In the original draft Data Protection Bill introduced before parliament in September 2017, the UK government outlined a proposed new offence relating to the re-identification of anonymised data.
According to its plans, taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" could result in a criminal conviction, although one of the defences that could be raised is where that action can be justified in the public interest.
Now amendments (3-page / 104KB PDF) have been put forward by the parliamentary under secretary of state at the Department for Digital, Culture, Media and Sport, Lord Ashton of Hyde, which attempt to make it clearer that security researchers will avoid criminal conviction when testing that anonymisation measures work.
Under the suggested amendments, people who satisfy "effectiveness testing conditions" would have a defence to the proposed new offence.
"The first condition is that the person acted: with a view to testing the effectiveness of the de-identification of personal data, without intending to cause, or threaten to cause, damage or distress to a person, and in the reasonable belief that, in the particular circumstances, reidentifying the information was justified as being in the public interest," according to the amendment proposed.
"The second condition is that the person notified the [information] commissioner or the controller responsible for de-identifying the personal data about the reidentification: without undue delay, and where feasible, not later than 72 hours after becoming aware of it," it said.
The wording of the Data Protection Bill is still subject to change as it passes through the parliamentary process.