Designation of critical information infrastructure
7.—(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that —
(a)
the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
(b)
the computer or computer system is located wholly or partly in Singapore.
(2) A notice issued under subsection (1) must —
(a)
identify the computer or computer system that is being designated as a critical information infrastructure;
(b)
identify the owner of the computer or computer system so designated as a critical information infrastructure;
(c)
inform the owner of the computer or computer system, regarding the owner’s duties and responsibilities under this Act that arise from the designation;
(d)
provide the name and contact particulars of the officer assigned by the Commissioner to supervise the critical information infrastructure;
(e)
inform the owner of the computer or computer system that any representations against the designation are to be made to the Commissioner by a specified date, being a date not earlier than 14 days after the date of the notice; and
(f)
inform the owner of the computer or computer system that the owner may appeal to the Minister against the designation, and provide information on the applicable procedure.
(3) Any designation under subsection (1) has effect for a period of 5 years, unless it is withdrawn by the Commissioner before the expiry of the period.
(4) The person who receives a notice under subsection (1) may request the Commissioner to proceed under subsection (5) upon showing proof that —
(a)
the person is not able to comply with the requirements in this Part for the reason that the person has neither effective control over the operations of the computer or computer system, nor the ability or right to carry out changes to the computer or computer system; and
(b)
another person has effective control over the operations of the computer or computer system and the ability and right to carry out changes to the computer or computer system.
(5) If the Commissioner is satisfied that the conditions mentioned in subsection (4)(a) and (b) are met, the Commissioner may amend the notice issued to the person under subsection (1), and address and send that amended notice to the person mentioned in subsection (4)(b).
(6) During the period when a notice amended under subsection (5) is in effect, the provisions of this Part apply to the person mentioned in subsection (4)(b) as if every reference to the owner of a critical information infrastructure is a reference to the person mentioned in subsection (4)(b).
(7) Where —
(a)
a notice issued under this section and amended under subsection (5) is addressed and sent to the person mentioned in subsection (4)(b); and
(b)
the person mentioned in subsection (4)(b) then ceases to have the control, ability and right mentioned in that provision,
the owner of the critical information infrastructure must notify the Commissioner of this without delay.
(8) Where a critical information infrastructure is owned by the Government and operated by a Ministry, the Permanent Secretary allocated to the Ministry who has responsibility for the critical information infrastructure is treated as the owner of the critical information infrastructure for the purposes of this Act.
(9) A notice issued under this section need not be published in the Gazette.