Federal Register of Legislation - Australian Government

Primary content

Security of Critical Infrastructure Act 2018

Authoritative Version
Act No. 29 of 2018 as made
An Act to create a framework for managing critical infrastructure, and for related purposes
Administered by: Home Affairs
Originating Bill: Security of Critical Infrastructure Bill 2017
Registered 13 Apr 2018
Date of Assent 11 Apr 2018

Commonwealth Coat of Arms of Australia

 

 

 

 

 

 

Security of Critical Infrastructure Act 2018

 

No. 29, 2018

 

 

 

 

 

An Act to create a framework for managing critical infrastructure, and for related purposes

  

  

  


Contents

Part 1—Preliminary                                                                                                             2

Division 1—Preliminary                                                                                              2

1............ Short title............................................................................................. 2

2............ Commencement................................................................................... 2

3............ Object.................................................................................................. 2

4............ Simplified outline of this Act.............................................................. 3

Division 2—Definitions                                                                                                5

5............ Definitions.......................................................................................... 5

6............ Meaning of interest and control information.................................... 10

7............ Meaning of operational information................................................. 12

8............ Meaning of direct interest holder...................................................... 12

8A......... Meaning of influence or control........................................................ 14

8B......... Meaning of associate........................................................................ 15

8C......... Meanings of subsidiary and holding entity....................................... 16

9............ Meaning of critical infrastructure asset............................................ 16

10.......... Meaning of critical electricity asset................................................... 18

11.......... Meaning of critical port.................................................................... 18

12.......... Meaning of critical gas asset............................................................ 19

Division 3—Constitutional provisions and application of this Act     21

13.......... Application of this Act...................................................................... 21

14.......... Extraterritoriality............................................................................... 21

15.......... This Act binds the Crown................................................................. 21

16.......... Concurrent operation of State and Territory laws.............................. 22

17.......... State constitutional powers................................................................ 22

Part 2—Register of Critical Infrastructure Assets                                          23

Division 1—Simplified outline of this Part                                                       23

18.......... Simplified outline of this Part............................................................ 23

Division 2—Register of Critical Infrastructure Assets                            24

19.......... Secretary must keep Register............................................................ 24

20.......... Secretary may add information to Register........................................ 24

21.......... Secretary may correct or update information in the Register............. 24

22.......... Register not to be made public.......................................................... 24

Division 3—Obligation to give information and notify of events        25

23.......... Initial obligation to give information................................................. 25

24.......... Ongoing obligation to give information and notify of events............ 25

25.......... Information that is not able to be obtained......................................... 28

26.......... Meaning of notifiable event............................................................... 28

27.......... Rules may exempt from requirement to give notice or information... 28

Division 4—Giving of notice or information by agents etc.                   30

28.......... Requirement for executors and administrators to give notice or information for individuals who die      30

29.......... Requirement for corporate liquidators etc. to give notice or information  30

30.......... Agents may give notice or information............................................. 30

Part 3—Directions by the Minister                                                                            31

Division 1—Simplified outline of this Part                                                       31

31.......... Simplified outline of this Part............................................................ 31

Division 2—Directions by the Minister                                                             32

32.......... Direction if risk of act or omission that would be prejudicial to security  32

33.......... Consultation before giving direction................................................. 33

34.......... Requirement to comply with direction............................................... 34

35.......... Exception—acquisition of property................................................... 34

Part 4—Gathering and using information                                                           35

Division 1—Simplified outline of this Part                                                       35

36.......... Simplified outline of this Part............................................................ 35

Division 2—Secretary’s power to obtain information or documents 36

37.......... Secretary may obtain information or documents from entities........... 36

38.......... Copies of documents......................................................................... 37

39.......... Retention of documents..................................................................... 37

40.......... Self‑incrimination.............................................................................. 38

Division 3—Use and disclosure of protected information                       39

Subdivision A—Authorised use and disclosure                                                 39

41.......... Authorised use and disclosure—performing functions etc................ 39

42.......... Authorised use and disclosure—other person’s functions etc........... 39

43.......... Authorised disclosure relating to law enforcement............................ 40

44.......... Secondary use and disclosure of protected information.................... 40

Subdivision B—Offence for unauthorised use or disclosure                        41

45.......... Offence for unauthorised use or disclosure of protected information 41

46.......... Exceptions to offence for unauthorised use or disclosure................. 41

47.......... No requirement to provide information............................................. 42

Part 5—Enforcement                                                                                                         43

Division 1—Simplified outline of this Part                                                       43

48.......... Simplified outline of this Part............................................................ 43

Division 2—Civil penalties, enforceable undertakings and injunctions 44

49.......... Civil penalties, enforceable undertakings and injunctions................. 44

Part 6—Declaration of assets by the Minister                                                    46

Division 1—Simplified outline of this Part                                                       46

50.......... Simplified outline of this Part............................................................ 46

Division 2—Declaration of assets by the Minister                                      47

51.......... Declaration of assets by the Minister................................................ 47

52.......... Notification of change to reporting entities for asset......................... 48

Part 7—Miscellaneous                                                                                                       49

Division 1—Simplified outline of this Part                                                       49

53.......... Simplified outline of this Part............................................................ 49

Division 2—Treatment of certain entities                                                        50

53A....... How certain entities hold interests..................................................... 50

54.......... Treatment of partnerships.................................................................. 50

55.......... Treatment of trusts and superannuation funds that are trusts............. 51

56.......... Treatment of unincorporated foreign companies............................... 52

Division 3—Matters relating to Secretary’s powers                                 53

57.......... Additional power of Secretary.......................................................... 53

58.......... Assets ceasing to be critical infrastructure assets.............................. 53

59.......... Delegation of Secretary’s powers..................................................... 53

Division 4—Periodic reports, reviews and rules                                          54

60.......... Periodic report................................................................................... 54

60A....... Review of this Act............................................................................ 54

61.......... Rules................................................................................................. 55

 


Commonwealth Coat of Arms of Australia

 

 

Security of Critical Infrastructure Act 2018

No. 29, 2018

 

 

 

An Act to create a framework for managing critical infrastructure, and for related purposes

[Assented to 11 April 2018]

The Parliament of Australia enacts:

Part 1Preliminary

Division 1Preliminary

1  Short title

                   This Act is the Security of Critical Infrastructure Act 2018.

2  Commencement

             (1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

Column 1

Column 2

Column 3

Provisions

Commencement

Date/Details

1.  The whole of this Act

A single day to be fixed by Proclamation.

However, if the provisions do not commence within the period of 3 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.

11 July 2018

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

             (2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3  Object

                   The object of this Act is to provide a framework for managing risks to national security relating to critical infrastructure, including by:

                     (a)  improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those risks; and

                     (b)  facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those risks.

4  Simplified outline of this Act

This Act creates a framework for managing risks to national security relating to critical infrastructure.

The framework consists of the following:

       (a)     the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public);

      (b)     requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset;

       (c)     allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security;

      (d)     allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents;

       (e)     allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

Certain information obtained under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information.

Civil penalty provisions of this Act may be enforced using civil penalty orders or injunctions, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain other provisions of this Act may be enforced by imposing a criminal penalty.

