Skip to main content

Data Protection

Question for Department for Digital, Culture, Media and Sport

UIN 135936, tabled on 11 January 2021

To ask the Secretary of State for Digital, Culture, Media and Sport, pursuant to the Answer of 11 January 2021 to Question 130731 on Data Protection, whether it is his Department's policy that a company which shares anonymised data that is then reidentified has responsibility or liability in the circumstances he sets out.

Answered on

14 January 2021

Section 171 of the Data Protection Act 2018 (DPA) criminalises persons who knowingly or recklessly re-identify personal data without the consent of the controller responsible for de-identifying it, unless a relevant defence applies. It is also an offence for a person to knowingly or recklessly process personal data that has been reidentified in this manner.

Criminal liability for these offences would not generally arise if an organisation shared a pseudonymised data set with another organisation and it was subsequently re-identified without their knowledge. However, all organisations are required to comply with data protection legislation, including principles on processing personal data fairly and securely. When sharing pseudonymous data with another organisation, a data controller may be able to guard against accidental or malicious re-identification by ensuring appropriate technical measures, such as effective encryption, are in place.

Named day
Named day questions only occur in the House of Commons. The MP tabling the question specifies the date on which they should receive an answer. MPs may not table more than five named day questions on a single day.