(1) It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
(2) For the purposes of this section and section 172 -
(a) personal data is "de-identified" if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
(b) a person "re-identifies" information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
(3) It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification -
(a) was necessary for the purposes of preventing or detecting crime,
(b) was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c) in the particular circumstances, was justified as being in the public interest.
(4) It is also a defence for a pers
…