UK regulators to criminalise re-identifying anonymised personal data
The latest update to the UK’s data protection rules will ask more of companies that process users’ personal data, including allowing consumers to withdraw consent for their data to be processed.
In a statement of intent published by the government this week, further detail was given around the upcoming data protection bill. In it, regulators outlined their aims and thinking as well as confirming that the existing Data Protection Act will be repealed to avoid any legal conflicts.
Not only will consumers be empowered to withdraw consent for their personal information to pass through companies, but the new laws will let them view any data held on them for free, ask for their past data to be deleted, and to move their data between service providers.
Teenagers, for example, we be able to ask social media sites to delete information posted in their childhood, in what marks an expansion of the EU’s ‘right to be forgotten’ ruling, which currently only applies to search engine indexing of personal data.
The government’s document also reiterates that it will be a criminal offence to re-identify individual from anonymised data, whether intentional or accidental, carrying a maximum penalty of an unlimited fine.
Another new offence, though not yet officially created, will surround the altering of records with intent to prevent disclosure following a subject access request.
The document also updates the definition of personal data to include IP addresses, internet cookies and DNA.
Matt Hancock, the UK’s digital minister, described the rejigged rules as encapsulating a “balance between supporting innovation and data protection”.
He added: ““Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
“The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.”