Commonwealth of Australia Bills Commonwealth of Australia Bills[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
2016-2017
The Parliament of the
Commonwealth of Australia
THE SENATE
Presented and read a first time
Security of Critical Infrastructure Bill
2017
No. , 2017
(Attorney-General)
A Bill for an Act to create a framework for
managing critical infrastructure, and for related
purposes
No. , 2017
Security of Critical Infrastructure Bill 2017
i
Contents
Part 1--Preliminary
1
Division 1--Preliminary
1
1
Short title ........................................................................................... 1
2
Commencement ................................................................................. 2
3
Object ................................................................................................ 2
4
Simplified outline of this Act ............................................................ 3
Division 2--Definitions
5
5
Definitions ......................................................................................... 5
6
Meaning of interest and control information ..................................... 9
7
Meaning of operational information ............................................... 11
8
Meaning of direct interest holder .................................................... 11
9
Meaning of critical infrastructure asset .......................................... 12
10
Meaning of critical electricity asset ................................................ 14
11
Meaning of critical port .................................................................. 14
12
Meaning of critical gas asset ........................................................... 15
Division 3--Constitutional provisions and application of this Act
16
13
Application of this Act .................................................................... 16
14
Extraterritoriality ............................................................................. 16
15
This Act binds the Crown ................................................................ 16
16
Concurrent operation of State and Territory laws ............................ 17
17
State constitutional powers .............................................................. 17
Part 2--Register of Critical Infrastructure Assets
18
Division 1--Simplified outline of this Part
18
18
Simplified outline of this Part .......................................................... 18
Division 2--Register of Critical Infrastructure Assets
19
19
Secretary must keep Register........................................................... 19
20
Secretary may add information to Register ..................................... 19
21
Secretary may correct or update information in the Register ........... 19
22
Register not to be made public ........................................................ 19
Division 3--Obligation to give information and notify of events
20
23
Initial obligation to give information ............................................... 20
24
Ongoing obligation to give information and notify of events .......... 20
25
Information that is not able to be obtained ...................................... 23
26
Meaning of notifiable event ............................................................. 23
27
Rules may exempt from requirement to give notice or
information ...................................................................................... 23
ii
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 4--Giving of notice or information by agents etc.
25
28
Requirement for executors and administrators to give notice
or information for individuals who die ............................................ 25
29
Requirement for corporate liquidators etc. to give notice or
information ...................................................................................... 25
30
Agents may give notice or information ........................................... 25
Part 3--Directions by the Minister
26
Division 1--Simplified outline of this Part
26
31
Simplified outline of this Part .......................................................... 26
Division 2--Directions by the Minister
27
32
Direction if risk of act or omission that would be prejudicial
to security ........................................................................................ 27
33
Consultation before giving direction ............................................... 28
34
Requirement to comply with direction ............................................ 29
35
Exception--acquisition of property ................................................. 29
Part 4--Gathering and using information
30
Division 1--Simplified outline of this Part
30
36
Simplified outline of this Part .......................................................... 30
Division 2--Secretary's power to obtain information or
documents
31
37
Secretary may obtain information or documents from entities ........ 31
38
Copies of documents ....................................................................... 32
39
Retention of documents ................................................................... 32
40
Self-incrimination ............................................................................ 33
Division 3--Use and disclosure of protected information
34
Subdivision A--Authorised use and disclosure
34
41
Authorised use and disclosure--performing functions etc. ............. 34
42
Authorised use and disclosure--other person's functions etc. ......... 34
43
Authorised disclosure relating to law enforcement .......................... 35
44
Secondary use and disclosure of protected information................... 35
Subdivision B--Offence for unauthorised use or disclosure
36
45
Offence for unauthorised use or disclosure of protected
information ...................................................................................... 36
46
Exceptions to offence for unauthorised use or disclosure ................ 36
47
No requirement to provide information ........................................... 37
Part 5--Enforcement
38
Division 1--Simplified outline of this Part
38
No. , 2017
Security of Critical Infrastructure Bill 2017
iii
48
Simplified outline of this Part .......................................................... 38
Division 2--Civil penalties, enforceable undertakings and
injunctions
39
49
Civil penalties, enforceable undertakings and injunctions ............... 39
Part 6--Declaration of assets by the Minister
41
Division 1--Simplified outline of this Part
41
50
Simplified outline of this Part .......................................................... 41
Division 2--Declaration of assets by the Minister
42
51
Declaration of assets by the Minister ............................................... 42
52
Notification of change to reporting entities for asset ....................... 43
Part 7--Miscellaneous
44
Division 1--Simplified outline of this Part
44
53
Simplified outline of this Part .......................................................... 44
Division 2--Treatment of certain entities
45
54
Treatment of partnerships ................................................................ 45
55
Treatment of trusts and superannuation funds that are trusts ........... 45
56
Treatment of unincorporated foreign companies ............................. 46
Division 3--Matters relating to Secretary's powers
48
57
Additional power of Secretary ......................................................... 48
58
Assets ceasing to be critical infrastructure assets ............................ 48
59
Delegation of Secretary's powers .................................................... 48
Division 4--Periodic reports and rules
49
60
Periodic report ................................................................................. 49
61
Rules ................................................................................................ 49
No. , 2017
Security of Critical Infrastructure Bill 2017
1
A Bill for an Act to create a framework for
1
managing critical infrastructure, and for related
2
purposes
3
The Parliament of Australia enacts:
4
Part 1--Preliminary
5
Division 1--Preliminary
6
1 Short title
7
This Act is the Security of Critical Infrastructure Act 2017.
8
Part 1 Preliminary
Division 1 Preliminary
Section 2
2
Security of Critical Infrastructure Bill 2017
No. , 2017
2 Commencement
1
(1) Each provision of this Act specified in column 1 of the table
2
commences, or is taken to have commenced, in accordance with
3
column 2 of the table. Any other statement in column 2 has effect
4
according to its terms.
5
6
Commencement information
Column 1
Column 2
Column 3
Provisions
Commencement
Date/Details
1. The whole of
this Act
A single day to be fixed by Proclamation.
However, if the provisions do not commence
within the period of 3 months beginning on
the day this Act receives the Royal Assent,
they commence on the day after the end of
that period.
Note:
This table relates only to the provisions of this Act as originally
7
enacted. It will not be amended to deal with any later amendments of
8
this Act.
9
(2) Any information in column 3 of the table is not part of this Act.
10
Information may be inserted in this column, or information in it
11
may be edited, in any published version of this Act.
12
3 Object
13
The object of this Act is to provide a framework for managing risks
14
to national security relating to critical infrastructure, including by:
15
(a) improving the transparency of the ownership and operational
16
control of critical infrastructure in Australia in order to better
17
understand those risks; and
18
(b) facilitating cooperation and collaboration between all levels
19
of government, and regulators, owners and operators of
20
critical infrastructure, in order to identify and manage those
21
risks.
22
Preliminary Part 1
Preliminary Division 1
Section 4
No. , 2017
Security of Critical Infrastructure Bill 2017
3
4 Simplified outline of this Act
1
This Act creates a framework for managing risks to national
2
security relating to critical infrastructure.
3
The framework consists of the following:
4
(a)
the keeping of a register of information in relation to
5
critical infrastructure assets (the register will not be
6
made public);
7
(b)
requiring certain entities relating to a critical
8
infrastructure asset to provide information in relation to
9
the asset, and to notify if certain events occur in relation
10
to the asset;
11
(c)
allowing the Minister to require certain entities relating
12
to a critical infrastructure asset to do, or refrain from
13
doing, an act or thing if the Minister is satisfied that
14
there is a risk of an act or omission that would be
15
prejudicial to security;
16
(d)
allowing the Secretary to require certain entities relating
17
to a critical infrastructure asset to provide certain
18
information or documents;
19
(e)
allowing the Secretary to undertake an assessment of a
20
critical infrastructure asset to determine if there is a risk
21
to national security relating to the asset.
22
Certain information obtained under, or relating to the operation of,
23
this Act is protected information. There are restrictions on when a
24
person may make a record of, use or disclose protected
25
information.
26
Civil penalty provisions of this Act may be enforced using civil
27
penalty orders or injunctions, and enforceable undertakings may be
28
accepted in relation to compliance with civil penalty provisions.
29
The Regulatory Powers Act is applied for these purposes. Certain
30
other provisions of this Act may be enforced by imposing a
31
criminal penalty.
32
Part 1 Preliminary
Division 1 Preliminary
Section 4
4
Security of Critical Infrastructure Bill 2017
No. , 2017
The Minister may privately declare a particular asset to be a critical
1
infrastructure asset so that this Act applies to it. A private
2
declaration can only be made if there would be a risk to national
3
security if it were publicly known that the asset is critical
4
infrastructure that affects national security.
