Revised Explanatory Memorandum
(Circulated by authority of the Minister for Home Affairs and the Minister for Immigration and Border Protection, the Honourable Peter Dutton MP)
Schedule 1 - Amendments consequential on the Security of Critical Infrastructure Act 2017
9. This Schedule details the amendments that will need to be made to the ASIO Act and the FATA Act upon enactment of the Security of Critical Infrastructure Bill.
Amendments to the Australian Security Intelligence Organisation Act 1979
Item 1 - Subsection 35(1) (after paragraph (d) of the definition of prescribed administrative action)
10. This item inserts a provision into the definition of 'prescribed administrative action' in subsection 35(1) of the ASIO Act, so that an exercise of power under subclause 32(2) of the Security of Critical Infrastructure Bill will be 'prescribed administrative action'. Subsection 35(1) of the ASIO Act is the interpretation provision for ASIO security assessments. 'Prescribed administrative action' specifically relates to ASIO's 'adverse security assessments', which are assessments that provide an opinion or advice in relation to a person, and recommend that prescribed administrative action be taken in respect of the person.
11. This amendment will enable ASIO to provide advice to inform the exercise of the Ministerial directions power, under subclause 32(2) of the Security of Critical Infrastructure Bill, in the form of a security assessment. Subclause 32(2) of the Security of Critical Infrastructure Bill allows the Minister to direct critical infrastructure owners or operators to do or not do a certain thing to mitigate a risk that has been identified as prejudicial to security. Subclause 32(3)(c) of the Security of Critical Infrastructure Bill provides that the Minister must not give the direction unless 'an adverse security assessment in respect of the entity has been given to the Minister for the purposes of this section'. A direction would be based on addressing a security risk as set out in an ASIO adverse security assessment.
Item 1A - Section 38A (at the end of the heading)
12. This item will insert the new words, 'or directions under the Security of Critical Infrastructure Act' to the end of the heading at section 38A of the ASIO Act. This ensures the heading for section 38A of the ASIO Act accurately reflects that the section will also apply where an adverse security assessment relates to the directions power at clause 32(2) of the Security of Critical Infrastructure Bill 2017, in addition to (as currently drafted) '[n]otification where assessment relates to Telecommunications Act'.
Item 1B - after subsection 38A(1)
13. Where an adverse or qualified security assessment is made in respect of a person (for purposes connected with certain provisions of the Telecommunications Act), section 38A of the ASIO Act requires the Attorney-General, within 14 days of receiving the assessment, to give the assessed person a notice in writing, including a copy of the assessment and information on his or her right to seek merits review. The Attorney-General may not withhold such a notice, but may redact any part of the assessment the disclosure of which he or she is satisfied would be prejudicial to the interests of security.
14. This item will insert new subsection 38A(1A) after subsection 38A(1) in the ASIO Act to ensure that the notification requirements in section 38A (outlined above) also apply to an adverse security assessment given in connection with clause 32(2) of the Security of Critical Infrastructure Bill. This aligns the notice requirements of an adverse security assessment relating to the directions power in the Security of Critical Infrastructure Bill with those provided in relation to similar directions powers in the Telecommunications Act.
Amendments to the Foreign Acquisitions and Takeovers Act 1975
Item 2 - After paragraph 122(1)(o)
15. This item inserts the Security of Critical Infrastructure Act (once commenced) into subsection 122(1) of the FATA Act, so that a person may disclose protected information (as defined in the FATA Act) to the Minister, or the accountable authority of the responsible Commonwealth entity, administering the Security of Critical Infrastructure Bill, for the purpose of administering that Bill. The accountable authority of the responsible Commonwealth entity would be the Secretary of the Department responsible for the administration of the Security of Critical Infrastructure Bill.
16. This amendment ensures effective and efficient information sharing between the administrator of the Security of Critical Infrastructure Bill and the department with portfolio responsibility for foreign investment in Australia. Protected information obtained under the FATA Act would allow the administering agency to verify the accuracy of the Register of critical infrastructure assets. To verify information, the administering agency will be able to compare information from reporting entities to data that the department with portfolio responsibility for foreign investment in Australia may receive as part of the Foreign Investment Review Board approval process. The Register of critical infrastructure assets provides Government with greater visibility of who owns, controls and has access to Australia's critical infrastructure assets.
Item 3 - At the end of subsections 122(2) and (3)
17. This item inserts national security into subsections 122(2) and 122(3) of the FATA Act, so that a person may disclose protected information to a Minister, or Secretary of a Department administered by that Minister, who is responsible for national security, but only for the purpose of discharging that responsibility.
18. This amendment ensures effective and efficient information sharing between national security agencies and the department with portfolio responsibility for foreign investment in Australia for the purpose of assessing and mitigating national security risks. Sharing of specific foreign investment data and analysis ensures that national security agencies can draw on existing data sets, which they require to identify, assess and mitigate national security risks. These data sets complement information that the administering agency will receive from the Register of critical infrastructure assets. The inclusion of national security will make the information protections in the FATA Act consistent with the use and disclosure protections in Division 3 of the Security of Critical Infrastructure Bill.