Stephen Almond is the ICO's Director of Regulatory Risk.
Quantum technologies are advancing at pace, offering huge potential to improve our lives. For example, researchers are already using the next generation of certain quantum sensors to collect highly granular information about people’s brain patterns to improve medical research and diagnostics, while there are ongoing efforts to test real-world applications for early-stage quantum computers.
As the UK’s data protection regulator, we are committed to supporting quantum technology innovation in a way that protects people’s personal information and fundamental rights. Through our emerging tech work, our priority has been to build our understanding of this new frontier and explore how these technologies may impact people’s privacy.
Our new report explores emerging possibilities for quantum technology involving personal data and looks at everything from quantum computing and communications to quantum sensing, timing and imaging. By identifying the privacy and data protection implications of emerging technologies now, we are better placed to enable innovators to consider data protection in development.
It’s not just the ICO that needs to prepare for quantum: organisations processing personal data need to do so too. In particular, quantum computers could one day break widely used cryptographic algorithms that help protect everything from personal data to national security information. While quantum computers powerful enough to do this may be many years, or even decades, away, the process of preparing for such a shift has already begun.
The main proposed approach to addressing the risk is post-quantum cryptography (PQC), which is endorsed by the National Cyber Security Centre. The US National Institute of Standards and Technology (NIST) released the first three PQC standards in August this year. Transitioning to these new types of cryptography may take time and implementation is likely to be an ongoing process.
Large organisations, such as digital service providers and financial institutions, should start to prepare for the transition now, for example by identifying and reviewing at-risk information, systems and cryptography. All organisations must still ensure that their systems are secure against existing risks to personal information like phishing attacks, ransomware, and data breaches. Keeping cybersecurity policies up to date, practising good “cyber hygiene” and ensuring software is updated will provide a strong foundation for the future.
At the ICO, we are eager to learn alongside organisations and developers as these technologies evolve. We are already working with the National Cyber Security Centre, the National Quantum Computing Centre and the Office for Quantum as well as our partners in the Digital Regulation Cooperation Forum. We also encourage organisations handling sensitive or personal information to engage with us early.
Whether organisations are developing quantum technology applications involving personal information or preparing for the transition to quantum-secure systems, the ICO is here to help. Should you be exploring a use case likely to involve personal information and to come to market in the next three years, you can apply to be part of our Regulatory Sandbox programme. You can also connect with our Emerging Technology team at [email protected] to discuss our work in this area further.