A Toolbox for Geographic Masking to Protect Confidentiality of Individual-Level Geocoded Data

When locations of individual-level health data are released in the form of paper or digital maps, these individuals could be re-identified through reverse geocoding. Spatial datasets can therefore not be released unless the locations have been modified, for example using aggregation or geographic masking. Masking techniques apply transformations or perturbations to prevent the re-identification of individuals. As part of a larger project on spatial data confidentiality a toolbox was developed for geographic masking of individual-level datasets. Masking techniques include both existing and newly developed algorithms: 1) random direction, fixed radius; 2) random perturbation within a circle; 3) Gaussian displacement; 4) donut masking; 5) bimodal Gaussian displacement; 6) location swapping; and 7) location swapping with donut masking. The GIS-based toolbox was implemented using Modelbuilder and Python scripting. The toolbox includes detailed instructions and has been released in the public domain for use by researchers and health agencies. The performance of the various masking tools was validated using measures of spatial κ-anonymity which provides an empirical estimate of the probability of discovery. The experience of several public health agencies using the toolbox will be discussed.