Page:Cybersecurity Act 2018.pdf/46

Duty to keep records

29.—(1) A licensee must—
 * (a) in relation to each occasion on which the licensee is engaged to provide its cybersecurity service, keep a record of the following information:
   * (i) the name and address of the person engaging the licensee for the service;
   * (ii) the name of the person providing the service on behalf of the licensee;
   * (iii) the date on which the service is provided;
   * (iv) details of the type of service provided;
   * (v) such other particulars as may be prescribed; and
 * (b) retain every such record for a period of not less than 3 years after the date of the occasion to which the record relates.

(2) Every licensee must furnish to the licensing officer such records at such time, in such format and through such medium (whether electronic or otherwise) as the licensing officer may require.

(3) If a licensee—
 * (a) knowingly makes a record that—
   * (i) is false or misleading; or
   * (ii) omits any matter or thing without which the record is misleading; and
 * (b) furnishes the record to the licensing officer following a requirement under subsection (2),

the licensee shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.

(4) Subsection (3) does not apply if the record is not false or misleading in a material particular.