Sharing data across research groups is an essential driver of biomedical research. While interactive query-answering systems for biomedical databases aim to facilitate the sharing of aggregate insights without divulging sensitive individual-level data, query answers can still leak private information about the individuals in the database. Here, we draw upon recent advances in differential privacy to introduce query-answering mechanisms that provably maximize the utility (e.g., accuracy) of the system while achieving formal privacy guarantees. We demonstrate our accuracy improvement over existing approaches for a range of use cases, including cohort discovery, variant lookup, and association testing. Our new theoretical results extend the proof of optimality of the underlying mechanism, previously known only for count queries with symmetric utility functions, to more general utility functions needed for key biomedical research workflows. Our work presents a path toward interactive biomedical databases that achieve the optimal privacy-utility trade-offs permitted by the theory of differential privacy.

跨研究组共享数据是生物医学研究的重要推动力。尽管用于生物医学数据库的交互式查询系统旨在促进共享见解的共享，而又不会泄露敏感的个人级数据，但查询答案仍会泄漏有关数据库中个人的私人信息。在这里，我们利用差分隐私的最新进展来介绍查询-应答机制，该机制在实现正式的隐私保证的同时可证明地使系统的效用（例如准确性）最大化。我们展示了在一系列用例（包括同类群组发现，变体查找和关联测试）中，相对于现有方法的准确性提高。我们的新理论结果扩展了潜在机制的最优性证明，以前只针对具有对称效用函数的计数查询，以及关键生物医学研究工作流程所需的更通用的效用函数。我们的工作提出了一条通往交互式生物医学数据库的途径，该数据库可实现差异隐私理论所允许的最佳隐私-效用折衷。