tables and thus generate nondisclosed information (Fienberg and Slavkovic, 2004).
The approach to risk assessment known as the k-anonymity approach is a computer science method based on the assumption that every combination of key variables has at least k minus one record (Sweeney, 2002). The k-anonymity approach is helpful in understanding the risk of disclosure, but Reiter suggested that one of the downsides of k-anonymity is that it does not necessarily prevent disclosures when the intruder has external information, so it may not be adequately protective.
L-diversity is a protective measure that ensures that any block of key variables has at least L well-represented variables. With this methodology, there is a mix with a minimum number (L) of persons in each grouping, and fewer disclosures are thus possible.
Differential privacy is a mathematical way of representing the idea that the incremental risk of an individual joining a data set would be small. It is a way of depicting the risk to an individual of joining a data set.
Reiter also discussed the possibility of releasing partially synthetic data; that is, data that have been modeled to have the statistical properties of the original data but that are not the same as the original data. Initially suggested by Little (1993), this method would create multiple, partially synthetic data sets for public release so that the released data would comprise a mix of observed and synthetic values and would look like the actual data (Reiter, 2005). In this method, statistical procedures valid for the original data would be valid for the released data. The advantages for the SED tabular data are that it would be possible to publish fine field level of detail for the REG tables and preserve the longitudinal character of the data. The method would be straightforward for analysts and not too difficult to implement, since there is only a small number of variables. This method could also be applied to the microdata files.