Re-identifying folks from anonymised data will be a crime in the UK
Government draft confirms only minor deviations from GDPR
The British government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities.
The plans will be set out in the Blighty's Data Protection Bill – due to be introduced to Parliament next month – and could see an unlimited fine levied on people guilty of the new offence. The wider scope of the Bill promises to give individuals more control over how organisations use their personal information, including requests to delete posts or photos. This goes beyond the "right to be forgotten" rules that already exist in the case of search engines. Individuals will find it easier to require an organisation to disclose the personal data it holds about them without charge, if draft proposals go through.
In a statement of intent (PDF), published today, the government says "intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data" will be an offence. Those who knowingly handle or process such data will also be committing a crime, it adds.
A separate offence will be created for altering records with the intention of stopping them being disclosed if an individual requests access to the data, which they will be able to do once the EU's General Data Protection Regulation comes into force in May 2018.
At that time, the GDPR will be directly applicable to organisations in the UK, and much of the government's intentions for the Data Protection Bill mirror the rules that are set out in that regulation.
This includes cranking up the fines that businesses that fail to properly protect people's data. At the moment the UK's data watchdog can issue a maximum fine of £500,000. Once the GDPR is in force it will go up to £17m or 4 per cent of global turnover for the worst offenders.
Organisations also have a much shorter deadline in which to inform the Information Commissioner about data breaches – down to 72 hours – and the definition of personally identifiable information is extended to include IP addresses, internet cookies and biometrics.
In addition, the new regulations set out provisions to ensure consent is active – spelling an end for pre-ticked boxes and default opt-outs on webforms – and make it easier for people to withdraw that consent. "We will ensure that the default reliance on the use of default opt-out or pre-selected 'tick boxes' – which are, in any case, largely ignored – will become a thing of the past," the statement promises.
Other changes to existing laws are to give people the right to request that data held on them is corrected if it's wrong, and for them to find out what data is held on them free of charge.
However, the UK's Data Protection Bill exempts research organisations from the responsibility of changing data on people in cases where this would "seriously impede their ability to complete their work" – for instance if archiving inaccurate data might make help analyse why a decision was taken and how it could be improved on.
The UK had the right to make some deviations from the GDPR as agreed on by the EU member states, which include that the UK's legislation will require that parents have to give consent for children to access online service for kids aged under 13. The GDPR's default age is 16.
There is also confirmation that the UK will continue to allow some bodies to access personal data on criminal convictions and offences. The GDPR grants this access to bodies with official authority to do this, but the UK has for some time allowed other organisations – employers, for example – to access this.
The statement of intent makes it clear that the UK is hoping to ensure "unhindered flow of data" with the EU member states once it leaves the bloc, but does not indicate whether this will be through an adequacy agreement.
Such a decision, from the EU, would certify that it provides the right standard of protection and has been described by peers as the "least burdensome" approach for businesses.
Rashmi Knowles, from RSA Security, commented: "The biggest challenge is going to be process; particularly around issues such as data availability and consent. This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit."
The new Data Protection Bill replaces the existing Data Protection Act (1998). The old law only protected personally identifiable information, and had a much narrower definition of what that constituted. ®