Privacy Enhancing Technologies: An Empirical Study into their Adoption and usage in UK Organisations

Richard Howley and Gilesh Pattni


Privacy Enhancing Technologies (PETs) have been widely promoted as offering technological safeguards to data privacy and security for more than a decade. Indeed, the development of a European system for data protection that resulted from the 1995 European Directive, and the UK 1998 Data Protection Act were predicated on a presumption that PETs would feature prominently in providing privacy enhancements. Given this background it is somewhat surprising that the UK Information Commissioner recently announced that since the security breach at HM Revenue and Customs in November 2007, almost 100 data breaches by public, private and third sector organisations have been reported. Some of the most notable of these occurred in financial institutions, government agencies and UK National Health Service organisations and involve the loss of unencrypted laptops, computer disks and memory sticks. Several high profile losses have occurred whilst unencrypted data has been lost in transit from one location to another; precisely the circumstances that PETs were expected to protect us from! Clearly, there are UK organisations that are either not using PETs at all or not using them effectively to protect our data. Given the proposition that PETs would play a significant role in protecting data, the authors of this paper were somewhat surprised to witness significant data breaches occurring with what appeared to alarming regularity. Notwithstanding, the methodological impurities about the use of the term ‘regularity’, it was noted that a large number of data breaches were being reported to the British public and that many of these breaches appeared to be of a type that the application of a basic set of PETs would secure against. This is the context that gave rise to the research reported in this paper.

This research reviews the literature that exists in the area of PETs, focusing on their types, uses and levels of adoption. The findings of the literature review are reported and show the ways in which a variety of PETs contribute to data privacy and security, where and when they can be used, and the organisational context of PETs. Significantly, literature was not found on current levels of PET adoption and it was this omission that led to the development of a research instrument to further explore the nature and extent of PET usage and adoption in the UK.

The research instrument, a questionnaire, was designed and piloted before being used with respondent groups. The questionnaire sought insights into three related aspects of PET usage:

  • Uses of PETs, including a consideration of which PETs are used and why.
  • The privacy context of PETs, focusing on policies and procedures.
  • Evaluation of PETs as providing effective privacy protection.

The analysis of the data in each of these categories is supported by an analysis of the overall respondent profile of those contributing to this research.

The main findings emerging include:

  • The respondent group are mainly IT Managers in large organisations, and interestingly, very few replies came from government agencies or financial institutions.
  • The majority of organisations taking part in this research reported their use of PETs and a profile is offered showing which PETs are used and the degree of their adoption.
  • There is uncertainty as to what PETs actually are and what their benefits are. Representatives from other organisations, however, were able to list the benefits they feel that PETs provide. These are presented and reviewed.
  • The obstacles to PET adoption are identified and explored. Clearly, this is an important issue if wider adoption and usage is seen as desirable.
  • Amongst those organisations that use PETs, their application to business processes and or data is not uniformly applied. The implications of this apparent ‘optionality’ are considered in more detail and reported in the full paper.
  • The usage of removable storage devices is frequently regulated and controlled and these controls are identified and their effectiveness explored.
  • The range of protection procedures applied to laptops being taken off-site are identified and evaluated with regard to any tensions that may exist between business process efficiency and data privacy and protection.
  • Procedures for updating PETs and or the adoption of new PETs are reported.

This research is a timely contribution to the body of privacy literature. It also serves as a basis for assessing the contribution of PETs in safeguarding our data privacy and security. In a world in which citizens are increasingly processed and or identified by digital representations the technology that is identified as being a key provider of privacy has to be known, understood and applied. This research concludes that much more needs to be done before UK organisations can fully benefit from PETs and before their data subjects can rest assured that they are fully protected.