Senate

Security Legislation Amendment (Critical Infrastructure) Bill 2020

Revised Explanatory Memorandum

(Circulated by authority of the Minister for Home Affairs, the Honourable Karen Andrews MP)
This memorandum takes account of amendments made by the House of Representatives to the bill as introduced.

Attachment B - Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Security Legislation Amendment (Critical Infrastructure) Bill 2021

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Bill proposes amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), including to:

Introduce additional critical infrastructure assets, which means that the existing powers under the SOCI Act, and the new powers to be introduced under this Bill, will apply to a broader range of assets. The Bill introduces definitions for the following critical infrastructure sectors and assets:

o Communication sector: critical telecommunication assets, critical broadcasting assets, broadcasting transmission assets and critical domain name system
o Data storage or processing sector: critical data storage or processing assets
o Defence industry sector: critical defence industry assets
o Financial services and markets sector: critical banking assets, critical superannuation assets, critical insurance assets and critical financial market infrastructure assets
o Food and grocery sector: critical food and grocery assets
o Higher education and research sector: critical education assets
o Health care and medical sector: critical hospitals as critical infrastructure assets
o Transport sector: critical freight infrastructure assets, critical freight services assets, and critical public transport assets
o Energy sector: critical liquid fuel assets, and critical energy market operator assets, and
o Space technology sector: critical space technology assets.

In addition to the reporting obligations to the Register of Critical Infrastructure Assets in Part 2 of the current SOCI Act, the Bill will introduce a new positive security obligation (PSO) on owners and operators of critical infrastructure assets to report cyber security incidents to the Government. This will facilitate an enhanced understanding of cyber security threats to critical infrastructure to better inform both proactive and reactive cyber response options.
Introduce a regime to support the Government responding to serious cyber security incidents which would allow the Government, in limited circumstances, to take actions to protect critical infrastructure assets that are subject to serious cyber security incidents.
Enable the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to conduct a review of the operation, effectiveness and implications of the Bill not less than three years from when the Bill receives Royal Assent.

These amendments will implement an enhanced critical infrastructure security framework which will enhance the security and resilience of critical infrastructure in Australia, build situational awareness and enable the Government to assist industry to effectively prevent, defend against and recover from serious cyber security incidents. This will allow the Government to maintain the continuity of essential services that support Australia's economy, security and sovereignty.

Human rights implications

This Bill broadly supports the following rights:

the right to an adequate standard of living, including the right to adequate food in Article 11 of the International Covenant on Economic, Social and Cultural Rights (ICESCR), and
the right to the enjoyment of the highest attainable standard of physical and mental health, including medical service and attention in the event of sickness in Article 12 of ICESCR.

This Bill also engages the following rights:

the right to a fair and public hearing in Article 14 of the International Covenant on Civil and Political Rights (ICCPR), and
the right to privacy in Article 17 of the ICCPR.

The right to an adequate standard of living, including the right to adequate food

Article 11 of the ICESCR provides for the right of everyone to an adequate standard of living, including adequate food. It commits States Parties to the Covenant to improve methods of production, conservation and distribution of food.

The introduction of critical food and grocery assets recognises the role that these assets play in delivering essential supplies that maintain and sustain life. The regime introduced by the Bill will assist to protect the availability of food throughout Australia, through improving business resilience and protecting the assets should they be subject to a significant cyber attack. This will reduce the likelihood of a disruption to distribution networks and other key operations of Australia's major supermarkets which could impact the availability of critical food and groceries.

The right to physical and mental health

Article 12 of the ICESCR provides for the right of everyone to the enjoyment of the highest attainable standard of physical and mental health, including medical service and medical attention in the event of sickness.

Hospitals are crucial to Australia's ability to fulfil this obligation as they provide critical care for patients with a variety of medical, surgical and trauma conditions, and are therefore integral to the sustainment of life.

The introduction of critical hospitals as critical infrastructure assets, but also other critical infrastructure assets with a high degree of interdependency with critical hospitals, will assist to protect these important assets, and in turn, the physical and mental health of all persons in Australia.

For example, an attack on a critical hospital could pose a risk to life. Similarly, the consequences of a prolonged and widespread failure in the energy sector could cause shortages or destruction of essential medical supplies. Improving business resilience and protecting the asset should it be subject to a significant cyber attack will reduce the likelihood of a disruption to the provision of essential medical services and ensure appropriate services remain available in the event of sickness.

