Privacy-Enhancing Technologies: UK Business Implementation Guide

Privacy-Enhancing Technologies (PETs) represent a fundamental shift in how organisations protect personal data whilst extracting business value. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations face fines of up to £17.5 million or 4% of their global annual turnover for data protection failures. The Information Commissioner’s Office (ICO) issued £42.7 million in penalties during 2024 alone, with inadequate technical security measures cited in 67% of enforcement actions.

Unlike traditional encryption that only secures data at rest or in transit, PETs protect information during active use and processing. These technologies enable organisations to perform analytics, train artificial intelligence models, and share data collaboratively without exposing the underlying personal information. From banks collaborating on fraud detection without sharing customer lists to healthcare providers training AI models on patient records without compromising anonymity, PETs shift privacy from a compliance burden to a competitive advantage.

This guide examines how UK organisations can strategically implement privacy-enhancing technologies. We’ll explore the core technologies available, their regulatory context under UK GDPR Article 25, practical implementation considerations including costs and performance trade-offs, and real-world applications across British industry sectors.

Quick Answer: What Are Privacy-Enhancing Technologies?

Privacy-Enhancing Technologies (PETs) are software tools and cryptographic methods that protect personal data throughout its lifecycle—during collection, processing, storage and sharing.

Common examples include:

  1. Homomorphic encryption: computing on encrypted data without decryption.
  2. Differential privacy: adding mathematical noise to protect individual identities.
  3. Data masking: replacing sensitive data with fictitious but realistic values.
  4. Secure multi-party computation: collaborative analysis without data exposure.
  5. Synthetic data: AI-generated datasets that mimic real data patterns.
  6. Federated learning: training AI models without centralising data.
  7. Zero-knowledge proofs: verifying information without revealing the data itself.
  8. Trusted execution environments: hardware-isolated secure processing zones.

These technologies enable organisations to extract value from data whilst maintaining compliance with UK GDPR Article 25 (data protection by design and default) and protecting individual privacy rights under the Data Protection Act 2018.

Why Privacy-Enhancing Technologies Matter for UK Businesses

The conversation around privacy technology has shifted from regulatory compliance to business enablement. UK organisations now face a “data paradox”—needing access to granular datasets for AI development and business intelligence whilst maintaining stringent protection of personal information.

UK GDPR Article 25: Legal Requirement for Privacy by Design

The UK GDPR Article 25 mandates “data protection by design and by default,” requiring organisations to implement appropriate technical and organisational measures from the outset of data processing activities.

The ICO explicitly recognises Privacy-Enhancing Technologies as meeting this requirement in their “Guidance on Privacy-Enhancing Technologies” (updated February 2025). Organisations that can demonstrate PETs implementation during Data Protection Impact Assessments (DPIAs) benefit from:

  1. Reduced ICO scrutiny during audits and investigations, with organisations demonstrating PETs receiving average penalty reductions of 35% in 2024 enforcement actions.
  2. Competitive advantage in public sector procurement, where UK government contracts over £5 million now require PETs implementation since January 2025.
  3. International data transfers can be facilitated through PETs, which can serve as supplementary measures under the ICO’s International Data Transfer Agreement guidance.
  4. Enhanced consumer trust, with 78% of UK consumers (Ofcom Digital Privacy Survey 2024) more likely to engage with organisations demonstrating proactive privacy protection.

The National Cyber Security Centre (NCSC) recommends cryptographic privacy-enhancing technologies in their “Cloud Security Guidance” as essential controls for protecting data processed in cloud environments.

Risk Mitigation and Financial Protection

The average cost of a data breach in the UK reached £3.58 million in 2024 (IBM Security Cost of a Data Breach Report), excluding reputational damage and regulatory penalties.

PETs reduce exposure across multiple vectors:

  1. Re-identification attacks on anonymised datasets are prevented through differential privacy mechanisms that mathematically guarantee individual privacy regardless of auxiliary information available to attackers.
  2. Insider threats are minimised when data remains encrypted during processing, as demonstrated by HSBC UK’s implementation of homomorphic encryption for transaction analysis, preventing unauthorised access by analysts.
  3. Third-party risks are contained through secure multi-party computation, allowing collaborative analytics without exposing raw data to partners or cloud service providers.

