Data is vital to the functioning of government, helping agencies make informed decisions, improve public services, and drive policy innovation. However, data sharing comes with significant privacy risks, including unauthorized access, data breaches, re-identification of individuals from data associated with them, and potential misuse of sensitive information.

Privacy-enhancing technologies (PETs) offer solutions to address many of these risks by enabling secure and privacy-preserving data use. These technologies allow organizations—whether they are government agencies, private corporations, or nonprofit service providers—to share and analyze data while ensuring compliance with privacy regulations and maintaining public trust. However, PET adoption presents challenges, including technical complexity and resource constraints.

While PETs have a broad range of utility, this report specifically outlines the role of PETs in government operations. It provides an overview of available PET options and serves as a practical guide for data professionals in local, state, and federal government to determine the most suitable PETs for their specific needs. As PETs continue to evolve, governments must invest in capacity-building and policy frameworks to maximize their benefits for public sector innovation and responsible data use.

This report aims to:

• Explain the significance of PETs in protecting sensitive data while enabling responsible data sharing;
• Provide an accessible introduction to different types of PETs and their potential applications; and
• Offer practical guidance to help government data professionals, policymakers, and privacy engineers select PETs based on specific data-sharing requirements.

Governments should and do rely on data to allocate resources, assess policy impact, and improve public services. From tracking public health trends to optimizing educational attainment, data-driven decision-making enables more efficient and informed governance. However, the growing scale of data collection and sharing also heightens privacy risks—particularly as more personal information is aggregated and stored across public and private systems.¹ Consumer data, including financial records, location history, and online activity, is increasingly intertwined with government-held information, creating broader exposure to breaches, misuse, and re-identification.²

Without proper safeguards, sensitive personal data can be exploited, leading to real-world harm. For example, the 2015 U.S. Office of Personnel Management (OPM) breach compromised the records of millions of federal employees, exposing Social Security numbers, personnel records, and even extensive information about employees’ friends and relatives provided as part of applications for security clearance.³ Similar risks exist in the private sector, where high-profile breaches have exposed data from credit card details to genetic information.⁴ Such incidents erode public trust and illustrate the dangers of concentrating vast amounts of sensitive information in centralized, highly accessible systems.⁵

“When data is consolidated across agencies and sectors, insider threats, unauthorized access, and political misuse become greater risks.”

Large, integrated databases offer efficiency and convenience, but they also create single points of failure.⁶ When data is consolidated across agencies and sectors, insider threats, unauthorized access, and political misuse become greater risks.⁷ Recent high-profile cases have underscored how individuals with privileged access—whether through government positions or corporate control—can exploit these databases in ways that put people and systems at risk.⁸

Privacy-enhancing technologies (PETs) can provide technical solutions to mitigate these risks at every stage of the data lifecycle—collection, processing, use, storage, and sharing.⁹ By decentralizing access, limiting exposure of sensitive data, and enabling secure analysis, PETs help balance data utility with privacy protection. As governments and companies continue to modernize their digital infrastructure, PETs must be a core component of responsible data governance, ensuring that data utility does not come at the expense of individual privacy and security.¹⁰

Privacy-enhancing technologies (PETs) refer to a diverse set of tools and methodologies designed to ensure that data can be used, analyzed, and shared without compromising the privacy of the people whose data has been collected.¹¹ These technologies mitigate risks by applying cryptographic techniques, anonymization methods, and secure computation processes.¹² PETs are particularly critical for safeguarding the privacy of individuals whose data is held by governments, businesses, and research institutions—whether it’s citizens interacting with public services, consumers generating digital footprints, or patients contributing to medical research. By reducing the risk of exposure, PETs allow organizations to extract insights from data while maintaining trust and compliance with privacy protections.¹³

Government data breaches can have far-reaching consequences, exposing sensitive personal information and undermining confidence in public institutions.¹⁴ With vast amounts of data—including Social Security numbers, health records, and immigration details—at risk, breaches can lead to identity theft, financial fraud, or personal safety risks.¹⁵ Additionally, compromised government databases can be exploited for political or foreign interference, weakening national security.¹⁶ Public distrust in data security can reduce participation in critical government programs, limiting the effectiveness of services and policy initiatives.¹⁷ By integrating PETs, governments can minimize these risks, enhancing both the security of public data systems and the trust of the people they serve.