The Minister may privately declare a particular asset to be a critical infrastructure asset so that this Act applies to it. A private declaration can only be made if there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.

The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act.

Division 2Definitions

5  Definitions

                   In this Act:

ABN has the same meaning as in the A New Tax System (Australian Business Number) Act 1999.

acquisition of property has the same meaning as in paragraph 51(xxxi) of the Constitution.

adverse security assessment has the same meaning as in Part IV of the Australian Security Intelligence Organisation Act 1979.

appointed officer, for an unincorporated foreign company, means:

                     (a)  the secretary of the company; or

                     (b)  an officer of the company appointed to hold property on behalf of the company.

approved form means a form approved by the Secretary.

associate has the meaning given by section 8B.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

commencing day means the day this Act commences.

corporate entity means an entity other than an individual.

critical electricity asset has the meaning given by section 10.

critical gas asset has the meaning given by section 12.

critical infrastructure asset has the meaning given by section 9.

critical port has the meaning given by section 11.

critical water asset means one or more water or sewerage systems or networks that:

                     (a)  are managed by a single water utility; and

                     (b)  ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections.

Note:          The rules may prescribe that a specified critical water asset is not a critical infrastructure asset (see section 9).

direct interest holder, in relation to an asset, has the meaning given by section 8.

entity means any of the following:

                     (a)  an individual, whether or not resident in Australia or an Australian citizen;

                     (b)  a body corporate, whether or not formed, or carrying on business, in Australia;

                     (c)  a body politic, whether or not an Australian body politic;

                     (d)  a partnership, whether or not formed in Australia;

                     (e)  a trust, whether or not created in Australia;

                      (f)  a superannuation fund, whether or not created in Australia;

                     (g)  an unincorporated foreign company.

Note:          See Division 2 of Part 7 for how this Act applies to partnerships, trusts, superannuation funds and unincorporated foreign companies.

First Minister means the Premier of a State, or the Chief Minister of the Australian Capital Territory or the Northern Territory.

grace period, for an asset, means:

                     (a)  for an asset that is, or will be, a critical infrastructure asset at the end of the period of 6 months starting on the commencing day—that 6 month period; or

                     (b)  for an asset that becomes a critical infrastructure asset after the end of the period mentioned in paragraph (a)—the period of 6 months starting on the day the asset becomes a critical infrastructure asset.

holding entity has the meaning given by subsection 8C(2).

influence or control has a meaning affected by section 8A.

interest in an asset means a legal or equitable interest in the asset.

interest and control information, in relation to an entity and an asset, has the meaning given by section 6.

international relations means political, military and economic relations with foreign governments and international organisations.

moneylending agreement has the meaning given by subsection 8(3).

national security means Australia’s defence, security or international relations.

notifiable event has the meaning given by section 26.

operational information, in relation to an asset, has the meaning given by section 7.

operator, of an asset, means:

                     (a)  for a critical port—a port facility operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of a port facility within the port; or

                     (b)  for a critical infrastructure asset other than a critical port—an entity that is authorised (however described) to operate the asset or part of the asset.

Note:          For some assets, an operator of the asset is also the responsible entity for the asset.

port facility has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003.

protected information means a document or information that:

                     (a)  is obtained by a person in the course of exercising powers, or performing duties or functions, under this Act; or

                     (b)  records or is the fact that an asset is declared under section 51 to be a critical infrastructure asset; or

                     (c)  was a document or information to which paragraph (a) or (b) applied and is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 46.

Register means the Register of Critical Infrastructure Assets kept by the Secretary under section 19.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

relevant industry, for an asset, is whichever of the following industries the asset relates to:

                     (a)  electricity;

                     (b)  water;

                     (c)  ports;

                     (d)  gas;

                     (e)  an industry prescribed by the rules for the purposes of this paragraph.

reporting entity, for an asset, means either of the following:

                     (a)  the responsible entity for the asset;

                     (b)  a direct interest holder in relation to the asset.

Note:          An entity may be both the responsible entity for an asset and a direct interest holder in relation to the asset.

responsible entity, for an asset, means:

                     (a)  for a critical electricity asset or a critical gas asset—the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or

                     (b)  for a critical water asset—the water utility that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the asset; or

                     (c)  for a critical port—the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port; or

                     (d)  for an asset declared under section 51 to be a critical infrastructure asset—the entity specified in the declaration as the responsible entity for the asset (see subsection 51(2)); or

                     (e)  for an asset prescribed by the rules for the purposes of paragraph 9(1)(f)—the entity specified by the rules for the asset.

rules means the rules made by the Minister under section 61.

Secretary means the Secretary of the Department.

security (other than in references to national security):

                     (a)  other than in sections 10 and 12—has the same meaning as in the Australian Security Intelligence Organisation Act 1979; and

                     (b)  in sections 10 and 12—has its ordinary meaning.

security regulated port has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003.

Note:          Security regulated ports are declared under section 13 of the Maritime Transport and Offshore Facilities Security Act 2003.

senior officer of a corporate entity means:

                     (a)  for a body corporate—a director of the body corporate; or

                     (b)  for a unit trust:

                              (i)  the trustee of which is an individual—the trustee; and

                             (ii)  the trustee of which is a body corporate—a director of the trustee; and

                            (iii)  in any case—any other individual involved in the central management and control of the trust; or

                     (c)  an individual who is, or an individual in a group of individuals who are, in a position to determine the investments or policy of the entity or a trustee of the entity; or

                     (d)  an individual who makes, or participates in making, decisions that affect the whole, or a substantial part of, the business of the entity; or

                     (e)  an individual who has the capacity to affect significantly the financial standing of the entity.

subsidiary has the meaning given by subsection 8C(1).

superannuation fund has the meaning given by section 10 of the Superannuation Industry (Supervision) Act 1993.

this Act includes the rules.

unincorporated foreign company means a body covered by paragraph (b) of the definition of foreign company in section 9 of the Corporations Act 2001.

water utility means an entity that holds a licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide water services.

6  Meaning of interest and control information

             (1)  The following information is interest and control information in relation to an entity (the first entity) and an asset (subject to subsection (3)):

                     (a)  the name of the first entity;

                     (b)  if applicable, the ABN of the first entity, or other similar business number (however described) if the first entity was incorporated, formed or created (however described) outside Australia;

                     (c)  for an entity other than an individual:

                              (i)  the address of the first entity’s head office or principal place of business; and

                             (ii)  the country in which the first entity was incorporated, formed or created (however described);

                     (d)  for an entity that is an individual:

                              (i)  the residential address of the first entity; and

                             (ii)  the country in which the first entity usually resides; and

                            (iii)  the country or countries of which the first entity is a citizen;

                     (e)  the type and level of the interest the first entity holds in the asset;

                      (f)  information about the influence or control the first entity is in a position to directly or indirectly exercise in relation to the asset;

                     (g)  information about the ability of a person, who has been appointed by the first entity to the body that governs the asset, to directly access networks or systems that are necessary for the operation or control of the asset;

                     (h)  the name of each other entity that is in a position to directly or indirectly influence or control:

                              (i)  the first entity; or

                             (ii)  any entity covered by a previous application of this paragraph;

                   (ha)  in relation to each entity (the higher entity) covered by paragraph (h):

                              (i)  the information in paragraphs (b) to (d), and (e) if appropriate, as if a reference in those paragraphs to the first entity were a reference to the higher entity; and

                             (ii)  information about the influence or control the higher entity is in a position to directly or indirectly exercise in relation to the first entity or any entity covered by paragraph (h);

                      (i)  information prescribed by the rules for the purposes of this paragraph.

