This chapter discusses:
the register of critical infrastructure assets—the Bill places obligations on reporting entities of critical infrastructure assets to notify the Secretary of certain information,
Secretary’s powers—the Bill provides the Secretary with new information-gathering powers and an ability to undertake risk assessment of critical infrastructure assets, and
information sharing and confidentiality—the Bill sets out how information obtained under the Bill may be used and disclosed.
Register of critical infrastructure assets
Section 19 of the Bill requires the Secretary of the Department of Home Affairs to keep a Register of Critical Infrastructure Assets (the Register). The Bill requires that this Register not be made public.
The Bill places reporting obligations on reporting entities, which are direct interest holders and responsible entities:
Direct interest holders must provide notice of interest and control information. The Bill defines direct interest holder as an entity that ‘holds a legal or equitable interest of at least 10 per cent in the asset’, or ‘holds a lease of, or an interest in, the asset that puts the entity in a position to directly or indirectly influence or control the asset’.
Responsible entities must provide notice of operational information. The Bill defines responsible entities differently depending on the sector. For example, for critical electricity assets or critical gas assets, the responsible entity is the entity that holds the licence, approval, or authorisation to operate the asset to provide the service to be delivered by the asset.
The Explanatory Memorandum states that the Register will
assist the Government to identify who owns and controls the asset, its board structure, ownership rights of interest holders, and operational, outsourcing and offshoring information.
Information required to be notified
Section 6 of the Bill defines the following information as interest and control information:
the Australian Business Number (ABN) or other business number,
for non-individuals, the principal address and country of incorporation,
for individuals, citizenship, residential address and country,
the type and level of interest the entity holds in the asset or “first entity”,
information about the influence or control the first entity is able to exert on the asset, including decision-making and governance,
information about the ability of an appointed person to directly access networks or systems, necessary for the operation or control of the asset, and
any other information prescribed by rules.
Section 7 of the Bill defines the following information as operational information:
a description of the area the asset services,
the name, ABN (or other number), address and incorporation country of each entity that is the responsible entity or operator of the asset,
the full name and citizenship of the Chief Executive Officer of the responsible entity,
a description of arrangements under which each operator operates the asset or a part of the asset,
a description of arrangements under which data prescribed by the rules relating to the asset is maintained, and
any other information prescribed by rules.
The Bill requires reporting entities to notify the Secretary within 30 days of a notifiable event. Section 26 of the Bill defines a notifiable event as:
information previously obtained by the Secretary becoming incorrect or incomplete – for example, an entity needs to update its circumstances due to a change in operational arrangements,
an entity becoming a reporting entity – for example, by acquiring a direct interest of 10 per cent or more in the asset, or
a reporting entity becoming an entity to which the Bill applies – for example, an entity that is not covered by the Bill changes its structure and becomes an incorporated body.
The Explanatory Memorandum states that the Register will ‘impose a minimal compliance burden on industry’.
APGA suggested that the cost of complying with reporting obligations would not be ‘huge’:
As I've already alluded to in the scheme of cost to a business, it is not a huge cost but one of the challenges is, when you have to start providing duplicate information to multiple agencies, they invariably request it in different formats.
The Department of Home Affairs also stated that
the information we are requesting in the baseline reporting is fairly minimal. It's fairly light touch. It's not a lot of information.
The RIS states that leveraging information from existing sources to create a Commonwealth register for critical infrastructure was an option that was considered. In considering this option, the RIS refers to existing information held by the Australian Securities and Investments Commission (ASIC) and the Australian Energy Market Operator (AEMO), but states that
[c]umulatively, these existing registers do not provide sufficient information on ownership and control to address the issues identified by the Centre.
In relation to each state and territory’s existing information holdings, the RIS states that
the scope of information currently collected generally, or as part of a register administered by the Australian Government or states and territories, varies from one jurisdiction to another.
