Singapore legislation

Clause 74

Duty to conduct assessment of cybersecurity incident

(1)

Where a relevant person has reason to believe that a cybersecurity incident in respect of the national electronic records system or any relevant computer or computer system used by the relevant person to process health information or relevant information has occurred, the relevant person must conduct, in a reasonable and expeditious manner, an assessment of whether the cybersecurity incident is a notifiable cybersecurity incident.

(2)

Where a relevant HDI of a contributor or user has reason to believe that a cybersecurity incident has occurred in respect of any relevant computer or computer system used by the relevant HDI to process health information on behalf of and for the purposes of the contributor or user (as the case may be) under this Act —

(a)

the relevant HDI must, without undue delay, notify the contributor or user, as the case may be; and

(b)

the contributor or user (as the case may be) must, upon notification by the relevant HDI, conduct an assessment of whether the cybersecurity incident is a notifiable cybersecurity incident.

(3)

The relevant person must carry out the assessment mentioned in subsection (1) or (2)(b) in accordance with the prescribed requirements (if any).

Read in full context — Health Information Bill →