Note 1:       For example, if Holding Entity 1 holds a 10% interest in the first entity, and Holding Entity 2 holds a 10% interest in Holding Entity 1, the information mentioned in paragraphs (1)(h) and (ha) relating to those holding entities, would be given to the Secretary.

Note 2:       For the definition of influence or control, see section 8A.

Note 3:       For interests held by trusts, partnerships, superannuation funds and unincorporated foreign companies, see section 53A.

             (2)  Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).

Interest and control information provided by States and Territories

             (3)  If the first entity is a Governor, First Minister, Administrator or Minister of a State or Territory who is a direct interest holder in relation to an asset because of paragraph 8(1)(b), the first entity is not required to provide any interest and control information.

             (4)  However, subsection (3) does not affect the obligation of the State or Territory to provide interest and control information in relation to the asset if the State or Territory is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b).

7  Meaning of operational information

             (1)  The following information is operational information in relation to an asset:

                     (a)  the location of the asset;

                     (b)  a description of the area the asset services;

                     (c)  the following information about each entity that is the responsible entity for, or an operator of, the asset:

                              (i)  the name of the entity;

                             (ii)  if applicable, the ABN of the entity, or other similar business number (however described) if the entity was incorporated, formed or created (however described) outside Australia;

                            (iii)  the address of the entity’s head office or principal place of business;

                            (iv)  the country in which the entity was incorporated, formed or created (however described);

                     (d)  the following information about the chief executive officer (however described) of the responsible entity for the asset:

                              (i)  the full name of the officer;

                             (ii)  the country or countries of which the officer is a citizen;

                     (e)  a description of the arrangements under which each operator operates the asset or a part of the asset;

                      (f)  a description of the arrangements under which data prescribed by the rules relating to the asset is maintained;

                     (g)  information prescribed by the rules for the purposes of this paragraph.

Note:          For paragraph (e), this would include if the control system of the asset is managed by a separate body.

             (2)  Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).

8  Meaning of direct interest holder

             (1)  An entity is a direct interest holder in relation to an asset if the entity:

                     (a)  together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or

                     (b)  holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

Note:          For interests held by trusts, partnerships, superannuation funds and unincorporated foreign companies, see section 53A.

Exemption for moneylenders

             (2)  Subsection (1) does not apply to an interest in an asset held by an entity if:

                     (a)  the entity holds the interest in the asset:

                              (i)  solely by way of security for the purposes of a moneylending agreement; or

                             (ii)  solely as a result of enforcing a security for the purposes of a moneylending agreement; and

                     (b)  the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset; and

                     (c)  if the entity is holding the interest solely by way of security—enforcing the security would not put the entity in a position to directly or indirectly influence or control the asset.

             (3)  A moneylending agreement is:

                     (a)  an agreement entered into in good faith, on ordinary commercial terms and in the ordinary course of carrying on a business (a moneylending business) of lending money or otherwise providing financial accommodation, except an agreement dealing with any matter unrelated to the carrying on of that business; or

                     (b)  if the entity:

                              (i)  is carrying on a moneylending business; or

                             (ii)  is a subsidiary or holding entity of a corporate entity that is carrying on a moneylending business;

                            an agreement to acquire an interest arising from a moneylending agreement (within the meaning of paragraph (a)).

8A  Meaning of influence or control

             (1)  An entity is in a position to directly or indirectly influence or control an asset if:

                     (a)  the entity is in a position to exercise voting or veto rights in relation to the body that governs the asset; or

                     (b)  the entity is in a position to make decisions that materially impact on the running of, or strategic direction in relation to, the asset; or

                     (c)  the entity has the ability to appoint:

                              (i)  persons to the body that governs the asset; or

                             (ii)  key personnel involved in running the asset; or

                     (d)  the entity is in a position to influence or determine decisions relating to:

                              (i)  the business plan, or any other management plan, for the asset; or

                             (ii)  major expenditure relating to the asset; or

                            (iii)  major contracts or transactions involving the asset; or

                            (iv)  major loans involving the asset.

Note:          For interests held by trusts, partnerships, superannuation funds and unincorporated foreign companies, see section 53A.

             (2)  An entity (the controlling entity) is in a position to directly or indirectly influence or control another entity (the controlled entity) if the controlling entity:

                     (a)  is in a position to exercise voting or veto rights in relation to the controlled entity; or

                     (b)  is in a position to make decisions that materially impact on the running of, or strategic direction of, the controlled entity; or

                     (c)  has the ability to appoint persons to the board of the controlled entity; or

                     (d)  is in a position to influence or determine decisions relating to:

                              (i)  the business plan, or any other management plan, for the controlled entity; or

                             (ii)  major expenditure relating to the controlled entity; or

                            (iii)  major contracts or transactions involving the controlled entity; or

                            (iv)  major loans involving the controlled entity; or

                     (e)  together with any associates of the controlling entity, holds an interest of at least 10% in the controlled entity (including if any of the interests are held jointly with one or more other entities).

             (3)  This section does not limit when an entity is in a position to directly or indirectly influence or control an asset or other entity.

8B  Meaning of associate

                   Each of the following persons is an associate of a person:

                     (a)  any relative of the person;

                     (b)  any person with whom the person is acting, or proposes to act, in concert in relation to an asset;

                     (c)  any person with whom the person carries on a business in partnership;

                     (d)  any corporate entity of which the person is a senior officer;

                     (e)  if the person is a corporate entity:

                              (i)  any holding entity of the corporate entity; or

                             (ii)  any senior officer of the corporate entity;

                      (f)  any corporate entity whose senior officers are accustomed or under an obligation (whether formal or informal) to act in accordance with the directions, instructions or wishes of:

                              (i)  the person; or

                             (ii)  if the person is a corporate entity—the senior officers of the person;

                     (g)  a corporate entity if the person is accustomed or under an obligation (whether formal or informal) to act in accordance with the directions, instructions or wishes of:

                              (i)  the corporate entity; or

                             (ii)  the senior officers of the corporate entity;

                     (h)  any body corporate in which the person holds an interest;

                      (i)  if the person is a body corporate—a person who holds an interest in the body corporate;

                      (j)  the trustee of a trust in which the person holds an interest;

                     (k)  if the person is the trustee of a trust—a person who holds an interest in the trust;

                      (l)  any other person or body prescribed by the rules.

8C  Meanings of subsidiary and holding entity

Meaning of subsidiary

             (1)  A corporate entity (the lower entity) is a subsidiary of another corporate entity (the higher entity) if:

                     (a)  the higher entity:

                              (i)  is in a position to control more than half the voting power in the lower entity; or

                             (ii)  holds more than half the issued securities in the lower entity (disregarding any securities that carry no right to participate beyond a specified amount in a distribution of either profits or capital); or

                     (b)  the lower entity is a subsidiary of a corporate entity that is the higher entity’s subsidiary (including because of one or more applications of this subsection).