5
The Secretary must give the Minister reports, for presentation to
6
the Parliament, on the operation of this Act.
7
Preliminary Part 1
Definitions Division 2
Section 5
No. , 2017
Security of Critical Infrastructure Bill 2017
5
Division 2--Definitions
1
5 Definitions
2
In this Act:
3
ABN has the same meaning as in the A New Tax System
4
(Australian Business Number) Act 1999.
5
acquisition of property has the same meaning as in
6
paragraph 51(xxxi) of the Constitution.
7
adverse security assessment has the same meaning as in Part IV of
8
the Australian Security Intelligence Organisation Act 1979.
9
appointed officer, for an unincorporated foreign company, means:
10
(a) the secretary of the company; or
11
(b) an officer of the company appointed to hold property on
12
behalf of the company.
13
approved form means a form approved by the Secretary.
14
civil penalty provision has the same meaning as in the Regulatory
15
Powers Act.
16
commencing day means the day this Act commences.
17
critical electricity asset has the meaning given by section 10.
18
critical gas asset has the meaning given by section 12.
19
critical infrastructure asset has the meaning given by section 9.
20
critical port has the meaning given by section 11.
21
critical water asset means a water or sewerage system or network
22
that is used to ultimately deliver services to at least 100,000 water
23
connections or 100,000 sewerage connections under the
24
management of a water utility.
25
Note:
The rules may prescribe that a specified critical water asset is not a
26
critical infrastructure asset (see section 9).
27
Part 1 Preliminary
Division 2 Definitions
Section 5
6
Security of Critical Infrastructure Bill 2017
No. , 2017
direct interest holder, in relation to an asset, has the meaning given
1
by section 8.
2
entity means any of the following:
3
(a) an individual, whether or not resident in Australia or an
4
Australian citizen;
5
(b) a body corporate, whether or not formed, or carrying on
6
business, in Australia;
7
(c) a body politic, whether or not an Australian body politic;
8
(d) a partnership, whether or not formed in Australia;
9
(e) a trust, whether or not created in Australia;
10
(f) a superannuation fund, whether or not created in Australia;
11
(g) an unincorporated foreign company.
12
Note:
See Division 2 of Part 7 for how this Act applies to partnerships,
13
trusts, superannuation funds and unincorporated foreign companies.
14
First Minister means the Premier of a State, or the Chief Minister
15
of the Australian Capital Territory or the Northern Territory.
16
grace period, for an asset, means:
17
(a) for an asset that is, or will be, a critical infrastructure asset at
18
the end of the period of 6 months starting on the commencing
19
day--that 6 month period; or
20
(b) for an asset that becomes a critical infrastructure asset after
21
the end of the period mentioned in paragraph (a)--the period
22
of 6 months starting on the day the asset becomes a critical
23
infrastructure asset.
24
interest and control information, in relation to an entity and an
25
asset, has the meaning given by section 6.
26
international relations means political, military and economic
27
relations with foreign governments and international organisations.
28
national security means Australia's defence, security or
29
international relations.
30
notifiable event has the meaning given by section 26.
31
Preliminary Part 1
Definitions Division 2
Section 5
No. , 2017
Security of Critical Infrastructure Bill 2017
7
operational information, in relation to an asset, has the meaning
1
given by section 7.
2
operator, of an asset, means:
3
(a) for a critical port--a port facility operator (within the
4
meaning of the Maritime Transport and Offshore Facilities
5
Security Act 2003) of a port facility within the port; or
6
(b) for a critical infrastructure asset other than a critical port--an
7
entity that is authorised (however described) to operate the
8
asset or part of the asset.
9
Note:
For some assets, an operator of the asset is also the responsible entity
10
for the asset.
11
port facility has the same meaning as in the Maritime Transport
12
and Offshore Facilities Security Act 2003.
13
protected information means information, in relation to an asset,
14
that:
15
(a) is obtained by a person in the course of exercising powers, or
16
performing duties or functions, under this Act; or
17
(b) is the fact that the asset is declared under section 51 to be a
18
critical infrastructure asset; or
19
(c) was information to which paragraph (a) or (b) applied and is
20
obtained by a person by way of an authorised disclosure
21
under Division 3 of Part 4 or in accordance with section 46.
22
Register means the Register of Critical Infrastructure Assets kept
23
by the Secretary under section 19.
24
Regulatory Powers Act means the Regulatory Powers (Standard
25
Provisions) Act 2014.
26
relevant industry, for an asset, is whichever of the following
27
industries the asset relates to:
28
(a) electricity;
29
(b) water;
30
(c) ports;
31
(d) gas;
32
(e) an industry prescribed by the rules for the purposes of this
33
paragraph.
34
Part 1 Preliminary
Division 2 Definitions
Section 5
8
Security of Critical Infrastructure Bill 2017
No. , 2017
reporting entity, for an asset, means either of the following:
1
(a) the responsible entity for the asset;
2
(b) a direct interest holder in relation to the asset.
3
Note:
An entity may be both the responsible entity for an asset and a direct
4
interest holder in relation to the asset.
5
responsible entity, for an asset, means:
6
(a) for a critical electricity asset or a critical gas asset--the entity
7
that holds the licence, approval or authorisation (however
8
described) to operate the asset to provide the service to be
9
delivered by the asset; or
10
(b) for a critical water asset--the water utility that holds the
11
licence, approval or authorisation (however described), under
12
a law of the Commonwealth, a State or a Territory, to provide
13
the service to be delivered by the asset; or
14
(c) for a critical port--the port operator (within the meaning of
15
the Maritime Transport and Offshore Facilities Security Act
16
2003) of the port; or
17
(d) for an asset declared under section 51 to be a critical
18
infrastructure asset--the entity specified in the declaration as
19
the responsible entity for the asset (see subsection 51(2)); or
20
(e) for an asset prescribed by the rules for the purposes of
21
paragraph 9(1)(f)--the entity specified by the rules for the
22
asset.
23
rules means the rules made by the Minister under section 61.
24
Secretary means the Secretary of the Department.
25
security (other than in references to national security):
26
(a) other than in sections 10 and 12--has the same meaning as in
27
the Australian Security Intelligence Organisation Act 1979;
28
and
29
(b) in sections 10 and 12--has its ordinary meaning.
30
security regulated port has the same meaning as in the Maritime
31
Transport and Offshore Facilities Security Act 2003.
32
Note:
Security regulated ports are declared under section 13 of the Maritime
33
Transport and Offshore Facilities Security Act 2003.
34
Preliminary Part 1
Definitions Division 2
Section 6
No. , 2017
Security of Critical Infrastructure Bill 2017
9
superannuation fund has the meaning given by section 10 of the
1
Superannuation Industry (Supervision) Act 1993.
2
this Act includes the rules.
3
unincorporated foreign company means a body covered by
4
paragraph (b) of the definition of foreign company in section 9 of
5
the Corporations Act 2001.
6
water utility means an entity that holds a licence, approval or
7
authorisation (however described), under a law of the
8
Commonwealth, a State or a Territory, to provide water services.
9
6 Meaning of interest and control information
10
(1) The following information is interest and control information in
11
relation to an entity (the first entity) and an asset (subject to
12
subsection (3)):
13
(a) the name of the first entity;
14
(b) if applicable, the ABN of the first entity, or other similar
15
business number (however described) if the first entity was
16
incorporated, formed or created (however described) outside
17
Australia;
18
(c) for an entity other than an individual:
19
(i) the address of the first entity's head office or principal
20
place of business; and
21
(ii) the country in which the first entity was incorporated,
22
formed or created (however described);
23
(d) for an entity that is an individual:
24
(i) the residential address of the first entity; and
25
(ii) the country in which the first entity usually resides; and
26
(iii) the country or countries of which the first entity is a
27
citizen;
28
(e) the type and level of the interest the first entity holds in the
29
asset;
30
(f) information about the influence or control the first entity is in
31
a position to directly or indirectly exercise in relation to the
32
asset, including:
33
Part 1 Preliminary
Division 2 Definitions
Section 6
10
Security of Critical Infrastructure Bill 2017
No. , 2017
(i) information about the control the first entity has over
1
decisions relating to the running of the asset (such as
2
voting or veto rights and the ability to appoint persons
3
to the body that governs the asset); and
4
(ii) information relating to any person the first entity has
5
appointed to the body that governs the asset (such as the
6
full name of the person and the country or countries of
7
which the person is a citizen);
8
(g) information about the ability of a person, who has been
9
appointed by the first entity to the body that governs the
10
asset, to directly access networks or systems that are
11
necessary for the operation or control of the asset;
12
(h) for each other entity that is in a position to directly or
13
indirectly influence or control the first entity:
14
(i) the information covered by paragraphs (a) to (d) as if a
15
reference in that paragraph to the first entity were a
16
reference to the other entity; and
17
(ii) information about the influence or control the other
18
entity is in a position to directly or indirectly exercise in
19
relation to the first entity;
20
(i) information prescribed by the rules for the purposes of this
21
paragraph.
