(1) An asset is a critical data storage or processing asset if:
(a) it is owned or operated by an entity that is a data storage or processing provider; and
(b) it is used wholly or primarily to provide a data storage or processing service that relates to business critical data and that is provided by the entity to an end-user that is:
(i) the Commonwealth; or
(ii) a body corporate established by a law of the Commonwealth; or
(iii) a State; or
(iv) a body corporate established by a law of a State; or
(v) a Territory; or
(vi) a body corporate established by a law of a Territory; and
(c) the entity knows that the asset is used as described in paragraph (b); and
(d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)).
Note 1: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).
Note 2: A critical data storage or processing asset that is owned or operated by a carrier may also be a critical telecommunications asset.
(2) An asset is a critical data storage or processing asset if:
(a) it is owned or operated by an entity that is a data storage or processing provider; and
(b) it is used wholly or primarily to provide a data storage or processing service that:
(i) is provided by the entity to an end-user that is the responsible entity for a critical infrastructure asset; and
(ii) relates to business critical data; and
(c) the entity knows that the asset is used as described in paragraph (b); and
(d) the asset is not a critical infrastructure asset that is covered by a paragraph of subsection 9(1) (other than paragraph 9(1)(d)).
Note 1: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).
Note 2: A critical data storage or processing asset that is owned or operated by a carrier may also be a critical telecommunications asset.
(3) If:
(a) an entity (the first entity) is the responsible entity for a critical infrastructure asset; and
(b) the first entity becomes aware that a data storage or processing service:
(i) is provided by another entity on a commercial basis to the first entity; and
(ii) relates to business critical data;
the first entity must:
(c) take reasonable steps to inform that other entity that the first entity has become aware that the data storage or processing service:
(i) is provided by the other entity on a commercial basis to the first entity; and
(ii) relates to business critical data; and
(d) do so as soon as practicable after becoming so aware.
Civil penalty for contravention of this subsection: 50 penalty units.