Revised Explanatory Memorandum
(Circulated by authority of the Minister for Home Affairs and Minister for Cyber Security, the Honourable Tony Burke MP)
NOTES ON CLAUSES
Clause 1 Short title
1. This section provides that the short title of this Bill, once enacted, will be the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 (the Act).
Clause 2 Commencement
2. Subsection 2(1) provides that each provision of the Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
3. The effect of table items 1 and 2 is that the Act will commence the day after the Act receives Royal Assent, at the same time as the Cyber Security Act 2024 (CS Act).
Schedule 1 Limited use of certain cyber security information
Intelligence Services Act 2001
Item 1 Subsection 3(1)
4. Item 1 provides definitions for terms which facilitate the amendments to the IS Act being made by the Bill.
5. Subsection 41BA(5) provides for the meaning of Commonwealth body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
6. Subsection 41BA(5) provides for the meaning of Commonwealth enforcement body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
7. Subsection 3(1) provides for the meaning of computer. This term has the same meaning given by the Security of Critical Infrastructure Act 2018 (SOCI Act). This term is intended to capture all or parts of an individual computer, a collection of computers that form a network or system, or any combination of these. A computer has the capability to store or process data, or be used to monitor, control or do anything else that is connected to the functioning of an asset. For example, a Supervisory Control and Data Acquisition (SCADA) system is considered to be a computer.
8. Subsection 41BA(4) provides for the meaning of a cyber security incident.
9. Subsection 41BA(5) provides for the meaning of an entity for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
10. Subsection 41BA(1) provides for the meaning of limited cyber security information.
11. Subsection 41BA(5) provides for the meaning of a State body for the purposes of the new Division 1A of Part 6 of the IS Act, and has the same meaning given by the CS Act.
Item 2 After Division 1 of Part 6
Division 1A Communication and use of limited cyber security information
41BA Cyber security information for which communication and use is limited by this Division
12. Section 41BA outlines when cyber security information is captured by the limited use obligation. The section defines what constitutes limited cyber security information which is a key term used throughout the Division to refer to the information to which it applies.
13. Subsection (1) provides for the meaning of limited cyber security information. This section provides that information is limited cyber security information if the information:
- a. relates to:
  - i. a cyber security incident that has occurred or is occurring; or
  - ii. a cyber security incident that may potentially occur; and
- b. has been acquired or prepared by ASD in a circumstance mentioned in subsection (2); and
- c. is not subject to an exception mentioned in subsection (3).
14. Subsection (1) does not capture the original information that an entity holds. The limited use obligation is not designed to create a shield against legal liability or civil regulatory actions, but to protect the information once it is in the hands of ASD.
15. Subsection (2) restricts the application of the Division to information that has been:
- a. voluntarily provided to ASD in the performance of its functions by, or on behalf of, an impacted entity, such as an incident response provider. The impacted entity must:
  - i. be, have been, or would reasonably be expected to be, directly or indirectly impacted by a cyber security incident; or
  - ii. be, or would reasonably be expected to be, impacted by a potential cyber security incident;
- b. acquired or prepared by ASD in the performance of its functions, with the consent of the impacted entity, such as through an ASD technical program; or
- c. acquired by the National Cyber Security Coordinator (Coordinator) and disclosed to ASD under the limited use obligation in the CS Act.
16. Subsection (3) excludes certain information from the protections in the Division. The section provides that the limited use obligation does not capture:
- a. information provided to ASD, or another Commonwealth body, for mandatory reporting purposes including (but not limited to) the mandatory ransomware reporting obligation under Part 3 of the CS Act; the mandatory cyber incident reporting obligation for critical infrastructure under Part 2B of the SOCI Act; the requirement under the Telecommunications Act 1997; or any other requirement under a prescribed law.
  - i. The ability to prescribe laws has been included to enable flexibility in the legislation to account for any future mandatory reporting obligations or inclusions which may be facilitated through ASD.
  - ii. ASD is not a Commonwealth enforcement body, or regulator, and does not hold regulatory powers to enforce compliance against mandatory reporting obligations. The exclusion of information that has been provided to ASD for mandatory reporting purposes, obligations or requirements ensures this information can be transferred to the responsible regulator and does not override or displace any legislative responsibilities entities may have in relation to reporting cyber security incidents.
