A Systematic Survey of Architectural Approaches and Trade-Offs in Data De-identification

Data de-identification refers to the process of removing or hiding the direct and indirect (quasi-)identifiers from data elements through transformation, generalization, or removal. Through active research over twenty years, diverse de-identification approaches, algorithms and tools have emerged. Existing survey studies focus predominantly on the application of de-identification within specific domains and to different data types, with attention to intrinsic characteristics of the algorithms and methods, and the impact on data utility -the extent to which the data can still serve its functional purpose after de-identification. However, from a software architecture design perspective, de-identification affects a number of additional non-trivial and impactful non-functional attributes, and a comprehensive overview of the involved architectural concerns and trade-offs is currently lacking. To address this gap, we present the outcome of a systematic literature review (SLR) study that: (1) outlines the current state of the art in an architecture tactic tree which classifies different architectural approaches to de-identification, (2) provides a further exploration of the relevant architectural trade-offs discussed in literature.