Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gillian Raab, Chris Dibben, & Paul Burton UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, 2015 Running an analysis of combined.

Published byGerald Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Gillian Raab, Chris Dibben, & Paul Burton UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, 2015 Running an analysis of combined."— Presentation transcript:

1 Gillian Raab, Chris Dibben, & Paul Burton UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, 2015 Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation }

2 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation What is multi-party computation?  The data to contribute to an analysis are distributed across several sites  Confidentiality concerns prevent them being pooled for analysis  Methods have been developed to allow analyses to be carried out without pooling the data

3 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Methods developed for this  Since around 2005  By statisticians who call it the analysis of distributed data  And computer scientists who call it privacy- preserving data mining (PPDM)

4 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Horizontally or vertically partitioned data ? v1V2v3V4 v1V2v3V4 Study 1 Study 2 v1v2v3v4v5v6 Study 2 Study 1

5 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Horizontally partitioned data - examples  Genomic data  Adverse drug effects  Comparable surveys or censuses collected by different agencies

6 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The UK Longitudinal Studies  Three studies each run by a different agency  England and Wales – (ONS LS)  Scottish Longitudinal Study – (SLS)  Norther Ireland Longitudinal study (NILS)  Each run by a different National Agency  Data needs to be held very securely (Census act)  The servers that hold the data have no internet access

7 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The UK Longitudinal Studies  Three studies each run by a different agency  England and Wales – (ONS LS)  Scottish Longitudinal Study – (SLS)  Norther Ireland Longitudinal study (NILS)  Each run by a different National Agency  Data needs to be held very securely (Census act)  The servers that hold the data have no internet access

8 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Methods for multi-party computation  Rely on exchanging and combining sufficient statistics from the different studies  For horizontally partitioned data, the sufficient statistics for the pooled data are just the sum over those from the individual studies  E.g. For regression inferences can be obtained from the sum of the information matrices (I)(X’X) and the score statistics (S) X’Y.  Coefficients are (∑I ) -1 ∑S  For iterative methods (e.g. GLMs) these quantities need to be exchanged at each iteration until the models converge.

9 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Iterative estimation for GLMs  An analysis computer (AC) can control the estimation  Data is held on several data computers (DCs)  The following steps are needed  Starting values for the coefficients are sent to all DCs  Each DC returns their current I and S to the AC  The AC calculates a new value of the coefficients and checks if model converged  These steps are repeated until convergence

10 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The DataSHIELD project  www.datasheild.org www.datasheild.org  Provides open source code to carry out these computations in the R package  They also provide a means of setting up an interface (opal server) between the AC and the DCs that restricts what objects can be transferred  In this protocol the AC controls all the analyses  After data harmonisation between the sites the AC establishes communication with each one and can then run a limited number of commands to extract data summaries from the DCs

11 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The DataSHIELD protocol  AC (yellow) controls the whole analysis  The interface restricts what can be extracted from the DCs

12 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The E-DataSHIELD protocol

13 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation At each iteration an analyst at a DC must  receive a vector of coefficients from the AC by email  transfer it to the secure server via a secure data stick (for some LSs this transfer can only be done by agency staff, not be the individual researcher)  read it into their R workspace  run a routine to update the information matrix and score vector write them to a file  export the file from the secure setting via the secure data stick  email it to the AC.

14 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation At each iteration an analyst at a DC must  receive a vector of coefficients from the AC by email  transfer it to the secure server via a secure data stick (for some LSs this transfer can only be done by agency staff, not be the individual researcher)  read it into their R workspace  run a routine to update the information matrix and score vector write them to a file  export the file from the secure setting via the secure data stick  email it to the AC.

15 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Features of the E-DataSHIELD method  Automatic calculation of starting values  Fits a whole set of models together and stops when they have all converged  Generates the names of the files to transfer automatically at each iteration, and then checks that everything is as it should be.  Other routines available for pre-analysis harmonisation and summaries of data and presentation of results  Two projects using the LSs have used this methodology successfully

16 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Secure multi-part computation  The individual parts of the summaries are encrypted using homomorphic encryption  Simplest example of this (used by statisticians) is for the first DS to add a random number to their result and pass it round the others, then when it comes back to the first one the random number is subtracted  Computer scientists use more sophisticated ones  But it wouldn’t work with DataShield

17 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation The DataSHIELD protocol  DCs don’t communicate with each other  But no reason why it should not work with E-DataShield

18 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation E-DataSHIELD with secure summaries

19 Will shortly to be submitted to CRAN http://cran.r-project.org/package=eds E-DataSHIELD package eds

20 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Sample eds code At each DC >eds.glm.update("spine",itno=1,data=SEast,quietly=T) File written Project_spine_Itno_1_Study_2.R Now email file to analysis computer At the AC > eds.joint.update(project="spine",itno=1,studies=1:3,quietly=T) which gives the message 0 out of 3 models converged File written: Joint_fit_project_spine_Itno_2.R.

21 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Sample eds code with secure summaries At the first DC >eds.glm.update("spine",itno=1,data=London,quietly=F,secure=T) Result read from file Start_project_spine_Itno_1.R Fitting 3 models for project spine at iteration 1 File with random objects is written as Project_spine_Itno_1_Randoms.R Result for project spine iteration 1 study 1 written to file Project_spine_Itno_1_Study_1.R Now email file to next data computer, study 2 At the next DC Same commands but the random file is only written by the first DC And at the next iteration the first DC reads it before the Joint update and writes a new one for the next iteration.

