Part 1—Preliminary


Division 1 Preliminary

1   Short title

                   This Act is the Security of Critical Infrastructure Act 2017.

2   Commencement

             (1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

| Column 1: Provisions | Column 2: Commencement | Column 3: Date/Details |
| --- | --- | --- |
| 1.  The whole of this Act | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 3 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | |

 

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

             (2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3   Object

                   The object of this Act is to provide a framework for managing risks to national security relating to critical infrastructure, including by:

                     (a)  improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those risks; and

                     (b)  facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those risks.

4   Simplified outline of this Act

This Act creates a framework for managing risks to national security relating to critical infrastructure.

The framework consists of the following:

       (a)     the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public);

      (b)     requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset;

       (c)     allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security;

      (d)     allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents;

       (e)     allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.

Certain information obtained under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information.

Civil penalty provisions of this Act may be enforced using civil penalty orders or injunctions, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain other provisions of this Act may be enforced by imposing a criminal penalty.

The Minister may privately declare a particular asset to be a critical infrastructure asset so that this Act applies to it. A private declaration can only be made if there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security.

The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act.

Division 2 Definitions

5   Definitions

                   In this Act:

ABN has the same meaning as in the A New Tax System (Australian Business Number) Act 1999.

acquisition of property has the same meaning as in paragraph 51(xxxi) of the Constitution.

adverse security assessment has the same meaning as in Part IV of the Australian Security Intelligence Organisation Act 1979.

appointed officer, for an unincorporated foreign company, means:

                     (a)  the secretary of the company; or

                     (b)  an officer of the company appointed to hold property on behalf of the company.

approved form means a form approved by the Secretary.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

commencing day means the day this Act commences.

critical electricity asset has the meaning given by section 10.

critical gas asset has the meaning given by section 12.

critical infrastructure asset has the meaning given by section 9.

critical port has the meaning given by section 11.

critical water asset means a water or sewerage system or network that is used to ultimately deliver services to at least 100,000 water connections or 100,000 sewerage connections under the management of a water utility.

Note:          The rules may prescribe that a specified critical water asset is not a critical infrastructure asset (see section 9).

direct interest holder, in relation to an asset, has the meaning given by section 8.

entity means any of the following:

                     (a)  an individual, whether or not resident in Australia or an Australian citizen;

                     (b)  a body corporate, whether or not formed, or carrying on business, in Australia;

                     (c)  a body politic, whether or not an Australian body politic;

                     (d)  a partnership, whether or not formed in Australia;

                     (e)  a trust, whether or not created in Australia;

                      (f)  a superannuation fund, whether or not created in Australia;

                     (g)  an unincorporated foreign company.

Note:          See Division 2 of Part 7 for how this Act applies to partnerships, trusts, superannuation funds and unincorporated foreign companies.

First Minister means the Premier of a State, or the Chief Minister of the Australian Capital Territory or the Northern Territory.

grace period, for an asset, means:

                     (a)  for an asset that is, or will be, a critical infrastructure asset at the end of the period of 6 months starting on the commencing day—that 6 month period; or

                     (b)  for an asset that becomes a critical infrastructure asset after the end of the period mentioned in paragraph (a)—the period of 6 months starting on the day the asset becomes a critical infrastructure asset.

interest and control information, in relation to an entity and an asset, has the meaning given by section 6.

international relations means political, military and economic relations with foreign governments and international organisations.

national security means Australia’s defence, security or international relations.

notifiable event has the meaning given by section 26.

operational information, in relation to an asset, has the meaning given by section 7.

operator, of an asset, means:

                     (a)  for a critical port—a port facility operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of a port facility within the port; or

                     (b)  for a critical infrastructure asset other than a critical port—an entity that is authorised (however described) to operate the asset or part of the asset.

Note:          For some assets, an operator of the asset is also the responsible entity for the asset.

port facility has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003.

protected information means information, in relation to an asset, that:

                     (a)  is obtained by a person in the course of exercising powers, or performing duties or functions, under this Act; or

                     (b)  is the fact that the asset is declared under section 51 to be a critical infrastructure asset; or

                     (c)  was information to which paragraph (a) or (b) applied and is obtained by a person by way of an authorised disclosure under Division 3 of Part 4 or in accordance with section 46.

