Revised Explanatory Memorandum
(Circulated by authority of the Minister for Home Affairs and Minister for Cyber Security, the Honourable Tony Burke MP)
Attachment A
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024
This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
The Bill proposes amendments to the Intelligence Services Act 2001 (IS Act) and consequential amendments arising from the Cyber Security Act 2024 (CS Act) to place restrictions on the use and communication of certain cyber security information.
The Bill prescribes limited purposes, referred to as permitted cyber security purposes, for which the Australian Signals Directorate (ASD) can communicate certain information relating to cyber security incidents. This information is referred to as limited cyber security information. Amongst other measures, the Bill prevents ASD from communicating limited cyber security information for the purposes of investigating or enforcing a contravention of a Commonwealth, State or Territory law (other than a criminal offence) against the impacted entity.
The Bill also provides limitations on secondary use and communication of limited cyber security information. For example, the information cannot be used or communicated for the purposes of investigating or enforcing a contravention of a Commonwealth, State or Territory law (other than a criminal offence) by the impacted entity.
The Bill places specific limitations on the admissibility of limited cyber security information in certain civil or criminal proceedings. The admissibility restrictions apply where limited cyber security information is held by ASD but has not yet been communicated to another entity. The Bill also specifies that the provision of cyber security information does not otherwise affect a claim of legal professional privilege in relation to that information.
The Bill further provides that staff members of ASD are not compellable as witnesses in relation to limited cyber security information in a direction, or civil or criminal proceeding, of a federal court or a court of a State or Territory.
These measures are designed to encourage industry engagement with ASD in relation to cyber security incidents. They do so by providing an impacted entity with the assurance that the information it provides to ASD will only be communicated for a set of prescribed purposes, and that there are protections in place that limit the circumstances in which the information could be used against it for contraventions of Commonwealth, State or Territory laws.
Human Rights Implications
The Bill's amendments would engage the following human rights in the International Covenant on Civil and Political Rights (ICCPR):
a. The right to a fair and public hearing under Article 14(1) and the right not to be compelled to testify under Article 14(3)(g);
b. The prohibition on interference with privacy under Article 17; and
c. The right to freedom of expression under Article 19(2).
Schedule 1 Right to a fair and public hearing and the right not to be compelled to testify
Some of the proposed measures of the Bill engage the right to a fair and public hearing contained in Article 14(1) and the right not to be compelled to testify in Article 14(3)(g) of the ICCPR, which provides (in part):
(1) All persons shall be equal before the courts and tribunals. In the determination of any criminal charge against him, or of his rights and obligations in a suit at law, everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.
(3)(g) In the determination of any criminal charge against him, everyone shall be entitled not to be compelled to testify against himself or to confess guilt.
A broad range of protections, including, but not limited to, the right that no person shall be compelled to testify against themselves or to confess guilt, to be presumed innocent until proved guilty, and to have their conviction and sentence reviewed by a higher tribunal, are contained in Article 14 of the ICCPR. Any limitation to the right to a fair and public hearing is permissible insofar as the limitation is reasonable, proportionate and for a legitimate objective.
Schedule 1, Item 2, would engage the right to a fair and public hearing. New section 41BF imposes specific limitations on the admissibility of limited cyber security information in civil or criminal proceedings against an impacted entity in a federal court or a court of a State or Territory.
To the extent that section 41BF provides additional safeguards against the use in criminal proceedings of limited cyber security information voluntarily given by an impacted entity, other than in the manner set out in that section, Article 14(3)(g) will be engaged where the entity is an individual. Because these measures expand the application of admissibility protections, the Bill promotes human rights by providing additional safeguards.
New section 41BG provides that the Director-General of ASD, and staff members of ASD, are generally not compellable as witnesses in relation to limited cyber security information.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BF and 41BG is increasing cyber security incident reporting to ASD, and mitigating the associated consequences and adverse harms caused by such incidents.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable limited cyber security information to be voluntarily provided in order to facilitate the preparation for and response to cyber security incidents and vulnerabilities by the Commonwealth.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be provided in certain court proceedings are reasonable, necessary and proportionate given the parameters of the limitations.