- b. information that has already been made lawfully available to the public;
- c. information about an entity that has been de-identified such that it is no longer about an identifiable or reasonably identifiable entity. The exclusion of de-identified information ensures ASD can continue to provide cyber security advice and mitigations through classified and public avenues, in accordance with ASD's existing functions.
17. The exclusions in subsection (3) (paragraphs (b) and (c)) ensure that once information is appropriately de-identified ASD can continue to provide cyber security advice and mitigation, to relevant partners and the public.
18. As per existing legislative arrangements, ASD's exemptions under the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982 (FOI Act) remain.
19. Subsection (4) provides for the meaning of a cyber security incident. This section provides that a cyber security incident includes:
- a. one or more acts, events or circumstances:
  - i. of a kind covered by the meaning of cyber security incident in the SOCI Act;
  - ii. involving unauthorised impairment of electronic communication to or from a computer, but as if that phrase did not exclude the mere interception of any such communication; or
- b. the discovery of unintended or unexpected vulnerabilities in a computer, computer data, or a computer program, that, if exploited, would result in a cyber security incident within the meaning of paragraph (a).
20. Subsection (4) (paragraph (a)(ii)) ensures that the definition of a cyber security incident incorporates acts, events or circumstances which involve the unauthorised interception of a communication that impairs electronic communication to or from a computer. For the conduct to be unauthorised, it must have occurred without valid authorisation, whether by legislation, contract, or other agreement or arrangement.
21. A cyber security incident includes, but is not restricted to, the following:
- a. data breaches - unauthorised access and disclosure of data;
- b. denial of service and distributed denial of service attacks - overwhelming a service with traffic, sometimes impacting availability;
- c. industrial control system compromises - unauthorised access to an industrial control system;
- d. malware infections - a Trojan, virus, worm or any other malicious software that can harm systems, services or networks;
- e. phishing attacks - deceptive messaging designed to elicit users' sensitive data (such as banking logins or business login credentials) or used to execute malicious code to enable remote access; and
- f. ransomware attacks - a tool used to lock or encrypt victims' files until a ransom is paid.
22. Subsection (4) (paragraph (b)) expands the meaning of a cyber security incident to capture vulnerabilities that have the potential to be exploited and cause a cyber security incident.
23. The meaning of vulnerabilities is intended to capture unintended or unexpected weaknesses in a computer's security requirements, design, implementation or operation that could be accidentally triggered or intentionally exploited and result in a violation of the computer's security policy.
24. Reporting and engaging with ASD on vulnerabilities gives vendors and developers more time to mitigate the vulnerabilities and enable affected systems of national interest to reduce their exposure, minimising the potential harm caused if the vulnerabilities were to be exploited.
25. Encouraging entities to report the discovery of vulnerabilities to ASD provides greater opportunity for vendors and entities to mitigate risk and better protect systems of national interest.
26. A vulnerability includes, but is not restricted to, the following:
- a. outdated software - by using outdated software, critical security updates may be missed, giving cybercriminals more opportunities to access data and systems;
- b. misconfigured access controls - insufficient controls on user accounts may allow cybercriminals to access information and systems from across a user network;
- c. lack of multi-factor authentication - without multi-factor authentication, cybercriminals can use previously stolen passwords to try and access other accounts; and
- d. insecure macro settings - malicious macros can access sensitive information, download malware, and erase data.
27. Subsection (5) provides for the meaning of a Commonwealth body, Commonwealth enforcement body, entity and State body. These terms have the same meaning given by the CS Act.
41BB Limited cyber security information can only be communicated by ASD for permitted cyber security purposes
28. Section 41BB imposes specific limitations on the communication of limited cyber security information by ASD.
29. Subsection (1) places a restriction on staff members of ASD, including the Director-General of ASD, to only communicate limited cyber security information to a person who is not a staff member of ASD for a permitted cyber security purpose.
30. Subsection (1) (paragraph (a)) allows ASD to communicate limited cyber security information for the purpose of undertaking any of ASD's functions under the IS Act. This includes assisting an impacted entity to respond to, mitigate or resolve an actual or potential cyber security incident, or providing technical assistance or advice to an entity on the prevention of a cyber security incident or potential cyber security incident.
- a. ASD does not have a function to assist in the investigation or enforcement of any regulatory action. The permitted cyber security purposes have been drafted so as to constrain the communication of limited cyber security information to circumstances where ASD has pre-existing legislative authority.
