You've got a friend in me: Leveraging PETs to support data sharing for good
With 270,000 messages sent across instant messaging platforms like WhatsApp, iMessage, and Telegram every single day, these platforms are undeniably the bedrock of modern-day communication. However, as this frenetic exchange of information travels through a mish-mash of cables and wires to make its way from sender to receiver, there is more at stake here than just numbers. Most of these interactions involve the sharing of personal data, making it crucial for these platforms not only to facilitate smooth communication but also to safeguard the privacy of individuals. This is where Privacy-Enhancing Technologies (PETs) can play a significant role. PETs such as the end-to-end encryption (E2EE) employed by platforms like WhatsApp, iMessage, and Telegram ensure that as our digital footprints expand, our personal information remains secure and, where we intend it to be, confidential.
But the safe transmission of personal data across the internet is just one aspect of how PETs assist organisations. They empower data-driven organisations to glean deeper insights from the data they control while facilitating ethical data sharing for beneficial purposes. Importantly, they ensure the privacy of individuals is not compromised and help organisations stay clear of legal and regulatory breaches.
In this article, we’ll explore PETs in the context of the General Data Protection Regulation (GDPR) and the Data Sharing Code from the Information Commissioner’s Office (the UK supervisory authority), discussing how these technologies support compliance and enhance privacy. We'll delve into specific considerations under these regulations when personal data sharing is involved and outline how leveraging PETs can help organisations meet these legal requirements.
Interaction of PETs and GDPR
PETs are at the heart of implementing 'Data Protection by Design', a concept embedded in the very core of the GDPR. This principle obligates organisations to weave data protection into the very fabric of their operations, from inception to completion. PETs support this integration by offering ‘technical and organisational measures’ to minimise data exposure, anonymise personal details, and bolster security, thus helping organisations preemptively align with GDPR stipulations.
Incorporating PETs in line with GDPR means proactively embedding data protection into business processes and services. Techniques like anonymisation and pseudonymisation are prime examples of PETs that enable organisations such as research institutions to analyse aggregated datasets and uncover insights without infringing on individual privacy, fostering innovation within legal boundaries. PETs are also instrumental in risk management, aiding in the early detection and mitigation of potential data protection challenges such as reidentification risk.
By integrating PETs, organisations can make privacy considerations an intrinsic part of their operational philosophy. This alignment not only boosts trust and compliance but also equips organisations to navigate the intricate digital terrain with a privacy-first approach.
Considerations under GDPR when personal data sharing is involved
Data sharing is a cornerstone of progress in data-driven organisations. Organisations such as medical research organisations involved in conducting clinical trials rely extensively on sharing data for validating findings, accelerating scientific discovery, and improving outcomes. In the medical field, sharing and connecting patient datasets, followed by their analysis using AI techniques like Machine Learning and Deep Learning, have become both commonplace and vital. Such sharing can facilitate groundbreaking discoveries through effective and efficient pattern identification and forecasting, as we saw during the COVID-19 pandemic. Similarly, in sectors like environmental science, sharing data on climate patterns helps in devising more effective strategies for combating climate change.
The GDPR, along with the ICO's Data Sharing Code prepared under the Data Protection Act 2018 (DPA 2018), outlines a rigorous framework that organisations need to follow for personal data handling, guiding the ethical and legal dimensions of data sharing. This framework includes:
Accountability, demonstrating compliance with the GDPR and DPA 2018 following an evidentiary or justifiable approach.
Fairness and Transparency, ensuring data sharing has no negative impact on the data subject and that they are fully informed of the processing involving sharing.
Lawfulness of processing, ensuring data sharing is justified under at least one of the available lawful bases.
Security, ensuring appropriate organisational and technical measures are in place during and after data sharing.
Processing of special categories of personal data, necessitating extra caution and, in some cases, explicit consent when handling sensitive data.
In addition to the above, the following points also need to be considered before the data is shared, as stipulated in the Data Sharing Code:
Purpose of sharing
Assessing potential benefits or risks of sharing
Fairness of sharing
Necessity and proportionality of sharing to purpose
Minimum data to achieve purpose
Safeguards against adverse effects
Applicable exemptions in DPA 2018
Adhering to this framework allows organisations to respect privacy rights while leveraging data for societal benefits and ensures compliance with the law at every step of the way.
PETs for GDPR compliance
Leveraging Privacy-Enhancing Technologies (PETs) is a critical strategy for forward-thinking data-driven companies such as AI startups or research organisations that aim to fulfil compliance requirements and to prioritise the privacy of their data subjects when personal data sharing is involved. These technologies enable a balance between the utilisation of data for business or research purposes and the protection of individual privacy rights. Here's a detailed exploration of how PETs can be used to enhance privacy and ensure compliance:
Key PETs and their application in data sharing
Data Minimisation and Anonymisation:
Purpose: These techniques are employed to reduce the amount of personal data collected and to remove identifiable information from data sets.
Application: Highly useful in medical research where the use of patient data is critical but must be de-identified to protect privacy. Anonymised data (when personal identifiers are irreversibly deleted) is not subject to GDPR, which significantly reduces regulatory burdens.
Techniques: Hashing, masking, and tokenisation are common methods used to anonymise data.
Secure Multi-Party Computation (SMPC):
Purpose: Allows multiple entities to compute a result based on their inputs, without actually revealing those inputs to each other.
Application: Enables collaborative research among different organisations without compromising the privacy of the data subjects or the intellectual property of the data holders.
Benefits: Facilitates secure data sharing and analysis across borders and sectors, ensuring confidentiality and privacy.
Differential Privacy:
Purpose: Introduces randomness (noise) into the data or its analysis, ensuring that the output does not compromise individual privacy.
Application: Useful for organisations that wish to publish aggregated data or statistical summaries without revealing sensitive information.
Implementation: Algorithms that guarantee differential privacy can be used in data analysis to provide insights while safeguarding individual data points.
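As an added illustration (not code from the original article), here is the Laplace mechanism applied to a count query over a constructed patient table. It shows the guarantee the paragraph refers to: the released value's likelihood under any two datasets that differ in one record stays within a factor of exp(epsilon). The dataset, identifiers and epsilon values are assumptions made for the example.

```python
import math
import random

# Constructed sample dataset (not real patient data): one row per patient.
PATIENTS = [
    {"id": "p001", "condition": True},
    {"id": "p002", "condition": False},
    {"id": "p003", "condition": True},
    {"id": "p004", "condition": True},
    {"id": "p005", "condition": False},
]

def count_condition(rows):
    """The exact, non-private count query an analyst wants to publish."""
    return sum(1 for r in rows if r["condition"])

COUNT_SENSITIVITY = 1.0  # adding or removing one patient moves a count by at most 1

def laplace_from_uniform(u, scale):
    """Inverse-CDF sample of Laplace(0, scale) from u in (0, 1).
    Deterministic in u, so the mechanism can be checked exactly."""
    u = min(max(u, 1e-12), 1.0 - 1e-12)   # keep log() away from 0
    p = u - 0.5
    sign = -1.0 if p < 0 else 1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(p))

def laplace_mechanism(true_value, sensitivity, epsilon, u):
    """Release true_value plus Laplace noise of scale sensitivity/epsilon.
    Smaller epsilon means more noise and a stronger guarantee."""
    return true_value + laplace_from_uniform(u, sensitivity / epsilon)

def private_count(rows, epsilon, rng=None):
    """epsilon-differentially-private count; rng defaults to a CSPRNG."""
    rng = rng or random.SystemRandom()
    return laplace_mechanism(count_condition(rows), COUNT_SENSITIVITY, epsilon, rng.random())

def likelihood_ratio(output, count_a, count_b, epsilon):
    """How much more likely `output` is under a dataset with true count
    count_a than under a neighbour with count_b. Differential privacy
    promises this never exceeds exp(epsilon) when |count_a - count_b| <= 1."""
    scale = COUNT_SENSITIVITY / epsilon
    dens_a = math.exp(-abs(output - count_a) / scale)
    dens_b = math.exp(-abs(output - count_b) / scale)
    return dens_a / dens_b

if __name__ == "__main__":
    neighbour = [r for r in PATIENTS if r["id"] != "p004"]  # differs in exactly one record
    print("exact:", count_condition(PATIENTS), "neighbour:", count_condition(neighbour))
    print("released:", round(private_count(PATIENTS, epsilon=0.5, rng=random.Random(7)), 2))
    print("worst-case privacy loss factor:", round(math.exp(0.5), 3))
```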
Homomorphic Encryption:
Purpose: Allows computations to be carried out on ciphertexts, generating an encrypted result which, when decrypted, matches the result of operations performed on the plaintext.
Application: Enables data processing and analysis in encrypted domains, ensuring data privacy even in third-party environments.
Advantages: Data remains encrypted throughout the process, providing a high level of security and privacy protection.
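To make "computations on ciphertexts" concrete, this added example (not from the article or any product it mentions) implements textbook Paillier, which is additively homomorphic: three organisations encrypt local counts, an aggregator sums the ciphertexts without ever holding the private key, and only the key holder decrypts the total. The primes and counts are constructed toy values.

```python
from functools import reduce
from math import gcd
import secrets

# Toy key built from small constructed primes so the arithmetic is visible;
# a real deployment would use a modulus of at least 2048 bits.
P, Q = 47, 59
N = P * Q                                   # public modulus
N2 = N * N                                  # ciphertexts live modulo N^2
G = N + 1                                   # standard generator choice
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # private: lcm(p-1, q-1)

def _L(x):
    return (x - 1) // N

MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)     # private: modular inverse (Python 3.8+)

def encrypt(m, r=None):
    """Encrypt 0 <= m < N under the public key (N, G). r is a random blinding
    factor coprime to N, so the same m encrypts differently each time."""
    if r is None:
        r = secrets.randbelow(N - 1) + 1
        while gcd(r, N) != 1:
            r = secrets.randbelow(N - 1) + 1
    if not (0 <= m < N) or gcd(r, N) != 1:
        raise ValueError("plaintext out of range or bad blinding factor")
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """Needs LAMBDA and MU, i.e. the private key."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N

def add_encrypted(c1, c2):
    """Multiplying ciphertexts adds the plaintexts: Dec(c1*c2) = m1 + m2 mod N."""
    return (c1 * c2) % N2

def scale_encrypted(c, k):
    """Raising a ciphertext to a known constant k scales the plaintext by k."""
    return pow(c, k, N2)

def sum_encrypted(ciphertexts):
    """What an untrusted aggregator can do: total the encrypted counts
    submitted by several organisations without seeing any of them."""
    return reduce(add_encrypted, ciphertexts)

if __name__ == "__main__":
    site_counts = [120, 85, 42]                        # constructed local counts
    submitted = [encrypt(c) for c in site_counts]      # only ciphertexts leave each site
    total = sum_encrypted(submitted)                   # computed without the private key
    print("aggregator sees:", submitted)
    print("key holder decrypts total:", decrypt(total))  # 247
```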
Federated Learning:
Purpose: A machine learning approach that trains an algorithm across multiple decentralised devices or servers holding local data samples, without exchanging them.
Application: Can be used for predictive modelling in healthcare by leveraging data from various sources without compromising patient privacy.
Benefits: Enhances privacy by keeping sensitive data localised, reducing the risk of data breaches.
Things to Consider
In the digital realm where privacy is paramount, Privacy Enhancing Technologies (PETs) are your allies. Here's how to seamlessly integrate PETs for compliance and heightened privacy into the very fabric of your organisation:
Adoption Strategies:
Assess data processing activities to identify where PETs can enhance privacy protections.
Conduct Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) to understand how data processing or data sharing might affect individual privacy and how PETs can mitigate these risks.
Training and Awareness:
Provide training for staff on the importance of privacy and how to use PETs effectively.
Raise awareness about the benefits of PETs in protecting privacy and ensuring compliance.
Policy and Governance:
Develop policies that mandate the use of PETs in relevant data processing involving data sharing.
Establish governance mechanisms to monitor and review the use of PETs to ensure they continue to provide the intended privacy protections.
PETs are the digital age's guardians and, for a data-driven organisation, a true 'best friend', as part of a proactive risk-based approach that brings together people, processes, and technology. They can help make data a force for good while protecting privacy. They're not just about compliance; they're about building trust and sparking innovation in a data-driven world.
This article was authored by Ritesh Katal, CIPP/E. This article should not be taken as legal advice.
Enjoyed this article? You may also find ‘Your data is anonymous: how we can fix dangerous assumptions at the heart of big data exchange’ by Trace Founder Sorcha Lorimer and our Smart Data Foundry data governance case study useful.
About Trace:
Trace helps global companies navigate global data regulations and implement practical steps for a risk-based and pragmatic approach to data governance and global privacy compliance with the relevant laws and frameworks. Looking for support with data governance framework design, data sharing guidance and applied Privacy by Design for your company? Book your free consultancy call now.