Business Insight

Clarifying the protected information regime under the SOCI Act

    Amendments to the protected information regime under the Security of Critical Infrastructure Act 2018 (the SOCI Act) have been proposed as part of the Australian Cyber Security Strategy Legislative Reforms Consultation Paper to clarify the application of the regime and promote effective data sharing.

    What you need to know

    • The 2023-2030 Australian Cyber Security Strategy Legislative Reforms Consultation Paper contains proposed amendments to the SOCI Act, including amendments to the protected information regime.
    • Under the SOCI Act, the protected information regime provides restrictions and authorisations in respect of the recording, use and disclosure of 'protected information', including information obtained in the course of exercising or performing duties or functions under the SOCI Act.
    • One of the rationales for the introduction of the protected information regime was to give entities comfort that, when they needed (or were required) to disclose protected information to Government, the security of that information would be maintained and it would not be used or disclosed inappropriately.
    • In practice, entities have found the protected information regime confusing and difficult to manage from a practical perspective.
    • Amendments to the protected information regime are now proposed to respond to these concerns, including how protected information can be effectively shared without breaching the SOCI Act.
    • The proposed amendments:

    look to amend the definition of 'protected information';

    require organisations to adopt a harm-based approach in determining whether disclosure of protected information is permitted; and

    will broaden and clarify certain disclosure authorisation provisions under the SOCI Act.

    • Written submissions on the amendments proposed in the Consultation Paper are to be submitted by 1 March 2024.

    What you need to do

    Once further particulars of the proposed amendments are released by the Government, organisations that are caught by the SOCI Act should revisit the processes and procedures they have in place for dealing with protected information, and make any necessary updates in order to stay aligned with these changes.

    Amendments to SOCI's protected information regime

    The Security of Critical Infrastructure Act 2018 (SOCI Act) regulates critical infrastructure in Australia and aims to enhance national security by protecting and strengthening the security of critical infrastructure assets. As part of the protective framework, the SOCI Act recognises that protecting certain information relating to Australia's critical infrastructure is key to preventing harm to Australia's national security, including harm caused by malicious threat actors. To that end, the SOCI Act establishes the concept of 'protected information' and imposes restrictions on the recording, use and disclosure of this information, subject to certain authorisations.

    On 22 November 2023, Home Affairs Minister, Clare O'Neil, launched the Australian Cyber Security Strategy and associated Action Plan which outlined a bold regulatory reform agenda. As part of the Government's commitment to implementing this reform agenda, the Government has published the Australian Cyber Security Strategy Legislative Reforms Consultation Paper (Consultation Paper) and will consult with industry regarding key amendments proposed to the SOCI Act, in particular, to the protected information provisions. The aim of these amendments is to address concerns regarding constraints on information sharing and compliance management.

    What is protected information?

    Protected information is defined broadly under section 5 of the SOCI Act and includes "information obtained by a person in the course of exercising powers, or performing duties or functions under the SOCI Act." The definition further captures documents and information including:

    • critical infrastructure risk management programs (and information included in these programs);
    • records or the fact that an asset is declared to be a critical infrastructure asset or a system of national significance;
    • records that the Minister has given or revoked a Ministerial authorisation; and
    • information that is, or is included in, a mandatory cyber security report or incident response plan.

    Notably, protected information within the meaning of the SOCI Act is distinct from the 'PROTECTED' document security classification under the Australian Government's Protective Security Policy Framework. As part of the consultation process, there has been some discussion of renaming 'protected information' under the SOCI Act to avoid this confusion (some have proposed a rebrand to 'restricted information'). We will have to wait to see whether this is taken up by the Government, but it would be an easy win in clearly drawing a distinction between the two regimes.

    How is protected information dealt with under the SOCI Act?

    The SOCI Act imposes a general prohibition on the recording, disclosure or use of protected information by any person or organisation. Contravening this prohibition is an offence unless a relevant authorisation or exception applies. Examples of key authorisations and exceptions are set out in the image below.

