.gc.ca/e/29072.html
 (8) J. Durham, kCenter Problems. Graphs, Combinatorics and Convex Optimization Reading Group, 2008.
 (9) K. E. Emam, L. Arbuckle Disclosing Small Geographic Areas while Protecting PrivacyâGeoLeader. TOPHC ’13, Mar. 2013.
 (10) K. E. Emam, A. Brown, P. AbdelMalik, Evaluating Predictors of Geographic Area Population Size Cutoffs to Manage Reidentification Risk. J. Am. Med. Inform. Assoc., vol. 16, pp. 256266, Apr. 2009. doi:10.1197/jamia.M2902
 (11) K. E. Emam, A. Brown, P. AbdelMalik, et al., A Method for Managing ReIdentification Risk from Small Geographic Areas in Canada. BMC Med. Inform. Decis., vol. 10, pp. 18, Apr. 2010. doi:10.1186/147269471018
 (12) K. E. Emam, D. Buckeridge, R. Tamblyn, et al., The reidentification risk of Canadians from longitudinal demographics. BMC Med. Inform. Decis, vol. 11, pp. 46, Jun. 2011. doi:10.1186/147269471146
 (13) K. E. Emam, F. K. Dankar, Protecting Privacy Using kAnonymity. J. Am. Med. Inform. Assoc.,â¯vol. 15, pp. 627637, Oct 2008. doi:10.1197/jamia.M2716
 (14) K. E. Emam, F. K. Dankar, R. Issa, et al., A Globally Optimal kAnonymity Method for the DeIdentification of Health Data. J. Am. Med. Inform. Assoc., vol. 16, pp. 670682, Sep. 2009. http://dx.doi.org/10.1197/jamia.M3144
 (15) K. E. Emam, F. K. Dankar, A. Neisa, et al., Evaluating the Risk of Patient Reidentification from Adverse Drug Event Reports. BMC Med. Inform. Decis., vol. 13, pp. 114, Oct. 2013. doi:10.1186/1472694713114
 (16) K. E. Emam, F. K. Dankar, R. Vaillancourt, et al., Evaluating the Risk of Reidentification of Patients from Hospital Prescription Records. Can. J. Hosp. Pharm., vol. 62, pp. 307319, Aug. 2009.
 (17) A. Gionis, T. Tassa, kAnonymization with Minimal Loss of Information. IEEE Trans. Knowl. Data Eng., vol. 21, pp. 206219, Jul. 2008. doi:10.1109/TKDE.2008.129
 (18) B. Greenberg, L. Voshell, The Geographic Component of Disclosure Risk for Microdata. Bureau of the Census Stat. Research Division Report Series SRD Research Report Number: Census/SRD/RR90/13, Oct. 1990.
 (19) B. Greenberg, L. Voshell, Relating Risk of Disclosure for Microdata and Geographic Area Size. Proc. SRMS, Am. Stat. Assoc., 1990, pp.450455.
 (20) S. Hawala, Enhancing the ”100,000 Rule” on the Variation of the Per Cent of Uniques in a Microdata Sample and the Geographic Area Size Identified on the File. Proc. Annu. Meeting Am. Stat. Assoc., 2001.
 (21) H.W. Jung, K. E. Emam, A Linear Programming Model for Preserving Privacy when Disclosing Patient Spatial Information for Secondary Purposes. Int. J. Health Geogr., vol. 13, pp. 16, May 2014. doi:10.1186/1476072X1316
 (22) S. Fortune, A Sweepline Algorithm for Voronoi Diagrams. Proc. 2nd Annu. SOGC, 1986, pp. 313322. doi:10.1007/BF01840357
 (23) A. K. Lyseen, C. Nohr, E. M. Sorensen, et al., A Review and Framework for Categorizing Current Research and Development in Health Related Geographical Information Systems (GIS) Studies. Yearb. Med. Inform., vol. 9 , pp. 110124, Aug. 2014. doi:10.15265/IY20140008
 (24) N. Mohammed, B. C. M. Fung, P. C. K. Hung, et al., Anonymizing Healthcare Data: A Case Study on the Blood Transfusion Service. Proc. 15th ACM SIGKDD Int. Conf. Knowl. Discov. Data, 2009, pp. 12851294. doi:10.1145/1557019.1557157
 (25) C. Marsh, A. Dale, C. Skinner, Safe Data Versus Safe Settings: Access to Microdata from the British Census. Int. Stat. Rev., vol. 62, pp. 3553, Apr. 1994.
 (26) W. Lowrance, Access to Collections of Data and Materials for Health Research: A Report to the Medical Research Council and the Wellcome Trust. Medical Research Council and the Wellcome Trust, Mar. 2006.
 (27) K. L. Olson, S. J. Grannis, K. D. Mandl, Privacy Protection Versus Cluster Detection In Spatial Epidemiology. Am. J. Public Health, vol. 96, pp. 11, 2002.
 (28) M. Rezaeian, G. Dunn, S. St Leger, et al., Geographical Epidemiology, Spatial Analysis and Geographical Information Systems: a Multidisciplinary Glossary. J. Epidemiol. Commun. H., vol. 61, pp. 98102, Feb. 2007. doi:10.1136/jech.2005.043117
 (29) P. Samarati, Protecting Respondents Identities in Microdata Release. IEEE Trans. Knowl. Data Eng., vol. 13, pp. 10101027, Nov. 2001. doi:10.1109/69.971193
 (30) Statistics Canada, Canadian Community Health Survey (CCHS)  Cycle 3.1 (2005)  Public Use Microdata File (PUMF)  User Guide. June 2006.
 (31) Statistics Canada. (2011). Individuals File, 2011 National Household Survey (Public Use Microdata Files), National Household Survey year 2011. [Online], Available: http://www5.statcan.gc.ca/olccel/olc.action?objId=99M0001X2011001&objType=46&lang=en&limit=0.
 (32) Statistics Canada. (2011). Dissemination Area (DA). [Online], Available: http://www12.statcan.gc.ca/censusrecensement/2011/ref/dict/geo021eng.cfm
 (33) K. Sugihara, Why Are Voronoi Diagrams so Fruitful in Application? 8th ISVD, Jun. 2011. doi:10.1109/ISVD.2011.10
 (34) L. Sweeney, Achieving kAnonymity Privacy Protection Using Generalization and Suppression. Int. J. Uncertain. Fuzz., vol. 10, pp. 571588, Oct. 2002. doi:10.1142/S021848850200165X
 (35) L. Sweeney, kAnonymity: A Model for Protecting Privacy. Int. J. Uncertain. Fuzz., vol. 10, pp. 557570, Oct. 2002. doi:10.1142/S0218488502001648
 (36) A. Vora, D. S. Burke, D. A. T. Cummings, The Impact of a Physical Geographic Barrier on the Dynamic of Measles. Epidemiol. Infect., vol. 136, pp. 713720, May 2008.