Commonwealth of Australia Explanatory Memoranda

SECURITY LEGISLATION AMENDMENT (CRITICAL INFRASTRUCTURE PROTECTION) BILL 2022

2019-2020-2021-2022

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

SENATE

ADDENDUM TO THE EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Home Affairs, the Hon Karen Andrews MP)

The purpose of this addendum is to provide additional clarifying material to the Explanatory Memorandum to the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (the Bill). This addendum responds to recommendations made in the Advisory Report on the Security Legislation Amendment (Critical Infrastructure) Bill 2022 (the Advisory Report), prepared by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and released on 25 March 2022. This addendum also provides minor corrections and updates to the Explanatory Memorandum, including addressing matters arising at the public hearing convened by the PJCIS on 16 March 2022 in the course of its inquiry into the Bill.

OUTLINE

1. At the end of the sixth dot point on page 7 of the Explanatory Memorandum, omit "unless".

2. This amendment corrects a minor drafting error in the Explanatory Memorandum by removing an unnecessary word.

SCHEDULE 1 - Amendments

Security of Critical Infrastructure Act 2018

Item 49 After Part 2

3. Immediately after paragraph 194 on page 41 of the Explanatory Memorandum, insert the following new paragraphs:

194A. The requirement at proposed subsection 30AH(1) specifies 'so far as it is reasonably practicable' to enable responsible entities to show what was, at a particular time, reasonably able to be done to address material risks. The expectation is not for responsible entities to eliminate risk entirely but to do so to the extent it is reasonably able to be done to manage material risks. The Board, or equivalent, is required to approve the risk management plan within this context, appropriately balancing operational costs with risk.

194B. Responsible entities are responsible for determining if a risk is a material risk and, so far as it is reasonably practicable to do so, for minimising or eliminating the material risk of such a hazard occurring and mitigating the relevant impact of such a hazard on the asset. This would take into account all relevant factors, including:
• the likelihood of the risk;
• the degree of harm that might result from the risk;
• what the responsible entity concerned knows, or ought reasonably to know, about the hazard or risk;
• ways of eliminating or minimising the risk; and
• the availability and suitability of ways to eliminate or minimise the risk, and the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

4. This additional material provides clarification in relation to new subsection 30AH(1), as inserted by the amendment in item 49 of Schedule 1 to the Bill, particularly as to what is expected of a responsible entity by the term "reasonably practicable" in relation to minimising or eliminating material risks of a hazard occurring. This material addresses concerns raised by Catholic Health Australia during its meeting with senior officials of the Department of Home Affairs on 24 March 2022.

5. Immediately after paragraph 206 on page 43 of the Explanatory Memorandum, insert the following new paragraphs:

206A. The expectation is not for responsible entities to eliminate risk entirely but to do so to the extent it is "reasonably practicable". The requirement provides responsible entities flexibility to determine how they address material risk and relevant impact in relation to their business size, maturity and income. The intent is for responsible entities to seek to minimise or eliminate material risk where they are reasonably able to do so, in order to secure their critical infrastructure asset.

206B. As part of its compliance activities, the Department of Home Affairs will take into account the diversity of responsible entities and will assess each responsible entity against its own compliance posture. It is not expected that all entities will be required to undertake the same measures. Rather, required measures will be determined based on the responsible entity's operational context and operating costs.

6. This additional material is intended to provide clarification in relation to new subparagraph 30AH(1)(b)(i), as inserted by the amendment at item 49 of Schedule 1 to the Bill, as to what is expected of a responsible entity by the term "reasonably practicable" in relation to minimising or eliminating material risks of a hazard occurring. This additional material is included in response to concerns raised by Catholic Health Australia during its meeting with senior officials of the Department of Home Affairs on 24 March 2022.

