UK information commissioner's office publishes new guidance on the use of PETs

On 19 June 2023, the Information Commissioner’s Office (ICO) announced the launch of its new guidance in relation to Privacy Enhancing Technologies (PETs), which it hopes will positively support UK businesses in their development and innovation of new technologies, whilst respecting the privacy of individuals.

The new guidance (which is standalone from its anonymisation and pseudonymisation counterpart) is divided into two parts.

1. Part I: The first section focuses on how PETs can help organisations achieve compliance with data protection law and is predominantly aimed at data protection offices (DPOs) and others who are using large personal data sets.
2. Part II: The second section, which the ICO specifies is intended for a more ‘technical audience’, offers an introduction to eight different types of PETs, and addresses the risk and benefit profile of each.

The full guidance can be accessed here.

Key Takeaways

What are PETs?

Whilst PETs are not defined under data protection law, the ICO guidance explains that PETs are software and hardware systems that assist with minimising personal information use, whilst maximising information security and/or empowering people.

PETs are closely connected to the concept of ”data protection by design” – a general obligation under UK GDPR that ensures an organisation implements appropriate technical and organisational measures, to show that it has considered privacy and data protection within its processing activities.

What are the Benefits of PETs?

In its opening note, the ICO explain that PETs offer “unprecedented opportunities for organisations to harness the power of personal data through innovative and trustworthy applications, by allowing them to share, link and analyse people’s personal information without having access to it”.

Organisations will therefore be able to use PETs to obtain valuable insights from information relating to individuals, whilst ensuring that they are: (i) compliant with data protection principles, and (ii) not compromising the privacy of those individuals.

Are there any Risks?

In addition to the numerous benefits that the use of PETs offers to organisations, the new guidance highlights common risks that organisations should take caution from.

The ICO makes clear that PETs are not a complete solution for compliance with data protection requirements, for various reasons including:

• Lack of maturity: certain PETs may not be ‘sufficiently mature’ in terms of their availability of standards and their robustness to attacks.
• Lack of expertise: some PETs require a certain level of expertise to be set up and used appropriately.
• Lack of appropriate organisational measures: a PET may be deemed ineffective where there is a lack if appropriate organisational measures in place in the first instance.

With the above in mind, the ICO recommends that organisations who are contemplating the use of PETs consider: (i) how PETs can help them comply with their data protection requirements; and (ii) the issues that PETs may pose in complying with those requirements.

When to use PETs?

The new guidance recognises that the use of a PET (or various combinations of PETs) will largely depend on the circumstances of a particular organisation.

With that said, however, organisations should consider the implementation of PETs during the design phase of its project, in particular where a project is ‘data-heavy’ or where it determines that there may be possible ‘risky’ uses of personal information.

During the design phase, organisations should also examine how it intends on complying with each of the data protection requirements where it opts to use a PET.

Our View

The guidance provides organisations with an accessible, comprehensive introduction to PETs, their use profile and associated benefits and risks

.The ICO makes clear, however, that the use of PETs should not be regarded as a “silver bullet” for an organisation to meet all of its data protection requirements. The guidance therefore serves as a useful reminder that organisations have a continuing obligation to ensure that all data processing remains lawful, fair and transparent.