Privacy enhancing technologies and how they can help

Driving innovation without overlooking privacy controls

As new technologies and ‘big data’ solutions evolve and gain traction across the globe, organisations are increasingly gathering and using people’s data in more creative and innovative ways.

We often hear how the volume of data generated in the past two years alone is greater than that gathered in all previous human history.

Against this backdrop, there’s a growing need to make sure we protect the privacy of individuals whose data we handle. Organisations need to use appropriate and effective technical and organisational measures to protect people’s data. This is the essence of Data Protection by Design.

We need to consider both legal and ethical issues, as well as the reputation risk from a data breach.

Are some organisations becoming too risk-adverse? We’ve seen it happen where an exciting new project with the potential to create huge benefits for customers (even society at large) is side-lined because the associated privacy risks are considered to significant.

How do we strike the right balance?

Balancing innovation and privacy

Privacy enhancing technologies (PETs) are designed to minimise personal data use, maximise security and give individuals control of their data. The use of PETs can reduce or potentially eliminate privacy risks.

The adoption of such technologies are often seen as a key component for successful data innovation, opening up new opportunities and benefits from personal data.

The term PETs includes a wide range of existing and emerging technologies. Generally speaking, these can be categorized as ‘hard’ and ‘soft’ privacy technologies. Here’s some examples – this list is by no means exhaustive.

‘Soft’ privacy technologies

These are used by organisations to keep information secure and keep full control of how data is being used. They may rely on data minimisation, anonymisation and/or pseudonymisation. Examples include:

  • Access controls – to restrict access to personal data
  • Encryption – both for data in transit and at rest
  • Differential privacy – a cryptographic algorithm which adds statistical ‘noise’ to the dataset which enables patterns within the dataset whilst maintaining the privacy of individuals.
  • Other de-identification techniques – such as redaction, tokenisation, hashing or zero-knowledge proofs (ZKP).

‘Hard’ privacy technologies

These give online users control over their privacy when using digital services and applications. Examples include:

  • Virtual Private Networks (VPNs) – which allow the user to have their own private network while browsing the internet.
  • Onion routing – an internet-based encryption technique where messages are embedded within encryption layers. Tor (which stands for ‘The Onion Router’) is a popular free-to-use anonymous browser based on onion routing.

The above examples are by no means exhaustive.

Selecting the right PETs for your organisation

The types of PETs your organisation uses will depend on the nature of your business, the sensitivity of the data you handle, the ways in which you use it, who you share it with, and so on.

Particularly private or sensitive data will clearly need a greater level of protection. It’s all about recognising where the risks lie and taking a proportionate approach.

Sharing data via secure APIs

A very common way to automate safe data sharing is via secure Application Programming Interfaces (APIs). APIs are regularly used to share selected data between internal systems, as well as with third parties. This is much more efficient and secure than sharing datasets via email by attaching spreadsheets, for example.

Where’s the ICO on PETs?

The ICO is currently preparing updated guidance on ‘Anonymisation, Pseudonymisation and Privacy Enhancing Technologies’, following a consultation which began in 2021. Alongside this, early this year the Regulator began consulting with health organisations to shape their thinking on PETs.

Healthcare sector data use

Data driven technology and increased adoption of AI offer huge potential to improve service delivery in the public sector – not least in healthcare. From early diagnosis to infrastructure improvements and more personalised services.

The use of data for public services has never been more vital. Yet sharing more data also poses risks and challenges. Public trust in the way data is shared and used is vital and has to be earned.

In an environment like this, the adoption of effective privacy enhancing solutions is key. For example, the use of access control to give restricted access to patient data based on the user’s role (e.g. doctor, consultant).

Stephen Almond, Director of Technology and Innovation at the ICO:

“Privacy-enhancing technologies (PETs) help organisations build trust and unlock the potential of data by putting data protection by design into practice.

“The healthcare sector handles highly sensitive data that could lead to life-changing, life-saving innovations. Yet organisations are not tapping into the benefits of PETs and we want to find out how to help them adopt these emerging technologies.”

To conclude…

Nobody wants to stifle innovation. We need to be able to balance great ideas and innovation with respect for people and their data.

Privacy enhancing technologies can be a valuable part of your privacy and information security toolkit, giving you the confidence to develop new products and services, knowing you have tackled the privacy risks.