Which practice involves combining deidentified data with other data sources to re-link with individuals?

Reidentification is the act of turning deidentified data back into identifiable information by cross-referencing it with other data sources. Even when direct identifiers are removed, combining data with external datasets can reveal quasi-identifiers—like birth year, ZIP code, and gender—that, together, point to a specific person. This is why reidentification is a privacy risk: it re-links data to individuals. Tokenization replaces sensitive data with non-reversible tokens, so it remains meaningless to outsiders; data scrubbing removes or masks data to reduce identifiability but doesn't describe linking back to a person; an alert is simply a notification mechanism. Therefore, the scenario described—merging deidentified data with other data sources to re-link with individuals—fits reidentification.