Meaning of holding entity

             (2)  A corporate entity (the higher entity) is a holding entity of another corporate entity (the lower entity) if the lower entity is a subsidiary of the higher entity.

9  Meaning of critical infrastructure asset

             (1)  An asset is a critical infrastructure asset if it is:

                     (a)  a critical electricity asset; or

                     (b)  a critical port; or

                     (c)  a critical water asset; or

                     (d)  a critical gas asset; or

                     (e)  an asset declared under section 51 to be a critical infrastructure asset; or

                      (f)  an asset prescribed by the rules for the purposes of this paragraph.

             (2)  However, the rules may prescribe that a specified:

                     (a)  critical electricity asset; or

                     (b)  critical port; or

                     (c)  critical water asset; or

                     (d)  critical gas asset;

is not a critical infrastructure asset.

Prescribing an asset as a critical infrastructure asset

             (3)  The Minister must not prescribe an asset for the purposes of paragraph (1)(f) unless the Minister is satisfied that:

                     (a)  the asset is critical to:

                              (i)  the social or economic stability of Australia or its people; or

                             (ii)  the defence of Australia; or

                            (iii)  national security; and

                     (b)  there is a risk, in relation to the asset, that may be prejudicial to security.

Consultation with State and Territory Ministers

             (4)  The Minister (the Commonwealth Minister) also must not prescribe the asset unless the Commonwealth Minister has:

                     (a)  consulted the following persons (the consulted Minister):

                              (i)  the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the critical infrastructure asset is located;

                             (ii)  each Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant industry for the asset in that State or Territory; and

                     (b)  given each consulted Minister written notice of the proposal to prescribe the asset; and

                     (c)  had regard to any representations given by a consulted Minister under subsection (5) within the period specified for that purpose.

             (5)  The notice must invite each consulted Minister to make written representations to the Commonwealth Minister in relation to the proposal to prescribe the asset within the period specified in the notice, which must be:

                     (a)  at least 28 days after the notice is given; or

                     (b)  a shorter period if the Commonwealth Minister considers the shorter period is necessary because of urgent circumstances.

             (6)  Subsection (4) does not limit the persons with whom the Commonwealth Minister may consult.

10  Meaning of critical electricity asset

             (1)  An asset is a critical electricity asset if it is:

                     (a)  a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers; or

                     (b)  an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2).

Note:          The rules may prescribe that a specified critical electricity asset is not a critical infrastructure asset (see section 9).

             (2)  For the purposes of paragraph (1)(b), the rules may prescribe requirements for an electricity generation station to be critical to ensuring the security and reliability of electricity networks or electricity systems in a particular State or Territory.

11  Meaning of critical port

                   An asset is a critical port if it is land that forms part of any of the following security regulated ports:

                     (a)  Broome Port;

                     (b)  Port Adelaide;

                     (c)  Port of Brisbane;

                     (d)  Port of Cairns;

                     (e)  Port of Christmas Island;

                      (f)  Port of Dampier;

                     (g)  Port of Darwin;

                     (h)  Port of Eden;

                      (i)  Port of Fremantle;

                      (j)  Port of Geelong;

                     (k)  Port of Gladstone;

                      (l)  Port of Hay Point;

                    (m)  Port of Hobart;

                     (n)  Port of Melbourne;

                     (o)  Port of Newcastle;

                     (p)  Port of Port Botany;

                     (q)  Port of Port Hedland;

                      (r)  Port of Rockhampton;

                      (s)  Port of Sydney Harbour;

                      (t)  Port of Townsville;

                     (u)  a security regulated port prescribed by the rules for the purposes of this paragraph.

Note:          The rules may prescribe that a specified critical port is not a critical infrastructure asset (see section 9).

12  Meaning of critical gas asset

             (1)  An asset is a critical gas asset if it is any of the following:

                     (a)  a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules;

                     (b)  a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules;

                     (c)  a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules;

                     (d)  a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with subsection (2).

Note:          The rules may prescribe that a specified critical gas asset is not a critical infrastructure asset (see section 9).

             (2)  For the purposes of paragraph (1)(d), the rules may prescribe:

                     (a)  specified gas transmission pipelines that are critical to ensuring the security and reliability of a gas market; or

                     (b)  requirements for a gas transmission pipeline to be critical to ensuring the security and reliability of a gas market.

Division 3Constitutional provisions and application of this Act

13  Application of this Act

             (1)  This Act applies to the following:

                     (a)  an entity that is a corporation to which paragraph 51(xx) of the Constitution applies;

                     (b)  an entity that is a reporting entity for, or an operator of, an asset that is:

                              (i)  in a Territory; or

                             (ii)  used in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State; or

                            (iii)  used for the purposes of the defence of Australia;

                     (c)  an entity that is an alien (within the meaning of paragraph 51(xix) of the Constitution).

             (2)  Division 3 of Part 4 (use and disclosure of protected information) also applies to any other entity.

Note:          For the definition of entity, see section 5.

14  Extraterritoriality

                   This Act applies both within and outside Australia.

Note:          This Act extends to every external Territory.

15  This Act binds the Crown

             (1)  This Act binds the Crown in each of its capacities.

             (2)  This Act does not make the Crown liable to be prosecuted for an offence.

             (3)  The protection in subsection (2) does not apply to an authority of the Crown.

16  Concurrent operation of State and Territory laws

                   This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.

17  State constitutional powers

                   This Act does not enable a power to be exercised to the extent that it would impair the capacity of a State to exercise its constitutional powers.

Part 2Register of Critical Infrastructure Assets

Division 1Simplified outline of this Part

18  Simplified outline of this Part

The Secretary must keep a Register of Critical Infrastructure Assets, containing information in relation to those assets. The Register must not be made public.

The responsible entity for a critical infrastructure asset must give the Secretary operational information in relation to the asset.

An entity that is a direct interest holder in relation to a critical infrastructure asset must give the Secretary interest and control information in relation to the entity and the asset.

If particular events occur in relation to the asset, the relevant reporting entity for the asset must notify the Secretary of the event and provide certain information.

If an entity required to give notice or information dies or is wound up before doing so, the entity’s executor or liquidator must give the notice or information. An agent may give notice or information for an entity.

The rules may provide for exemptions from these requirements.

Division 2Register of Critical Infrastructure Assets

19  Secretary must keep Register

                   The Secretary must keep a Register of Critical Infrastructure Assets, containing:

                     (a)  the information obtained by the Secretary under Division 3 (obligation to give information and notify of events); and

                     (b)  any information added under section 20; and

                     (c)  any corrections or updates of information described in paragraph (a) or (b) that are made under section 21.

20  Secretary may add information to Register

                   The Secretary may add to the Register any of the following that is obtained by the Secretary (other than information obtained under Division 3):

                     (a)  operational information in relation to a critical infrastructure asset;

                     (b)  interest and control information in relation to a direct interest holder and a critical infrastructure asset.

21  Secretary may correct or update information in the Register

                   The Secretary may correct or update information in the Register.

22  Register not to be made public

                   The Secretary must ensure that the Register is not made public.