22
(2) Information under subsection (1) may include personal information
23
(within the meaning of the Privacy Act 1988).
24
Interest and control information provided by States and Territories
25
(3) If the first entity is a Governor, First Minister, Administrator or
26
Minister of a State or Territory who is a direct interest holder in
27
relation to an asset because of paragraph 8(1)(b), the first entity is
28
not required to provide any interest and control information.
29
(4) However, subsection (3) does not affect the obligation of the State
30
or Territory to provide interest and control information in relation
31
to the asset if the State or Territory is also a direct interest holder in
32
relation to the asset because of paragraph 8(1)(a) or (b).
33
Preliminary Part 1
Definitions Division 2
Section 7
No. , 2017
Security of Critical Infrastructure Bill 2017
11
7 Meaning of operational information
1
(1) The following information is operational information in relation
2
to an asset:
3
(a) the location of the asset;
4
(b) a description of the area the asset services;
5
(c) the following information about each entity that is the
6
responsible entity for, or an operator of, the asset:
7
(i) the name of the entity;
8
(ii) if applicable, the ABN of the entity, or other similar
9
business number (however described) if the entity was
10
incorporated, formed or created (however described)
11
outside Australia;
12
(iii) the address of the entity's head office or principal place
13
of business;
14
(iv) the country in which the entity was incorporated,
15
formed or created (however described);
16
(d) the following information about the chief executive officer
17
(however described) of the responsible entity for the asset:
18
(i) the full name of the officer;
19
(ii) the country or countries of which the officer is a citizen;
20
(e) a description of the arrangements under which each operator
21
operates the asset or a part of the asset;
22
(f) a description of the arrangements under which data
23
prescribed by the rules relating to the asset is maintained;
24
(g) information prescribed by the rules for the purposes of this
25
paragraph.
26
Note:
For paragraph (e), this would include if the control system of the asset
27
is managed by a separate body.
28
(2) Information under subsection (1) may include personal information
29
(within the meaning of the Privacy Act 1988).
30
8 Meaning of direct interest holder
31
(1) An entity is a direct interest holder in relation to an asset if the
32
entity:
33
Part 1 Preliminary
Division 2 Definitions
Section 9
12
Security of Critical Infrastructure Bill 2017
No. , 2017
(a) holds a legal or equitable interest of at least 10% in the asset
1
(including if the interest is held jointly with one or more
2
other entities); or
3
(b) holds a lease of, or an interest in, the asset that puts the entity
4
in a position to directly or indirectly influence or control the
5
asset.
6
(2) Subsection (1) applies to an entity that is:
7
(a) a trust if one or more trustees hold the interest or lease on
8
behalf of the beneficiaries of the trust; or
9
(b) a partnership if one or more partners hold the interest or lease
10
on behalf of the partnership; or
11
(c) a superannuation fund that is a trust if one or more trustees
12
hold the interest or lease on behalf of the beneficiaries of the
13
superannuation fund; or
14
(d) an unincorporated foreign company if one or more appointed
15
officers hold the interest or lease on behalf of the company.
16
Note:
For the definition of appointed officer, see section 5.
17
9 Meaning of critical infrastructure asset
18
(1) An asset is a critical infrastructure asset if it is:
19
(a) a critical electricity asset; or
20
(b) a critical port; or
21
(c) a critical water asset; or
22
(d) a critical gas asset; or
23
(e) an asset declared under section 51 to be a critical
24
infrastructure asset; or
25
(f) an asset prescribed by the rules for the purposes of this
26
paragraph.
27
(2) However, the rules may prescribe that a specified:
28
(a) critical electricity asset; or
29
(b) critical port; or
30
(c) critical water asset; or
31
(d) critical gas asset;
32
is not a critical infrastructure asset.
33
Preliminary Part 1
Definitions Division 2
Section 9
No. , 2017
Security of Critical Infrastructure Bill 2017
13
Prescribing an asset as a critical infrastructure asset
1
(3) The Minister must not prescribe an asset for the purposes of
2
paragraph (1)(f) unless the Minister is satisfied that:
3
(a) the asset is critical to:
4
(i) the social or economic stability of Australia or its
5
people; or
6
(ii) the defence of Australia; or
7
(iii) national security; and
8
(b) there is a risk, in relation to the asset, that may be prejudicial
9
to security.
10
Consultation with State and Territory Ministers
11
(4) The Minister (the Commonwealth Minister) also must not
12
prescribe the asset unless the Commonwealth Minister has:
13
(a) consulted the following persons (the consulted Minister):
14
(i) the First Minister of the State, the Australian Capital
15
Territory or the Northern Territory in which the critical
16
infrastructure asset is located;
17
(ii) each Minister of a State, the Australian Capital
18
Territory, or the Northern Territory, who has
19
responsibility for the regulation or oversight of the
20
relevant industry for the asset in that State or Territory;
21
and
22
(b) given each consulted Minister written notice of the proposal
23
to prescribe the asset; and
24
(c) had regard to any representations given by a consulted
25
Minister under subsection (5) within the period specified for
26
that purpose.
27
(5) The notice must invite each consulted Minister to make written
28
representations to the Commonwealth Minister in relation to the
29
proposal to prescribe the asset within the period specified in the
30
notice, which must be:
31
(a) at least 28 days after the notice is given; or
32
(b) a shorter period if the Commonwealth Minister considers the
33
shorter period is necessary because of urgent circumstances.
34
Part 1 Preliminary
Division 2 Definitions
Section 10
14
Security of Critical Infrastructure Bill 2017
No. , 2017
(6) Subsection (4) does not limit the persons with whom the
1
Commonwealth Minister may consult.
2
10 Meaning of critical electricity asset
3
(1) An asset is a critical electricity asset if it is:
4
(a) a network, system, or interconnector, for the transmission or
5
distribution of electricity to ultimately service at least
6
100,000 customers; or
7
(b) an electricity generation station that is critical to ensuring the
8
security and reliability of electricity networks or electricity
9
systems in a State or Territory, in accordance with
10
subsection (2).
11
Note:
The rules may prescribe that a specified critical electricity asset is not
12
a critical infrastructure asset (see section 9).
13
(2) For the purposes of paragraph (1)(b), the rules may prescribe
14
requirements for an electricity generation station to be critical to
15
ensuring the security and reliability of electricity networks or
16
electricity systems in a particular State or Territory.
17
11 Meaning of critical port
18
An asset is a critical port if it is land that forms part of any of the
19
following security regulated ports:
20
(a) Broome Port;
21
(b) Port Adelaide;
22
(c) Port of Brisbane;
23
(d) Port of Cairns;
24
(e) Port of Christmas Island;
25
(f) Port of Dampier;
26
(g) Port of Darwin;
27
(h) Port of Eden;
28
(i) Port of Fremantle;
29
(j) Port of Geelong;
30
(k) Port of Gladstone;
31
(l) Port of Hay Point;
32
Preliminary Part 1
Definitions Division 2
Section 12
No. , 2017
Security of Critical Infrastructure Bill 2017
15
(m) Port of Hobart;
1
(n) Port of Melbourne;
2
(o) Port of Newcastle;
3
(p) Port of Port Botany;
4
(q) Port of Port Hedland;
5
(r) Port of Rockhampton;
6
(s) Port of Sydney Harbour;
7
(t) Port of Townsville;
8
(u) a security regulated port prescribed by the rules for the
9
purposes of this paragraph.
10
Note:
The rules may prescribe that a specified critical port is not a critical
11
infrastructure asset (see section 9).
12
12 Meaning of critical gas asset
13
(1) An asset is a critical gas asset if it is any of the following:
14
(a) a gas processing facility that has a capacity of at least 300
15
terajoules per day or any other capacity prescribed by the
16
rules;
17
(b) a gas storage facility that has a maximum daily quantity of 75
18
terajoules per day or any other quantity prescribed by the
19
rules;
20
(c) a network or system for the distribution of gas to ultimately
21
service at least 100,000 customers or any other number of
22
customers prescribed by the rules;
23
(d) a gas transmission pipeline that is critical to ensuring the
24
security and reliability of a gas market, in accordance with
25
subsection (2).
