Review Article

Ensuring Confidentiality of Geocoded Health Data: Assessing Geographic Masking Strategies for Individual-Level Data

Figure 7

Illustration of the k-anonymity concept using record linkage. Medical records contain a number of different fields which are removed to protect confidentiality, including name and address. When combined with voting records, however, it becomes possible to uniquely identify individuals in the medical records by combining fields for ZIP code, birthday, and sex. The k-anonymity provided by the released data is unacceptably low. By removing the field for birthdate (or replacing it with birth year), the k-anonymity is substantially increased and may reach acceptable levels. The concept of k-anonymity provides a quantitative measure of confidentiality protection. More specifically, it is a number that can be calculated for each subset of the data. For the example of medical records and voting records, values for k-anonymity can be calculated prior to release for all combinations of ZIP code and sex or any other field of interest. Adapted from [66].
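The pre-release calculation described in the caption, as an added example that is not from the original article: it counts how many records share each combination of quasi-identifier values and reports the smallest group size as k. The records, field names, and helper functions are constructed for illustration.

```python
from collections import Counter

# Constructed sample release: name and address are already removed,
# but ZIP code, birthdate and sex remain as quasi-identifiers.
RECORDS = [
    {"zip": "02138", "birthdate": "1961-07-14", "sex": "F", "dx": "asthma"},
    {"zip": "02138", "birthdate": "1961-02-03", "sex": "F", "dx": "diabetes"},
    {"zip": "02138", "birthdate": "1964-11-30", "sex": "F", "dx": "asthma"},
    {"zip": "02138", "birthdate": "1964-03-08", "sex": "F", "dx": "cancer"},
    {"zip": "02139", "birthdate": "1975-05-09", "sex": "M", "dx": "asthma"},
    {"zip": "02139", "birthdate": "1975-09-21", "sex": "M", "dx": "cancer"},
    {"zip": "02139", "birthdate": "1980-01-17", "sex": "M", "dx": "diabetes"},
    {"zip": "02139", "birthdate": "1980-06-02", "sex": "M", "dx": "asthma"},
]

def class_sizes(records, quasi_identifiers):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)

def k_anonymity(records, quasi_identifiers):
    """k is the size of the smallest group; k == 1 means someone is unique."""
    sizes = class_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0

def birth_year_only(records):
    """Generalize birthdate (YYYY-MM-DD) to birth year before release."""
    return [{**r, "birthdate": r["birthdate"][:4]} for r in records]

def at_risk(records, quasi_identifiers, k_min):
    """Records whose group is smaller than the release threshold k_min."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records
            if sizes[tuple(r[q] for q in quasi_identifiers)] < k_min]

if __name__ == "__main__":
    full = ("zip", "birthdate", "sex")
    print("full birthdate :", k_anonymity(RECORDS, full))
    print("birth year only:", k_anonymity(birth_year_only(RECORDS), full))
    print("birthdate removed:", k_anonymity(RECORDS, ("zip", "sex")))
    print("records below k=2:", len(at_risk(RECORDS, full, 2)))
```
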