Note:          See Division 3 of Part 4 for the recording, use and disclosure of protected information that may be contained in the Register.

Division 3Obligation to give information and notify of events

23  Initial obligation to give information

             (1)  This section applies if an entity is, or will be, a reporting entity for a critical infrastructure asset at the end of the grace period for the asset.

Note:          Once an entity has given information in relation to an asset under this section, the reporting entity for the asset must comply with section 24 (ongoing obligation to give information and notify of events).

             (2)  The entity must give the Secretary the following information in accordance with subsection (3):

                     (a)  if the reporting entity is the responsible entity for the asset—the operational information in relation to the asset;

                     (b)  if the reporting entity is a direct interest holder in relation to the asset—the interest and control information in relation to the entity and the asset.

Note 1:       Persons other than the entity may give the information (see section 30 (agents may give notice or information) and Division 2 of Part 7 (treatment of certain entities)).

Note 2:       For an exception to this section, see section 25 (information that is not able to be obtained).

Civil penalty:          50 penalty units.

             (3)  The information must be given:

                     (a)  in the approved form; and

                     (b)  by the later of:

                              (i)  the end of the grace period for the asset; and

                             (ii)  the end of 30 days after the day the entity becomes a reporting entity for the asset.

24  Ongoing obligation to give information and notify of events

             (1)  This section applies to a reporting entity for a critical infrastructure asset if a notifiable event occurs in relation to the asset:

                     (a)  after the entity gives information in relation to the asset under section 23; or

                     (b)  after the end of the grace period for the asset.

Requirement to give information and notify of events

             (2)  If the reporting entity is required to give information in relation to the event in accordance with subsection (3), the reporting entity for the asset must give the Secretary that information and notice of the event:

                     (a)  in the approved form; and

                     (b)  by the end of 30 days after the event occurs.

Note 1:       Persons other than the entity may give the information (see section 30 (agents may give notice or information) and Division 2 of Part 7 (treatment of certain entities)).

Note 2:       For an exception to this section, see section 25 (information that is not able to be obtained).

Civil penalty:          50 penalty units.

             (3)  The following table sets out the information a reporting entity is required to give in relation to the event.

 

Ongoing obligation to give information

Item

If the event is ...

this reporting entity ...

must give this information ...

1

an event covered by subparagraph 26(a)(i)

the entity that is the responsible entity for the asset immediately after the event occurs

any operational information in relation to the asset that is necessary to correct or complete the operational information, in relation to the asset, previously obtained by the Secretary.

2

an event covered by subparagraph 26(a)(ii)

the entity that is the direct interest holder to which the information relates

any interest and control information in relation to the entity and the asset that is necessary to correct or complete the interest and control information, in relation to the entity and the asset, previously obtained by the Secretary.

3

an event covered by paragraph 26(b) or (c) relating to the responsible entity for the asset

the responsible entity for the asset

the operational information in relation to the asset.

4

an event covered by paragraph 26(b) or (c) relating to a direct interest holder in relation to the asset

the direct interest holder in relation to the asset

the interest and control information in relation to the entity and the asset.

 

Exception to requirement to give information

             (4)  However, subsection (2) does not apply in relation to the event (the first event) if:

                     (a)  before the end of 30 days after the first event occurs, another notifiable event (the second event) occurs in relation to the asset; and

                     (b)  a result of the second event is that the information in relation to the asset that was required to be given to the Secretary under subsection (2) following the first event is no longer correct.

Note:          An entity that wishes to rely on subsection (4) in proceedings for a civil penalty order bears an evidential burden in relation to the matter in that subsection (see section 96 of the Regulatory Powers Act).

25  Information that is not able to be obtained

                   Section 23 (initial obligation to give information) or 24 (ongoing obligation to give information and notify of events) does not apply in relation to particular information that a person is required to provide under that section if:

                     (a)  the person uses the person’s best endeavours to obtain the information; and

                     (b)  the person is not able to obtain the information.

Note:          An entity that wishes to rely on this section in proceedings for a civil penalty order bears an evidential burden in relation to the matter in that subsection (see section 96 of the Regulatory Powers Act).

26  Meaning of notifiable event

                   An event is a notifiable event in relation to a critical infrastructure asset if:

                     (a)  the event has the effect that either of the following previously obtained by the Secretary for the purposes of this Act becomes incorrect or incomplete:

                              (i)  the operational information in relation to the asset;

                             (ii)  the interest and control information in relation to a direct interest holder and the asset; or

                     (b)  the event is an entity becoming a reporting entity for the asset; or

                     (c)  the event is a reporting entity for the asset becoming an entity to which this Act applies (see section 13).

Note:          If an asset becomes a critical infrastructure asset after the end of the period of 6 months starting on the commencing day, a reporting entity for the asset initially has a period of between 30 days and 6 months in which to provide information in relation to the asset (see section 23).

27  Rules may exempt from requirement to give notice or information

                   The rules may provide that this Division, or specified provisions of this Division, do not apply in relation to:

                     (a)  any entity; or

                     (b)  specified classes of entities; or

                     (c)  specified entities;

either generally or in specified circumstances.

Note:          An entity that wishes to rely on an exemption in the rules in relation to a contravention of section 23 or 24 bears an evidential burden (see section 96 of the Regulatory Powers Act).

Division 4Giving of notice or information by agents etc.

28  Requirement for executors and administrators to give notice or information for individuals who die

                   If an individual, who is required by section 23 or 24 to give notice or information, dies before giving the notice or information, the executor or administrator of the individual’s estate must give the notice or information in accordance with that section.

29  Requirement for corporate liquidators etc. to give notice or information

                   If an entity that is required by section 23 or 24 to give notice or information is a corporation that:

                     (a)  is placed into voluntary administration, liquidation or receivership before giving the notice or information; and

                     (b)  is no longer in a position to give the notice or information;

the voluntary administrator, liquidator or receiver of the corporation must give the notice or information in accordance with that section.

30  Agents may give notice or information

                   An entity required by section 23 or 24 to give notice or information is taken to have complied with the requirement if someone else gives the notice or information, in accordance with that section, on the entity’s behalf.

Part 3Directions by the Minister

Division 1Simplified outline of this Part

31  Simplified outline of this Part

The Minister may require a reporting entity for, or an operator of, a critical infrastructure asset to do, or refrain from doing, an act or thing, if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security.

The Minister may give the direction only if particular criteria are met and certain consultation has been undertaken.

Division 2Directions by the Minister

32  Direction if risk of act or omission that would be prejudicial to security

             (1)  This section applies if in connection with the operation of, or the delivery of a service by, a critical infrastructure asset the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security.

Direction to do, or refrain from doing, an act or thing

             (2)  The Minister may, subject to subsections (3) and (4), give an entity that is a reporting entity for, or an operator of, a critical infrastructure asset a written direction requiring the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction.

