To ask the Secretary of State for Digital, Culture, Media and Sport, pursuant to the Answer of 14 December 2020 to Question 126871, what sanctions are available to companies who share anonymised data which is then re-identified by a third party.
Answered on
11 January 2021
Section 171 of the Data Protection Act 2018 (DPA) criminalises the re-identification of personal data that has been de-identified. It is unlawful to knowingly or recklessly re-identify personal data without the consent of the controller responsible for de-identifying it, unless a relevant defence applies. It is also an offence to process personal data that has been re-identified in this manner.
The penalties for offences under section 171 of the DPA are set out in section 196 of the DPA. A person who is convicted of an offence under section 171 of the DPA is liable to an unlimited fine in the courts. Under section 199 of the DPA, the offence is recordable which means that the company or individual committing the offence will have a criminal record on conviction.
As with other offences under the DPA, where an offence under section 171 has been committed by a company, that company’s directors, managers and others acting in such a capacity can be convicted where the relevant individual or individuals consented, connived or neglected in taking their responsibilities seriously and contributed as a result to the offence being committed.