Differential Privacy and the Survey Data Pipeline

Music City Center 

The concept of differential privacy (DP) gained substantial attention in recent years, most notably since the U.S. Census Bureau announced the adoption of the concept for its 2020 Decennial Census. However, despite its attractive theoretical properties, implementing the approach in practice is challenging, especially when it comes to survey data. In this talk, I will focus on the fact that the production of survey data is a complex multistage process and discuss its implications for DP. Specifically, I will illustrate that data custodians willing to adopt DP for their surveys need to address two important questions: Firstly, at what point in the pipeline should the DP mechanism start? And secondly, which of the earlier stages of the data pipeline should be considered invariant – i.e., should be treated as fixed – by DP? I will highlight the implications of these decisions and offer guidelines which settings statistical agencies should potentially adopt when implementing DP for their surveys.