Fig. 3

Clinical Trial Data Anonymisation. The overall risk of re-identification is a function of both the data risk and the context risk. The context risk is assessed by examining three re-identification attacks on a dataset: (a) a deliberate attack by an adversary, (b) an inadvertent re-identification by a data analyst where they recognize someone they know, and (c) a data breach occurring. The success of the three attacks is affected by the controls that are in place. The context consists of first the contractual controls which reduce the context risk. The residual risk is managed by security and privacy controls, which are also part of the context. The extent of these controls reduces the overall risk further. Then any residual risk is managed by perturbing or transforming the data