This instrument is the Telecommunications (Carriage Service Provider—Security Information) Determination 2022.

(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. Sections 1 to 9 and anything in this instrument not elsewhere covered by this table	The day after this instrument is registered.
2. Sections 10 to 12	7 July 2022.	7 July 2022.
3. Sections 13 to 15	7 October 2022.	7 October 2022.

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3 Authority

This instrument is made under subsection 99(1A) of the Telecommunications Act 1997.

4 Repeal

This instrument is repealed eighteen months after the day this instrument is registered.

5 Interpretation

Note 1: A number of expressions used in this instrument are defined in section 7 of the Act, including the following:

(a) carriage service;

(b) carriage service provider;

(d) carrier licence;

(e) facility;

(f) listed carriage service;

(g) public mobile telecommunications service;

(h) standard telephone service;

(i) telecommunications network.

Note 2: The expressions ‘Governor’, ‘Minister’, ‘SES employee’, ‘State’ and ‘Territory’ are defined in section 2B of the Acts Interpretation Act 1901, which applies to this instrument because of section 13 of the Legislation Act 2003.

(1) In this instrument:

Act means the Telecommunications Act 1997.

approved form means a form approved by the Home Affairs Secretary for the purposes of this instrument.

asset, of an eligible carriage service provider:

(a) means a tangible asset (excluding customer premises equipment) that is:

(i) owned or operated by an eligible carriage service provider; and

(ii) used to supply a carriage service; and

(b) without limitation to paragraph (a), includes the following to the extent that they are used for the supply of a carriage service:

(i) a component of a telecommunications network;

(ii) a telecommunications network;

(iii) a facility;

(iv) computers;

(v) computer devices;

(vi) computer programs;

(vii) computer data.

authorised ASD officer means either:

(a) the Director-General of the Australian Signals Directorate (ASD): or

(b) an SES employee of ASD nominated in writing by the Director-General of ASD to give or receive notices for the purposes of this instrument.

cloud service means any service supplied by a person that provides computing and other information technology services to users on demand over the internet.

cyber security incident means one or more acts, events or circumstances involving any of the following:

(a) unauthorised access to either a computer data or a computer program;

(b) unauthorised modification of computer data or a computer program;

(d) unauthorised impairment of the availability, reliability, security or operation of any of the following:

(i) a computer; or

(ii) computer data; or

(iii) a computer program;

(e) unauthorised impairment of an asset operated for the supply of a carriage service or services by the eligible carriage service provider.

direct interest holder, in respect of an asset, has the meaning given by section 9.

eligible carriage service provider has the meaning given by section 127 of the Telecommunications (Consumer Protection and Service Standards) Act 1999.

Home Affairs Department means the Department administered by the Home Affairs Minister from time to time.

Home Affairs Minister means the Minister administering the Security of Critical Infrastructure Act 2018 from time to time.

Home Affairs Secretary means the Secretary of the Home Affairs Department from time to time.

interest and control information has the meaning given by section 8.

maintained data is data that:

(a) relates to an asset of an eligible carriage service provider; and

(b) is maintained by an entity other than the eligible carriage service provider; and

(i) personal information (within the meaning of the Privacy Act 1988) of at least 20,000 individuals;

(ii) sensitive information (within the meaning of the Privacy Act 1988) that relates to any individual;

(iii) information about any research and development related to the asset;

(iv) information about any systems needed to operate the asset;

(v) information about risk management and business continuity (however described) for the asset;

(vi) information about consumers’ consumption of listed carriage services or any directly-related product.

operational information has the meaning given by section 7.

software-as-a-service means software that is provided either for free or on a subscription basis, with the software being located on computers or servers owned or operated by another entity, which are accessed over the internet.

technical assistance notice has the same meaning as in Part 15 of the Act.

technical assistance request has the same meaning as in Part 15 of the Act.

technical capability notice has the same meaning as in Part 15 of the Act.

unauthorised: access, modification or impairment has the meaning given by section 6.

(2) In this instrument, the following terms have the same meaning as in the Security of Critical Infrastructure Act 2018:

(a) access to a computer data;

(b) associate;

(d) computer data;

(e) computer device;

(f) computer program;

(g) data;

(h) entity;

(i) First Minister

(j) influence or control;

(k) interest;

(l) moneylending agreement.