With respect to new section 41BF, the range of court proceedings has been confined to those of most concern to industry and designed only to apply to the impacted entity. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used in criminal or civil proceedings. The measure works in favour of an impacted entity and, as such, does not adversely impact the right of an impacted entity or any other entity to a fair trial. The section does not limit or affect any right, privilege or immunity that the impacted entity has, apart from those in the relevant sections, as a defendant in any proceedings.
With respect to new section 41BG, the restrictions on the compellability of staff members of ASD have been limited to court proceedings of most concern to industry and designed only to apply to evidence relating to limited cyber security information. The measure is intended to protect national security by preventing information relating to the internal processes of ASD from being inadvertently disclosed, and to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being compelled from staff members of ASD as evidence in civil or criminal proceedings. The measure works in favour of an impacted entity and, as such, does not adversely impact the right of an impacted entity or any other entity to a fair trial.
Schedule 1 Right to Freedom of Expression
Some of the proposed measures of the Bill engage the right to freedom of expression contained in Article 19(2) of the ICCPR, which provides (in sum):
(2) Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art or through any other media of his choice.
The right in Article 19(2) protects freedom of expression in any medium, for example, written and oral communications, the media, public protest, broadcasting, artistic works and commercial advertising.
Under Article 19(3) freedom of expression may be limited as provided for by law and where necessary to protect the rights and reputations of others, national security, public order, or public health or morals. Limitations must be prescribed by legislation, necessary to achieve the desired purpose and proportionate to the need on which the limitation is predicated.
Schedule 1, Item 2, would limit the right to freedom of expression. New section 41BB imposes specific limitations on the communication of limited cyber security information by staff members of ASD.
New section 41BC imposes specific limitations on the secondary use or communication of limited cyber security information by an entity that is a corporation to which paragraph 51(xx) of the Constitution applies, Commonwealth body or State body.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BB and 41BC is increasing cyber security incident reporting to ASD, mitigating the associated consequences and adverse harms caused by such incidents, and protecting national security.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable the communication of limited cyber security information by staff members of ASD, and the communication or use of limited cyber security information by the entity, Commonwealth body or State body, in order to facilitate the preparation for and response to cyber security incidents and vulnerabilities by the relevant authority, agency, body or entity.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be communicated or used are reasonable, necessary and proportionate given the narrow parameters of the permitted cyber security purposes.
With respect to new section 41BB, the range of permitted cyber security purposes has been narrowly confined to the purposes of ASD's statutory functions as already defined in the IS Act and other purposes necessary to deal with a cyber security incident. Most purposes relate to the sharing of limited cyber security information with certain State bodies or Commonwealth entities to assist (or another equivalent) in the performance of their functions. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used (amongst other measures) for the purposes of a Commonwealth enforcement body enforcing or investigating a penalty or sanction (other than a penalty or sanction for a criminal offence) against the impacted entity. The measure strikes an appropriate balance between protecting an impacted entity from regulatory action relating to the disclosed information and preserving the ability to communicate such information for the investigation or enforcement of a criminal offence.
With respect to new section 41BC, the range of permitted cyber security purposes has been narrowly confined to the purposes of the recipient entities' functions as already defined in their relevant legislation. These purposes will not confer any new functions on the recipient entities. The measure is intended to encourage disclosure of cyber security incidents and vulnerabilities by preventing information provided during that disclosure from being used (amongst other measures) for the purposes of a Commonwealth enforcement body enforcing or investigating a penalty or sanction (other than a penalty or sanction for a criminal offence) against the impacted entity. The measure is further intended to protect national security by preventing the use or communication of confidential or commercially sensitive information, or information that would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth. New subsection 41BC(6) imposes a civil penalty of 60 penalty units for a breach of an obligation in new section 41BC; this penalty has been deliberately calibrated to reflect the minimum required to ensure compliance with the obligations.
Schedules 1 and 2 Prohibition on Interference with Privacy
Some of the proposed measures of the Bill engage the right to privacy contained in Article 17 of the ICCPR, which provides (in part):
(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
(2) Everyone has the right to the protection of the law against such interference or attacks.
