Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024: Furthering the limited use obligation

Cyber reforms: Cyber Security Legislative Package 2024

To complement the "limited use" obligation on the National Cyber Security Coordinator (NCSC) introduced by the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Cth) (IS Bill) amends the Intelligence Services Act 2001 (Cth) (IS Act) to impose a "limited use" obligation to protect the information voluntarily provided by an entity to, or acquired or prepared by, the Australian Signals Directorate (ASD) during an impacted entity's engagement in relation to a cyber security incident.

Summary

What does the "limited use" obligation mean for information shared with the ASD?

Information regarding cyber security incidents voluntarily provided by an entity to the ASD can only be shared by the ASD with other entities for "permitted cyber security purposes". These include:

• in performing the ASD's functions, assisting the impacted entity to prevent, respond to, mitigate or resolve the cyber security incident;
• advising the Minister about a cyber security incident;
• in performing the functions of various Commonwealth or State bodies; and
• in performing the functions of a Commonwealth enforcement body.

Whose information does this obligation impact?

The "limited use" obligation applies to information provided by an "entity".

An "entity" under the IS Bill has the same broad definition as in the Cyber Security Bill, meaning an individual, body corporate, partnership, an unincorporated association that has a governing body, a trust, or a responsible entity for a critical infrastructure asset.

How does this affect privileged information?

Providing information to the ASD does not affect a claim of legal professional privilege that may be made in relation to that information in any proceeding under Commonwealth, State or Territory law (including common law and tribunal proceedings).

Can the information be admitted as evidence?

Information provided to the ASD is also not admissible in evidence against the impacted entity in:

• criminal proceedings (with certain exceptions, such as proceedings that deal with false or misleading information or documents);
• civil proceedings (other than a civil penalty provision under the IS Bill);
• proceedings for a breach of any other Commonwealth, State or Territory law, or tribunal proceedings.

Implications

By assuring entities that information reported to the ASD will not be shared or used for reasons other than a permitted cyber security purpose, the IS Bill seeks to implement a key initiative of the 2023-2030 Australian Cyber Security Strategy ─ to encourage industry engagement with government in relation to a cyber incident.

This is bolstered by the fact that information disclosed to the ASD does not affect a claim of legal professional privilege in any proceeding, and is not admissible in court or tribunal proceedings, with certain exceptions.

However, whether legal professional privilege still exists or is not waived will depend on the circumstances. Impacted entities should therefore consider measures to protect any claim for legal professional privilege when disclosing the relevant information.

Importantly, the limited use obligation is not intended to be a "safe harbour" to shield an impacted entity from legal liability provisions. It also does not preclude other government agencies, including regulators, from seeking or acquiring such information directly from entities under existing information gathering powers.

Key takeaways

The imposition of a "limited use" obligation on the ASD under the IS Bill aims to encourage industry engagement with the government by providing assurance that the information reported to the ASD will not be shared and used for reasons other than permitted cyber security purposes. Nevertheless, in circumstances where the limited use obligation is not intended to be a "safe harbour" to shield an impacted entity from legal liability provisions and there is still a risk of waiver of legal professional privilege, businesses should still take steps to ensure that such information is protected.

For more information on the legal aspects of the Bill and how to prepare for impending changes, please contact our team of experienced cyber practitioners.