Correspondence from Mr Edward Vaizey MP, Minister for Digital Economy (BIG0089)


Big data dilemma inquiry: criminal penalties

I was delighted to have the opportunity to appear before your Committee on 1 December to contribute to your Big Data Dilemma Inquiry. During the course of my session, I agreed to write to you about a concern the Information Commissioner raised with you during his appearance before the inquiry. The Information Commissioner was concerned that the unauthorised re-identification of anonymised big data sets was not currently an offence covered by section 55 of the Data Protection Act 1998 (DPA) and the Committee was keen to understand whether the Government has tested the legislation in this respect.


As you will be aware, there have been massive advances in digital technology since the DPA came into force nearly 20 years ago. The original intention of section 55 was to address the problem of third parties obtaining personal data by deception and most prosecutions under this provision have dealt with these types of offences. It is unlikely that it was intended for the purposes of dealing with de-anonymisation, which was not thought to be a major issue at the time. The Government recognises that the sanctions available for the misuse of data must, where possible, keep pace with the advances in technology and that there are appropriate safeguards and deterrents to meet the challenges presented by the increased use of big data. Other measures, such as transparency of processing, raising the public’s awareness of how their personal data may be used, and the adoption of robust measures by organisations to mitigate the risks of re-identification, are also important. The Information Commissioner’s Office provides advice and guidance to organisations on the issue of anonymisation, including in their code of practice, ‘Anonymisation: managing data protection risk’.


The forthcoming General Data Protection Regulation (GDPR) will give us an opportunity to stress test the existing sanctions available in relation to the misuse of personal data to make sure they are fit for purpose for the digital age. In particular, we will review current penalties for data protection breaches and aim for sanctions that act as effective deterrents against the misuse of personal data in all contexts.


January 2016