List of Recommendations

Recommendation 1

3.28

The Committee recommends that the Department of Home Affairs and the Cyber and Infrastructure Security Centre establish a fresh round of consultation with critical infrastructure industry representatives, relevant employee representative bodies, and trade unions to enable further feedback to be incorporated into the draft Rules for risk management programs under the proposed amendments.

This consultation can ensure that the timeframes established in the Rules for implementation and commencement of said Rules is agreed and may vary for specific assets.

Recommendation 2

3.29

The Committee recommends that the Department of Home Affairs and the Cyber and Infrastructure Security Centre continue industry roundtables for review and improvement of the Rules and guidance materials in alignment with the undertakings identified in its submission, in public hearing evidence, and in accordance with Recommendation 6 of the Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018.

These roundtables can also be used for continued review of the ‘fit for purpose’ nature of sector and asset definitions to inform further potential legislative amendment or Ministerial declarations.

Recommendation 3

3.32

The Committee recommends that section 60 of the Security of Critical Infrastructure Act 2018 be amended to require the Minister to provide a written periodic report to the Parliamentary Joint Committee on Intelligence and Security regarding the conduct, progress and outcomes of ongoing consultations undertaken by the Department of Home Affairs or Cyber and Infrastructure Security Centre in relation to the expanded provisions included in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 as well as those enabled by the Security Legislation Amendment (Critical Infrastructure) Act 2021.

These reports should include detail regarding the participants involved and how stakeholder feedback has been incorporated into resultant rules, resources or proposed regulation or legislative change.

Recommendation 4

3.44

The Committee recommends that the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be updated to confirm that the Bill does not negate responsibilities of employers under the Fair Work Act 2009, Work Health and Safety legislation, or any other currently legally mandated or protected action. This should include the detail that an employee who is subject to action as a result of an employer’s background check, AusCheck or otherwise, is protected by all existing rights at work, such as the right to appeal a decision with the Fair Work Tribunal.

Recommendation 5

3.48

The Committee recommends that the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended so that section 5 of the Security of Critical Infrastructure Act 2018 include the definitions of critical worker and critical component as currently proposed in the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022

Recommendation 6

3.63

The Committee recommends that the Explanatory Memorandum for the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended at current paragraphs 461 to 540, as per the undertaking from representatives of the Department of Home Affairs at the Public Hearing of 16 March 2022, to clarify the circumstances and scope of the intended operation of Part 2C, Division 5 of the Bill, and outlining that the Department and the Australian Signals Directorate will work proactively with a proposed Part 6 systems of national significance declared entity to avoid the imposition of section 30DJ notices wherever possible.

Recommendation 7

3.76

The Committee recommends that proposed subsection 52B(3) of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be amended to include a provision that after a critical infrastructure asset is declared as a system of national significance by the Minister, the Parliamentary Joint Committee on Intelligence and Security be notified in writing within 30 days, in the appropriately classified manner, identifying the asset sector and entity details, to the extent negotiated with the entity in regard to capability sensitivities.

Recommendation 8

3.79

The Committee recommends that the Australian Government consider establishing a legislative basis for merits review for some or all of the decisions exercised by the Minister or Department of Home Affairs officials under the Security of Critical Infrastructure Act 2018 and the proposed amendments contained in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, noting the economic and operational implications of such decisions on Australian businesses.

Recommendation 9

3.89

The Committee recommends that, subject to the amendments outlined above, the resultant Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 be passed.

Recommendation 10

3.97

The Committee recommends that the government commission an independent review of the operation of the Security of Critical Infrastructure Act 2018 after one year of operation after the Bill receives Royal Assent.

This review must report within one year of its commencement to the Minister for Home Affairs, who must then present the report to Parliament within 30 days and cause it to be made publicly available.

Recommendation 11

3.101

The Committee recommends that section 60A of the Security of Critical Infrastructure Act 2018 be repealed, to remove any confusion regarding the status of pending statutory reviews of the Act.

| Contents |