6 Specific definition—Meaning of unauthorised access, modification or impairment

(1) For the purposes of the definition of cyber security incident, access, modification or impairment is unauthorised if the person causing the access, modification or impairment is not entitled to do so.

(2) For the purposes of subsection (1), it is immaterial whether the person can be identified.

(3) For the purposes of, and without limitation to, subsection (1), if:

(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and

(b) the person does so:

(i) under a warrant issued under a law of the Commonwealth, a State or a Territory; or

(ii) under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004, under section 31A of the Telecommunications (Interception and Access) Act 1979, or under a law of a State or Territory that makes provision to similar effect; or

(iii) under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004 or section 26G of the Australian Security Intelligence Organisation Act 1979; or

(iv) in accordance with a technical assistance request; or

(v) in compliance with a technical assistance notice; or

(vi) in compliance with a technical capability notice;

the person is entitled to cause that access, modification or impairment.

7 Specific definition—meaning of operational information

(1) For the purposes of this instrument, operational information in relation to an asset of an eligible carriage service provider means:

(a) the location of the asset; and

(b) a description of the area for which carriage services are supplied using the asset; and

(i) its full legal name;

(ii) if the provider is a body corporate:

incorporated in Australia—its Australian Business Number (ABN); or
incorporated outside of Australia—the applicable business number or identifier (however described);

(iii) the address of the provider’s head office or principal place of business;

(iv) the country in which the provider was incorporated, formed or created (however described);

(v) the full name of the provider’s chief executive officer (however described) and the country or countries of which that officer is a citizen; and

(d) a description of the arrangements under which the eligible carriage service provider operates the asset or a part of the asset; and

(e) a description of the arrangements for the maintained data.

(2) The description of the arrangements for maintained data under paragraph (1)(e) above must include the full legal name of the entity that maintains the data, including:

(a) if the entity is a body corporate:

(i) incorporated in Australia—its Australian Business Number (ABN); or

(ii) incorporated outside of Australia—the applicable business number or other identifier (however described); and

(b) the address of the entity’s head office or principal place of business; and

(d) the physical address where the data is held, including, to the extent practicable, the physical address where computers or servers holding the data are located, whether or not the computers or servers are part of a cloud service or software-as-a-service; and

(e) for data held using a cloud service or using software-as-a-service—the name of the cloud service or software-as-a-service; and

(f) the kind of data that the entity maintains.

8 Specific definition—meaning of interest and control information

(1) For the purposes of this instrument, the following information is interest and control information in relation to a direct interest holder in an asset of an eligible carriage service provider (other than the eligible carriage service provider):

(a) the full legal name of the direct interest holder; and

(b) if the direct interest holder is a body corporate:

(i) incorporated in Australia—its Australian Business Number (ABN); or

(ii) incorporated outside of Australia—the applicable business number or other identifier (however described);

(i) the address of the entity’s head office or principal place of business; and

(ii) the country in which the entity was incorporated, formed or created (however described);

(d) if the direct interest holder is an individual:

(i) the residential address of the direct interest holder; and

(ii) the country in which the direct interest holder usually resides; and

(iii) the country or countries of which the direct interest holder is a citizen;

(e) the type and level of the interest held in the asset;

(f) information about the influence or control the direct interest holder is in a position to directly or indirectly exercise in relation to the asset;

(g) (where applicable) information about the ability of another person, who has been appointed by the direct interest holder, to directly access networks or systems that are necessary for the operation or control of the asset;

(h) the name of each other entity that is in a position to directly or indirectly influence or control:

(i) the direct interest holder; or

(ii) any entity covered by a previous application of this subsection;

(i) in relation to each entity covered by paragraph (h) above (the higher entity):

(i) the information in paragraphs (b) to (d), and (e) if appropriate, as if a reference in those paragraphs to the first entity were a reference to the higher entity; and

(ii) information about the influence or control the higher entity is in a position to directly or indirectly exercise in relation to the direct interest holder or any entity covered by paragraph (h).