             (3)  The Minister must not give the direction unless:

                     (a)  the Minister is satisfied that requiring the entity to do, or to refrain from doing, the specified act or thing is reasonably necessary for purposes relating to eliminating or reducing the risk mentioned in subsection (1); and

                     (b)  the Minister is satisfied that reasonable steps have been taken to negotiate in good faith with the entity to achieve an outcome of eliminating or reducing the risk without a direction being given under subsection (2); and

                     (c)  an adverse security assessment in respect of the entity has been given to the Minister for the purposes of this section; and

                     (d)  the Minister is satisfied that no existing regulatory system of the Commonwealth, a State or a Territory could instead be used to eliminate or reduce the risk mentioned in subsection (1).

Note:          The Minister must also undertake consultation before giving a direction (see section 33).

Matters etc. to which regard must be had

             (4)  Before giving the entity the direction, the Minister must have regard to the following:

                     (a)  the adverse security assessment mentioned in paragraph (3)(c);

                     (b)  the costs that would be likely to be incurred by the entity in complying with the direction;

                     (c)  the potential consequences that the direction may have on competition in the relevant industry for the critical infrastructure asset;

                     (d)  the potential consequences that the direction may have on customers of, or services provided by, the entity;

                     (e)  any representations given by the entity or a consulted Minister under subsection 33(2) within the period specified for that purpose.

             (5)  The Minister:

                     (a)  must give the greatest weight to the matter mentioned in paragraph (4)(a); and

                     (b)  may also have regard to any other matter the Minister considers relevant.

33  Consultation before giving direction

Consultation with relevant State or Territory Ministers

             (1)  Before giving an entity a direction under subsection 32(2), the Minister (the Commonwealth Minister) must:

                     (a)  consult the following persons (the consulted Minister):

                              (i)  the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the critical infrastructure asset is located;

                             (ii)  each Minister of the State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset in that State or Territory; and

                     (b)  after reasonable steps have been taken to negotiate in good faith with the entity as described in paragraph 32(3)(b), give the entity and each consulted Minister written notice of the proposed direction.

             (2)  The notice must invite the entity and each consulted Minister to make written representations to the Commonwealth Minister in relation to the proposed direction within the period specified in the notice, which must be:

                     (a)  at least 28 days after the notice is given; or

                     (b)  a shorter period if the Commonwealth Minister considers the shorter period is necessary because of urgent circumstances.

             (3)  Subsection (1) does not limit the persons with whom the Commonwealth Minister may consult.

34  Requirement to comply with direction

                   An entity must comply with a direction given to the entity under subsection 32(2).

Note:          If the entity is not a legal person, see Division 2 of Part 7.

Civil penalty:          250 penalty units.

35  Exception—acquisition of property

                   Section 34 does not apply to the extent (if any) that its operation would result in an acquisition of property from a person otherwise than on just terms.

Note:          An entity that wishes to rely on this section in proceedings for a civil penalty order bears an evidential burden in relation to the matter in this section (see section 96 of the Regulatory Powers Act).

Part 4Gathering and using information

Division 1Simplified outline of this Part

36  Simplified outline of this Part

The Secretary may require a reporting entity for, or an operator of, a critical infrastructure asset to provide certain information or documents.

Information, in relation to a critical infrastructure asset, that is obtained under this Act is protected information. The fact that an asset is declared under section 51 to be a critical infrastructure asset is also protected information. If information is disclosed in accordance with Division 3 or subsection 51(3) or 52(4), the information is still protected information.

The making of a record, or the use or disclosure, of protected information is authorised in particular circumstances but is otherwise an offence.

The privilege against self‑incrimination does not apply in relation to a requirement to provide information or documents under this Part.

Division 2Secretary’s power to obtain information or documents

37  Secretary may obtain information or documents from entities

             (1)  This section applies if the Secretary has reason to believe that an entity that is a reporting entity for, or an operator of, a critical infrastructure asset has information or a document that:

                     (a)  is relevant to the exercise of a power, or the performance of a duty or function, under this Act in relation to the asset; or

                     (b)  may assist with determining whether a power under this Act should be exercised in relation to the asset.

Requirement to give information or documents

             (2)  The Secretary may, by notice in writing given to the entity, require the entity to:

                     (a)  give any such information; or

                     (b)  produce any such documents; or

                     (c)  make copies of any such documents and to produce those copies;

to the Secretary within the period, and in the manner, specified in the notice.

Matters to which regard must be had

             (3)  Before giving the entity the notice, the Secretary:

                     (a)  must have regard to the costs that would be likely to be incurred by the entity in complying with the notice; and

                     (b)  may have regard to any other matters the Secretary considers relevant.

Compliance with notice

             (4)  An entity must comply with a notice given to the entity under subsection (2).

Note 1:       This subsection is not subject to the privilege against self‑incrimination, but there are limits on the uses to which the information, document or copy may be put (see section 40).

Note 2:       If the entity is not a legal person, see Division 2 of Part 7.

Civil penalty:          150 penalty units.

Matters to be set out in notice

             (5)  The notice must set out the effect of the following provisions:

                     (a)  subsection (4);

                     (b)  Part 5 (enforcement);

                     (c)  sections 137.1 and 137.2 of the Criminal Code (false or misleading information or documents).

Compensation for producing copies of documents

             (6)  An entity is entitled to be paid by the Commonwealth reasonable compensation for complying with a requirement covered by paragraph (2)(c).

38  Copies of documents

             (1)  The Secretary may inspect a document or copy produced under section 37 and may make and retain copies of such a document.

             (2)  The Secretary may retain possession of a copy of a document produced in accordance with a requirement covered by paragraph 37(2)(c).

39  Retention of documents

             (1)  The Secretary may take, and retain for as long as is necessary, possession of a document produced under section 37.

             (2)  The entity otherwise entitled to possession of the document is entitled to be supplied, as soon as practicable, with a copy certified by the Secretary to be a true copy.

             (3)  The certified copy must be received in all courts and tribunals as evidence as if it were the original.

             (4)  Until a certified copy is supplied, the Secretary must, at such times and places as the Secretary thinks appropriate, permit the entity otherwise entitled to possession of the document, or a person authorised by that entity, to inspect and make copies of the document.

40  Self‑incrimination

             (1)  An entity is not excused from giving information or producing a document or copy of a document under subsection 37(4) on the ground that the information or the production of the document or copy might tend to incriminate the entity or expose the entity to a penalty.

             (2)  However, in the case of an individual:

                     (a)  the information given or the document or copy produced; or

                     (b)  giving the information or producing the document or copy; or

                     (c)  any information, document or thing obtained as a direct or indirect consequence of giving the information or producing the document or copy;

is not admissible in evidence against the individual:

                     (d)  in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code that relates to this Act; or

                     (e)  in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of subsection 37(4).

Division 3Use and disclosure of protected information

Subdivision AAuthorised use and disclosure

41  Authorised use and disclosure—performing functions etc.

                   An entity may make a record of, use or disclose protected information if the entity makes the record, or uses or discloses the information, for the purposes of:

                     (a)  exercising the entity’s powers, or performing the entity’s functions or duties, under this Act; or

                     (b)  otherwise ensuring compliance with a provision of this Act.

Note:          This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.

42  Authorised use and disclosure—other person’s functions etc.

             (1)  The Secretary may:

                     (a)  disclose protected information to a person mentioned in subsection (2); and

                     (b)  make a record of or use protected information for the purpose of that disclosure;

for the purposes of enabling or assisting the person to exercise his or her powers or perform his or her functions or duties.

