Critical information: Are you ready for the Security of Critical Infrastructure Act's January reporting deadline – Part 1
If you or your clients own, operate or have an interest in a critical infrastructure asset then you should now be mobilising to meet your reporting obligations under the Security of Critical Infrastructure Act 2018, which commenced on 11 July 2018.
The Act seeks to manage the national security risks of espionage, sabotage and coercion arising from foreign involvement in Australia's critical infrastructure. One of the key ways it aims to do so is through the establishment of a Register of Critical Information Assets, administered by the Critical Infrastructure Centre.
Who needs to report and what needs to be reported?
The Act requires a "reporting entity" to provide information to the Secretary, to be placed on the Register. Reporting entities are either:
- a "responsible entity" for; or
- a "direct interest holder" in
a critical infrastructure asset.
Critical infrastructure under the Act includes:
- electricity, gas and water assets that meet the requirements of the Act;
- certain ports (as specified in the Act and rules); and
- any asset declared under section 51 of the Act to be a critical infrastructure asset.
Responsible entities must report "operational information"
- A responsible entity is an entity which:
- for a critical electricity, gas or water asset, the entity which hold the licence, approval or authorisation to provide the service to be delivered by that asset;
- for a critical port, the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003); and
- for an asset declared under section 51 or prescribed by the rules, the entity specified as the responsible entity.
- Operational information must be reported by the water utility. This includes:
- the location of the critical water asset and description of the area it services;
- details of the water utility itself or any operator (name, ABN or similar, country of incorporation and address of head office);
- details of the water utility's CEO (name, country/countries of citizenship);
- description of the critical water asset's operating arrangements; and
- certain data maintenance arrangements (as prescribed the rules).
Direct interest holders must report "interest and control information"
- A direct interest holder is an entity which:
- together with any "associates", holds an interest of at least 10% in the asset (including any interests jointly held with one or more other entities); or
- holds a less than 10% interest in the asset that puts the entity in a position to directly or indirectly "influence or control" the asset.
- Associate is defined broadly, and includes:
- for an individual: any corporation in which they hold an interest, and any relative;
- for a company: any senior officers, holding companies, individuals who hold an interest in that company; and
- any person with whom the entity is acting in concert in relation to the asset.
- Interest and control information includes:
- the entity's details (name, ABN, address of head office, country of incorporation);
- information about the influence or control the entity is in a position to exercise over the asset (eg. veto rights);
- details (name, ABN, address of head office, country of incorporation) of the entities ("higher entities") exerting direct or indirect influence or control over the direct interest holder or other higher entities; and
- information about the influence or control exerted by those higher entities.
Getting ready for your Critical Infrastructure reporting requirements
As the above requirements show, the Act has a broad reach, so a large amount of information needs to be collected and reported. Reporting entities have until 11 January 2019 to make their initial reports, so the process of preparing the information that needs to be disclosed should be started sooner rather than later.
As well as the broad reach of the Act, its national security purpose "on its face" must be kept in mind – interpretation of the Act is likely to favour reporting.
Accurate records will also need to be kept and maintained as, following initial reporting, any notifiable changes to the required information must be reported within 30 days of a "notifiable event" occurring, to ensure accuracy of the Register. Notifiable events include where information previously reported becomes incomplete or incorrect, or where an entity becomes a reporting entity (eg. as a result in a change to the ownership or operation structure of the business).
We recommend that affected owners and operators:
- review existing contracts for confidentiality obligations and exceptions;
- consider appointing someone with sufficient seniority to be responsible for ongoing compliance with the Act, including managing any communications received from the Department of Home Affairs;
- consider whether additional training for employees, or updates to policies or procedures are required;
- assess if additional legal or forensics assistance is required to validate that all reporting entities have been identified and that the affected entities and employees have accurately understood all reporting obligations.
When you are ready to report, this is done via an online form submitted via the Centre: www.cicentre.gov.au/hub
Penalties and fines for non-compliance may apply
Where a reporting entity fails to meet its obligations under the Act, this could result in civil penalties including daily fines imposed for each day of non-compliance and performance injunctions compelling the entity to report certain information. It is therefore crucial that the Act's requirements are understood, and that affected entities implement controls, processes to confidently comply with all requirements.
Is reported information confidential?
The Register will not be made public and information obtained by any person in the course of exercising powers, duties or functions under the Act is "protected information". There are penalties for unauthorised disclosure of protected information.
However, bear in mind that the Secretary may make "permitted disclosures" to certain bodies including any:
- Commonwealth Minister with responsibility for national security, law enforcement, foreign investment, taxation policy, industry policy, promoting investment in Australia, defence or regulation or oversight of the relevant industry;
- State or Territory Minister responsible for regulation or oversight of the relevant industry responsible for the asset;
- person employed as a member of staff ofMinister mentioned in (a) or (b); or
- law enforcement body.
Top tips
We encourage our readers to familiarise themselves with the Act and its requirements so that:
- the task of reporting is fully appreciated;
- accurate records can be maintained in order to comply with the ongoing reporting requirements; and
- relationships with suppliers and other contractors can be appropriately managed, particularly with regards to confidential information that may need to be disclosed.
If you're unsure about your reporting obligations or whether this new legislation affects you, please feel free to get in touch with Stuart Cosgriff or Daniel Heywood.
In Part 2, we'll dig into the detail of how you track down all the relevant information for creating the report.