Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (33 of 2022)

Schedule 1   Amendments

Security of Critical Infrastructure Act 2018

58   After Part 2B

Insert:

Part 2C - Enhanced cyber security obligations

Division 1 - Simplified outline of this Part

30CA Simplified outline of this Part

• This Part sets out enhanced cyber security obligations that relate to systems of national significance.

• The responsible entity for a system of national significance may be subject to statutory incident response planning obligations.

• The responsible entity for a system of national significance may be required to undertake a cyber security exercise.

• The responsible entity for a system of national significance may be required to undertake a vulnerability assessment.

• If a computer is a system of national significance, or is needed to operate a system of national significance, a relevant entity for the system may be required to:

(a) give ASD periodic reports of system information; or

(b) give ASD event-based reports of system information; or

(c) install software that transmits system information to ASD.

Note: For a declaration of a system of national significance, see section 52B.

Division 2 - Statutory incident response planning obligations

Subdivision A - Application of statutory incident response planning obligations

30CB Application of statutory incident response planning obligations - determination by the Secretary

(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to:

(a) the system; and

(b) cyber security incidents.

(2) A determination under this section takes effect at the time specified in the determination.

(3) The specified time must not be earlier than the end of the 30-day period that began when the notice was given.

(4) In deciding whether to give a notice to an entity under this section in relation to a system of national significance, the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with Subdivision B; and

(b) the reasonableness and proportionality of applying the statutory incident response planning obligations to the entity in relation to:

(i) the system; and

(ii) cyber security incidents; and

(c) such other matters (if any) as the Secretary considers relevant.

(5) Before giving a notice to an entity under this section in relation to a system of national significance, the Secretary must consult:

(a) the entity; and

(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system - the relevant Commonwealth regulator.

(6) A determination under this section is not a legislative instrument.

30CC Revocation of determination

Scope

(1) This section applies if:

(a) a determination is in force under section 30CB; and

(b) notice of the determination was given to a particular entity.

Power to revoke determination

(2) The Secretary may, by written notice given to the entity, revoke the determination.

Application of the Acts Interpretation Act 1901

(3) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Division).

Subdivision B - Statutory incident response planning obligations

30CD Responsible entity must have an incident response plan

If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the statutory incident response planning obligations apply to the entity in relation to:

(i) the system; and

(ii) cyber security incidents;

the entity must:

(c) adopt; and

(d) maintain;

an incident response plan that applies to the entity in relation to:

(e) the system; and

(f) cyber security incidents.

Civil penalty: 200 penalty units.

30CE Compliance with incident response plan

If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the entity has adopted an incident response plan that applies to the entity;

the entity must comply with:

(c) the incident response plan; or

(d) if the plan has been varied on one or more occasions - the plan as varied.

Civil penalty: 200 penalty units.

30CF Review of incident response plan

If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the entity has adopted an incident response plan that applies to the entity;

the entity must review the plan on a regular basis.

Civil penalty: 200 penalty units.

30CG Update of incident response plan

If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the entity has adopted an incident response plan that applies to the entity;

the entity must take all reasonable steps to ensure that the plan is up to date.

Civil penalty: 200 penalty units.

30CH Copy of incident response plan must be given to the Secretary

(1) If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the entity adopts an incident response plan that applies to the entity;

the entity must:

(c) provide a copy of the incident response plan to the Secretary; and

(d) do so as soon as practicable after the adoption.

Civil penalty: 200 penalty units.

(2) If:

(a) an entity is the responsible entity for a system of national significance; and

(b) the entity varies an incident response plan that applies to the entity;

the entity must:

(c) provide a copy of the varied incident response plan to the Secretary; and

(d) do so as soon as practicable after the variation.

Civil penalty: 200 penalty units.

30CJ Incident response plan

(1) An incident response plan is a written plan:

(a) that applies to an entity that is the responsible entity for a system of national significance; and

(b) that relates to the system; and

(c) that relates to cyber security incidents; and

(d) the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system; and

(e) that complies with such requirements (if any) as are specified in the rules.

(2) Requirements specified under paragraph (1)(e):

(a) may be of general application; or

(b) may relate to one or more specified systems of national significance; or

(c) may relate to one or more specified types of cyber security incidents.

Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.

(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.

30CK Variation of incident response plan

An incident response plan may be varied, so long as the varied plan is an incident response plan.

30CL Revocation of adoption of incident response plan

If an entity has adopted an incident response plan that applies to the entity, this Division does not prevent the entity from:

(a) revoking that adoption; and

(b) adopting another incident response plan that applies to the entity.