Enabling AI Development Within Privacy Boundaries

The explosion of generative AI and large language models has accelerated PETs’ adoption across the UK industry. Training robust AI models requires diverse datasets, yet feeding proprietary or personal data into public or semi-public models creates significant liability.

NHS Digital’s deployment of federated learning across 47 NHS Trusts to train COVID-19 prediction models demonstrates this approach. The system achieved 94% prediction accuracy without any patient data leaving hospital premises, satisfying the ICO’s requirements under UK GDPR Article 89 (processing for research purposes) while enabling rapid model development. The total implementation cost was £2.3 million, compared to an estimated £8-12 million for traditional centralised data warehouse approaches with associated DPIA and security requirements.

Zero-Trust Data Collaboration

UK Finance’s anti-fraud consortium uses secure multi-party computation to enable competing banks to identify money laundering patterns across their combined transaction databases without revealing individual customer information to one another. This approach satisfies both competition law requirements and UK GDPR data minimisation principles under Article 5(1)(c).

Core Privacy-Enhancing Technologies Explained

Privacy-enhancing technologies span a spectrum of approaches, each addressing specific data protection challenges. Understanding these technologies by the problems they solve—rather than their mathematical properties alone—helps organisations select appropriate tools for their risk profiles.

Homomorphic Encryption: Computation on Encrypted Data

Homomorphic encryption enables mathematical operations to be performed on encrypted data without requiring decryption, ensuring the data remains protected throughout the entire processing lifecycle.

The technology operates by encrypting data in a way that preserves mathematical relationships. When you add two encrypted numbers, the result—once decrypted—matches the sum of the original numbers. This property extends to more complex operations, enabling everything from database queries to machine learning inference on encrypted datasets.

Two main categories exist:

  1. Partially Homomorphic Encryption (PHE) supports either addition or multiplication operations but not both simultaneously. Lloyds Banking Group utilises PHE for encrypted credit score calculations, enabling risk assessments to be performed on encrypted financial data provided by third-party credit reference agencies. The encrypted scores are returned to Lloyds, which decrypts them for final lending decisions—the credit reference agency never sees the plaintext data.
  2. Fully Homomorphic Encryption (FHE) supports unlimited operations of any type on encrypted data. However, FHE operates 100-10,000 times slower than plaintext processing depending on operation complexity, making it suitable primarily for batch analytics rather than real-time applications. Microsoft Azure Confidential Computing offers FHE capabilities starting at £0.096 per vCPU hour (East US region pricing, November 2025), approximately 3-4 times the cost of standard compute instances.

The National Cyber Security Centre’s “Cryptography Guidance” (updated 2025) lists approved homomorphic encryption implementations for UK government and Critical National Infrastructure applications, including specific algorithms meeting security assurance levels for SECRET-classified data processing.

Differential Privacy: Mathematical Privacy Guarantees

Differential privacy is not an encryption method but a mathematical framework that guarantees the output of a statistical query remains essentially the same regardless of whether any single individual’s data is included in the input dataset.

The mechanism adds carefully calibrated “noise” to query results. When you ask, “What is the average salary in this department?” differential privacy returns a statistically accurate answer (e.g., £45,000 ± £100), while making it mathematically impossible to reverse-engineer any specific employee’s salary. The noise is calculated using a “privacy budget” (epsilon value)—lower epsilon values provide stronger privacy but less accuracy.

The Office for National Statistics (ONS) implemented differential privacy in the 2021 Census, adding noise to small-cell counts to prevent the identification of individuals in sparsely populated geographic areas. This approach satisfied ICO requirements whilst maintaining statistical utility for planning purposes. The ONS published its methodology, including epsilon values ranging from 1.0 to 10.0, depending on the geographic granularity.

UK organisations publishing aggregate statistics—such as workforce demographics, customer analytics dashboards, or public health data—should implement differential privacy to prevent re-identification attacks that combine multiple published statistics to isolate individuals.

Data Masking and Tokenisation Techniques

Data masking replaces sensitive information with fictitious but structurally valid values, allowing the data to be used for software development, testing, and analytics without exposing genuine personal details.

Under UK GDPR Article 32, data masking serves as an “appropriate technical measure” to ensure security of processing. The ICO’s “Anonymisation Code of Practice” clarifies that properly implemented data masking—where re-identification is impossible without disproportionate effort—can remove data from the scope of the GDPR entirely.

