Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022

I, General the Honourable David Hurley AC DSC (Retd), Governor-General of the Commonwealth of Australia, acting with the advice of the Federal Executive Council, make the following regulations.

Dated 10 October 2022

David Hurley

Governor-General

By His Excellency’s Command

Michelle Rowland

Minister for Communications


Contents

1 Name

2 Commencement

3 Authority

4 Schedules

Schedule 1—Amendments

Telecommunications Regulations 2021

1  Name

  This instrument is the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022.

2  Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

Column 1                          Column 2                                        Column 3
Provisions                        Commencement                                    Date/Details
1.  The whole of this instrument  The day after this instrument is registered.    12 October 2022

Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3  Authority

  This instrument is made under the Telecommunications Act 1997.

4  Schedules

  Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1—Amendments

 

Telecommunications Regulations 2021

1  After section 15

Insert:

15A  Disclosures to financial services entities for the purpose of cyber security etc.

 (1) For the purposes of subsection 292(1) of the Act, this section specifies circumstances in which section 276 of the Act does not prohibit a disclosure of information or a document.

Specified circumstances

 (2) Section 276 of the Act does not prohibit the disclosure of information or a document if the information or document is disclosed to a financial services entity by or on behalf of a carrier or carriage service provider and all of the following paragraphs are satisfied:

 (a) the information is specified information, or the document is a specified document, in relation to the carrier or carriage service provider;

 (b) the carrier or carriage service provider has received a written request from an officer of the financial services entity for the specified information or the specified document;

 (c) the request states that the information or document is required by the financial services entity for the sole purpose of enabling the entity:

 (i) to take steps to prevent a cyber security incident, fraud, scam activity or identity theft; or

 (ii) to take steps to respond to a cyber security incident, fraud, scam activity or identity theft; or

 (iii) to take steps to respond to the consequences of a cyber security incident, fraud, scam activity or identity theft; or

 (iv) to take steps to address malicious cyber activity;

 (d) the request states that, in the opinion of the officer, the disclosure of the information or document is necessary and proportionate to deal with the cyber security incident, fraud, scam activity, identity theft or cyber activity mentioned in paragraph (c);

 (e) before the information or document is disclosed, the carrier or carriage service provider has been notified, in writing, by the ACCC that the financial services entity has given the ACCC a written commitment (on terms acceptable to the ACCC) that:

 (i) the entity will only share the information or document with an associate to the extent that this is necessary for a purpose mentioned in paragraph (c); and

 (ii) if the entity is a body mentioned in paragraph (c) of the definition of financial services entity in subsection (6)—the entity will only share the information or document with another financial services entity to the extent that this is necessary for a purpose mentioned in paragraph (c) of this subsection; and

 (iii) if the entity is a body mentioned in paragraph (a) or (b) of the definition of financial services entity in subsection (6)—the entity will not share the information or document with any other third party; and

 (iv) the entity will only access, use or disclose the information or document for a purpose mentioned in paragraph (c) of this subsection and only in accordance with the requirements of the Privacy Act 1988; and

 (v) the entity will store the information or document in a manner that prevents unauthorised access, disclosure or loss; and

 (vi) unless the information or document is sooner destroyed as mentioned in subparagraph (vii)—the entity will review its need to retain the information or document at least once every 12 months; and

 (vii) the entity will destroy the information or document once it is no longer required for a purpose mentioned in paragraph (c); and

 (viii) the entity has appropriate written procedures to ensure that the information or document is handled in accordance with the requirements set out or referred to in this paragraph; and

 (ix) the entity will obtain a written commitment in the same terms as that set out in this paragraph from an associate (other than an employee of the entity) before sharing the information or document with that associate in accordance with subparagraph (i); and

 (x) the entity will obtain a written commitment in the same terms as that set out in this paragraph from another financial services entity before sharing the information or document with that other entity in accordance with subparagraph (ii);

 (f) the information or document is disclosed:

 (i) unless subparagraph (ii) applies—in a secure and trusted manner; or

 (ii) if the Minister has approved a secure and trusted manner for the purposes of this subparagraph—in the manner approved by the Minister;

 (g) if the financial services entity is a body mentioned in paragraph (a) or (b) of the definition of financial services entity in subsection (6)—an authorised officer of the entity has given APRA an attestation that the entity meets, and will continue to meet, the principles and requirements of Prudential Standard CPS 234 Information Security, as in force from time to time, in relation to the information or document.

Minister may approve manner in which information or documents to be disclosed

 (3) For the purposes of subparagraph (2)(f)(ii), the Minister may, in writing, approve the manner in which a carrier or carriage service provider discloses information or a document.

Minister may approve a financial services entity

 (4) The Minister may, in writing, approve a body for the purposes of paragraph (c) of the definition of financial services entity in subsection (6), but only if the body is a body that provides services that:

 (a) either:

 (i) are directly related to, or support, the provision of services by one or more bodies mentioned in paragraph (a) or (b) of the definition of financial services entity in subsection (6); or

 (ii) are directly related to, or support, the provision of services to one or more bodies mentioned in paragraph (a) or (b) of the definition of financial services entity in subsection (6); and

 (b) are directly related to, or support, a purpose mentioned in paragraph (2)(c).

Minister may specify information

 (5) The Minister may, by notifiable instrument, specify one or more kinds of information for the purposes of the following:

 (a) paragraph (b) of the definition of specified document in subsection (6);

 (b) paragraph (b) of the definition of specified information in subsection (6).

