Mitch Fifield (Victoria, Liberal Party, Minister for Communications) Share this | Link to this | Hansard source

I present the government’s response to the advisory report of the Parliamentary Joint Committee on Intelligence and Security on its inquiry into the Security and Critical Infrastructure Bill 2017. I seek leave to incorporate the document in Hansard.

Leave granted.

The document read as follows—

Australian Government response to the Parliamentary Joint Committee on Intelligence and Security ' s Advisory report on the Security of Critical Infrastructure Bill 2017

Recommendation 1

The Committee recommends that the Department of Home Affairs, in consultation with the Department of Defence and the Department of the Environment and Energy, review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities. As part of developed measures, the Department should consider whether critical fuel assets should be subject to the Security of Critical Infrastructure Bill 2017.

The Committee considers that the Department should conclude this review within 6 months.

The Department should brief the Committee on the outcomes of the review following its conclusion.

The Government accepts this recommendation in-principle

The risk of espionage, sabotage and coercive influence in Australia's domestic liquid fuel refinement part of the supply chain has been assessed as relatively low, due to the sector's diversity and the resilience of the market system to respond to any disruption at a particular location. However, the sector is heavily reliant on imports, and critical port infrastructure. The infrastructure at ports that support imports of liquid fuel was a key factor in determining which ports are captured by the Bill. The critical ports captured by the Bill provide 92% of total liquid fuels imports.

The Department of Defence has significant operational and strategic fuel holdings compared to most commercial organisations, and has sufficient fuel to meet our current and expected commitments in the present strategic circumstances.

Notwithstanding these factors, the Government agrees that fuel supply is a critical issue. As such, the Committee's concerns, including whether liquid fuel assets should be covered by the Bill, will be considered in the next National Energy Security Assessment. This work will be led by the Department of the Environment and Energy, in close consultation with the Department of Home Affairs and the Department of Defence.

Recommendation 2

The Committee recommends that the Department of Home Affairs examine the viability of developing a common data entry portal for use across Commonwealth, state and territory databases that require information from the same reporting entities.

The Government accepts this recommendation in-principle.

The Department of Home Affairs will consider options to streamline the provision of information required for the Bill where that information is already provided by industry to government for other purposes. The Department notes legislative restrictions on how information can be obtained and shared, including across jurisdictions, may limit the extent to which data collection may be streamlined.

Australian Government response to the Parliamentary Joint Committee on Intelligence and Security's Advisory report on the Security of Critical Infrastructure Bill 2017

Recommendations 3 and 5

Recommendation 3: The Committee recommends that the Department of Home Affairs develop guidelines for entities subject to the Security of Critical Infrastructure Bill 2017. The guidelines should:

enable an entity to determine whether it is a reporting entity, and

provide the entity with an understanding of the specific information it is required to report. These guidelines should be made available prior to the end of the three-month transition period.

Recommendation 5: The Committee recommends that the Department of Home Affairs include in guidelines to be developed for entities subject to the Security of Critical Infrastructure Bill 2017, information regarding:

the high-level criteria by which the Department will assess risk, and

the process and the engagement that entities should reasonably expect from the Department as part of a risk

assessment.

The Government accepts these recommendations.

The Government is committed to developing and releasing guidance to support the implementation of the Bill to ensure stakeholders understand their obligations and responsibilities. Specifically, these guidelines will:

ensure stakeholders understand the operation, functions and processes of the Bill

enable an entity to determine whether it is the reporting entity

assist a reporting entity with registering on the Register of Critical Infrastructure Assets by providing step-by-step guidance, including detailing the specific information required to be reported

provide high-level criteria by which the Critical Infrastructure Centre will assess foreign involvement risks in critical infrastructure assets, including the process and the engagement entities should reasonably expect as part of a risk assessment, and

provide best practice guidance to assist entities to proactively safeguard their assets from national security risks.

These guidance documents will be available to stakeholders prior to the end of the three-month period before the Bill's commencement.

Recommendation 4

The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to more appropriately define direct interest holder in order to capture the intended full range of ownership arrangements.

Further, the Explanatory Memorandum and the Bill should clarify that:

moneylenders are not direct interest holders, where they hold an interest in a critical infrastructure asset through a financing arrangement, and

intermediate and ultimate holding entities are not direct interest holders.

The Government accepts this recommendation.