26
Note:
The rules may prescribe that a specified critical gas asset is not a
27
critical infrastructure asset (see section 9).
28
(2) For the purposes of paragraph (1)(d), the rules may prescribe:
29
(a) specified gas transmission pipelines that are critical to
30
ensuring the security and reliability of a gas market; or
31
(b) requirements for a gas transmission pipeline to be critical to
32
ensuring the security and reliability of a gas market.
33
Part 1 Preliminary
Division 3 Constitutional provisions and application of this Act
Section 13
16
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 3--Constitutional provisions and application of
1
this Act
2
13 Application of this Act
3
(1) This Act applies to the following:
4
(a) an entity that is a corporation to which paragraph 51(xx) of
5
the Constitution applies;
6
(b) an entity that is a reporting entity for, or an operator of, an
7
asset that is:
8
(i) in a Territory; or
9
(ii) used in the course of, or in relation to, trade or
10
commerce with other countries, among the States,
11
between Territories or between a Territory and a State;
12
or
13
(iii) used for the purposes of the defence of Australia;
14
(c) an entity that is an alien (within the meaning of
15
paragraph 51(xix) of the Constitution).
16
(2) Division 3 of Part 4 (use and disclosure of protected information)
17
also applies to any other entity.
18
Note:
For the definition of entity, see section 5.
19
14 Extraterritoriality
20
This Act applies both within and outside Australia.
21
Note:
This Act extends to every external Territory.
22
15 This Act binds the Crown
23
(1) This Act binds the Crown in each of its capacities.
24
(2) This Act does not make the Crown liable to be prosecuted for an
25
offence.
26
(3) The protection in subsection (2) does not apply to an authority of
27
the Crown.
28
Preliminary Part 1
Constitutional provisions and application of this Act Division 3
Section 16
No. , 2017
Security of Critical Infrastructure Bill 2017
17
16 Concurrent operation of State and Territory laws
1
This Act is not intended to exclude or limit the operation of a law
2
of a State or Territory to the extent that that law is capable of
3
operating concurrently with this Act.
4
17 State constitutional powers
5
This Act does not enable a power to be exercised to the extent that
6
it would impair the capacity of a State to exercise its constitutional
7
powers.
8
Part 2 Register of Critical Infrastructure Assets
Division 1 Simplified outline of this Part
Section 18
18
Security of Critical Infrastructure Bill 2017
No. , 2017
Part 2--Register of Critical Infrastructure Assets
1
Division 1--Simplified outline of this Part
2
18 Simplified outline of this Part
3
The Secretary must keep a Register of Critical Infrastructure
4
Assets, containing information in relation to those assets. The
5
Register must not be made public.
6
The responsible entity for a critical infrastructure asset must give
7
the Secretary operational information in relation to the asset.
8
An entity that is a direct interest holder in relation to a critical
9
infrastructure asset must give the Secretary interest and control
10
information in relation to the entity and the asset.
11
If particular events occur in relation to the asset, the relevant
12
reporting entity for the asset must notify the Secretary of the event
13
and provide certain information.
14
If an entity required to give notice or information dies or is wound
15
up before doing so, the entity's executor or liquidator must give the
16
notice or information. An agent may give notice or information for
17
an entity.
18
The rules may provide for exemptions from these requirements.
19
Register of Critical Infrastructure Assets Part 2
Register of Critical Infrastructure Assets Division 2
Section 19
No. , 2017
Security of Critical Infrastructure Bill 2017
19
Division 2--Register of Critical Infrastructure Assets
1
19 Secretary must keep Register
2
The Secretary must keep a Register of Critical Infrastructure
3
Assets, containing:
4
(a) the information obtained by the Secretary under Division 3
5
(obligation to give information and notify of events); and
6
(b) any information added under section 20; and
7
(c) any corrections or updates of information described in
8
paragraph (a) or (b) that are made under section 21.
9
20 Secretary may add information to Register
10
The Secretary may add to the Register any of the following that is
11
obtained by the Secretary (other than information obtained under
12
Division 3):
13
(a) operational information in relation to a critical infrastructure
14
asset;
15
(b) interest and control information in relation to a direct interest
16
holder and a critical infrastructure asset.
17
21 Secretary may correct or update information in the Register
18
The Secretary may correct or update information in the Register.
19
22 Register not to be made public
20
The Secretary must ensure that the Register is not made public.
21
Note:
See Division 3 of Part 4 for the recording, use and disclosure of
22
protected information that may be contained in the Register.
23
Part 2 Register of Critical Infrastructure Assets
Division 3 Obligation to give information and notify of events
Section 23
20
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 3--Obligation to give information and notify of
1
events
2
23 Initial obligation to give information
3
(1) This section applies if an entity is, or will be, a reporting entity for
4
a critical infrastructure asset at the end of the grace period for the
5
asset.
6
Note:
Once an entity has given information in relation to an asset under this
7
section, the reporting entity for the asset must comply with section 24
8
(ongoing obligation to give information and notify of events).
9
(2) The entity must give the Secretary the following information in
10
accordance with subsection (3):
11
(a) if the reporting entity is the responsible entity for the asset--
12
the operational information in relation to the asset;
13
(b) if the reporting entity is a direct interest holder in relation to
14
the asset--the interest and control information in relation to
15
the entity and the asset.
16
Note 1:
Persons other than the entity may give the information (see section 30
17
(agents may give notice or information) and Division 2 of Part 7
18
(treatment of certain entities)).
19
Note 2:
For an exception to this section, see section 25 (information that is not
20
able to be obtained).
21
Civil penalty:
50 penalty units.
22
(3) The information must be given:
23
(a) in the approved form; and
24
(b) by the later of:
25
(i) the end of the grace period for the asset; and
26
(ii) the end of 30 days after the day the entity becomes a
27
reporting entity for the asset.
28
24 Ongoing obligation to give information and notify of events
29
(1) This section applies to a reporting entity for a critical infrastructure
30
asset if a notifiable event occurs in relation to the asset:
31
Register of Critical Infrastructure Assets Part 2
Obligation to give information and notify of events Division 3
Section 24
No. , 2017
Security of Critical Infrastructure Bill 2017
21
(a) after the entity gives information in relation to the asset under
1
section 23; or
2
(b) after the end of the grace period for the asset.
3
Requirement to give information and notify of events
4
(2) If the reporting entity is required to give information in relation to
5
the event in accordance with subsection (3), the reporting entity for
6
the asset must give the Secretary that information and notice of the
7
event:
8
(a) in the approved form; and
9
(b) by the end of 30 days after the event occurs.
10
Note 1:
Persons other than the entity may give the information (see section 30
11
(agents may give notice or information) and Division 2 of Part 7
12
(treatment of certain entities)).
13
Note 2:
For an exception to this section, see section 25 (information that is not
14
able to be obtained).
15
Civil penalty:
50 penalty units.
16
(3) The following table sets out the information a reporting entity is
17
required to give in relation to the event.
18
19
Ongoing obligation to give information
Item
If the event is ...
this reporting entity ...
must give this
information ...
1
an event covered by
subparagraph 26(a)(i)
the entity that is the
responsible entity for the
asset immediately after
the event occurs
any operational
information in relation
to the asset that is
necessary to correct or
complete the
operational
information, in relation
to the asset, previously
obtained by the
Secretary.
2
an event covered by
subparagraph 26(a)(ii
)
the entity that is the
direct interest holder to
which the information
any interest and control
information in relation
to the entity and the
Part 2 Register of Critical Infrastructure Assets
Division 3 Obligation to give information and notify of events
Section 24
22
Security of Critical Infrastructure Bill 2017
No. , 2017
Ongoing obligation to give information
Item
If the event is ...
this reporting entity ...
must give this
information ...
relates
asset that is necessary
to correct or complete
the interest and control
information, in relation
to the entity and the
asset, previously
obtained by the
Secretary.
3
an event covered by
paragraph 26(b) or
(c) relating to the
responsible entity for
the asset
the responsible entity for
the asset
the operational
information in relation
to the asset.
4
an event covered by
paragraph 26(b) or
(c) relating to a direct
interest holder in
relation to the asset
the direct interest holder
in relation to the asset
the interest and control
information in relation
to the entity and the
asset.
1
Exception to requirement to give information
2
(4) However, subsection (2) does not apply in relation to the event (the
3
first event) if:
4
(a) before the end of 30 days after the first event occurs, another
5
notifiable event (the second event) occurs in relation to the
6
asset; and
7
(b) a result of the second event is that the information in relation
8
to the asset that was required to be given to the Secretary
9
under subsection (2) following the first event is no longer
10
correct.
