Privacy enhancing technologies (PETs) can help organisations unlock the potential of data by putting a “data protection by design approach” into practice.
That’s the opinion of the UK’s Information Commissioner’s Office (ICO) expressed in draft guidance published this month.
PETs can also help IT and data managers comply with the data minimisation principle by ensuring that organisations only process the data they need for their purposes, and provide appropriate levels of security.
Organisations can also use them to enable access to datasets that would otherwise be too sensitive to share, while ensuring that individuals’ data is protected.
However, decision-makers should avoid regarding this class of technologies as a silver bullet for data protection compliance, the ICO warns.
The guidance comes at an interesting time for the ICO. The new Commissioner, John Edwards, appointed at the beginning of this year, was given a clear remit by government to be an enabler of growth by seeking new opportunities to commercialise data.
This was a shift in emphasis from the previous Commissioner’s focus, via GDPR and the Data Protection Act 2018, on protecting the citizen.
However, the government has long been suspicious of PETs and any technology that allows people to communicate more privately or hide their identity.
Edwards’ announcement, therefore, can be seen as a welcome dose of realpolitik: you can’t have one without the other.
The UK can’t simply strip away data protections in a bonfire of European regulations and commercialise citizens’ data at the same time; it’s not that simple, and it isn’t sensible or advisable.
Such a policy of ‘commercialise and be damned’ would also put at risk the UK’s fragile data adequacy agreement with the EU, where much UK data is hosted, processed, stored, or transferred at least some of the time – a factor not mentioned in the guidance note.
Organisations still need to offer data subjects a measure of protection or anonymity – perhaps more than before if regulations such as GDPR are scrapped post-Brexit.
The ICO defines PETs as “software and hardware solutions, ie systems encompassing technical processes, methods or knowledge, to achieve specific privacy or data protection functionality, or to protect against risks of privacy of an individual or a group of natural persons.”
They relate to data protection law by supporting compliance with the data minimisation principle, providing greater security, and implementing robust anonymisation or pseudonymisation options, thus minimising the risk of personal data breaches.
This helps reduce the risk to individuals, while enabling “further analysis of personal data without a controller necessarily sharing it, or a processor having access to it”, explains the ICO.
“The ability to share, link, and analyse personal data in this way can provide valuable insights while ensuring you comply with the data protection principles.”
That said, PETs are no cure-all, notes the guidance document: organisations’ processing of data must still be lawful, fair, and transparent.
“Before considering PETs, you should assess the impact of the decision-making process, purpose specification (ie specifying a legitimate purpose for processing), and how you can comply with accuracy and accountability requirements.”
Some PETs may not be sufficiently mature in terms of their scalability, availability of standards, and their robustness to attacks, it adds.
They may also demand skilled employees, concludes the ICO.