ICO publishes draft guidance on privacy enhancing technologies

On 7 September 2022, the Information Commissioner’s Office (the ICO) published draft guidance on privacy enhancing technologies (PETs) which, in the ICO’s words, has been designed “to help organisations unlock the potential of data by putting a data protection by design approach into practice”. You can find the ICO’s update on its new draft guidance here.

1. What is a “PET”?

PETs are not defined in law. However:

• The ICO describes PETs as:

  “technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public.”

• The European Union Agency for Cybersecurity (ENISA) describes PETs as:

  “software and hardware solutions, ie systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.”

2. What are the data protection benefits of using a “PET”?

PETs can be used by organisations to:

• demonstrate a “data protection by design and default” approach to personal data processing;
• help demonstrate compliance with data minimisation principle;
• ensure an appropriate level of security for personal data processing, including by implementing robust anonymisation and pseudonymisation solutions and minimising risks associated with potential personal data breaches, by rendering the personal data incomprehensible to an unauthorised accessor. As such, PETs can help to reduce the risks to individuals. The draft guidance forms part of the ICO’s draft guidance on anonymisation and pseudonymisation – not all PETs achieve anonymisation, but some can be used as a very helpful anonymisation technique, depending on the circumstances; and
• in some cases where the PET has been appropriately configured, gain access to and insights from personal datasets which would otherwise be deemed too sensitive to share.

3. What are the risks associated with using PETs?

The ICO warns that PETs should not be seen as a “silver bullet” for data protection compliance, and that steps must still be taken to ensure that personal data is processed lawfully.

The ICO also provides caution around risks that are associated with using PETs, such as:

• “Lack of maturity” – some PETs may, for example, not be advanced enough to scale-up;
• “Lack of expertise” – lack a expertise in using the PETs may mean that they are not used properly;
• “Mistakes in implementation” – the PET may not be implemented or used properly in practice; and

4. What does the PET guidance cover?

The draft PETs guidance, a 39-page document, has been split into two key sections:

Section 1, “How can PETs help with data protection compliance”, seeks to explain to organisations the benefits of PETs and how PETs can be used to help ensure their compliance with data protection laws. This section includes information on:

• What are PETs and how do they relate to data protection laws?
• What are the benefits and risks of using PETs?
• Deciding whether or not to use a PET, a summary of which is as follows:
  • The ICO suggests that, generally speaking, PETs will be particularly suitable for large-scale collection and analysis of personal data, such as personal data processing which relates to AI or IoTs apps; and
  • The ICO also recommends completing a DPIA to help determine whether the use of PETs would be appropriate to the circumstances.

Section 2, “What PETs are there?”, sets out the different types of PETs which are available, including:

• Homomorphic encryption, which provides enhanced security and confidentiality by enabling computations on encrypted data without first decrypting it;
• Secure multiparty computation (SMPC), which enables different parties to apply processing operations to a shared dataset without each party needing to share all of its personal data with the other party, thereby supporting data minimisation and security;
• Federated learning, which supports the data minimisation principle by training machines to use learn models in settings which minimise the personal data being shared with each party;
• Trusted execution environments, which allow for the processing of personal data on a secure part of an isolated computer processor which is separate to the main operating system and other apps, thereby providing enhanced security;
• Zero-knowledge proofs, which allow individuals to verify private information in relation to themselves without the need to reveal what that information actually is, thereby supporting the data minimisation principle;
• Differential privacy, which “generates anonymous statistics by adding noise to individual records”; and
• Synthetic data, which can be used in environments where the access to large real-life datasets is not possible and instead provides for “realistic” datasets which can instead be used.

Next steps

Organisations should review the draft ICO guidance and consider, in light of the particular circumstances of the relevant personal data processing, whether PETs may be appropriate to help achieve compliance with the data protection principles, in particular the principles of data minimisation, purpose limitation and security.
At the same time, the ICO is now seeking feedback on the draft PETs guidance for it to improve and refine the final draft – any feedback on the draft guidance should be provided to the ICO.