Division 3 - Cyber security exercises

30CM Requirement to undertake cyber security exercise

(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

(a) undertake a cyber security exercise in relation to:

(i) the system; and

(ii) all types of cyber security incidents; and

(b) do so within the period specified in the notice.

(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

(a) undertake a cyber security exercise in relation to:

(i) the system; and

(ii) one or more specified types of cyber security incidents; and

(b) do so within the period specified in the notice.

(3) The period specified in a notice under subsection (1) or (2) must not be earlier than the end of the 30-day period that began when the notice was given.

(4) A notice under subsection (1) or (2) may also require the entity to do any or all of the following things:

(a) allow one or more specified designated officers to observe the cyber security exercise;

(b) provide those designated officers with access to premises for the purposes of observing the cyber security exercise;

(c) provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise;

(d) allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice;

(e) give those designated officers reasonable notice of the time when the cyber security exercise will begin.

(5) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with the notice; and

(b) the reasonableness and proportionality of the requirement in the notice; and

(c) such other matters (if any) as the Secretary considers relevant.

(6) Before giving a notice to an entity under subsection (1) or (2) in relation to a system of national significance, the Secretary must consult:

(a) the entity; and

(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system - the relevant Commonwealth regulator.

30CN Cyber security exercise

(1) A cyber security exercise is an exercise:

(a) that is undertaken by the responsible entity for a system of national significance; and

(b) that relates to the system; and

(c) that either:

(i) relates to all types of cyber security incidents; or

(ii) relates to one or more specified types of cyber security incidents; and

(d) if the exercise relates to all types of cyber security incidents - the purpose of which is to:

(i) test the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and

(ii) test the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and

(iii) test the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and

(e) if the exercise relates to one or more specified types of cyber security incidents - the purpose of which is to:

(i) test the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and

(ii) test the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and

(iii) test the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and

(f) that complies with such requirements (if any) as are specified in the rules.

(2) Requirements specified under paragraph (1)(f):

(a) may be of general application; or

(b) may relate to one or more specified systems of national significance; or

(c) may relate to one or more specified types of cyber security incidents.

Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.

(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.

30CP Compliance with requirement to undertake cyber security exercise

An entity must comply with a notice given to the entity under section 30CM.

Civil penalty: 200 penalty units.

30CQ Internal evaluation report

(1) If an entity undertakes a cyber security exercise under section 30CM, the entity must:

(a) do both of the following:

(i) prepare an evaluation report relating to the cyber security exercise;

(ii) give a copy of the report to the Secretary; and

(b) do so:

(i) within 30 days after the completion of the exercise; or

(ii) if the Secretary allows a longer period - within that longer period.

Civil penalty: 200 penalty units.

(2) An evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1) of this section or subsection 30CR(6)).

30CR External evaluation report

Scope

(1) This section applies if an entity has undertaken a cyber security exercise under section 30CM, and:

(a) all of the following conditions are satisfied:

(i) the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise;

(ii) the entity has given a copy of the report to the Secretary;

(iii) the Secretary has reasonable grounds to believe that the report was not prepared appropriately; or

(b) the entity has contravened section 30CQ.

Requirement

(2) The Secretary may, by written notice given to the entity, require the entity to:

(a) appoint an external auditor; and

(b) arrange for the external auditor to prepare an evaluation report (the new evaluation report) relating to the exercise; and

(c) arrange for the external auditor to give the new evaluation report to the entity; and

(d) give the Secretary a copy of the new evaluation report within:

(i) the period specified in the notice; or

(ii) if the Secretary allows a longer period - that longer period.

(3) The notice must specify:

(a) the matters to be covered by the new evaluation report; and

(b) the form of the new evaluation report and the kinds of details it is to contain.

Consultation

(4) Before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult:

(a) the entity; and

(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system - the relevant Commonwealth regulator.

Eligibility for appointment as an external auditor

(5) An individual is not eligible to be appointed as an external auditor by the entity if the individual is an officer, employee or agent of the entity.

Compliance

(6) An entity must comply with a requirement under subsection (2).

Civil penalty: 200 penalty units.

Immunity

(7) The new evaluation report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (6)).