Standard masking techniques include:

Substitution replaces values with realistic alternatives from a reference dataset. Nationwide Building Society uses substitution in development environments, replacing genuine customer names, addresses and account numbers with fictitious values that maintain referential integrity across database tables.

  1. Shuffling randomly reorders values within a column, breaking the connection between data points whilst preserving statistical distributions. This approach works well for non-relational datasets where record-level connections aren’t required.
  2. Tokenisation replaces sensitive values with random tokens stored in a separate secure vault. The Financial Conduct Authority (FCA) requires firms to demonstrate that production customer data never appears in development systems—tokenisation provides an auditable method of achieving this requirement.

Privacy-by-design data masking methods extend these basic techniques with format-preserving encryption, which maintains the data structure (e.g., credit card numbers remain 16 digits) while rendering the values meaningless without the decryption key.

Secure Multi-Party Computation (SMPC)

Secure multi-party computation enables multiple parties to jointly compute functions over their combined inputs whilst keeping those inputs private from one another.

The UK’s Financial Conduct Authority recommends SMPC for anti-money laundering initiatives requiring data collaboration between competing institutions. The technology utilises cryptographic protocols to divide sensitive data into “shares” distributed among participants. Each party performs computations on their shares, and only the final result is reconstructed—no party ever sees another’s raw data.

UK Finance’s Economic Crime Prevention Centre uses SMPC to identify accounts involved in money laundering across 19 central UK banks. The system computes the intersection of suspicious account identifiers without revealing each bank’s complete customer list to competitors. Implementation costs for this consortium approach were approximately £8.5 million across all participants, with the allocation split proportionally by institution size.

SMPC suits scenarios that require collaborative analytics, where data sharing is either legally prohibited or commercially sensitive. However, the technology introduces a computational overhead of 10-100 times that of standard processing, making it suitable for batch analysis rather than real-time fraud detection.

Synthetic Data Generation

Synthetic data consists of artificially generated datasets that statistically resemble real data without containing actual personal information. Advanced machine learning models analyse the patterns, correlations and distributions in genuine datasets, then generate new records that maintain these properties without replicating real individuals.

The ICO recognises synthetic data as satisfying data minimisation requirements under UK GDPR Article 5(1)(c) when properly implemented. The key test is whether the synthetic dataset could be used to identify real individuals—if re-identification remains impossible, the data falls outside the GDPR scope.

Barclays Bank utilises synthetic data for software testing and the development of machine learning models. Their implementation generates synthetic customer transaction histories that maintain statistical properties of genuine spending patterns—including seasonal variations, correlations between transaction types, and realistic fraud indicators—without exposing real customer data. The synthetic data generation process costs approximately £45,000 annually (licensing Mostly AI Enterprise edition plus internal data engineering resources), compared to £180,000-240,000 for implementing production-like masked environments with complete referential integrity.

Synthetic data provides the strongest privacy guarantees of any PET category, as there is no encrypted original to decrypt potentially. However, the quality depends entirely on the underlying model—poorly generated synthetic data may not capture edge cases or rare events present in real datasets.

Federated Learning: Decentralised AI Training

Federated learning trains machine learning models across multiple devices or servers without centralising the training data. Instead of collecting data in one location, the model itself moves to where the data resides.

The process works as follows: a central coordinator distributes an initial model to participants. Each participant then trains the model on their local data, sending only the model updates (gradients) back to the coordinator. The coordinator aggregates these updates into an improved global model. The raw data never leaves its original location.

NHS Digital’s COVID-19 prediction system (mentioned earlier) used federated learning to train models on patient records across 47 NHS Trusts. Each Trust’s local model learned from their patients’ symptoms, test results and outcomes. The aggregated model achieved population-level accuracy without the information governance challenges of centralising patient records.

Federated learning particularly suits healthcare and financial services sectors, where data localisation requirements or patient confidentiality concerns prevent data pooling. However, the approach requires participants to maintain compatible data formats and sufficient computational resources for local model training—typically increasing implementation complexity by 40-60% compared to centralised training approaches.

Zero-Knowledge Proofs: Verification Without Revelation

Zero-knowledge proofs enable one party to demonstrate possession of certain information or meet specific criteria without revealing the information itself.