    [Diagram: key authorisations and exceptions to the protected information prohibition under the SOCI Act]

    Many stakeholders have raised concerns about the current applicability of the protected information regime and how organisations should approach compliance. Both industry and government are concerned that the current regime restricts effective information sharing and may have the effect of impeding organisations' responses to incidents. These concerns arise as currently:

    • there is uncertainty regarding when an entity is disclosing information for "the purpose of exercising its powers, or performing its functions or duties under the SOCI Act";
    • unless an existing authorisation applies, organisations are currently not permitted to voluntarily disclose protected information to regulators, the government or other organisations that may assist in mounting an effective incident response or mitigating the risk to critical infrastructure assets;
    • disclosing and sharing protected information is not permitted as between government entities except in limited prescribed circumstances, even where such disclosure would improve threat awareness and strategy; and
    • the broad definition of 'protected information' has resulted in various interpretations and understandings of what is, or may be, protected information, leading to fears regarding inadvertent non-compliance.

    In a series of town halls held by the Department of Home Affairs between February and August 2023, the Department attempted to clarify that the protected information regime is not intended to prevent the sharing of information with regulators or government. Despite this, industry has continued to harbour concerns.

    Proposed reform

    In response to these concerns, the Consultation Paper proposes the following amendments to the protected information regime:

    1. Amendment to the definition of 'protected information'
    2. Adoption of a harm-based approach to disclosure
    3. Clarification regarding the disclosure provisions

    Amendment to the protected information definition

    The Consultation Paper proposes to amend the protected information definition to provide greater clarity and specificity, although no drafting has been provided at this stage.

    Harm-based approach

    The Consultation Paper provides that the proposed amendments will require organisations to take a harm-based approach when disclosing protected information. Adopting a harm-based approach will mean that, before disclosing protected information, organisations will be required to consider the potential harm or risk of the disclosure to:

    • the security of their asset; and
    • the socioeconomic stability, national security and defence of Australia.

    The Department of Home Affairs considers that this approach will enhance flexibility while maintaining a distinction between information that may be shared for the sake of transparency and information that must remain protected to ensure security.

    Clarification of disclosure provisions

    As mentioned above, the SOCI Act currently enables organisations to use and disclose protected information for the purpose of ensuring compliance with the SOCI Act. However, the Consultation Paper highlights that there is no clear permission for organisations to disclose information for purposes relevant to the continued operation, or mitigation of risk to, a critical infrastructure asset.

    To assist organisations in disclosing information, the proposed amendments are expected to clarify that organisations are permitted to disclose protected information for the purpose of:

    • the continued operation of a critical infrastructure asset; or
    • mitigating risk to a critical infrastructure asset.

    The Consultation Paper proposes that this authorisation is to be balanced by the required adoption of the harm-based approach outlined above.

    The Consultation Paper further proposes to broaden and add to the existing authorisations under the SOCI Act to fix current implementation and scope issues. The Consultation Paper highlights that the current authorisations under the SOCI Act:

    • require Ministers and agencies to fall within certain categories in order to receive information, and those categories do not include emergency management agencies, which impedes cooperation and coordination between departments; and
    • do not permit disclosure to regulatory agencies that may have direct involvement in incident response (the Consultation Paper gives the example of the OAIC where an incident is also a notifiable data breach).

    The Consultation Paper also observes that, for state and territory agencies, there are currently restrictions on the Commonwealth's ability to disclose information regarding data storage and processing assets to a relevant jurisdiction, if the physical infrastructure is not located in that jurisdiction.

    As such, the Consultation Paper proposes that:

    • disclosure of protected information to all Commonwealth, state and territory government entities (regardless of policy responsibility) should be permitted if the disclosure is necessary for the purpose of upholding the security and resilience of critical infrastructure or protecting national security; and
    • voluntary disclosures by individuals, government officials and industry to the Inspector-General of Intelligence and Security should be permitted, which would aid that office in performing its functions (rather than the information having to be disclosed by the Secretary of Home Affairs).

    What to expect

    The Department of Home Affairs is seeking feedback on the proposals provided in the Consultation Paper. The feedback received will be considered in developing policy and advice to Government.

    Once further particulars of the proposed amendments are released by the Government, organisations that are caught by the SOCI Act should revisit the processes and procedures they have in place for dealing with protected information, and make any necessary updates.

    Watch this space.

    Want to know more

    Authors: Amanda Ludlow, Partner; Clare Doneley, Counsel; and Chanel Gray, Associate.

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.

    Ashurst Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 22 February 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