Note:          This subsection is an authorisation for the purposes of other laws, including the Australian Privacy Principles.

             (2)  The persons to whom the Secretary may disclose protected information are the following:

                     (a)  a Minister of the Commonwealth who has responsibility for any of the following:

                              (i)  national security;

                             (ii)  law enforcement;

                            (iii)  foreign investment in Australia;

                            (iv)  taxation policy;

                             (v)  industry policy;

                            (vi)  promoting investment in Australia;

                           (vii)  defence;

                          (viii)  the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates;

                     (b)  a Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant industry for the critical infrastructure asset to which the protected information relates;

                     (c)  a person employed as a member of staff of a Minister mentioned in paragraph (a) or (b);

                     (d)  the head of an agency (including a Department) administered by a Minister mentioned in paragraph (a) or (b), or an officer or employee of that agency.

43  Authorised disclosure relating to law enforcement

                   The Secretary may disclose protected information to an enforcement body (within the meaning of the Privacy Act 1988) for the purposes of one or more enforcement related activities (within the meaning of that Act) conducted by or on behalf of the enforcement body.

Note:          This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.

44  Secondary use and disclosure of protected information

                   An entity may make a record of, use or disclose protected information if:

                     (a)  the entity obtains the information under this Subdivision (including this section); and

                     (b)  the entity makes the record, or uses or discloses the information, for the purposes for which the information was disclosed to the entity.

Note:          This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.

Subdivision BOffence for unauthorised use or disclosure

45  Offence for unauthorised use or disclosure of protected information

             (1)  An entity commits an offence if:

                     (a)  the entity obtains information; and

                     (b)  the information is protected information; and

                     (c)  the entity makes a record of, discloses or otherwise uses the information; and

                     (d)  the making of the record, or the disclosure or use, is not authorised under Subdivision A or required by subsection 51(3) or 52(4).

Note 1:       For exceptions to this offence, see section 46.

Note 2:       Information includes the fact that an asset is declared under section 51 to be a critical infrastructure asset (see the definition of protected information in section 5).

Note 3:       If the entity is not a legal person, see Division 2 of Part 7.

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

             (2)  Section 15.1 of the Criminal Code (extended geographical jurisdiction—category A) applies to an offence against subsection (1).

46  Exceptions to offence for unauthorised use or disclosure

Required or authorised by law

             (1)  Section 45 does not apply if the making of the record, or the disclosure or use, of the information is required or authorised by or under:

                     (a)  a law of the Commonwealth, other than Subdivision A or subsection 51(3) or 52(4); or

                     (b)  a law of a State or Territory prescribed by the rules.

             (2)  For the purposes of subsection (1) of this section, the following laws:

                     (a)  the Corporations Act 2001, except a provision of that Act prescribed by the rules;

                     (b)  a law, or a provision of a law, of the Commonwealth prescribed by the rules;

are taken not to require or authorise the making of a record, or the disclosure, of the fact that an asset is declared under section 51 to be a critical infrastructure asset.

Good faith

             (3)  Section 45 does not apply to an entity to the extent that the entity makes a record of, discloses or otherwise uses protected information in good faith and in purported compliance with Subdivision A or subsection 51(3) or 52(4).

Person to whom the protected information relates

             (4)  Section 45 does not apply to an entity if:

                     (a)  the entity discloses protected information to the entity to whom the information relates; or

                     (b)  the entity is the entity to whom the protected information relates; or

                     (c)  the making of the record, or the disclosure or use, of the protected information is in accordance with the express or implied consent of the entity to whom the information relates.

Note:          A defendant bears an evidential burden in relation to the matters in this section (see subsection 13.3(3) of the Criminal Code).

47  No requirement to provide information

                   Except where it is necessary to do so for the purposes of giving effect to this Act, an entity is not to be required to disclose protected information, or produce a document containing protected information, to:

                     (a)  a court; or

                     (b)  a tribunal, authority or person that has the power to require the answering of questions or the production of documents.

Part 5Enforcement

Division 1Simplified outline of this Part

48  Simplified outline of this Part

Civil penalty orders may be sought under Part 4 of the Regulatory Powers Act in relation to contraventions of civil penalty provisions of this Act.

Undertakings to comply with civil penalty provisions of this Act may be accepted and enforced under Part 6 of the Regulatory Powers Act.

Injunctions under Part 7 of that Act may be used to restrain a person from contravening a civil penalty provision of this Act or to compel compliance with a civil penalty provision of this Act.

Division 2Civil penalties, enforceable undertakings and injunctions

49  Civil penalties, enforceable undertakings and injunctions

Enforceable provisions

             (1)  Each civil penalty provision of this Act is enforceable under:

                     (a)  Part 4 of the Regulatory Powers Act (civil penalty provisions); and

                     (b)  Part 6 of that Act (enforceable undertakings); and

                     (c)  Part 7 of that Act (injunctions).

Note 1:       Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Note 2:       Part 6 of that Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Note 3:       Part 7 of that Act creates a framework for using injunctions to enforce provisions.

Authorised applicant

             (2)  For the purposes of Part 4 of the Regulatory Powers Act, as that Part applies in relation to a civil penalty provision of this Act, each of the following is an authorised applicant:

                     (a)  the Minister;

                     (b)  the Secretary.

Authorised person

             (3)  For the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, each of the following is an authorised person:

                     (a)  the Minister;

                     (b)  the Secretary.

Relevant court

             (4)  For the purposes of Parts 4, 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, each of the following is a relevant court:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.

Extension outside Australia

             (5)  Parts 4, 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, extends outside Australia (including to every external Territory).

Part 6Declaration of assets by the Minister

Division 1Simplified outline of this Part

50  Simplified outline of this Part

The Minister may privately declare an asset to be a critical infrastructure asset if the Minister is satisfied that:

       (a)     the asset is critical infrastructure that affects national security; and

      (b)     there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.

The Minister must notify each reporting entity for a declared asset.

If a reporting entity for a declared asset ceases to be such a reporting entity, or becomes aware of another reporting entity for the asset, the entity must notify the Secretary.

It is an offence to disclose that an asset has been so declared (see section 45).

Division 2Declaration of assets by the Minister

51  Declaration of assets by the Minister

             (1)  The Minister may, in writing, declare a particular asset to be a critical infrastructure asset if:

                     (a)  the asset is not otherwise a critical infrastructure asset; and

                     (b)  the asset relates to a relevant industry; and

                     (c)  the Minister is satisfied that:

                              (i)  the asset is critical infrastructure that affects national security; and

                             (ii)  there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.

Note 1:       A relevant industry is electricity, water, ports, gas or an industry prescribed by the rules (see the definition of relevant industry in section 5).

Note 2:       It is an offence to disclose the fact that an asset is declared to be a critical infrastructure asset (see section 45).

             (2)  The declaration must specify the entity that is the responsible entity for the asset.

             (3)  The Minister must notify the following of the declaration, in writing, within 30 days after making the declaration:

                     (a)  each reporting entity for the asset;

                     (b)  the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the asset is located.

             (4)  A notice under subsection (3) must specify the obligations of a reporting entity under this Act.

             (5)  A declaration under subsection (1) is not a legislative instrument.

