In the absence of a national privacy law, many states have enacted their own laws to address increasing privacy concerns. Still, experts argue that further work is needed to secure data, especially as AI poses new data security risks.
The report, How to Protect Government Data with Privacy-Enhancing Technology, aims to do several things: 1) explain PETs’ role in protecting sensitive data to enable responsible data sharing; 2) provide an introduction to the types of PETs and their uses; and 3) offer guidance to government data professionals, policymakers, and privacy engineers in selecting PETs for their needs.
WHAT ARE PETS?
PETs encompass a range of tools and methods that protect data privacy by mitigating risk throughout the data life cycle. They draw on cryptographic techniques, anonymization methods and secure computation.
Types of PETs include de-identification, differential privacy, encryption, federated data science, private set intersection, secure multiparty computation, synthetic data, tokenization, trusted execution environments and zero-knowledge proofs.
For example, de-identified student data supports compliance with the U.S. Family Educational Rights and Privacy Act: removing personally identifiable information lets the data be shared for research without individual consent while mitigating the risk of unintended disclosure. As another example, a synthetic data set can stand in for a real population as a digital twin, preserving that population's statistical properties for analysis while protecting personal data.
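As an added example (not from the report or this article), the de-identification case above carried through in Python on a constructed student-record table. Dropping the direct identifiers is the step the report describes; the block then measures the residual re-identification risk with k-anonymity over the quasi-identifiers (ZIP code, birth year and grade), a standard measure the report does not name, and generalizes those fields until every record matches at least k-1 others. All records, field names and the generalization ladder are made up for illustration.

```python
"""
Added example: de-identify a constructed student table by removing direct
identifiers, then check and raise k-anonymity over the quasi-identifiers.
Not code from the report; records and ladder are made up.
"""
from collections import Counter

# Constructed sample records; every name, ID and value is fictitious.
STUDENT_RECORDS = [
    {"name": "A. Rivera", "student_id": "S1001", "zip": "20740", "birth_year": 2006, "grade": 11, "gpa": 3.4},
    {"name": "B. Chen",   "student_id": "S1002", "zip": "20742", "birth_year": 2006, "grade": 11, "gpa": 3.9},
    {"name": "C. Okafor", "student_id": "S1003", "zip": "20745", "birth_year": 2007, "grade": 10, "gpa": 2.8},
    {"name": "D. Patel",  "student_id": "S1004", "zip": "20748", "birth_year": 2007, "grade": 10, "gpa": 3.1},
    {"name": "E. Smith",  "student_id": "S1005", "zip": "20781", "birth_year": 2005, "grade": 12, "gpa": 3.6},
    {"name": "F. Nguyen", "student_id": "S1006", "zip": "20783", "birth_year": 2005, "grade": 12, "gpa": 2.5},
]

DIRECT_IDENTIFIERS = ("name", "student_id")
# Fields that identify nobody alone but can single someone out in combination.
QUASI_IDENTIFIERS = ("zip", "birth_year", "grade")

# Generalization settings tried in order of increasing information loss:
# (ZIP digits kept, birth-year bucket width in years). Assumed ladder, not the report's.
GENERALIZATION_LADDER = [(5, 1), (3, 1), (3, 2), (0, 2), (0, 4)]


def remove_direct_identifiers(records):
    """Step one of de-identification: drop the fields that name a person outright."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing identical quasi-identifier values.
    k == 1 means at least one record is unique and therefore re-identifiable."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def generalize(records, zip_digits, year_bucket):
    """Coarsen quasi-identifiers: mask trailing ZIP digits, bucket birth years into ranges."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        if year_bucket > 1:
            lo = r["birth_year"] - (r["birth_year"] % year_bucket)
            g["birth_year"] = f"{lo}-{lo + year_bucket - 1}"
        out.append(g)
    return out


def de_identify(records, k):
    """Remove direct identifiers, then climb the ladder until k-anonymity >= k.
    Returns (records, achieved_k, settings); settings is None when k is unreachable,
    so the caller sees a weaker guarantee instead of assuming the target was met."""
    base = remove_direct_identifiers(records)
    candidate, achieved = base, k_anonymity(base)
    for zip_digits, year_bucket in GENERALIZATION_LADDER:
        candidate = generalize(base, zip_digits, year_bucket)
        achieved = k_anonymity(candidate)
        if achieved >= k:
            return candidate, achieved, (zip_digits, year_bucket)
    return candidate, achieved, None


if __name__ == "__main__":
    print("k after removing direct identifiers only:",
          k_anonymity(remove_direct_identifiers(STUDENT_RECORDS)))
    for target in (2, 3):
        recs, achieved, settings = de_identify(STUDENT_RECORDS, target)
        print(f"target k={target}: achieved k={achieved}, settings={settings}")
        for r in recs:
            print("  ", r)
```

The run shows the caveat a practitioner wants: stripping names and IDs alone leaves every record unique (k=1), because the ZIP, birth-year and grade combination is itself identifying; truncating ZIP codes to three digits reaches k=2, and k=3 is unreachable on this table without also suppressing grade, which the function reports rather than silently returning a weaker guarantee. k-anonymity addresses identity disclosure only: if every record in a class shares the same GPA, attribute disclosure remains possible, so a release would also need a check such as l-diversity, or differential privacy on any published statistics.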
“PETs must be a core component of responsible data governance, ensuring that data utility does not come at the expense of individual privacy and security,” the report states.
PETs minimize trust requirements, enable secure data sharing, and support ethical data use. For governments, this can support cross-agency collaboration, efforts to increase public trust, and regulatory compliance.
DETERMINING THE BEST PET FOR AN AGENCY
The report also includes information to guide agencies’ decision-making processes in determining which PET is best suited for their needs.
A table in the report answers questions about common types of PETs, such as whether they can be used for secure data sharing with external partners and whether the original data can be reconstructed.
The report recommends that agencies exploring PET adoption consider the type of data in question, the sensitivity level of that data, data-sharing needs, and the required privacy-guarantee level. Scalability requirements are described by the report as a “crucial consideration” when selecting a PET.
In some cases, more than one PET may be the best way for an organization to protect its data.
However, some barriers exist that may hinder PET adoption, including usability issues, regulatory gaps, cost constraints, operational challenges and awareness gaps.
“Overcoming these gaps with targeted training and knowledge sharing can help integrate PETs more effectively into data-governance strategies,” the report states.
It recommends governments “align procurement policies with criteria that prioritize the affordability, scalability, and effectiveness in real-world, public-sector applications.” It also recommends governments issue clear guidelines for determining when PETs sufficiently meet privacy requirements. Finally, governments should incentivize innovation through grants and research initiatives to ensure the market can meet the need for effective PETs.
“There is an urgent need for public sector stakeholders to prioritize securely using data to drive positive outcomes while upholding the privacy and rights of individuals,” the report concludes.