Revised Explanatory Memorandum
(Circulated by authority of the Minister for Home Affairs and Minister for Cyber Security, the Honourable Tony Burke MP)
GENERAL OUTLINE
The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (the Bill) amends the Intelligence Services Act 2001 (IS Act), to legislate a limited use obligation to protect the information voluntarily provided to, or acquired or prepared by the Australian Signals Directorate (ASD) during an impacted entity's engagement in relation to a cyber security incident or a cyber security incident that may potentially occur. The information protected by this obligation is referred to as 'limited cyber security information' both throughout the Bill, and in this explanatory memorandum.
The amendments in this Bill complement the 'limited use' obligation applicable to the National Cyber Security Coordinator outlined under Part 4 of the Cyber Security Bill 2024.
The Bill also amends the Freedom of Information Act 1982 to include an exemption from Freedom of Information requests for a document given to, or received by, the National Cyber Security Coordinator (the Coordinator) for the purposes set out under Part 4 of the Cyber Security Bill 2024.
Schedule 1: Amendments establishing a limited use obligation on ASD
Schedule 1 of the Bill implements a key initiative of the 2023-2030 Australian Cyber Security Strategy, designed to encourage industry engagement with Government regarding a cyber security incident. Industry engagement is encouraged by providing entities with assurance, through a legislative mechanism, that information reported to ASD will not be on-shared and subsequently used by recipients for reasons other than permitted cyber security purposes.
ASD is the lead technical authority in providing cyber security advice and assistance to Australian Government departments, businesses and individuals. Critical to ASD's success in performing this role is its ability to:
- a. mitigate harms in early stages of cyber incidents through aggregating information derived from diverse sources;
- b. provide advance warning of potential threats to Australia and Australia's interests;
- c. provide technical incident management advice and assistance to entities affected by a cyber security incident;
- d. develop and maintain a comprehensive national cyber threat picture; and
- e. provide advice on the uplift of cyber security.
ASD is best enabled to perform its cyber security function where partnerships are underpinned by high levels of trust that, in turn, enable the free flow of rich cyber security related information between industry and government. The amendments in the Bill are necessary to address a decline in the quality, quantity and timeliness of proactive engagement with ASD in light of the evolving regulatory environment.
Both industry feedback and ASD's operational experience indicate a declining willingness from entities to share technical cyber security incident, network telemetry, and vulnerability information in a timely fashion with ASD. This trend has been driven in part by compliance and risk-based considerations as entities assess their obligations against various regulatory regimes, and potential exposure to litigation. This decreasing engagement and information flow between industry and ASD presents a significant risk to Australia's national cyber security posture, as it impedes ASD's ability to maintain a comprehensive national cyber threat picture and provide timely technical cyber security advice and assistance.
Schedule 1 of the Bill amends the IS Act to establish a clear legislative obligation in relation to cyber security information that is voluntarily provided by entities or through their representatives to, or acquired or prepared by, ASD. As amended, the IS Act will make clear that ASD will only on-share limited cyber security information for permitted cyber security purposes. Schedule 1 of the Bill also prescribes how a receiving party may use limited cyber security information when on-shared by ASD.
Cyber security incident information must meet a prescribed threshold in order to be classified as limited cyber security information to be protected by the limited use obligation. The information must relate to a cyber security incident that has occurred, is occurring or has the potential to occur. This broad applicability allows the limited use obligation to protect information relating to the discovery of vulnerabilities on a system, in addition to incident information where exploitation has occurred. Further, Schedule 1 applies to information which has been voluntarily provided to ASD by an impacted entity or a representative of the impacted entity, such as an incident response provider. Information that is acquired or prepared by ASD, through the performance of its functions and with the consent of the entity, is also eligible for classification as limited cyber security information. This enables technical programs administered by ASD where an entity is informed of a breach to be covered by the Schedule, to promote early and open engagement with ASD.
Schedule 1 of the Bill does not restrict ASD's internal use of the relevant information or mandate any sharing of information with others. ASD maintains discretion as to whether and how much information is on-shared for a permitted cyber security purpose. The limited cyber security information will only apply to the information provided to, or acquired or prepared by, ASD and any communication of that information on-shared by ASD. The limited use obligation does not apply to any information relating to the cyber security incident held by the impacted entity that is shared by them through other means at its discretion.
Subject to specific provisions, Schedule 1 also provides protections to limited cyber security information in Commonwealth, State and Territory court proceedings, such that the information is not admissible in court proceedings against the impacted entity, subject to certain exceptions. Additional protections apply to the Director-General of ASD and staff members of ASD from being subpoenaed or compelled to provide limited cyber security information in State, Territory or Commonwealth proceedings.
Schedule 1 of the Bill strikes an appropriate balance between providing assurance to entities to encourage early and open engagement with ASD, and protecting broader public interests by not impeding an effective and efficient regulatory environment. The amendments do not:
- f. impact the reporting and notification requirements of entities under existing legislation to Australian regulatory bodies;
- g. preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information gathering powers; or
- h. provide a shield or safe harbour for entities against legal liability.
Australia's cyber threat environment continues to evolve. Australia's critical infrastructure networks are regularly targeted by opportunistic and persistent threat actors. Malicious cyber actors are quick to exploit critical vulnerabilities and consistently adapt their already disruptive tactics to obtain maximum benefit. The speed with which cyber threats spread and evolve means that no single organisation or person can effectively defend against all threats alone. By promoting early and fulsome engagement with ASD, the limited use obligation will bolster ASD's ability to mitigate harms in early stages of cyber incidents, warn others of potential threats, provide incident management advice and assistance, provide advice on cyber security uplift, and maintain a comprehensive national cyber threat picture. Cooperation on a national scale is one of Australia's greatest advantages against malicious cyber activity.
