First published: 03 Dec 2024
Last updated: 03 Dec 2024

Content written for: Small & medium business; Large organisations & infrastructure

On 29 November 2024 the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 became law. The Act amended the Intelligence Services Act 2001, adding a new Division (Division 1A of Part 6) that legislates a limited use obligation for ASD. The Act was part of the Cyber Security Legislative Package that included the Cyber Security Act 2024, which has established a separate limited use obligation for the National Cyber Security Coordinator.

The limited use obligation for the Australian Signals Directorate (ASD) has been legislated to add additional protections to the information organisations voluntarily provide to ASD, and to the information acquired or prepared by ASD with the consent of an organisation.

Under ASD’s limited use obligation, any information voluntarily provided to, or acquired or prepared by ASD with your collaboration, about a cyber security incident or potential cyber security incident (including vulnerability information) cannot be used for regulatory purposes. The limited use protections extend to information provided to ASD by entities engaged to act on behalf of the impacted entity. This could include legal representatives or incident response providers.

Further, under the limited use obligation, ASD staff, both former and current, cannot be compelled to provide limited use information in a federal, state or territory court. This means that your organisation can provide information to ASD – understanding the limits on ASD’s use of that information. Our aspiration is that with greater confidence in the protection of your information, ASD will receive more technical information in quicker time – which will help us to improve our cyber security advice and assistance.

The limited use obligation does not change ASD’s ability to provide technical guidance, advice and assistance. Organisations experiencing a cyber security incident, or potential incident, should continue to report it to ASD as soon as it’s detected.

ASD will continue to conduct these activities, including our ability to:

  • Mitigate harms in early stages of cyber incidents through aggregating information derived from diverse sources.
  • Provide incident management advice and assistance to entities affected by a cyber incident.
  • Develop and maintain a comprehensive national cyber threat picture.
  • Identify and provide advice on the mitigation of vulnerabilities affecting an entity’s cyber posture.
  • Provide advance warning of potential threats to Australia and Australia’s interests.

The limited use obligation does not restrict regulators or law enforcement agencies from seeking information relating to a cyber security incident directly using their own separate and existing information gathering powers.

FAQs:

No, ASD is not a regulator. The limited use obligation has been introduced in addition to our current protections (such as being exempt from the Freedom of Information Act 1982) to provide legislative protections ensuring that your information cannot be used for regulatory purposes. The limited use obligation further ensures that your information cannot be admitted as evidence in criminal or civil proceedings against you when it is held by a Commonwealth or State body.

Organisations are still required to be aware of, and adhere to, their mandatory reporting obligations.

Again, ASD is not a regulator and providing information under limited use does not acquit your regulatory reporting responsibilities. However, where mandatory reporting is submitted through cyber.gov.au and with your consent, ASD can facilitate the sharing of these mandatory reports to the regulator.

ASD can also use your report to provide you with confidential cyber security advice and assistance.

No, the limited use protection does not expire.

However, if information covered under the limited use obligation is made lawfully publicly available, the protections no longer apply.

For example, if your organisation makes a public statement confirming that you have been impacted by a cyber security incident, the information within your statement is no longer protected by the limited use obligation, as your organisation has made it lawfully publicly available.

ASD shares cyber security incident information to warn, uplift and protect Australians. Where possible, this information is completely anonymised so that the impacted organisation cannot be identified. However, if an organisation is reasonably identifiable from particular information, the information will be covered under limited use protections.

On 25 November 2024, the Australian Government passed the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024. The Act amended the Intelligence Services Act 2001, legislating a limited use obligation for ASD. The Act was part of the Cyber Security Legislative Package that included the Cyber Security Act 2024, which has established a separate limited use obligation for the National Cyber Security Coordinator.

More information on the limited use obligation is available in the Intelligence Services Act 2001.