30CS Meaning of evaluation report

An evaluation report, in relation to a cyber security exercise that was undertaken in relation to a system of national significance, is a written report:

(a) if the exercise relates to all types of cyber security incidents - the purpose of which is to:

(i) evaluate the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and

(ii) evaluate the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and

(iii) evaluate the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and

(b) if the exercise relates to one or more specified types of cyber security incidents - the purpose of which is to:

(i) evaluate the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and

(ii) evaluate the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and

(iii) evaluate the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and

(c) that complies with such requirements (if any) as are specified in the rules.

30CT External auditors

(1) The Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of this Act.

Note: For specification by class, see subsection 33(3AB) of the Acts Interpretation Act 1901.

(2) An authorisation under subsection (1) is not a legislative instrument.

Division 4 - Vulnerability assessments

30CU Requirement to undertake vulnerability assessment

(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:

(i) the system; and

(ii) all types of cyber security incidents; and

(b) do so within the period specified in the notice.

(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:

(i) the system; and

(ii) one or more specified types of cyber security incidents; and

(b) do so within the period specified in the notice.

(3) In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with the notice; and

(b) the reasonableness and proportionality of the requirement in the notice; and

(c) such other matters (if any) as the Secretary considers relevant.

(4) Before giving a notice to an entity under subsection (1) or (2) in relation to the system of national significance, the Secretary must consult:

(a) the entity; and

(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system - the relevant Commonwealth regulator.

30CV Compliance with requirement to undertake a vulnerability assessment

An entity must comply with a notice given to the entity under section 30CU.

Civil penalty: 200 penalty units.

30CW Designated officers may undertake a vulnerability assessment

Scope

(1) This section applies if:

(a) an entity is the responsible entity for a system of national significance; and

(b) either:

(i) the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice; or

(ii) the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2).

Request

(2) The Secretary may give a designated officer a written request to:

(a) undertake a vulnerability assessment in relation to:

(i) the system; and

(ii) all types of cyber security incidents; and

(b) do so within the period specified in the request.

(3) The Secretary may give a designated officer a written request to:

(a) undertake a vulnerability assessment in relation to:

(i) the system; and

(ii) one or more specified types of cyber security incidents; and

(b) do so within the period specified in the request.

(4) Before giving a request under subsection (2) or (3) in relation to the system of national significance, the Secretary must consult:

(a) the entity; and

(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system - the relevant Commonwealth regulator.

Requirement

(5) If a request under subsection (2) or (3) is given to a designated officer, the Secretary may, by written notice given to the entity, require the entity to do any or all of the following things:

(a) provide the designated officer with access to premises for the purposes of undertaking the vulnerability assessment;

(b) provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment;

(c) provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment.

Notification of request

(6) If a request under subsection (2) or (3) is given to a designated officer, the Secretary must give a copy of the request to the entity.

30CX Compliance with requirement to provide reasonable assistance etc.

An entity must comply with a notice given to the entity under subsection 30CW(5).

Civil penalty: 200 penalty units.

30CY Vulnerability assessment

(1) A vulnerability assessment is an assessment:

(a) that relates to a system of national significance; and

(b) that either:

(i) relates to all types of cyber security incidents; or

(ii) relates to one or more specified types of cyber security incidents; and

(c) if the assessment relates to all types of cyber security incidents - the purpose of which is to test the vulnerability of the system to all types of cyber security incidents; and

(d) if the assessment relates to one or more specified types of cyber security incidents - the purpose of which is to test the vulnerability of the system to those types of cyber security incidents; and

(e) that complies with such requirements (if any) as are specified in the rules.

(2) Requirements specified under paragraph (1)(e):

(a) may be of general application; or

(b) may relate to one or more specified systems of national significance; or

(c) may relate to one or more specified types of cyber security incidents.

Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.

(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.

30CZ Vulnerability assessment report

(1) If an entity undertakes, or causes to be undertaken, a vulnerability assessment under section 30CU, the entity must:

(a) do both of the following:

(i) prepare, or cause to be prepared, a vulnerability assessment report relating to the assessment;

(ii) give a copy of the report to the Secretary; and

(b) do so:

(i) within 30 days after the completion of the assessment; or

(ii) if the Secretary allows a longer period - within that longer period.

Civil penalty: 200 penalty units.

(2) If a designated officer undertakes a vulnerability assessment in accordance with a request given to the designated officer under section 30CW, the designated officer must:

(a) do both of the following:

(i) prepare a vulnerability assessment report relating to the assessment;

(ii) give a copy of the report to the Secretary; and

(b) do so:

(i) within 30 days after the completion of the assessment; or

(ii) if the Secretary allows a longer period - within that longer period.