ASD is subject to a range of legislative requirements in the IS Act. The limited use obligation is not intended to impede or fetter ASD's existing legislative oversight arrangements. However, information that is provided to, or acquired or prepared by, ASD will fall under existing exemptions under the Freedom of Information Act 1982 (FOI Act) and Privacy Act 1988 (Privacy Act) applicable to ASD information.
CONSULTATION
On 19 December 2023, the Minister for Home Affairs and Minister for Cyber Security released the Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper. Consultation remained open until 1 March 2024. The Department of Home Affairs received over 130 written submissions and stakeholders were broadly supportive of the limited use proposal with feedback focused on ensuring the measure achieves its intended outcomes.
On 4 September 2024, the Department of Home Affairs released a targeted exposure draft of the proposed legislative reform package. The exposure draft period closed on 11 September 2024, with over 60 written submissions received, and over 200 attendees at two closed-door virtual town halls. Feedback on the limited use proposal was broadly supportive, with stakeholders keen to ensure the sharing of information is limited in order to achieve the stated intent.
FINANCIAL IMPACT STATEMENT
There are no financial impacts arising from this Bill.
STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS
A Statement of Compatibility with human rights in respect of the amendments contained in the Bill is at Attachment A. The Statement assesses the amendments to be compatible with Australia's human rights obligations.
COMMON ABBREVIATIONS AND ACRONYMS
The following abbreviations and acronyms are used throughout this Explanatory Memorandum.
| Abbreviation or Acronym | Definition |
|---|---|
| ACIC | Australian Criminal Intelligence Commission |
| AGO | Australian Geospatial-Intelligence Organisation |
| ASD | Australian Signals Directorate |
| ASIO | Australian Security Intelligence Organisation |
| ASIS | Australian Secret Intelligence Service |
| Coordinator | National Cyber Security Coordinator |
| CS Act | Cyber Security Act 2024 |
| DIO | Defence Intelligence Organisation |
| FOI Act | Freedom of Information Act 1982 |
| IGIS | Inspector-General of Intelligence and Security |
| IS Act | Intelligence Services Act 2001 |
| ONI | Office of National Intelligence |
| Privacy Act | Privacy Act 1988 |
| SOCI Act | Security of Critical Infrastructure Act 2018 |
| The Act | Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 |
| The Bill | Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 |
NOTES ON CLAUSES
Clause 1 Short title
1. This section provides that the short title of this Bill, once enacted, will be the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (the Act).
Clause 2 Commencement
2. Subsection 2(1) provides that each provision of the Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
3. The effect of table items 1 and 2 is that the Act will commence the day after the Act receives Royal Assent, at the same time as the Cyber Security Act 2024 (CS Act).
Schedule 1 Limited use of certain cyber security information
Intelligence Services Act 2001
Item 1 Subsection 3(1)
4. Item 1 provides definitions for terms which facilitate the amendments to the IS Act being made by the Bill.
5. Subsection 41BA(5) provides for the meaning of Commonwealth body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
6. Subsection 41BA(5) provides for the meaning of Commonwealth enforcement body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
7. Subsection 3(1) provides for the meaning of computer. This term has the same meaning given by the Security of Critical Infrastructure Act 2018 (SOCI Act). This term is intended to capture all or parts of an individual computer, a collection of computers that form a network or system, or any combination of these. A computer has the capability to store or process data, or be used to monitor, control or do anything else that is connected to the functioning of an asset. For example, a Supervisory Control and Data Acquisition (SCADA) system is considered to be a computer.
8. Subsection 41BA(4) provides for the meaning of a cyber security incident.
9. Subsection 41BA(5) provides for the meaning of an entity for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
10. Subsection 41BA(1) provides for the meaning of limited cyber security information.
11. Subsection 41BA(5) provides for the meaning of a State body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
Item 2 After Division 1 of Part 6
Division 1A Communication and use of limited cyber security information
41BA Cyber security information for which communication and use is limited by this Division
12. Section 41BA outlines when cyber security information is captured by the limited use obligation. The section defines what constitutes limited cyber security information which is a key term used throughout the Division to refer to the information to which it applies.
13. Subsection (1) provides for the meaning of limited cyber security information. This section provides that information is limited cyber security information if the information:
- a. relates to:
  - i. a cyber security incident that has occurred or is occurring; or
  - ii. a cyber security incident that may potentially occur; and
- b. has been acquired or prepared by ASD in a circumstance mentioned in subsection (2); and
- c. is not subject to an exception mentioned in subsection (3).
14. Subsection (1) does not capture the original information that an entity holds. The limited use obligation is not designed to create a shield against legal liability or civil regulatory actions, but to protect the information once it is in the hands of ASD.
15. Subsection (2) restricts the application of the Division to information that has been:
- a. voluntarily provided to ASD in the performance of its functions by, or on behalf of, an impacted entity, such as an incident response provider. The impacted entity must:
  - i. be, have been, or would reasonably be expected to be, directly or indirectly impacted by a cyber security incident; or
  - ii. be, or would reasonably be expected to be, impacted by a potential cyber security incident.
- b. acquired or prepared by ASD in the performance of its functions, with the consent of the impacted entity, such as through an ASD technical program; or
- c. acquired by the National Cyber Security Coordinator (Coordinator) and disclosed to ASD under the limited use obligation in the CS Act.