Register means the Register of Critical Infrastructure Assets kept by the Secretary under section 19.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

relevant industry, for an asset, is whichever of the following industries the asset relates to:

                     (a)  electricity;

                     (b)  water;

                     (c)  ports;

                     (d)  gas;

                     (e)  an industry prescribed by the rules for the purposes of this paragraph.

reporting entity, for an asset, means either of the following:

                     (a)  the responsible entity for the asset;

                     (b)  a direct interest holder in relation to the asset.

Note:          An entity may be both the responsible entity for an asset and a direct interest holder in relation to the asset.

responsible entity, for an asset, means:

                     (a)  for a critical electricity asset or a critical gas asset—the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or

                     (b)  for a critical water asset—the water utility that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the asset; or

                     (c)  for a critical port—the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port; or

                     (d)  for an asset declared under section 51 to be a critical infrastructure asset—the entity specified in the declaration as the responsible entity for the asset (see subsection 51(2)); or

                     (e)  for an asset prescribed by the rules for the purposes of paragraph 9(1)(f)—the entity specified by the rules for the asset.

rules means the rules made by the Minister under section 61.

Secretary means the Secretary of the Department.

security (other than in references to national security):

                     (a)  other than in sections 10 and 12—has the same meaning as in the Australian Security Intelligence Organisation Act 1979; and

                     (b)  in sections 10 and 12—has its ordinary meaning.

security regulated port has the same meaning as in the Maritime Transport and Offshore Facilities Security Act 2003.

Note:          Security regulated ports are declared under section 13 of the Maritime Transport and Offshore Facilities Security Act 2003.

superannuation fund has the meaning given by section 10 of the Superannuation Industry (Supervision) Act 1993.

this Act includes the rules.

unincorporated foreign company means a body covered by paragraph (b) of the definition of foreign company in section 9 of the Corporations Act 2001.

water utility means an entity that holds a licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide water services.

6   Meaning of interest and control information

             (1)  The following information is interest and control information in relation to an entity (the first entity) and an asset (subject to subsection (3)):

                     (a)  the name of the first entity;

                     (b)  if applicable, the ABN of the first entity, or other similar business number (however described) if the first entity was incorporated, formed or created (however described) outside Australia;

                     (c)  for an entity other than an individual:

                              (i)  the address of the first entity’s head office or principal place of business; and

                             (ii)  the country in which the first entity was incorporated, formed or created (however described);

                     (d)  for an entity that is an individual:

                              (i)  the residential address of the first entity; and

                             (ii)  the country in which the first entity usually resides; and

                            (iii)  the country or countries of which the first entity is a citizen;

                     (e)  the type and level of the interest the first entity holds in the asset;

                      (f)  information about the influence or control the first entity is in a position to directly or indirectly exercise in relation to the asset, including:

                              (i)  information about the control the first entity has over decisions relating to the running of the asset (such as voting or veto rights and the ability to appoint persons to the body that governs the asset); and

                             (ii)  information relating to any person the first entity has appointed to the body that governs the asset (such as the full name of the person and the country or countries of which the person is a citizen);

                     (g)  information about the ability of a person, who has been appointed by the first entity to the body that governs the asset, to directly access networks or systems that are necessary for the operation or control of the asset;

                     (h)  for each other entity that is in a position to directly or indirectly influence or control the first entity:

                              (i)  the information covered by paragraphs (a) to (d) as if a reference in that paragraph to the first entity were a reference to the other entity; and

                             (ii)  information about the influence or control the other entity is in a position to directly or indirectly exercise in relation to the first entity;

                      (i)  information prescribed by the rules for the purposes of this paragraph.

             (2)  Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).

Interest and control information provided by States and Territories

             (3)  If the first entity is a Governor, First Minister, Administrator or Minister of a State or Territory who is a direct interest holder in relation to an asset because of paragraph 8(1)(b), the first entity is not required to provide any interest and control information.

             (4)  However, subsection (3) does not affect the obligation of the State or Territory to provide interest and control information in relation to the asset if the State or Territory is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b).

7   Meaning of operational information

             (1)  The following information is operational information in relation to an asset:

                     (a)  the location of the asset;

                     (b)  a description of the area the asset services;

                     (c)  the following information about each entity that is the responsible entity for, or an operator of, the asset:

                              (i)  the name of the entity;

                             (ii)  if applicable, the ABN of the entity, or other similar business number (however described) if the entity was incorporated, formed or created (however described) outside Australia;

                            (iii)  the address of the entity’s head office or principal place of business;

                            (iv)  the country in which the entity was incorporated, formed or created (however described);

                     (d)  the following information about the chief executive officer (however described) of the responsible entity for the asset:

                              (i)  the full name of the officer;

                             (ii)  the country or countries of which the officer is a citizen;

                     (e)  a description of the arrangements under which each operator operates the asset or a part of the asset;

                      (f)  a description of the arrangements under which data prescribed by the rules relating to the asset is maintained;

                     (g)  information prescribed by the rules for the purposes of this paragraph.

Note:          For paragraph (e), this would include if the control system of the asset is managed by a separate body.

             (2)  Information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).

8   Meaning of direct interest holder

             (1)  An entity is a direct interest holder in relation to an asset if the entity:

                     (a)  holds a legal or equitable interest of at least 10% in the asset (including if the interest is held jointly with one or more other entities); or

                     (b)  holds a lease of, or an interest in, the asset that puts the entity in a position to directly or indirectly influence or control the asset.

             (2)  Subsection (1) applies to an entity that is:

                     (a)  a trust if one or more trustees hold the interest or lease on behalf of the beneficiaries of the trust; or

                     (b)  a partnership if one or more partners hold the interest or lease on behalf of the partnership; or

                     (c)  a superannuation fund that is a trust if one or more trustees hold the interest or lease on behalf of the beneficiaries of the superannuation fund; or

                     (d)  an unincorporated foreign company if one or more appointed officers hold the interest or lease on behalf of the company.

Note:          For the definition of appointed officer, see section 5.

9   Meaning of critical infrastructure asset

             (1)  An asset is a critical infrastructure asset if it is:

                     (a)  a critical electricity asset; or

                     (b)  a critical port; or

                     (c)  a critical water asset; or

                     (d)  a critical gas asset; or

                     (e)  an asset declared under section 51 to be a critical infrastructure asset; or

                      (f)  an asset prescribed by the rules for the purposes of this paragraph.

             (2)  However, the rules may prescribe that a specified:

                     (a)  critical electricity asset; or

                     (b)  critical port; or

                     (c)  critical water asset; or

                     (d)  critical gas asset;

is not a critical infrastructure asset.

Prescribing an asset as a critical infrastructure asset

             (3)  The Minister must not prescribe an asset for the purposes of paragraph (1)(f) unless the Minister is satisfied that:

                     (a)  the asset is critical to:

                              (i)  the social or economic stability of Australia or its people; or

                             (ii)  the defence of Australia; or

                            (iii)  national security; and

                     (b)  there is a risk, in relation to the asset, that may be prejudicial to security.

Consultation with State and Territory Ministers

             (4)  The Minister (the Commonwealth Minister) also must not prescribe the asset unless the Commonwealth Minister has:

                     (a)  consulted the following persons (the consulted Minister):

                              (i)  the First Minister of the State, the Australian Capital Territory or the Northern Territory in which the critical infrastructure asset is located;

                             (ii)  each Minister of a State, the Australian Capital Territory, or the Northern Territory, who has responsibility for the regulation or oversight of the relevant industry for the asset in that State or Territory; and

                     (b)  given each consulted Minister written notice of the proposal to prescribe the asset; and

                     (c)  had regard to any representations given by a consulted Minister under subsection (5) within the period specified for that purpose.