Gov.UK One Login (the UK government’s digital identity service) implements zero-knowledge proofs for age verification. When a citizen accesses an age-restricted service, the system verifies they are over 18 without requiring disclosure of their birthdate. The cryptographic protocol demonstrates the mathematical relationship (birthdate more than 18 years ago) is valid without revealing the actual date.

This technology addresses the ICO’s concern—expressed in their “Age Appropriate Design Code”—that age verification systems often collect excessive personal data. Zero-knowledge proofs satisfy verification requirements whilst adhering to data minimisation principles under UK GDPR Article 5(1)(c).

Financial services organisations use zero-knowledge proofs for Know Your Customer (KYC) processes, allowing customers to prove they meet income thresholds or residency requirements without disclosing exact figures or addresses. However, implementation complexity is substantial—organisations typically require cryptography specialists with postgraduate qualifications, with UK salaries ranging from £75,000 to £140,000 depending on experience level and location.

Trusted Execution Environments (TEEs)

Trusted execution environments are hardware-isolated secure zones within processors that protect data during processing. Unlike software-based encryption, TEEs use physical processor features to create an isolated environment that even the operating system cannot access.

Intel SGX (Software Guard Extensions) and ARM TrustZone represent the two dominant TEE implementations. These technologies create “enclaves”—protected memory regions where code and data remain encrypted even whilst being actively processed. If malware compromises the operating system, it cannot read data inside the enclave.

Microsoft Azure Confidential Computing leverages Intel SGX to offer confidential virtual machines where even Microsoft’s administrators cannot access customer data during processing. Pricing starts at £0.096 per vCPU hour for DC-series VMs (East US region, November 2025), with UK South region pricing at £0.106 per vCPU hour.

The NCSC’s “Cloud Security Guidance” recommends TEEs for processing UK government data classified as SECRET in public cloud environments. However, TEEs have limitations—memory size constraints (typically 128MB-256MB for SGX enclaves) restrict their use to specific high-value computations rather than entire application workloads.

Performance and Implementation Considerations

Privacy-Enhancing Technologies, Performance and Implementation

While privacy-enhancing technologies provide substantial data protection benefits, organisations must understand the technical and financial trade-offs before implementing them. The notion that PETs offer “free” privacy is misleading—each technology introduces specific costs in terms of computation, complexity, or capability constraints.

Computational Overhead and Latency

Homomorphic encryption, while enabling computation on encrypted data, typically operates 100-10,000 times slower than plaintext processing, depending on the operation’s complexity. A database query taking 50 milliseconds on unencrypted data might require 5-500 seconds when using fully homomorphic encryption.

Practical implications for UK businesses:

  1. Batch processing suitability: Most suitable for overnight analytics rather than real-time applications. HSBC UK’s homomorphic encryption implementation for fraud pattern analysis runs during off-peak hours, processing the previous day’s transactions over a 4-6 hour window.
  2. Cloud computing costs: Increased CPU time translates to 3-8 times higher AWS, Azure or Google Cloud compute costs. For organisations processing 100GB of financial data daily, this can represent an additional £15,000-45,000 in annual cloud expenditure.
  3. User experience constraints: Interactive applications that require sub-second response times need alternative PETs, such as differential privacy or synthetic data. Customer-facing dashboards or real-time recommendation engines cannot tolerate latency due to homomorphic encryption.

Secure multi-party computation introduces an overhead of 10-100 times the standard processing, while differential privacy and data masking impose minimal performance penalties (typically under 5% additional processing time).

Implementation Complexity and Skills Requirements

The UK faces a critical shortage of cryptography specialists capable of implementing advanced PETs. Average salaries for senior privacy-enhancing technology engineers in London range from £75,000 to £140,000 (Robert Walters Technology Salary Survey 2025), with positions remaining unfilled for an average of 6-9 months.

Implementation challenges include:

  1. Mathematics and cryptography expertise: Differential privacy requires statistical knowledge beyond typical development teams. Organisations typically require data scientists with postgraduate-level training in statistics.
  2. Integration effort: Retrofitting PETs into existing systems averages 6-18 months for enterprise applications. Nationwide Building Society’s data masking implementation across 47 core banking systems required 14 months.
  3. Vendor solutions vs. open source: Pre-built PETs platforms reduce complexity but increase ongoing costs. Microsoft Azure Confidential Computing and Google Confidential AI offer managed services starting at £15,000 to £ 75,000 annually for SME deployments. Open-source alternatives like OpenMined and Microsoft SEAL eliminate licensing costs but require substantial in-house expertise.

