On March 8, 2014, Micah Altman from MIT Libraries and David O’Brien and Alexandra Wood from the Berkman Center submitted comments to the Occupational Safety and Health Administration (OSHA) on behalf of the Privacy Tools for Sharing Research Data project.
OSHA has proposed a rule that would make more data related to workplace health and safety available to employees, the government, and the public. Under the proposed rule, the agency would require the electronic submission and public disclosure of certain occupational injury and illness records that are currently compiled by a large number of U.S. employers. The records to be publicly released include incident dates and times, descriptions of the injuries or illnesses and where and how they occurred, and the job titles of the employees involved.
The comments argue that a more nuanced approach to data disclosure is needed to balance privacy and data utility. Although OSHA intends to remove information such as name, address, date of birth, and gender from the public release, such traditional de-identification methods and standards may not be sufficient to protect employee privacy. Many examples from the privacy science literature suggest that the combination of information that would be released is likely to be uniquely identifying for many of the employees in the records.
In addition to describing potential risks, the comments provide a brief overview of alternative privacy-aware models that are used to share and disclose data, such as contingency tables, synthetic data, data visualizations, and interactive mechanisms. These models may be combined with tiered-access controls, legal protections, and other mechanisms to selectively release data at different granularity levels. More access-restrictive tiers could, for example, be used to maximize data utility by enabling the release of minimally-redacted data only to trusted, authenticated researchers who agree to conditions of use. Less restrictive tiers could provide the public and others with access to coarser, less sensitive data.
The authors note that the management of confidentiality in a public data release should be informed by a sophisticated analysis of re-identification risks, information sensitivity, potential harms, mitigation techniques, and legal remedies. The comments conclude with a recommendation that OSHA consult with experts to reevaluate the data to be collected and design useful and safe mechanisms for its release.
The full comments can be viewed and downloaded from Regulations.gov.