The Information Commissioner’s Office (ICO) has published draft guidelines on using privacy-enhancing technologies (PETs), which can enable organisations to share information securely. The data watchdog’s guidance warns that PETs should be used sparingly, and should not be considered a silver bullet when it comes to secure data sharing.
Published today, the draft guidelines outline the different types of PET on the market and how they can be used in a manner which complies with data protection laws and regulations. It has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Germany this week, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.
John Edwards, the UK information commissioner, said: “Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”
What are privacy-enhancing technologies?
PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public.
Examples of PETs include homomorphic encryption, secure multiparty computation, federated learning, trusted execution environments, zero knowledge proofs and others.
Edwards said: “Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains.”
Sharing data securely is increasingly popular for businesses, as well as public sector organisations, which had led to technology vendors such as AWS and Snowflake developing data “clean rooms”, where businesses can pool information without exposing customer details or commercially sensitive data.
What do the PET guidelines from the ICO say?
The ICO guidelines say PETs can help organisations “demonstrate a ‘data protection by design and by default’ approach” to data processing.
They outline different PETs, their benefits and drawbacks, and offer advice on when to deploy them. The guidelines warn that tech leaders “should not regard PETs as a ‘silver bullet’ for data protection compliance,” adding: “Your processing still needs to be lawful, fair and transparent.”
Businesses are advised to perform a case-by-case assessment, such as through a data protection impact assessment, to determine if PETs are helpful for their work.
The guidelines are open for consultation until 22 September, and Edwards hopes to see the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and help developers and providers to build technology that meets the needs of end users.
“It’s not just regulators that need to take action – we need the industry to step up, too,” Edwards added. “We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”
Capital Monitor is hosting the second part of its Webinar series, Making Sense of Net Zero, alongside New Statesman and Tech Monitor on September 21. Find out more information on NSMG.live.
- What do you think of the PET guidelines? Email firstname.lastname@example.org with any comments or tips.