The Government will move amendments to the Bill to ensure it more clearly requires a direct interest holder to report on the Register of Critical Infrastructure Assets information relating to all intermediate and other holding entities who are in a position to directly or indirectly influence and control the direct interest holder. The Government will move amendments to the Bill to explicitly

Australian Government response to the Parliamentary Joint Committee on Intelligence and Security's Advisory report on the Security of Critical Infrastructure Bill 2017

define the term 'influence or control' based on the existing guidance in the Explanatory Memorandum.

The Government will also move amendments to clause 8 in the Bill to include a limited carve-out of moneylenders as direct interest holders. The carve-out will apply where the moneylender's interest in the asset is:

held solely by way of security for the purposes of a moneylending agreement, and

the moneylender is not in a position to directly or indirectly influence or control the asset.

The exemption will not apply if the moneylender, by taking security or by enforcing that security, acquires the ability to influence or control a critical infrastructure asset.

The Government will provide further detailed guidance and examples in the Explanatory Memorandum to demonstrate how the amended provisions are intended to operate.

Recommendation 6

The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to list the factors that the Secretary must have regard to, when deciding whether to disclose protected information under sections 42 and 43 of the Bill. Factors should include:

whether the disclosure is consistent with the objects of the Bill, and

whether the purpose of the disclosure is proportionate to the sensitivity of the information being disclosed.

The Government accepts this recommendation.

The Government will clarify in the Addendum Explanatory Memorandum that when determining whether to disclosure protected information under clause 42 and 43, the Secretary should have regard to whether the disclosure is consistent with the objects of the Bill and is proportionate to the sensitivity of the information disclosed.

Recommendation 7

The Committee recommends that the Explanatory Memorandum to the Security of Critical Infrastructure Bill 2017 be amended to clarify that the Bill does not affect the operation of existing privacy obligations.

In particular, the Explanatory Memorandum should clarify that section 39 does not affect the operation of Australian Privacy Principle 11.2 and the Department of Home Affairs, as the administering agency, would need to destroy personal information if it was no longer necessary.

The Government accepts this recommendation.

The Government will provide further clarity in the Addendum Explanatory Memorandum to specify that once the Secretary deems that information provided under clause 37 is no longer required for the purpose for which it was provided, reasonable steps will be required to be taken to destroy that information or ensure the information is de-identified. Specifically, the explanatory memorandum will be amended to state the Secretary must have consideration for the Australian Privacy Principle 11 in determining if it is appropriate to retain personal information, and, accordingly, if reasonable steps are required to be taken to destroy that information or ensure the information is de-identified.

Australian Government response to the Parliamentary Joint Committee on Intelligence and Security's Advisory report on the Security of Critical Infrastructure Bill 2017

Recommendation 8

The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the relevant Minister to provide, to the subject entity, notice of an adverse security assessment given in connection to the Bill and merits review rights.

The Committee considers that the Bill should be amended to align with requirements under section 38A of the Australian Security Intelligence Organisation Act 1979.

The Government accepts this recommendation.

The Government will move amendments to the Security of Critical infrastructure (Consequential and Transitional Provisions) Bill 2017 to ensure the notification requirements in section 38A of the Australian Security Intelligence Organisation Act 1975 also apply to an adverse security assessment given in connection with clause 32(2) of the Security of Critical Infrastructure Bill. This amendment aligns the notice requirements for an adverse security assessment relating to the directions power in the Security of Critical Infrastructure Bill with similar requirements to be included in the Telecommunications Act 1997. Specifically it will require the Minister, within 14 days of receiving the adverse security assessment, to provide the assessed person with written notice of the assessment (including a copy of the assessment) and information on his or her right to apply for merits review in the Administrative Appeals Tribunal. Notice of the adverse security assessment will not be able to be withheld from the assessed person, only parts of the assessment itself may be withheld or redacted if disclosure of that part would be prejudicial to the interests of security.

Recommendation 9

The Committee recommends that the Security of Critical Infrastructure Bill 2017 be amended to require the Parliamentary Joint Committee on Intelligence and Security to review the operation, effectiveness and implications of the reforms, commencing within three years of the Bill receiving Royal Assent.

The review should consider the appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets.

The review should also consider circumstances that the Minister has used the private declaration power under section 51.

The Government accepts this recommendation.

The Government will move amendments to include a review mechanism requiring the Parliamentary Joint Committee on Intelligence and Security to review the Bill, commencing within three years of the Bill receiving Royal Assent. The proposed review provision will specifically require the Committee to consider the:

operation, effectiveness and implications of the Bill

appropriateness of a unified scheme to cover all critical infrastructure assets, including telecommunications assets, and

circumstances that the Minister has used the private declaration power under section 51.