Security Legislation Amendment (Critical Infrastructure) Act 2021 (124 of 2021)

Schedule 1   Security of critical infrastructure

Part 1   General amendments

Security of Critical Infrastructure Act 2018

7   Section 5

Insert:

access , in relation to a computer program, means the execution of the computer program.

access to computer data means:

(a) in a case where the computer data is held in a computer - the display of the data by the computer or any other output of the data from the computer; or

(b) in a case where the computer data is held in a computer - the copying or moving of the data to:

(i) any other location in the computer; or

(ii) another computer; or

(iii) a data storage device; or

(c) in a case where the computer data is held in a data storage device - the copying or moving of the data to:

(i) a computer; or

(ii) another data storage device.

aircraft operator has the same meaning as in the Aviation Transport Security Act 2004.

airport has the same meaning as in the Aviation Transport Security Act 2004.

airport operator has the same meaning as in the Aviation Transport Security Act 2004.

air service has the same meaning as in the Aviation Transport Security Act 2004.

approved staff member of the authorised agency has the meaning given by section 35BJ.

ASD means the Australian Signals Directorate.

asset includes:

(a) a system; and

(b) a network; and

(c) a facility; and

(d) a computer; and

(e) a computer device; and

(f) a computer program; and

(g) computer data; and

(h) premises; and

(i) any other thing.

associated entity has the same meaning as in the Corporations Act 2001.

associated transmission facility means:

(a) an antenna; or

(b) a combiner; or

(c) a feeder system; or

(d) an apparatus; or

(e) an item of equipment; or

(f) a structure; or

(g) a line; or

(h) an electricity cable or wire;

that is associated with a radiocommunications transmitter.

AusCheck scheme has the same meaning as in the AusCheck Act 2007.

Australia , when used in a geographical sense, includes the external Territories.

Australian CS facility licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

Australian derivative trade repository licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

Australian market licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

authorised agency means ASD.

authorised deposit-taking institution has the same meaning as in the Banking Act 1959.

background check has the same meaning as in the AusCheck Act 2007.

banking business has the same meaning as in the Banking Act 1959.

benchmark administrator licence has the same meaning as in the Corporations Act 2001.

broadcasting re-transmission asset means:

(a) a radiocommunications transmitter; or

(b) a broadcasting transmission tower; or

(c) an associated transmission facility;

that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992, the regulatory regime established by that Act does not apply.

broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

broadcasting transmission asset means:

(a) a radiocommunications transmitter; or

(b) a broadcasting transmission tower; or

(c) an associated transmission facility;

that is used, or is capable of being used, in connection with the transmission of:

(d) a national broadcasting service; or

(e) a commercial radio broadcasting service; or

(f) a commercial television broadcasting service.

broadcasting transmission tower has the same meaning as in Schedule 4 to the Broadcasting Services Act 1992.

business critical data means:

(a) personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; or

(b) information relating to any research and development in relation to a critical infrastructure asset; or

(c) information relating to any systems needed to operate a critical infrastructure asset; or

(d) information needed to operate a critical infrastructure asset; or

(e) information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.

carriage service has the same meaning as in the Telecommunications Act 1997.

carriage service provider has the same meaning as in the Telecommunications Act 1997.

carrier has the same meaning as in the Telecommunications Act 1997.

chief executive of the authorised agency means the Director-General of ASD.

clearing and settlement facility has the same meaning as in Chapter 7 of the Corporations Act 2001.

commercial radio broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

commercial television broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

communications sector means the sector of the Australian economy that involves:

(a) supplying a carriage service; or

(b) providing a broadcasting service; or

(c) owning or operating assets that are used in connection with the supply of a carriage service; or

(d) owning or operating assets that are used in connection with the transmission of a broadcasting service; or

(e) administering an Australian domain name system.

computer means all or part of:

(a) one or more computers; or

(b) one or more computer systems; or

(c) one or more computer networks; or

(d) any combination of the above.

computer data means data held in:

(a) a computer; or

(b) a data storage device.

computer device means a device connected to a computer.

connected includes connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication.

constable has the same meaning as in the Crimes Act 1914.

credit facility has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001.

credit facility business means a business that offers, or provides services in relation to, a credit facility.

critical aviation asset means:

(a) an asset that:

(i) is used in connection with the provision of an air service; and

(ii) is owned or operated by an aircraft operator; or

(b) an asset that:

(i) is used in connection with the provision of an air service; and

(ii) is owned or operated by a regulated air cargo agent; or

(c) an asset that is used by an airport operator in connection with the operation of an airport.

Note: The rules may prescribe that a specified critical aviation asset is not a critical infrastructure asset (see section 9).

critical banking asset has the meaning given by section 12G.

Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9).

critical broadcasting asset has the meaning given by section 12E.

Note: The rules may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset (see section 9).

critical data storage or processing asset has the meaning given by section 12F.

Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).

critical defence capability includes:

(a) materiel; and

(b) technology; and

(c) a platform; and

(d) a network; and

(e) a system; and

(f) a service;

that is required in connection with:

(g) the defence of Australia; or

(h) national security.

critical defence industry asset means an asset that:

(a) is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract; and

(b) consists of, or enables, a critical defence capability.

Note: The rules may prescribe that a specified critical defence industry asset is not a critical infrastructure asset (see section 9).

critical domain name system has the meaning given by section 12KA.

Note: The rules may prescribe that a specified critical domain name system is not a critical infrastructure asset (see section 9).

critical education asset means a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers.

Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9).

critical energy market operator asset means an asset that:

(a) is owned or operated by:

(i) Australian Energy Market Operator Limited (ACN 072 010 327); or

(ii) Power and Water Corporation; or

(iii) Regional Power Corporation; or

(iv) Electricity Networks Corporation; and

(b) is used in connection with the operation of an energy market or system; and

(c) is critical to ensuring the security and reliability of an energy market;

but does not include:

(d) a critical electricity asset; or

(e) a critical gas asset; or

(f) a critical liquid fuel asset.

Note: The rules may prescribe that a specified critical energy market operator asset is not a critical infrastructure asset (see section 9).

critical financial market infrastructure asset has the meaning given by section 12D.

Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9).

critical food and grocery asset has the meaning given by section 12K.

Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9).

critical freight infrastructure asset has the meaning given by section 12B.

Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9).

critical freight services asset has the meaning given by section 12C.

Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9).

critical hospital means a hospital that has a general intensive care unit.

Note: The rules may prescribe that a specified critical hospital is not a critical infrastructure asset (see section 9).

critical infrastructure sector has the meaning given by section 8D.

critical infrastructure sector asset has the meaning given by subsection 8E(1).

critical insurance asset has the meaning given by section 12H.

Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9).

critical liquid fuel asset has the meaning given by section 12A.

Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9).

critical public transport asset means a public transport network or system that:

(a) is managed by a single entity; and

(b) is capable of handling at least 5 million passenger journeys per month;

but does not include a critical aviation asset.

Note: The rules may prescribe that a specified critical public transport asset is not a critical infrastructure asset (see section 9).

critical superannuation asset has the meaning given by section 12J.

Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9).

critical telecommunications asset means:

(a) a telecommunications network that is:

(i) owned or operated by a carrier; and

(ii) used to supply a carriage service; or

(b) a telecommunications network, or any other asset, that is:

(i) owned or operated by a carriage service provider; and

(ii) used in connection with the supply of a carriage service.

Note: The rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9).

cyber security incident has the meaning given by section 12M.

data includes information in any form.

data storage means data storage that involves information technology, and includes data back-up.

data storage device means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer.

data storage or processing provider means an entity that provides a data storage or processing service.

data storage or processing sector means the sector of the Australian economy that involves providing data storage or processing services.

data storage or processing service means:

(a) a service that enables end-users to store or back-up data; or

(b) a data processing service.

Defence Department means the Department of State that deals with defence and that is administered by the Defence Minister.

defence industry sector means the sector of the Australian economy that involves the provision of critical defence capabilities.

Defence Minister means the Minister administering section 1 of the Defence Act 1903.

derivative trade repository has the same meaning as in Chapter 7 of the Corporations Act 2001.

Electricity Networks Corporation means the Electricity Networks Corporation established by section 4 of the Electricity Corporations Act 2005 (WA).

electronic communication means a communication of information in any form by means of guided or unguided electromagnetic energy.

energy sector means the sector of the Australian economy that involves:

(a) the production, transmission, distribution or supply of electricity; or

(b) the production, processing, transmission, distribution or supply of gas; or

(c) the production, processing, transmission, distribution or supply of liquid fuel.

engage in conduct means:

(a) do an act or thing; or

(b) omit to perform an act or thing.

financial benchmark has the same meaning as in Part 7.5B of the Corporations Act 2001.

financial market has the same meaning as in Chapter 7 of the Corporations Act 2001.

financial services and markets sector means the sector of the Australian economy that involves:

(a) carrying on banking business; or

(b) operating a superannuation fund; or

(c) carrying on insurance business; or

(d) carrying on life insurance business; or

(e) carrying on health insurance business; or

(f) operating a financial market; or

(g) operating a clearing and settlement facility;

(h) operating a derivative trade repository; or

(i) administering a financial benchmark; or

(j) operating a payment system; or

(k) carrying on financial services business; or

(l) carrying on credit facility business.

