The CDEI has been researching the role of privacy enhancing technologies (PETs) in enabling safe, private and trustworthy use of data.
Privacy is a fundamental right. Organisations have an obligation to protect privacy, and must consider important legal, ethical, and reputational concerns when working with personal or sensitive data. Our report on public sector data sharing found that these concerns can lead to risk aversion that may inhibit data from being fully utilised to provide benefits for society. The use of PETs can help manage and mitigate some of the risks involved, potentially unlocking avenues to innovation.
What are privacy enhancing technologies?
In the broadest sense, a privacy enhancing technology is any technical method that protects the privacy of personal or sensitive information. This definition includes relatively simple technologies such as ad-blocking browser extensions, as well as the encryption infrastructure we rely on every day to secure the information we communicate over the internet. Of particular interest to the CDEI is a narrower set of emerging PETs. This is a group of relatively young technologies which are being implemented in an increasing number of real world projects to help overcome privacy and security challenges.
This set of emerging PETs is not rigidly defined, but there are a handful of technologies and techniques that are most prominent in current conversations. These include:
- Homomorphic encryption, which allows computations to be performed on encrypted data.
- Trusted execution environments, which can protect code and data in a processing environment that is isolated from a computer’s main processor and memory.
- Secure multi-party computation, in which multiple organisations collaborate to perform joint analysis on their collective data, without any one organisation having to reveal their raw data to any of the others involved.
- Federated analytics, an approach for applying data science techniques by moving code to the data, rather than the traditional approach of collecting data centrally.
- Differentially private algorithms, which enable useful population-level insights about a dataset to be derived, whilst limiting what can be learned about any individual in the dataset.
- Synthetic data, the generation of data that is statistically consistent with a real dataset. This generated data can replace or augment sensitive data used in data-driven applications.
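To make the last of these concrete, here is an added example (not CDEI code, nor from any project the post mentions) of a differentially private counting query built with the Laplace mechanism, the standard construction behind the "differentially private algorithms" listed above. The dataset, the epsilon values and the function names are all constructed for illustration. It shows the two things a practitioner should check before trusting such a release: that the noise is sized by the query's sensitivity, and that the privacy loss between any two neighbouring datasets stays within epsilon whatever output is observed.

```python
"""Added example: epsilon-differentially private count via the Laplace
mechanism. Constructed data; not code from the original page."""
import math
import random

# Constructed toy dataset: one record per person, True = has the condition.
RECORDS = [True, False, True, True, False, False, True, False, True, True]

# A counting query has sensitivity 1: adding or removing one person changes
# the exact answer by at most 1. This bound is what calibrates the noise.
SENSITIVITY = 1.0


def true_count(records):
    """Exact (non-private) answer to 'how many records are True?'."""
    return sum(1 for r in records if r)


def laplace_scale(sensitivity, epsilon):
    """Scale b of the Laplace noise needed for epsilon-DP: b = sensitivity / epsilon."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(scale, rng):
    """Draw Laplace(0, scale) noise as the difference of two exponentials."""
    rate = 1.0 / scale
    return rng.expovariate(rate) - rng.expovariate(rate)


def noisy_count(records, epsilon, rng):
    """Release the count with Laplace noise calibrated to SENSITIVITY / epsilon."""
    scale = laplace_scale(SENSITIVITY, epsilon)
    return true_count(records) + sample_laplace(scale, rng)


def laplace_pdf(x, centre, scale):
    """Density of Laplace(centre, scale) at x."""
    return math.exp(-abs(x - centre) / scale) / (2.0 * scale)


def privacy_loss(records_a, records_b, output, epsilon):
    """|ln(P[output | A] / P[output | B])| for neighbouring datasets A and B.

    The epsilon-DP guarantee is exactly that this value never exceeds epsilon,
    so an observer cannot confidently tell whether any one person was present.
    """
    scale = laplace_scale(SENSITIVITY, epsilon)
    p_a = laplace_pdf(output, true_count(records_a), scale)
    p_b = laplace_pdf(output, true_count(records_b), scale)
    return abs(math.log(p_a / p_b))


if __name__ == "__main__":
    rng = random.Random(2021)  # fixed seed so the demo is reproducible
    print("exact count:", true_count(RECORDS))
    for eps in (0.1, 1.0, 10.0):
        # Smaller epsilon = stronger privacy = noisier answer.
        print(f"epsilon={eps}: noisy count = {noisy_count(RECORDS, eps, rng):.2f}")
    neighbour = RECORDS[:-1]  # same data with one individual removed
    for observed in (4.0, 5.5, 7.0, 100.0):
        loss = privacy_loss(RECORDS, neighbour, observed, 1.0)
        print(f"output {observed}: privacy loss {loss:.3f} (bound 1.0)")
```

The `privacy_loss` check is the part worth keeping in a real deployment review: it is a direct, deterministic test that the mechanism honours its stated epsilon for a given pair of neighbouring datasets, independent of how the random noise happens to fall on any one run.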
These technologies support a range of use-cases involving secure data processing, trustworthy data sharing, and privacy-preserving machine learning. They may be particularly useful in sectors where highly sensitive data is the norm, such as healthcare and finance. Indeed, the pandemic has brought into focus the importance of being able to effectively utilise sensitive data at scale. The need to maintain privacy and security over this data has led to rapid innovations, such as the OpenSAFELY secure analytics platform which is enabling researchers to carry out analyses across over 24 million patient records. This large-scale analysis has enabled risk factors associated with COVID-19 to be identified, without exposing the personal information of individuals.
Our work on privacy enhancing technologies
These emerging technologies have the potential to be disruptive, enabling valuable data sharing and analysis whilst protecting privacy and confidentiality. For this potential to be fully realised, effective policy and governance frameworks are needed. The National Data Strategy calls on the CDEI to work with wider government to explore the role of PETs in enhancing consumer control and confidence, and ensuring trustworthy use of data. We are carrying out research that aims to address a number of related research questions:
- What are the barriers inhibiting more widespread adoption of PETs in both the public and private sectors?
- How does the use of PETs affect compliance with data protection regulation? Are there regulatory ambiguities that require clarification?
- In what ways could PETs be used for harm? How can we mitigate those?
- Where PETs are used beneficially, how can this be effectively communicated to build consumer confidence and public trust?
The CDEI is engaging with stakeholders in the public sector, industry, and academia to address these research questions, and is eager to talk to individuals and organisations who are developing or utilising privacy technologies.
We are particularly interested in learning of examples where privacy enhancing technologies have been piloted, or successfully used in production environments. By collating examples and conducting in-depth case studies, we hope to be able to draw out common learnings, and identify areas where more widespread use of PETs has the potential to bring about significant benefits.
If you would like to speak to us about this work, please contact firstname.lastname@example.org or get in touch via the comments section below.
About the CDEI
The CDEI was set up by the government in 2018 to advise on the governance of AI and data-driven technology. We are led by an independent Board of experts from across industry, civil society, academia and government. Publications from the CDEI do not represent government policy or advice.