Data Protection Act 2018

171Re-identification of de-identified personal dataU.K.

This section has no associated Explanatory Notes

(1)It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

(2)For the purposes of this section and section 172—

(a)personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;

(b)a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).

(3)It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(4)It is also a defence for a person charged with an offence under subsection (1) to prove that—

(a)the person acted in the reasonable belief that the person—

(i)is the data subject to whom the information relates,

(ii)had the consent of that data subject, or

(iii)would have had such consent if the data subject had known about the re-identification and the circumstances of it,

(b)the person acted in the reasonable belief that the person—

(i)is the controller responsible for de-identifying the personal data,

(ii)had the consent of that controller, or

(iii)would have had such consent if that controller had known about the re-identification and the circumstances of it,

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or

(d)the effectiveness testing conditions were met (see section 172).

(5)It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—

(a)without the consent of the controller responsible for de-identifying the personal data, and

(b)in circumstances in which the re-identification was an offence under subsection (1).

(6)It is a defence for a person charged with an offence under subsection (5) to prove that the processing—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(7)It is also a defence for a person charged with an offence under subsection (5) to prove that—

(a)the person acted in the reasonable belief that the processing was lawful,

(b)the person acted in the reasonable belief that the person—

(i)had the consent of the controller responsible for de-identifying the personal data, or

(ii)would have had such consent if that controller had known about the processing and the circumstances of it, or

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.

(8)In this section—

(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the [F1UK GDPR] or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);

(b)where there is more than one controller, such references are references to the consent of one or more of them.