52  Notification of change to reporting entities for asset

             (1)  This section applies if a reporting entity (the first entity) for an asset declared under subsection 51(1) to be a critical infrastructure asset:

                     (a)  ceases to be a reporting entity for the asset; or

                     (b)  becomes aware of another reporting entity for the asset (whether or not as a result of the first entity ceasing to be a reporting entity).

             (2)  The first entity must, within 30 days, notify the Secretary of the following:

                     (a)  the fact in paragraph (1)(a) or (b) (as the case requires);

                     (b)  if another entity is a reporting entity for the asset—the name of each other entity and the address of each other entity’s head office or principal place of business (to the extent known by the first entity).

Note:          If the entity is not a legal person, see Division 2 of Part 7.

Civil penalty:          150 penalty units.

             (3)  The first entity must use the entity’s best endeavours to determine the name and relevant address of any other entity for the purposes of paragraph (2)(b).

             (4)  If the Secretary is notified of another entity under paragraph (2)(b), the Secretary must notify the other entity of the declaration under subsection 51(1), in writing, within 30 days after being notified under that paragraph.

             (5)  A notice under subsection (4) must specify the obligations of a reporting entity under this Act.

Part 7Miscellaneous

Division 1Simplified outline of this Part

53  Simplified outline of this Part

This Act applies to partnerships, trusts, superannuation funds and unincorporated foreign companies (amongst other entities), but with some modifications.

The Secretary has certain powers and obligations under this Part, including the power to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

The Secretary must give the Minister a report each financial year for presentation to the Parliament. The report relates to the operation of this Act.

This Part also deals with miscellaneous matters, such as delegations and rules.

Division 2Treatment of certain entities

53A  How certain entities hold interests

                   For the purposes of this Act, a trust, partnership, superannuation fund or unincorporated foreign company (as the case requires) is taken to hold an interest in an asset or entity if:

                     (a)  one or more trustees hold the interest on behalf of the beneficiaries of the trust; or

                     (b)  one or more partners hold the interest on behalf of the partnership; or

                     (c)  one or more trustees hold the interest on behalf of the beneficiaries of the superannuation fund; or

                     (d)  one or more appointed officers hold the interest on behalf of the company.

Note:          For the definition of appointed officer, see section 5.

54  Treatment of partnerships

             (1)  This Act applies to a partnership as if it were an entity, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.

             (3)  An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

             (5)  For the purposes of this Act, a change in the composition of a partnership does not affect the continuity of the partnership.

55  Treatment of trusts and superannuation funds that are trusts

             (1)  This Act applies to a trust or a superannuation fund that is a trust as if it were an entity, but with the changes set out in this section.

Trusts or superannuation funds with a single trustee

             (2)  If the trust or superannuation fund has a single trustee:

                     (a)  an obligation that would otherwise be imposed on the trust or superannuation fund by this Act is imposed on the trustee instead; and

                     (b)  an offence against this Act that would otherwise have been committed by the trust or superannuation fund is taken to have been committed by the trustee.

Trusts or superannuation funds with multiple trustees

             (3)  If the trust or superannuation fund has 2 or more trustees:

                     (a)  an obligation that would otherwise be imposed on the trust or superannuation fund by this Act is imposed on each trustee instead, but may be discharged by any of the trustees; and

                     (b)  an offence against this Act that would otherwise have been committed by the trust or superannuation fund is taken to have been committed by each trustee of the trust or superannuation fund, at the time the offence was committed, who:

                              (i)  did the relevant act or made the relevant omission; or

                             (ii)  aided, abetted, counselled or procured the relevant act or omission; or

                            (iii)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

Contraventions of civil penalty provisions

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

56  Treatment of unincorporated foreign companies

             (1)  This Act applies to an unincorporated foreign company as if it were an entity, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the unincorporated foreign company by this Act is imposed on each appointed officer for the company instead, but may be discharged by any of the appointed officers.

Note:          For the definition of appointed officer, see section 5.

             (3)  An offence against this Act that would otherwise have been committed by the unincorporated foreign company is taken to have been committed by each appointed officer for the company, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the appointed officer).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

Division 3Matters relating to Secretary’s powers

57  Additional power of Secretary

                   Without limiting any other provision of this Act, the Secretary may undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

58  Assets ceasing to be critical infrastructure assets

                   The Secretary must, in writing, notify the reporting entity for an asset if the Secretary becomes aware that the asset has ceased to be a critical infrastructure asset.

59  Delegation of Secretary’s powers

             (1)  The Secretary may, by written instrument, delegate to an SES employee, or an acting SES employee, in the Department any of the Secretary’s powers, functions or duties under this Act.

Note:          The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.

             (2)  In exercising powers, performing functions or discharging duties under a delegation, the delegate must comply with any written direction given by the Secretary to the delegate.

Division 4Periodic reports, reviews and rules

60  Periodic report

             (1)  The Secretary must give the Minister, for presentation to the Parliament, a report on the operation of this Act for a financial year.

             (2)  Without limiting subsection (1), the report must deal with:

                     (a)  the number of notifications that were made during the financial year to the Secretary under Division 3 of Part 2 (obligation to give information and notify of events); and

                     (b)  any directions given during the financial year by the Minister under section 32 (direction if risk of act or omission that would be prejudicial to security); and

                     (c)  the use during the financial year of the Secretary’s powers under Division 2 of Part 4 (Secretary’s power to obtain information or documents); and

                     (d)  any action taken during the financial year against an entity under the Regulatory Powers Act as a result of Part 5 (enforcement) of this Act; and

                     (e)  the number of declarations of assets as critical infrastructure assets that were made during the financial year by the Minister under section 51.

             (3)  A report under subsection (1) must not include personal information (within the meaning of the Privacy Act 1988).

Note:          See also section 34C of the Acts Interpretation Act 1901, which contains extra rules about periodic reports.

60A  Review of this Act

             (1)  The Parliamentary Joint Committee on Intelligence and Security must:

                     (a)  review the operation, effectiveness and implications of this Act; and

                     (b)  without limiting paragraph (a), consider whether it would be appropriate to have a unified scheme that covers all infrastructure assets (including telecommunication assets) that are critical to:

                              (i)  the social or economic stability of Australia or its people; or

                             (ii)  the defence of Australia; or

                            (iii)  national security; and

                     (c)  review the circumstances in which any declarations have been made under Part 6 of this Act (declarations of assets by the Minister); and

                     (d)  report the Committee’s comments and recommendations to each House of the Parliament.

             (2)  The Committee must begin the review before the end of 3 years after this Act receives the Royal Assent.

61  Rules

             (1)  The Minister may, by legislative instrument, makes rules prescribing matters:

                     (a)  required or permitted by this Act to be prescribed by the rules; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

             (2)  To avoid doubt, the rules may not do the following:

                     (a)  create an offence or civil penalty;

                     (b)  provide powers of:

                              (i)  arrest or detention; or

                             (ii)  entry, search or seizure;

                     (c)  impose a tax;

                     (d)  set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

                     (e)  directly amend the text of this Act.


[Minister’s second reading speech made in—

Senate on 7 December 2017

House of Representatives on 28 March 2018]

(289/17)