Following on from the recent G7 roundtable on data privacy, the ICO has released draft guidance on “Privacy Enhancing Technologies” (PETs). The guidance looks at anonymisation, pseudonymisation and privacy enhancing techniques so is particularly useful for companies and organisations in the healthcare and financial sectors, which often carry out large scale data analysis and use statistical models of sensitive data.
The ICO is keen to encourage industry to adopt these technologies. Implementing PETs could offer businesses novel opportunities to use sensitive data in a safe and ethical way. It has been estimated that secure data sharing could unlock nearly $3 trillion of annual GDP over the next 20 years.
What does the ICO guidance say?
PETs can help industry comply with data privacy laws and strengthen their own data privacy policies. According to the draft guidelines – a copy of which is here: Guidance – implementing PETs can provide evidence of:
- adhering to data protection principles under the UK GDPR
- data minimisation
- purpose limitation
- compliance with technological and organisational security requirements
- supporting companies’ data governance policies
- provide evidence of steps taken to mitigate data breach risks
However, the draft guidance stresses that use of PETs alone are not a “silver bullet” for data protection compliance. Use of PETs on their own are not enough, organisations and businesses still need to make sure they fully comply with all GDPR rules and analyse data in a transparent, fair and lawful way.
What are PETs?
The guidance specifically gives examples of PETs which are technologies and techniques that enable the safe sharing and analysis of personal data. For example, they can be used to assist in statistical analysis to seek to ensure that data cannot be traced back to the people who provide it. PETs specifically protect data when it is being used or processed – as opposed to when data is simply at rest or being transferred (for which other privacy technologies exist).
While there are numerous PETs with different safeguarding methods, most of them attempt to pseudonymise, anonymise, hide or encrypt personal data. These techniques allow programmes to conduct valuable data analysis without actually identifying the underlying input personal data.
Why are PETs relevant to businesses?
Running statistical models on large amounts of data gathered from international sources can be part of the business process especially for the healthcare and financial sectors. In healthcare for example, models built using patients’ statistics can be used to track and compare rates of infection to predict global pandemics like COVID. For financial organisations it opens up novel ways of investigating international money laundering – by collating global international payments and flagging up anomalous transactions for example.