security and global viruses have elevated concerns about the security of online data. Most of these incidents have not involved health-related data, but they have fostered the perception that any online data poses a security threat (Eng, 2001). Today’s technology allows databases to be designed to provide security against direct query of certain attributes. Any specific user can be given restricted access to specific parts of a database. Such a multilevel database stores data according to different security classifications and allows users access to data only if their security level is greater than or equal to the security classification of the data (National Research Council, 1993).
Another concern is what Lunt and colleagues (1990) call an inference channel. An inference channel is said to exist in a multilevel database when a user can infer information classified at a high level, to which he or she does not have access, based on repeated queries of information classified at a lower level to which the user does have access. Techniques (e.g., query restriction, response modification) exist to limit the potential for such inferences, and consideration should be given to these approaches in designing data systems. Extensive security protocols in place for public health bioterrorism systems also provide possible models.
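The access rule and the two inference controls named above can be sketched in a few lines of Python; this is an added illustration, not code from the report or from the systems it cites. It assumes a constructed table, hypothetical column names and classification levels, and a policy under which low-level users may receive rounded aggregate counts over a higher-classified column.

```python
# Constructed sample data; column names and classification levels are assumptions.
COLUMN_LEVEL = {"county": 1, "age_group": 1, "diagnosis": 3}
ROWS = {
    1: {"county": "Adams", "age_group": "child", "diagnosis": "asthma"},
    2: {"county": "Adams", "age_group": "child", "diagnosis": "asthma"},
    3: {"county": "Adams", "age_group": "child", "diagnosis": "diabetes"},
    4: {"county": "Adams", "age_group": "adult", "diagnosis": "asthma"},
    5: {"county": "Brown", "age_group": "child", "diagnosis": "diabetes"},
    6: {"county": "Brown", "age_group": "adult", "diagnosis": "asthma"},
}

class MultilevelStore:
    """Toy multilevel table with query restriction and response modification."""
    K = 2         # minimum query-set size and minimum difference between sets
    ROUND_TO = 5  # released counts are rounded to a multiple of this

    def __init__(self, rows, column_level):
        self.rows, self.column_level = rows, column_level
        self.answered = {}  # user -> query sets already answered

    def read(self, user_level, record_id, column):
        # Direct query: allowed only if user level >= data classification.
        if user_level < self.column_level[column]:
            raise PermissionError(f"{column} is above level {user_level}")
        return self.rows[record_id][column]

    def count(self, user, user_level, where, column, value):
        """Rounded count of rows selected by `where` that have column == value."""
        # The selecting predicate may use only columns the user can read.
        if any(user_level < self.column_level[c] for c in where):
            raise PermissionError("predicate uses a column above the user's level")
        qset = frozenset(rid for rid, r in self.rows.items()
                         if all(r[c] == v for c, v in where.items()))
        # Query restriction: refuse small query sets.
        if len(qset) < self.K:
            raise PermissionError("query set too small")
        # Query restriction: refuse a set within K records of an answered one,
        # since the two answers together would describe the few differing rows.
        for prev in self.answered.get(user, []):
            if 0 < len(qset ^ prev) < self.K:
                raise PermissionError("too close to an earlier query")
        self.answered.setdefault(user, []).append(qset)
        exact = sum(1 for rid in qset if self.rows[rid][column] == value)
        # Response modification: release a rounded count, not the exact one.
        return self.ROUND_TO * round(exact / self.ROUND_TO)
```

The sketch keeps query history per user only, so it does not address users who pool their answers; set-size and overlap checks are the simplest form of query restriction rather than a complete defense.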
The Census Bureau has implemented an approach that makes sensitive individual-level data available to researchers in seven data centers across the country (see Box 6-5). This approach demonstrates that there are viable strategies for making individual data available without compromising confidentiality, representing an initial step toward improving access to data. However, accessibility under this model is limited, the relatively small number of centers makes the process somewhat cumbersome, and it can require significant expense by researchers who are not located near a center. Additional and expanded approaches should be developed to continue to make Census Bureau and other datasets, such as those available through the NCHS, more accessible. Although NCHS has a mechanism in place to make sensitive data available at their headquarters, the process is more cumbersome than the Census Bureau’s approach and currently does not meet the needs of data analysts outside the center.
Another set of complex ethical issues arises from the relatively new ability to collect and store biological specimens for long periods of time. For example, all states collect drops of blood from newborn infants on special absorbent cards. These are used for mandatory newborn screens for inborn errors of metabolism and other congenital conditions. There is inconsistency in the screening procedures used across states and in the procedures used to handle such specimens after collection. However, it is technically possible to take anonymous fragments of these specimens to look at population exposures to infectious diseases (such as to determine rates of HIV transmission) or noxious chemicals (e.g., pesticides or