Designing formally private mechanisms for the p% rule

Abstract

The \(p\)% rule classifies an aggregate statistic as a disclosure risk if one contributor can use the statistic to determine another contributor’s value to within \(p\)%. This is often possible in economic data when there is a monopoly or a duopoly. Therefore, the \(p\)% rule is an important statistical disclosure control and is frequently used in national statistical organisations. However, the \(p\)% rule is only a method for assessing disclosure risk: while it can say whether a statistic is risky or not, it does not provide a mechanism to decrease that risk. To address this limitation, we encode the \(p\)% rule into a formal privacy definition using the Pufferfish framework and we develop a perturbation mechanism that is provably private under this framework. This mechanism provides official statisticians with a method for perturbing data which guarantees that a Bayesian formulation of the \(p\)% rule is satisfied. We motivate this work with an example application to the Australian Bureau of Statistics (ABS).
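The risk assessment described in the abstract can be made concrete with the following added example, which is not code from the paper and does not implement its Pufferfish mechanism. It assumes the usual textbook formulation of the \(p\)% rule (non-negative contributions, an attacker who knows only the published total and its own value); the function names and sample cells are constructed for illustration.

```python
from itertools import permutations


def pairwise_disclosures(values, p):
    """List (attacker, target, relative_error) for every pair breaching the p% rule.

    Attacker j knows the published total T and its own value x_j, so T - x_j is
    an upper bound on target i's value x_i. The bound overshoots x_i by the sum
    of all other contributors; the rule is breached when that overshoot is
    smaller than p% of x_i.
    """
    if len(values) < 2 or min(values) < 0:
        raise ValueError("assumes >= 2 contributors with non-negative values")
    total = sum(values)
    breaches = []
    for j, i in permutations(range(len(values)), 2):
        if values[i] == 0:
            continue  # "within p% of zero" is not a meaningful estimate
        overshoot = total - values[j] - values[i]
        if overshoot * 100 < p * values[i]:
            breaches.append((j, i, overshoot / values[i]))
    return breaches


def is_sensitive(values, p):
    """Closed form of the same check.

    The worst case is always the second-largest contributor estimating the
    largest, so one comparison on the sorted values is enough.
    """
    if len(values) < 2 or min(values) < 0:
        raise ValueError("assumes >= 2 contributors with non-negative values")
    x1, x2 = sorted(values, reverse=True)[:2]
    return (sum(values) - x1 - x2) * 100 < p * x1


if __name__ == "__main__":
    # Constructed cells: a dominated market, a competitive one, and a duopoly.
    for cell in ([900, 80, 15, 5], [300, 280, 250, 170], [600, 400]):
        print(cell, is_sensitive(cell, 10), pairwise_disclosures(cell, 10))
```

In the dominated cell, both the second and the third contributor can bound the largest value to within 10%, which the single closed-form comparison flags without enumerating pairs.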