Part 1—Preliminary
1 Name
This instrument is the Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022.
3 Authority
This instrument is made under subsections 63(1) and (3) of the Telecommunications Act 1997.
4 Repeal
This instrument is repealed three years after the day this instrument is registered.
5 Interpretation
Note 1: A number of expressions used in this instrument are defined in section 7 of the Act, including the following:
(b) carriage service provider;
(f) listed carriage service;
(g) telecommunications network.
Note 2: The expressions ‘Governor’, ‘Minister’, ‘SES employee’, ‘State’ and ‘Territory’ are defined in section 2B of the Acts Interpretation Act 1901, which applies to this instrument because of section 13 of the Legislation Act 2003.
(1) In this instrument:
Act means the Telecommunications Act 1997.
approved form means a form approved by the Home Affairs Secretary for the purposes of this instrument.
asset, of a carrier:
(a) means a tangible asset (excluding customer premises equipment), that is:
(i) owned or operated by a carrier; and
(ii) used to supply a carriage service; and
(b) without limitation to paragraph (a), includes the following to the extent that they are used for the supply of a carriage service:
(i) a component of a telecommunications network;
(ii) a telecommunications network;
(iii) a facility;
(iv) computers;
(v) computer devices;
(vi) computer programs;
(vii) computer data.
authorised ASD officer means either:
(a) the Director‑General of the Australian Signals Directorate (ASD); or
(b) an SES employee of ASD nominated in writing by the Director‑General of ASD to give or receive notices for the purposes of this instrument.
cloud service means any service supplied by a person that provides computing and other information technology services to users on demand over the internet.
cyber security incident means one or more acts, events or circumstances involving any of the following:
(a) unauthorised access to either a computer data or a computer program;
(b) unauthorised modification of computer data or a computer program;
(c) unauthorised impairment of electronic communication to or from a computer;
(d) unauthorised impairment of the availability, reliability, security or operation of any of the following:
(i) a computer;
(ii) computer data;
(iii) a computer program;
(e) unauthorised impairment of an asset operated for the supply of a carriage service by a carrier.
direct interest holder, in respect of an asset owned or operated by a carrier, has the meaning given by section 9.
Home Affairs Department means the Department administered by the Home Affairs Minister from time to time.
Home Affairs Minister means the Minister administering the Security of Critical Infrastructure Act 2018 from time to time.
Home Affairs Secretary means the Secretary of the Home Affairs Department from time to time.
interest and control information has the meaning given by section 8.
maintained data is data that:
(a) relates to an asset of a carrier; and
(b) is maintained by an entity other than the carrier; and
(c) is any of the following:
(i) personal information (within the meaning of the Privacy Act 1988) of at least 20,000 individuals;
(ii) sensitive information (within the meaning of the Privacy Act 1988) that relates to any individual;
(iii) information about any research and development related to the asset;
(iv) information about any systems needed to operate the asset;
(v) information about risk management and business continuity (however described) for the asset;
(vi) information about consumers’ consumption of listed carriage services or any directly‑related product.
operational information has the meaning given by section 7.
software‑as‑a‑service means software that is provided either for free or on a subscription basis, with the software being located on computers or servers owned or operated by another entity, which are accessed over the internet.
technical assistance notice has the same meaning as in Part 15 of the Act.
technical assistance request has the same meaning as in Part 15 of the Act.
technical capability notice has the same meaning as in Part 15 of the Act.
unauthorised: access, modification or impairment has the meaning given by section 6.
(2) In this instrument, the following terms have the same meaning as in the Security of Critical Infrastructure Act 2018:
(a) access to a computer data;
(b) associate;
(c) computer;
(d) computer data;
(e) computer device;
(f) computer program;
(g) data;
(h) entity;
(i) First Minister;
(j) influence or control;
(k) interest;
(l) moneylending agreement.
6 Specific definition—meaning of unauthorised access, modification or impairment
(1) For the purposes of the definition of cyber security incident, access, modification or impairment is unauthorised if the person causing the access, modification or impairment is not entitled to do so.