- b. Subsection (1) (paragraph (a)) should not be read down in light of paragraphs (b) through (i). If the communication of limited cyber security information is within ASD's functions per paragraph (a), then the communication does not have to also fall within another permitted cyber security purpose.
31. Subsection (1) (paragraph (b)) allows ASD to inform and advise relevant Ministers about a cyber security incident or potential cyber security incident. This purpose ensures that, where necessary, Ministers can be made aware of, and be provided with relevant advice, about emerging and ongoing threats to Australia's national security.
- a. In the event of a major or significant cyber security incident, this purpose ensures Ministers can be briefed by ASD on the details of an incident to support their understanding of the incident and its severity. For example, ASD could rely upon this purpose to inform the Attorney-General of the significance of a cyber security incident, as related to the exercise of ministerial powers to declare a data breach.
32. Subsection (1) (paragraph (c)) allows ASD to communicate limited cyber security information to a Commonwealth body for the performance of their functions relating to responding to, mitigating or resolving a cyber security incident or potential cyber security incident.
- a. This purpose does not include a Commonwealth enforcement body, which is captured by paragraph (i).
33. Subsection (1) (paragraph (d)) allows ASD to communicate limited cyber security information to a State body for the performance of their functions relating to responding to, mitigating or resolving a cyber security incident (within the meaning of the CS Act).
- a. However, ASD must not communicate limited cyber security information to a State body under this Division unless a Minister of the State or Territory has 'opted in', or provided consent, to this Division applying to the State body as outlined in section 41BD(5). This ensures that ASD does not impermissibly burden or impose undue obligations on how a State body could use the information that is provided to them by ASD.
34. Subsection (1) (paragraph (e)) allows ASD to communicate limited cyber security information to the Coordinator for the performance of their functions under Part 4 of the CS Act relating to a cyber security incident (within the meaning of CS Act).
- a. This ensures the Coordinator can be notified of, and be provided with information relevant to, a significant cyber security incident such that they can coordinate whole-of-government responses (where appropriate and necessary).
35. Subsection (1) (paragraph (f)) allows ASD to communicate limited cyber security information to listed intelligence agencies for the performance of their functions. The intelligence agencies to which ASD can communicate such information include the Australian Secret Intelligence Service (ASIS), Australian Geospatial-Intelligence Organisation (AGO), Australian Security Intelligence Organisation (ASIO), Defence Intelligence Organisation (DIO) and Office of National Intelligence (ONI).
- a. This ensures that ASD does not adversely impact or hinder the abilities of other intelligence agencies in the performance of their functions. The Bill will not confer any new functions on a recipient intelligence agency.
36. Subsection (1) (paragraph (g)) allows ASD to communicate limited cyber security information to the Inspector-General of Intelligence and Security (IGIS) for the performance of their functions.
- a. To support the effective performance of its statutory functions, ASD has been entrusted with significant powers. These significant powers are balanced by appropriate and effective oversight so as to ensure that ASD acts with legality, propriety and consistency with human rights.
37. Subsection (1) (paragraph (h)) allows ASD to communicate limited cyber security information to the Australian Criminal Intelligence Commission (ACIC) for the performance of its functions.
38. Subsection (1) (paragraph (i)) allows ASD to communicate limited cyber security information to a Commonwealth enforcement body for the performance of their functions. This purpose is restricted, however, to circumstances that relate to either the investigation or enforcement of the Division or a law that imposes a penalty or sanction for a criminal offence.
39. Paragraphs (b) to (i) do not limit how ASD may communicate limited cyber security information in the performance of any of ASD's functions under the IS Act as set out in paragraph (a).
40. The permitted cyber security purposes do not create an obligation on ASD to communicate limited cyber security information to any person who is not a staff member of ASD. ASD will maintain discretion as to whether (if at all) limited cyber security information is shared with others, and how much limited cyber security information is shared with others.
41. The permitted cyber security purposes strike a reasonable and necessary balance between facilitating the performance of the functions of ASD, the Australian intelligence community and broader government, and protecting the information shared by an impacted entity in relation to cyber security incident or potential cyber security incident. It is intended that these restrictions will provide improved awareness and assurance of how ASD shares information, and thereby facilitate greater information sharing between industry and ASD.
