To ask the Secretary of State for Digital, Culture, Media and Sport, what assessment his Department has made of the remedies that are available for people when so called anonymised data is sold on and they can be personally identified from it, for example through location tracking.
14 December 2020
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) do not apply to personal data that has been truly anonymised in such a way that the individual is not identifiable. If it is possible to use any reasonably available means to re-identify the individual, then the data protection legislation will apply.
The DPA creates a number of recordable criminal offences relating to the misuse of personal data. In particular, Section 171 DPA criminalises the re-identification of personal data that has been de-identified.
If an individual is concerned about the handling of their personal data by any organisation, they can approach the Information Commissioner’s Office (ICO) for advice or to make a complaint. The ICO has a number of powers under the DPA to tackle the unlawful processing of personal data, including the power to serve enforcement notices requiring organisations to stop the processing or to erase the data, and the power to serve civil monetary penalties. The ICO can also investigate and prosecute criminal offences under the DPA. Those guilty of such offences can be subject to unlimited fines in the courts. Details of the ICO’s enforcement activity can be found on its website at: https://ico.org.uk/action-weve-taken/
People have a number of rights to redress under the DPA, including the right to seek a court order to ensure compliance by an organisation, and the right to claim compensation from an organisation through the courts if they have suffered damage as a result of it breaking data protection law. This includes both material damage such as financial loss and non-material damage, including any inconvenience and distress associated with the data breach.