(2) For the purposes of subsection (1), it is immaterial whether the person can be identified.
(3) For the purposes of, and without limitation to, subsection (1), if:
(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and
(b) the person does so:
(i) under a warrant issued under a law of the Commonwealth, a State or a Territory; or
(ii) under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004, under section 31A of the Telecommunications (Interception and Access) Act 1979, or under a law of a State or Territory that makes provision to similar effect; or
(iii) under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004 or section 26G of the Australian Security Intelligence Organisation Act 1979; or
(iv) in accordance with a technical assistance request; or
(v) in compliance with a technical assistance notice; or
(vi) in compliance with a technical capability notice;
the person is entitled to cause that access, modification or impairment.
7 Specific definition—meaning of operational information
(1) For the purposes of this instrument, operational information in relation to an asset of a carrier means:
(a) the location of the asset; and
(b) a description of the area for which carriage services are supplied using the asset; and
(c) the following information about the carrier:
(i) its full legal name;
(ii) if the carrier is a body corporate:
A. incorporated in Australia—its Australian Business Number (ABN); or
B. incorporated outside of Australia—the applicable business number or identifier (however described);
(iii) the address of the carrier’s head office or principal place of business;
(iv) the country in which the entity was incorporated, formed or created (however described);
(v) the full name of the carrier’s chief executive officer (however described) and the country or countries of which that officer is a citizen; and
(d) a description of the arrangements under which the carrier operates the asset or a part of the asset; and
(e) a description of the arrangements for the maintained data.
(2) The description of the arrangements for maintained data under paragraph (1)(e) above must include:
(a) the full legal name of the entity that maintains the data, including, if the entity is a body corporate:
(i) incorporated in Australia—its Australian Business Number (ABN); or
(ii) incorporated outside of Australia—the applicable business number or other identifier (however described); and
(b) the address of the entity’s head office or principal place of business; and
(c) the country in which the entity was incorporated, formed or created (however described); and
(d) the physical address where the data is held, including, to the extent practicable, the physical address where computers or servers holding the data are located, whether or not the computers or servers are part of a cloud service or software‑as‑a‑service; and
(e) for data held using a cloud service or using software‑as‑a‑service—the name of the cloud service or software‑as‑a‑service; and
(f) the kind of data that the entity maintains.
8 Specific definition—meaning of interest and control information
(1) For the purposes of this instrument, the following information is interest and control information in relation to a direct interest holder in an asset of a carrier (other than the carrier):
(a) the full legal name of the direct interest holder;
(b) if the direct interest holder is a body corporate:
(i) incorporated in Australia—its Australian Business Number (ABN); or
(ii) incorporated outside of Australia —the applicable business number or other identifier (however described);
(c) if the direct interest holder is not an individual:
(i) the address of the direct interest holder’s head office or principal place of business; and
(ii) the country in which the direct interest holder was incorporated, formed or created (however described);
(d) if the direct interest holder is an individual:
(i) the residential address of the direct interest holder; and
(ii) the country in which the direct interest holder usually resides; and
(iii) the country or countries of which the direct interest holder is a citizen;
(e) the type and level of the interest held in the asset;
(f) information about the influence or control the direct interest holder is in a position to directly or indirectly exercise in relation to the asset;
(g) (where applicable) information about the ability of another person, who has been appointed by the direct interest holder, to directly access networks or systems that are necessary for the operation or control of the asset;
(h) the name of each other entity that is in a position to directly or indirectly influence or control:
(i) the direct interest holder; or
(ii) any entity covered by a previous application of this subsection;
(i) in relation to each entity covered by paragraph (h) above (the higher entity):
(i) the information in paragraphs (b) to (d), and (e) if appropriate, as if any reference in those paragraphs to the direct interest holder were a reference to the higher entity; and
(ii) information about the influence or control the higher entity is in a position to directly or indirectly exercise in relation to the direct interest holder or any entity covered by paragraph (h).