(3) If an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1)).

30DA Meaning of vulnerability assessment report

A vulnerability assessment report, in relation to a vulnerability assessment that was undertaken in relation to a system of national significance, is a written report:

(a) if the assessment relates to all types of cyber security incidents - the purpose of which is to assess the vulnerability of the system to all types of cyber security incidents; and

(b) if the assessment relates to one or more specified types of cyber security incidents - the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents; and

(c) that complies with such requirements (if any) as are specified in the rules.

Division 5 - Access to system information

Subdivision A - System information reporting notices

30DB Secretary may require periodic reporting of system information

Scope

(1) This section applies if:

(a) a computer:

(i) is needed to operate a system of national significance; or

(ii) is a system of national significance; and

(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that:

(i) relates to the operation of the computer; and

(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and

(iii) is not personal information (within the meaning of the Privacy Act 1988).

Requirement

(2) The Secretary may, by written notice given to the entity, require the entity to:

(a) prepare periodic reports that:

(i) consist of any such information; and

(ii) relate to such regular intervals as are specified in the notice; and

(b) prepare those periodic reports:

(i) in the manner and form specified in the notice; and

(ii) in accordance with the information technology requirements specified in the notice; and

(c) give each of those periodic reports to ASD within the period ascertained in accordance with the notice in relation to the periodic report concerned.

(3) A notice under subsection (2) is to be known as a system information periodic reporting notice.

(4) In deciding whether to give a system information periodic reporting notice to the entity, the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with the notice; and

(b) the reasonableness and proportionality of the requirements in the notice; and

(c) such other matters (if any) as the Secretary considers relevant.

Matters to be set out in notice

(5) A system information periodic reporting notice must set out the effect of section 30DF.

Other powers not limited

(6) This section does not, by implication, limit a power conferred by another provision of this Act.

30DC Secretary may require event-based reporting of system information

Scope

(1) This section applies if:

(a) a computer:

(i) is needed to operate a system of national significance; or

(ii) is a system of national significance; and

(b) the Secretary believes on reasonable grounds that, each time a particular kind of event occurs, a relevant entity for the system of national significance will be technically capable of preparing a report consisting of information that:

(i) relates to the operation of the computer; and

(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and

(iii) is not personal information (within the meaning of the Privacy Act 1988).

Requirement

(2) The Secretary may, by written notice given to the entity, require the entity to do the following things each time an event of that kind occurs:

(a) prepare a report that consists of any such information;

(b) prepare that report:

(i) in the manner and form specified in the notice; and

(ii) in accordance with the information technology requirements specified in the notice;

(c) give that report to ASD as soon as practicable after the event occurs.

(3) A notice under subsection (2) is to be known as a system information event-based reporting notice.

(4) In deciding whether to give a system information event-based reporting notice to the entity, the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with the notice; and

(b) the reasonableness and proportionality of the requirements in the notice; and

(c) such other matters (if any) as the Secretary considers relevant.

Matters to be set out in notice

(5) A system information event-based reporting notice must set out the effect of section 30DF.

Other powers not limited

(6) This section does not, by implication, limit a power conferred by another provision of this Act.

30DD Consultation

Before giving:

(a) a system information periodic reporting notice; or

(b) a system information event-based reporting notice;

to a relevant entity for a system of national significance, the Secretary must consult:

(c) the relevant entity; and

(d) if the relevant entity is not the responsible entity for the system of national significance - the responsible entity for the system of national significance.

30DE Duration of system information periodic reporting notice or system information event-based reporting notice

(1) A system information periodic reporting notice or a system information event-based reporting notice:

(a) comes into force:

(i) when it is given; or

(ii) if a later time is specified in the notice - at that later time; and

(b) remains in force for the period specified in the notice.

(2) The period specified in the notice must not be longer than 12 months.

(3) If a system information periodic reporting notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information periodic reporting notice that:

(a) is in the same, or substantially the same, terms as the original notice; and

(b) comes into force immediately after the expiry of the original notice.

(4) If a system information event-based reporting notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information event-based reporting notice that:

(a) is in the same, or substantially the same, terms as the original notice; and

(b) comes into force immediately after the expiry of the original notice.

30DF Compliance with system information periodic reporting notice or system information event-based reporting notice

An entity must comply with:

(a) a system information periodic reporting notice; or

(b) a system information event-based reporting notice;

to the extent that the entity is capable of doing so.

Civil penalty: 200 penalty units.