16. Subsection (3) excludes certain information from the protections in the Division. The section provides that the limited use obligation does not capture:
- a. information provided to ASD, or another Commonwealth body, for mandatory reporting purposes including (but not limited to) the mandatory ransomware reporting obligation under Part 3 of the CS Act; the mandatory cyber incident reporting obligation for critical infrastructure under Part 2B of the SOCI Act; the requirement under the Telecommunications Act 1997; or any other requirement under a prescribed law.
  - i. The ability to prescribe laws has been included to enable flexibility in the legislation to account for any future mandatory reporting obligations or inclusions which may be facilitated through ASD.
  - ii. ASD is not a Commonwealth enforcement body, or regulator, and does not hold regulatory powers to enforce compliance against mandatory reporting obligations. The exclusion of information that has been provided to ASD for mandatory reporting purposes, obligations or requirements ensures this information can be transferred to the responsible regulator and does not override or displace any legislative responsibilities entities may have in relation to reporting cyber security incidents.
- b. information that has already been made lawfully available to the public;
- c. information about an entity that has been de-identified such that it is no longer about an identifiable or reasonably identifiable entity. The exclusion of de-identified information ensures ASD can continue to provide cyber security advice and mitigations through classified and public avenues, in accordance with ASD's existing functions.
17. The exclusions in subsection (3) (paragraphs (b) and (c)) ensure that once information is appropriately de-identified ASD can continue to provide cyber security advice and mitigation, to relevant partners and the public.
18. As per existing legislative arrangements, ASD's exemptions under the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act) remain.
19. Subsection (4) provides for the meaning of a cyber security incident. This section provides that a cyber security incident includes:
- a. one or more acts, events or circumstances:
  - i. of a kind covered by the meaning of cyber security incident in the SOCI Act;
  - ii. involving unauthorised impairment of electronic communication to or from a computer, but as if that phrase did not exclude the mere interception of any such communication; or
- b. the discovery of unintended or unexpected vulnerabilities in a computer, computer data, or a computer program, that, if exploited, would result in a cyber security incident within the meaning of paragraph (a).
20. Subsection (4) (paragraph (a)(ii)) ensures that the definition of a cyber security incident incorporates acts, events or circumstances which involve the unauthorised interception of a communication that impairs electronic communication to or from a computer. For the conduct to be unauthorised, it must have occurred without valid authorisation, whether by legislation, contract, or other agreement or arrangement.
21. A cyber security incident includes, but is not restricted to, the following:
- a. data breaches - unauthorised access and disclosure of data;
- b. denial of service and distributed denial of service attacks - overwhelming a service with traffic, sometimes impacting availability;
- c. industrial control system compromises - unauthorised access to an industrial control system;
- d. malware infections - a Trojan, virus, worm or any other malicious software that can harm systems, services or networks;
- e. phishing attacks - deceptive messaging designed to elicit users' sensitive data (such as banking logins or business login credentials) or used to execute malicious code to enable remote access; and
- f. ransomware attacks - a tool used to lock or encrypt victims' files until a ransom is paid.
22. Subsection (4) (paragraph (b)) expands the meaning of a cyber security incident to capture vulnerabilities that have the potential to be exploited and cause a cyber security incident.
23. The meaning of vulnerabilities is intended to capture unintended or unexpected weaknesses in a computer's security requirements, design, implementation or operation that could be accidentally triggered or intentionally exploited and result in a violation of the computer's security policy.
24. Reporting and engaging with ASD on vulnerabilities gives vendors and developers more time to mitigate the vulnerabilities and enable affected systems of national interest to reduce their exposure, minimising the potential harm caused if the vulnerabilities were to be exploited.
25. Encouraging entities to report the discovery of vulnerabilities to ASD provides greater opportunity for vendors and entities to mitigate risk and better protect systems of national interest.
26. A vulnerability includes, but is not restricted to, the following:
- a. outdated software - by using outdated software, critical security updates may be missed, giving cybercriminals more opportunities to access data and systems;
- b. misconfigured access controls - insufficient controls on user accounts may allow cybercriminals to access information and systems from across a user network;
- c. lack of multi-factor authentication - without multi-factor authentication, cybercriminals can use previously stolen passwords to try and access other accounts; and
- d. insecure macro settings - malicious macros can access sensitive information, download malware, and erase data.
27. Subsection (5) provides for the meaning of a Commonwealth body, Commonwealth enforcement body, entity and State body. These terms have the same meaning given by the CS Act.
41BB Limited cyber security information can only be communicated by ASD for permitted cyber security purposes
28. Section 41BB imposes specific limitations on the communication of limited cyber security information by ASD.
29. Subsection (1) places a restriction on staff members of ASD, including the Director-General of ASD, to only communicate limited cyber security information to a person who is not a staff member of ASD for a permitted cyber security purpose.
30. Subsection (1) (paragraph (a)) allows ASD to communicate limited cyber security information for the purpose of undertaking any of ASD's functions under the IS Act. This includes, assisting an impacted entity to respond to, mitigate or resolve an actual or potential cyber security incident, or providing technical assistance or advice to an entity on the prevention of a cyber security incident or potential cyber security incident.
- a. ASD does not have a function to assist in the investigation or enforcement of any regulatory action. The permitted cyber security purposes have been drafted such as to constrain the communication of limited cyber security information to circumstances where ASD has pre-existing legislative authority.
- b. Subsection (1) (paragraph (a)) should not be read down in light of paragraphs (b) through (i). If the communication of limited cyber security information is within ASD's functions per paragraph (a), then the communication does not have to also fall within another permitted cyber security purpose.
31. Subsection (1) (paragraph (b)) allows ASD to inform and advise relevant Ministers about a cyber security incident or potential cyber security incident. This purpose ensures that, where necessary, Ministers can be made aware of, and be provided with relevant advice, about emerging and ongoing threats to Australia's national security.
