Researchers to be free to test anonymisation measures under UK data protection reforms

Planned changes to UK data protection laws will not put security researchers at risk of breaking the law when they test the effectiveness of data anonymisation measures, as had been feared.

11 Jan 2018

In the original draft Data Protection Bill introduced before parliament in September 2017, the UK government outlined a proposed new offence relating to the re-identification of anonymised data.

According to its plans, taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" could result in a criminal conviction, although one of the defences that could be raised is where that action can be justified in the public interest.

Now amendments (3-page / 104KB PDF) have been put forward by the parliamentary under secretary of state at the Department for Digital, Culture, Media and Sport, Lord Ashton of Hyde, which attempt to make it clearer that security researchers will avoid criminal conviction when testing that anonymisation measures work.

Under the suggested amendments, people who satisfy "effectiveness testing conditions" would have a defence to the proposed new offence.

"The first condition is that the person acted: with a view to testing the effectiveness of the de-identification of personal data, without intending to cause, or threaten to cause, damage or distress to a person, and in the reasonable belief that, in the particular circumstances, reidentifying the information was justified as being in the public interest," according to the amendment proposed.

"The second condition is that the person notified the [information] commissioner or the controller responsible for de-identifying the personal data about the reidentification: without undue delay, and where feasible, not later than 72 hours after becoming aware of it," it said.

The wording of the Data Protection Bill is still subject to change as it passes through the parliamentary process.