30DG Self-incrimination etc.

(1) An entity is not excused from giving a report under section 30DB or 30DC on the ground that the report might tend to incriminate the entity.

(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to giving a report under section 30DB or 30DC, the individual is not excused from giving a report under that section on that ground.

Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.

30DH Admissibility of report etc.

If a report is given under section 30DB or 30DC:

(a) the report; or

(b) giving the report;

is not admissible in evidence against an entity:

(c) in criminal proceedings other than proceedings for an offence against section 137.2 of the Criminal Code that relates to this Act; or

(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DF.

Subdivision B - System information software

30DJ Secretary may require installation of system information software

Scope

(1) This section applies if:

(a) a computer:

(i) is needed to operate a system of national significance; or

(ii) is a system of national significance; and

(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance would not be technically capable of preparing reports under section 30DB or 30DC consisting of information that:

(i) relates to the operation of the computer; and

(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and

(iii) is not personal information (within the meaning of the Privacy Act 1988).

Requirement

(2) The Secretary may, by written notice given to the entity, require the entity to:

(a) both:

(i) install a specified computer program on the computer; and

(ii) do so within the period specified in the notice; and

(b) maintain the computer program installed in accordance with paragraph (a); and

(c) take all reasonable steps to ensure that the computer is continuously supplied with an internet carriage service that enables the computer program to function.

(3) A notice under subsection (2) is to be known as a system information software notice.

(4) In deciding whether to give a system information software notice to the entity, the Secretary must have regard to:

(a) the costs that are likely to be incurred by the entity in complying with the notice; and

(b) the reasonableness and proportionality of the requirements in the notice; and

(c) such other matters (if any) as the Secretary considers relevant.

(5) A computer program may only be specified in a system information software notice if the purpose of the computer program is to:

(a) collect and record information that:

(i) relates to the operation of the computer; and

(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and

(iii) is not personal information (within the meaning of the Privacy Act 1988); and

(b) cause the information to be transmitted electronically to ASD.

Matters to be set out in notice

(6) A system information software notice must set out the effect of section 30DM.

Other powers not limited

(7) This section does not, by implication, limit a power conferred by another provision of this Act.

30DK Consultation

Before giving a system information software notice to a relevant entity for a system of national significance, the Secretary must consult:

(a) the relevant entity; and

(b) if the relevant entity is not the responsible entity for the system of national significance - the responsible entity for the system of national significance.

30DL Duration of system information software notice

(1) A system information software notice:

(a) comes into force:

(i) when it is given; or

(ii) if a later time is specified in the notice - at that later time; and

(b) remains in force for the period specified in the notice.

(2) The period specified in the notice must not be longer than 12 months.

(3) If a system information software notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information software notice that:

(a) is in the same, or substantially the same, terms as the original notice; and

(b) comes into force immediately after the expiry of the original notice.

30DM Compliance with system information software notice

An entity must comply with a system information software notice to the extent that the entity is capable of doing so.

Civil penalty: 200 penalty units.

30DN Self-incrimination etc.

(1) An entity is not excused from complying with a system information software notice on the ground that complying with the notice might tend to incriminate the entity.

(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to complying with a system information software notice, the individual is not excused from complying with the notice on that ground.

Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.

30DP Admissibility of information etc.

If:

(a) a computer program is installed in compliance with a system information software notice; and

(b) information is transmitted to ASD as a result of the operation of the computer program;

the information is not admissible in evidence against an entity:

(c) in criminal proceedings; or

(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DM.

Division 6 - Designated officers

30DQ Designated officer

(1) A designated officer is an individual appointed by the Secretary, in writing, to be a designated officer for the purposes of this Act.

(2) The Secretary must not appoint an individual under subsection (1) unless:

(a) the individual is a Departmental employee; or

(b) both:

(i) the individual is a staff member of ASD; and

(ii) the Director-General of ASD has agreed to the appointment.

(3) The Secretary may, in writing, declare that each Departmental employee included in a specified class of Departmental employees is a designated officer.

(4) The Secretary may, in writing, declare that each staff member of ASD included in a specified class of staff members of ASD is a designated officer.

(5) The Secretary must not make a declaration under subsection (4) unless the Director-General of ASD has agreed to the declaration.

(6) For the purposes of this section, Departmental employee means an APS employee in the Department.

(7) For the purposes of this section, staff member of ASD has the same meaning as in the Intelligence Services Act 2001.

(8) A declaration under this section is not a legislative instrument.