Systems and methods to relate multiple unit level datasets without retention of unit identifiable information

US 20060085454A1
Filed: 10/06/2005
Published: 04/20/2006
Est. Priority Date: 10/06/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of replacing a personally identifiable key with an anonymous key comprising:

establishing a domain of data providers who agree to share elements of their datasets without personally identifiable information in accordance with a domain agreement;

transmitting the source data records to an anonymous key authority, the authority does not have access to non-key data of interest;

generating a consistent anonymous key to replace each personally identifiable key, the anonymous key being unique to the domain agreement;

transmitting the records to the recipient such that the recipient can receive the anonymous key and decrypt the associated non-identifying data values.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method by which researchers may receive unit level data (individual person records) from multiple sources and aggregate that data without receiving personally identifiable data. Since the unconstrained aggregation of seemingly non-identifying data elements can eventually lead to subject identification, the aggregation is limited to a predefined data aggregation domain.

64 Citations

View as Search Results

24 Claims

1. A method of replacing a personally identifiable key with an anonymous key comprising:
- establishing a domain of data providers who agree to share elements of their datasets without personally identifiable information in accordance with a domain agreement;
  
  transmitting the source data records to an anonymous key authority, the authority does not have access to non-key data of interest;
  
  generating a consistent anonymous key to replace each personally identifiable key, the anonymous key being unique to the domain agreement;
  
  transmitting the records to the recipient such that the recipient can receive the anonymous key and decrypt the associated non-identifying data values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as in claim 1, wherein the scope over which the data records can be linked is limited to the data provided by the parties to the domain agreement.
  - 3. A method as in claim 1, wherein the scope of the domain agreement can be altered by the consent of all responsible parties.
  - 4. A method as in claim 1, wherein the data provider can encrypt the data records so that the key authority can decrypt only a personally identifiable key but no associated data elements, and by which only the data recipient can decrypt the data elements, but does not receive the personally identifiable key.
  - 5. A method as in claim 1, where the anonymous key authority implements a selected one-way hash encryption process to generate an anonymous key that is consistent when generated with the same combination of domain and personally identifiable key, is limited in scope to the domain, and is non-reversible.
  - 6. A method as in claim 1, wherein the anonymous key provider can encrypt the combination of anonymous key and non-key data, exclusive of the original personally identifiable key, so that the recipient can decrypt the new anonymous key and also decrypt the associated data elements.
  - 7. A method as in claim 1, wherein the domain agreement defines a shared definition of the specification of the personally identifiable key to be used in the process.
  - 8. A method as in claim 1, wherein a domain agreement defines a substantially complete list of data items to be shared by all parties, thus enabling each party to the agreement to be satisfied that risk of individual identification through data aggregation is at a predetermined, selected low level.
  - 9. A method as in claim 1, wherein multiple domains, even if generated in whole or in part from the same sources, can not be further aggregated.
  - 10. A method as in claim 1 wherein participants and components are isolated so that encrypted personally identifiable data, anonymous keys, and associated non-key data elements are never in clear text on the same system.

11. A system comprising:
- at least one data provider;
  
  first software that provides a plurality of records, from the data provider, each record having a personal identifier section and an encrypted data section;
  
  an anonymous key authority;
  
  second software that removes the identifier section and associates with each member of the plurality a new identifier which can not disclose the individual identifier; and
  
  third software that combines the new identifier with one or more respective encrypted data sections.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. A system as in claim 11 where the anonymous key authority executes the second software.
  - 13. A system as in claim 11 which includes fourth software that encrypts the combined new identifier and respective data sections.
  - 14. A system as in claim 11 where the anonymous key authority executes the third and fourth software.
  - 15. A system as in claim 11 where the anonymous key authority maintains an audit trail.
  - 16. A system as in claim 11 which includes an agreement between at least the one data provider and an intended recipient, maintained by the anonymous key authority relative to at least the records.
  - 17. A system as in claim 11 which includes software to transfer the combined identifiers and encrypted data sections to at least one recipient.
  - 18. A system as in claim 16 which includes software to transfer the combined identifiers and encrypted data sections to at least one recipient.
  - 19. A system as in claim 11 where the at least one data provider includes software that encrypts both the identifier section and the data section.
  - 20. A system as in claim 19 where the key authority can decrypt the identifier section to the exclusion of the data section.
  - 21. A system as in claim 20 where an intended end user recipient can decrypt the data section without having access to the respective identifier section.

22. A method of replacing a personally identifiable key with an anonymous key comprising:
- establishing a domain of data providers who agree to share elements of their datasets without personally identifiable information in accordance with a domain agreement;
  
  transmitting the source data records to an anonymous key authority, the authority does not have access to non-key data of interest;
  
  generating a consistent anonymous key to replace each personally identifiable key, the anonymous key being unique to at least portions of the personally identifiable key and the domain agreement; and
  
  transmitting the records to the recipient such that the recipient can receive the anonymous key and decrypt the associated non-identifying data values.
- View Dependent Claims (23, 24)
- - 23. A method as in claim 22 which includes generating at least a second consistent anonymous key, the second key being unique to at least portions of the personally identifiable key and the domain agreement.
  - 24. A method as in claim 22 which includes generating a plurality of different, consistent anonymous keys, the members of the plurality being unique to at least portions of the personally identifiable key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Andrew R. Rolfe, John L. Blegen
Original Assignee
Andrew R. Rolfe, John L. Blegen
Inventors
Rolfe, Andrew R., Blegen, John L.

Application Number

US11/244,968
Publication Number

US 20060085454A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6254 by anonymising data, e.g. d...

Systems and methods to relate multiple unit level datasets without retention of unit identifiable information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to relate multiple unit level datasets without retention of unit identifiable information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links