As data use grows across sectors, the need for robust privacy safeguards becomes more urgent. PETs contribute to safeguards by:

• Minimizing trust requirements: Using technical measures to enforce restrictions on data access and processing, instead of relying solely on policies and contracts to protect privacy.
• Enabling secure data collaboration: Facilitating secure data sharing across organizations without exposing raw datasets, preserving confidentiality and privacy.
• Supporting ethical data use and legal compliance: Helping governments and organizations adhere to laws that mandate de-identification, access restrictions, and limitations on purpose and use, safeguarding ethical data-handling practices.¹⁸

One of the key advantages of PETs is their ability to facilitate public-interest data sharing. Governments often need to share information across agencies, with research institutions, or with private-sector partners to drive innovation and improve public services.¹⁹ PETs can enable this type of collaboration while limiting disclosure and without compromising individuals’ privacy.²⁰

Government agencies handle vast amounts of personal, financial, and health-related data. Ensuring that this data is shared and processed securely is critical for:

• Cross-agency collaboration: Enabling government entities to securely analyze and link data across departments while maintaining privacy protections in compliance with legal and ethical standards.
• Public trust and transparency: Encouraging citizen support for data-driven initiatives by ensuring their privacy is safeguarded through secure data practices.
• Privacy policy and regulatory compliance: Helping agencies meet legal and regulatory requirements by ensuring personal data is processed in accordance with privacy laws, including data minimization, consent management, and data retention policies.²¹

In practice, PETs can support a wide range of use cases, such as:

• Health data research: Enabling secure data-sharing frameworks for medical research while protecting patient confidentiality.
• Fraud detection and prevention: Analyzing financial transactions securely without exposing personal financial details.
• Census and demographic analysis: Aggregating census data to analyze trends without accessing personally identifiable information.

By embedding PETs into government data strategies, agencies can unlock the value of data while protecting individuals’ rights and upholding ethical standards.

Privacy-enhancing technologies (PETs) are highly technical. This makes it challenging for non-experts to understand their functions, in turn making it harder to fully understand their benefits. To bridge this gap, this report includes a glossary that provides clear, non-technical explanations of key PETs.

Additionally, after the glossary, there is a table to help practitioners navigate which PET may be best suited for different needs (see Table 1). The goal is to ensure that policymakers, data managers, and engineers can make informed decisions about which PETs to use in different scenarios.

The PETs covered in this report were chosen based on their relevance to government use cases, their ability to protect privacy while maintaining data utility, and their compliance with regulatory requirements. The selection process considered:

• Strength of privacy protections: The extent to which each PET minimizes exposure of sensitive data.
• Suitability for government applications: Whether the PET can be effectively integrated into government workflows and data-sharing initiatives.
• Regulatory and ethical considerations: How well each PET aligns with privacy laws and ethical data-use principles.

By understanding and implementing PETs, government agencies can ensure that data-driven initiatives remain both effective and privacy-compliant. The following sections provide an in-depth look at different PETs, their applications, and how they can be leveraged for secure data sharing.

When deciding which privacy-enhancing technology (PET) to use, there are several key factors to consider. These factors include the type of data, the sensitivity level of the data, the data-sharing needs, the required privacy guarantee level, and scalability requirements. Each of these considerations plays a critical role in determining which PET is best suited for a particular use. Table 1 breaks this down in a more visual way, making it easier to compare and understand how each factor influences the choice of the most appropriate PET for a specific situation. For a more detailed explanation of the questions used to evaluate each PET, please refer to Appendix 2.

The type of data is one of the most important considerations when selecting a PET. For example, if the data contains personally identifiable information (PII), such as names, Social Security numbers, or addresses, the technology chosen must be capable of protecting individuals’ identities. PETs like encryption, tokenization, and differential privacy are specifically designed for handling sensitive PII and ensuring that individual records are protected.²² On the other hand, if the data is aggregated or anonymized—such as trends or summaries without any direct identifiers—the requirements for privacy protection may be less stringent. In these cases, techniques like generalization or federated analytics may be sufficient, as they preserve privacy while allowing for broader data analysis without exposing specific individual information.

