On 27 November the Attorney-General and the Minister for Communications and the Arts released a second exposure draft of the Telecommunications and Other Legislation Amendment Bill (the Bill) for public comment, along with the revised explanatory memorandum and draft industry guidelines.
The Bill and explanatory memorandum were revised to incorporate feedback received from the first exposure draft process on the draft Bill. The second consultation process provides a further opportunity for industry and interested persons to consider the details of the proposed reform, including the draft administrative guidelines which will underpin implementation of the regulatory requirements placed on industry.
Written feedback on the exposure draft Bill, explanatory memorandum or draft administrative guidelines must be received by 18 January 2016.
Overview of the Bill
The Bill will amend the Telecommunications Act 1997 (the Telecommunications Act) to strengthen the current framework for managing national security risks to Australia's telecommunications networks.
National security risks in the form of espionage, sabotage, and foreign interference can arise in the global supply chain for telecommunications equipment, services, or the outsourcing of sensitive network management functions. It is vital that these security risks are managed to protect the availability and integrity of telecommunications networks and systems and the confidentiality of information stored and carried on these networks and systems.
The Bill formalises and enhances existing information sharing and relationships between government and telecommunications carriers and carriage service providers (C/CSPs) to ensure greater consistency, transparency and accountability for managing national security risks across all parts of the telecommunications sector. Key elements of the Bill include:
- establishing a security obligation, applicable to all C/CSPs, requiring them to do their best to protect their networks from unauthorised access and interference
- requiring carriers and some carriage service providers to notify security agencies of planned key changes to networks and services that could compromise their ability to comply with the security obligation
- empowering the Secretary of the Attorney-General's Department to request information from C/CSPs to monitor compliance with the security obligation
- providing the Attorney-General with a power to issue a C/CSP a direction requiring them to do or refrain from doing a specified thing to manage security risks
- expanding the operation of existing civil enforcement mechanisms in the Telecommunications Act to address non-compliance with the security obligation, notification requirement, information requests and directions.
Amendments made following the June 2015 public consultation
A first exposure draft of the Telecommunications and Other Legislation Amendment Bill, the explanatory memorandum and regulatory impact statement were released for public comment between 26 June and 31 July 2015.
The government received detailed feedback during this public consultation. A number of changes have been made to improve the operation of the proposed legislation in response to this feedback. These include providing additional safeguards to govern the use of the proposed regulatory powers and clarifying the intended scope and application of requirements to be imposed on telecommunications providers, including by creating a standalone notification provision within the Telecommunications Act instead of using the existing notification requirement in the Telecommunications (Interception and Access) Act 1979.
Key changes to the Bill include:
- The scope of the security obligation to protect telecommunications networks from unauthorised access and interference has been clarified and narrowed.
- The power to issue directions to C/CSPs has been vested in the Attorney-General instead of the Secretary of the Attorney-General's Department.
- The threshold for the exercise of the directions powers has been increased by:
  - requiring an adverse security assessment to be furnished by ASIO
  - requiring the Attorney-General to be satisfied that the activity is prejudicial to security
  - requiring the Attorney-General to be satisfied that all reasonable steps have been taken to negotiate a security outcome in good faith.
- Additional safeguards have been added to the exercise of the directions powers, by requiring the Attorney-General to:
  - consult with the affected company and the Minister for Communications
  - take into account factors such as the impact of a direction on the company, their customers and the market in addition to security considerations.
- The threshold for exercise of the information gathering power has been increased by imposing a higher test for exercising the power and limiting the Secretary's ability to delegate the power to the Director-General of ASIO.
- Additional safeguards have been included to protect the confidentiality of commercially sensitive information obtained through the exercise of the information gathering power, including by de-identifying company information to be shared outside of the Australian Government.
- Directions issued by the Attorney-General (including the existing direction power to cease a service) will now be reviewable under the Administrative Decisions (Judicial Review) Act 1977.
- The operation of the notification requirement will now be clearer, more transparent and impose less regulatory burden on industry by:
  - creating a notification provision in the Telecommunications Act (instead of relying on the existing notifications regime in the Telecommunications (Interception and Access) Act 1979)
  - providing that a C/CSP may be exempted from the notification requirement or that parts of a C/CSP's business may be exempted from the notification requirement
  - allowing a C/CSP to submit a security plan instead of individual notifications of changes to telecommunications systems
  - outlining the processes for assessing security risks in notifications
- The implementation timeframe will be increased from six months to 12 months from Royal Assent.
The proposed legislation continues to reflect the approach that was recommended by the Parliamentary Joint Committee on Intelligence and Security in 2013.
The explanatory memorandum has also been significantly revised to reflect the above changes to the Bill, and provide further clarity and information on the proposed operation of the legislative provisions and policy intention. Further information has been provided about the scope and operation of civil and criminal immunity protections, and the interaction between confidentiality requirements under the security obligation and existing Privacy Act requirements.
The regulatory framework would be supported by administrative guidelines which will provide practical advice to C/CSPs on what is expected of them in complying with the security obligation and notification requirement. The guidelines will help C/CSPs understand which parts of their networks are particularly vulnerable to espionage, sabotage and foreign interference, and will provide guidance on the controls and measures that can be implemented to manage these vulnerabilities.
The guidelines will be a living document and will be updated from time to time to address changes in the operating and threat environments. The guidelines are intended to be used by all parts of a telecommunications company, from technical security officers through to board members, to guide investment decision making.
The government is also seeking comments on a draft version of the guidelines as part of this public consultation:
Making a submission
Unless otherwise notified, submissions will be made available on the Telecommunications security page to inform the public debate about the proposal. Individuals and organisations should indicate whether or not they consent to having their submission published on this website at the time of providing their submission using the following template:
In meeting the Australian Government's commitment to enhancing the accessibility of published material, the Attorney-General's Department will only publish submissions to this website that have been submitted electronically. We request that individuals and organisations provide submissions in a Microsoft Word (DOC), Rich Text Format (RTF) or TXT format, as well as PDF format.
Please limit individual file size to less than 5MB. The department may create PDF documents from a DOC, RTF or TXT format. Hardcopy submissions received by mail will still be considered; however, they may not be published on the website. Submissions may be the subject of a request for access under the Freedom of Information Act 1982.
Submissions on the Bill should be emailed to email@example.com or posted to:
Cyber and Identity Security Policy Branch
3-5 National Circuit
BARTON ACT 2600
Submissions must be received by 18 January 2016.