<p>Section 171 of the Data Protection Act 2018 (DPA) criminalises persons who knowingly or recklessly re-identify personal data without the consent of the controller responsible for de-identifying it, unless a relevant defence applies. It is also an offence for a person to knowingly or recklessly process personal data that has been reidentified in this manner.</p><p><strong><br></strong>Criminal liability for these offences would not generally arise if an organisation shared a pseudonymised data set with another organisation and it was subsequently re-identified without their knowledge. However, all organisations are required to comply with data protection legislation, including principles on processing personal data fairly and securely. When sharing pseudonymous data with another organisation, a data controller may be able to guard against accidental or malicious re-identification by ensuring appropriate technical measures, such as effective encryption, are in place.</p>