Scope
(1) This section applies if the Minister is satisfied that:
(a) an incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets (each of which is a primary asset); and
(c) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
(1A) This section also applies if the Minister is satisfied that:
(a) an incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, one or more relevant impacts on one or more critical infrastructure assets (each of which is a primary asset); and
(c) the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act 2020) that is in force; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
Authorisation
(2) The Minister may, on application by the Secretary, do any or all of the following things:
(a) authorise the Secretary to give directions under section 35AK, relating to the incident and one or more primary assets, to one or more relevant entities;
(b) authorise the Secretary to give directions under section 35AK, relating to the incident and one or more specified critical infrastructure sector assets, to one or more relevant entities;
(c) authorise the Secretary to give to one or more specified entities a specified direction under section 35AQ that relates to the incident and one or more specified primary assets;
(d) authorise the Secretary to give to one or more specified entities a specified direction under section 35AQ that relates to the incident and one or more specified critical infrastructure sector assets;
(e) authorise the Secretary to give one or more specified requests under section 35AX that relate to the incident and one or more specified primary assets;
(f) authorise the Secretary to give one or more specified requests under section 35AX that relate to the incident and one or more specified critical infrastructure sector assets.
Note 1: Section 35AK deals with information gathering directions.
Note 2: Section 35AQ deals with action directions.
Note 3: Section 35AX deals with intervention requests. The Minister must not give an authorisation under paragraph (2)(e) or (f) unless the Minister is satisfied that the incident is a cyber security incident: see subsection (10).
(3) An authorisation under subsection (2) is to be known as a Ministerial authorisation.
(4) Subsection 33(3AB) of the Acts Interpretation Act 1901 does not apply to subsection (2) of this section.
Note: Subsection 33(3AB) of the Acts Interpretation Act 1901 deals with specification by class.
Information gathering directions
(5) A Ministerial authorisation under paragraph (2)(a) or (b):
(a) is generally applicable to the incident and the asset or assets concerned; and
(b) is to be made without reference to any specific directions.
(6) The Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.
Action directions
(7) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) in relation to a specified entity unless the Minister is satisfied that:
(a) the specified entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(b) the specified direction is reasonably necessary for the purposes of responding to the incident; and
(c) the specified direction is a proportionate response to the incident; and
(d) compliance with the specified direction is technically feasible.
Note: Section 12P provides examples of responding to an incident (including a cyber security incident).
(8) In determining whether the specified direction is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of the specified direction on:
(i) the activities carried on by the specified entity; and
(ii) the functioning of the asset or assets concerned; and
(b) the consequences of compliance with the specified direction; and
(c) such other matters (if any) as the Minister considers relevant.
(9) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) in relation to a specified entity if the specified direction:
(a) requires the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX; or
(b) requires the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident.
(9A) Without limiting paragraph (2)(c) or (d), a direction referred to in that paragraph may require a specified entity to disclose specified personal information (within the meaning of the Privacy Act 1988) held by the entity to another specified entity for a specified purpose.
(9B) However, the Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d), to the extent that it authorises the giving of a direction covered by subsection (9A), unless the Minister has obtained the agreement of the Minister administering the Privacy Act 1988.
Intervention requests
(10) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) that relates to the incident and an asset unless the Minister is satisfied that:
(aa) the incident is a cyber security incident; and
(a) giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident; and
(b) if there is only one relevant entity for the asset--the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(c) if there are 2 or more relevant entities for the asset--those entities, when considered together, are unwilling or unable to take all reasonable steps to respond to the incident; and
(d) the specified request is reasonably necessary for the purposes of responding to the incident; and
(e) the specified request is a proportionate response to the incident; and
(f) compliance with the specified request is technically feasible; and
(g) each of the acts or things specified in the specified request is an act or thing of a kind covered by section 35AC.
Note: Section 12P provides examples of responding to a cyber security incident.
(11) In determining whether the specified request is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of compliance with the specified request on the functioning of the asset; and
(b) the consequences of acts or things that would be done in compliance with the specified request; and
(c) such other matters (if any) as the Minister considers relevant.
(12) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident.
(13) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister has obtained the agreement of:
(a) the Prime Minister; and
(b) the Defence Minister.
(14) An agreement under subsection (13) may be given:
(a) orally; or
(b) in writing.
(15) If an agreement under subsection (13) is given orally, the Prime Minister or the Defence Minister, as the case requires, must:
(a) do both of the following:
(i) make a written record of the agreement;
(ii) give a copy of the written record of the agreement to the Minister; and
(b) do so within 48 hours after the agreement is given.
Ministerial authorisation is not a legislative instrument
(16) A Ministerial authorisation is not a legislative instrument.
Other powers not limited
(17) This section does not, by implication, limit a power conferred by another provision of this Act.