To ask the Secretary of State for Digital, Culture, Media and Sport, pursuant to the Answer of 11 January 2021 to Question 130731 on Data Protection, whether it is his Department's policy that a company which shares anonymised data that is then reidentified has responsibility or liability in the circumstances he sets out.
14 January 2021
Section 171 of the Data Protection Act 2018 (DPA) criminalises persons who knowingly or recklessly re-identify personal data without the consent of the controller responsible for de-identifying it, unless a relevant defence applies. It is also an offence for a person to knowingly or recklessly process personal data that has been reidentified in this manner.
Criminal liability for these offences would not generally arise if an organisation shared a pseudonymised data set with another organisation and it was subsequently re-identified without their knowledge. However, all organisations are required to comply with data protection legislation, including principles on processing personal data fairly and securely. When sharing pseudonymous data with another organisation, a data controller may be able to guard against accidental or malicious re-identification by ensuring appropriate technical measures, such as effective encryption, are in place.