UK data regulator considers privacy enhancing technologies to help ‘unlock lawful data sharing’

UK data regulator - the Information Commissioner’s Office (ICO) - has this week published new guidance on privacy enhancing technologies (PETs), which aim to help organizations share and analyze data in a way that aims to put data protection principles at their core. 

The guidance comes shortly after the ICO appointed a new leader, John Edwards, who previously served as New Zealand’s privacy commissioner, and as the UK considers its overall approach to data protection regulations outside of the European Union. Former Prime Minister Boris Johnson and his government outlined ambitions to navigate away from GDPR and introduce a new ‘pro-growth and trusted data regime’ - but it is currently unclear whether new Prime Minister Liz Truss will continue on this path. 

The aim of PETs is to enable organizations to more easily share and analyze data in a legal way, protecting individuals from that data being abused. The hope is that more data sharing will unlock economic opportunities across the UK. However, they are an immature technology set and don’t come without risks. 

The ICO defines PETs as: 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimizing the amount of data used and by encrypting or anonymizing personal information.

PETs cover a range of technologies, but the European Union Agency for Cybersecurity refers to them as: 

Software and hardware solutions, ie systems, encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.’

The tools are currently already used by financial organizations when investigating money laundering, for instance, and by the healthcare sector to provide better services to the public. The ICO is seeking feedback on the guidance published to help refine and improve it. 

The ICO believes that PETs can help organizations demonstrate a ‘data protection by design and by default’ approach to processing data, which in turn can potentially allow more data sharing and analysis. 

The ICO says that PETs can do this by: 

• complying with the data minimization principle, by ensuring you only process the data you need for your purposes;

• providing an appropriate level of security;

• implementing robust anonymization or pseudonymization solutions; and

• minimizing the risk that arises from personal data breaches, by rendering the personal data unintelligible to anyone not authorised to access it.

John Edwards, UK Information Commissioner, said:  

Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organizational domains. 

Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”

diginomica recently outlined Edwards’ three year strategy, the ICO25 document, which laid out clear targets for which to measure success against and focused on a number of priorities that include: AI-driven discrimination, biometrics, online tracking, CCTV, deprivation and personal safety. 

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs. Each G7 authority will present a specific technology or innovation issue of importance to the growing global economy where closer cooperation is needed.

PETs risks

However, the draft guidance also highlights that PETs come with risks, which need to be fully considered. As history has shown us time and time again, when organizations share and process personal data there are negative consequences that arise. 

The risks highlighted by the ICO include: 

• Lack of maturity - some PETs may not be sufficiently mature in terms of their scalability, availability of standards and their robustness to attacks. 

• Lack of expertise - PETs can require significant expertize to set up and use appropriately. Insufficient expertise can lead to mistakes in implementation, and a poor understanding of how to configure the PET to deliver the appropriate balance of privacy and utility. The ICO warns that if your organization does not have required expertise then you should consider using an off-the-shelf product or service which provides an appropriate level of support. 

• Mistakes in implementation - there may be differences between the implementation of a PET in theory and its practical application. Risks to individuals’ rights and freedoms may arise as a result, the ICO says. Attacks and vulnerabilities should be monitored regularly, to ensure that appropriate mitigation measures can be put in place.

The ICO guidance also adds that a lack of appropriate organizational measures can lower or even completely undermine the effectiveness of a PET. In other words, whilst there is potential, much like any other data use case, there are a whole host of technological and people-led risk factors at play. 

UK ICO Edwards is calling on industry to support the development of PETs and said: 

It’s not just regulators that need to take action – we need the industry to step up, too. We want organizations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.

My take

I think the issue that organizations will have with this guidance is that it all seems very theoretical at the moment. That’s not a bad thing, the ICO is being cautious in its approach. But what will help support the development of PETs is showcasing best practice examples and use cases that have been successful.