The APGA argued that the Register duplicates reporting obligations on infrastructure owners and operators:
APGA does not support an outcome whereby infrastructure owners and operators have reporting obligations to multiple registers concerned with infrastructure resilience and security. Industry should not be placed in the position of reporting different aspects of information related to resilience and security to different registers at the state and federal level.
The APGA suggested that the information and documents required under the Bill are
either public documents already or held by another government statutory authority, and there seems to be little need to then have a further information gathering power on the gas transmission industry.
The APGA indicated these other government statutory authorities include the ASIC, the Australian Energy Regulator, the AEMO and state regulators. The APGA also provided a list of various Commonwealth agencies it engages with on terrorism, cyber security, strategic defence, natural disasters and espionage issues.
The Department of Home Affairs suggested that it has looked closely at potential duplication, but
have not been able to find the direct interest and the chain of interest in any of the other mechanisms, nor a complete picture of the operational contractual arrangements or the data management contractual arrangements.
The APGA and WSAA suggested that, depending on the interpretation of the Bill, reporting obligations could require quite granular information, such as information about all supply chain contracts.
In response, the Department of Home Affairs stated:
The intention is to only capture the contractual information associated with an actual operator of an asset, so there are some cases we've seen where an asset may appear at face value to be owned by one entity, even a state government, for example, but the operation of the asset is outsourced. It's that contractual information that we're interested in, not all of their downstream supply chain contracts.
APGA suggested that a common form between Commonwealth agencies would alleviate concerns around duplication. However, the Department of Home Affairs argued that becoming an aggregator for this information is ‘complex in its own right, and there are costs involved in doing that’.
The Department of Home Affairs suggested that in addition to the establishment of the CIC, the transition to the Department of Home Affairs will minimise duplication:
The transition of the Centre into the newly formed Department of Home Affairs provides further opportunities to minimise duplication for industry in engaging with Government. Home Affairs brings the Department of Immigration and Border Protection together with security, law enforcement and national security policy, critical infrastructure and emergency management from the Attorney General’s Department, counter-terrorism and cyber security policy from the Department of the Prime Minister and Cabinet, multicultural affairs from the Department of Social Services and the Office of Transport Security from the Department of Infrastructure and Regional Development.
Direct interest holders
As stated above, subsection 8(1) of the Bill defines a direct interest holder as an entity that either holds an interest of at least 10 per cent in the asset, or holds an interest that puts the entity in a position to directly or indirectly influence or control the asset.
Subsection 8(2) of the Bill clarifies that an entity will still be a direct interest holder if it is a trust, partnership, superannuation fund or an incorporated foreign company. The Explanatory Memorandum states that the provision is ‘included to ensure that the reporting obligations apply to any direct interest holder regardless of the nature of that interest holder’.
The Explanatory Memorandum states that influence and control extends to the ability to:
exercise voting or veto rights,
materially impact the day-to-day operations or strategic direction of the asset,
appoint persons to the body that governs the asset,
influence or determine the business or other management plan for the asset,
influence or determine the appointment of key personnel involved in the day-to-day operation of the asset,
influence or determine major expenditures in relation to the asset or its operations,
influence or determine major contracts or transactions in relation to the asset or its operations, or
influence or determine indebtedness of any kind in relation to the asset or its operations.
In its submission, the Department of Home Affairs noted its intention to amend the definition of direct interest holder:
Some stakeholders have recently indicated that our definition of direct interest holder may not capture some entities that we intended it to (for example, entities whose subsidiaries hold an interest in the critical infrastructure asset). Home Affairs is working with the Office of Parliamentary Counsel to correct this through re-drafting to ensure that the policy intent to capture such ownership is clarified.
The Law Council had concerns about whether the definition of direct interest holder captures intermediate and ultimate interest holders:
[I]t is not clear from the drafting whether a direct interest holder under proposed section 8 is limited to the immediate shareholder or interest holder of the asset or whether it could extend to intermediate or ultimate holding entities of the assets.