The right to a fair and public hearing

Article 14 of the ICCPR provides for the proper administration of justice by upholding, among other things, the right to a fair and public hearing. These rights include that all persons are equal before courts and tribunals and have a right to a fair and public hearing before a competent, independent and impartial tribunal established by law. Article 14 also includes the right of protection against self-incrimination stating that no person shall be 'compelled to testify against himself or confess guilt'.

Any limitations to the right to a fair and public hearing under Article 14 are permissible if the limitations are reasonable, proportionate and for a legitimate objective.

The right to a fair and public hearing is attached only to individuals, not to businesses. However 'entity' as defined in current section 5 of the SOCI Act includes individuals, as well as body corporates, partnerships and trusts. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is only in very rare instances (for example, where a critical infrastructure asset is owned or operated by an individual rather than a corporation) that the measures in the Bill that relate to the right to a fair and public hearing would apply to individuals.

In these rare instances, the following measures in the Bill may engage the right to a fair and public hearing and protection against self-incrimination under Article 14 of the ICCPR and will be discussed in greater detail below:

Government assistance measures will permit the Government to provide active assistance as a last resort in response to the most serious and significant of cyber security incidents that are or may impact a critical infrastructure asset and Australia's national interest (new Part 3A of the SOCI Act).
The existing Ministerial directions power allows the Minister to issue a direction to an owner or operator of a critical infrastructure asset to mitigate risks that are prejudicial to security (current Part 3 of the SOCI Act).
The existing Secretary's power to obtain information or documents will empower the Secretary to request certain information from reporting entities and operators of critical infrastructure assets (current Part 4 of the SOCI Act).

Government assistance: Ministerial authorisation relating to serious cyber security incidents

Under new Part 3A of the SOCI Act, the Minister has the power to authorise the Secretary of Home Affairs to issue:

a direction to an entity requiring them to provide certain information
a direction to an entity to take particular measures, or
a request to the chief executive of the Australian Signals Directorate (ASD) to take specified action to respond to the serious cyber security incident.

Any decision made under new Part 3A of the SOCI is not a 'decision to which this Act applies'. This means that a decision made under new Part 3A in response to a 'serious cyber security incident' is not subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act) and therefore limits an entity's right to a fair and public hearing.

When making a decision under new Part 3A of the SOCI Act, the Minister must be satisfied that there is a material risk that a 'cyber security incident' (as defined by new section 12M) has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice, the social or economic stability of Australia or its people, the defence of Australia or Australia's national security. Decisions of this nature are likely to be based on sensitive and classified information and deal with the capabilities of intelligence agencies as well as security vulnerabilities. This could include intelligence information and covert investigation methods and procedures, the disclosure of which may impact ongoing investigations, compromise intelligence methodologies or otherwise damage Australia's national security and defence. The same applies equally to decisions of the Secretary and the authorised agency under new Part 3A who operationalise the Ministerial authorisations.

For this reason, it is reasonable to exempt decisions made under new Part 3A of the SOCI Act from review under the ADJR Act as the public dissemination of the sensitive information and capabilities that may be used to make decisions under new Part 3A would pose a risk to the national security and defence of Australia.

However new Part 3A does not have the effect of entirely excluding judicial review of decisions under Part 3A of the SOCI Act. A person who is the subject of a decision under Part 3A is still entitled to seek judicial review under section 39B of the Judiciary Act 1903 or subsection 75(v) of the Constitution.

Furthermore, this limitation to the right to a fair and public hearing is reasonable, proportionate and for a legitimate objective, as the ministerial authorisation power is only permissible if:

a cyber security incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new paragraphs 35AB(1)(a)-(b));
there is a material risk that the incident has seriously prejudiced, is seriously prejudicing or is likely to seriously prejudice the social or economic stability of Australia or its people; the defence of Australia; or Australia's national security (new paragraph 35AB(1)(c));
no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident (new paragraph 35AB(1)(d));
the Ministerial authorisation ceases after a maximum period of 20 days (new subsection 35AG(2)), unless the Minister has revoked the authorisation earlier, or where an emergency continues beyond this time period, the Minister makes another authorisation in relation to the particular incident (new subsection 35AG(3));
the Minister has, before giving a ministerial authorisation, consulted with the specified entity unless the resulting delay would frustrate the effectiveness of the Ministerial authorisation (new section 35AD);
the specified entity is unwilling or unable to take all reasonable steps to respond to the incident (new paragraph 35AB(7)(a) and paragraphs 35AB(10)(b)-(c)); and
the specified direction is reasonably necessary for the purposes of responding to the incident (new paragraph 35AB(7)(b) and paragraph 35AB(10)(d)); the specified direction is a proportionate response to the incident (new paragraph 35AB(7)(c) and paragraph 35AB(10)(e)); and compliance with the specified direction is technically feasible (new paragraph 35AB(7)(d) and paragraph 35AB(10)(f)).

Directions by the Minister

The current SOCI Act places regulatory obligations on specific entities in the electricity, gas, water and ports sectors.

As Government has improved visibility of how interconnected Australia's critical infrastructure is, this has highlighted a need to expand the types of critical infrastructure entities subject to the Act to include critical infrastructure entities in a wider range of sectors. Entities across all critical infrastructure sectors are facing increasing threats and require enhanced protections.

By broadening the scope of the SOCI Act, the Minister's existing powers to issue directions to reporting entities or operators of critical infrastructure assets to do, or refrain from doing, an act or thing (Part 3, Division 2 of the SOCI Act) are expanded to a larger number of entities.

The human rights implications of the Minister's directions powers are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the right to a fair trial is supported through the legislated safeguards which apply prior to the Minister issuing a direction and the availability of appropriate review mechanisms. The changes in the Bill do not alter this position.

Gathering and using information powers

By broadening the scope of the SOCI Act, the Secretary's powers to obtain information or documents from entities, even if doing so would expose an individual or a body corporate to criminal or civil liability (Part 4, Division 2 of the current SOCI Act), are expanded to a larger number of entities.

The additional critical infrastructure assets to be included in the SOCI Act are assets that have been determined to be fundamental to the Australian economy, security and sovereignty.

The human rights implications of the powers relating to information gathering and use are outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the right to a fair trial is supported through the broad protections for individuals against criminal or civil proceedings if the information is self-incriminating. The changes in the Bill do not alter this position.

Right to privacy

Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy. Interferences with privacy may be permissible provided that they are authorised by law and are not arbitrary. For an interference with the right to privacy not to be arbitrary, the interference must be for a reason consistent with the provisions, aims and objectives of the ICCPR and be reasonable in the particular circumstances. [9]

The United Nations Human Rights Committee has interpreted 'reasonableness' in this context to mean that 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'. The term unlawful means that no interference can take place except as authorised under domestic law.

Article 17 of the ICCPR does not set out the reasons for which the guarantees in it may be limited. However, limitations contained in other articles, for example, those which are necessary in a democratic society in the interests of national security, public order, the protection of public health or the protection of the rights and freedoms of others, may be considered legitimate objectives in appropriate circumstances in respect of the prohibition on interference with privacy.

Article 17 of the ICCPR only applies to interference with privacy for individuals. Whilst the definition of 'entity' under the current SOCI Act includes individuals, it is highly unlikely that the measures in the Bill would apply to individuals. The exception to this is the requirement for the provision of information on the board members of an entity under the Register of Critical Infrastructure Assets.

The responsible entity for a critical infrastructure asset will be an individual (e.g. in the water sector) in a very small number of cases. The vast majority of critical infrastructure assets are managed by corporations, to which the right to privacy does not apply.

Where the responsible entity for a critical infrastructure asset is an individual, the following measures in the Bill may engage the right to privacy under Article 17 of the ICCPR:

Government assistance: Ministerial authorisation relating to cyber security incidents (new Part 3A, Division 2 of the SOCI Act);
the increased coverage of the existing obligation of a reporting entity for a critical infrastructure asset to give information and notify of events for the Register of Critical Infrastructure Assets (Part 2, Division 2 of the current SOCI Act); and
the increased coverage of the existing Secretary's powers to obtain information or documents (Part 4, Division 2 of the current SOCI Act).