While the United Nations Human Rights Committee (HRC) has not defined privacy, it should be understood to comprise freedom from unwarranted and unreasonable intrusions into activities that society recognises as falling within the sphere of individual autonomy. In order for an interference with the right to privacy to not be considered arbitrary or unlawful, the interference should be in accordance with the aims, objectives and provisions of the ICCPR, and should be reasonable in the circumstances. The right to privacy may be limited in the pursuit of a legitimate objective and, further, where the limitation is rationally connected to a legitimate objective and is not arbitrary.
Schedule 1, Item 2, would engage the right to privacy. New section 41BB imposes specific limitations on the communication of limited cyber security information by staff members of ASD. New section 41BC imposes specific limitations on the secondary use or communication of limited cyber security information by an entity, Commonwealth body or State body. Both new sections 41BB and 41BC provide for the disclosure of limited cyber security information, which may in some circumstances include personal information. The inclusion of such information would never be the focus of limited cyber security disclosures, and would most likely be incidental to the communication of other information. The nature of the personal information which will be subject to disclosure will depend on the circumstances of the cyber security incident.
Part 4 of the Cyber Security Act 2024 (CS Act) establishes a complementary regime to the new Division 1A of Part 6 of the IS Act. Part 4 establishes a 'limited use' obligation that restricts how information provided to the National Cyber Security Coordinator (the Coordinator) during a cyber security incident can be used or disclosed, to provide confidence to entities that the information will only be used for permitted cyber security purposes. Limited use information may include incidental personal information.
Schedule 2 of the Bill amends the Freedom of Information Act 1982 (FOI Act) to include an exemption from Freedom of Information requests for a document given to, or received by, the Coordinator. Under new subsection 7(2H)(a) of the FOI Act, a document given to, or received by, the Coordinator for the purposes set out under Part 4 of the CS Act is exempt from the operation of the FOI Act.
Currently, certain exemptions within the FOI Act concerning personal information are conditional on a public interest test. This measure provides an unconditional exemption for information obtained under Part 4 of the CS Act. The exemptions mean that certain documents which may contain personal information cannot be released in relation to an FOI request, promoting the right to privacy for any individuals whose personal information has been supplied in accordance with Part 4 of the CS Act.
Rational Connection to a Legitimate Objective
The legitimate objective of new sections 41BB and 41BC is increasing cyber security incident reporting to ASD, mitigating the associated consequences and adverse harms caused by such incidents, and protecting national security.
ASD requires access to information relating to cyber security incidents and vulnerabilities in order to appropriately prepare for and respond to those incidents or any future incidents of that kind. ASD requires legislative provisions that enable the communication of limited cyber security information by staff members of ASD, and the communication or use of limited cyber security information by an entity that is a corporation to which paragraph 51(xx) of the Constitution applies, Commonwealth body or State body, in order to facilitate the preparation for and response to cyber security incidents and vulnerabilities by the relevant authority, agency, body or entity.
The disclosure in limited circumstances of personal information associated with limited cyber security information is connected to this legitimate objective.
Reasonable, Necessary and Proportionate to the Objectives of the Limitation
Specific restrictions on how limited cyber security information could be communicated or used are reasonable, necessary and proportionate given the narrow parameters of the permitted cyber security purposes.
In some circumstances it will be important to include personal information in communications about a cyber security incident as it may provide relevant context about the nature or gravity of the cyber incident. In other circumstances personal information may be so intermingled with other information that it would not be practicable to filter it out without losing relevant context. ASD will continue to apply appropriate practices to ensure that any personal information that is used, stored or disclosed is done in line with relevant standards, consistent with ASD policy reflecting Privacy Act requirements.
The new Division 1A does not apply to information if the information is about an entity, which includes an individual, which has been de-identified so that it is no longer about an identifiable entity or an entity that is reasonably identifiable.
Conclusion
The Bill is compatible with human rights as it promotes the protection of human rights and, to the extent it may limit those human rights, those limitations are reasonable, necessary and proportionate.