11
Note:
An entity that wishes to rely on subsection (4) in proceedings for a
12
civil penalty order bears an evidential burden in relation to the matter
13
in that subsection (see section 96 of the Regulatory Powers Act).
14
Register of Critical Infrastructure Assets Part 2
Obligation to give information and notify of events Division 3
Section 25
No. , 2017
Security of Critical Infrastructure Bill 2017
23
25 Information that is not able to be obtained
1
Section 23 (initial obligation to give information) or 24 (ongoing
2
obligation to give information and notify of events) does not apply
3
in relation to particular information that a person is required to
4
provide under that section if:
5
(a) the person uses the person's best endeavours to obtain the
6
information; and
7
(b) the person is not able to obtain the information.
8
Note:
An entity that wishes to rely on this section in proceedings for a civil
9
penalty order bears an evidential burden in relation to the matter in
10
that subsection (see section 96 of the Regulatory Powers Act).
11
26 Meaning of notifiable event
12
An event is a notifiable event in relation to a critical infrastructure
13
asset if:
14
(a) the event has the effect that either of the following previously
15
obtained by the Secretary for the purposes of this Act
16
becomes incorrect or incomplete:
17
(i) the operational information in relation to the asset;
18
(ii) the interest and control information in relation to a
19
direct interest holder and the asset; or
20
(b) the event is an entity becoming a reporting entity for the
21
asset; or
22
(c) the event is a reporting entity for the asset becoming an entity
23
to which this Act applies (see section 13).
24
Note:
If an asset becomes a critical infrastructure asset after the end of the
25
period of 6 months starting on the commencing day, a reporting entity
26
for the asset initially has a period of between 30 days and 6 months in
27
which to provide information in relation to the asset (see section 23).
28
27 Rules may exempt from requirement to give notice or
29
information
30
The rules may provide that this Division, or specified provisions of
31
this Division, do not apply in relation to:
32
(a) any entity; or
33
(b) specified classes of entities; or
34
Part 2 Register of Critical Infrastructure Assets
Division 3 Obligation to give information and notify of events
Section 27
24
Security of Critical Infrastructure Bill 2017
No. , 2017
(c) specified entities;
1
either generally or in specified circumstances.
2
Note:
An entity that wishes to rely on an exemption in the rules in relation to
3
a contravention of section 23 or 24 bears an evidential burden (see
4
section 96 of the Regulatory Powers Act).
5
Register of Critical Infrastructure Assets Part 2
Giving of notice or information by agents etc. Division 4
Section 28
No. , 2017
Security of Critical Infrastructure Bill 2017
25
Division 4--Giving of notice or information by agents etc.
1
28 Requirement for executors and administrators to give notice or
2
information for individuals who die
3
If an individual, who is required by section 23 or 24 to give notice
4
or information, dies before giving the notice or information, the
5
executor or administrator of the individual's estate must give the
6
notice or information in accordance with that section.
7
29 Requirement for corporate liquidators etc. to give notice or
8
information
9
If an entity that is required by section 23 or 24 to give notice or
10
information is a corporation that:
11
(a) is placed into voluntary administration, liquidation or
12
receivership before giving the notice or information; and
13
(b) is no longer in a position to give the notice or information;
14
the voluntary administrator, liquidator or receiver of the
15
corporation must give the notice or information in accordance with
16
that section.
17
30 Agents may give notice or information
18
An entity required by section 23 or 24 to give notice or information
19
is taken to have complied with the requirement if someone else
20
gives the notice or information, in accordance with that section, on
21
the entity's behalf.
22
Part 3 Directions by the Minister
Division 1 Simplified outline of this Part
Section 31
26
Security of Critical Infrastructure Bill 2017
No. , 2017
Part 3--Directions by the Minister
1
Division 1--Simplified outline of this Part
2
31 Simplified outline of this Part
3
The Minister may require a reporting entity for, or an operator of, a
4
critical infrastructure asset to do, or refrain from doing, an act or
5
thing, if the Minister is satisfied that there is a risk of an act or
6
omission that would be prejudicial to security.
7
The Minister may give the direction only if particular criteria are
8
met and certain consultation has been undertaken.
9
Directions by the Minister Part 3
Directions by the Minister Division 2
Section 32
No. , 2017
Security of Critical Infrastructure Bill 2017
27
Division 2--Directions by the Minister
1
32 Direction if risk of act or omission that would be prejudicial to
2
security
3
(1) This section applies if in connection with the operation of, or the
4
delivery of a service by, a critical infrastructure asset the Minister
5
is satisfied that there is a risk of an act or omission that would be
6
prejudicial to security.
7
Direction to do, or refrain from doing, an act or thing
8
(2) The Minister may, subject to subsections (3) and (4), give an entity
9
that is a reporting entity for, or an operator of, a critical
10
infrastructure asset a written direction requiring the entity to do, or
11
refrain from doing, a specified act or thing within the period
12
specified in the direction.
13
(3) The Minister must not give the direction unless:
14
(a) the Minister is satisfied that requiring the entity to do, or to
15
refrain from doing, the specified act or thing is reasonably
16
necessary for purposes relating to eliminating or reducing the
17
risk mentioned in subsection (1); and
18
(b) the Minister is satisfied that reasonable steps have been taken
19
to negotiate in good faith with the entity to achieve an
20
outcome of eliminating or reducing the risk without a
21
direction being given under subsection (2); and
22
(c) an adverse security assessment in respect of the entity has
23
been given to the Minister for the purposes of this section;
24
and
25
(d) the Minister is satisfied that no existing regulatory system of
26
the Commonwealth, a State or a Territory could instead be
27
used to eliminate or reduce the risk mentioned in
28
subsection (1).
29
Note:
The Minister must also undertake consultation before giving a
30
direction (see section 33).
31
Part 3 Directions by the Minister
Division 2 Directions by the Minister
Section 33
28
Security of Critical Infrastructure Bill 2017
No. , 2017
Matters etc. to which regard must be had
1
(4) Before giving the entity the direction, the Minister must have
2
regard to the following:
3
(a) the adverse security assessment mentioned in
4
paragraph (3)(c);
5
(b) the costs that would be likely to be incurred by the entity in
6
complying with the direction;
7
(c) the potential consequences that the direction may have on
8
competition in the relevant industry for the critical
9
infrastructure asset;
10
(d) the potential consequences that the direction may have on
11
customers of, or services provided by, the entity;
12
(e) any representations given by the entity or a consulted
13
Minister under subsection 33(2) within the period specified
14
for that purpose.
15
(5) The Minister:
16
(a) must give the greatest weight to the matter mentioned in
17
paragraph (4)(a); and
18
(b) may also have regard to any other matter the Minister
19
considers relevant.
20
33 Consultation before giving direction
21
Consultation with relevant State or Territory Ministers
22
(1) Before giving an entity a direction under subsection 32(2), the
23
Minister (the Commonwealth Minister) must:
24
(a) consult the following persons (the consulted Minister):
25
(i) the First Minister of the State, the Australian Capital
26
Territory or the Northern Territory in which the critical
27
infrastructure asset is located;
28
(ii) each Minister of the State, the Australian Capital
29
Territory, or the Northern Territory, who has
30
responsibility for the regulation or oversight of the
31
relevant industry for the critical infrastructure asset in
32
that State or Territory; and
33
Directions by the Minister Part 3
Directions by the Minister Division 2
Section 34
No. , 2017
Security of Critical Infrastructure Bill 2017
29
(b) after reasonable steps have been taken to negotiate in good
1
faith with the entity as described in paragraph 32(3)(b), give
2
the entity and each consulted Minister written notice of the
3
proposed direction.
4
(2) The notice must invite the entity and each consulted Minister to
5
make written representations to the Commonwealth Minister in
6
relation to the proposed direction within the period specified in the
7
notice, which must be:
8
(a) at least 28 days after the notice is given; or
9
(b) a shorter period if the Commonwealth Minister considers the
10
shorter period is necessary because of urgent circumstances.
11
(3) Subsection (1) does not limit the persons with whom the
12
Commonwealth Minister may consult.
13
34 Requirement to comply with direction
14
An entity must comply with a direction given to the entity under
15
subsection 32(2).
16
Note:
If the entity is not a legal person, see Division 2 of Part 7.
17
Civil penalty:
250 penalty units.
18
35 Exception--acquisition of property
19
Section 34 does not apply to the extent (if any) that its operation
20
would result in an acquisition of property from a person otherwise
21
than on just terms.
22
Note:
An entity that wishes to rely on this section in proceedings for a civil
23
penalty order bears an evidential burden in relation to the matter in
24
this section (see section 96 of the Regulatory Powers Act).
