Differential privacy
A mathematical privacy guarantee: published statistics barely change whether or not you are in the dataset — provably.
In one line
Differential privacy (DP) adds carefully calibrated noise to query results or model training so that no output meaningfully depends on any single individual's record — with a tunable, provable bound (epsilon) on how much one person can matter.
How it works
The guarantee: results are nearly indistinguishable whether your record is included or removed. Mechanisms add noise scaled to a query's sensitivity; a privacy budget (epsilon) accumulates across queries — ask too much, and the budget is spent. Lower epsilon = stronger privacy, noisier answers; choosing it is policy, not just math. DP-SGD applies the same idea to model training; secure aggregation pairs it with federated learning.
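The noise-versus-budget trade-off above, as an added example that is not part of the original page: a Laplace mechanism for counting queries with a tracker that refuses to answer once epsilon is spent. PrivateCounter, BudgetExhausted, mean_abs_error and the COHORT data are constructed for illustration, and the budget uses basic sequential composition (epsilons simply add up).

```python
import random

# Constructed sample: a small rural cohort (1 = has the condition, 0 = does not).
COHORT = [1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1]


class BudgetExhausted(Exception):
    """Raised when a query would spend more epsilon than remains."""


def laplace_noise(scale, rng):
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


class PrivateCounter:
    """Counting queries under one total epsilon (basic sequential composition)."""

    def __init__(self, records, total_epsilon, rng=None):
        self.records = list(records)
        self.remaining = total_epsilon
        # Assumption: random.Random is fine for a demo; a real release needs a
        # cryptographic RNG and a sampler hardened against floating-point leaks.
        self.rng = rng if rng is not None else random.Random()

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise BudgetExhausted("requested %.3f, remaining %.3f" % (epsilon, self.remaining))
        self.remaining -= epsilon  # charge the budget before answering
        true_count = sum(1 for r in self.records if predicate(r))
        sensitivity = 1.0  # one person joining or leaving moves a count by at most 1
        return true_count + laplace_noise(sensitivity / epsilon, self.rng)


def mean_abs_error(epsilon, trials=2000, seed=7):
    """Average |noisy - true| for one count at a given epsilon (fresh budget per trial)."""
    rng = random.Random(seed)
    true_count = sum(COHORT)
    total = 0.0
    for _ in range(trials):
        counter = PrivateCounter(COHORT, total_epsilon=epsilon, rng=rng)
        total += abs(counter.count(lambda r: r == 1, epsilon) - true_count)
    return total / trials


if __name__ == "__main__":
    print("eps=1.0 error:", round(mean_abs_error(1.0), 2))
    print("eps=0.1 error:", round(mean_abs_error(0.1), 2))
```

On a cohort of 12, the expected error at epsilon 0.1 is about 10, close to the size of the cohort itself, which is why the choice of epsilon for small populations is a policy decision as much as a mathematical one.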
Where it shows up in digital health
Publishing health statistics without re-identification risk (small rural cohorts make naive "anonymisation" famously breakable); releasing research datasets; privacy-bounded analytics on national health programmes. The sober truth DP formalises: aggregation alone is not anonymity — and a provable bound beats a promise.