In an increasingly data-driven and technologically advanced world, a lot of the focus (at least from lawyers and regulators) is on mitigating the risks associated with the use of such technologies, including from a data protection compliance perspective. On the flip side, however, new technologies not only carry privacy risks but can also be used to safeguard and protect the privacy of personal data, including from the threats posed by breaches, thefts and surveillance.
In June 2023, the ICO published guidance on the use of such privacy-enhancing technologies (PETs) and has recommended that organisations harness their power in order to share personal data 'safely, securely and anonymously'. John Edwards, UK Information Commissioner, has recommended that organisations which process large quantities of data should consider using PETs over the next five years. This is even more relevant if sensitive data such as special category data is being processed.
What are PETs?
As explored by our colleagues in an article in November 2022, in fundamental terms, PETs are technologies that minimise data usage and maximise data security, in order to preserve the privacy of individuals whose data is being processed by an organisation. PETs can be used in conjunction with the data protection by design approach outlined in Article 25(1) of the UK GDPR and therefore serve as a valuable tool for organisations looking to build data protection compliance into the design of their systems.
What types of PETs are the subject of the ICO Guidance?
Various techniques, tools and methodologies come under the umbrella of PETs. Some of the more familiar PETs include tools which enable anonymisation and pseudonymisation of data: techniques which organisations use to protect the identity of individuals whilst retaining the ability to utilise the underlying data.
The ICO guidance divides PETs into the following two categories, depending on what type of privacy they provide:
- 'Input privacy' – technologies that reduce the access that other parties have to personal information. This is linked with the UK GDPR principles of security, purpose limitation, storage limitation and data minimisation.
- 'Output privacy' – technologies that decrease the risk of third parties obtaining or even inferring personal information from the result of processing, e.g. technologies enabling the publishing of anonymous statistics to the public. This is linked with the storage limitation and data minimisation principles of the UK GDPR.
The ICO also breaks down PETs into the following types that can be used to achieve data protection compliance:
- PETs that derive or generate information that reduces or removes people’s identifiability;
- PETs that focus on hiding, or shielding, data; and
- PETs that split datasets.
The guidance focuses in detail on the following types of PETs that organisations could consider to aid their compliance with data protection legislation:
- Differential privacy
- Synthetic data
- Homomorphic encryption (HE)
- Zero-knowledge proofs
- Trusted execution environments
- Secure multiparty computation (SMPC)
- Private set intersection
- Federated learning
A detailed explanation of these PETs is set out in the ICO's guidance, "Privacy-enhancing technologies (PETs)".
The benefits of the ICO Guidance
This recently published guidance from the ICO is a very useful reference tool for organisations considering when and how to use PETs, and it emphasises the importance of using them as the need to safeguard personal data continues to try to keep up with increasingly sophisticated technologies.
It can be used to help decide whether using PETs is suitable for an organisation and which PETs are most relevant to the processing it undertakes. The guidance also highlights factors to consider when determining the suitability and maturity of PETs, and provides a table covering industry standards and weaknesses of the different types available.