(2) For the avoidance of doubt, information under subsection (1) may include personal information (within the meaning of the Privacy Act 1988).

9 Specific definition—meaning of direct interest holder

General definition

(1) An entity is a direct interest holder, in an asset that is owned or operated by the eligible carriage service provider, if the entity:

(a) together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or

(b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

Exclusions to general definition

(2) Subsection (1) does not apply to an interest in an asset held by a Governor, First Minister, Administrator or Minister of a State or Territory.

(3) Subsection (1) does not apply to an interest in an asset if:

(a) the entity holds the interest in the asset solely:

(i) by way of security for the purposes of a moneylending agreement; or

(ii) as a result of enforcing a security for the purposes of a moneylending agreement; and

(b) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset; and

(c) if the entity is holding the interest solely by way of security—enforcing the security would not put the entity in a position to directly or indirectly influence or control the asset.

How certain interests are held

(4) For the purposes of this instrument, and without limitation, an interest in an asset that is owned or operated by an eligible carriage service provider is taken to be held if:

(a) one or more trustees hold the interest on behalf of the beneficiaries of the trust; or

(b) one or more partners hold the interest on behalf of the partnership; or

(d) one or more appointed officers hold the interest on behalf of the company.

Part 2—Rules

Division 1—General

10 Application

For the purposes of subsection 99(1A) of the Act, this instrument applies to each eligible carriage service provider who is not a carrier, in relation to the supply of any of the following services:

(a) a standard telephone service, where any of the customers are residential customers or small business customers;

(b) a public mobile telecommunications service;

Division 2—Specific Service Provider Rules

Note: The notification obligations under Part 2 are imposed on eligible carriage service providers individually. However, an eligible carriage service providers who is part of corporate group comprising other providers may elect for another provider in the corporate group (on their behalf) to deliver the notices required under this Part 2 to the relevant officers. However, each individual eligible carriage service provider is responsible for ensuring obligations imposed on it are fully complied with.

11 Notification of critical cyber security incidents

(1) Subject to subsection (5), when an eligible carriage service provider becomes aware that:

(a) a cyber security incident has occurred or is occurring; and

(b) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of any of its assets; and

(i) give ASD a report about the incident; and

(ii) do so as soon as practicable, and in any event within 12 hours, after the eligible carriage service provider becomes so aware.

Significant impact

(2) For the purposes of subsection (1), a cyber security incident has a significant impact (whether direct or indirect) on the availability of an asset if, and only if, both:

(a) the asset is used in connection with the provision of essential goods or services; and

(b) the incident has materially disrupted the availability of those essential goods or services.

Form of report

(3) A report under subsection (1) may be given:

(a) orally; or

(b) in writing in the approved form.

(4) If a report under subsection (1) is given orally, the carriage service provider must:

(a) do both of the following:

(i) make a written record of the report in the approved form;

(ii) give a copy of the written record of the report to ASD; and

(b) do so within 84 hours after the report is given.

(5) The obligation under subsection (1) does not apply in respect of a particular cyber security incident if an authorised ASD officer has provided advice in writing to the carriage service provider that a report about the incident is not required. For the avoidance of doubt, such a notice is not a legislative instrument.

12 Notification of other cyber security incidents

(1) Subject to subsection (5), when an eligible carriage service provider becomes aware that:

(a) a cyber security incident has occurred, is occurring or is imminent; and

(b) the incident has had, is having, or is likely to have, a relevant impact on an asset of the eligible carriage service provider;

the eligible carriage service provider must:

(d) do so as soon as practicable, and in any event within 72 hours, after the eligible carriage service provider becomes so aware.

Relevant impact

(2) For the purposes of subsection (1), each of the following is a relevant impact of a cyber security incident on an asset:

(a) an impact (whether direct or indirect) of the incident on the availability of the asset;

(b) an impact (whether direct or indirect) of the incident on the integrity of the asset;

(d) an impact (whether direct or indirect) of the incident on the confidentiality of:

(i) information about the asset; or

(ii) if information is stored in the asset—that information; or

(iii) if the asset is computer data—that computer data.

(3) A report under subsection (1) may be given:

(a) orally; or

(b) in writing in the approved form.