- a. In the occurrence of a major or significant cyber security incident, this purpose ensures Ministers can be briefed by ASD on the details of an incident to support their understanding of the severity of the incident. For example, ASD could rely upon this purpose to inform the Attorney-General of the significance of a cyber security incident, as related to the exercise of ministerial powers to declare a data breach.
32. Subsection (1) (paragraph (c)) allows ASD to communicate limited cyber security information to a Commonwealth body for the performance of their functions relating to responding to, mitigating or resolving a cyber security incident or potential cyber security incident.
- a. This purpose does not include a Commonwealth enforcement body, which is captured by paragraph (i).
33. Subsection (1) (paragraph (d)) allows ASD to communicate limited cyber security information to a State body for the performance of their functions relating to responding to, mitigating or resolving a cyber security incident (within the meaning of the CS Act).
- a. However, ASD must not communicate limited cyber security information to a State body under this Division unless a Minister of the State or Territory has 'opted in', or provided consent, to this Division applying to the State body as outlined in section 41BD(5). This ensures that ASD does not impermissibly burden or impose undue obligations on how a State body could use the information that is provided to them by ASD.
34. Subsection (1) (paragraph (e)) allows ASD to communicate limited cyber security information to the Coordinator for the performance of their functions under Part 4 of the CS Act relating to a cyber security incident (within the meaning of CS Act).
- a. This ensures the Coordinator can be notified of, and be provided with information relevant to, a significant cyber security incident such that they can co-ordinate whole of government responses (where appropriate and necessary).
35. Subsection (1) (paragraph (f)) allows ASD to communicate limited cyber security information to listed intelligence agencies for the performance of their functions. The intelligence agencies to which ASD can communicate such information include the Australian Secret Intelligence Service (ASIS), Australian Geospatial-Intelligence Organisation (AGO), Australian Security Intelligence Organisation (ASIO), Defence Intelligence Organisation (DIO) and Office of National Intelligence (ONI).
- a. This ensures that ASD does not adversely impact or hinder the abilities of other intelligence agencies in the performance of their functions. The Bill will not confer any new functions on a recipient intelligence agency.
36. Subsection (1) (paragraph (g)) allows ASD to communicate limited cyber security information to the Inspector-General of Intelligence and Security (IGIS) for the performance of their functions.
- a. To support the effective performance of its statutory functions, ASD has been entrusted with significant powers. These significant powers are balanced by both appropriate and effective oversight such as to ensure that ASD acts with legality, propriety and consistency with human rights.
37. Subsection (1) (paragraph (h)) allows ASD to communicate limited cyber security information to the Australian Criminal Intelligence Commission (ACIC) for the performance of its functions.
38. Subsection (1) (paragraph (i)) allows ASD to communicate limited cyber security information to a Commonwealth enforcement body for the performance of their functions. This purpose is restricted, however, to circumstances that relate to either the investigation or enforcement of the Division or a law that imposes a penalty or sanction for a criminal offence.
39. Paragraphs (b) to (i) of subsection (1) do not limit how ASD may communicate limited cyber security information in the performance of any of ASD's functions under the IS Act as set out in paragraph (a).
40. The permitted cyber security purposes do not create an obligation on ASD to communicate limited cyber security information to any person who is not a staff member of ASD. ASD will maintain discretion as to whether (if at all) limited cyber security information is shared with others, and how much limited cyber security information is shared with others.
41. The permitted cyber security purposes strike a reasonable and necessary balance between facilitating the performance of the functions of ASD, the Australian intelligence community and broader government, and protecting the information shared by an impacted entity in relation to cyber security incident or potential cyber security incident. It is intended that these restrictions will provide improved awareness and assurance of how ASD shares information, and thereby facilitate greater information sharing between industry and ASD.
42. Subsection (2) provides restrictions on the use and communication of limited cyber security information for civil or regulatory action. It specifies the Director-General of ASD, or a staff member of ASD, must not communicate such information for the purpose of investigating or enforcing, or assisting in the investigation or the enforcement, of any contravention of a Commonwealth, State or Territory law where:
- a. the contravention is by an impacted entity that:
  - i. originally voluntarily provided the information to ASD;
  - ii. consented to the information being acquired or prepared by ASD; or
  - iii. originally voluntarily provided the information to the Coordinator; and
- b. the contravention is not a contravention by an impacted entity of:
  - i. this Division; or
  - ii. a law that imposes a penalty or a sanction for a criminal offence.
43. Subsection (2) is applicable only to the limited cyber security information that has been voluntarily provided to, or acquired or prepared by, ASD. This subsection ensures that information captured by the limited use obligation cannot be used for civil or regulatory action against the impacted entity. However, this does not prevent regulatory agencies from using their own powers to acquire the information directly from the impacted entity.
44. Subsection (3) specifies that subsection (1) does not authorise the Director-General of ASD, or a staff member of ASD, to communicate limited cyber security information to the extent that is prohibited or limited by or under this Act.
41BC Limitations on secondary use and communication of limited cyber security information
45. Section 41BC imposes limitations on the secondary use and communication of limited cyber security information by an entity (where the entity is a Commonwealth Corporation), Commonwealth body or State body. Further, this section gives effect to the limited use obligation by establishing a civil penalty for a contravention of the section.
46. Subsection (1) specifies that the circumstances in which the limited use obligation would apply to limited cyber security information includes where:
- a. the information has been acquired under subsection 41BA(1) or under this subsection by:
  - i. a Commonwealth body;
  - ii. a State body;
  - iii. an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; and
- b. the information is held by the entity, Commonwealth body or State body.
47. Subsection (1) does not apply to information that is held by the entity, Commonwealth body or State body to the extent that it has been otherwise acquired.
