Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024: Furthering the limited use obligation

Cyber reforms: Cyber Security Legislative Package 2024

To complement the "limited use" obligation on the National Cyber Security Centre (NCSC) introduced by the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Cth) (IS Bill) amends the Intelligence Services Act 2001 (Cth) (IS Act) to impose a "limited use" obligation to protect the information voluntarily provided by an entity to, or acquired or prepared by, the Australian Signals Directorate (ASD) during an impacted entity's engagement in relation to a cyber security incident.

Summary

What does the "limited use" obligation mean for information shared with the ASD?

Information regarding cyber security incidents voluntarily provided by an entity to the ASD can only be shared by the ASD with other entities for "permitted cyber security purposes". These include:

  • in performing the ASD's functions, assisting the impacted entity to prevent, respond to, mitigate or resolve the cyber security incident;
  • advising the Minister about a cyber security incident;
  • in performing the functions of various Commonwealth or State bodies; and
  • in performing the functions of a Commonwealth enforcement body.

Whose information does this obligation impact?

The "limited use" obligation applies to information provided by an "entity".

An "entity" under the IS Bill has the same broad definition as in the Cyber Security Bill, meaning an individual, body corporate, partnership, an unincorporated association that has a governing body, a trust, or a responsible entity for a critical infrastructure asset.

How does this affect privileged information?

Providing information to the ASD does not affect a claim of legal professional privilege that may be made in relation to that information in any proceeding under Commonwealth, State or Territory law (including common law and tribunal proceedings).

Can the information be admitted as evidence?

Information provided to the ASD is also not admissible in evidence against the impacted entity in:

  • criminal proceedings (with certain exceptions, such as proceedings that deal with false or misleading information or documents);
  • civil proceedings (other than a civil penalty provision under the IS Bill); and
  • proceedings for a breach of any other Commonwealth, State or Territory law, or tribunal proceedings.

Implications

By assuring entities that information reported to the ASD will not be shared or used for reasons other than a permitted cyber security purpose, the IS Bill seeks to implement a key initiative of the 2023-2030 Australian Cyber Security Strategy: to encourage industry engagement with government in relation to a cyber incident.

This is bolstered by the fact that information disclosed to the ASD does not affect a claim of legal professional privilege in any proceeding, and is not admissible in court or tribunal proceedings, with certain exceptions.

However, whether legal professional privilege still exists, or has been waived, will depend on the circumstances. Impacted entities should therefore consider measures to protect any claim for legal professional privilege when disclosing the relevant information.

Importantly, the limited use obligation is not intended to be a "safe harbour" to shield an impacted entity from legal liability provisions. It also does not preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information gathering powers.

Key takeaways

The imposition of a "limited use" obligation on the ASD under the IS Bill aims to encourage industry engagement with the government by providing assurance that the information reported to the ASD will not be shared or used for reasons other than permitted cyber security purposes. Nevertheless, because the limited use obligation is not intended to be a "safe harbour" to shield an impacted entity from legal liability provisions, and there is still a risk of waiver of legal professional privilege, businesses should still take steps to ensure that such information is protected.

For more information on the legal aspects of the Bill and how to prepare for impending changes, please contact our team of experienced cyber practitioners.

Key contacts

Keely O'Dowd

Special Counsel

Jeffrey Chung

Lawyer