7. Immediately after paragraph 217 on page 45 of the Explanatory Memorandum, insert the following new paragraphs:

217A. To enable AusCheck background checking for the purpose of approving a critical infrastructure risk management program, a new scheme will be established through amendments to the AusCheck Regulations 2017 (the AusCheck Regulations). Under this scheme, it is proposed that an AusCheck background check for a risk management program could include:
• a national security assessment conducted by the Australian Security Intelligence Organisation (ASIO);
• a criminal history check undertaken by the Australian Criminal Intelligence Commission (ACIC);
• a right-to-work check; and
• both electronic and in-person verification of a person's identity.

217B. For the criminal history element of an AusCheck background check, the Department of Home Affairs will assess the outcomes of criminal checks provided by the ACIC against the criteria for Major National Event security-relevant offences listed in Schedule 1 to the AusCheck Regulations. Should an employee or potential employee be found to have been convicted of a Tier 1 or Tier 2 offence, or imprisoned for a Tier 3 offence, it is proposed that the Department of Home Affairs will inform the responsible entity of the relevant category of offence without providing specific details.

217C. No individual employed by a responsible entity is specifically required to undertake an AusCheck background check for the purposes of a critical infrastructure risk management program under Part 2A. The risk management program rules only require a responsible entity for a critical infrastructure asset to establish and maintain a process to assess the suitability of its critical workers to have access to the critical components of the asset. A responsible entity may choose to meet this requirement by conducting background checks under the AusCheck scheme at its own discretion.

217D. There is no power under the Bill for the Department of Home Affairs to deny any person a position based on a background check, including an AusCheck background check. It is up to the responsible entity to assess the risk that an employee may pose to critical components of an asset. This assessment can be based on AusCheck advice, and the responsible entity will need to put in place mitigation strategies should a risk be identified. Mitigation strategies for any risk or hazard a critical worker may pose could include reassignment to another area of the business, dual authentication, or restricted duties.

217E. The requirement to undertake background checking for a risk management program is not intended to modify existing workers' rights and does not negate the responsibilities of employers under the Fair Work Act 2009, work health and safety legislation, or any other currently legally mandated or protected action. An employee who is subject to action as a result of a background check (including an AusCheck background check) under the SOCI Act is protected by all existing rights at work.

8. This amendment to the Explanatory Memorandum is made in response to recommendation 4 by the PJCIS in its Advisory Report. The additional material clarifies that an entity is not specifically mandated to undertake an AusCheck background check for the purposes of compliance with the requirements of the critical infrastructure risk management program rules. The additional material also clarifies that a worker subject to background checking for a risk management program has all the relevant workers' rights and protections available under legislation.

Item 58 After Part 2B

9. Immediately before paragraph 509 on page 99 of the Explanatory Memorandum, insert the following new paragraph:

508A. It is the strong preference of Government that the installation of software only be pursued as a last resort, in those instances where a private entity does not have the capability to provide system information to the Australian Signals Directorate (ASD). The software that Government will make available under these provisions includes commercially available tools which are often used by critical infrastructure entities with mature cyber security programs to obtain system information for their own security management purposes. Government will cooperate with entities to provide the software solution, from those available, that is most compatible with the entity's systems.

10. This amendment to the Explanatory Memorandum is made in response to recommendation 6 by the PJCIS in its Advisory Report. This additional material clarifies the safeguards regarding the requirement for a system of national significance to provide access to system information, and specifically the requirement for responsible entities to install specified software in last resort cases. It is also intended to address a request from the PJCIS in the course of the public hearing on 16 March 2022, suggesting that further explanatory material was required to assure industry that there are appropriate safeguards on the requirement to install system software under new section 30DJ, as inserted in the Security of Critical Infrastructure Act 2018 by the amendment in item 58 of Schedule 1 to the Bill.

Attachment C - Draft Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 22/018) 2022

11. On page 3 of Attachment C, at the end of the definition of 'critical component', omit 'that ' and insert:

that's absence, damage or compromise would prevent the proper function of the asset or could cause significant damage to the asset, as assessed by the entity.

12. This amendment addresses an inadvertent error in Attachment C, where the text above was not included in the original Explanatory Memorandum.