The Department of Home Affairs stated its intention is that intermediate or ultimate interest holders would not be direct interest holders and advised that
the department will seek to clarify that a ‘direct interest holder’ under section 8 is limited to the immediate shareholder or interest holder and does not extend to any intermediate or ultimate holding entities. Information relating to these intermediate or ultimate holding entities is still a key component of the register, but is required to be reported by the ‘direct interest holder’ as a result of paragraph 6(1)(h) of the definition of ‘interest and control information’.
The Law Council also suggested that the Bill would benefit from greater clarity about the application of subsection 8(2) as
it is not clear whether ‘entity’ in proposed subsection 8(1) is limited to the entities listed at proposed paragraphs 8(2)(a)-(d) or whether the entities listed in proposed subsection 8(2) are in addition to the entities in the definition of ‘entity’ in proposed section 5 of the Bill.
In response, the Department of Home Affairs stated:
The department will also clarify that a ‘direct interest holder’ includes, but is not exclusive to, those entities listed in subclause 8(2).
The Law Council also recommended a carve-out for moneylending agreements, noting that
the definition of influence or control could cover ordinary course of business financing arrangements where financiers have a certain level of influence or control over the assets, whether or not they have enforced their security.
The Department of Home Affairs clarified that its intention was not to capture certain moneylenders:
It is not the intention of the legislation to capture money lenders where their interest in the asset is through a financing arrangement with the true ‘direct interest holder’ and as a result are not in a position to exercise any influence or control. To address these circumstances, we will look to provide a carve-out modelled on regulation 27 of the Foreign Acquisitions and Takeovers Regulation 2015.
Additionally, the Department of Home Affairs sought to provide further clarity around the term ‘influence and control’ under the Bill:
To provide further clarity on the interaction between the term ‘direct interest holder’ and other entities in a position to exercise influence and control, the department will look to introduce a definition of ‘influence and control’ drawing on the guidance already included in the explanatory memorandum (paragraph 150).
The Committee supports the establishment of a register of critical infrastructure assets. The Committee notes that the Department of Home Affairs has analysed existing information sources. The Committee notes the Department of Home Affairs’ conclusion that the reporting obligations under the Bill would require information from critical infrastructure asset owners and operators that is mostly unavailable through existing sources.
The Committee is satisfied that the additional burden on reporting entities is not significant. However, the Committee has concerns that updating distinct government databases with similar industry information may compromise data integrity over time. The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.
The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.
The Committee notes that the Explanatory Memorandum includes example forms. Although these forms are a useful first step, the Committee considers that entities require further guidance to understand their reporting obligations. The Committee recommends that the Department of Home Affairs prepare guidelines to advise entities of their reporting requirements in advance of the transition period.
The Committee recommends that the Department of Home Affairs develop guidelines for entities subject to the Security of Critical Infrastructure Bill 2017. The guidelines should:
enable an entity to determine whether it is a reporting entity, and
provide the entity with an understanding of the specific information it is required to report.
These guidelines should be made available prior to the end of the three-month transition period.
The Committee notes concerns about the definition of direct interest holders and evidence from the Department indicating an intention to amend the definition in the Bill. Further, the Bill would benefit from greater clarity about its application to moneylenders and to intermediate and ultimate interest holders of critical infrastructure assets. The Committee notes that one of the objectives of the Register is to capture information about beneficial ownership. The Committee notes evidence from the Department of Home Affairs, which indicates that the Bill is not intended to capture moneylenders or intermediate and ultimate holding entities as direct interest holders.
In particular, the Committee recommends that the Bill be amended to clarify that the definition of direct interest holder does not capture moneylenders or intermediate and ultimate interest holders of critical infrastructure assets.
The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to more appropriately define direct interest holder in order to capture the intended full range of ownership arrangements.
Further, the Explanatory Memorandum and the Bill should clarify that:
moneylenders are not direct interest holders, where they hold an interest in a critical infrastructure asset through a financing arrangement, and
intermediate and ultimate holding entities are not direct interest holders.