Definitions

 (6) In this section:

ADI means an authorised deposit-taking institution within the meaning of the Banking Act 1959, other than a foreign ADI (within the meaning of that Act).

associate, of an entity (within the meaning of section 64A of the Corporations Act 2001), means any of the following:

 (a) an employee of the entity;

 (b) if the entity is a body corporate:

 (i) a related body corporate (within the meaning of the Corporations Act 2001) of the entity; and

 (ii) an employee of the related body corporate;

 (c) a contractor of the entity.

cyber security incident has the same meaning as in the Security of Critical Infrastructure Act 2018.

financial services entity means:

 (a) an ADI; or

 (b) a body mentioned in paragraph (b), (c), (e), (ea) or (f) of the definition of body regulated by APRA in subsection 3(2) of the Australian Prudential Regulation Authority Act 1998; or

 (c) a body approved by the Minister for the purposes of this paragraph.

officer, in relation to a financial services entity, means:

 (a) a director or secretary of the entity; or

 (b) a person:

 (i) who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of the entity; or

 (ii) who has the capacity to affect significantly the entity’s financial standing; or

 (iii) in accordance with whose instructions or wishes the directors of the entity are accustomed to act.

specified document, in relation to a carrier or carriage service provider, means a document that only includes one or both of the following:

 (a) the government related identifiers (within the meaning of the Privacy Act 1988) of one or more individuals who are, or were, customers of the carrier or carriage service provider;

 (b) information of a kind specified for the purposes of this paragraph by the Minister in a notifiable instrument, being personal information (within the meaning of the Privacy Act 1988) about one or more individuals who are, or were, customers of the carrier or carriage service provider.

specified information, in relation to a carrier or carriage service provider, means any of the following:

 (a) the government related identifiers (within the meaning of the Privacy Act 1988) of one or more individuals who are, or were, customers of the carrier or carriage service provider;

 (b) information of a kind specified for the purposes of this paragraph by the Minister in a notifiable instrument, being personal information (within the meaning of the Privacy Act 1988) about one or more individuals who are, or were, customers of the carrier or carriage service provider.

Application

 (7) This section applies to information or a document, whether the information or document was in the possession of a carrier or carriage service provider before, on or after the commencement of this section.

Sunset of this section

 (8) This section is repealed at the start of the day after the end of the period of 12 months starting on the day this section commences.

15B  Disclosures to government entities for the purpose of cyber security etc.

 (1) For the purposes of subsection 292(1) of the Act, this section specifies circumstances in which section 276 of the Act does not prohibit a disclosure of information or a document.

Specified circumstances

 (2) Section 276 of the Act does not prohibit the disclosure of information or a document if the information or document is disclosed to a Commonwealth entity or State authority by or on behalf of a carrier or carriage service provider and all of the following paragraphs are satisfied:

 (a) the carrier or carriage service provider has received a written request from an official of the Commonwealth entity or State authority for the information or the document;

 (b) the request states that the information or document is required by the Commonwealth entity or State authority for the sole purpose of enabling the Commonwealth entity or State authority:

 (i) to take steps to prevent a cyber security incident, fraud, scam activity or identity theft; or

 (ii) to take steps to respond to a cyber security incident, fraud, scam activity or identity theft; or

 (iii) to take steps to respond to the consequences of a cyber security incident, fraud, scam activity or identity theft; or

 (iv) to take steps to address malicious cyber activity;

 (c) the request states that, in the opinion of the official, the disclosure of the information or document is necessary and proportionate to deal with the purpose mentioned in paragraph (b) for which the information or document is required;

 (d) the information is any of, or the document only includes one or both of, the following:

 (i) the government related identifiers (within the meaning of the Privacy Act 1988) of one or more individuals who are, or were, customers of the carrier or carriage service provider;

 (ii) information of a kind specified for the purposes of this subparagraph by the Minister in a notifiable instrument, being personal information (within the meaning of the Privacy Act 1988) about one or more individuals who are, or were, customers of the carrier or carriage service provider;

 (e) the information or document is disclosed in a secure and trusted manner.

Note: Nothing in this subsection limits the carrier’s, or carriage service provider’s, obligations under subsection 313(3) of the Act to help officers and authorities of the Commonwealth and of the States and Territories.

Minister may specify information

 (3) The Minister may, by notifiable instrument, specify one or more kinds of information for the purposes of subparagraph (2)(d)(ii).

Note: The notifiable instrument could be in the same document as a notifiable instrument made for the purposes of subsection 15A(5).

Definitions

 (4) In this section:

Commonwealth entity has the meaning given by the Public Governance, Performance and Accountability Act 2013.

cyber security incident has the same meaning as in the Security of Critical Infrastructure Act 2018.

official, in relation to a Commonwealth entity or State authority, means:

 (a) the head (however described) of the Commonwealth entity or State authority; or

 (b) a member or acting member of the Commonwealth entity or State authority; or

 (c) a member of the staff of the Commonwealth entity or State authority; or

 (d) an officer or employee of the Commonwealth entity or State authority.

State authority has the same meaning as in the Intelligence Services Act 2001.

Application

 (5) This section applies to information or a document, whether the information or document was in the possession of a carrier or carriage service provider before, on or after the commencement of this section.

Sunset of this section

 (6) This section is repealed at the start of the day after the end of the period of 12 months starting on the day this section commences.