* Posts by ctdh

1 post • joined 3 May 2018

UK Data Protection Bill tweaked to protect security researchers


Did I miss something...?

The EU GDPR regulation appears to specifically place out of its scope fully anonymised data; it also makes the distinction of 'pseudonymised' data, which remains in scope. This makes sense.

The EU GDPR Recital 26 says "...The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

However, the draft Data Protection Bill makes no reference to the use of anonymised or 'pseudonymised' data; it simply refers to 'any' data 'relating to' a data subject. The draft Bill states: "“Personal data” means any information relating to an identified or identifiable living individual."

Anonymised, 'pseudonymised' or plain data may all 'relate' to an identified or identifiable living individual. It does not say the individual has to be identified or identifiable from the data.

However, the draft Bill goes on to discuss the criminality of re-identification of de-identified personal data in section 167. There is a loose implication of the benefits of de-identification of personal data, but it goes no further. Also, de-identified data held by one person may be pseudonymised data to another person because they have further confidential information required to re-associate the records to an individual.

So, under the proposed Bill, is it still possible to process properly anonymised data? Is such data out of scope of the draft Bill? The problem seems to be in the original definition in the draft Bill of 'personal data'.