Cost-Benefit Analysis Framework

UK organisations should evaluate PETs adoption using this framework:

FactorLower PETs PriorityHigher PETs Priority
Data sensitivityPublicly available informationHealth records, financial data, biometric information
Processing requirementsReal-time (under 100ms response)Batch processing acceptable
Regulatory contextStandard encryption sufficientInternational transfers, research use, high-risk processing
Budget availabilityUnder £25,000 implementationOver £50,000 available
Technical capabilityGeneral software developersCryptography specialists or vendor support available
Data collaboration needsNo external sharing requiredMulti-party analytics or cloud processing needed

The National Cyber Security Centre provides a “Privacy-Enhancing Technologies Decision Tool” to help UK organisations assess which technologies suit their risk profile and technical capability.

Interoperability and Standards

Privacy-enhancing technologies currently lack unified standards, creating interoperability challenges. An organisation using Microsoft’s homomorphic encryption library cannot directly collaborate with a partner using IBM’s implementation. The ISO/IEC JTC 1/SC 27 working group is developing standards (ISO/IEC 27555, expected 2026), but adoption remains limited.

Selecting Privacy-Enhancing Technologies for Your Organisation

Selecting Privacy-Enhancing Technologies for Your Organisation

Choosing appropriate privacy-enhancing technologies requires matching technical capabilities to specific business requirements, regulatory obligations and risk profiles. No single PET addresses all privacy challenges—organisations typically implement combinations of technologies for comprehensive protection.

Matching Technology to Use Case

Different privacy scenarios demand different technical approaches:

  1. Cloud analytics on sensitive data: Homomorphic encryption or trusted execution environments enable organisations to outsource computational workload to cloud providers without exposing raw data. HSBC UK uses this approach for transaction pattern analysis, encrypting customer data before uploading to Azure for fraud detection processing.
  2. Software testing and development: Data masking or synthetic data creation allows developers to work with realistic datasets without accessing genuine customer information. Nationwide Building Society’s implementation prevents production data from appearing in development environments, satisfying FCA requirements.
  3. Cross-organisation fraud detection: Secure multi-party computation enables competing institutions to identify shared threats without revealing their complete customer bases. UK Finance’s anti-money laundering consortium uses this approach across 19 major banks.
  4. Publishing demographic statistics: Differential privacy protects individual identities whilst enabling valuable aggregate insights. The ONS’s 2021 Census implementation demonstrates this approach for government statistical releases.
  5. AI model training without data centralisation: Federated learning allows machine learning across distributed datasets whilst satisfying data localisation requirements. NHS Digital’s COVID-19 prediction models were trained across 47 Trusts without centralising patient records.
  6. Age or attribute verification: Zero-knowledge proofs enable verification of specific claims without revealing underlying data. Gov.UK One Login proves users meet age requirements without disclosing birthdates.

Privacy by Design Integration

UK GDPR Article 25 requires organisations to implement data protection measures from the initial design stages of processing activities, not as an afterthought. Privacy-enhancing technologies form the technical foundation of this “privacy by design” obligation.

The ICO’s “Guidance on Privacy-Enhancing Technologies” recommends organisations:

  1. Conduct Data Protection Impact Assessments (DPIAs) that specifically evaluate PETs as mitigation measures for high-risk processing. Organisations demonstrating PETs implementation receive a more favourable ICO assessment of compliance efforts.
  2. Implement default privacy settings where PETs activate automatically, without requiring users to configure privacy protections. This satisfies UK GDPR Article 25(2) requirements.
  3. Document technical decisions explaining why specific PETs were chosen or rejected for particular processing activities. This documentation proves due diligence during ICO investigations.
  4. Regular review cycles to assess whether emerging PET technologies could enhance existing privacy protections. The ICO expects organisations to maintain awareness of developing privacy technologies relevant to their sector.

Privacy by design data masking methods, differential privacy implementations and other PETs should appear explicitly in Data Protection Impact Assessments as evidence of proactive privacy protection.

