171 Re-identification of de-identified personal data
171 Re-identification of de-identified personal data

(1)     It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

(2)     For the purposes of this section and section 172—

(a)     personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;

(b)     a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).

(3)     It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—

(a)     was necessary for the purposes of preventing or detecting crime,

(b)     was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)     in the particular circumstances, was justified as being in the public interest.

(4)     It is also a d

Popular documents