22 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Further points in the written paper  Examples of how the results of the analyses can be computed  How covariate by study interactions are fitted  An example using synthetic data generated from one of the LSs  References to other papers

23 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Conclusions  We have a package that works for the LSs  We plan to make it publicly available via CRAN  And hope it will be useful to others  More details and future directions in the published paper Farr Institute International Conference 2015 | Joshua Snoke, Beata Nowok, Gillian M. Raab, Chris Dibben, and Aleksandra B. Slavković | 27 August 2015

24 UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, October 2015 Raab, Dibben, Burton Running an analysis of combined data when the individual records cannot be combined: practical issues in secure computation Acknowledgments Farr Institute International Conference 2015 | Joshua Snoke, Beata Nowok, Gillian M. Raab, Chris Dibben, and Aleksandra B. Slavković | 27 August 2015 We are grateful to the DataSHIELD project for having introduced us to these ideas and shared their code with us. Also to the staff of the LSs for helping us to develop eds. The DataSHIELD project is supported by funding from: the European Union’s Seventh Framework Programme - BioSHaRE- EU (Biobank Standardisation and Harmonisation for Research Excellence in the European Union); a strategic award from MRC and Wellcome Trust for the ALSPAC project; and the Welsh and Scottish Farr Institutes, MRC funded E-Health Informatics Research Centres (EHIRCs ).

Download ppt "Gillian Raab, Chris Dibben, & Paul Burton UNECE-Eurostat Work Session on Statistical Data Confidentiality, Helsinki, 2015 Running an analysis of combined."

Similar presentations

Alternative Approaches to Data Dissemination and Data Sharing Jerome Reiter Duke University

Alternative Approaches to Data Dissemination and Data Sharing Jerome Reiter Duke University
Secure Statistics Software Francisco Vera National Institute of Statistical Sciences.

Secure Statistics Software Francisco Vera National Institute of Statistical Sciences.
Managing data using CSPro

Managing data using CSPro
Centre for Reviews and Dissemination May 2013 Registering a systematic review on PROSPERO.

Centre for Reviews and Dissemination May 2013 Registering a systematic review on PROSPERO.
Integrating Data for Analysis, Anonymization, and SHaring Supported by the NIH Grant U54HL108460 to the University of California, San Diego Shuang Wang,

Integrating Data for Analysis, Anonymization, and SHaring Supported by the NIH Grant U54HL to the University of California, San Diego Shuang Wang,
Using synthetic data to improve the accessibility of the SLS Susan Carsley, SLS Project Manager.

Using synthetic data to improve the accessibility of the SLS Susan Carsley, SLS Project Manager.
Administrative Data Research Centre – Scotland Chris Dibben.

Administrative Data Research Centre – Scotland Chris Dibben.
Analysis and Communication of US News Rankings using Monte Carlo Simulations: A Comparison to Regression Modeling Presented by Chris Maxwell Purdue University.

Analysis and Communication of US News Rankings using Monte Carlo Simulations: A Comparison to Regression Modeling Presented by Chris Maxwell Purdue University.
Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.

Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.
Privacy Preserving K-means Clustering on Vertically Partitioned Data Presented by: Jaideep Vaidya Joint work: Prof. Chris Clifton.

Privacy Preserving K-means Clustering on Vertically Partitioned Data Presented by: Jaideep Vaidya Joint work: Prof. Chris Clifton.
Valid Statistical Analysis for Logistic Regression with Multiple Sources Rob Hall (Dept of Machine Learning, CMU) Joint work with Yuval Nardi and Steve.

Valid Statistical Analysis for Logistic Regression with Multiple Sources Rob Hall (Dept of Machine Learning, CMU) Joint work with Yuval Nardi and Steve.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Using EDC-Rave to Conduct Clinical Trials at Genentech

Using EDC-Rave to Conduct Clinical Trials at Genentech
Linking lives through time www.lscs.ac.uk Marital Status, Health and Mortality: The Role of Living Arrangement Paul Boyle, Peteke Feijten and Gillian Raab.

Linking lives through time Marital Status, Health and Mortality: The Role of Living Arrangement Paul Boyle, Peteke Feijten and Gillian Raab.
Balance of Payments Collection and Compilation 23 Feb 2012 Central Statistics Office Ireland.

Balance of Payments Collection and Compilation 23 Feb 2012 Central Statistics Office Ireland.
Measuring recycling in the UK Cindy Lee Waste Data Strategy Manager.

Measuring recycling in the UK Cindy Lee Waste Data Strategy Manager.
Chemistry CPD Presentation Programme Welcome and outline for event Overview of Internal Assessment in Chemistry Verification –brief outline Key messages.

Chemistry CPD Presentation Programme Welcome and outline for event Overview of Internal Assessment in Chemistry Verification –brief outline Key messages.
Microdata Simulation for Confidentiality of Tax Returns Using Quantile Regression and Hot Deck Jennifer Huckett Iowa State University June 20, 2007.

Microdata Simulation for Confidentiality of Tax Returns Using Quantile Regression and Hot Deck Jennifer Huckett Iowa State University June 20, 2007.
Good practice in Research Data Management Module 6: Tools, training and support.

Good practice in Research Data Management Module 6: Tools, training and support.
Copyright 2010, The World Bank Group. All Rights Reserved. Prosecution Statistics Part 2 Crime, Justice & Security Statistics Produced in Collaboration.

Copyright 2010, The World Bank Group. All Rights Reserved. Prosecution Statistics Part 2 Crime, Justice & Security Statistics Produced in Collaboration.

Similar presentations

Ads by Google