23.—(1) The Minister may, if satisfied that it is necessary for the purposes of preventing, detecting or countering any serious and imminent threat to —| (a) | the provision of any essential service; or | | (b) | the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, |
| by a certificate under the Minister’s hand, authorise or direct any person or organisation specified in the certificate (called in this section the specified person) to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer system or any class of computers or computer systems. |
(2) The measures and requirements mentioned in subsection (1) may include, without limitation —| (a) | the exercise by the specified person of the powers in sections 39(1)(a) and (b) and (2)(a) and (b) and 40(2)(a), (b) and (c) of the Criminal Procedure Code 2010; | | (b) | requiring or authorising the specified person to direct another person to provide any information that is necessary to identify, detect or counter any such threat, including —| (i) | information relating to the design, configuration or operation of any computer, computer program or computer system; and | | (ii) | information relating to the cybersecurity of any computer, computer program or computer system; |
| | (c) | providing to the Minister or the Commissioner any information (including real‑time information) obtained from any computer controlled or operated by the specified person, or obtained by the specified person from another person pursuant to a measure or requirement under paragraph (b), that is necessary to identify, detect or counter any such threat, including —| (i) | information relating to the design, configuration or operation of any computer, computer program or computer system; and | | (ii) | information relating to the cybersecurity of any computer, computer program or computer system; and |
| | (d) | providing to the Minister or the Commissioner a report of a breach or an attempted breach of cybersecurity of a description specified in the certificate under subsection (1), relating to any computer controlled or operated by the specified person. |
|
(3) Any measure or requirement mentioned in subsection (1), and any direction given by a specified person for the purpose of taking any such measure or complying with any such requirement —| (a) | does not confer any right to the production of, or of access to, information subject to legal privilege; and | | (b) | subject to paragraph (a), has effect despite any obligation or limitation imposed or right, privilege or immunity conferred by or under any law, contract or rules of professional conduct, including any restriction on the disclosure of information imposed by law, contract or rules of professional conduct. |
|
| (4) A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both. |
(5) Any person who, without reasonable excuse —| (a) | obstructs a specified person in the taking of any measure or in complying with any requirement under subsection (1); or | | (b) | fails to comply with any direction given by a specified person for the purpose of the specified person taking any such measure or complying with any such requirement, |
| shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both. |
|
(6) No civil or criminal liability is incurred by —| (a) | a specified person for doing or omitting to do any act if the specified person had done or omitted to do the act in good faith and for the purpose of or as a result of taking any measure or complying with any requirement under subsection (1); or | | (b) | a person for doing or omitting to do any act if the person had done or omitted to do the act in good faith and for the purpose of or as a result of complying with a direction given by a specified person for the purpose of taking any such measure or complying with any such requirement. |
|
(7) The following persons are not considered to be in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct:| (a) | a specified person who, in good faith, obtains any information for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection, or who discloses any information to the Minister or the Commissioner, in compliance with any requirement under that subsection; | | (b) | a person who, in good faith, obtains any information, or discloses any information to a specified person, in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection. |
|
(8) The following persons, namely:| (a) | a specified person to whom a person has provided information in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection; | | (b) | a person to whom a specified person provides information in compliance with any requirement under subsection (1), |
| must not use or disclose the information, except — |
| (c) | with the written permission of the person from whom the information was obtained or, where the information is the confidential information of a third person, with the written permission of the third person; | | (d) | for the purpose of preventing, detecting or countering a threat to a computer, computer system or class of computers or computer systems; | | (e) | to disclose to any police officer or other law enforcement authority any information which discloses the commission of an offence under this Act or any other written law; or | | (f) | in compliance with a requirement of a court or the provisions of this Act or any other written law. |
|
| (9) Any person who contravenes subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both. |
(10) Where an offence is disclosed in the course of or pursuant to the exercise of any power under this section —| (a) | no information for that offence may be admitted in evidence in any civil or criminal proceedings; and | | (b) | no witness in any civil or criminal proceedings is obliged —| (i) | to disclose the name, address or other particulars of any informer who has given information with respect to that offence; or | | (ii) | to answer any question if the answer would lead, or would tend to lead, to the discovery of the name, address or other particulars of the informer. |
|
|
| (11) If any book, document, data or computer output which is admitted in evidence or liable to inspection in any civil or criminal proceedings contains any entry in which any informer is named or described or which may lead to the informer’s discovery, the court must cause those entries to be concealed from view or to be obliterated so far as may be necessary to protect the informer from discovery. |
|