Secure pseudonymisation for privacy-preserving probabilistic record linkage

Record linkage is becoming an increasingly important tool in many areas of research - particularly medical research, where the relevant data often reside in more than one location. In the absence of a reliable and unique identifier probabilistic approaches to linkage are often employed. This linkage generally exploits the information contained in the fields that are common to a record pair. In classical record linkage the values in common fields are simply compared for equality. As values might contain typographical ( or other) errors the performance of classical record linkage can often be significantly improved if similarities between value pairs are also exploited. In applications where the data used for matching must be kept private the raw values are replaced by pseudonyms. For better linkage performance these pseudonyms should also convey information regarding similarities. Existing approaches are often based on Bloom filters, yet these are susceptible to attack. Secure schemes based on Bloom filters inevitably involve additional security measures. Here we introduce a new scheme that produces pseudonyms that are far more secure than Bloom filters. It can be used a drop-in replacement for many schemes that use Bloom filters. The new scheme allows similarity scores to be estimated from pairs of pseudonyms with negligible bias and with known variance for a given similarity score. (C) 2017 Elsevier Ltd. All rights reserved.