48. Subsection (2) imposes specific limitations on the use or communication of limited cyber security information by the entity, Commonwealth body or State body. This subsection provides that a recipient of the limited cyber security information from ASD may only use or communicate that information for a narrowly defined and constrained set of permitted cyber security purposes. This ensures that when limited cyber security information is on-shared, there are restrictions and protections on the information.
- a. The note to subsection (2) refers to the limitations in the new section 41BD(4), which provides that limited cyber security information must not be communicated to a State body unless a Minister of the State or Territory has consented to this Division applying to the State body.
49. Subsection (3) provides a restriction on the use and disclosure of limited cyber security information for civil or regulatory action. It specifies an entity, Commonwealth body or State body must not communicate such information for the purpose of investigating or enforcing, or assisting in the investigation or the enforcement, of any contravention of a Commonwealth, State or Territory law, subject to certain exceptions.
50. Subsection (3) ensures that information captured by the limited use obligation cannot be used for civil or regulatory action against the impacted entity. However, this does not prevent regulatory agencies from using their own powers to acquire the information directly from the impacted entity. Further, this does not prevent a Commonwealth law enforcement body from using the information to investigate or enforce a criminal offence perpetrated by an impacted entity.
51. Subsection (5) specifies that subsection (2) does not prohibit the use or communication of limited cyber security information where:
- a. the information is personal information about an individual, where the entity is an individual;
- b. the information is limited cyber security information, where the impacted entity has provided consent to an entity, Commonwealth body or State body, and:
  - i. originally voluntarily provided the information to ASD;
  - ii. consented to the information being acquired or prepared by ASD; or
  - iii. originally voluntarily provided the information to the Coordinator; or
- c. the information is for the purpose of carrying out a State's constitutional functions, powers or duties.
52. Subsection (5) (paragraph (b)) specifies that limited cyber security information can be used or communicated where the impacted entity has provided consent. This ensures that the impacted entity is able to share the limited cyber security information to others for purposes outside of those outlined in subsection (2).
53. Subsection (6) provides the circumstances in which an entity would be liable to a civil penalty. An entity will be liable to a civil penalty of 60 penalty units where:
- a. the entity contravenes subsection (2); and
- b. the entity is not a Commonwealth officer within the meaning of Part 5.6 of the Criminal Code Act 1995 (Criminal Code); and
- c. any of the following circumstances apply:
  - i. the information is sensitive information within the meaning of the Privacy Act about the individual, and the individual has not consented to the use or communication of that information;
  - ii. the information is confidential or commercially sensitive; or
  - iii. the use or communication of the information would, or could reasonably be expected to cause, damage to the security, defence or international relations of the Commonwealth.
54. The Commonwealth Guide to Framing Offences, Infringement Notices and Enforcement Powers (the Guide) has been considered in framing the penalty provisions in this section. The principle set out in 3.1.2 of the Guide provides that penalties should be consistent with penalties for existing offences of a similar kind or of a similar seriousness. There are a large variety of secrecy offences across Commonwealth legislation, each with a civil penalty applied that is adapted and proportionate to the harm caused by the unauthorised record, use or disclosure of that information.
55. The quantum of the civil penalty in subsection (6) is designed to ensure appropriate levels of deterrence and be sufficiently high to justify the need for enforcement by a court. The penalty is also proportionate to the seriousness of the contravention in this Act. That is, it is the unauthorised disclosure or use of sensitive information, information that is confidential or commercially sensitive, or is information that the record, use or disclosure would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
56. The penalty unit amounts are consistent across all the civil penalty provisions within this Act. In addition, the penalty unit amount of 60 penalty units is considered to be proportionate to the consequence of contravention of the civil penalty provisions in this Act. At the time this explanatory memorandum was prepared (July 2024), a penalty unit was $330.
57. This section is not intended to displace the operation of any provision under the Criminal Code or any other Act of the Commonwealth and should be read to be consistent with such Acts.
41BD Application of section 41BC to the Crown
58. Section 41BD provides that the Crown is bound in right of each of its capacities, and is not liable to be prosecuted for an offence. Section 41BD also introduces a consent mechanism to allow for the communication of limited cyber security information to a State body under this Division.
59. Subsection (4) establishes a consent mechanism to ensure that limited cyber security information can be communicated, where necessary, to a State body. Limited cyber security information can only be communicated to a State body where:
- a. a Minister of the State body has informed the responsible Minister for ASD, in writing, that they consent to the provisions of this Division applying to them; and
- b. a Minister of the State body has not informed the responsible Minister for ASD, in writing, that they have withdrawn their consent to the provisions of this Division applying to them.
60. Subsection (4) ensures the limited cyber security information has the same protections at a State and Territory level as at the Commonwealth level.
61. Subsection (5) allows a Minister of a State or Territory to decide on the extent to which the Division is applicable to all bodies of that State or Territory.
41BE Legal Professional Privilege
62. Subsection (1) specifies that the provision of limited cyber security information to ASD by an entity does not otherwise affect a claim of legal professional privilege that anyone may make in any of the specified proceedings.
63. While protection of privileged information cannot be assured, the limitations on secondary use and communication, and the protections from admissibility under section 41BF, are intended to provide a level of protection to the information and encourage disclosure.