Under section 37 of the Bill, the Secretary can require a reporting entity or operator to give information or produce documents. Subsection 37(1) of the Bill limits this power to circumstances where the Secretary has reason to believe that the entity has information or documents that
is relevant to the exercise of a power, duty or function under the Bill, or
may assist with determining whether a power under the Bill should be exercised.
The Explanatory Memorandum states that this power will allow
the Secretary to ensure that the information provided by reporting entities is correct and up to date, and
further information to be sought, where that information is required to gain a clearer national security risk picture in respect of the critical infrastructure asset.
Under subsection 37(3), prior to giving the entity notice, the Secretary:
must have regard to the costs that would be likely to be incurred by the entity in complying with the notice, and
may have regard to any other matters the Secretary considers relevant.
The Explanatory Memorandum states that these considerations will ensure that
wherever possible the notice directly targets the information sought and does not create unnecessary expense or burden on the entity.
Powers to undertake risk assessments
Section 57 of the Bill allows the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset. The Register will inform risk assessments to identify and manage national security risks in critical infrastructure assets.
The Explanatory Memorandum states that
any risk assessment conducted by the Secretary would be conducted in collaboration with the asset’s owners and operators, as well as relevant state and territory agencies and regulators.
The WSAA suggested that the Bill include a ‘trigger’ so that ASIO must furnish an adverse security assessment prior to the Secretary undertaking a risk assessment. The WSAA stated that its concerns are that the Secretary’s risk assessments will require ‘undue attention compared to all the other risks—climate change, natural disasters and the like’ and that the risk assessment may require ‘potentially unnecessary costs on customers’.
The Department of Home Affairs argued that requiring an ASIO adverse security assessment as a pre-condition to the Secretary’s risk assessment would prevent the Bill from achieving its intent:
From a proactive stance, the reason we would do the risk assessment would be to understand what those vulnerabilities are and then try and mitigate them before we get to a point where there is in fact a concern. So, again, if people are prepositioning, once you have realised they are prepositioned, it is probably better to have mitigated that up-front. Conceptually, I am not sure that trigger actually meets the intent of what we are trying to achieve, which is to forestall the ability for these things to occur.
The WSAA suggested that greater disclosure around the Secretary’s risk assessment methodology and criteria may alleviate its concerns with the process:
It would be good to have greater transparency in the requirements, definitely, and potentially some sort of case study or clear guidance around what the risk assessments would entail and what things you would have to prepare to streamline the process but also to give surety on the likely cost.
The APGA echoed this sentiment and sought further clarity about the criteria and factors that may go to assessing the risk of a foreign actor. The Department of Home Affairs suggested that it intends to ‘provide some guidance to industry on the nature of our risk assessment process’.
In addition to the need for further clarity, the potential financial burden was raised by industry. Both WSAA and APGA expressed concerns about the cost implications of implementing risk mitigations that may eventuate from the Secretary’s risk assessment.
The Department of Home Affairs argued that the cost of risk mitigations is part of the ordinary course of business, similar to other types of risks, such as fire hazards. However, the Department of Home Affairs would consider the proportionality of mitigations and the cost impact as part of the process. Additionally, the Department of Home Affairs stated that mechanisms exist within the regulated markets to deal with cost pressures. The Department of Home Affairs stated that it has had some discussions with regulators
who have indicated that a direction would constitute a change of law event that could be taken into account.
Protection of information
Section 5 of the Bill makes the following information, in relation to a critical infrastructure asset, ‘protected information’:
information obtained by a person in the course of exercising powers, duties or functions under the Bill,
the fact that an asset is privately declared, under section 51, and
information obtained by way of authorised disclosure under the Bill.
Section 45 of the Bill makes it an offence to make a record of, or disclose, protected information unless authorised. The offence is punishable by imprisonment for 2 years or 120 penalty units, or both.
