SURV735: Data Confidentiality and Statistical Disclosure Control

Data Output/Access

Statistical agencies and other data collecting institutions constantly face the dilemma between providing broad access to their data and maintaining the confidentiality of the individuals included in the collected data. To address this trade-off various statistical disclosure control (SDC) methods have been developed which help to ensure that no sensitive information can be disclosed based on the disseminated data. However, applying these methods usually comes at the price of information loss or potentially biased inferences based on the protected data.

This course will introduce the data protection strategies that are commonly used by statistical agencies and discuss their advantages and limitations. We will also briefly look at the computer science perspective on data privacy. We will discuss the differences to the SDC perspective and what the SDC community could learn from the approaches developed in computer science. The main part of the course will focus on a relatively new approach to statistical disclosure control that has been implemented successfully for some data products recently: Generating synthetic data. With this approach statistical models are fitted to the original data and draws from these models are released instead of the original data. If the synthesis models are selected carefully, most of the relationships found in the original data are preserved.

You will learn about the general idea of synthetic data and the two main approaches for generating synthetic datasets. The close relationship to multiple imputation for nonresponse will also be discussed.

The quality of the synthetic data crucially depends on the quality of the models used for generating the data. Thus, the course will present various parametric and nonparametric modeling strategies in great detail.

The quality needs to be evaluated in two dimensions: (i) How well is the analytical validity preserved, i.e. how close are analysis results based on the synthetic data to results obtained from the original data? (ii) What is the remaining risk of disclosure for the released data? Several strategies to measure these two dimensions will be introduced. All steps of the synthesis process from generating the data, over analyzing the data, to evaluating the analytical validity and disclosure risk will be illustrated using simulated and real data examples in R.

Course objectives: 

By the end of the course participants will

  • know which measures are typically taken by statistical agencies to guarantee confidentiality for the survey respondents if data are disseminated to the public.
  • be aware of potential limitations of these measures.
  • have a practical understanding of the concept of synthetic data.
  • be able to judge in which situations the approach could be useful.
  • know how to generate synthetic data from their own data.
  • have a number of tools available to evaluate the analytical validity of the synthetic datasets.
  • know how to assess the disclosure risk of the generated data.

Grading will be based on participation in the weekly online meetings, engagement in discussions during the meetings and/or submission of questions via e-mail, 2 online quizzes, 3 homework assignments and a final online exam.


The students should be familiar with the statistical software R. Some background regarding general linear modelling is expected. Familiarity with the concept of Bayesian statistics is helpful, but not required.

Course Dates


Spring Term (March – May)


Spring Term (March – May)