Call Detail Records (CDRs) are sensitive in a number of important ways and must have robust protections.

In particular, CDRs are personal data and must have strong protections to preserve the privacy of individuals within the dataset. The aggregation and anonymisation can help protect individual privacy by preventing individuals from being identified from the resulting mobility aggregates.

CDR data and associated cell tower location data can also be sensitive in other ways. The locations of cell towers or indicators derived from CDR that reveal a mobile network operator’s (MNO) market share may be commercially sensitive. Cell towers are also an important part of the national telecommunications infrastructure and information on cell tower locations may also have national security implications. It is therefore essential to also consider how the requirements of these other stakeholders relate to data security when working with CDR data.

However, there is a trade-off between the strength of protection and data quality.

In order to protect individual privacy and the interests of other stakeholders, we must reduce the amount of information available to the end-users of the data. For example, greater aggregation of CDR data will decrease the risk of individual subscribers being reidentified but provides a less detailed picture for decision-makers. It is therefore important to understand how suitably minimise the risk to each stakeholder while providing sufficiently detailed information to meet the needs of the end-users.


In this section we explain how to anonymise mobility data to prevent reidentification, describe best practice for securing the data pipeline, and present FlowGeek as an example of how this can be achieved.