(1) This Division applies to information (limited cyber security information) if:
(a) the information relates to:
(i) a cyber security incident that has occurred or is occurring; or
(ii) a cyber security incident that may potentially occur; and
(b) the information has been acquired or prepared by ASD in a circumstance mentioned in subsection (2); and
(c) the information is not excepted under subsection (3).
(2) This Division only applies to information that ASD has acquired or prepared in one of the following circumstances:
(a) the information has been voluntarily provided to ASD, in the performance of its functions, by, or on behalf of, an entity (the impacted entity) that:
(i) is, was or could reasonably be expected to be directly or indirectly impacted by the cyber security incident; or
(ii) would be or would reasonably be expected to be impacted by the cyber security incident that may potentially occur;
(b) the information has been acquired or prepared by ASD, in the performance of its functions, with the consent of the impacted entity;
(c) the information has been:
(i) acquired by the National Cyber Security Coordinator under subsection 35(2) of the Cyber Security Act 2024 in relation to the cyber security incident; and
(ii) disclosed to ASD under subsection 38(1), 39(2) or 40(2) of that Act.
(3) This Division does not apply to information if:
(a) the information has been provided to the Commonwealth about the cyber security incident to comply with:
(i) a requirement in Part 3 of the Cyber Security Act 2024; or
(ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018; or
(iii) a requirement under the Telecommunications Act 1997; or
(iv) a requirement under a prescribed law; or
(b) the information has already been lawfully made available to the public; or
(c) the information is about an entity and has been de-identified so that it is no longer about an identifiable entity or an entity that is reasonably identifiable.
(4) A cyber security incident is:
(a) one or more acts, events or circumstances:
(i) of a kind covered by the meaning of cyber security incident in the Security of Critical Infrastructure Act 2018; or
(ii) involving unauthorised impairment of electronic communication to or from a computer, within the meaning of that phrase in that Act, but as if that phrase did not exclude the mere interception of any such communication; or
(b) the discovery of unintended or unexpected vulnerabilities in a computer, computer data or a computer program that, if exploited, would result in a cyber security incident within the meaning of paragraph (a).
(5) For the purposes of this Division:
(a) Commonwealth body has the same meaning as in the Cyber Security Act 2024; and
(b) Commonwealth enforcement body has the same meaning as in the Cyber Security Act 2024; and
(c) entity has the same meaning as in the Cyber Security Act 2024; and
(d) State body has the same meaning as in the Cyber Security Act 2024.