Releasing survey microdata with exact cluster locations and additional privacy safeguards

Official statistics are crucial for research and policy, but balancing data release with privacy is challenging. Microdata, containing individual-level information, is valuable but poses re-identification risks. Traditional anonymization techniques like removing identifiers and perturbing locations (e.g., relocating survey clusters within a radius) compromise data utility, especially for analyses that require precise geographic information, such as those combining survey data with auxiliary information from sources like social networks, mobile phones, or remote sensing. These data augmentation techniques often rely on geographic matching, making precise location information crucial. The increasing availability of secondary data exacerbates re-identification risks, highlighting the need for robust privacy protection alongside data utility. This paper addresses this challenge by proposing a novel microdata dissemination strategy that leverages synthetic data generation to enhance privacy without significant information loss.

Existing microdata dissemination strategies often involve a combination of data deletion and perturbation techniques, including location obfuscation. For example, the Demographic and Health Survey (DHS) relocates urban clusters within a 2km radius and rural clusters within a 5-10km radius. While this reduces re-identification risk, it also reduces data utility for spatial analyses that require precise location information. Several approaches to synthetic data generation exist, including imputation methods, parametric models, classification and regression trees, and more recently, Bayesian networks, Generative Adversarial Networks (GANs), and copulas. National statistical offices are increasingly exploring synthetic data for microdata release, such as the US Census Bureau's use of synthetic data from the American Community Survey and Survey on Income and Program Participation. However, these applications often focus on aggregated data rather than individual-level microdata.

The authors propose a new microdata dissemination strategy that involves publishing two datasets: (1) the original microdata without geographic identifiers below the strata level, suitable for analyses at the aggregate level, and (2) synthetic microdata that retains the original cluster locations. This approach aims to preserve the utility of both aggregate and spatially explicit data. The study utilizes data from the 2011 Costa Rican census, which includes socioeconomic attributes at the district level (473 districts). A stratified two-stage cluster sample was created to emulate household survey data. The benchmark anonymization strategy was geomasking, following the DHS approach of relocating cluster centroids within a radius. The alternative strategy used copula-based synthetic data generation. Copulas were chosen due to their computational efficiency, interpretability, and ease of updating. The Synthetic Data Vault was used for data transformation and constraints specification. To evaluate the proposed approach, the researchers used multiple metrics: (1) the re-identification risk of the private attribute (zip code); (2) the respondents' re-identification risk (population uniqueness); and (3) the utility for survey augmentation (performance in estimating the Unsatisfied Basic Needs Index (NBI) using satellite-derived auxiliary information). The NBI is a composite indicator constructed from various survey variables. Satellite-derived covariates from WorldPop were used for data augmentation. The study includes comparisons between the true survey, geomasked survey, and the synthetic survey, across 100 simulations. To evaluate the quality of the synthetic data, the normalized Kullback-Leibler (KL) divergence was calculated.

The proposed dissemination strategy significantly reduced re-identification risk. The re-identification risk of the zip code (private attribute) was much lower for the synthetic dataset than for the geomasked dataset. Population uniqueness, a measure of respondents' re-identification risk, was significantly lower for the synthetic dataset compared to the geomasked and true datasets. The synthetic approach did not outperform the geomasked survey in terms of utility in survey augmentation, but rather improved the utility of the data compared to the true survey. Specifically, it provided predictions for the NBI that were more in line with the census results. This suggests the copula approach reduces the impact of outliers. Additional experiments comparing directly synthesized NBI and NBI reconstructed from synthetic variables demonstrated that the synthetic approach captured the overall number of respondents with unsatisfied needs, but not the individual-level NBI status accurately. Despite this difference, the synthetic approach still showed better performance in survey augmentation than the geomasked survey. In supplementary analyses, the researchers explored the impact of different model fitting levels (whole survey, strata, zip code level), synthetic sample size, encoding schemes, and copula specifications on the results. The study found that selecting strata as the fitting level provided a good balance between sample size and capturing regional variation. Increasing the synthetic sample size improved the model performance and improved the direct survey estimate of the Fay-Herriot model. The choice of encoding scheme and marginal distribution had limited effects on synthetic data quality. The results were stable after 50 simulation rounds.

The findings demonstrate that the proposed strategy of releasing two datasets—one with limited geographic identifiers and one with synthetic data retaining original cluster locations—effectively improves the privacy-utility trade-off compared to traditional geomasking. This approach enables researchers to use fine-granular geolocated survey data while reducing re-identification risks. The use of copulas for synthetic data generation offers advantages in computational efficiency and ease of updating. The results highlight the potential of this strategy for data producers and users, enhancing data access while addressing privacy concerns. This is particularly important in light of increasingly stringent data protection regulations.

This study introduces a promising alternative microdata dissemination strategy that effectively balances privacy protection and data utility. The use of synthetic data with preserved cluster locations reduces re-identification risk without sacrificing the value of the data for analyses requiring accurate spatial information. The approach offers benefits for both data producers and researchers, particularly in contexts involving the integration of survey data with geographically referenced auxiliary data. Future research could explore more sophisticated copula models to improve the representation of hierarchical relationships and explore the integration of differential privacy techniques to further enhance privacy safeguards.

The study's limitations include the reliance on a Gaussian copula model, which assumes normally distributed margins. The model may not perfectly capture all hierarchical relationships within the data. While the study showed promising results, further research should investigate the generalizability of these findings across different contexts and datasets. It's important to note that the released microdata, even with synthetic data, remains pseudonymous and may require further safeguards depending on the jurisdictional context.