Proposed amendments to the United Kingdom’s Data Protection Bill would help protect security researchers working with anonymized data.
Introduced by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport, the draft changes (PDF) address Clause 162 of the third generation of data protection law that has entered the UK Parliament thus far.
This particular article makes it “an offence for a person [to] knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.” In other words, a security researcher could potentially face criminal charges for proving that anonymized information can be manipulated in such a way that the subjects to which the data pertains can once again be attributed.
The Data Protection Bill as currently written (PDF) does outline certain “defenses” under which a person could justify their decision to re-identify. Those items include obtaining the consent of either the data subject or controller as well as proving that re-identification served the public interest.
Lord Ashton of Hyde’s changes add on to those possible exceptions with the introduction of “effectiveness testing conditions.” To meet those qualifications, a person would need to have acted with a view of testing the effectiveness of the de-identification measures in the aim of serving the public interest and not causing harm. That person would also need to have notified either the Commissioner or the controller(s) responsible for de-identifying the data about their re-identification within a period of less than 72 hours if possible.
This is a Security Bloggers Network syndicated blog post authored by David Bisson. Read the original post at: The State of Security