Researchers to be free to test anonymisation measures under UK data protection reforms

Planned changes to UK data protection laws will not put security researchers at risk of breaking the law when they test the effectiveness of data anonymization measures, as had been feared.

11 Jan 2018

In the original draft Data Protection Bill introduced before parliament in September 2017, the UK government outlined a proposed new offence relating to the re-identification of anonymised data.

According to its plans, taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" could result in a criminal conviction, although one of the defences that could be raised is where that action can be justified in the public interest.

Now amendments (3-page / 104KB PDF) have been put forward by the parliamentary under secretary of state at the Department for Digital, Culture, Media and Sport, Lord Ashton of Hyde, which attempt to make it clearer that security researchers will avoid criminal conviction when testing that anonymisation measures work.

Under the suggested amendments, people who satisfy "effectiveness testing conditions" would have a defence to the proposed new offence.

"The first condition is that the person acted: with a view to testing the effectiveness of the de-identification of personal data, without intending to cause, or threaten to cause, damage or distress to a person, and in the reasonable belief that, in the particular circumstances, reidentifying the information was justified as being in the public interest," according to the amendment proposed.

"The second condition is that the person notified the [information] commissioner or the controller responsible for de-identifying the personal data about the reidentification: without undue delay, and where feasible, not later than 72 hours after becoming aware of it," it said.

The wording of the Data Protection Bill is still subject to change as it passes through the parliamentary process.