A perspective on data sharing in digital food safety systems

Figures & data

Table 1. List of abbreviations related to modeling and data privacy protection techniques.

Acronym	Explanation
ABM	Agent-based model
CDP	Central differential privacy
DP	Differential privacy
FL	Federated learning
GIS	Geographic information system
LDP	Local differential privacy
ML	Machine learning
QMRA	Quantitative microbial risk assessment
SVM	Support vector machine

Table 2. Data security vs. privacy: definitions, risks, and technical solutions.

Term	Definition	Risks	Technical solutions
Data security	Actions to prevent unauthorized access to data	Cyberattack	Blockchain; Encryption and cryptography
Data privacy	Adherence to regulations about the accessing, sharing, and using the data	Breach of confidential information	Privacy-preserving record linkage; synthetic data; differential privacy; federated learning

Figure 1. A simplified sample system of fresh produce supply chain.

Figure 2. An illustration of (A) central differential privacy (CDP) and (B) local differential privacy (LDP). In CDP, each farm shares its own input data (e.g., soil quality, concentration of indicator microorganisms) to the central server. The data are stored at the central server and the model performance should be indistinguishable if the data from any single farm is modified. In LDP each individual farm does not share the original data, but instead share the privatized data that reveal little information about the farm.

Figure 3. An illustration of the privatized federated Learning framework. Each client maintains its own local data. The clients use the local data to perform local updates which are then sent to the central server in a privatized/encrypted manner. The central server aggregates the local updates from the clients to obtain a new global model which is shared with the clients for the next iteration.

Figure 4. An illustration of various data modification strategies for pathogen data, location data, and land use data collected on multiple farms, depending on the data categories and privacy sensitivity. In this example, the presence of pathogen is flipped with a certain probability to grant the data provider plausible deniability. The GPS locational data can be privatized by adding with a random noise (using local or central differential privacy approaches). The land use data is public, and thus needs no privatization.

Table 3. Examples of food safety data available for various compartments of a simplified food system, including possible data uses and privacy concerns.

Data categoriesa	Data usagea	Importance for data sharing	Level of privacy concerns	Potential solutions to privacy concernsa
1. Farm level
Pathogen detection in produce growing field and irrigation water	GIS models to predict times and locations where field or water may have an increased risk of pathogen presence Targeted control strategies (e.g., water treatment to reduce the probability of water contamination) can be implemented to mitigate the predicted risk	High; data shared across farms enhance predictive accuracy and generalizability	High; information on enhanced pathogen presence risk for a location may reduce land value	FL with DP
Indicators for hygienic conditions and contamination risk (detection of microbes or chemicals that indicate conditions that may increase risk of pathogen presence, e.g., coliform detection) in field and water	GIS models Targeted controlled strategies can be implemented (similar to 1.1.) to mitigate the predicted risk	Medium; data shared across farms may allow for models with improved predictive accuracy and generalizability	Medium; information not as sensitive as 1.1	CDP
1.3. GIS soil data	GIS model to predict times and locations where soil may have an increased risk of pathogen presence If soil is predicted to have a high risk of pathogen contamination, the field could be preventively used to grow crops that are cooked before consumption	High; sharing of GIS data is needed to develop generalizable GIS models with high predictive accuracy	Low; diverse soil data are typically publicly available through national data repositories (e.g., USGS) and easily acquired; high if GIS data are linked to sensitive data (e.g., 1.1)	CDP with augmentation from public datasets
Structured and unstructured data on food safety risk factors (e.g., video surveillance for wildlife intrusion into fields	GIS models that predict times and locations where field or water may have an increased risk of pathogen presence Identifies fields that should not be harvested	Medium; data shared across farms provide additional predictors that can enhance predictive accuracy	Medium; information not as sensitive as 1.1	Label DP
2. Processor level
2.1. Pathogen detection in facility environment	ABM that predicts the presence of foodborne pathogen at various locations in a facility	High; data shared across different facilities can lead to deeper understanding on pathogen transmission across different agents	High; enhanced risk at the facility may be considered to indicate unhygienic conditions or increased food safety risks. Data hence may compromise a firm’s reputation	FL combined with CDP
2.2. Pathogen detection in finished product	QMRA: Verify the contamination level of pathogen predicted by the model ML models: Identify risk factors that increase the likelihood of pathogen contamination of finished product	Medium; data shared across different facilities can form a larger validation dataset	High; finished product with pathogen contamination may be subject to recall	FL and CDP with augmentation from shared data across different facilities.
2.3. Indicator microorganisms for hygienic conditions in a facility	ABM: Predict areas with enhanced risk ML models: Rank the relative importance of indicators	Medium; While data can be too specific to the facility, sharing of this data category can help identify reliable indicators for enhanced risk	Medium; less sensitive than 2.1 and 2.2	CDP
2.4. Structured and unstructured data on food safety risk factors (e.g., video coverage of employee movements, data on maintenance frequency etc.	ABM: Predict the association between various risk factors and enhanced risk of contamination in the facility	Medium; While data can be too specific to the facility, sharing of this data category can reveal common patterns that lead to increased risk	Medium; less sensitive than 2.1 and 2.2	CDP
3. Retail level
3.1. Indicators for pathogen contamination risk in retail environment (e.g., ATP)	ABM: Predict areas with enhanced risk ML: Identify risk factors that increase the likelihood of pathogen contamination in retail environment	Medium; While data can be too specific to the retail store, sharing of this data category can help identify reliable indicators for pathogen contamination	Medium; less sensitive than 3.1 and 3.2 but could be considered as indictor of the hygienic status of a retail environment	CDP
3.2. Structured and unstructured data on food safety risk factors (e.g., temperature data, data on sanitation frequency etc.	ABM: Predict the association between various risk factors and enhanced risk of contamination in the retail environment	Medium; While data can be too specific to the retail store, sharing of this data category can reveal common patterns that lead to increased risk	Medium; less sensitive than 3.1 and 3.2	CDP
4. System level
4.1 Production and processing volume and supplier-distributor relationships and distribution network	QMRA: Develop a system-level model to manage risks across the entire supply chain Likelihood ratio approach: Facilitate outbreak investigations by matching food distribution data with outbreak data	High; sharing of this data category can facilitate systematic risk analysis at various stages of supply chain	High; may be confidential to company	FL with CDP

a See Table 1 for a list of abbreviations.