42. Subsection (2) provides restrictions on the use and communication of limited cyber security information for civil or regulatory action. It specifies the Director-General of ASD, or a staff member of ASD, must not communicate such information for the purpose of investigating or enforcing, or assisting in the investigation or the enforcement, of any contravention of a Commonwealth, State or Territory law where:
- a. the contravention is by an impacted entity that:
  - i. originally voluntarily provided the information to ASD;
  - ii. consented to the information being acquired or prepared by ASD; or
  - iii. originally voluntarily provided the information to the Coordinator; and
- b. the contravention is not a contravention by an impacted entity of:
  - i. this Division; or
  - ii. a law that imposes a penalty or a sanction for a criminal offence.
43. Subsection (2) is applicable only to the limited cyber security information that has been voluntarily provided to, or acquired or prepared by, ASD. This subsection ensures that information captured by the limited use obligation cannot be used for civil or regulatory action against the impacted entity. However, this does not prevent regulatory agencies from using their own powers to acquire the information directly from the impacted entity.
44. Subsection (3) specifies that subsection (1) does not authorise the Director-General of ASD, or a staff member of ASD, to communicate limited cyber security information to the extent that is prohibited or limited by or under this Act.
41BC Limitations on secondary use and communication of limited cyber security information
45. Section 41BC imposes limitations on the secondary use and communication of limited cyber security information by an entity (where the entity is a Commonwealth Corporation), Commonwealth body or State body. Further, this section gives effect to the limited use obligation by establishing a civil penalty for a contravention of the section.
46. Subsection (1) specifies that the circumstances in which the limited use obligation would apply to limited cyber security information includes where:
- a. the information has been acquired under subsection 41BA(1) or under this subsection by:
  - i. a Commonwealth body;
  - ii. a State body;
  - iii. an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; and
- b. the information is held by the entity, Commonwealth body or State body.
47. Subsection (1) does not apply to information that is held by the entity, Commonwealth body or State body to the extent that it has been otherwise acquired.
48. Subsection (2) imposes specific limitations on the use or communication of limited cyber security information by the entity, Commonwealth body or State body. This subsection provides that a recipient of the limited cyber security information from ASD may only use or communicate that information for a narrowly defined and constrained set of permitted cyber security purposes. This ensures that when limited cyber security information is on-shared, there are restrictions and protections on the information.
- a. The note to subsection (2) refers to the limitations in the new section 41BD(4), which provides that limited cyber security information must not be communicated to a State body unless a Minister of the State or Territory has consented to this Division applying to the State body.
49. Subsection (3) provides a restriction on the use and disclosure of limited cyber security information for civil or regulatory action. It specifies an entity, Commonwealth body or State body must not communicate such information for the purpose of investigating or enforcing, or assisting in the investigation or the enforcement, of any contravention of a Commonwealth, State or Territory law, subject to certain exceptions.
50. Subsection (3) ensures that information captured by the limited use obligation cannot be used for civil or regulatory action against the impacted entity. However, this does not prevent regulatory agencies from using their own powers to acquire the information directly from the impacted entity. Further, this does not prevent a Commonwealth law enforcement body from using the information to investigate or enforce a criminal offence perpetrated by an impacted entity.
51. Subsection (5) specifies that subsection (2) does not prohibit the use or communication of limited cyber security information where:
- a. the information is personal information about an individual, where the entity is an individual;
- b. the information is limited cyber security information, where the impacted entity has provided consent to an entity, Commonwealth body or State body, and:
  - i. originally voluntarily provided the information to ASD;
  - ii. consented to the information being acquired or prepared by ASD; or
  - iii. originally voluntarily provided the information to the Coordinator; or
- c. the information is for the purpose of carrying out a State's constitutional functions, powers or duties.
52. Subsection (5) (paragraph (b)) specifies that limited cyber security information can be used or communicated where the impacted entity has provided consent. This ensures that the impacted entity is able to share the limited cyber security information to others for purposes outside of those outlined in subsection (2).