Part 4, Subdivision 3A of the Bill provides a number of authorised uses and disclosures of protected information, including:
the Secretary may disclose protected information to a Commonwealth Minister, a state or territory minister, a staff member of the Minister, or the department of a Minister, for Ministers responsible for:
foreign investment in Australia,
promoting investment in Australia, or
the regulation or oversight of the relevant industry for the critical infrastructure asset, and
the Secretary may disclose protected information to an enforcement body, as defined by the Privacy Act 1988.
Section 44 of the Bill also allows an entity to use or disclose protected information that it obtains, for the purpose that the information was originally disclosed to the entity.
The Explanatory Memorandum states that these authorised uses and disclosures are consistent with the Bill’s objective to promote a collaborative and cooperative approach to managing national security risks.
Section 46 of the Bill provides a number of exceptions to the offence:
disclosure or use that is required under Commonwealth, or state or territory laws prescribed by the rules,
an entity acting in good faith and in purported compliance with an authorised use or disclosure, or the Minister’s private declaration powers, and
disclosure of protected information to the subject entity, disclosure by the subject entity itself, or disclosure with the express or implied consent of the subject entity.
In relation to these exceptions, the Explanatory Memorandum states:
Recognising the severity of a criminal sanction as the highest form of punishment or deterrence, these exceptions ensure that the criminal penalty does not extend to situations where there is no criminal culpability, such as in complying with another law, or disclosing the information with the consent of the person to whom the information relates.
Subsections 6(2) and 7(2) of the Bill state that interest and control information and operational information may be personal information within the meaning of the Privacy Act 1988 (Privacy Act).
Box 4.1: Information about the Australian Privacy Principles
The Australian Privacy Principles (APPs) are contained in schedule 1 of the Privacy Act. They outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.
While the APPs are not prescriptive, each APP entity needs to consider how the principles apply to its own situation. The principles cover:
an individual having the option of transacting anonymously or using a pseudonym where practicable,
the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection,
how personal information can be used and disclosed (including overseas),
maintaining the quality of personal information,
keeping personal information secure, and
rights for individuals to access and correct their personal information.
Section 39 of the Bill allows the Secretary to retain a document for as long as is necessary. The Explanatory Memorandum states that this section would
enable the document to be used for the purpose for which it was obtained, as well as for any other purpose authorised under Part 4, Division 3.
APP 11.2 requires that an APP entity take reasonable steps to destroy or de‑identify personal information where it is no longer necessary. The Law Council suggested that the Secretary’s ability to retain documents may be inconsistent with this APP:
The Law Council queries whether the Secretary’s ability to retain documents for an unlimited time period may be inconsistent with APP 11.2. This requires that where an APP entity holds personal information, and they no longer need the information for the purpose for which it was used or disclosed by the entity, the entity must take reasonable steps to destroy the information or to ensure that the information is de-identified.
To ensure that the Bill is consistent with APP 11.2, the Law Council recommends that section 39 of the Bill be amended to reflect the requirement that the Secretary must take reasonable steps to destroy the information when it is no longer necessary.
In response, the Department of Home Affairs stated that
provisions in the Bill have been developed to be consistent with the Australian Privacy Principles (APPs). The department will consider amendments to the explanatory memorandum to clarify that the Centre in administering the legislation will comply with all relevant Australian Privacy Principles.
The Explanatory Memorandum states that sharing information with states and territories is important, as they have responsibilities as owners and regulators:
The information obtained under the Bill may have broader policy implications for states and territories, particularly in relation to maintaining the security and resilience of critical infrastructure assets. This acknowledges that the states and territories, as owners and regulators of critical infrastructure assets share the responsibility with the Government to manage national security risks.
The WSAA expressed concerns about whether laws in states and territories would protect sensitive, critical infrastructure information adequately:
The sensitive information protections currently existing at the State/Territory level are inconsistent, to prevent sensitive Critical Infrastructure information from being released into the public domain (e.g. through State Audit reports, Regulatory Reports or Freedom of Information requests). Therefore the need to ensure a consistent approach to sharing and protection of critical infrastructure related information is imperative and an obvious gap in the current legislation.