             (5)  The notice must invite each consulted Minister to make written representations to the Commonwealth Minister in relation to the proposal to prescribe the asset within the period specified in the notice, which must be:

                     (a)  at least 28 days after the notice is given; or

                     (b)  a shorter period if the Commonwealth Minister considers the shorter period is necessary because of urgent circumstances.

             (6)  Subsection (4) does not limit the persons with whom the Commonwealth Minister may consult.

10   Meaning of critical electricity asset

             (1)  An asset is a critical electricity asset if it is:

                     (a)  a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers; or

                     (b)  an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory, in accordance with subsection (2).

Note:          The rules may prescribe that a specified critical electricity asset is not a critical infrastructure asset (see section 9).

             (2)  For the purposes of paragraph (1)(b), the rules may prescribe requirements for an electricity generation station to be critical to ensuring the security and reliability of electricity networks or electricity systems in a particular State or Territory.

11   Meaning of critical port

                   An asset is a critical port if it is land that forms part of any of the following security regulated ports:

                     (a)  Broome Port;

                     (b)  Port Adelaide;

                     (c)  Port of Brisbane;

                     (d)  Port of Cairns;

                     (e)  Port of Christmas Island;

                      (f)  Port of Dampier;

                     (g)  Port of Darwin;

                     (h)  Port of Eden;

                      (i)  Port of Fremantle;

                      (j)  Port of Geelong;

                     (k)  Port of Gladstone;

                      (l)  Port of Hay Point;

                    (m)  Port of Hobart;

                     (n)  Port of Melbourne;

                     (o)  Port of Newcastle;

                     (p)  Port of Port Botany;

                     (q)  Port of Port Hedland;

                      (r)  Port of Rockhampton;

                      (s)  Port of Sydney Harbour;

                      (t)  Port of Townsville;

                     (u)  a security regulated port prescribed by the rules for the purposes of this paragraph.

Note:          The rules may prescribe that a specified critical port is not a critical infrastructure asset (see section 9).

12   Meaning of critical gas asset

             (1)  An asset is a critical gas asset if it is any of the following:

                     (a)  a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules;

                     (b)  a gas storage facility that has a maximum daily quantity of 75 terajoules per day or any other quantity prescribed by the rules;

                     (c)  a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules;

                     (d)  a gas transmission pipeline that is critical to ensuring the security and reliability of a gas market, in accordance with subsection (2).

Note:          The rules may prescribe that a specified critical gas asset is not a critical infrastructure asset (see section 9).

             (2)  For the purposes of paragraph (1)(d), the rules may prescribe:

                     (a)  specified gas transmission pipelines that are critical to ensuring the security and reliability of a gas market; or

                     (b)  requirements for a gas transmission pipeline to be critical to ensuring the security and reliability of a gas market.

Division 3 Constitutional provisions and application of this Act

13   Application of this Act

             (1)  This Act applies to the following:

                     (a)  an entity that is a corporation to which paragraph 51(xx) of the Constitution applies;

                     (b)  an entity that is a reporting entity for, or an operator of, an asset that is:

                              (i)  in a Territory; or

                             (ii)  used in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State; or

                            (iii)  used for the purposes of the defence of Australia;

                     (c)  an entity that is an alien (within the meaning of paragraph 51(xix) of the Constitution).

             (2)  Division 3 of Part 4 (use and disclosure of protected information) also applies to any other entity.

Note:          For the definition of entity, see section 5.

14   Extraterritoriality

                   This Act applies both within and outside Australia.

Note:          This Act extends to every external Territory.

15   This Act binds the Crown

             (1)  This Act binds the Crown in each of its capacities.

             (2)  This Act does not make the Crown liable to be prosecuted for an offence.

             (3)  The protection in subsection (2) does not apply to an authority of the Crown.

16   Concurrent operation of State and Territory laws

                   This Act is not intended to exclude or limit the operation of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.

17   State constitutional powers

                   This Act does not enable a power to be exercised to the extent that it would impair the capacity of a State to exercise its constitutional powers.