One of the most common challenges in cross-organizational data work is figuring out whether two records in different systems refer to the same person. A student in a school district's database might also appear in a health department's records and a workforce development program's system. Understanding that these records connect is essential for measuring outcomes across services, but sharing the personally identifiable information needed to make that connection raises serious privacy and legal concerns.
Privacy-preserving record linkage (PPRL) solves this problem by allowing organizations to match records without ever exchanging the underlying personal data. The basic approach works like this: each organization applies a one-way cryptographic hash to its identifying fields (name, date of birth, and so on) and shares only the hashed values with a neutral linkage service. The service finds matches between the hashed tokens and returns linked identifiers to the participating organizations, without ever seeing the original data.
Why this matters for social sector data
In the social sector, the populations that could benefit most from coordinated services are often the hardest to serve because the data about them is fragmented across agencies that have no mechanism to share it. A family receiving support from multiple programs might be counted three different ways in three different systems, making it impossible to understand whether the combined investment is working.
PPRL changes this dynamic. It gives organizations a way to build longitudinal, cross-system views of the populations they serve while staying within the bounds of FERPA, HIPAA, and state privacy laws. The privacy properties aren't a compromise; they're the feature that makes the whole approach legally and ethically viable.
How Spotlight implements PPRL
Spotlight, the record linkage component of Asemio's Mosaic platform, implements PPRL using a multi-party computation model. Contributing organizations submit hashed records through a secure pipeline. The linkage engine uses probabilistic matching on the hashed tokens, accounting for the kinds of errors and inconsistencies that are inevitable in real administrative data (typos in names, different address formats, missing fields).
The output is a set of anonymous linked identifiers that allow each organization to connect their records to a shared longitudinal view without learning anything about individuals in other organizations' data. The cryptographic design ensures that even if the linkage service were compromised, an attacker would gain no usable personal information.
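The page does not say which encoding Spotlight uses. The Python sketch below is an added example, not Spotlight's or Asemio's code: it shows one widely used PPRL technique, Bloom-filter encoding of character bigrams under a keyed hash (HMAC) compared with the Dice coefficient, to illustrate how a linkage service can tolerate typos while seeing only hashed tokens. The key, filter size, threshold, record IDs and sample records are all constructed assumptions.

```python
import hashlib
import hmac
import unicodedata

M_BITS = 1024      # Bloom filter length (assumed parameter)
K_HASHES = 2       # bit positions set per bigram (assumed parameter)
# Constructed demo key. Assumption: contributors share it and the linkage
# service never receives it, so the service cannot re-encode guessed names.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def normalize(value: str) -> str:
    """Fold case, accents and punctuation so formatting differences vanish."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())

def bigrams(text: str) -> set[str]:
    padded = f"_{text}_"
    return {padded[i:i + 2] for i in range(len(padded) - 1)}

def encode(name: str, dob: str, key: bytes = SHARED_KEY) -> frozenset[int]:
    """Contributor side: return the set bit positions; raw fields stay local."""
    bits = set()
    grams = bigrams(normalize(name)) | {"dob:" + normalize(dob)}
    for gram in grams:
        for i in range(K_HASHES):
            digest = hmac.new(key, f"{i}|{gram}".encode(), hashlib.sha256).digest()
            bits.add(int.from_bytes(digest[:8], "big") % M_BITS)
    return frozenset(bits)

def dice(a: frozenset[int], b: frozenset[int]) -> float:
    return 2 * len(a & b) / (len(a) + len(b))

def link(org_a: dict, org_b: dict, threshold: float = 0.8) -> list[tuple]:
    """Linkage-service side: sees only encodings and local record ids."""
    links = []
    for id_a, enc_a in org_a.items():
        best = max(org_b, key=lambda id_b: dice(enc_a, org_b[id_b]))
        if dice(enc_a, org_b[best]) >= threshold:
            links.append((f"link-{len(links) + 1}", id_a, best))
    return links

# Constructed sample records; each organization encodes its own data locally.
school = {"S1": encode("Katherine O'Neil", "2009-04-17"),
          "S2": encode("Michael Brandt", "2010-11-02")}
health = {"H7": encode("kathrine oneil", "2009/04/17"),
          "H9": encode("Luis Ortega", "2008-01-30")}

if __name__ == "__main__":
    print(link(school, health))
```

A single hash over the whole name would miss the S1/H7 pair because of the spelling difference; the bigram encoding still links it, while the unrelated records stay unlinked.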
Getting started
If your organization is working across institutional boundaries and struggling with the "same person, different systems" problem, PPRL is worth investigating. The technology has matured significantly over the past few years, and the legal frameworks for using it in education, health, and social services are increasingly well established.