The Information Commissioner’s Office (ICO) has always advocated privacy by design as an essential component of data protection, and privacy-enhancing technologies (PETs) are closely linked to the attainment of data protection principles. PETs are the various measures for protecting large datasets that businesses can implement on a technical level. They are increasingly important in facilitating data protection, for example by minimising the use of personal information and ensuring that only the information that is needed is processed. The various types of PETs include those that provide input privacy and output privacy through suitable encryption methods, generate information which reduces people’s identifiability, enhance data minimisation, hide or shield sensitive data, and split datasets. The ICO recently published new guidance on PETs aimed at data protection officers and others who are using large personal data sets in finance, healthcare, research, and central and local government. It is recommended that organisations that share large volumes of data, particularly special category data, should start considering using PETs over the next five years.

Why this guidance is important:

PETs are tools that can help maximise the use of data by minimising the risks associated with using it. They maximise information security, for instance through robust anonymisation or pseudonymisation solutions, which in turn minimise the risk arising from personal data breaches by making the personal information unintelligible to anyone not authorised to access it.

Businesses in finance, healthcare and other fields that handle very large datasets would find adopting these technologies immensely helpful, especially when considering the commodification of data without running the risk of violating intellectual property, privacy and data protection laws. This is because, with PETs, one can gain insights from datasets without jeopardising the privacy of the persons whose data they contain, conceivably allowing access to datasets that would otherwise be too sensitive to share. A related impact is the reduction of harmful activities: the deployment of PETs can thereby prevent financial crimes and related evils such as fraud, money laundering, and cybercrime.

Deciding on which PETs to adopt:

In its recommendations, the ICO stated that PETs do not provide a one-size-fits-all solution for satisfying data protection requirements. Prior to implementing PETs, organisations should assess the impact of their data processing, be clear about their purpose, research how PETs can help them comply with data protection principles, and address any issues that PETs may pose to compliance (such as accuracy issues).

Also, not every PET is appropriate for every data application, and failure to correctly execute the PET may impair, if not negate, its usefulness. Notably, certain PETs may not be sufficiently mature in terms of scalability and attack resistance, and a lack of skill in setting up and using a PET could also jeopardise its ability to protect individuals in the intended manner. A lack of appropriate technical and organisational measures can exacerbate such issues. Ultimately, when deciding whether or not to use PETs, organisations must consider the nature, scope, context, and purposes of their data processing; the risks which processing poses; whether and how a PET addresses a recognised data protection risk; and whether the PETs are sufficiently mature for the organisations’ purposes.

In its bid to support organisations’ development or adoption of PETs, the ICO seeks to collaborate on a PETs cost-benefit analysis tool, in partnership with the Centre for Data Ethics and Innovation. We will keep you updated on these developments as more will follow on this topic.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team, bringing his vast experience of over 22 years in this specialist area and advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Audrey Tan is a Summer Clerk at Baker McKenzie London.