financial services business has the same meaning as in Chapter 7 of the Corporations Act 2001.

food means food for human consumption.

food and grocery sector means the sector of the Australian economy that involves:

(a) manufacturing; or

(b) processing; or

(c) packaging; or

(d) distributing; or

(e) supplying;

food or groceries on a commercial basis.

gas means a substance that:

(a) is in a gaseous state at standard temperature and pressure; and

(b) consists of naturally occurring hydrocarbons, or a naturally occurring mixture of hydrocarbons and non-hydrocarbons, the principal constituent of which is methane; and

(c) is suitable for consumption.

general intensive care unit means an area within a hospital that:

(a) is equipped and staffed so that it is capable of providing to a patient:

(i) mechanical ventilation for a period of several days; and

(ii) invasive cardiovascular monitoring; and

(b) is supported by:

(i) during normal working hours - at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and

(ii) at all times - at least one medical practitioner who is present in the hospital and immediately available to that area; and

(iii) at least 18 hours each day - at least one nurse; and

(c) has admission and discharge policies in operation.

government business enterprise has the same meaning as in the Public Governance, Performance and Accountability Act 2013.

health care includes:

(a) services provided by individuals who practise in any of the following professions or occupations:

(i) dental (including the profession of a dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist);

(ii) medical;

(iii) medical radiation practice;

(iv) nursing;

(v) midwifery;

(vi) occupational therapy;

(vii) optometry;

(viii) pharmacy;

(ix) physiotherapy;

(x) podiatry;

(xi) psychology;

(xii) a profession or occupation specified in the rules; and

(b) treatment and maintenance as a patient at a hospital.

health care and medical sector means the sector of the Australian economy that involves:

(a) the provision of health care; or

(b) the production, distribution or supply of medical supplies.

health insurance business has the same meaning as in the Private Health Insurance Act 2007.

higher education and research sector means the sector of the Australian economy that involves:

(a) being a higher education provider; or

(b) undertaking a program of research that:

(i) is supported financially (in whole or in part) by the Commonwealth; or

(ii) is relevant to a critical infrastructure sector (other than the higher education and research sector).

higher education provider has the same meaning as in the Tertiary Education Quality and Standards Agency Act 2011.

hospital has the same meaning as in the Private Health Insurance Act 2007.

IGIS official means:

(a) the Inspector-General of Intelligence and Security; or

(b) any other person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986.

impairment of electronic communication to or from a computer includes:

(a) the prevention of any such communication; and

(b) the impairment of any such communication on an electronic link or network used by the computer;

but does not include a mere interception of any such communication.

inland waters means waters within Australia other than waters of the sea.

insurance business has the same meaning as in the Insurance Act 1973.

internet carriage service means a listed carriage service that enables end-users to access the internet.

life insurance business has the same meaning as in the Life Insurance Act 1995.

liquid fuel has the same meaning as in the Liquid Fuel Emergency Act 1984.

listed carriage service has the same meaning as in the Telecommunications Act 1997.

local hospital network has the same meaning as in the National Health Reform Act 2011.

managed service provider , in relation to an asset, means an entity that:

(a) manages:

(i) the asset; or

(ii) a part of the asset; or

(b) manages an aspect of:

(i) the asset; or

(ii) a part of the asset; or

(c) manages an aspect of the operation of:

(i) the asset; or

(ii) a part of the asset.

medical supplies includes:

(a) goods for therapeutic use; and

(b) things specified in the rules.

Ministerial authorisation means an authorisation under section 35AB.

modification :

(a) in respect of computer data - means:

(i) the alteration or removal of the data; or

(ii) an addition to the data; or

(b) in respect of a computer program - means:

(i) the alteration or removal of the program; or

(ii) an addition to the program.

national broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

National Register of Higher Education Providers means the register established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011.

notification provision means:

(a) subsection 35AE(3); or

(b) subsection 35AE(4); or

(c) subsection 35AE(5); or

(d) subsection 35AE(6); or

(e) subsection 35AE(7); or

(f) subsection 35AE(8); or

(g) subsection 35AH(5); or

(h) subsection 35AH(6); or

(i) subsection 35AH(7); or

(j) subsection 35AY(3); or

(k) subsection 35AY(4); or

(l) subsection 35AY(5); or

(m) subsection 35AY(6); or

(n) subsection 35AY(7); or

(o) subsection 35AY(8); or

(p) subsection 51(3); or

(q) subsection 52(4).

Ombudsman official means:

(a) the Ombudsman; or

(b) a Deputy Commonwealth Ombudsman; or

(c) a person who is a member of the staff referred to in subsection 31(1) of the Ombudsman Act 1976.