The Royal Society has published a report on Privacy Enhancing Technologies (PETs) to consider their potential to “revolutionise the safe and rapid use of sensitive data for wider public benefit”.
The report, entitled ‘From privacy to partnership: the role of Privacy Enhancing Technologies in data governance and collaborative analysis’, was undertaken in collaboration with the Alan Turing Institute. It aims to examine how PETs can support data governance and enable new, innovative uses of data for public benefit; the primary barriers and enabling factors around adoption of PETs and how they can be addressed; and how PETs can be factored into frameworks for assessing and balancing risks, harms and benefits when working with personal data.
The report focuses on evidence from a number of sources such as consultations with stakeholders across several sectors, a synthetic data explainer and commissioned reviews on PET adoption, standards and assurances.
It covers a number of key areas: the role of technology in privacy-preserving data flows; building the PETs marketplace; standards, assessments and assurances; and use cases.
The role of technology in privacy-preserving data flows
“Data privacy tools can include technologies, legal instruments or physical components (such as hardware keys) that mitigate the risk of problematic data actions,” the report states. “However, data privacy can mean many things, and can be subjective or contextual.”
It adds that a specific definition of privacy may be “less useful than considering what privacy is for and what is at stake by examining potential downstream harms.”
The report goes on to explore how PETs can explore downstream harms through bolstering data protection practices. It shares a taxonomy of harms here (page 26) to provide a “conceptual overview of how data might be used or shared, alongside the harms that may follow problematic data actions.”
The taxonomy is not an exhaustive list, it notes, but “provides an illustrative tool designed to encourage a harms-based approach to data protection risks.”
Building the PETs marketplace
The report notes that market research commissioned by the Royal Society and CDEI indicates that the market for PETs is starting to show its potential. A growing number of examples demonstrate PETs in use across a range of contexts, “with a substantial number of large organisations expected to use one or more privacy-enhanced computation techniques by 2025, particularly in secure cloud infrastructures.”
Some barriers to adoption are acknowledged, including general knowledge and awareness around PETs and their benefits; the risk associated with using new and less-understood technologies; and a lack of understanding around PETs within wider data protection requirements.
“Other barriers are institutional in nature,” the report states; “where technical expertise does exist in-house, these individuals are often organisationally removed from decision makers.”
Some suggestions are made, including enhancing market confidence through better data readiness and the development of standards, and privacy professionals undertaking certifications and online courses to raise awareness and expertise.
“A flourishing PETs market will require both trust in the technology and users’ ability to discern appropriate applications,” the report concludes in this area. “PETs vendors can help address scepticism by integrating PETs in wider data governance approaches, rather than promoting one-size-fits-all solutions. Where public sentiment around the use of PETs is unknown, further research – including focus groups or public dialogues – could be used toward ensuring end-user acceptance of (and demand for) the technologies.”
Standards, assessments and assurances
“Given their current state of maturation, PETs are generally best used in a systems approach to data privacy by addressing the twin goals of compliance and trust,” the document states. This section of the report reviews the role of trust and assurance in PETs implementation.
It notes that trust in privacy systems can be split into two main parts: trust that the PET will be used in a way that protects the rights of the data subject, and trust in the technical ability of PET as a security tool.
On page 43, the report highlights the assurances and trust relationships in the use of PETs, notably PETs users, executives and PETs vendors, and data subjects. It supplies the questions around moral trustworthiness versus trust in the technology’s competence, and lists some of the assurances required.
The document states that “standardisation of approach to PETs will be essential in developing a higher-level guidance for ‘best practice’ and codes of conduct” along with facilitating the early phases of PETs adoption and incorporating PETs into privacy frameworks and impact assessments in an informed, responsible manner.
Standards for PETs “are being developed through a range of international, national and sector-specific Standards Developing Organisations,” the report continues. “In addition, there is an emergence of open standards initiatives. These initiatives seek to make standards on PETs accessible by anyone and can entail a collaborative approach to standards development, involving community-led groups and stakeholders from government, industry and academia.”
There is a growing movement for this standardisation approach, it adds, particularly within emerging technologies.
Finally, the report shares a set of use cases highlighting the various roles PETs are playing or could play in real-world data governance scenarios.
It notes that efficacy and appropriateness of PETs in data governance is highly dependent on context, so the scenarios are not intended to prescribe solutions, but rather to inspire discussion, illustrate importance of context-based solutions, and showcase where PETs could play an important role in data-driven problem solving.
The suggested scenarios involve privacy in biometric data for health research and diagnostics, use with the internet of things and enabling digital twins for net zero; synthetic data for population-scale insights; and more.
The use cases can be found in detail from page 57.
The Royal Society’s current working group includes: Professor Alison Noble OBE FREng FIET FRS (Chair), Professor Jon Crowcroft FREng FRS, Mr George Balston, Dr Anthony Finkelstein CBE FREng, Mr Guy Cohen, Dr Benjamin Curtis, Professor Emiliano de Cristofaro, Dr Marion Oswald, Professor Carsten Maple and Dr Suzanne Weller.