Data security laws changed to protect researchers

The government has announced it will amend the data protection bill to ensure the protection of data security researchers who are responsible for uncovering any issues concerning the abuse of personal data.

The change follows calls from a number of reports that suggested the bill could mistakenly criminalise genuine research into data security, and has been welcomed by one of the data security researchers who urged changes to the law.

"I am very happy with the amendments," said Lukasz Olejnik, an independent cybersecurity and privacy researcher. "I’m especially impressed with designing a responsible way of submitting privacy weaknesses directly to the Information Commissioner's Office (ICO)."

"The whole case underlines the need of careful analysis of proposed regulations, whether in UK or beyond" he added.

The bill will currently include a clause that makes the intentional or reckless re-identification of people from anonymised data a criminal offence, with a potentially unlimited fine on offer for those who break the law. However, security researchers feared they could fall foul of the clause if they were to carry out any research that contained poor anonymisation on the part of other people.

The alteration to the bill, however, will ensure any data security experts carrying out "effectiveness testing" are exempt from the rules as long as they identify the ICO within three days of successfully accessing the data. The researchers would also have to demonstrate that they had acted in the public interest, rather than with criminal intent.

Commenting on the planned amendments, culture and digital secretary Matt Hancock said: "We are strengthening Britain’s data protection laws to make them fit for the digital age by giving people more control over their own data."

"This amendment will safeguard our world-leading cybersecurity researchers to continue their vital work to uncover abuses of personal data."