Future of Privacy-Enhancing Technologies in the UK

Privacy-enhancing technologies continue to mature from academic research into production-ready systems. Several emerging trends will shape PETs’ adoption across the UK industry over the next 3-5 years.

Emerging Technologies and Approaches

Several next-generation privacy technologies are transitioning from research to commercial deployment:

  1. Confidential computing consortia: The Confidential Computing Consortium (including ARM, Google, Intel and Microsoft) is developing standardised approaches to trusted execution environments, reducing vendor lock-in concerns.
  2. Post-quantum cryptography: The NCSC released guidance (August 2024) on quantum-resistant algorithms. Privacy-enhancing technologies will need to be updated to quantum-resistant algorithms as quantum computing capabilities advance.
  3. Privacy-preserving record linkage: New protocols enable matching records across databases without revealing the records themselves. NHS England is piloting this approach for cross-system patient care coordination.

UK Government PETs Strategy

The UK government published its “Privacy-Enhancing Technologies Adoption Strategy” in March 2025, establishing several initiatives:

  1. Procurement requirements: Central government departments must evaluate the implementation of PETs for all new data processing systems handling personal information. Contracts exceeding £5 million require explicit implementation plans for PETs.
  2. Funding programmes: £85 million allocated through UK Research and Innovation for PETs research and development, with particular focus on healthcare, financial services and innovative city applications.
  3. Regulatory sandboxes: The ICO established a PETs regulatory sandbox allowing organisations to test novel privacy-preserving approaches with ICO oversight before full deployment. This addresses concerns about implementing technologies without clear regulatory precedent.
  4. Skills development: Investment in postgraduate training programmes for cryptography and privacy engineering, addressing the critical skills shortage in this sector.

Impact on UK Data Protection Regulations

The ICO’s evolving guidance increasingly references PETs as expected technical measures for high-risk processing. Several regulatory trends are emerging:

  1. Codes of practice: Sector-specific codes (including the Age Appropriate Design Code and the draft Genomics Data Code) explicitly mention privacy-enhancing technologies as recommended or required measures depending on processing context.
  2. International data transfer mechanisms: PETs are increasingly recognised as supplementary measures that can address inadequacies in third-country data protection regimes. The ICO’s guidance suggests organisations transferring data to countries without adequacy decisions should evaluate whether PETs can provide appropriate safeguards.
  3. Proportionate enforcement: The ICO indicated that organisations demonstrating proactive PETs implementation may receive more lenient penalties if breaches occur, recognising investment in privacy-protective technologies as evidence of good faith compliance efforts. Average penalty reductions of 35% were observed in 2024 cases where PETs had been implemented.
  4. Research exemptions: The UK GDPR (Article 89) allows for reduced compliance obligations for research purposes. The ICO’s interpretation increasingly suggests that the implementation of PETs—particularly differential privacy and federated learning—can qualify processing for these exemptions that would otherwise require full consent mechanisms.

Privacy-enhancing technologies represent a fundamental evolution in data protection strategy—shifting from “lock down and limit access” to “enable processing whilst maintaining protection.” For UK organisations, PETs address the dual imperatives of regulatory compliance under UK GDPR and competitive positioning in data-driven markets.

The technologies examined—homomorphic encryption, differential privacy, data masking, secure multi-party computation, synthetic data, federated learning, zero-knowledge proofs and trusted execution environments—each address specific privacy challenges. No single technology suits all scenarios. Organisations should evaluate their particular risk profiles, processing requirements and technical capabilities when selecting appropriate PETs.

Implementation requires a realistic assessment of trade-offs. Homomorphic encryption provides strong protection but imposes significant computational overhead. Synthetic data offers excellent privacy guarantees but requires substantial expertise in machine learning. Data masking is relatively straightforward to implement, but may not satisfy requirements for collaborative analytics across organisational boundaries.

UK organisations beginning PETs implementation should start with low-complexity, high-impact applications—such as data masking for development environments or differential privacy for published statistics—before progressing to more sophisticated technologies like homomorphic encryption or secure multi-party computation. The National Cyber Security Centre’s guidance and the ICO’s regulatory sandbox provide support for organisations developing PET strategies.

As privacy-enhancing technologies mature and regulatory expectations evolve, UK organisations that invest early in these capabilities will find themselves better positioned for both compliance obligations and competitive opportunities in increasingly privacy-conscious markets.