Government assistance: Ministerial authorisation relating to cyber security incidents

To prevent or mitigate a serious cyber security incident that has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new section 35AB(1)), the Minister has the power to authorise the Secretary of Home Affairs to use:

Information gathering direction power (new sections 35AB(2)(a) or (b) and 35AK), that is, to direct an entity to provide information that may assist with determining whether a power under the Act should be exercised in relation to an incident and the asset;
Action direction power (new sections 35AB(2)(c) or (d) and 35AQ), that is, to direct an entity to do, or refrain from doing, a specified act or thing within the period specified in the direction;
Intervention direction power, that is, to request that the chief executive of ASD take direct action (new sections 35AB(e) or (f) and 35AX). For a request that is in force under new section 35X, an ASD staff member may require an entity to provide the staff member with access to premises or electronic networks, and provide them with specified information or assistance. This does not apply to premises that are used solely or primarily as a residence.

This is a permissible limitation to the right to privacy, as prior to making the authorisation the Minister must be satisfied that:

A cyber-security incident has occurred, is occurring or is imminent (new section 35AB(1)(a)).
That the incident has had, is having, or is likely to have a relevant impact on a critical infrastructure asset (new section 35AB(1)(b)). New subsection 8G(2) provides the definition of a relevant impact in this context, which includes an impact on the availability, integrity, reliability or confidentiality of the asset. Therefore this power can only be used to protect Australia's critical infrastructure assets.
That there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia, or Australia's national security (new section 35AB(1)(c)). This requirement ensures that the regime can only be used in the most serious of circumstances where Australia's national interests are being seriously prejudiced. In such circumstances, the Government's responsibility to protect Australia's national interests is engaged.
That the action would be a technically feasible, proportionate (considering the impact of compliance with the request and the consequences of compliance) and a reasonably necessary response to the incident, and that the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident (new subsections 35AB(7) and 35AB(10)).
For intervention requests, that the Minister has obtained the agreement of the Prime Minister and the Defence Minister before giving the Ministerial authorisation (new section 35AB).

In the vast majority of cyber security incidents, industry should and will respond to cyber security incidents, with the support of Government where necessary. However, in exceptional circumstances, the enhanced framework will provide the Government with the power to take appropriate steps to prevent and address immediate and serious cyber security incidents that threaten serious harm to Australia's interests, mitigate the impacts of such incidents on critical infrastructure, and restore the functioning of those assets.

Register of Critical Infrastructure Assets - obligations to give information and notify of events

Whilst the collection of personal information will be rare, Part 2 of the current SOCI Act requires the responsible entity of critical infrastructure assets to provide the Secretary of Home Affairs with certain operational information in relation to the asset, and interest and control information in relation to the entity and the asset.

Through the inclusion of additional critical infrastructure assets in Part 1, Division 2, section 9 of the current SOCI Act, the Register obligations will be able to be extended in their current form to these additional assets.

The requirements of the Register will result in the incidental collection of personal information. The resulting limitation to the right to privacy in Article 17 of the ICCPR is outlined in the Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017. This outlines that the Government has taken sufficient steps to ensure that the limitations on the right to privacy are no more restrictive than necessary, as the use and disclosure of information on the Register is restricted to purposes authorised under the SOCI Act. The changes in the Bill do not alter this position.

Secretary's powers to obtain information or documents

By broadening the assets regarded as critical infrastructure assets under the SOCI Act, the Secretary's powers to obtain information or documents from entities (Division 2 of the SOCI Act) are expanded to a larger number of entities.

Subsection 37(1) of the current SOCI Act empowers the Secretary to request certain information from reporting entities and operators of critical infrastructure assets. The Statement of Compatibility with Human Rights for the Security of Critical Infrastructure Bill 2017 outlines why the Secretary's information gathering power is a permissible limitation to the right to privacy, including because the information gathering power is limited to obtaining information or documents that are directly relevant to the purposes of the legislation, as stated in the objects of the Act, as well as the functions, duties, powers and purposes prescribed in the Act. The changes in the Bill do not alter this position.

Conclusion

The Bill is compatible with human rights because it will promote rights and, to the extent that the Bill limits rights, those limitations are reasonable, necessary and proportionate to the objective of reducing national security risks from foreign involvement in critical infrastructure.