(4) If a report under subsection (1) is given orally, the eligible carriage service provider must:

(a) do both of the following:

(i) make a written record of the report in the approved form;

(ii) give a copy of the written record of the report to ASD; and

(b) do so within 48 hours after the report is given.

(5) The obligation under subsection (1) does not apply in respect of a particular cyber security incident if an authorised ASD officer has provided advice in writing to the eligible carriage service provider that a report about the incident is not required.

Note: Staff members of ASD are subject to section 40G of the Intelligence Services Act 2001 (Cth), which makes imposes an offence for those staff members, relating the intentional unauthorised dealings with certain records obtained by reason of his or her being, or having been, a staff member of ASD. A breach of section 40G carries a maximum penalty of imprisonment for 3 years.

13 Initial obligation to give information

(1) Subject to section 15, the eligible carriage service provider must give the Secretary of Home Affairs the following information in writing:

(a) the operational information in relation to each asset of the eligible carriage service provider; and

(b) where an entity other than the eligible carriage service provider holds a direct interest in an asset owned or operated by the provider—the interest and control information of direct interest holders in the asset.

(2) The information must be given:

(a) in the approved form; and

(b) by the later of:

(i) the day on which this section commences ; and

(ii) within the end of 30 days after becoming an eligible carriage service provider.

(3) For the purposes of subsection (1) above, the operational information about assets should, where practicable, be provided by the eligible carriage service provider at the level of component systems of telecommunications networks, constituent network units, and associated control or administrative systems, identifying these by each distinct operational region (as applicable).

14 Ongoing obligation to give information and notify of events

(1) Subject to section 15 and subsections (3) and (4) of this section, if an eligible carriage service provider is required to give information in relation to an event in accordance with subsection (2), the provider must give the Home Affairs Secretary that information and notice of the event:

(a) in the approved form; and

(b) by the end of 30 days after the event occurs.

(2) The following table sets out the information an eligible carriage service provider is required to give in relation to an event.

Ongoing obligation to give information
Item	If the event ...	the eligible carriage service provider must give this information:
1	has the effect that the operational information in relation to an asset previously obtained by the Home Affairs Secretary under this instrument becomes incorrect or incomplete	any operational information in relation to the asset that is necessary to correct or complete the operational information, in relation to the asset, previously obtained by the Home Affairs Secretary.
2	has the effect that the interest and control information in relation to a direct interest holder in an asset previously obtained by the Home Affairs Secretary under this instrument becomes incorrect or incomplete	any interest and control information in relation to the direct interest holder and the asset that is necessary to correct or complete the interest and control information, in relation to the direct interest holder and the asset, previously obtained by the Home Affairs Secretary.
3	has the effect that a direct interest holder: (i) acquires an interest; or (ii) changes its interest; in an asset of an eligible carriage service provider	the operational information in relation to the asset, and the interest and control information in relation to the direct interest holder and the asset.

(3) Subsection (1) does not apply to an event in relation to an asset (the first event) if:

(a) before the end of 30 days after the first event occurs, another notifiable event (the second event) occurs in relation to the same asset; and

(b) a result of the second event is that the information in relation to the asset that was required to be given to the Home Affairs Secretary under subsection (1) following the first event is no longer correct.

(4) Subsection (1) does not apply to an event in relation to an asset if the Home Affairs Secretary has provided advice in writing to the eligible carriage service provider about the event is not required.

Note: Section 122.4 of the Schedule to the Criminal Code Act 1995 makes it an offence for a current or former Commonwealth officer to communicate information obtained by reason of being a Commonwealth officer, or otherwise being engaged to perform work for a Commonwealth entity, if there is a Commonwealth statutory duty not to disclose the information. Under section 13 of the Public Service Act 1999, APS officers (a class of Commonwealth officers) are subject to various statutory duties including in relation to not improperly using confidential information. A breach of section 122.4 carries a maximum penalty of imprisonment for 2 years.

15 Circumstances where the information is not able to be obtained

The obligations under section 13 (initial obligation to give information) and section 14 (ongoing obligation to give information and notify of events) do not apply if the eligible carriage service provider has used its best endeavours to obtain the required information and has not been able to obtain the information.