Senate debates
Monday, 25 November 2024
Bills
Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; In Committee
12:53 pm
David Shoebridge (NSW, Australian Greens)
The next two amendments, although they're to different pieces of legislation—one to the Cyber Security Bill and one to the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill—effectively do the same thing, although in reverse. I think it would be most convenient if I move the amendment on sheet 3171 first, in relation to the Cyber Security Bill. I move:
(1) Page 46 (after line 14), after clause 39, insert:
39A Limitations on disclosure to ASD
(1) Despite any other provision of this Act, the National Cyber Security Coordinator must not disclose information that has been:
(a) provided to the Coordinator under this Act; and
(b) provided by, or on behalf of, an entity;
to the Director-General of ASD, or a staff member of ASD, unless:
(c) the entity has consented to the disclosure; or
(d) if urgent or other exceptional circumstances exist—the Coordinator has taken reasonable steps to obtain the consent of the entity to the disclosure, but the entity has not responded to the request for consent.
(2) If the Coordinator discloses information under this section in urgent or other exceptional circumstances without the consent of the entity, the Coordinator must notify the entity of the disclosure as soon as practicable after the disclosure occurs.
This amendment would require the National Cyber Security Coordinator, before disclosing to the ASD information obtained by an entity, to seek the consent of that entity and take reasonable steps to obtain that consent. Why do we say this is important? This is about building that environment of trust and relationship of trust, and stakeholders have said that this is important. If they're going to have confidence in sharing information with the National Cyber Security Coordinator, they want that relationship of trust, and that would include in every reasonable case seeking the consent of the entity before the information is passed on to the ASD, because, of course, the ASD then would use it for quite distinct purposes from which the National Cyber Security Coordinator would use it.
This amendment also recognises that there may be urgent or other exceptional circumstances where it's not possible to get that consent, even though reasonable efforts will have been made, and will permit the sharing even where there isn't consent in those urgent and exceptional circumstances. But it then says that if that happens they have to inform the entity about the information being shared. I heard from both the opposition and the government that they will be opposing this because they say that there needs to be the ability to share information in urgent and exceptional circumstances. I point out that the amendment incorporates that concern. What I also don't understand is why the government and the opposition are resisting at least telling entities that the information has been shared. There's nothing in the Cyber Security Bill that tells entities when the information has been shared without their consent. If you want a relationship of trust, if you want the information to flow, keeping entities in the dark does not assist. So I commend that amendment to the chamber.
I'll speak briefly to the amendment on sheet 3172, which does exactly the same thing for the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, only in that case it provides that, where the Director-General of the ASD has information, they can't communicate that information to the National Cyber Security Coordinator without consent. Again, it provides for the 'urgent and exceptional circumstances' exception to that and then also requires, as do the amendments on sheet 3171, the Director-General to inform an entity if the information has been provided without their consent.