The ICO has published draft guidance on privacy-enhancing technologies. The guidance aims to help organisations unlock the potential of data by putting a data protection by design approach into practice.
PETs are technologies which can help organisations share and use people’s data responsibly, lawfully, and securely. Among other things, they can do this by minimising the amount of data used and by encrypting or anonymising personal information. The guidance includes examples of their current use such as by financial organisations when investigating money laundering, and by the healthcare sector to provide better health outcomes and services to the public.
The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance.
The ICO says that by enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs create opportunities to harness the power of data through innovative and trustworthy applications and potentially to help with global societal challenges. However, it also points out that PETs should not be regarded as a silver bullet to meet all data protection requirements. An organisation’s processing must still be lawful, fair and transparent. Before considering PETs, it should assess the impact of the decision-making process, purpose specification (i.e. specifying a legitimate purpose for processing) and how it can comply with accuracy and accountability requirements.
G7 roundtable
The PETs draft guidance was published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Germany this week, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement to support responsible and innovative use of PETs. As part of this, the ICO was due to call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront.