Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022

2019-2020-2021-2022

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

SENATE

SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022

SUPPLEMENTARY EXPLANATORY MEMORANDUM

Amendments to be Moved on Behalf of the Government

(Circulated by authority of the Minister for Home Affairs, the Honourable Karen Andrews MP)

AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022

 

OUTLINE

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of our critical infrastructure. As the threats and risks to Australia’s critical infrastructure evolve in a post-COVID world, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver. 

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) issued its Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 in September 2021 (the 2021 PJCIS report). Recommendation 1 of the 2021 PJCIS report was that the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the 2020 Bill) be split in two so that urgent elements of the reforms (mandatory cyber incident reporting and government assistance) be implemented as soon as possible. Government amendments to the 2020 Bill were moved in 2021, and the amended Bill subsequently passed after the amendments were made. This became the Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act), which amended the Security of Critical Infrastructure Act 2018 (SOCI Act), in line with this recommendation.

Recommendation 7 of the 2021 PJCIS report was that elements of the 2020 Bill not implemented in what became the SLACI Act be subsequently re-introduced in a separate Bill. Accordingly, the purpose of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the SLACIP Bill) is to amend the SOCI Act, as amended by the SLACI Act, to implement Recommendation 7 of the 2021 PJCIS report.

The SLACIP Bill contains the following measures:

·          critical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act);

·          enhanced cyber security obligations for those assets most important to the nation, described as ‘systems of national significance’, as defined in section 52B of the SOCI Act (proposed Parts 2C and 6A of the SOCI Act); and

·          a range of other measures in response to recommendation 7 of the 2021 PJCIS report (and the principles referred to in paragraph 3.49 of that report), feedback received from stakeholders and to improve the efficacy and efficiency of the statutory framework.

 

Overview of the Government Amendments

The amendments respond to a number of recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the 2022 PJCIS report).

The amendments:

(a)    insert new definitions of critical component and critical worker in the SOCI Act;

(b)    require the Minister to notify the PJCIS of the declaration of a particular asset to be a system of national significance;

(c)    insert provisions to provide for periodic reporting to the Minister and the PJCIS relating to the conduct, progress and outcomes of consultations undertaken by the Department of Home Affairs relating to the amendments to the SOCI Act made by the SLACIP Bill (as enacted) and the SLACI Act;

(d)    require the Minister to cause an independent review of the operation of the SOCI Act to be conducted and a copy of the report to be tabled in the Parliament.

FINANCIAL IMPACT STATEMENT

These government amendments will have a low financial impact.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

The government amendments to the Bill are compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview

The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act) that will implement the second tranche of an enhanced critical infrastructure security framework, building on the amendments introduced by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act). These amendments will further enhance the security and resilience of critical infrastructure in Australia, boost situational awareness and enable the Government to partner with entities responsible for Australia’s most critical assets to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia’s economy, security and sovereignty.

The amendments to the Bill will:

·          insert new items 7A and 11A in Schedule 1 of the Bill which will amend section 5 of the SOCI Act to define ‘critical component’ and ‘critical worker’ (as below). These definitions were set out in draft form in the exposure draft of the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules (LIN 22/018) 2022 (draft Rules), which were included in the explanatory memorandum to the SLACIP Bill. The intention is to incorporate these definitions as defined terms in section 5 of the SOCI Act. Simple and clear definitions of these terms in the Bill and the SOCI Act will provide clarity for responsible entities of critical infrastructure (particularly those proposed to be captured under Part 2A), without being too prescriptive.

o    ‘critical component’ of a critical infrastructure asset is defined to mean a part of the asset, where absence of, damage to, or compromise of, the part of the asset:

a)       would prevent the proper function of the asset; or

b)       could cause significant damage to the asset;

as assessed by the responsible entity for the asset.

o    ‘critical worker’ is defined to mean an individual, where the following conditions are satisfied:

a)       the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies;

b)       the absence or compromise of the individual:

         i.       would prevent the proper function of the asset; or

         ii.      could cause significant damage to the asset;

         as assessed by the responsible entity for the asset;

c)       the individual has access to, or control and management of, a critical component of the asset.

In particular, classes of persons within the scope of ‘individual’ will not be included in these amendments. Discussion of the human rights engagement of the measures within the draft Rules, including those that impact a ‘critical worker’, will be included in the statement of compatibility for the draft Rules.

·          at item 75 of Schedule 1 of the Bill, insert new section 60AAA to the SOCI Act to add the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as an additional recipient of the periodic reporting on the operation of the SOCI Act. This amendment will require the Minister to provide a written report to the PJCIS every six months regarding the conduct, progress and outcomes of ongoing consultations undertaken by the Department of Home Affairs in relation to:

o    the amendments in the SLACIP Bill 2022 (as enacted); and

o    the amendment to the SOCI Act by the SLACI Act.

New section 60AAA(3) provides that the report must not include personal information within the meaning of the Privacy Act 1988.

·          at item 76 of Schedule 1 of the Bill, repeal section 60A of the SOCI Act and substitute new section 60A, requiring the Minister to cause an independent review of the operation of the SOCI Act (as amended) to be conducted after the end of the period of 12 months beginning on the day after the SLACI Act (as enacted) receives the Royal Assent. The amendments require that copies of the report be tabled in Parliament within 15 sitting days of the report being given to the Minister.

These amendments will provide clarity to responsible entities of critical infrastructure in Australia regarding ‘critical workers’ and ‘critical component’ (particularly those entities proposed to be captured under Part 2A), enhance accountability and transparency of the reporting regimes, and ensure that an objective review assesses whether the definitions, operations and mechanisms in the amended SOCI Act are working as intended, as well as ensuring that any Government Assistance measures or obligations exercised or imposed are reasonable. This will contribute towards the Government’s overarching objective to maintain the continuity of essential services that support Australia’s economy, security and sovereignty.

Human rights implications

The amendments do not engage any of the applicable rights or freedoms and do not further limit the human rights engaged and discussed in detail in the Statement of Compatibility with Human Rights in the explanatory memorandum to the Bill.

Conclusion

The amendments to the Bill are compatible with human rights as they do not raise any human rights issues.



 

AMENDMENTS TO THE SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022

NOTES ON AMENDMENTS

Amendment (1) - Schedule 1, page 4 (after line 14), after item 7, insert:

1.                   This amendment amends Schedule 1 to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) to insert new item 7A.

2.                   Item 7A inserts the following definition of critical component in section 5 of the Security of Critical Infrastructure Act 2018 (SOCI Act):

critical component of a critical infrastructure asset, means a part of the asset, where absence of, damage to, or compromise of, the part of the asset:

(a)        would prevent the proper function of the asset; or

(b)        could cause significant damage to the asset;

as assessed by the responsible entity for the asset.

3.                   This amendment is made in response to recommendation 5 of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in its Advisory Report on the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Advisory Report).

4.                   An exposure draft of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 (the draft RMP rules) was provided in the explanatory memorandum to the SLACIP Bill. The draft RMP rules provide that a responsible entity that undertakes AusCheck background checks for its critical workers is taken to be appropriately assessing the ongoing suitability to have access to critical components of an asset. The draft RMP rules include a definition of critical component.

5.                   As a result of the definition of critical component being inserted in the SOCI Act, it is intended that the proposed definition of critical component in the RMP rules will be removed from those rules. The RMP rules, once implemented, will then rely on the definition of critical component in the SOCI Act.

 

Amendment (2) - Schedule 1, page 5 (after line 21), after item 11, insert:

6.                   This amendment amends Schedule 1 to the SLACIP Bill to insert new item 11A.

7.                   Item 11A inserts the following definition of critical worker in section 5 of the SOCI Act:

critical worker means an individual, where the following conditions are satisfied:

                     (a)  the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies;

                     (b)  the absence or compromise of the individual:

                              (i)  would prevent the proper function of the asset; or

                             (ii)  could cause significant damage to the asset;

                            as assessed by the responsible entity for the asset;

                     (c)  the individual has access to, or control and management of, a critical component of the asset.

8.                   This amendment is made in response to recommendation 5 in the Advisory Report.

9.                   An exposure draft of the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022 (the draft RMP rules) was provided in the explanatory memorandum to the SLACIP Bill. The draft RMP rules provide that a responsible entity that undertakes AusCheck background checks for its critical workers is taken to be appropriately assessing the ongoing suitability to have access to critical components of an asset. The draft RMP rules provided a definition of critical worker.

10.               As a result of the definition of critical worker being inserted in the SOCI Act, it is intended that the proposed definition of critical worker in the RMP rules will be removed from those rules. The RMP rules, once implemented, will then rely on the definition of critical worker in the SOCI Act.

Amendment (3) - Schedule 1, item 71, page 64 (after line 25), after paragraph 52B(3)(a)

11.               This amendment amends Schedule 1 to the SLACIP Bill to include a reference to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in new subsection 52B(3) as inserted in the SOCI Act by item 71 of Schedule 1 to the SLACIP Bill.

12.               New subsection 52B(3) of the SOCI Act provides that the Minister must notify the entities listed in that subsection of a declaration of a particular asset to be a system of national significance under proposed subsection 52B(1).

13.               This amendment is made in response to recommendation 7 in the Advisory Report.

14.               This amendment will add new paragraph 52B(3)(aa) to proposed subsection 52B(3) of the SOCI Act to provide that the Minister must also notify the PJCIS of a declaration of a particular asset to be a system of national significance. As a result of this amendment, subsection 52B(3) provides that within 30 days of declaring an asset to be a system of national significance the Minister must, in writing, notify the PJCIS of the declaration.

Amendment (4) - Schedule 1, page 68 (after line 29), at the end of the Schedule, add:

15.               This amendment inserts new item 75 in Schedule 1 to the SLACIP Bill. Item 75 amends the SOCI Act by inserting new section 60AAA, to provide for periodic reporting to the Minister and the PJCIS relating to the conduct, progress and outcomes of consultations undertaken by the Department of Home Affairs relating to the amendments made to the SOCI Act by the SLACIP Bill (as enacted) and the SLACI Act.

16.               This amendment is made in response to recommendation 3 in the Advisory Report.

17.               New subsection 60AAA(1) provides that the Secretary must give the Minister a report relating to the conduct, progress and outcomes of consultations undertaken by the Department of Home Affairs in relation to:

·          the amendments made to the SOCI Act by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (paragraph (a)); and

·          the amendments made to the SOCI Act by the Security Legislation Amendment (Critical Infrastructure) Act 2021.

18.               Under subsection 60AAA(1), the Secretary must give the Minister the report during a designated reporting period (as defined in new subsection 60AAA(4)).

19.               New subsection 60AAA(2) provides that the Minister must give a copy of a report under subsection (1) to the PJCIS. Subsection 60AAA(2) does not specify a particular timeframe in which the report must be given. Generally, the Minister should give the report to the PJCIS in a reasonable timeframe given the overall requirements of section 60AAA for the Secretary to provide a report to the Minister during each designated reporting period.

20.               New subsection 60AAA(3) provides that a report under subsection (1) must not include personal information, as defined in the Privacy Act 1988. Where a participant in consultation during the relevant reporting period is an individual, the report may include information about the entity or organisation they represent, but must not include that individual’s personal information.

21.               New subsection 60AAA(4) sets out the meaning of designated reporting period. This term relates to the period during which the Secretary must give the Minister a report under subsection 60AAA(1).

22.               Paragraph 60AAA(4)(a) covers the initial designated reporting period. The effect of paragraph 60AAA(4)(a) is that the initial designated reporting period (in which the Secretary must give the report to the Minister under subsection 60AAA(1)) begins at the commencement of section 60AAA and ends either (i) 6 months after that date, or (ii) when the PJCIS begins to conduct a review under section 60B of the SOCI Act, whichever is the earlier.

23.               Paragraph 60AAA(4)(b) covers each subsequent designated reporting period. The effect of paragraph 60AAA(4)(b) is that each subsequent designated reporting period (in which the Secretary must give the report to the Minister under subsection 60AAA(1)) begins immediately after the end of the immediately preceding designated reporting period and ends either (i) 6 months after the immediately preceding designated reporting period or (ii) when the PJCIS begins to conduct a review under section 60B of the SOCI Act.

Amendment (5) - Schedule 1, page 68, at the end of the Schedule (after proposed item 75), add:

24.               This amendment inserts new item 76 in Schedule 1 to the Bill. The amendment in item 76 repeals and substitutes section 60A of the SOCI Act.

25.               This amendment is made in response to recommendations 10 and 11 of the Advisory Report.

26.               Current section 60A of the SOCI Act provides for the PJCIS to review the operation, effectiveness and implications of the SOCI Act.

27.               New section 60A requires the Minister to commission an independent review of the SOCI Act, to commence after the end of the first year of operation of the amendments to the SOCI Act by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (as enacted).

28.               New section 60A is inserted in response to recommendation 10 in the Advisory Report.

29.               New subsection 60A(1) provides that the Minister must cause an independent review to be conducted of the operation of the SOCI Act.

30.               New subsection 60A(2) provides that the review must be conducted after the end of the 12-month period that began at the commencement of new section 60A of the SOCI Act, after the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 is enacted.

31.               New subsection 60A(3) provides that the person or persons conducting the review must:

·          give the Minister a written report of the review (paragraph (a)); and

·          do so within 12 months after the commencement of the review (paragraph (b)).

32.               New subsection 60A(4) provides that the Minister must cause copies of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister. This will also ensure that the report is made publicly available, in line with recommendation 10.

33.               With the inclusion of the requirement for an independent review in the SOCI Act in new section 60A, current section 60A of the SOCI Act is to be repealed. In line with recommendation 11 in the Advisory Report, the intention of repealing current section 60A is to avoid any confusion that might otherwise result from the proposed independent Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 review, and the current provision in section 60B of the SOCI Act for the PJCIS to review the operation, effectiveness and implications of the SOCI Act.