Privacy-enhancing technologies (PETs) are digital technologies that can assist organisations in sharing and using personal data in a responsible, lawful and secure way. The Organisation for Economic Co-operation and Development (OECD) defines PETs as “digital solutions that allow information to be collected, processed, analysed and shared while protecting data confidentiality and privacy”.
Earlier this year, the ICO published new guidance on PETs and how these technologies can aid organisations in complying with fundamental data protection principles by minimising personal information use, maximising information security and preserving data privacy. The guidance is aimed at data protection officers and others who are using large personal datasets in healthcare and other key sectors.
Within its guidance note, the ICO divides PETs into two categories, based on the type of privacy that they offer. PETs can offer input privacy, by reducing the number of parties with access to the data that is being processed. Alternatively, PETs can offer output privacy, by reducing the risk of third parties obtaining personal information from the outcome of a processing activity.
The guidance goes further to set out three categories of PETs that can be used to achieve data protection compliance:
One of the key takeaways from the guidance is that PETs can be particularly useful for organisations that share large volumes of data, especially special category data. PETs can therefore be utilised in the healthcare sector, where the sharing of large volumes of special category health data is essential. Access to and use of an individual’s health data is vital for improving the delivery of patient care, but must be balanced against the need to protect patient privacy. Through the use of PETs, healthcare organisations such as Spire Healthcare can share patient data in a safe, secure and anonymised way. This can allow patient data to be analysed in a way that offers valuable insights and drives innovation.
However, whilst the ICO recommends the use of PETs, it makes it clear that PETs are not a silver bullet enabling healthcare organisations to comply with all data protection requirements. There are a number of reasons for this, such as the lack of maturity of certain PETs and insufficient organisational experience in the implementation of PETs. If implementing PETs, healthcare organisations should seek expert guidance and should also remain aware of the requirement for any processing of personal data to be lawful, fair and transparent.
PETs can be used by healthcare organisations to improve care whilst also protecting the privacy of patients, but those adopting PETs should be mindful of their current limitations. The ICO recommends that any organisation processing or sharing large volumes of data should consider the use and uptake of PETs during the next 5 years.
For more information, please contact the privacy and data team.