25
Part 4 Gathering and using information
Division 1 Simplified outline of this Part
Section 36
30
Security of Critical Infrastructure Bill 2017
No. , 2017
Part 4--Gathering and using information
1
Division 1--Simplified outline of this Part
2
36 Simplified outline of this Part
3
The Secretary may require a reporting entity for, or an operator of,
4
a critical infrastructure asset to provide certain information or
5
documents.
6
Information, in relation to a critical infrastructure asset, that is
7
obtained under this Act is protected information. The fact that an
8
asset is declared under section 51 to be a critical infrastructure
9
asset is also protected information. If information is disclosed in
10
accordance with Division 3 or subsection 51(3) or 52(4), the
11
information is still protected information.
12
The making of a record, or the use or disclosure, of protected
13
information is authorised in particular circumstances but is
14
otherwise an offence.
15
The privilege against self-incrimination does not apply in relation
16
to a requirement to provide information or documents under this
17
Part.
18
Gathering and using information Part 4
Secretary's power to obtain information or documents Division 2
Section 37
No. , 2017
Security of Critical Infrastructure Bill 2017
31
Division 2--Secretary's power to obtain information or
1
documents
2
37 Secretary may obtain information or documents from entities
3
(1) This section applies if the Secretary has reason to believe that an
4
entity that is a reporting entity for, or an operator of, a critical
5
infrastructure asset has information or a document that:
6
(a) is relevant to the exercise of a power, or the performance of a
7
duty or function, under this Act in relation to the asset; or
8
(b) may assist with determining whether a power under this Act
9
should be exercised in relation to the asset.
10
Requirement to give information or documents
11
(2) The Secretary may, by notice in writing given to the entity, require
12
the entity to:
13
(a) give any such information; or
14
(b) produce any such documents; or
15
(c) make copies of any such documents and to produce those
16
copies;
17
to the Secretary within the period, and in the manner, specified in
18
the notice.
19
Matters to which regard must be had
20
(3) Before giving the entity the notice, the Secretary:
21
(a) must have regard to the costs that would be likely to be
22
incurred by the entity in complying with the notice; and
23
(b) may have regard to any other matters the Secretary considers
24
relevant.
25
Compliance with notice
26
(4) An entity must comply with a notice given to the entity under
27
subsection (2).
28
Part 4 Gathering and using information
Division 2 Secretary's power to obtain information or documents
Section 38
32
Security of Critical Infrastructure Bill 2017
No. , 2017
Note 1:
This subsection is not subject to the privilege against
1
self-incrimination, but there are limits on the uses to which the
2
information, document or copy may be put (see section 40).
3
Note 2:
If the entity is not a legal person, see Division 2 of Part 7.
4
Civil penalty:
150 penalty units.
5
Matters to be set out in notice
6
(5) The notice must set out the effect of the following provisions:
7
(a) subsection (4);
8
(b) Part 5 (enforcement);
9
(c) sections 137.1 and 137.2 of the Criminal Code (false or
10
misleading information or documents).
11
Compensation for producing copies of documents
12
(6) An entity is entitled to be paid by the Commonwealth reasonable
13
compensation for complying with a requirement covered by
14
paragraph (2)(c).
15
38 Copies of documents
16
(1) The Secretary may inspect a document or copy produced under
17
section 37 and may make and retain copies of such a document.
18
(2) The Secretary may retain possession of a copy of a document
19
produced in accordance with a requirement covered by
20
paragraph 37(2)(c).
21
39 Retention of documents
22
(1) The Secretary may take, and retain for as long as is necessary,
23
possession of a document produced under section 37.
24
(2) The entity otherwise entitled to possession of the document is
25
entitled to be supplied, as soon as practicable, with a copy certified
26
by the Secretary to be a true copy.
27
(3) The certified copy must be received in all courts and tribunals as
28
evidence as if it were the original.
29
Gathering and using information Part 4
Secretary's power to obtain information or documents Division 2
Section 40
No. , 2017
Security of Critical Infrastructure Bill 2017
33
(4) Until a certified copy is supplied, the Secretary must, at such times
1
and places as the Secretary thinks appropriate, permit the entity
2
otherwise entitled to possession of the document, or a person
3
authorised by that entity, to inspect and make copies of the
4
document.
5
40 Self-incrimination
6
(1) An entity is not excused from giving information or producing a
7
document or copy of a document under subsection 37(4) on the
8
ground that the information or the production of the document or
9
copy might tend to incriminate the entity or expose the entity to a
10
penalty.
11
(2) However, in the case of an individual:
12
(a) the information given or the document or copy produced; or
13
(b) giving the information or producing the document or copy; or
14
(c) any information, document or thing obtained as a direct or
15
indirect consequence of giving the information or producing
16
the document or copy;
17
is not admissible in evidence against the individual:
18
(d) in criminal proceedings other than proceedings for an offence
19
against section 137.1 or 137.2 of the Criminal Code that
20
relates to this Act; or
21
(e) in civil proceedings other than proceedings for recovery of a
22
penalty in relation to a contravention of subsection 37(4).
23
Part 4 Gathering and using information
Division 3 Use and disclosure of protected information
Section 41
34
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 3--Use and disclosure of protected information
1
Subdivision A--Authorised use and disclosure
2
41 Authorised use and disclosure--performing functions etc.
3
An entity may make a record of, use or disclose protected
4
information if the entity makes the record, or uses or discloses the
5
information, for the purposes of:
6
(a) exercising the entity's powers, or performing the entity's
7
functions or duties, under this Act; or
8
(b) otherwise ensuring compliance with a provision of this Act.
9
Note:
This section is an authorisation for the purposes of other laws,
10
including the Australian Privacy Principles.
11
42 Authorised use and disclosure--other person's functions etc.
12
(1) The Secretary may:
13
(a) disclose protected information to a person mentioned in
14
subsection (2); and
15
(b) make a record of or use protected information for the purpose
16
of that disclosure;
17
for the purposes of enabling or assisting the person to exercise his
18
or her powers or perform his or her functions or duties.
19
Note:
This subsection is an authorisation for the purposes of other laws,
20
including the Australian Privacy Principles.
21
(2) The persons to whom the Secretary may disclose protected
22
information are the following:
23
(a) a Minister of the Commonwealth who has responsibility for
24
any of the following:
25
(i) national security;
26
(ii) law enforcement;
27
(iii) foreign investment in Australia;
28
(iv) taxation policy;
29
(v) industry policy;
30
(vi) promoting investment in Australia;
31
Gathering and using information Part 4
Use and disclosure of protected information Division 3
Section 43
No. , 2017
Security of Critical Infrastructure Bill 2017
35
(vii) defence;
1
(viii) the regulation or oversight of the relevant industry for
2
the critical infrastructure asset to which the protected
3
information relates;
4
(b) a Minister of a State, the Australian Capital Territory, or the
5
Northern Territory, who has responsibility for the regulation
6
or oversight of the relevant industry for the critical
7
infrastructure asset to which the protected information
8
relates;
9
(c) a person employed as a member of staff of a Minister
10
mentioned in paragraph (a) or (b);
11
(d) the head of an agency (including a Department) administered
12
by a Minister mentioned in paragraph (a) or (b), or an officer
13
or employee of that agency.
14
43 Authorised disclosure relating to law enforcement
15
The Secretary may disclose protected information to an
16
enforcement body (within the meaning of the Privacy Act 1988) for
17
the purposes of one or more enforcement related activities (within
18
the meaning of that Act) conducted by or on behalf of the
19
enforcement body.
20
Note:
This section is an authorisation for the purposes of other laws,
21
including the Australian Privacy Principles.
22
44 Secondary use and disclosure of protected information
23
An entity may make a record of, use or disclose protected
24
information if:
25
(a) the entity obtains the information under this Subdivision
26
(including this section); and
27
(b) the entity makes the record, or uses or discloses the
28
information, for the purposes for which the information was
29
disclosed to the entity.
30
Note:
This section is an authorisation for the purposes of other laws,
31
including the Australian Privacy Principles.
32
Part 4 Gathering and using information
Division 3 Use and disclosure of protected information
Section 45
36
Security of Critical Infrastructure Bill 2017
No. , 2017
Subdivision B--Offence for unauthorised use or disclosure
1
45 Offence for unauthorised use or disclosure of protected
2
information
3
(1) An entity commits an offence if:
4
(a) the entity obtains information; and
5
(b) the information is protected information; and
6
(c) the entity makes a record of, discloses or otherwise uses the
7
information; and
8
(d) the making of the record, or the disclosure or use, is not
9
authorised under Subdivision A or required by
10
subsection 51(3) or 52(4).
11
Note 1:
For exceptions to this offence, see section 46.
