An Introduction to the ICO’s Guidance on Privacy-Enhancing Technologies

Authors:  

Krys Assan | Data Protection Advisor

Date: 27 July 2023

In June 2023, the UK Information Commissioner’s Office (ICO) published its guidance on enterprise privacy-enhancing technologies (PETs). Alongside it, the regulator has issued a call for organisations to adopt PETs within the next five years. Leaders will want to understand these technical, privacy-preserving solutions to capture the benefits of data collection, sharing and analysis in settings processing large volumes or particularly sensitive information. This article places the ICO’s PETs guidance in context and extracts its key insights.

 What are privacy-enhancing technologies?

Privacy-enhancing technologies (PETs) are tools, techniques, and software and hardware solutions that protect against privacy and security risks and support data protection goals. At its most basic, a PET can be an ad-tracking browser extension or automated prompts to update contact details. However, most discussion centres on sophisticated emerging technologies that promote data use where legal, technical, ethical, or other barriers apply. A practical approach classifies PETs by the privacy objective sought. Homomorphic encryption, for example, can enable the processing of encrypted data, thereby allowing its use without compromising confidentiality. Differential privacy can de-identify individuals by inserting noise into datasets. Secure multiparty computation, by contrast, can allow multiple parties to process combined data without requiring any party to share its data with the others. In this way, understanding the applications of each technology can assist professionals in embedding security, minimisation, and other data protection principles.
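The secure multiparty computation idea described above, as an added example that is not taken from the ICO guidance or the original article: additive secret sharing lets several parties learn a combined total while each party only ever sees random-looking shares of the others' inputs. The party names, counts and modulus are constructed for illustration, and the sketch assumes parties that follow the protocol and do not pool their shares.

```python
import secrets

# Assumption: a public modulus larger than any total the parties could produce.
MODULUS = 2**61 - 1


def split_into_shares(value, n_parties):
    """Split value into n additive shares; any n-1 of them look uniformly random."""
    if n_parties < 2:
        raise ValueError("secret sharing needs at least two parties")
    if not 0 <= value < MODULUS:
        raise ValueError("value must fit below the modulus")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    # The last share is chosen so that all shares sum to the value mod MODULUS.
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def secure_sum(private_inputs):
    """Return (total, shares each party received, partial sums each party published)."""
    names = list(private_inputs)
    received = {name: [] for name in names}
    # Step 1: every party splits its own input and sends one share to each party.
    for owner in names:
        shares = split_into_shares(private_inputs[owner], len(names))
        for recipient, share in zip(names, shares):
            received[recipient].append(share)
    # Step 2: each party publishes only the sum of the shares it holds.
    partial_sums = {name: sum(received[name]) % MODULUS for name in names}
    # Step 3: adding the published partial sums reveals the total and nothing else.
    total = sum(partial_sums.values()) % MODULUS
    return total, received, partial_sums


# Constructed sample data: three organisations each hold a private count.
SAMPLE_INPUTS = {"hospital_a": 412, "hospital_b": 97, "hospital_c": 1530}

if __name__ == "__main__":
    total, received, partial_sums = secure_sum(SAMPLE_INPUTS)
    print("combined total:", total)
    print("what hospital_b saw:", received["hospital_b"])
```

If all but one of the parties pool what they hold, they can subtract their own inputs from the total and recover the remaining party's value, which is one reason organisational measures still matter alongside the technique.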

Context

Article 25 of the European Union (EU) and United Kingdom (UK) General Data Protection Regulations (GDPRs) introduced a new obligation on organisations to implement ‘appropriate technical and organisational measures’ aimed at protecting personal data. Moreover, Article 25 instructs organisations to implement the GDPR ‘by design and by default’: not as an afterthought but baked into processes, technologies, and services. To achieve this goal of proactive compliance, the GDPR permits organisations to consider ‘the state of the art’ of privacy-preserving technologies. The ICO’s publication is its latest guidance on the potential of technical measures in governance frameworks.

The ICO’s PETs guidance follows previous endorsements by the regulator. When a draft was published in September 2022, Information Commissioner John Edwards praised PETs for their potential to support responsible and lawful use and sharing of data that enables collaborative analysis of, and innovation with, sensitive information without trading privacy rights and compromising security. The draft was initially published as a chapter in a wider work on anonymisation and pseudonymisation. Following consultation, the ICO determined that privacy-enhancing technologies should be a separate guidance product.

The ICO’s guidance is one of the latest contributions advancing work into privacy-preserving technology. The UK Royal Society has published two reports, Protecting privacy in practice (2019) and From privacy to partnership (2023). Its reports place PETs in the commercial context, discussing their cost effectiveness, barriers to adoption, markets for collaborative analysis and the potential impact of PETs. The theme of PETs as facilitators is a prominent one. The Royal Society urges its audience of researchers and analysts to adopt PETs as ‘partnership enhancing,’ ‘trust’ technologies that provide new opportunities for joint computing where risks of using data currently outweigh benefits. Whereas the ICO report is addressed to data protection officers working on GDPR compliance, the Royal Society reports have a broader focus, advocating safeguarding sensitive information wherever data is sufficiently valuable, including protecting intellectual property. The 2019 Royal Society report shares the wider lens of its successor. What sets it apart from both the 2023 report and the ICO guidance is that it addresses personal data store technologies that provide individuals with informational autonomy. In this way, it incorporates consumer-facing, as opposed to enterprise, technologies.

By contrast, a more in-depth look at user-oriented PETs is available in Privacy-Enhancing Technologies: A Review of Tools and Techniques (November 2017), published by the Office of the Privacy Commissioner of Canada (OPC). Its discussion features tools that facilitate individual privacy rights by enabling remote audit of terms and conditions, user negotiation, data tracking prevention, and informed consent. The UK Government’s Centre for Data Ethics and Innovation (CDEI) has designed an interactive decision tree to aid users in selecting the best PET for their use case. Its PETs Adoption Guide includes a good practice guide and a database of use cases across sectors, particularly health and social care.

Finally, it is important to note that the ICO’s guidance follows other regional and international initiatives. For example, the European Union Agency for Cybersecurity has published reports on PETs maturity assessments (2017), PETs knowledge management (2018), and data protection engineering (2022) broadly. Additionally, in March 2023, the Organisation for Economic Cooperation and Development (OECD) reviewed the state of the art and current regulatory approaches. Another example comes from the 2019 World Economic Forum white paper, which argues for the disruptive impact of PETs for data sharing in financial services. This non-exhaustive sampling of global literature illustrates the increasing prominence of PETs and their broad applications.

 ICO PETs Guidance: An Overview

The ICO guidance supports the practical application of PETs for a non-technical audience. It addresses:

  • Processing activities that may pose a risk to individuals and which PETs can mitigate those privacy risks
  • How to integrate PETs into data protection impact assessments (DPIAs)
  • Detailed overviews of each technology, how they work, the privacy objectives they can achieve and known limitations, trade-offs, and risks
  • Standards available for each PET
  • Guidance on the relationship between PETs and anonymisation
  • Guidance on implementing PETs in practice
  • Case studies from the law enforcement and financial services sectors
  • The role of organisational measures, such as contracts, data protection information assessments, and training in PETs implementation

  The following overview summarises in general terms the technologies discussed in the report, the compliance problems they can address and the data protection principles they can implement.

| Privacy-enhancing technology | Data Protection Objective |
|---|---|
| Synthetic data | Data minimisation by reducing the identifiability of the people whose data we are processing; purpose limitation |
| Homomorphic encryption | Security: preserving confidentiality by hiding or shielding data; accuracy |
| Secure multi-party computation, including private-set intersection | Data minimisation by splitting datasets; security |
| Differential privacy | Minimisation by reducing the identifiability of the people whose data we are processing; purpose limitation |
| Federated learning | Security by splitting datasets; data minimisation |
| Zero-knowledge proofs | Data security; data minimisation |
| Trusted execution environments | Accountability; security |

  Next Steps

When considering which PETs to select, the ICO urges data protection officers and other users of large datasets to consider four factors:

  1. Consider the maturity of the technology: its scalability, the availability of standards, and the tool’s robustness to attacks.
  2. Understand which organisational measures are necessary to support a given PET. The guidance is clear that “a lack of appropriate organisational measures can lower or even completely undermine the effectiveness of a PET” (p.6).
  3. Consider cost as a factor in deciding which PET to implement rather than as a justification for failing to integrate safeguards at all.
  4. Consider organisational capacity. Where there is insufficient institutional expertise to effectively manage trade-offs between privacy and utility or to implement PETs effectively, PETs may not support compliance goals as intended.

Trilateral’s Data Protection and Cybersecurity team can assess your activities, recommend technical solutions, and guide their implementation. Contact us today to access our expertise in using emerging technology to facilitate data use and overcome compliance challenges.