Ask HN: How to match people without storing what they have in common?

  • Well, the best way to protect that information would be to not store it at all.

    Whenever they select a candidate to vote for, you would place them into match groups bucketed by score (based on their first/second/third choice), maximum group size, and some other criteria like signup date.

    You end up with buckets of IDs that are known to match to some degree, and you would know enough to be able to say, "you matched with Bill because he wants to vote for your third choice candidate" without needing any idea about who that might be.

    By limiting the sizes of the buckets, you limit the impact of learning any particular bucket member's affiliations should a malicious actor get their hands on the data.

    There are plenty of other precautions to take: storing the bucket data encrypted at rest, securing backups, and separating bucket data from any PII.
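
A sketch of the bucketing scheme the comment above describes, added here as an example (not the commenter's code): the user IDs, candidate labels, signup order and the group cap of 3 are all constructed assumptions, and the bucket tokens are random so nothing at rest points back to a candidate.

```python
import secrets
from collections import defaultdict

MAX_GROUP_SIZE = 3  # assumed cap: smaller groups mean less exposure per member

# Constructed sample ballots: user_id -> (signup_order, [first, second, third choice])
SAMPLE_BALLOTS = {
    "alice": (1, ["cand_A", "cand_B", "cand_C"]),
    "bill":  (2, ["cand_C", "cand_D", "cand_A"]),
    "carol": (3, ["cand_B", "cand_C", "cand_D"]),
    "dave":  (4, ["cand_A", "cand_C", "cand_B"]),
}

def build_match_buckets(ballots, max_group_size=MAX_GROUP_SIZE):
    """Group users who share a candidate into capped buckets keyed by an opaque
    random token; only (user_id, rank) pairs are kept, the candidate label is dropped."""
    by_candidate = defaultdict(list)
    for user_id, (signup_order, choices) in ballots.items():
        for rank, candidate in enumerate(choices, start=1):
            by_candidate[candidate].append((signup_order, user_id, rank))
    buckets = {}
    for members in by_candidate.values():
        members.sort()  # fill buckets in signup order, as the comment suggests
        for start in range(0, len(members), max_group_size):
            chunk = members[start:start + max_group_size]
            token = secrets.token_hex(8)  # opaque bucket id, unrelated to the candidate
            buckets[token] = [(uid, rank) for _, uid, rank in chunk]
    return buckets

def explain_match(buckets, me, other):
    """Return sorted (my_rank, their_rank) pairs for every bucket both users share,
    e.g. (3, 1) means 'they rank your third choice first'; no candidate is needed."""
    reasons = []
    for members in buckets.values():
        ranks = dict(members)
        if me in ranks and other in ranks:
            reasons.append((ranks[me], ranks[other]))
    return sorted(reasons)

def bucket_store_is_candidate_free(buckets, ballots):
    """Check what lands at rest: no candidate label appears anywhere in the
    bucket store, only user IDs and ranks."""
    stored = repr(buckets)
    candidates = {c for _, choices in ballots.values() for c in choices}
    return not any(c in stored for c in candidates)

if __name__ == "__main__":
    store = build_match_buckets(SAMPLE_BALLOTS)
    print(explain_match(store, "alice", "bill"))  # [(1, 3), (3, 1)]
    print(bucket_store_is_candidate_free(store, SAMPLE_BALLOTS))  # True
```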