41BF Admissibility of limited cyber security information voluntarily given by an impacted entity
64. Section 41BF limits the admissibility of limited cyber security information in criminal or civil proceedings against the impacted entity, subject to certain exceptions. The section specifies that limited cyber security information held by ASD, a Commonwealth body or State body, is inadmissible insofar as:
- a. the information relates to a cyber security incident; and
- b. the information either:
  - i. has been voluntarily provided to ASD by, or on behalf of, an entity; or
  - ii. has been acquired or prepared by ASD with the consent of the entity; and
- c. the information has been prepared by, as referred to in paragraph 41BA(2)(b), acquired by, as referred to in paragraph 41BA(2)(a) or (b), or acquired under subsection 41BB(1) or section 41BC by a Commonwealth body or a State body; and the information is held by the Commonwealth body or State body.
65. The section ensures that adequate protections around the information shared with ASD, and subsequently on-shared under the limited use obligation, are established to encourage open and timely sharing of information between ASD and industry without fear of exposure to litigation. However, the limited use obligation is not intended to be a safe harbour to shield an entity from legal liability. This obligation is not intended to restrict law enforcement or regulators gathering information directly from the originating entity using their existing powers, and information gathered in that way would not be covered by the restriction on admissibility.
66. The inclusion of notes under this section serves to clarify the application of the provisions, and note the fact that ASD is a Commonwealth body.
67. Subsection (2) provides that limited cyber security information is not admissible as evidence against the impacted entity in Commonwealth, State or Territory criminal proceedings, subject to limited exceptions dealing with false or misleading information, or in certain Commonwealth, State or Territory civil proceedings dealing with obstruction of Commonwealth public officials.
68. Subsection (2) (paragraph (a)) does not prevent a Commonwealth enforcement body from using limited cyber security information in investigating or enforcing a contravention of a criminal law; however, such information would not be admissible in proceedings for contravention by the impacted entity of a criminal law. This ensures the limited use obligation does not provide a shield against criminal activity by the impacted entity, or fetter a Commonwealth enforcement body's existing powers to seek the information directly from the impacted entity.
69. Subsection (2) (paragraphs (b), (c) and (d)) provides that limited cyber security information is not admissible in civil proceedings for a contravention of a civil penalty, or in proceedings for a breach of any other Commonwealth, State or Territory law, or in proceedings before a Tribunal.
70. Subsection (3) notes that the limitation on admissibility of limited cyber security information does not apply to:
- a. a coronial inquiry or a Royal Commission in Australia; or
- b. proceedings in the federal court exercising original jurisdiction involving a writ of mandamus or prohibition or injunction sought against a Commonwealth Officer.
41BG Director-General of ASD and staff members of ASD not compellable as witnesses in relation to limited cyber security information
71. Section 41BH prevents the Director-General and staff members of ASD, both former and current, from being compelled to comply with certain court orders in relation to limited cyber security information. Similar to section 41BF, this section provides an additional protection around limited cyber security information that an entity shares with ASD.
41BH How this division applies to non-legal persons
72. Section 41BI specifies how permissions and rights are conferred and exercised, and how obligations and duties are imposed and discharged, on an entity that is a non-legal person. The section also applies a civil penalty provision on a non-legal person that contravenes this Division.
41BI Contravening a civil penalty of this Division
73. For the purposes of enforcing the civil offence of this Division, the Department of Home Affairs will be the responsible regulatory body.
Schedule 2 - Other Amendments
Freedom of Information Act 1982
Item 1 After subsection 7(2G)
1. This item inserts a new subsection (2H) to section 7 of the Freedom of Information Act 1982. This subsection sets out that a document given to, or received by, the National Cyber Security Coordinator (the Coordinator) for the purposes set out under Part 4 of the Cyber Security Act 2024 is exempt from the operation of the Freedom of Information Act 1982.
2. Part 4 of the Cyber Security Act 2024 establishes a complementary regime to the new Division 1A of Part 6 of the IS Act. That Part establishes a 'limited use' obligation that restricts how cyber security incident information provided to the Coordinator during a cyber security incident can be used or disclosed. The intention of the regime is to provide confidence to entities that engage with the Coordinator that the information will only be used for permitted cyber security purposes. Such information is inadmissible in proceedings against that entity and certain entities that handle the information are not compellable as witnesses in relation to that information.
3. Part 4 of the Cyber Security Act 2024 is intended to incentivise rapid information sharing to ensure that the affected entity, the Coordinator and any recipients of the information for prescribed cyber security purposes are able to respond to, mitigate or resolve the cyber security incident as quickly as possible. For non-government entities, the chief objective is to incentivise rapid and open information sharing and to minimise fear of regulatory reprisal. As such, information is likely to be provided very quickly by affected entities, during a cyber incident, when they will not necessarily have the time to thoroughly vet, caveat or classify the information that is provided to the Coordinator.
4. New subsection (2H) to section 7 of the Freedom of Information Act 1982 provides a complementary additional safeguard for the information collected under that regime. While there are a series of robust exemptions under Part 4 of the Freedom of Information Act 1982, they are not complete and are not sufficient to capture all types of information that may be provided during a cyber incident. It is possible that an entity would provide information to the Coordinator that is not subject to an existing exemption, where that information is pertinent to a response to, mitigation of or resolution to a cyber security incident, but where that entity would refuse to voluntarily provide that information as a result of a concern that the information could become public information through a relevant request under the Freedom of Information Act 1982.
5. Furthermore, certain exemptions within that Act are conditional on a public interest test. The objective of this carve-out for information obtained under Part 4 of the Cyber Security Act 2024 is to ensure that the entity does not have to undergo an assessment of whether such a conditional exemption would apply, and can have full confidence that the information will be handled confidentially by government.
Attachment A Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
The Bill proposes amendments to the Intelligence Services Act 2001 (IS Act) and consequential amendments arising from the Cyber Security Act 2024 (CS Act) to place restrictions on the use and communication of certain cyber security information.
