Unauthorised re-identification of anonymised information
14C.—(1)  If —
(a)an individual takes any action to re‑identify or cause re‑identification of a person to whom anonymised information in the possession or under the control of the Authority relates (called in this section the affected person);
(b)the re‑identification is not authorised by the Authority;
(c)the individual is or has been a director or an officer or employee of the Authority; and
(d)the individual does so —
(i)knowing that the re‑identification is not authorised by the Authority; or
(ii)reckless as to whether the re‑identification is or is not authorised by the Authority,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
[40/2020]
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:
(a)that the information on the identity of the affected person is publicly available;
(b)the action to re‑identify or cause re‑identification is —
(i)permitted or required by or under an Act or other law;
(ii)authorised or required by an order of court; or
(iii)in any other prescribed circumstances or for any other prescribed purpose;
(c)the defendant —
(i)reasonably believed that the re‑identification was for a specified purpose; and
(ii)notified the Authority of the re‑identification as soon as was practicable.
[40/2020]
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.
[40/2020]
(4)  In this section —
“anonymised information” means any information which is in anonymised or de‑identified form;
“specified purpose” means any purpose specified in the Eleventh Schedule to the Personal Data Protection Act 2012.
[40/2020]