Unauthorised re-identification of anonymised information
14C.—(1)  If —
(a)an individual takes any action to re-identify or cause re-identification of a person to whom anonymised information in the possession of or under the control of the Authority relates (called in this section the affected person);
(b)the re-identification is not authorised by the Authority;
(c)the individual is or has been a director or an officer or employee of the Authority; and
(d)the individual does so —
(i)knowing that the re-identification is not authorised by the Authority; or
(ii)reckless as to whether the re-identification is or is not authorised by the Authority,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:
(a)that the information on the identity of the affected person is publicly available;
(b)the action to re-identify or cause re-identification is —
(i)permitted or required by or under an Act or other law;
(ii)authorised or required by an order of court; or
(iii)in any other prescribed circumstances or for any other prescribed purpose;
(c)the defendant —
(i)reasonably believed that the re-identification was for a specified purpose; and
(ii)notified the Authority of the re-identification as soon as was practicable.
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re-identification of the affected person by or under any other written law or other law.
(4)  In this section —
“anonymised information” means any information which is in anonymised or de-identified form;
“specified purpose” means any purpose specified in the Eleventh Schedule to the Personal Data Protection Act 2012.
[Act 40 of 2020 wef 01/02/2021]