12
Note 2:
Information includes the fact that an asset is declared under section 51
13
to be a critical infrastructure asset (see the definition of protected
14
information in section 5).
15
Note 3:
If the entity is not a legal person, see Division 2 of Part 7.
16
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
17
(2) Section 15.1 of the Criminal Code (extended geographical
18
jurisdiction--category A) applies to an offence against
19
subsection (1).
20
46 Exceptions to offence for unauthorised use or disclosure
21
Required or authorised by law
22
(1) Section 45 does not apply if the making of the record, or the
23
disclosure or use, of the information is required or authorised by or
24
under:
25
(a) a law of the Commonwealth, other than Subdivision A or
26
subsection 51(3) or 52(4); or
27
(b) a law of a State or Territory prescribed by the rules.
28
(2) For the purposes of subsection (1) of this section, the following
29
laws:
30
Gathering and using information Part 4
Use and disclosure of protected information Division 3
Section 47
No. , 2017
Security of Critical Infrastructure Bill 2017
37
(a) the Corporations Act 2001, except a provision of that Act
1
prescribed by the rules;
2
(b) a law, or a provision of a law, of the Commonwealth
3
prescribed by the rules;
4
are taken not to require or authorise the making of a record, or the
5
disclosure, of the fact that an asset is declared under section 51 to
6
be a critical infrastructure asset.
7
Good faith
8
(3) Section 45 does not apply to an entity to the extent that the entity
9
makes a record of, discloses or otherwise uses protected
10
information in good faith and in purported compliance with
11
Subdivision A or subsection 51(3) or 52(4).
12
Person to whom the protected information relates
13
(4) Section 45 does not apply to an entity if:
14
(a) the entity discloses protected information to the entity to
15
whom the information relates; or
16
(b) the entity is the entity to whom the protected information
17
relates; or
18
(c) the making of the record, or the disclosure or use, of the
19
protected information is in accordance with the express or
20
implied consent of the entity to whom the information
21
relates.
22
Note:
A defendant bears an evidential burden in relation to the matters in
23
this section (see subsection 13.3(3) of the Criminal Code).
24
47 No requirement to provide information
25
Except where it is necessary to do so for the purposes of giving
26
effect to this Act, an entity is not to be required to disclose
27
protected information, or produce a document containing protected
28
information, to:
29
(a) a court; or
30
(b) a tribunal, authority or person that has the power to require
31
the answering of questions or the production of documents.
32
Part 5 Enforcement
Division 1 Simplified outline of this Part
Section 48
38
Security of Critical Infrastructure Bill 2017
No. , 2017
Part 5--Enforcement
1
Division 1--Simplified outline of this Part
2
48 Simplified outline of this Part
3
Civil penalty orders may be sought under Part 4 of the Regulatory
4
Powers Act in relation to contraventions of civil penalty provisions
5
of this Act.
6
Undertakings to comply with civil penalty provisions of this Act
7
may be accepted and enforced under Part 6 of the Regulatory
8
Powers Act.
9
Injunctions under Part 7 of that Act may be used to restrain a
10
person from contravening a civil penalty provision of this Act or to
11
compel compliance with a civil penalty provision of this Act.
12
Enforcement Part 5
Civil penalties, enforceable undertakings and injunctions Division 2
Section 49
No. , 2017
Security of Critical Infrastructure Bill 2017
39
Division 2--Civil penalties, enforceable undertakings and
1
injunctions
2
49 Civil penalties, enforceable undertakings and injunctions
3
Enforceable provisions
4
(1) Each civil penalty provision of this Act is enforceable under:
5
(a) Part 4 of the Regulatory Powers Act (civil penalty
6
provisions); and
7
(b) Part 6 of that Act (enforceable undertakings); and
8
(c) Part 7 of that Act (injunctions).
9
Note 1:
Part 4 of the Regulatory Powers Act allows a civil penalty provision to
10
be enforced by obtaining an order for a person to pay a pecuniary
11
penalty for the contravention of the provision.
12
Note 2:
Part 6 of that Act creates a framework for accepting and enforcing
13
undertakings relating to compliance with provisions.
14
Note 3:
Part 7 of that Act creates a framework for using injunctions to enforce
15
provisions.
16
Authorised applicant
17
(2) For the purposes of Part 4 of the Regulatory Powers Act, as that
18
Part applies in relation to a civil penalty provision of this Act, each
19
of the following is an authorised applicant:
20
(a) the Minister;
21
(b) the Secretary.
22
Authorised person
23
(3) For the purposes of Parts 6 and 7 of the Regulatory Powers Act, as
24
those Parts apply in relation to a civil penalty provision of this Act,
25
each of the following is an authorised person:
26
(a) the Minister;
27
(b) the Secretary.
28
Part 5 Enforcement
Division 2 Civil penalties, enforceable undertakings and injunctions
Section 49
40
Security of Critical Infrastructure Bill 2017
No. , 2017
Relevant court
1
(4) For the purposes of Parts 4, 6 and 7 of the Regulatory Powers Act,
2
as those Parts apply in relation to a civil penalty provision of this
3
Act, each of the following is a relevant court:
4
(a) the Federal Court of Australia;
5
(b) the Federal Circuit Court of Australia;
6
(c) a court of a State or Territory that has jurisdiction in relation
7
to matters arising under this Act.
8
Extension outside Australia
9
(5) Parts 4, 6 and 7 of the Regulatory Powers Act, as those Parts apply
10
in relation to a civil penalty provision of this Act, extends outside
11
Australia (including to every external Territory).
12
Declaration of assets by the Minister Part 6
Simplified outline of this Part Division 1
Section 50
No. , 2017
Security of Critical Infrastructure Bill 2017
41
Part 6--Declaration of assets by the Minister
1
Division 1--Simplified outline of this Part
2
50 Simplified outline of this Part
3
The Minister may privately declare an asset to be a critical
4
infrastructure asset if the Minister is satisfied that:
5
(a)
the asset is critical infrastructure that affects national
6
security; and
7
(b)
there would be a risk to national security if it were
8
publicly known that the asset is critical infrastructure
9
that affects national security.
10
The Minister must notify each reporting entity for a declared asset.
11
If a reporting entity for a declared asset ceases to be such a
12
reporting entity, or becomes aware of another reporting entity for
13
the asset, the entity must notify the Secretary.
14
It is an offence to disclose that an asset has been so declared (see
15
section 45).
16
Part 6 Declaration of assets by the Minister
Division 2 Declaration of assets by the Minister
Section 51
42
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 2--Declaration of assets by the Minister
1
51 Declaration of assets by the Minister
2
(1) The Minister may, in writing, declare a particular asset to be a
3
critical infrastructure asset if:
4
(a) the asset is not otherwise a critical infrastructure asset; and
5
(b) the asset relates to a relevant industry; and
6
(c) the Minister is satisfied that:
7
(i) the asset is critical infrastructure that affects national
8
security; and
9
(ii) there would be a risk to national security if it were
10
publicly known that the asset is critical infrastructure
11
that affects national security.
12
Note 1:
A relevant industry is electricity, water, ports, gas or an industry
13
prescribed by the rules (see the definition of relevant industry in
14
section 5).
15
Note 2:
It is an offence to disclose the fact that an asset is declared to be a
16
critical infrastructure asset (see section 45).
17
(2) The declaration must specify the entity that is the responsible entity
18
for the asset.
19
(3) The Minister must notify the following of the declaration, in
20
writing, within 30 days after making the declaration:
21
(a) each reporting entity for the asset;
22
(b) the First Minister of the State, the Australian Capital
23
Territory or the Northern Territory in which the asset is
24
located.
25
(4) A notice under subsection (3) must specify the obligations of a
26
reporting entity under this Act.
27
(5) A declaration under subsection (1) is not a legislative instrument.
28
Declaration of assets by the Minister Part 6
Declaration of assets by the Minister Division 2
Section 52
No. , 2017
Security of Critical Infrastructure Bill 2017
43
52 Notification of change to reporting entities for asset
1
(1) This section applies if a reporting entity (the first entity) for an
2
asset declared under subsection 51(1) to be a critical infrastructure
3
asset:
4
(a) ceases to be a reporting entity for the asset; or
5
(b) becomes aware of another reporting entity for the asset
6
(whether or not as a result of the first entity ceasing to be a
7
reporting entity).
8
(2) The first entity must, within 30 days, notify the Secretary of the
9
following:
10
(a) the fact in paragraph (1)(a) or (b) (as the case requires);
11
(b) if another entity is a reporting entity for the asset--the name
12
of each other entity and the address of each other entity's
13
head office or principal place of business (to the extent
14
known by the first entity).
