In September 2022, the UK Information Commissioner’s Office (ICO) issued new guidance on privacy-enhancing technologies (PETs). The ICO then presented on the topic to the 2022 roundtable of G7 data protection and privacy authorities.
The potential benefits were not lost on the G7 group, which responded warmly to the ICO’s presentation, recognising the “significant benefits to innovators, governments and the wider public” that PETs offer. The group has committed to promoting the “responsible and innovative” use of these technologies.
This sounds extremely positive and immediately raises questions for any organisation looking to shore up its data privacy compliance: what are PETs and how can they be implemented?
What are PETs?
‘PET’ is something of a catch-all term covering a range of hardware and software techniques. Examples include:
- Trusted research environments, which give approved users access to data inside a highly secure, remotely accessible environment, so that the data never has to leave that controlled location.
- Federated learning, a decentralised form of machine learning in which a model is trained across many devices or servers that each hold their own local data; only model updates are shared, never the underlying data.
- Differential privacy, which adds carefully calibrated statistical noise to query results so that aggregate information about a dataset can be published without revealing whether any particular individual is in it.
- Zero-knowledge proofs, which let one party prove to another that a statement is true without revealing the underlying data.
- Secure multiparty computation, where cryptographic methods let several parties jointly compute a function over their combined inputs while each party’s input stays private from the others.
- Homomorphic encryption, which allows computation to be performed directly on encrypted data, so that whoever performs the computation never sees the plaintext.
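The differential privacy entry above is the easiest of these to make concrete. The Python below is an added worked example written for this page; it is not code from the ICO guidance or from any product the guidance mentions. It uses a constructed five-record dataset with an invented sensitive flag (`diabetic`), shows how two exact counts on datasets that differ by one person leak that person’s value, applies the Laplace mechanism so that the leak is bounded by a privacy parameter ε, and then goes one step beyond the list item to show why a privacy budget matters: repeated noisy answers to the same query average the noise away, which is precisely the kind of implementation mistake that undermines a PET.

```python
"""Differential privacy on a counting query: the Laplace mechanism, the
neighbouring-dataset guarantee it gives, and why a privacy budget is needed.

Added illustration for this article, not code from the ICO guidance.
The dataset, field names and ids below are constructed for the example.
"""
import math
import random

# Constructed toy dataset: one record per patient, with a sensitive flag.
RECORDS = [
    {"id": 1, "diabetic": True},
    {"id": 2, "diabetic": False},
    {"id": 3, "diabetic": True},
    {"id": 4, "diabetic": False},
    {"id": 5, "diabetic": True},
]


def count_diabetic(records):
    """Exact counting query. Its sensitivity is 1: adding or removing one
    record changes the answer by at most 1."""
    return sum(1 for r in records if r["diabetic"])


def differencing_attack(records, target_id):
    """Two exact answers on neighbouring datasets (with and without the
    target) reveal the target's flag. Returns the inferred flag value."""
    without = [r for r in records if r["id"] != target_id]
    return count_diabetic(records) - count_diabetic(without) == 1


def laplace_sample(rng, scale):
    """Draw Laplace(0, scale) noise by inverse CDF from a uniform sample."""
    u = rng.random()
    while u == 0.0:  # avoid log(0) at the boundary
        u = rng.random()
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))


def laplace_log_ratio(output, true_a, true_b, epsilon, sensitivity=1.0):
    """log( Pr[M(D_a) = output] / Pr[M(D_b) = output] ) for the Laplace
    mechanism with scale = sensitivity / epsilon. For neighbouring datasets
    (|true_a - true_b| <= sensitivity) this is bounded by epsilon in absolute
    value: that bound is the differential privacy guarantee, and it holds for
    every possible output, not just on average."""
    scale = sensitivity / epsilon
    return (abs(output - true_b) - abs(output - true_a)) / scale


class PrivacyBudget:
    """Answers counting queries with Laplace noise and tracks cumulative
    epsilon under basic sequential composition, refusing queries once the
    budget is spent."""

    def __init__(self, total_epsilon, seed=None):
        self.remaining = total_epsilon
        self.rng = random.Random(seed)

    def noisy_count(self, records, epsilon, sensitivity=1.0):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.remaining -= epsilon
        return count_diabetic(records) + laplace_sample(self.rng, sensitivity / epsilon)


def average_repeated_queries(records, epsilon, n, seed=0):
    """What goes wrong without a budget: n independent noisy answers at the
    same epsilon average the noise away and converge on the exact count,
    while the total privacy loss grows to n * epsilon. Returns (mean, loss)."""
    rng = random.Random(seed)
    scale = 1.0 / epsilon
    answers = [count_diabetic(records) + laplace_sample(rng, scale) for _ in range(n)]
    return sum(answers) / n, n * epsilon


if __name__ == "__main__":
    print("exact count:", count_diabetic(RECORDS))
    print("patient 1 inferred diabetic via differencing:", differencing_attack(RECORDS, 1))
    budget = PrivacyBudget(total_epsilon=1.0, seed=42)
    print("noisy count (eps=0.5):", round(budget.noisy_count(RECORDS, 0.5), 2))
    print("remaining budget:", budget.remaining)
    mean, loss = average_repeated_queries(RECORDS, 0.5, 20000)
    print("mean of 20000 unbudgeted answers:", round(mean, 3), "total epsilon:", loss)
```

The point to take from the last function is that the noise, not the mechanism, is what protects the individual, and noise can be averaged out: a deployment that lets analysts re-run the same query freely has a PET in name only, which is why the budget accounting belongs in the implementation and not in a policy document.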
This collection of technologies can help organisations meet the GDPR principle of data protection by design and by default, including by minimising the amount of personal data used and by encrypting, pseudonymising or anonymising it.
PETs are well suited to sharing personal data responsibly, lawfully and securely, especially where large volumes of confidential data cannot easily be shared by conventional means. Adoption is still at an early stage, but the potential is significant.
They are also relevant to any business that needs to share data with processors or third parties, for example for analytics, and to situations where a wide range of individuals need access to all or part of a dataset.
Are PETs useful?
What the various approaches under the PET umbrella have in common is that they address the serious privacy problems that come with sharing personal data, or with letting multiple users or devices access data held in a central location. Each uses a different method, but all of them safeguard personal data (and help demonstrate compliance with data privacy and protection regulations) in one of three ways: a) reducing the identifiability of individuals; b) hiding or shielding personal data; or c) splitting or controlling access to personal data.
In short, PETs can reduce the risk to individuals while still allowing analysis of personal data, without a controller necessarily sharing it or a processor having access to it. Being able to share, link and analyse personal data in this way means businesses can still draw insights from datasets while meeting their obligations: complying with the GDPR’s data minimisation requirement, improving security, applying pseudonymisation or anonymisation and, above all, reducing the impact of a breach.
While not yet widely used, PETs have found practical applications in the financial services sector, for example in investigating money laundering cases. The same is true of healthcare, where they can give data subjects access to better services without sacrificing any privacy rights. A live example is the NHS, which is building a system for linking patient data across different organisational domains.
Limitations of PETs
With all that said, PETs may look like the ultimate data privacy no-brainer, able to protect organisations and let them share data effectively ‘risk-free’. There are good reasons, however, why the ICO stresses that PETs are not a “silver bullet”.
The ICO warns in its guidance of three main risks for organisations wishing to implement PETs:
- Lack of maturity – some PETs might not be sufficiently mature in terms of their scalability, availability of standards and robustness to attack.
- Requirement of expertise – the complexity of some of these solutions requires specialist knowledge and expertise to implement correctly and securely.
- Mistakes in implementation – ineffective organisational methods and controls can undermine the effectiveness of any PET.
The ICO, while not wishing to dampen enthusiasm for these emerging technologies and their ability to meet data privacy and protection needs, has urged caution, stressing that risk assessments and careful consideration of an organisation’s own data privacy requirements must come first.
Simply put, businesses should never put blind faith in a technology solution if they lack the skills to implement and maintain it or the governance structures to support it; a supposed shortcut then becomes a liability. With the right infrastructure and support, however, PETs have the potential to transform an organisation’s privacy management and simplify compliant data sharing.
If you would like any further information or advice on how to make sure your organisation is managing its data and meeting data privacy requirements, contact us and speak to one of our team today.