...

DataSHIELD server-side functions contain disclosure traps, preventing analysis that could return disclosive information and perform real-time disclosure checks during analysis. Disclosure traps are mapped to current best practice for disclosure checking (Welpton, Richard (2019): SDC Handbook. figshare. Book. https://doi.org/10.6084/m9.figshare.9958520.v1) and are configurable by data custodians in Opal to align with their governance needs and the spectrum of data sensitivity. From DataSHIELD v5 onwards there are several disclosure traps that can be deployed in server-side functions, listed below. A summary of disclosure utilised in each function is available at: Disclosure checks . 

...

The maximum number of the unique levels of a categorical variable that are allowed to be returned to the client. If nfilter.levels is set to 0.33 (its default value), and if a categorical variable (i.e. factor) has X distinct categories then if X is greater than the 33% of the variable's length then the categories (i.e. levels) are not returned to the client. This disclosure filter protects against the disclosure of all the unique values in a numerical variable when it is converted to a factor variable. This option has been deprecated.

nfilter.levels.density

Anchor
nfilterlevelsdensity nfilterlevelsdensity

The maximum proportion of unique levels of a categorical variable with respect to the number of that variables that is regarded as non-disclosive. For example, if the resulting contains 1000 levels, and were derived from 4000 rows what would be a proportion of 0.25 (25%) so would be regarded as being non-disclosive. Default value is 0.33.

...