The Bill prescribes limited purposes, referred to as permitted cyber security purposes, for which the Australian Signals Directorate (ASD) can communicate certain information relating to cyber security incidents. This information is referred to as limited cyber security information. Amongst other measures, the Bill prevents ASD from communicating limited cyber security information for the purposes of investigating or enforcing a contravention of a Commonwealth, State or Territory law (other than a criminal offence) against the impacted entity.
The Bill also provides limitations on secondary use and communication of limited cyber security information. For example, the information cannot be used or communicated for the purposes of investigating or enforcing a contravention of a Commonwealth, State or Territory law (other than a criminal offence) by the impacted entity.
The Bill places specific limitations on the admissibility of limited cyber security information in certain civil or criminal proceedings. The admissibility restrictions apply where limited cyber security information is held by ASD but has not yet been communicated to another entity. The Bill also specifies that the provision of cyber security information does not otherwise affect a claim of legal professional privilege in relation to that information.
The Bill further provides that staff members of ASD are not compellable as witnesses in relation to limited cyber security information in a direction, or civil or criminal proceeding, of a federal court or a court of a State or Territory.
These measures are designed to encourage industry engagement with ASD in relation to cyber security incidents. They do so by providing an impacted entity with the assurance that the information they provide to ASD will only be communicated for a set of prescribed purposes, and that there are protections in place that limit the circumstances where the information could be used against them for contraventions of Commonwealth, State or Territory laws.
Human Rights Implications
The Bill's amendments would engage the following human rights in the International Covenant on Civil and Political Rights (ICCPR):
- a. The right to a fair and public hearing under Article 14(1) and the right not to be compelled to testify under Article 14(3)(g);
- b. The prohibition on interference with privacy under Article 17; and
- c. The right to freedom of expression under Article 19(2).
Schedule 1 Right to a fair and public hearing and the right not to be compelled to testify
Some of the proposed measures of the Bill engage the right to a fair and public hearing contained in Article 14(1) and the right not to be compelled to testify in Article 14(3)(g) of the ICCPR, which provides (in part):
(1) All persons shall be equal before the courts and tribunals. In the determination of any criminal charge against him, or of his rights and obligations in a suit at law, everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.
(3)(g) In the determination of any criminal charge against him, everyone shall be entitled not to be compelled to testify against himself or to confess guilt.
A broad range of protections including, but not limited to, the right that no person shall be compelled to testify against themselves or to confess guilt, to be presumed innocent until proved guilty, and to have their conviction and sentence reviewed by a higher tribunal, are contained in Article 14 of the ICCPR. Any limitation to the right to a fair and public hearing is permissible insofar as the limitation is reasonable, proportionate and for a legitimate objective.
Schedule 1, Item 2, would engage the right to a fair and public hearing. New section 41BF imposes specific limitations on the admissibility of limited cyber security information in civil or criminal proceedings against an impacted entity in a federal court or a court of a State or Territory.
To the extent that section 41BF provides additional safeguards against the use in criminal proceedings of limited cyber security information voluntarily given by an impacted entity, other than in the manner set out in that section, Article 14(3)(g) will be engaged where the entity is an individual. Because these safeguards expand the application of admissibility protections, this Bill promotes human rights by providing additional safeguards.
New section 41BG provides that the Director-General of ASD, and staff members of ASD, are generally not compellable as witnesses in relation to limited cyber security information.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BF and 41BG is increasing cyber security incident reporting to ASD, and mitigating the associated consequences and adverse harms caused by such incidents.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable limited cyber security information to be voluntarily provided in order to facilitate the preparation and response to cyber security incidents and vulnerabilities by the Commonwealth.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be provided in certain court proceedings are reasonable, necessary and proportionate given the parameters of the limitations.
With respect to new section 41BF, the range of court proceedings has been confined to those of most concern to industry and designed only to apply to the impacted entity. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used in criminal or civil proceedings. The measure works in favour of an impacted entity and, as such, does not adversely impact the right of an impacted entity or any other entity to a fair trial. The sections do not limit or affect any right, privilege or immunity that the impacted entity has, apart from those in the relevant sections, as a defendant in any proceedings.
With respect to new section 41BG, the restrictions on the compellability of staff members of ASD have been limited to court proceedings of most concern to industry and designed only to apply to evidence relating to limited cyber security information. The measure is intended to protect national security by preventing information relating to the internal processes of ASD from being inadvertently disclosed, and to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being compelled from staff members of ASD as evidence in civil or criminal proceedings. The measure works in favour of an impacted entity and, as such, does not adversely impact the right of an impacted entity or any other entity to a fair trial.
Schedule 1 Right to Freedom of Expression
Some of the proposed measures of the Bill engage the right to freedom of expression contained in Article 19(2) of the ICCPR, which provides (in sum):
(2) Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art or through any other media of his choice.
The right in Article 19(2) protects freedom of expression in any medium, for example, written and oral communications, the media, public protest, broadcasting, artistic works and commercial advertising.
Under Article 19(3) freedom of expression may be limited as provided for by law and where necessary to protect the rights and reputations of others, national security, public order, or public health or morals. Limitations must be prescribed by legislation, necessary to achieve the desired purpose and proportionate to the need on which the limitation is predicated.
Schedule 1, Item 2, would limit the right to freedom of expression. New section 41BB imposes specific limitations on the communication of limited cyber security information by staff members of ASD.
