Clause 40

a gain in property or a supply of services, whether temporary or permanent; or

an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;“generally available information” means information that consists of readily observable matter, including information that consists of deductions, conclusions or inferences made or drawn from readily observable matter;“harm”, in relation to an individual, means —

any physical harm; or

harassment, alarm or distress caused to the individual;“loss” means —

a loss in property or a supply of services, whether temporary or permanent; or

a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,but excludes, in relation to an individual, the loss of personal data about the individual;“personal data” has the meaning given by section 2(1) of the Personal Data Protection Act 2012 (Act 26 of 2012);“prescribed circumstances” or “prescribed purpose” means any circumstances or purpose prescribed in regulations made under section 14D.Preservation of secrecy14A.—

Subject to subsection (3), an individual who is or has been a director or an officer or employee of the Authority must not disclose to any person any information which the individual acquired in the performance of the individual’s duties or the exercise of the individual’s functions.(2) Subject to subsection (3), a person who is or has been —

a contractor supplying goods or services to the Authority;

a consultant or an agent of the Authority; or

an employee of a person mentioned in paragraph (a) or (b),must not disclose to any other person any information (other than personal data about an individual) which the firstmentioned person acquired in the performance of that person’s duties or the exercise of that person’s functions.(3) Subsection (1) or (2) does not apply if the individual or person (as the case may be) (P) discloses the information concerned —

for the purpose of performing P’s duties or exercising P’s functions;

as authorised by the Authority;

as permitted or required by or under any written law;

as authorised or required under an order of court; or

in any other prescribed circumstances or for any other prescribed purpose.(4) To avoid doubt, subsection (3) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure of personal data in the possession or under the control of the Authority by or under any other written law or other law.(5) An individual who contravenes subsection (1), or a person who contravenes subsection (2), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.Improper use of information14B.—

If —

an individual makes use of any information in the possession or under the control of the Authority which the individual acquired in the performance of the individual’s duties or the exercise of the individual’s functions;

the use is not authorised by the Authority;

the individual is or has been a director or an officer or employee of the Authority;

the individual does so —

knowing that the use is not authorised by the Authority; or

reckless as to whether the use is or is not authorised by the Authority; and

the individual, as a result of that use —

obtains a gain for the individual or another person;

causes harm to another individual; or

causes a loss to another person,the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.(2) If —

a person makes use of information (other than personal data about an individual) in the possession or under the control of the Authority which the person acquired in the performance of the person’s duties or the exercise of the person’s functions;

the use is not authorised by the Authority;

the person is or has been —

a contractor supplying goods or services to the Authority;

a consultant or an agent of the Authority; or

an individual who is an employee of a person mentioned in sub‑paragraph (i) or (ii);

the person does so —

knowing that the use is not authorised by the Authority; or

reckless as to whether the use is or is not authorised by the Authority; and

the person, as a result of that use —

obtains a gain for the person or another person;

causes harm to an individual; or

causes a loss to another person,the person shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.(3) In proceedings for an offence under subsection (1) or (2), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:

that the information in the possession or under the control of the Authority was, at the time of its use by the defendant, generally available information;

the defendant used the information in the possession or under the control of the Authority —

as permitted or required by or under an Act or other law;

as authorised or required by an order of court; or

in any other prescribed circumstances or for any other prescribed purpose.(4) To avoid doubt, subsection (3) does not affect any obligation or limitation imposed on, or prohibition of, the use of personal data in the possession or under the control of the Authority by or under any other written law or other law.Unauthorised re-identification of anonymised information14C.—

If —

an individual takes any action to re-identify or cause re‑identification of a person to whom anonymised information in the possession of or under the control of the Authority relates (called in this section the affected person);

the re‑identification is not authorised by the Authority;

the individual is or has been a director or an officer or employee of the Authority; and

the individual does so —

knowing that the re-identification is not authorised by the Authority; or

reckless as to whether the re-identification is or is not authorised by the Authority,the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.(2) In proceedings for an offence under subsection (1), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:

that the information on the identity of the affected person is publicly available;

the action to re‑identify or cause re‑identification is —

permitted or required by or under an Act or other law;

authorised or required by an order of court; or

in any other prescribed circumstances or for any other prescribed purpose;

the defendant —

reasonably believed that the re‑identification was for a specified purpose; and

notified the Authority of the re‑identification as soon as was practicable.(3) To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.(4) In this section —“anonymised information” means any information which is in anonymised or de-identified form;“specified purpose” means any purpose specified in the Eleventh Schedule to the Personal Data Protection Act 2012.Power of Authority to make regulations for sections 14A, 14B and 14C14D. The Authority may make regulations to prescribe anything which may be prescribed for the purposes of sections 14A, 14B and 14C.”.