53. Subsection (6) provides the circumstances in which an entity would be liable to a civil penalty. An entity will be liable to a civil penalty of 60 penalty units where:
- a. the entity contravenes subsection (2); and
- b. the entity is not a Commonwealth officer within the meaning of Part 5.6 of the Criminal Code Act 1995 (Criminal Code); and
- c. any of the following circumstances apply:
  - i. the information is sensitive information within the meaning of the Privacy Act about the individual, and the individual has not consented to the use or communication of that information;
  - ii. the information is confidential or commercially sensitive; or
  - iii. the use or communication of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
54. The Commonwealth Guide to Framing Offences, Infringement Notices and Enforcement Powers (the Guide) has been considered in framing the penalty provisions in this section. The principle set out in 3.1.2 of the Guide provides that penalties should be consistent with penalties for existing offences of a similar kind or of a similar seriousness. There are a large variety of secrecy offences across Commonwealth legislation, each with a civil penalty applied that is adapted and proportionate to the harm caused by the unauthorised record, use or disclosure of that information.
55. The quantum of the civil penalty in subsection (6) is designed to ensure appropriate levels of deterrence and be sufficiently high to justify the need for enforcement by a court. The penalty is also proportionate to the seriousness of the contravention in this Act. That is, it is the unauthorised disclosure or use of sensitive information, information that is confidential or commercially sensitive, or is information that the record, use or disclosure would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
56. The penalty unit amounts are consistent across all the civil penalty provisions within this Act. In addition, the penalty unit amount of 60 penalty units is considered to be proportionate to the consequence of contravention of the civil penalty provisions in this Act. At the time this explanatory memorandum was prepared, a penalty unit was $330, as of July 2024.
57. This section is not intended to displace the operation of any provision under the Criminal Code or any other Act of the Commonwealth and should be read to be consistent with such Acts.
41BD Application of section 41BC to the Crown
58. Section 41BD provides that the Crown is bound in right of each of its capacities, and is not liable to be prosecuted for an offence. Section 41BD also introduces a consent mechanism to allow for the communication of limited cyber security information to a State body under this Division.
59. Subsection (4) establishes a consent mechanism to ensure that limited cyber security information can be communicated, where necessary, to a State body. Limited cyber security information can only be communicated to a State body where:
- a. a Minister of the State body has informed the responsible Minister for ASD, in writing, that they consent to the provisions of this Division applying to them; and
- b. a Minister of the State body has not informed the responsible Minister for ASD, in writing, that they have withdrawn their consent to the provisions of this Division applying to them.
60. Subsection (4) ensures the limited cyber security information has the same protections at a State and Territory level as at the Commonwealth level.
61. Subsection (5) allows a Minister of a State or Territory to decide on the extent to which the Division is applicable to all bodies of that State or Territory.
41BE Legal Professional Privilege
62. Subsection (1) specifies that where an entity has provided limited cyber security information to ASD it does not otherwise affect a claim of legal professional privilege that anyone may make in any of the specified proceedings.
63. While protection of privilege information cannot be assured, the limitations on secondary use and communication, and the protections from admissibility under section 41BF are intended to provide a level of protection to the information and encourage disclosure.
41BF Admissibility of limited cyber security information voluntarily given by an impacted entity
64. Section 41BF limits the admissibility of limited cyber security information in criminal or civil proceedings against the impacted entity, subject to certain exceptions. The section specifies that limited cyber security information held by ASD, a Commonwealth body or State body, is inadmissible insofar as:
- a. the information relates to a cyber security incident; and
- b. the information either:
  - i. has been voluntarily provided to ASD by, or on behalf of, an entity; or
  - ii. has been acquired or prepared by ASD with the consent of the entity; and
- c. the information has been prepared by, as referred to in paragraph 41BA(2)(b), acquired by, as referred to in paragraph 41BA(2)(a) or (b), or acquired under subsection 41BB(1) or section 41BC by a Commonwealth body or a State body; and the information is held by the Commonwealth body or State body.
65. The section ensures adequate protections around the information shared to ASD, and subsequently on-shared under limited use obligation, are established to encourage open and timely sharing of information between ASD and industry without fear of exposure to litigation. However, the limited use obligation is not intended to be a safe harbour to shield an entity from legal liability. This obligation is not intended to restrict law enforcement or regulators gathering information directly from the originating entity using their existing powers, and information gathered in that way would not be covered by the restriction on admissibility.
66. The inclusion of notes under this section serves to clarify the application of the provisions, and note the fact that ASD is a Commonwealth body.
