I'm interested to hear any approaches I can use to avoid exposing data that's sensitive when personally identifiable but analytically interesting when aggregated.
It's easy enough to remove or mask user names etc., but when you start applying filters on a set of data it's easy to imagine problem scenarios. For example, say I have HR data with an Average Pay measure, and I add a filter for Department and Role. If there are any roles in a given department being performed by one employee (quite a common scenario) then the Average Pay measure is in fact that individual's pay, and that exposes sensitive data.
Thus far the only solution I have come up with is to add a condition in a measure that returns blank if the distinct count of masked user identifiers is below a threshold (and hiding the column from report view). Something like this:
Average Pay:= IF( DISTINCTCOUNT([MaskedUserId]) < 10, BLANK(), AVERAGE('HrData'[Pay]) )
Does anyone have a more elegant / comprehensive solution? In particular, this only works where users aren't allowed to edit the report.
Thanks!
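
The threshold rule from the post, extended with complementary suppression, as an added example that is not part of the original post and is written in Python rather than DAX so the logic can be run and tested. It assumes department-level totals are visible next to the role-level cells, so a single blanked role could otherwise be recovered by subtracting the visible roles from the total; `safe_average_pay`, the sample rows and the complementary rule are all constructed for illustration.

```python
from collections import defaultdict

K = 10  # same threshold as the DAX measure in the post

# Constructed sample rows: (masked_user_id, department, role, pay)
ROWS = (
    [(f"u{i}", "Sales", "Rep", 40000 + 100 * i) for i in range(12)]
    + [(f"u{i}", "Sales", "Manager", 70000) for i in range(12, 23)]
    + [("u23", "Sales", "Director", 150000)]
    + [(f"u{i}", "IT", "Engineer", 60000) for i in range(24, 39)]
    + [(f"u{i}", "IT", "Analyst", 50000) for i in range(39, 50)]
)

def safe_average_pay(rows, k=K):
    """Return {(dept, role): average pay, or None when the cell is suppressed}."""
    cells = defaultdict(dict)  # (dept, role) -> {masked user: pay}
    for user, dept, role, pay in rows:
        cells[(dept, role)][user] = pay

    # Primary suppression: blank any cell with fewer than k distinct users.
    out = {key: (sum(p.values()) / len(p) if len(p) >= k else None)
           for key, p in cells.items()}

    # Complementary suppression (assumed rule): if the blanked cells of a
    # department together cover fewer than k users, department total minus
    # the visible cells is still an aggregate over fewer than k people.
    # Blank the smallest visible cells until the hidden group reaches k.
    by_dept = defaultdict(list)
    for (dept, role), pays in cells.items():
        by_dept[dept].append((len(pays), role))
    for dept, sized in by_dept.items():
        hidden = sum(n for n, r in sized if out[(dept, r)] is None)
        shown = sorted((n, r) for n, r in sized if out[(dept, r)] is not None)
        while 0 < hidden < k and shown:
            n, role = shown.pop(0)
            out[(dept, role)] = None
            hidden += n
    return out

if __name__ == "__main__":
    for cell, avg in sorted(safe_average_pay(ROWS).items()):
        print(cell, "BLANK" if avg is None else avg)
```

In the sample data the single Sales Director is blanked by the threshold, and the Sales Manager cell is blanked as well so that the two hidden cells together cover 12 people.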