Sorry, not the pets you might be thinking of. As part of the UK’s National Data Strategy, the Centre for Data Ethics and Innovation (CDEI) has released a beta version of a working manual on the use of technology to crack the privacy problem.
Privacy Enhancing Technologies (or PETs as they have come to be affectionately known) essentially do what they say on the tin – enhance privacy. We’ll dive into these in a moment, but for now take encryption as an example. Through the application of PETs companies are able to facilitate the use of their data in a way that both respects privacy and maximises R&D and commercial opportunities.
In some cases, they also help satisfy obligations under relevant privacy laws (in our case, the Privacy Act 1988 (Cth) (Privacy Act)), fostering innovation in ways that would otherwise be prohibited under regulation.
So, tell me more about these PETs
When you first hear the term ‘Privacy Enhancing Technology’ a number of things may spring to mind, from VPNs to password managers, but in practice the term actually encapsulates a fairly narrow and specific set of 7 privacy ‘techniques’, all of which are directed at expanding the potential uses of data without exposing (or indeed collecting in the first place) the underlying information.
Two of these, which you would already be familiar with, are considered ‘traditional PETs’: encryption and de-identification. For the purposes of this article, we won’t dive deeper on these. It is the other subset of 5 ‘emerging’ PETs which are of most interest. These are described by way of brief overview below (see also the guide itself for some helpful diagrammatic aids).
How does the guide work?
At its core, the guide is an interactive flowchart directed at technical personnel (think software engineers, network managers and ultimately product owners) to assist in decision making around (a) whether PETs are appropriate for any given project; (b) which PETs might be most suitable; and (c) their limitations. Helpfully, as touched on above, the guide also incorporates a ‘repository of use-cases’, a list of real-world examples of PET implementation and their benefits from some well-known products and institutions.
So if I use a PET, I don’t need to worry about my obligations under the Privacy Act?
Hm, not quite. In the context of any given product or service offering, the use of PETs is likely to represent just one stage of what is a much broader process. Whilst using PETs may mean that some specific obligations are not enlivened at certain points in the data journey, compliance with the Privacy Act as a whole still needs to be front of mind.
For example, in the case of homomorphic encryption, a third party processor is able to compute directly upon encrypted data. In theory, this prevents what otherwise may be considered a disclosure of personal information by the data owner, and prevents use of, or access to, personal information by the third party. As a further example, the use of federated learning to train model weights on local devices without any transfer of personal data off those devices may mean that even though analytics are technically being run on personal information, no actual collection of personal information is taking place. Of course, whether this is truly the case will depend on the particular circumstances.
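To make the homomorphic encryption point concrete, here is an added illustration (not code from the CDEI guide or from the authors of this article) of the additively homomorphic Paillier scheme: the data owner encrypts a handful of constructed salary figures, a hypothetical third-party processor adds them up while holding only ciphertexts and no key, and the owner alone can decrypt the total. The key size is kept deliberately small so the example runs instantly; a real deployment would use a vetted library and much larger moduli.

```python
"""Toy additively homomorphic encryption (Paillier scheme) showing a
third-party processor computing on data it cannot read.

Added illustration, not code from the CDEI guide. Key sizes are
deliberately small for readability; real deployments use a vetted
library and 2048-bit or larger moduli."""
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with the top bit set so it has exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 256):
    """Returns (public_key, private_key): public = (n, g), private = (lambda, mu)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n = p * q
        if p != q and gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    g = n + 1                                      # standard simplifying choice of g
    # With g = n + 1, L(g^lambda mod n^2) == lambda mod n, so mu = lambda^-1 mod n
    mu = pow(lam, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Data-owner side: randomised encryption, so equal values give different ciphertexts."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """Data-owner side: only the holder of (lambda, mu) can recover the plaintext."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n  # L(u) = (u - 1) / n
    return (l_value * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Processor side: Enc(a) * Enc(b) mod n^2 == Enc(a + b). No key involved."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """Processor side: Enc(a)^k mod n^2 == Enc(k * a). No key involved."""
    n, _ = pub
    return pow(c, k, n * n)


def outsourced_total(pub, ciphertexts) -> int:
    """What the hypothetical third-party processor runs: it only ever sees ciphertexts."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


if __name__ == "__main__":
    pub, priv = keygen()
    salaries = [52000, 61000, 48500]        # constructed sample values
    enc = [encrypt(pub, s) for s in salaries]
    enc_sum = outsourced_total(pub, enc)    # processor works on ciphertexts only
    print("processor sees e.g.:", hex(enc[0])[:20] + "...")
    print("owner decrypts total:", decrypt(pub, priv, enc_sum))
```

The privacy-relevant property is in `outsourced_total`: the processor's function takes the public key and ciphertexts and never touches `priv`, so the individual salaries are neither disclosed to it nor usable by it, yet the owner still obtains the correct aggregate. Note what the scheme does not do: it reveals the result to whoever holds the private key, it does not hide how many records were processed, and it says nothing about whether the owner was entitled to process those records in the first place, which is the point made above about the Privacy Act still applying end to end.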
Whilst each PET has its own individual limitations (as set out in the guide), the use of PETs generally is also subject to some scrutiny. Firstly, they should not be considered a ‘silver bullet’ of privacy protection - these methodologies will differ in their implementation and as always, should be deployed within a broader lens of privacy by design. Second, their inherent complexity may mean specific technical talent is required to execute them, whilst increasing the cost of adoption. And last but not least, the inherent confidentiality that is built into these processes by design does offer the potential for misuse by bad actors.
Overall however, the adoption of PETs does appear for the most part to be a win-win: enhanced privacy for data subjects and greater innovation from expanded data use cases. With regulations on personal information tightening across many jurisdictions, PETs can potentially offer a way around the red tape whilst still promoting good data governance.