67. Subsection (2) provides that limited cyber security information is not admissible as evidence against the impacted entity in Commonwealth, State or Territory criminal proceedings, subject to limited exceptions dealing with false or misleading information, or in certain Commonwealth, State or Territory civil proceedings dealing with obstruction of Commonwealth public officials.
68. Subsection (2) (paragraph (a)) does not prevent a Commonwealth enforcement body from using limited cyber security information in investigating or enforcing a contravention of a criminal law; however, such information would not be admissible in proceedings for contravention by the impacted entity of a criminal law. This ensures the limited use obligation does not provide a shield against criminal activity by the impacted entity, or fetter a Commonwealth enforcement body's existing powers to seek the information directly from the impacted entity.
69. Subsection (2) (paragraphs (b), (c) and (d)) provides that limited cyber security information is not admissible in civil proceedings for a contravention of a civil penalty, or for proceedings for a breach, of any other Commonwealth, State or Territory law, or in proceedings before a Tribunal.
70. Subsection (3) notes that the limitation on admissibility of limited cyber security information does not apply to:
- a. a coronial inquiry or a Royal Commission in Australia; or
- b. proceedings in the federal court exercising original jurisdiction involving a writ of mandamus or prohibition or injunction sought against a Commonwealth Officer.
41BG Director-General of ASD and staff members of ASD not compellable as witnesses in relation to limited cyber security information
71. Section 41BH prevents the Director-General and staff members of ASD, both former and current, from being compelled to comply with certain court orders in relation to limited cyber security information. Similar to section 41BF, this section provides an additional protection around limited cyber security information that an entity shares with ASD.
41BH How this division applies to non-legal persons
72. Section 41BI specifies how permissions and rights are conferred and exercised, and how obligations and duties are imposed and discharged, on an entity that is a non-legal person. The section also applies a civil penalty provision on a non-legal person that contravenes this Division.
41BI Contravening a civil penalty of this Division
73. For the purposes of enforcing the civil offence of this Division, the Department of Home Affairs will be the responsible regulatory body.
Schedule 2 Other Amendments
Freedom of Information Act 1982
Item 1 After subsection 7(2G)
1. This item inserts a new subsection (2H) into section 7 of the Freedom of Information Act 1982. This subsection sets out that a document given to, or received by, the National Cyber Security Coordinator (the Coordinator) for the purposes set out under Part 4 of the Cyber Security Act 2024 is exempt from the operation of the Freedom of Information Act 1982.
2. Part 4 of the Cyber Security Act 2024 establishes a complementary regime to the new Division 1A of Part 6 of the IS Act. That Part establishes a 'limited use' obligation that restricts how cyber security incident information provided to the Coordinator during a cyber security incident can be used or disclosed. The intention of the regime is to provide confidence to entities that engage with the Coordinator that the information will only be used for permitted cyber security purposes. Such information is inadmissible in proceedings against that entity and certain entities that handle the information are not compellable as witnesses in relation to that information.
3. Part 4 of the Cyber Security Act 2024 is intended to incentivise rapid information sharing to ensure that the affected entity, the Coordinator and any recipients of the information for prescribed cyber security purposes are able to respond to, mitigate or resolve the cyber security incident as quickly as possible. For non-government entities, the chief objective is to incentivise rapid and open information sharing and to minimise fear of regulatory reprisal. As such, information is likely to be provided very quickly by affected entities, during a cyber incident, when they will not necessarily have the time to thoroughly vet, caveat or classify the information that is provided to the Coordinator.
4. New subsection (2H) of section 7 of the Freedom of Information Act 1982 provides a complementary additional safeguard for the information collected under that regime. While there are a series of robust exemptions under Part 4 of the Freedom of Information Act 1982, they are not complete and are not sufficient to capture all types of information that may be provided during a cyber incident. It is possible that an entity would provide information to the Coordinator that is not subject to an existing exemption, where that information is pertinent to the response to, mitigation of or resolution of a cyber security incident, but where that entity would refuse to voluntarily provide that information as a result of a concern that the information could become public through a request under the Freedom of Information Act 1982.
5. Furthermore, certain exemptions within that Act are conditional on a public interest test. The objective of this carve-out for information obtained under Part 4 of the Cyber Security Act 2024 is to ensure that the entity does not have to undergo an assessment of whether such a conditional exemption would apply, and can have full confidence that the information will be handled confidentially by government.