The WSAA suggested that the Bill could address its concern through wholly exempting protected information from freedom of information laws. However, under the Freedom of Information Act 1982, a range of exemptions already exist that allow an agency or minister to refuse release of documents, including exemptions for national security, documents containing material obtained in confidence, and Commonwealth-State relations.
The Department of Home Affairs stated that it will establish security measures to protect the Register:
Given the sensitivity of the information required to be provided and stored in aggregate, the Register will be held on a classified network. This will ensure that all information provided for the Register, including commercially sensitive information, is kept secure.
The Committee did not receive evidence of concerns about the scope or exercise of the Secretary’s information-gathering powers. As such, the Committee makes no comment about these powers and supports these provisions in the Bill.
The Committee notes industry concerns about the Secretary’s power to undertake a risk assessment. The Committee does not consider that an ASIO adverse security assessment should be a pre-condition to the Secretary’s ability to undertake a risk assessment. The Committee notes that this pre‑condition could limit the ability to mitigate risks proactively, which is the intent of the regime.
The Committee notes industry concerns about potential cost implications that may arise from the implementation of risk mitigations. The Committee notes advice from the Department of Home Affairs that the Secretary would consider the proportionality of risk mitigations and the cost impact as part of a risk assessment process.
While the Committee supports the need for greater clarity around the intended risk assessment process, it does not support publicly detailing the entirety of the risk assessment process as this may reveal sensitive national security information. The Committee notes that the Department indicated it intended to provide ‘some guidance’ on the risk assessment process. The Committee considers that the timely provision of such advice is warranted, and recommends that the Department of Home Affairs develop high-level guidance for reporting entities and operators about the risk assessment process.
The Committee recommends that the Department of Home Affairs include in guidelines to be developed for entities subject to the Security of Critical Infrastructure Bill 2017, information regarding:
the high-level criteria by which the Department will assess risk, and
the process and the engagement that entities should reasonably expect from the Department as part of a risk assessment.
The Committee notes that the Bill enables the Secretary to use or disclose protected information to a significant number of ministers and government agencies at the Commonwealth, state and territory level. The Committee acknowledges that collaboration between the Commonwealth, industry, states and territories is important for building a secure and resilient critical infrastructure landscape. The Committee notes that existing laws protect the use and disclosure of personal information, including the Privacy Act 1988, the Australian Security Intelligence Organisation Act 1979, and the Notifiable Data Breaches scheme.
However, the Committee considers that the Bill’s information-sharing provisions can be strengthened to ensure greater transparency of decision-making. In particular, the Committee recommends that the Explanatory Memorandum to the Bill clarify the factors that the Secretary must take into account when exercising discretion to disclose protected information. This addition would increase the public’s confidence in the integrity of the process and that disclosure occurs only after proper consideration.
The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to list the factors that the Secretary must have regard to, when deciding whether to disclose protected information under sections 42 and 43 of the Bill. Factors should include:
whether the disclosure is consistent with the objects of the Bill, and
whether the purpose of the disclosure is proportionate to the sensitivity of the information being disclosed.
The Committee notes concerns about section 39 of the Bill, which enables the Secretary to retain documents for as long as necessary. The Committee considers that this provision does meet the requirements under APP 11.2.
The Committee appreciates that further clarity on the interaction between APP 11.2 and section 39 of the Bill would be beneficial. The Committee recommends that the Explanatory Memorandum be amended to clarify that these provisions are to be read consistently with the obligations under the Privacy Act.
The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to clarify that the Bill does not affect the operation of existing privacy obligations.
In particular, the Explanatory Memorandum should clarify that section 39 does not affect the operation of Australian Privacy Principle 11.2 and the Department of Home Affairs, as the administering agency, would need to destroy personal information if it was no longer necessary.