Correspondence from Mr Edward Vaizey MP,
Minister for Digital Economy (BIG0089)
Big data dilemma inquiry: criminal penalties
As you will be aware, there have been massive advances in digital technology since the DPA came into force nearly 20 years ago. The original intention of section 55 was to address the problem of third parties obtaining personal data by deception and most prosecutions under this provision have dealt with these types of offences. It is unlikely that it was intended for the purposes of dealing with the de-anonymisation, which was not thought to be a major issue at the time. The Government recognises that the sanctions available for the misuse of data must, where possible, keep pace with the advances in technology and that there are appropriate safeguards and deterrents to meet the challenges presented by the increased use of big data. Other measures, such as transparency of processing, raising the public’s awareness of how their personal data may be used, and the adoption of robust measures by organisations to mitigate the risks of re-identification, are also important. The Information Commissioner’s Office provides advice and guidance to organisations on the issue of anonymisation, including in their code of practice, ‘Anonymisation: managing data protection risk’.
The forthcoming General Data Protection Regulation (GDPR) will give us an opportunity to stress test the existing sanctions available in relation to the misuse of personal data to make sure they are fit for purpose for the digital age. In particular, we will review current penalties for data protection breaches and aim for sanctions that act as effective deterrents against the misuse of personal data in all contexts.