The sensitivity level of the data also determines the privacy measures needed. Highly sensitive data, such as medical records or financial information, demands more robust security measures to prevent breaches or misuse. For such sensitive datasets, PETs like homomorphic encryption or secure multi-party computation (SMPC) can provide strong privacy guarantees by ensuring that the data remains encrypted even during processing and analysis, thus minimizing the risk of exposure.²³ In contrast, data with medium or low sensitivity, such as business analytics or public records, may not require as strict of protections. For these types of data, techniques like de-identification or k-anonymity may offer a sufficient balance between privacy and usability, as they can anonymize or group data without significantly diminishing its usefulness for analysis.²⁴

Another critical factor to consider is data-sharing needs. The level of privacy protection required can vary greatly depending on whether the data will be shared within a trusted environment or with external partners. For example, if data is being shared within a government agency or between departments with strong internal security controls, the privacy requirements may be less strict, and basic encryption techniques or tokenization might be adequate.²⁵ However, if data is being shared with external entities, such as third-party vendors, contractors, or researchers, stronger privacy protections are necessary to ensure that sensitive information remains secure and that unauthorized access is prevented. In such cases, PETs like federated learning, private set intersection, or differential privacy allow for secure data sharing and analysis while ensuring that individual-level data is not exposed to external parties.²⁶

The required privacy-guarantee level plays a significant role in selecting a PET. Some applications prioritize maximum privacy, even if this means sacrificing data precision. For example, when dealing with extremely sensitive data, high-privacy guarantees may be necessary, even if this reduces the precision of the data. Techniques like differential privacy introduce random noise to datasets, ensuring that the privacy of individuals is protected while allowing for aggregate analysis.²⁷ On the other hand, some use cases require a more balanced approach, where a moderate level of privacy is acceptable but maintaining data precision is still important. In these scenarios, PETs like k-anonymity or tokenization may offer a good compromise, as they protect personal information while still allowing for detailed, actionable insights from the data.²⁸

Finally, scalability requirements are a crucial consideration when selecting a PET. As datasets grow in size, the scalability of the privacy-enhancing technology becomes more important. For smaller datasets, more resource-intensive PETs like homomorphic encryption or SMPC might be feasible because the computational overhead is manageable.²⁹ However, for large datasets, it’s essential to choose a PET that can scale without compromising performance. Techniques such as federated learning or federated analytics are particularly useful in large-scale environments because they allow data to be processed across multiple devices or servers, ensuring that privacy is maintained without the need to centralize sensitive information.³⁰ Additionally, distributed encryption and generalization techniques can scale well to handle large volumes of data while still preserving privacy.³¹

In summary, selecting the appropriate PET depends on the specific data characteristics and the intended use case. By carefully evaluating the type of data, its sensitivity level, sharing needs, privacy guarantees, and scalability requirements, organizations can choose the right PET to meet their privacy and security goals while still enabling effective data analysis.

The combination of privacy-enhancing technologies (PETs) depends on the data flow and lifecycle—which include how data is collected, processed, shared, and analyzed. Aligning PET selection with the data cycle and intended utility helps organizations maximize both privacy and the value of their data.

Some PETs require a sequential approach because certain protections must be in place before the next stage of processing. For example, a government agency managing benefit enrollment might first apply encryption in transit to secure personal and financial information as it moves between systems and then use homomorphic encryption to analyze eligibility criteria without exposing individuals’ raw data. Similarly, k-anonymity might be applied to de-identify enrollment data before generating synthetic datasets that enable policy analysis without revealing specific applicants.

In other cases, PETs can function independently or in parallel, depending on the privacy risks and data-use requirements. For example, differential privacy can be applied directly to reports on program participation to prevent re-identification, while federated learning allows agencies to collaborate on improving benefit delivery without sharing individual records. Since these techniques address different risks, they do not need to be applied in a strict sequence.

