
This post was written with contributions from the Information Commissioner's Office (ICO) and NHS England. It follows GDS’ first blog post on Using Privacy Enhancing Technologies to Enable International Data Sharing.
Why focus on governance?
In October 2025, we described how DSIT’s Privacy Enhancing Technologies (PETs) pilot allowed England’s National Disease Registration Service (NDRS) and the US National Cancer Institute (NCI) to study ultra-rare childhood tumours without moving patient-level data across borders. This cross-border data access aligns with the goal, set out in the blueprint for modern digital government, of using privacy-preserving data sharing to unlock public value for research, and it offers a concrete model for future digital-innovation projects across government.
However, the technical story was only half the achievement. The other half was governance: proving to information governance boards, legal teams and regulators that the collaboration was safe, lawful and proportionate.
In practical terms, our governance approach allowed us to cut the “pre-research” waiting time from the 12+ months typical for international cancer studies to just two months: from first proposal to an approved Data Protection Impact Assessment (DPIA) and agreement on safeguards at both registries.
This blog explains how we did that, what we learnt, and our advice for practitioners delivering collaborative, PETs-based research initiatives.
Starting information governance at the whiteboard
Traditional projects can treat governance as a late-stage hurdle, but applying PETs allowed us to ensure that data protection compliance requirements were integrated from the design stage right through the processing lifecycle, up to and including the end of data retention. This is a key requirement of data protection by design as described in the ICO’s data protection by design and default guidance.
We collaborated with asset owners, technologists, information governance leads and legal advisors from early in the pilot and structured our project's architecture to fit each element of a DPIA:
- Purpose and lawful basis: population health research in the public interest; no direct marketing or commercial reuse.
- Roles and responsibilities: each disease registry remains data controller for its own records; a joint management function (coordinated by DSIT for the pilot) oversees the PETs service.
- Data flows: only encrypted and aggregate outputs leave national borders; no raw record ever sits outside native infrastructure.
By writing these points down before any code was written, reviewers could see that the technology was built to answer regulatory questions, not to dodge them. This helped yield quick positive results and ensured that the risks identified in the DPIA were effectively and proactively mitigated.
Mapping PETs to established control frameworks
PETs describe a range of technical methods and can often feel abstract, so we tried to anchor each PET concept in language that the regulators, clinicians and compliance teams would be familiar with:
- Federated querying: a means of ensuring data minimisation and purpose limitation. Rather than source data, only aggregate level statistical information or anonymised query results are shared.
- Trusted Execution Environment (TEE): a confidential processing environment, separate from the registry environments, that acts like a sealed box: neither party can view the other’s intermediate totals (i.e. the summed aggregates from both data owners).
- Differential privacy (DP): a method to ensure effective anonymisation, providing a mathematical guarantee to prevent re-identification of individuals. DP was accompanied by small count suppression: a technique for withholding the results of queries where the total number of records is small (e.g. 5 or fewer).
Presenting our architecture decisions in this way reassured registry governance boards that PETs complement, rather than replace, existing controls.
Streamlining GDPR compliance
ICO guidance stresses proportionality: if the residual risk of data processing is low, the data protection compliance measures should be less involved.
With the PETs in place, the residual risk of processing dropped significantly; query results are anonymous and fall outside UK GDPR data protection law. However, because the underlying processing inside each disease registry still involves patient-level records (i.e. personal data), a DPIA was still required.
We completed a concise DPIA that assured stakeholders that data protection risks had been fully considered and mitigated in all the processing activities leading up to the sharing of aggregated, anonymous outputs. Critically, we were not transferring personal data outside of the UK under UK GDPR. This meant that the overseas transfer rules in UK GDPR did not apply and there was no need to carry out a Transfer Risk Assessment or issue an International Data Transfer Agreement.
Other governance accelerators
During the project, we applied several behind-the-scenes governance practices that eased the overall delivery process, including:
- Dummy data first: we built the entire pipeline using synthetic data, allowing technical assurance, DPIA drafting and ethics discussions to run in parallel.
- Parameter transparency: publishing the selected value of epsilon (ε = 1) and the <5 small-count rule gave reviewers concrete numbers to test.
- Sandbox thinking: although not formally in the ICO Regulatory Sandbox, we borrowed its iterative, regulator-in-the-room ethos. Check-ins with legal teams, information governance professionals and ICO technology experts avoided late surprises.
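To make the published parameters and the DP-plus-suppression control described above concrete, here is an added illustration in Python; it is not code from the pilot. The registry counts and stratum names are constructed, the TEE is stood in for by a plain summation, and the suppression threshold is read as "five or fewer records withheld".

```python
import math
import random
from typing import Dict, List, Optional

# Constructed (synthetic) per-registry aggregates, mirroring the "dummy data first"
# approach. Keys are analysis strata; values are record counts held by each registry.
UK_COUNTS = {"tumour_A/0-4": 3, "tumour_A/5-9": 7, "tumour_B/0-4": 2, "tumour_B/5-9": 12}
US_COUNTS = {"tumour_A/0-4": 4, "tumour_A/5-9": 9, "tumour_B/0-4": 1, "tumour_B/5-9": 20}

EPSILON = 1.0             # privacy budget published for the pilot
SUPPRESS_AT_OR_BELOW = 5  # small-count rule: withhold strata with 5 or fewer records


def federated_totals(local_counts: List[Dict[str, int]]) -> Dict[str, int]:
    """Sum per-registry aggregates. This stands in for the TEE that combines both
    parties' intermediate totals; only aggregates, never patient rows, enter here."""
    totals: Dict[str, int] = {}
    for counts in local_counts:
        for stratum, n in counts.items():
            totals[stratum] = totals.get(stratum, 0) + n
    return totals


def suppress_small_counts(totals: Dict[str, int],
                          threshold: int = SUPPRESS_AT_OR_BELOW) -> Dict[str, Optional[int]]:
    """Withhold (None) any stratum whose true combined total is at or below the threshold."""
    return {s: (n if n > threshold else None) for s, n in totals.items()}


def laplace_noise(rng: random.Random, epsilon: float, sensitivity: float = 1.0) -> float:
    """Laplace mechanism with scale b = sensitivity / epsilon. For a count query,
    adding or removing one record changes the result by at most 1, so sensitivity is 1.
    A Laplace(0, b) sample is the difference of two independent Exp(rate 1/b) draws."""
    b = sensitivity / epsilon
    return rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)


def release(local_counts: List[Dict[str, int]], epsilon: float = EPSILON,
            threshold: int = SUPPRESS_AT_OR_BELOW, seed: int = 0) -> Dict[str, Optional[int]]:
    """Full release path: federate -> suppress small counts -> add DP noise -> round.
    The suppression decision is taken on the true total, as the published rule describes;
    noise is then added only to the cells that are released."""
    rng = random.Random(seed)
    released: Dict[str, Optional[int]] = {}
    for stratum, n in suppress_small_counts(federated_totals(local_counts), threshold).items():
        released[stratum] = None if n is None else max(0, round(n + laplace_noise(rng, epsilon)))
    return released


def suppressed_strata(released: Dict[str, Optional[int]]) -> List[str]:
    """Names of the strata withheld by the small-count rule."""
    return sorted(s for s, v in released.items() if v is None)
```

Comparing `suppressed_strata(release([UK_COUNTS]))` with `suppressed_strata(release([UK_COUNTS, US_COUNTS]))` shows the "fewer query suppressions" effect: two strata are withheld on UK-only data, one on the combined data, with the same ε and threshold applied.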
Research benefits
Early analysis from NDRS indicates that by accessing combined registry data instead of UK-only data, researchers were able to increase the analytical power of their queries in two main ways:
- Fewer query suppressions: more queries were successfully returned for a given small count suppression, allowing more research to be performed with the same privacy measures applied.
- Reduced standard deviation: the increased sample size cut standard deviation across some statistics by roughly half, providing more robust results for analysis.
Real-world analyses on combined UK-US childhood cancer data are now under way by our partners at NDRS and NCI, and results will be presented later this year.
Takeaways for practitioners
- Design privacy and governance together: PETs work best when information governance questions shape the architecture, not when they are retrofitted.
- Speak regulators’ language: map each PET to a well-known control, consistent with current definitions captured in data protection legislation.
- Aim for evidence, not volume: a concise DPIA backed by technical attestations that clearly articulates which processing steps touch personal data and how PETs mitigate data protection risks by design is more effective than a long DPIA that requires frequent updates.
- Engage the regulatory community: early, informal feedback from the ICO and NHS England governance teams accelerated approvals and built mutual confidence.
If you would like to know more, please contact us at pets@dsit.gov.uk.