(2) For the avoidance of doubt, information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).
9 Specific definition—meaning of direct interest holder
General definition
(1) An entity is a direct interest holder, in an asset that is owned or operated by a carrier, if the entity:
(a) together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or
(b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
Exclusions to general definition
(2) Subsection (1) does not apply to an interest in an asset held by a Governor, First Minister, Administrator or Minister of a State or Territory.
(3) Subsection (1) does not apply to an interest in an asset if:
(a) the entity holds the interest in the asset solely:
(i) by way of security for the purposes of a moneylending agreement; or
(ii) as a result of enforcing a security for the purposes of a moneylending agreement; and
(b) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset; and
(c) if the entity is holding the interest solely by way of security—enforcing the security would not put the entity in a position to directly or indirectly influence or control the asset.
How certain interests are held
(4) For the purposes of this instrument, and without limitation, an interest in an asset that is owned or operated by a carrier is taken to be held if:
(a) one or more trustees hold the interest on behalf of the beneficiaries of the trust; or
(b) one or more partners hold the interest on behalf of the partnership; or
(c) one or more trustees hold the interest on behalf of the beneficiaries of the superannuation fund; or
(d) one or more appointed officers hold the interest on behalf of the company.
Part 2—Conditions
Division 1—General
10 Carrier licence conditions
(1) Each person that holds a carrier licence at the time this instrument commences, must, at all times during which they are a carrier, comply with the conditions specified in the following sections of this instrument:
(a) section 11;
(b) section 12;
(c) section 13;
(d) section 14.
(2) In the event that a carrier licence is granted to a specified person any time after this instrument commences, the person must, at all times during which they are a carrier, comply with the conditions specified in the following sections of this instrument:
(a) section 11;
(b) section 12;
(c) section 13;
(d) section 14.
Division 2—Specific conditions
11 Notification of critical cyber security incidents
(1) Subject to subsection (5), when a carrier becomes aware that:
(a) a cyber security incident has occurred or is occurring; and
(b) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of any of its assets; and
(c) the carrier must:
(i) give the ASD a report about the incident; and
(ii) do so as soon as practicable, and in any event within 12 hours, after the carrier becomes so aware.
Significant impact
(2) For the purposes of subsection (1), a cyber security incident has a significant impact (whether direct or indirect) on the availability of an asset if, and only if, both:
(a) the asset is used in connection with the provision of essential goods or services; and
(b) the incident has materially disrupted the availability of those essential goods or services.
Form of report
(3) A report under subsection (1) may be given:
(a) orally; or
(b) in writing in the approved form.
(4) If a report under subsection (1) is given orally, the carrier must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the authorised ASD officer; and
(b) do so within 84 hours after the report is given.
(5) The obligation under subsection (1) does not apply in respect of a particular cyber security incident if an authorised ASD officer has provided advice in writing to the carrier that a report about the incident is not required. For the avoidance of doubt, such a notice is not a legislative instrument.
12 Notification of other cyber security incidents
(1) Subject to subsection (5), when a carrier becomes aware that:
(a) a cyber security incident has occurred, is occurring or is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on an asset of the carrier;
the carrier must:
(c) give the ASD, a report about the incident, and
(d) do so as soon as practicable, and in any event within 72 hours, after the carrier becomes so aware.
Relevant impact
(2) For the purposes of subsection (1), each of the following is a relevant impact of a cyber security incident on an asset:
(a) an impact (whether direct or indirect) of the incident on the availability of the asset;
(b) an impact (whether direct or indirect) of the incident on the integrity of the asset;
(c) an impact (whether direct or indirect) of the incident on the reliability of the asset;
(d) an impact (whether direct or indirect) of the incident on the confidentiality of:
(i) information about the asset; or
(ii) if information is stored in the asset—that information; or
(iii) if the asset is computer data—that computer data.
(3) A report under subsection (1) may be given:
(a) orally; or
(b) in writing in the approved form.