Choosing the right PET approach requires understanding the full data lifecycle. This means assessing the sensitivity of the data, the risks at each stage, and the level of privacy protection required while ensuring the data remains useful. If data will be shared across agencies or undergo multiple transformations, a sequential approach may be necessary to maintain privacy at every step. If privacy risks are distinct and manageable separately, PETs can be applied independently.

Governments could apply k-anonymity to real census data, ensuring that individuals’ identities are protected by generalizing or suppressing sensitive information. Then, they could generate synthetic datasets to replace specific, identifiable data points, such as exact age or location, enabling continued research and policy development without compromising citizens’ privacy. This approach ensures that demographic trends are studied while minimizing the risk of re-identification.

The combination of tokenization, hashing, and differential privacy in a sequential process works by progressively securing data at each step. First, tokenization replaces sensitive identifiers with non-reversible tokens, making the data less identifiable. Then, hashing further secures the tokenized data by creating a one-way transformation, ensuring that even if data is exposed, it can’t be reverted back to its original form. Finally, differential privacy ensures that the data can be shared or analyzed without revealing individual-specific information by introducing random noise into the dataset. This sequential approach is critical in creating an individual-level anonymized dataset, as seen in the census, where personal identifiers are stripped away to allow for data analysis while protecting privacy.

Tokenization and secure multi-party computation (SMPC) can be used by public sector organizations to enhance privacy while enabling collaboration. Tokenization anonymizes sensitive data, such as health care records, before sharing it between agencies, ensuring personal information remains protected. SMPC allows agencies to analyze the data for public health research without revealing private information. Since tokenization and SMPC operate independently, this approach is non-sequential while maintaining privacy and utility.

Adopting privacy-enhancing technologies (PETs) presents several challenges, including technical complexity, usability issues, and regulatory gaps. These barriers can slow the widespread implementation of PETs and complicate their integration into organizations’ data privacy practices.

Technical complexity is a key barrier to PET adoption. Many PETs, especially those involving advanced cryptographic techniques such as homomorphic encryption or secure multi-party computation, require specialized knowledge and are computationally intensive.³² For example, differential privacy—used by the U.S. Census Bureau in the 2020 Census—adds noise to data to protect individual privacy.³³ However, this approach can reduce accuracy, particularly in small communities with limited data.³⁴ The challenge lies in balancing privacy protection with data utility, as introducing too much noise can lead to inaccurate or unrepresentative insights.

Usability issues in PETs are another obstacle. Many PETs are complex to configure and manage, making them less accessible to non-technical users.³⁵ Poorly designed interfaces can hinder adoption, as organizations may struggle to implement these technologies correctly.³⁶ To overcome this, user-friendly interfaces that abstract the technical complexity of PETs could help organizations deploy these tools more effectively, making privacy protections easier to use without sacrificing security.

Regulatory and standardization gaps also hinder PET adoption. For example, the European Union’s General Data Protection Regulation (GDPR) requires “appropriate technical and organisational measures” to protect personal data but does not specify which PETs ensure compliance.³⁷ This lack of clarity can create confusion about which technologies are legally acceptable, especially when jurisdictions interpret privacy laws differently. Developing standardized guidelines for PET usage would provide clearer compliance paths, helping organizations confidently choose the right technologies for their needs while adhering to legal requirements.³⁸

Cost constraints are a major hurdle in PET adoption. High implementation costs, ongoing maintenance expenses, and integration complexities make it difficult for organizations to justify investment, particularly when privacy protections do not directly contribute to revenue generation.³⁹ Many PETs require specialized infrastructure or technical expertise. Advanced techniques such as homomorphic encryption or secure multi-party computation demand substantial computing resources, driving up costs.⁴⁰ If the return on investment isn’t clear, organizations may deprioritize PET adoption and the data sharing allowed in favor of other pressing technological needs. Having a clear understanding of the value of PET-enabled data sharing can help, as can implementing them in phases.

Operational challenges further complicate PET implementation. Many organizations or government agencies lack the in-house expertise required to deploy and maintain these technologies effectively.⁴¹ Government agencies may struggle with the technical demands of PETs, from configuring privacy-preserving algorithms to ensuring ongoing compliance with evolving regulations and best practices. Without dedicated resources, PETs may become underutilized or misconfigured, reducing their effectiveness. Streamlining PET integration through managed services, a dedicated support staff or team, and a phased approach can help address these operational challenges.

