On 29 November 2024 the Intelligence Services and Other Legislation Amendment (Cyber Security) Act 2024 became law. The Act amended the Intelligence Services Act 2001, adding a new Division 1A to Part 6 that legislates a limited use obligation for ASD. The Act was part of the Cyber Security Legislative Package that included the Cyber Security Act 2024, which has established a separate limited use obligation for the National Cyber Security Coordinator.
The limited use obligation for the Australian Signals Directorate (ASD) has been legislated to provide additional protections for the information organisations voluntarily provide to ASD, and for the information acquired or prepared by ASD with the consent of an organisation.
Under ASD’s limited use obligation, any information voluntarily provided to, or acquired or prepared by ASD with your collaboration, about a cybersecurity incident or potential cybersecurity incident (including vulnerability information) cannot be used for regulatory purposes. The limited use protections extend to information provided to ASD by entities engaged to act on behalf of the impacted entity. This could include legal representatives or incident response providers.
Further, under the limited use obligation, ASD staff, both former and current, cannot be compelled to provide limited use information in a federal, state or territory court. This means that your organisation can provide information to ASD – understanding the limits on ASD’s use of that information. Our aspiration is that with greater confidence in the protection of your information, ASD will receive more technical information, and receive it more quickly – which will help us to improve our cybersecurity advice and assistance.
The limited use obligation does not change ASD’s ability to provide technical guidance, advice and assistance. Organisations experiencing a cybersecurity incident, or potential incident, should continue to report it to ASD as soon as it’s detected.
ASD will continue to conduct these activities, including our ability to:
- Mitigate harms in early stages of cybersecurity incidents through aggregating information derived from diverse sources.
- Provide incident management advice and assistance to entities affected by a cybersecurity incident.
- Develop and maintain a comprehensive national cyberthreat picture.
- Identify and provide advice on the mitigation of vulnerabilities affecting an entity’s cyber posture.
- Provide advance warning of potential threats to Australia and Australia’s interests.
The limited use obligation does not restrict regulators or law enforcement agencies from seeking information relating to a cybersecurity incident directly using their own separate and existing information gathering powers.