My Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.
By way of background, Clause 162(3) and (4) provides a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.
As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.
A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.
We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.