Awareness and expertise gaps—a lack of awareness and understanding of PETs among key stakeholders—present another significant barrier. Many decision makers are unfamiliar with PETs’ functionality, potential integration with existing systems and data lifecycles, and benefits to improving data use and sharing efforts, leading to hesitation around investing.⁴² Moreover, PETs are often perceived as more complex or resource-intensive than they are, which makes it difficult to appropriately build a strong case for their implementation. In areas where privacy risks or data-sharing efforts are not immediately pressing, organizations and agencies may prioritize more familiar measures, or just default to not sharing the data generally.⁴³ Adopting PETs also requires cross-functional collaboration, yet expertise is typically confined to specific departments or data-sharing initiatives, such as the census. This can result in fragmented efforts that reduce the overall utility of PETs. Overcoming these gaps with targeted training and knowledge sharing can help integrate PETs more effectively into data-governance strategies.

To incentivize the implementation of privacy-enhancing technologies (PETs), governments, research institutes, philanthropic organizations, and private partners should focus on creating an ecosystem that fosters both development and widespread adoption. Given the growing importance of privacy-preserving data sharing, these stakeholders can take key steps to drive this transformation in public sector data practices.

First, governments should align procurement policies with criteria that prioritize affordability, scalability, and effectiveness in real-world, public-sector applications. For instance, the Massive Data Institute’s Privacy-Enhancing Technologies initiative provides guidance to school districts and education agencies on how to use PETs to securely use student data to improve service delivery and learner outcomes.⁴⁴ By establishing clear benchmarks—particularly for solutions that can be adapted across various use cases—that support both privacy and data utility, governments can encourage vendors to competitively bid on their ability to deliver strong, secure, and efficient technologies.⁴⁵ Long-term contracts or public-private partnerships can further encourage innovation by providing a predictable revenue stream, motivating vendors to invest in scalable solutions that meet evolving needs.

Secondly, governments should also issue clear guidelines for determining when PETs are sufficient for meeting privacy and security requirements. Defining specific use cases where specific PETs—such as encryption or anonymization—are effective in mitigating risks while maintaining data utility can ensure that solutions are both secure and practical. These guidelines and frameworks also empower government users to confidently adopt a range of PET solutions, knowing they are in compliance with regulatory and privacy requirements.

Thirdly, the market alone may not fully address the need for effective PETs, especially given that the case for data sharing to improve government programs and services may not always be prioritized. To fill this gap, governments and other stakeholders should provide incentives for innovation through mechanisms like targeted grants or collaborative research initiatives. The Future of Privacy Forum’s Privacy-Enhancing Technologies Research Collaboration Network, supported by the U.S. National Science Foundation and Department of Energy, seeks to build a repository of existing use cases; this effort is an example of how government-supported collaboration can foster development and use-case clarity.⁴⁶

International partnerships like the one between the U.K. Information Commissioner’s Office and the U.S. National Institute of Standards and Technology demonstrate the value of cross-border efforts. A key initiative supported by these entities was a global competition in which experts from academic institutions and private companies competed for a combined $1.6 million prize pool.⁴⁷ These efforts show that when countries align, they can lower costs and drive the development of emerging technologies.

As data becomes increasingly essential for effective governance, protecting privacy remains critical. Privacy-enhancing technologies (PETs) provide a means for governments to unlock the value of data while safeguarding sensitive information. By promoting innovation, fostering collaboration, and offering clear guidelines, governments can create an environment where data serves the public good without compromising privacy. This guide aims to lower barriers to understanding the benefits and applications of various PETs. There is an urgent need for public sector stakeholders to prioritize securely using data to drive positive outcomes while upholding the privacy and rights of individuals.

