Article ID: 455874
Journal: Computers & Security
Published Year: 2014
Pages: 14 Pages
File Type: PDF
Abstract

• Anonymised data bases are vulnerable to de-anonymisation attacks.
• The adversarial mutual information is the key factor controlling privacy risk.
• An information-theoretic de-anonymisation feasibility limit is derived.
• A process for making decisions about the release of anonymised data is described.
• Scenarios related to demographic data and to air travel data are discussed.

For legal and privacy reasons it is often prescribed that data bases containing sensitive personal data can be published only in anonymised form. History shows, however, that the privacy of anonymised data in many cases is easily broken by de-anonymisation attacks. This paper defines guiding principles for decisions about releasing anonymised data and provides a simple process for analysing de-anonymisation risk and for making decisions about publishing anonymised personal data. At the heart of this process is an information-theoretic de-anonymisation feasibility limit that is independent of the details of both the anonymisation procedure and the adversarial de-anonymisation algorithms. This feasibility limit relates the adversarial mutual information of the anonymised data and the attacker's background information to the number of records in the anonymised data base and the acceptable risk of privacy violations. Based on this result, we explain, discuss and exemplify the process for making decisions about releasing anonymised data.

Related Topics
Physical Sciences and Engineering; Computer Science; Computer Networks and Communications