15
Note:
If the entity is not a legal person, see Division 2 of Part 7.
16
Civil penalty:
150 penalty units.
17
(3) The first entity must use the entity's best endeavours to determine
18
the name and relevant address of any other entity for the purposes
19
of paragraph (2)(b).
20
(4) If the Secretary is notified of another entity under paragraph (2)(b),
21
the Secretary must notify the other entity of the declaration under
22
subsection 51(1), in writing, within 30 days after being notified
23
under that paragraph.
24
(5) A notice under subsection (4) must specify the obligations of a
25
reporting entity under this Act.
26
Part 7 Miscellaneous
Division 1 Simplified outline of this Part
Section 53
44
Security of Critical Infrastructure Bill 2017
No. , 2017
Part 7--Miscellaneous
1
Division 1--Simplified outline of this Part
2
53 Simplified outline of this Part
3
This Act applies to partnerships, trusts, superannuation funds and
4
unincorporated foreign companies (amongst other entities), but the
5
obligations that would be imposed on them are instead imposed on
6
the partners, trustees or appointed officers.
7
The Secretary has certain powers and obligations under this Part,
8
including the power to undertake an assessment of a critical
9
infrastructure asset to determine if there is a risk to national
10
security relating to the asset.
11
The Secretary must give the Minister a report each financial year
12
for presentation to the Parliament. The report relates to the
13
operation of this Act.
14
This Part also deals with miscellaneous matters, such as
15
delegations and rules.
16
Miscellaneous Part 7
Treatment of certain entities Division 2
Section 54
No. , 2017
Security of Critical Infrastructure Bill 2017
45
Division 2--Treatment of certain entities
1
54 Treatment of partnerships
2
(1) This Act applies to a partnership as if it were an entity, but with the
3
changes set out in this section.
4
(2) An obligation that would otherwise be imposed on the partnership
5
by this Act is imposed on each partner instead, but may be
6
discharged by any of the partners.
7
(3) An offence against this Act that would otherwise have been
8
committed by the partnership is taken to have been committed by
9
each partner in the partnership, at the time the offence was
10
committed, who:
11
(a) did the relevant act or made the relevant omission; or
12
(b) aided, abetted, counselled or procured the relevant act or
13
omission; or
14
(c) was in any way knowingly concerned in, or party to, the
15
relevant act or omission (whether directly or indirectly and
16
whether by any act or omission of the partner).
17
(4) This section applies to a contravention of a civil penalty provision
18
in a corresponding way to the way in which it applies to an
19
offence.
20
(5) For the purposes of this Act, a change in the composition of a
21
partnership does not affect the continuity of the partnership.
22
55 Treatment of trusts and superannuation funds that are trusts
23
(1) This Act applies to a trust or a superannuation fund that is a trust as
24
if it were an entity, but with the changes set out in this section.
25
Trusts or superannuation funds with a single trustee
26
(2) If the trust or superannuation fund has a single trustee:
27
Part 7 Miscellaneous
Division 2 Treatment of certain entities
Section 56
46
Security of Critical Infrastructure Bill 2017
No. , 2017
(a) an obligation that would otherwise be imposed on the trust or
1
superannuation fund by this Act is imposed on the trustee
2
instead; and
3
(b) an offence against this Act that would otherwise have been
4
committed by the trust or superannuation fund is taken to
5
have been committed by the trustee.
6
Trusts or superannuation funds with multiple trustees
7
(3) If the trust or superannuation fund has 2 or more trustees:
8
(a) an obligation that would otherwise be imposed on the trust or
9
superannuation fund by this Act is imposed on each trustee
10
instead, but may be discharged by any of the trustees; and
11
(b) an offence against this Act that would otherwise have been
12
committed by the trust or superannuation fund is taken to
13
have been committed by each trustee of the trust or
14
superannuation fund, at the time the offence was committed,
15
who:
16
(i) did the relevant act or made the relevant omission; or
17
(ii) aided, abetted, counselled or procured the relevant act or
18
omission; or
19
(iii) was in any way knowingly concerned in, or party to, the
20
relevant act or omission (whether directly or indirectly
21
and whether by any act or omission of the trustee).
22
Contraventions of civil penalty provisions
23
(4) This section applies to a contravention of a civil penalty provision
24
in a corresponding way to the way in which it applies to an
25
offence.
26
56 Treatment of unincorporated foreign companies
27
(1) This Act applies to an unincorporated foreign company as if it
28
were an entity, but with the changes set out in this section.
29
(2) An obligation that would otherwise be imposed on the
30
unincorporated foreign company by this Act is imposed on each
31
appointed officer for the company instead, but may be discharged
32
by any of the appointed officers.
33
Miscellaneous Part 7
Treatment of certain entities Division 2
Section 56
No. , 2017
Security of Critical Infrastructure Bill 2017
47
Note:
For the definition of appointed officer, see section 5.
1
(3) An offence against this Act that would otherwise have been
2
committed by the unincorporated foreign company is taken to have
3
been committed by each appointed officer for the company, at the
4
time the offence was committed, who:
5
(a) did the relevant act or made the relevant omission; or
6
(b) aided, abetted, counselled or procured the relevant act or
7
omission; or
8
(c) was in any way knowingly concerned in, or party to, the
9
relevant act or omission (whether directly or indirectly and
10
whether by any act or omission of the appointed officer).
11
(4) This section applies to a contravention of a civil penalty provision
12
in a corresponding way to the way in which it applies to an
13
offence.
14
Part 7 Miscellaneous
Division 3 Matters relating to Secretary's powers
Section 57
48
Security of Critical Infrastructure Bill 2017
No. , 2017
Division 3--Matters relating to Secretary's powers
1
57 Additional power of Secretary
2
Without limiting any other provision of this Act, the Secretary may
3
undertake an assessment of a critical infrastructure asset to
4
determine if there is a risk to national security relating to the asset.
5
58 Assets ceasing to be critical infrastructure assets
6
The Secretary must, in writing, notify the reporting entity for an
7
asset if the Secretary becomes aware that the asset has ceased to be
8
a critical infrastructure asset.
9
59 Delegation of Secretary's powers
10
(1) The Secretary may, by written instrument, delegate to an SES
11
employee, or an acting SES employee, in the Department any of
12
the Secretary's powers, functions or duties under this Act.
13
Note:
The expressions SES employee and acting SES employee are defined
14
in section 2B of the Acts Interpretation Act 1901.
15
(2) In exercising powers, performing functions or discharging duties
16
under a delegation, the delegate must comply with any written
17
direction given by the Secretary to the delegate.
18
Miscellaneous Part 7
Periodic reports and rules Division 4
Section 60
No. , 2017
Security of Critical Infrastructure Bill 2017
49
Division 4--Periodic reports and rules
1
60 Periodic report
2
(1) The Secretary must give the Minister, for presentation to the
3
Parliament, a report on the operation of this Act for a financial
4
year.
5
(2) Without limiting subsection (1), the report must deal with:
6
(a) the number of notifications that were made during the
7
financial year to the Secretary under Division 3 of Part 2
8
(obligation to give information and notify of events); and
9
(b) any directions given during the financial year by the Minister
10
under section 32 (direction if risk of act or omission that
11
would be prejudicial to security); and
12
(c) the use during the financial year of the Secretary's powers
13
under Division 2 of Part 4 (Secretary's power to obtain
14
information or documents); and
15
(d) any action taken during the financial year against an entity
16
under the Regulatory Powers Act as a result of Part 5
17
(enforcement) of this Act; and
18
(e) the number of declarations of assets as critical infrastructure
19
assets that were made during the financial year by the
20
Minister under section 51.
21
(3) A report under subsection (1) must not include personal
22
information (within the meaning of the Privacy Act 1988).
23
Note:
See also section 34C of the Acts Interpretation Act 1901, which
24
contains extra rules about periodic reports.
25
61 Rules
26
(1) The Minister may, by legislative instrument, makes rules
27
prescribing matters:
28
(a) required or permitted by this Act to be prescribed by the
29
rules; or
30
(b) necessary or convenient to be prescribed for carrying out or
31
giving effect to this Act.
32
Part 7 Miscellaneous
Division 4 Periodic reports and rules
Section 61
50
Security of Critical Infrastructure Bill 2017
No. , 2017
(2) To avoid doubt, the rules may not do the following:
1
(a) create an offence or civil penalty;
2
(b) provide powers of:
3
(i) arrest or detention; or
4
(ii) entry, search or seizure;
5
(c) impose a tax;
6
(d) set an amount to be appropriated from the Consolidated
7
Revenue Fund under an appropriation in this Act;
8
(e) directly amend the text of this Act.
9