• Algorithm: a step-by-step set of instructions a computer follows to solve a problem or perform a task.
• Cryptographic method: a technique used to secure data by transforming it into a format that is unreadable to unauthorized users, often used to protect sensitive information.
• Data aggregation: the process of collecting and summarizing data from multiple sources to form a comprehensive set or report, often used for analysis and reporting.
• Data de-identification: the process of removing or modifying personally identifiable information from datasets, so that individuals cannot be readily identified from the data, while maintaining its utility for analysis.
• Data integrity: the accuracy and reliability of data.
• Data lifecycle: the stages through which data passes from creation or collection, through processing and analysis, to sharing, storage, and eventual deletion or archival.
• Data processor: a person or company that handles data on behalf of another organization.
• Data sharing: the practice of making data available for access, use, or collaboration with other parties.
• Input data: the information that goes into a system (i.e., a search term you type into Google).
• Machine learning model: a type of computer program that learns patterns from data and makes predictions or decisions without being explicitly programmed.
• Noise: random data or alterations deliberately introduced into a dataset to protect individual privacy by preventing re-identification, commonly used in techniques like differential privacy.
• Operating system: the software that runs on a computer or phone and manages all its basic functions, like running apps, storing files, and connecting to the internet.
• Output data: the result that comes back from a search (i.e., the list of results you see).
• Risk of exposure: the likelihood or potential for sensitive data to be accessed, disclosed, or misused by unauthorized individuals, systems, or entities.
• Security measures: the technical, administrative, and physical actions taken to safeguard data against unauthorized access, alteration, destruction, or theft.
• Sensitive information: any data in need of extra protection due to its confidential nature, such as health records, financial details, or Social Security numbers that carry more harm if exposed.
• Server: a powerful computer that stores and processes data and makes it available to other devices. When visiting a website, for example, you’re getting information from a server.
• Statistical properties: the characteristics of data, such as averages, trends, and distributions, that can be used to understand patterns without revealing specific personal details.
• Transaction: the process of transferring or exchanging data between parties, such as in financial exchanges or when querying databases.
• Unintended disclosure: the accidental or inadvertent disclosure of sensitive data, potentially due to technical flaws or human error.

This appendix outlines the series of key questions used to evaluate privacy-enhancing technologies (PETs) in Table 1. Each question is designed to assess specific aspects of a PET, such as its ability to maintain data privacy, prevent re-identification, and ensure scalability, among other factors. The answers to these questions help determine a PET’s strengths, limitations, and suitability for different use cases, supporting informed decisions in the adoption of these technologies for privacy protection.

1. Does this PET allow personal data to be re-identified? This checks whether the method or process could enable unauthorized parties to re-identify personal data, either in transit or after protection is applied.
2. Does this PET provide strong anonymity protections? This checks whether the method ensures that individual data points are indistinguishable within a dataset.
3. Does this PET prevent re-identification in publicly shared data? This asks whether the technology ensures that personal data cannot be re-identified when shared publicly, such as in a dataset or report.
4. Does this PET help prevent linkage attacks across datasets? This checks whether the PET helps prevent adversaries from combining or correlating datasets to re-identify individuals.
5. Does this PET introduce accuracy trade-offs? Some PETs may reduce the quality or accuracy of data to protect privacy. This question asks whether accuracy is sacrificed.
6. Is this PET reversible (i.e., can the original data be reconstructed)? This assesses whether the protected data can be reversed or mapped back to the original data, such as through decryption or re-identification techniques.
7. Does this PET support computations on encrypted or anonymized data? This checks whether analysis or operations can be performed on encrypted or anonymized data without first decrypting or de-anonymizing it.
8. Does this PET support secure data sharing with external partners? This determines if the technology enables data to be securely shared with outside entities while maintaining privacy protections.
9. Is this PET best suited for use within a single organization? This checks whether the PET is mainly intended for internal use rather than multi-party collaboration.
10. Does this PET require trust in a central authority or intermediary? Some PETs rely on a central entity to manage access, keys, or data processing. This checks whether trust in such an intermediary is required.
11. Is this PET scalable for large datasets? Scalability refers to whether the PET can handle large volumes of data efficiently without performance degradation, which is essential for big data applications.
12. Does this PET require substantial computing power? Some PETs, especially advanced cryptographic techniques, can be computationally intensive. This checks if the PET is resource-heavy relative to other PETs.
13. Is this PET easy to implement? This evaluates how practical and straightforward it is to adopt and integrate the PET into existing systems, including infrastructure and technical support.