Clarifying the protected information regime under the SOCI Act
22 February 2024
22 February 2024
Amendments to the protected information regime under the Security of Critical Infrastructure Act 2018 (the SOCI Act) have been proposed as part of the Australian Cyber Security Strategy Legislative Reforms Consultation Paper to clarify application of the regime and promote effective data sharing.
look to amend the definition of 'protected information';
require organisations to adopt a risk-based approach in determining whether disclosure of protected information is permitted; and
will broaden and clarify certain disclosure authorisation provisions under the SOCI Act.
Once further particulars of the proposed amendments are released by the Government, organisations who are caught by the SOCI Act should revisit the processes and procedures that they have in place for dealing with protected information, and make any necessary updates in order to stay aligned with these changes.
The Security of Critical Infrastructure Act 2018 (SOCI Act) regulates critical infrastructure in Australia and aims to enhance national security by protecting and strengthening the security of critical infrastructure assets. As part of the protective framework, the SOCI Act recognises that the protection of certain information relating to Australia's critical infrastructure is key to preventing harm to Australia's national security and the actions of nefarious threat actors. Here, the SOCI Act establishes the concept of 'protected information' and imposes restrictions on the recording, use and disclosure of this information, subject to certain authorisations.
On 22 November 2023, Home Affairs Minister, Clare O'Neil, launched the Australian Cyber Security Strategy and associated Action Plan which outlined a bold regulatory reform agenda. As part of the Government's commitment to implementing this reform agenda, the Government has published the Australian Cyber Security Strategy Legislative Reforms Consultation Paper (Consultation Paper) and will consult with industry regarding key amendments proposed to the SOCI Act, in particular, to the protected information provisions. The aim of these amendments is to address concerns regarding constraints on information sharing and compliance management.
Protected information is defined broadly under section 5 of the SOCI Act and includes "information obtained by a person in the course of exercising powers, or performing duties or functions under the SOCI Act." The definition further captures documents and information including:
Notably, protected information within the meaning of the SOCI Act is distinct from the 'PROTECTED' document security designation provided under the Australia Government's Protected Security Policy Framework. As part of the consultation process, there has been some noise around renaming 'protected information' under the SOCI Act to avoid this confusion (some have proposed a rebrand to 'restricted information'). We will have to wait to see whether this is taken up by the Government but it would be an easy win in clearly drawing a distinction between the two regimes.
The SOCI Act imposes a general prohibition on the recording, disclosure or use of protected information by any person or organisation. Contravening this prohibition is an offence unless a relevant authorisation or exception applies. Examples of key authorisations and exceptions are set out in the image below.
Many stakeholders have raised concerns about the current applicability of the protected information regime and how organisations should approach compliance. Both industry and government are concerned that the current regime restricts effective information sharing and may have the effect of impeding organisations' responses to incidents. These concerns arise as currently:
In a series of townhalls held by the Department of Home Affairs between February and August 2023, the Department attempted to clarify that the protected information regime is not intended to prevent the sharing of information with regulators or government. Despite this, industry has continued to harbour concerns.
In response to these concerns, the Consultation Paper proposes the following amendments to the protected information regime:
The Consultation Paper proposes to amend the protected information definition to provide greater clarity and specificity, although no drafting has been provided at this stage.
The Consultation Paper provides that the proposed amendments will require organisations to take a harm-based approach when disclosing protected information. Adopting a harm-based approach will mean that, before disclosing protected information, organisations will be required to consider the potential harm or risk of the disclosure to:
The Department of Home Affairs considers that this approach will enhance flexibility while maintaining a distinction between information that may be shared for the sake of transparency and information that must remain protected to ensure security.
As mentioned above, the SOCI Act currently enables organisations to use and disclose protected information for the purpose of ensuring compliance with the SOCI Act. However, the Consultation Paper highlights that there is no clear permission for organisations to disclose information for purposes relevant to the continued operation, or mitigation of risk to, a critical infrastructure asset.
To assist organisations in disclosing information, the proposed amendments are expected to clarify that organisations are permitted to disclose protected information for the purpose of:
The Consultation Paper proposes that this authorisation is to be balanced by the required adoption of the harm-based approach outlined above.
The Consultation Paper further proposes to broaden and add to the existing authorisations under the SOCI Act to fix current implementation and scope issues. The Consultation Paper highlights that current authorisations under SOCI Act:
The Consultation Paper also observes that, for state and territory agencies, there are currently restrictions on the Commonwealth's ability to disclose information regarding data storage and processing assets to a relevant jurisdiction, if the physical infrastructure is not located in that jurisdiction.
As such, the Consultation Papery proposes that:
The Department of Home Affairs is seeking feedback on the proposals provided in the Consultation Paper. The feedback received will be considered in developing policy and advice to Government.
Once further particulars of the proposed amendments are released by the Government, organisations who are caught by the SOCI Act should revisit the processes and procedures that they have in place for dealing with protected information, and make any necessary updates.
Watch this space.
Authors: Amanda Ludlow, Partner; Clare Doneley, Counsel; and Chanel Gray, Associate.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 22 February 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up