(4) If a report under subsection (1) is given orally, the carrier must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the authorised ASD officer; and
(b) do so within 48 hours after the report is given.
(5) The obligation under subsection (1) does not apply in respect of a particular cyber security incident if an authorised ASD officer has provided advice in writing to the carrier that a report about the incident is not required.
Note: Staff members of ASD are subject to section 40G of the Intelligence Services Act 2001 (Cth), which makes imposes an offence for those staff members, relating the intentional unauthorised dealings with certain records obtained by reason of his or her being, or having been, a staff member of ASD. A breach of section 40G carries a maximum penalty of imprisonment for 3 years.
13 Initial obligation to give information
(1) Subject to section 15, a carrier must give the Home Affairs Secretary the following information in writing:
(a) the operational information in relation to each asset of the carrier;
(b) where an entity other than the carrier holds a direct interest in an asset owned or operated by the carrier—the interest and control information of direct interest holders in the asset.
(2) The information must be given:
(a) in the approved form; and
(b) by the later of:
(i) the day on which this section commences; and
(ii) 30 days after being licensed as a carrier.
(3) For the purposes of subsection (1) above, the operational information about assets should, where practicable, be provided by the carrier at the level of component systems of telecommunications networks, constituent network units, and associated control or administrative systems, identifying these by each distinct operational region (as applicable).
14 Ongoing obligation to give information and notify of events
(1) Subject to section 15 and subsections (3) and (4) of this section, if a carrier is required to give information in relation to an event in accordance with subsection (2), the carrier must give the Home Affairs Secretary that information and notice of the event:
(a) in the approved form; and
(b) by the end of 30 days after the event occurs.
(2) The following table sets out the information a carrier is required to give in relation to an event.
Ongoing obligation to give information |
Item | If the event ... | the carrier must give this information: |
1 | has the effect that the operational information in relation to an asset previously obtained by the Home Affairs Secretary under this instrument becomes incorrect or incomplete | any operational information in relation to the asset that is necessary to correct or complete the operational information, in relation to the asset, previously obtained by the Home Affairs Secretary. |
2 | has the effect that the interest and control information in relation to a direct interest holder in an asset previously obtained by the Home Affairs Secretary under this instrument becomes incorrect or incomplete | any interest and control information in relation to the direct interest holder and the asset that is necessary to correct or complete the interest and control information, in relation to the direct interest holder and the asset, previously obtained by the Home Affairs Secretary. |
3 | has the effect that a direct interest holder: (i) acquires an interest; or (ii) changes its interest; in an asset of a carrier | the operational information in relation to the asset, and the interest and control information in relation to the direct interest holder and the asset. |
(3) Subsection (1) does not apply to an event in relation to an asset (the first event) if:
(a) before the end of 30 days after the first event occurs, another notifiable event (the second event) occurs in relation to the same asset; and
(b) a result of the second event is that the information in relation to the asset that was required to be given to the Home Affairs Secretary under subsection (1) following the first event is no longer correct.
(4) Subsection (1) does not apply to an event in relation to an asset if the Home Affairs Secretary has provided advice in writing to the carrier that a report about the event is not required.
Note: Section 122.4 of the Schedule to the Criminal Code Act 1995 makes it an offence for a current or former Commonwealth officer to communicate information obtained by reason of being a Commonwealth officer, or otherwise being engaged to perform work for a Commonwealth entity, if there is a Commonwealth statutory duty not to disclose the information. Under section 13 of the Public Service Act 1999, APS officers (a class of Commonwealth officers) are subject to various statutory duties including in relation to not improperly using confidential information. A breach of section 122.4 carries a maximum penalty of imprisonment for 2 years.
15 Circumstances where the information is not able to be obtained
The obligations under section 13 (initial obligation to give information) and section 14 (ongoing obligation to give information and notify of events) do not apply if the carrier has used its best endeavours to obtain the required information and has not been able to obtain the information.
