Per-record Differential Privacy (PrDP)

Updated 1 December 2025

Per-record Differential Privacy is a privacy framework that defines individualized privacy loss guarantees, allowing each record to have a tailored privacy budget.
It employs adaptive noise calibration and domain partitioning techniques to optimize the balance between privacy and utility in heterogeneous datasets.
The framework maintains standard differential privacy properties such as composition and post-processing while enabling robust auditing and practical deployment in real-world applications.

Per-record Differential Privacy (PrDP) is a refinement of classical differential privacy (DP) in which the privacy guarantee is defined at the level of individual records, allowing the privacy budget to vary across records or according to local context. This framework generalizes worst-case DP to enable fine-grained privacy analysis, improved utility in heterogeneous or skewed datasets, adaptive mechanism design, and robust audits for real-world deployments (Wang, 2017, Chen et al., 24 Nov 2025, Seeman et al., 2023, Pradhan et al., 26 Nov 2025).

1. Formal Definitions and Core Properties

Per-record differential privacy formalizes privacy loss for each individual record—either as a function of the data and mechanism (per-instance DP, pDP), a data-independent public policy (functional PrDP), or in terms of underlying adjacency relations. The core definitions are:

Per-instance $(\epsilon,\delta)$ -DP (pDP): For a fixed dataset $Z$ and a particular record $z$ , a randomized mechanism $M$ satisfies $(\epsilon,\delta)$ -pDP at $(Z,z)$ if for every measurable set $S$ ,

$\Pr[M(Z) \in S] \leq e^{\epsilon} \Pr[M(Z \oplus \{z\}) \in S] + \delta,$

and vice versa. The privacy loss random variable is $L(Z,z;\theta) = \log(p_{M(Z)}(\theta)/p_{M(Z\oplus z)}(\theta))$ , with $(\epsilon,\delta)$ -pDP meaning $\Pr[|L(Z,z;\theta)| > \epsilon] \leq \delta$ (Wang, 2017).

Functional PrDP: For a privacy budget function $\mathcal{E}(r)$ and two neighboring datasets $D \sim_r D'$ (differing by $r$ ), mechanism $\mathcal{M}$ is $\mathcal{E}$ -PrDP if for any output $y$ ,

$\Pr[\mathcal{M}(D) = y] \leq \exp(\mathcal{E}(r)) \Pr[\mathcal{M}(D') = y].$

Standard DP is recovered by setting $\mathcal{E}(r) \equiv \epsilon$ (Chen et al., 24 Nov 2025).

Adjacency-Driven PrDP: Using substitute adjacency (swap of any record), rather than the standard add/remove, PrDP protects all attributes of a record, not just its membership (Pradhan et al., 26 Nov 2025).

PrDP (and pDP) retain the essential properties of DP, applied record-wise:

Composition: Sequential composition sums per-record budgets.
Advanced composition: $k$ adaptive $(\epsilon, \delta)$ -pDP mechanisms yield $O(\sqrt{k \log(1/\delta)} \epsilon, k\delta)$ -pDP.
Post-processing: Any post-processing preserves per-record guarantees.
Group privacy: Replacing $k$ specific records yields additive budget over those records.

These properties enable modular analysis and practical mechanism design in scenarios with heterogeneous privacy risks (Wang, 2017, Seeman et al., 2023).

2. Mechanism Design and Frameworks

PrDP admits several methodological advances over uniform DP, particularly with respect to adaptive noise calibration and domain partitioning:

Noise Variance Optimization (NVO) Game: Laplace noise scales are individualized per record in a sequential game. At equilibrium, all pDP constraints are satisfied. The minimum allowed scale $b_{\min}$ is explicitly characterized as $b_{\min} \geq 1/\ln (1 + (n-1)(e^{\epsilon}-1))$ , and best-response dynamics or genetic algorithms efficiently compute Nash equilibria with theoretical pDP guarantees. Empirically, NVO dramatically improves utility compared to worst-case DP (Ryu et al., 24 Apr 2024).
Privacy-Specified Domain Partitioning: To ensure utility depends on the actual lowest privacy budget among records (not the global minimum over the universe), PrDP-counting mechanisms privately partition the privacy-budget range into dyadic intervals, apply parallel composition, and select the minimal live interval via noisy thresholding. This achieves error scales $O(1/\epsilon_{\min(D)})$ without leaking the active privacy budget (Chen et al., 24 Nov 2025).
Per-record Zero-Concentrated DP (PzCDP): The zCDP formalism is generalized by parameterizing the Rényi divergence bound by a public function $P(r)$ , yielding mechanisms where per-record privacy loss is a function of the record value. The unit-splitting construction is particularly suitable for heavy-tailed or skewed datasets: records exceeding a threshold $T$ are split, and group-composed privacy loss grows as $P(r) = \rho m(r)^2$ , dramatically improving utility for the majority of records (Seeman et al., 2023).
Slowly-Scaling Mechanisms: Mechanisms are constructed so that per-record privacy loss grows only logarithmically in record influence. This is achieved via (i) transformation-based mechanisms adding Gaussian noise in a concave transformation space (e.g., log or $k$ -root) or (ii) additive fat-tailed mechanisms (generalized Gaussian or exponential-polylog). These reduce maximal per-record privacy loss vs. traditional quadratic scaling, critical for aggregate statistics dominated by a small number of large contributors (Finley et al., 26 Sep 2024).

3. Theoretical Guarantees and Utility Analysis

PrDP mechanisms yield tight privacy-utility trade-offs that adapt to the heterogeneity of the data:

Error Bounds: For counting and sum queries, PrDP mechanisms achieve error $O(1/\epsilon_{\min(D)})$ or $O(\operatorname{Max}(D)/\epsilon_{\min(D)})$ , substantially better than uniform-DP, where error is driven by a fixed worst-case $\epsilon_{\min}$ or global sensitivity (Chen et al., 24 Nov 2025, Seeman et al., 2023).
Generalization: pDP implies generalization guarantees: if the expected moment generating function of per-instance loss $\phi(Z)$ is near $1$ (and $\delta$ is small), the generalization gap between empirical and true risk is tightly controlled (Wang, 2017).
Per-instance Sensitivity and Risk: In smooth ERM, per-instance sensitivity (in an appropriate metric) predicts per-record privacy risk, and in linear regression it decomposes as the product of the out-of-sample leverage score and the leave-one-out prediction error. Explicit formulas for per-instance privacy loss enable targeted analysis (Wang, 2017).
Federated & Local Models: In federated learning, PrDP enables record-level privacy budgets via precise mapping between each record's sampling probability and its privacy guarantee, solved by simulation and curve fitting to efficiently handle highly non-linear privacy-accounting equations. The local model also admits PrDP protocols with similar error scaling (Liu et al., 29 Jan 2024, Chen et al., 24 Nov 2025).

4. Application Domains and Practical Guidance

PrDP, and its variants, directly address several applied challenges:

Skewed and Heavy-Tailed Data: By calibrating per-record privacy guarantees, PrDP enables accurate aggregate release without sacrificing all utility to outlier-driven sensitivity. In economic, census, or transactional data, PzCDP and slowly-scaling mechanisms maintain unbiased sums with bounded error even for rare, large contributions (Seeman et al., 2023, Finley et al., 26 Sep 2024).
Fine-grained Auditing: Substitute adjacency (PrDP under record swap) provides the correct formalism when attribute privacy is required (e.g., labels in supervised learning). Empirical audits with crafted canaries demonstrate that add/remove DP underestimates attribute inference risks, and practical guidance mandates using substitute-adjacency accountants and extensive empirical lower-bound audits (Pradhan et al., 26 Nov 2025).
Publishing Personalized Privacy Loss: For objective-perturbed ERM, per-instance privacy loss fields can be privately released, allowing users to assess their personalized risk. Both tight data-dependent and “free” data-independent upper bounds are available at no or minimal publish-time privacy cost (Redberg et al., 2021).
Cross-silo Federated Learning: Adopting per-record privacy budgets enables significant utility gains over minimum-budget uniform DP and tailored dropout baselines, with analysis demonstrating trade-off curves near those of privacy-free algorithms (Liu et al., 29 Jan 2024).