New section 41BC imposes specific limitations on the secondary use or communication of limited cyber security information by an entity that is a corporation to which paragraph 51(xx) of the Constitution applies, Commonwealth body or State body.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BB and 41BC is increasing cyber security incident reporting to ASD, mitigating the associated consequences and adverse harms caused by such incidents, and protecting national security.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable the communication of limited cyber security information by staff members of ASD, and the communication or use of limited cyber security information by the entity, Commonwealth body or State body, in order to facilitate the preparation and response to cyber security incidents and vulnerabilities by the relevant authority, agency, body or entity.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be communicated or used are reasonable, necessary and proportionate given the narrow parameters of the permitted cyber security purposes.
With respect to new section 41BB, the range of permitted cyber security purposes has been narrowly confined to the purposes of ASD's statutory functions as already defined in the IS Act and other purposes necessary to deal with a cyber security incident. Most purposes relate to the sharing of limited cyber security information with certain State bodies or Commonwealth entities to assist (or another equivalent) in the performance of their functions. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used (amongst other measures) for the purposes of a Commonwealth enforcement body enforcing or investigating a penalty or sanction (other than a penalty or sanction for a criminal offence) against the impacted entity. The measure strikes an appropriate balance between protecting an impacted entity from regulatory action relating to the disclosed information and preserving the ability to communicate such information for the investigation or enforcement of a criminal offence.
With respect to new section 41BC, the range of permitted cyber security purposes has been narrowly confined to the purposes of the recipient entities' functions as already defined in their relevant legislation. These purposes will not confer any new functions on the recipient entities. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used (amongst other measures) for the purposes of a Commonwealth enforcement body enforcing or investigating a penalty or sanction (other than a penalty or sanction for a criminal offence) against the impacted entity. The measure is further intended to protect national security by preventing the use or communication of confidential or commercially sensitive information, or information that would, or could reasonably be expected to cause, damage to the security, defence or international relations of the Commonwealth. New subsection 41BC(6) imposes a civil penalty of 60 penalty units for a breach of an obligation in new section 41BC; this penalty has been deliberately calibrated to reflect the minimum required to ensure compliance with the obligations.
Schedule 1 and 2 Prohibition on Interference with Privacy
Some of the proposed measures of the Bill engage the right to privacy contained in Article 17 of the ICCPR, which provides (in part):
(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
(2) Everyone has the right to the protection of the law against such interference or attacks.
While the United Nations Human Rights Committee (HRC) has not defined privacy, it should be understood to comprise freedom from unwarranted and unreasonable intrusions into activities that society recognises as falling within the sphere of individual autonomy. In order for an interference with the right to privacy to not be considered arbitrary or unlawful, the interference should be in accordance with the aims, objectives and provisions of the ICCPR, and should be reasonable in the circumstances. The right to privacy may be limited in the pursuit of a legitimate objective and, further, where the limitation is rationally connected to a legitimate objective and is not arbitrary.
Schedule 1, Item 2, would engage the right to privacy. New section 41BB imposes specific limitations on the communication of limited cyber security information by staff members of ASD. New section 41BC imposes specific limitations on the secondary use or communication of limited cyber security information by an entity, Commonwealth body or State body. Both new sections 41BB and 41BC provide for the disclosure of limited cyber security information which may in some circumstances include personal information. The inclusion of such information would never be the focus of limited cyber security disclosures, and would most likely be incidental to the communication of other information. The nature of the personal information which will be subject to disclosure will depend on the circumstances of the cyber security incident.
Part 4 of the Cyber Security Act 2024 (CS Act) establishes a complementary regime to the new Division 1A of Part 6 of the IS Act. Part 4 establishes a 'limited use' obligation that restricts how information provided to the National Cyber Security Coordinator (the Coordinator) during a cyber security incident can be used or disclosed, to provide confidence to entities that the information will only be used for permitted cyber security purposes. Limited use information may include incidental personal information.
Schedule 2 of the Bill amends the Freedom of Information Act 1982 (FOI Act) to include an exemption from Freedom of Information requests for a document given to, or received by, the Coordinator. Under new subsection 7(2H)(a) of the FOI Act, a document given to, or received by, the Coordinator for the purposes set out under Part 4 of the CS Act is exempt from the operation of the FOI Act.
Currently, certain exemptions within the FOI Act concerning personal information are conditional on a public interest test. This measure provides an unconditional exemption for information obtained under Part 4 of the CS Act. The exemptions mean that certain documents which may contain personal information cannot be released in relation to an FOI request, promoting the right to privacy for any individuals whose personal information has been supplied in accordance with Part 4 of the CS Act.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BB and 41BC is increasing cyber security incident reporting to ASD, mitigating the associated consequences and adverse harms caused by such incidents, and protecting national security.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable the communication of limited cyber security information by staff members of ASD, and the communication or use of limited cyber security information by an entity that is a corporation to which paragraph 51(xx) of the Constitution applies, Commonwealth body or State body, in order to facilitate the preparation and response to cyber security incidents and vulnerabilities by the relevant authority, agency, body or entity.
The disclosure in limited circumstances of personal information associated with limited cyber security information is connected to this legitimate objective.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be communicated or used are reasonable, necessary and proportionate given the narrow parameters of the permitted cyber security purposes.
In some circumstances it will be important to include personal information in communications about a cyber security incident as it may provide relevant context about the nature or gravity of the cyber incident. In other circumstances personal information may be so intermingled with other information that it would not be practicable to filter it out without losing relevant context. ASD will continue to apply appropriate practices to ensure that any personal information that is used, stored or disclosed is done in line with relevant standards, consistent with ASD policy reflecting Privacy Act requirements.
The new Division 1A does not apply to information if the information is about an entity, which includes an individual, which has been de-identified so that it is no longer about an identifiable entity or an entity that is reasonably identifiable.
Conclusion
The Bill is compatible with human rights as it promotes the protection of human rights and, to the extent it may limit those human rights, those limitations are reasonable, necessary and proportionate.