ICO issues new guidance on privacy enhancing technologies

Viewpoints
June 21, 2023
5 minutes

On 19 June 2023, the UK Information Commissioner's Office (ICO) launched new guidance in respect of privacy enhancing technologies (PETs) and encouraged organisations to use PETs to share personal information safely, securely and anonymously.  The guidance is intended to assist data protection officers (DPOs) and those who utilise large personal data sets in the context of finance, central and local government, healthcare and research.  

The first part of the guidance concentrates on how PETs can assist in achieving compliance with data protection law and is targeted at DPOs and others with specific data protection responsibilities in more sizeable organisations.  The second part outlines eight different kinds of PETs, explaining their risks and advantages, and is more technical in nature.

What are PETs?

The guidance explains that PETs are technologies that encapsulate fundamental data protection principles by minimising personal information use, maximising information security, or empowering people.  Although data protection law does not define PETs, the European Union Agency for Cybersecurity (ENISA) provides the following helpful definition: "Software and hardware solutions, i.e. systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons."

The ICO notes that PETs can be utilised in the sharing of anonymised personal data to facilitate the detection and prevention of financial crimes and related matters including cybercrime, fraud and money laundering.

PETs are connected with "data protection by design" and are relevant to the technical and organisational measures that organisations implement.  PETs can assist in ensuring robust compliance with applicable data protection principles and the incorporation of appropriate safeguards into personal data processing.

How can PETs assist with data protection compliance?

The guidance confirms that PETs can help organisations to comply with their data protection obligations in a number of ways.  For example, they can help to show an organisation's "data protection by design and by default" approach, assist in complying with the data minimisation principle and provide suitable security for personal data processing.  PETs can also implement rigorous anonymisation or pseudonymisation techniques and facilitate access to data sets which would otherwise be too sensitive to disclose to others, while minimising risks arising from personal data breaches and ensuring that personal data is protected (by rendering such data unintelligible to those not permitted to access it).  

Processing of any personal data in the context of PETs should always be fair, lawful and transparent.  The ICO stresses that risks to data subjects should be considered by carrying out a case-by-case assessment of the processing (such as through a data protection impact assessment (DPIA)) to help decide whether PETs will be useful in minimising such risks.  

The guidance also observes that not all PETs lead to effective anonymisation of personal data and that anonymisation can also be accomplished without PETs.

What are the benefits and risks of PETs?

The benefits of PETs are highlighted, including the fact that they can reduce risks to individuals while allowing further analysis of personal information to gain knowledge and understanding from datasets without impacting upon individuals' privacy.  

It is noted, however, that PETs are not a total solution to data protection compliance for various reasons (such as lack of maturity of the relevant PET, lack of expertise in implementing PETs, mistakes in implementation and insufficient organisational measures).  

Different types of PETs

The guidance observes that there are various kinds of PETs which can be used to assist compliance with data protection by design requirements.  PETs that provide input privacy can greatly curtail the number of persons with access to the personal information being processed, and mean that the party carrying out the processing cannot: 

  • access the personal information you are processing; 
  • generally access intermediate values or statistical results during processing; or 
  • derive inputs by using techniques, such as side-channel attacks (attacks based on extra information that can be gathered from the way a trusted execution environment communicates with other parts of a computer) that use observable changes during processing to obtain the input.

Such PETs can assist with compliance with the purpose limitation, data minimisation, security and storage limitation principles set out in the UK GDPR.

PETs providing output privacy reduce the risk that people can gain access to or infer personal information from the result of a processing activity.  Such PETs can facilitate compliance with data minimisation and storage limitation.  The guidance makes clear that PETs can be combined to ensure that any personal data processing is compliant both in terms of input and output privacy.

The guidance considers in detail a number of different types of PETs including differential privacy, synthetic data, homomorphic encryption, zero-knowledge proofs, trusted execution environments, secure multiparty computation, private set intersection and federated learning.
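Of the PETs listed above, differential privacy is the clearest illustration of the output privacy idea described earlier: the published result of a processing activity is perturbed so that no single person's record can be inferred from it. The following is an added worked example, not code from the ICO guidance or from this article, written in Python. It uses a small constructed set of pseudonymised records (not real data) and the standard Laplace mechanism; the function and variable names are the author's own assumptions for illustration. It first shows why an exact count is a risk (removing one person's record shifts the count by exactly that person's attribute), then shows the mitigation (noise calibrated to the query's sensitivity and a chosen epsilon).

```python
import math
import random

# Constructed sample records (not real data): (pseudonymous id, has_attribute).
# "has_attribute" stands in for any sensitive flag, e.g. a health condition.
RECORDS = [
    ("p01", True), ("p02", False), ("p03", True),
    ("p04", False), ("p05", True), ("p06", False),
]


def exact_count(records):
    """Exact number of records with the attribute set: the unprotected output."""
    return sum(1 for _, flag in records if flag)


def record_influence(records, pseudonym):
    """How much the exact count changes when one person's record is removed.

    For a counting query this is exactly that person's attribute (1 or 0), which
    is the inference risk output privacy is meant to remove: anyone who can
    obtain results over two overlapping data sets learns the individual's value.
    """
    without = [(pid, flag) for pid, flag in records if pid != pseudonym]
    return exact_count(records) - exact_count(without)


def count_sensitivity():
    """Global sensitivity of a counting query: adding or removing any one person
    changes the result by at most 1.  Laplace noise is scaled to this bound."""
    return 1


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from one uniform draw.

    The draw is clamped away from 0 so log() never receives a zero argument.
    """
    u = max(rng.random(), 1e-300) - 0.5          # u in (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, epsilon, rng):
    """epsilon-differentially-private count using the Laplace mechanism.

    Smaller epsilon means more noise and stronger protection; the scale is
    sensitivity / epsilon, so the noise covers any single person's influence.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    scale = count_sensitivity() / epsilon
    return exact_count(records) + laplace_noise(scale, rng)


if __name__ == "__main__":
    rng = random.Random(2023)  # seeded only so the demo is repeatable
    print("exact count:", exact_count(RECORDS))
    print("influence of p01 on the exact count:", record_influence(RECORDS, "p01"))
    for eps in (0.1, 1.0, 10.0):
        print(f"DP count, epsilon={eps}:", round(dp_count(RECORDS, eps, rng), 2))
```

The design point is that the protection comes from calibrating noise to the query's sensitivity rather than to the data: the same mechanism protects whoever happens to be in the records. Choosing epsilon, and tracking how much of it each released result consumes, is the organisational decision the guidance expects a DPIA to document.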

When should use of PETs be considered?

Organisations are advised to consider using PETs during the design stages of projects, particularly if projects are data heavy or necessitate possibly risky uses of personal information.  Relevant organisations must also give thought to how to achieve compliance with applicable data protection principles if a PET is used.  In the context of DPIAs, if risks to people have been identified, then use of PETs should be considered to try to reduce those risks.

Types of processing that can benefit from using PETs

The ICO considers the types of processing that can benefit from using PETs by minimising the dangers to rights and freedoms that certain personal data processing may result in (e.g., PETs can be appropriate technical and organisational measures for processing likely to result in high risks to people, or processing involving large-scale personal data collection and analysis, such as artificial intelligence (AI) applications or cloud computing services).  

The guidance sets out a table of examples of certain personal data processing activities, together with the risks to people that may result from such activities and the type of PETs that may assist with data protection compliance.  Such activities include:

  • processing involving AI, machine learning and deep learning applications;
  • processing involving data matching that involves combining, comparing or matching personal information obtained from multiple sources (e.g. sharing financial transactions to prevent fraud);
  • processing involving internet of things applications (e.g. smart technologies);
  • processing involving data sharing between organisations, especially sharing likely to result in a high risk to people;
  • processing involving cloud computing applications; and
  • processing involving anonymisation of personal information.

The ICO also provides some helpful suggestions to assist organisations in deciding whether or not to use PETs and how to assess the maturity of PETs.  The guidance also includes a number of useful case studies.

Comment

It is clear that the ICO continues to see PETs as an area of interest, with John Edwards, the UK Information Commissioner, confirming that the ICO and its G7 counterparts are focused on encouraging international support for appropriate adoption of PETs.  Mr. Edwards also confirmed that "We are also looking at emerging technologies, such as the rapid development and deployment of generative AI technologies, to ensure organisations across the world are innovating in a way that respects people's information and privacy".  

The new guidance will likely be welcomed by organisations seeking to develop or utilise PETs and should provide greater regulatory clarity around the creation and adoption of these useful technologies.