5. Limitations, Challenges, and Comparisons

Budget Privacy Leakage: Naively using the minimum privacy budget among present records can itself leak sensitive information; methods such as privacy-specified domain partitioning and randomized reporting ensure that the effective privacy level remains hidden up to a factor $2$ (Chen et al., 24 Nov 2025).
Comparisons to Personalized DP (PDP): PrDP is strictly more protective than relaxed approaches such as Personalized DP, where privacy may only hold for likely records but not worst-case swaps, and experimental results on fundamental tasks show that PrDP achieves 2–165× lower relative error with robust privacy (Chen et al., 24 Nov 2025).
Parameter Selection: Slowly-scaling mechanisms require choosing transformation or noise tail parameters to precisely manage the trade-off between protection of highly influential records and overall utility. Log transforms or exponential-polylog tails are recommended for bounded-neighbor settings or where adversaries may have significant knowledge of record values (Finley et al., 26 Sep 2024).
Modularity: All standard DP properties (post-processing, (adaptive) composition, group privacy) extend to PrDP straightforwardly, with composition being record-wise and fine-grained privacy tracking possible at the mechanism level (Wang, 2017, Seeman et al., 2023).

6. Empirical Evaluation and Benchmarks

Extensive experiments across mechanisms and tasks demonstrate:

Mechanism/Domain	Dataset	Error vs. Uniform DP	Record-level Risk Distribution
Unit-splitting PzCDP (Seeman et al., 2023)	Pareto, USDA, CBP	$\sim$ 10× lower	$>99\%$ records pay baseline loss
Slowly-scaling (exp-polylog) (Finley et al., 26 Sep 2024)	CBP, Cattle Inventory	Lower max loss, lower ARE	Maximal P(r) steep CDF, best for large records
PrDP-Framework (Chen et al., 24 Nov 2025)	Real finance	2–165× lower RE	Robust to increasing domain size $U$
NVO pDP (Ryu et al., 24 Apr 2024)	NBA, Credit-Profile	Up to 99.5% lower KL	All records meet pDP, utility near non-noisy
rPDP-FL (Liu et al., 29 Jan 2024)	FedHeartDis, MNIST	5–15% higher acc.	DP-privacy per individual record

These results confirm that PrDP mechanisms are both practically efficient and effective for utility-preserving privacy-preserving data analysis compared to uniform DP or relaxed PDP methods.

7. Future Directions and Open Problems

Current research identifies several challenges and frontiers for PrDP:

Robust Local Analysis: Designing mechanisms that maintain strong PrDP guarantees without leaking the “privacy profile” itself, while matching error rates to the instance minimum.
Auditing and Accounting: Systematic frameworks for substitute vs. add/remove adjacency and public release of risk, with efficient canary-based experiments for privacy “sanity checks” (Pradhan et al., 26 Nov 2025).
Composable Per-record Budgets: Extending PrDP to deep composition chains, group settings, or hierarchical domains, maintaining tight accounting and efficient computation (Wang, 2017, Seeman et al., 2023).
Practical Deployment: Parameter auto-tuning, software implementations with floating-point robustness, and integration with privacy policy enforcement engines (Finley et al., 26 Sep 2024).
Federated and Adaptive Learning: Further investigation into heterogeneity-aware privacy in decentralized, federated, and continual learning systems (Liu et al., 29 Jan 2024).

These directions are critical to realizing the promise of per-record, locally adaptive privacy guarantees in large-scale data analysis and machine learning.