4. Section 15A of the principal Act is repealed and the following section substituted therefor:“Cybersecurity measures and requirements |
15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the national security, essential services or defence of Singapore or foreign relations of Singapore, the Minister may, by a certificate under his hand, authorise or direct any person or organisation specified in the certificate (referred to in this section as the specified person) to take such measures or comply with such requirements as may be necessary to prevent, detect or counter any threat to a computer or computer service or any class of computers or computer services.(2) The measures and requirements referred to in subsection (1) may include, without limitation —(a) | the exercise by the specified person of the powers referred to in sections 39(1)(a) and (b) and (2)(a) and (b) and 40(2)(a), (b) and (c) of the Criminal Procedure Code (Cap. 68); | (b) | requiring or authorising the specified person to direct another person to provide any information that is necessary to identify, detect or counter any such threat, including —(i) | information relating to the design, configuration or operation of any computer, computer program or computer service; and | (ii) | information relating to the security of any computer, computer program or computer service; |
| (c) | providing to the Minister or a public officer authorised by him any information (including real-time information) obtained from any computer controlled or operated by the specified person, or obtained by the specified person from another person pursuant to a measure or requirement under paragraph (b), that is necessary to identify, detect or counter any such threat, including —(i) | information relating to the design, configuration or operation of any computer, computer program or computer service; and | (ii) | information relating to the security of any computer, computer program or computer service; and |
| (d) | providing to the Minister or a public officer authorised by him a report of a breach or an attempted breach of security of a description specified in the certificate under subsection (1), relating to any computer controlled or operated by the specified person. |
|
(3) Any measure or requirement referred to in subsection (1), and any direction given by a specified person for the purpose of taking any such measure or complying with any such requirement —(a) | shall not confer any right to the production of, or of access to, information subject to legal privilege; and | (b) | subject to paragraph (a), shall have effect notwithstanding any obligation or limitation imposed or right, privilege or immunity conferred by or under any law, contract or rules of professional conduct, including any restriction on the disclosure of information imposed by law, contract or rules of professional conduct. |
|
(4) A specified person who, without reasonable excuse, fails to take any measure or comply with any requirement directed by the Minister under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both. |
(5) Any person who, without reasonable excuse —(a) | obstructs a specified person in the taking of any measure or in complying with any requirement under subsection (1); or | (b) | fails to comply with any direction given by a specified person for the purpose of the specified person taking any such measure or complying with any such requirement, |
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both. |
|
(6) No civil or criminal liability shall be incurred by —(a) | a specified person for doing or omitting to do any act if the specified person had done or omitted to do the act in good faith and for the purpose of or as a result of taking any measure or complying with any requirement under subsection (1); or | (b) | a person for doing or omitting to do any act if the person had done or omitted to do the act in good faith and for the purpose of or as a result of complying with a direction given by a specified person for the purpose of taking any such measure or complying with any such requirement. |
|
(7) The following persons shall not be treated as being in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct:(a) | a specified person who, in good faith, obtains any information for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection, or who discloses any information to the Minister or a public officer authorised by the Minister, in compliance with any requirement under that subsection; | (b) | a person who, in good faith, obtains any information, or discloses any information to a specified person, in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection. |
|
(8) The following persons, namely:(a) | a specified person to whom a person has provided information in compliance with a direction given by the specified person for the purpose of taking any measure under subsection (1) or complying with any requirement under that subsection; | (b) | a person to whom a specified person provides information in compliance with any requirement under subsection (1), |
shall not use or disclose the information, except — |
(i) | with the written permission of the person from whom the information was obtained or, where the information is the confidential information of a third person, with the written permission of the third person; | (ii) | for the purpose of preventing, detecting or countering a threat to a computer, computer service or class of computers or computer services; | (iii) | to disclose to any police officer or other law enforcement authority any information which discloses the commission of an offence under this Act or any other written law; or | (iv) | in compliance with a requirement of a court or the provisions of this Act or any other written law. |
|
(9) Any person who contravenes subsection (8) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both. |
(10) Where an offence is disclosed in the course of or pursuant to the exercise of any power under this section —(a) | no information for that offence shall be admitted in evidence in any civil or criminal proceedings; and | (b) | no witness in any civil or criminal proceedings shall be obliged —(i) | to disclose the name, address or other particulars of any informer who has given information with respect to that offence; or | (ii) | to answer any question if the answer would lead, or would tend to lead, to the discovery of the name, address or other particulars of the informer. |
|
|
(11) If any book, document, data or computer output which is admitted in evidence or liable to inspection in any civil or criminal proceedings contains any entry in which any informer is named or described or which may lead to his discovery, the court shall cause those entries to be concealed from view or to be obliterated so far as may be necessary to protect the informer from discovery. |
(12) In subsection (1), “essential services” means —(a) | services directly related to communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, or public key infrastructure; or | (b) | emergency services such as police, civil defence or health services.”. |
|
|
|
|