The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements.
On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing technologies (PETs) are and how organizations can use them to meet privacy-by-design requirements. PETs incorporate data protection principles by (amongst others) minimizing use of personal data, ensuring security, and facilitating data subject rights. Organizations that want to use PETs should first conduct a data protection impact assessment to determine whether such technologies are indeed adequate for their processing activities.
According to the Draft Guidance, PETs are particularly suitable in contexts that involve large-scale collection and analysis of personal data, such as artificial intelligence applications, Internet of Things, and cloud computing services. The ICO specifically states that PETs are not a “silver bullet”, and does not impose a specific obligation regarding their use. Further, the ICO flags certain downsides associated with these technologies, such as lack of scalability, lack of sufficient information/research regarding some PETs, and the potential for inadequate or erroneous implementation.
The ICO classifies PETs into three categories:
- PETs that derive or generate data that reduces or removes the identifiability of individual, which aim to weaken the connection between an individual in the original personal data and the derived data
- PETs that focus on hiding or shielding data, which aim to protect individuals’ privacy while not affecting data utility and accuracy
- PETs that split datasets or control access to certain parts of the data, which aim to minimize the volume of shared data and ensure security whilst not affecting the utility and data accuracy
The Draft Guidance sets out various types of PETs (without providing an exhaustive list), their associated advantages/disadvantages, and some example use cases. Below is a brief summary of these PETs analysed by the ICO.