On 6 April 2022, the Minister for Home Affairs enacted the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Application Rules). These Application Rules “switch on” the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) obligations to provide ownership and operational information about certain critical infrastructure assets to the Register of Critical Infrastructure Assets (the Register) following a six month grace period. Entities that own or operate the following assets must complete their reporting obligations no later than 8 October 2022:
Other critical infrastructure assets, such as port, water, electricity, and gas assets, as well as assets privately declared by the Minister, have been subject to Register reporting obligations since the original SOCI Act commenced in 2018, prior to the amendments made by the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SLACI) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) (SLACIP).
Register of Critical Infrastructure Assets Refresher
The Register is designed to assist the Government in understanding who owns, controls, or has access to Australia’s critical infrastructure assets. This helps the Government to have visibility of national security risks and apply mitigations where necessary.
Our previous article, Security of Critical Infrastructure Act (SOCI) reforms – what your business needs to know, explains the requirement under the SOCI Act for “reporting entities” to provide information to the Secretary of the Department of Home Affairs to be recorded on the Register.
The “reporting entities” for an asset are those entities that meet the definition of a “responsible entity” for the asset and/or a “direct interest holder” in the asset. An asset may have multiple reporting entities.
SOCI Register FAQ
Can another entity report to the Register on a reporting entity’s behalf?
Yes. Section 30 of the SOCI Act allows an entity to satisfy its Register reporting obligations by having another entity (Agent) report on its behalf. A reporting entity that is required by section 23 or 24 of the SOCI Act to give notice or information is taken to have complied with that requirement if an Agent gives the notice or information, in accordance with that section, on the reporting entity’s behalf.
However, the Agent must submit a separate Register form for each reporting entity it acts for; it cannot bundle multiple reporting entities’ registrations into a single submission. The information submitted to the Register may be highly repetitive, because each reporting entity is required to report on the chain of other entities in its ownership structure. Merely listing another entity in the Direct Interest Holder Form as having the ability to directly or indirectly influence or control the entity submitting the registration does not satisfy that other entity’s own registration obligations as a reporting entity.
Section 25 of the SOCI Act contemplates cases where a reporting entity cannot obtain all of the information it is required to submit to the Register. Where a reporting entity uses its best endeavours to obtain the information and is still unable to obtain it, the reporting obligations under sections 23 and 24 do not apply in relation to that information. A reporting entity that wishes to rely on this exception bears the onus of demonstrating that it used its best endeavours to obtain the information, so it should keep a record of the requests it made and the responses it received.
Entities may need to rely on this section where an asset has a particularly complicated or opaque ownership structure. For example, a shareholder of a direct interest holder may refuse to disclose its own ownership structure despite the direct interest holder’s best endeavours, leaving the direct interest holder unable to assess which entities have the ability to directly or indirectly influence or control that shareholder.
Section 17 of the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Rules) sets out the types of data for which maintenance arrangements must be reported. All three of the following conditions must be met. The data must be:
- data that relates to the critical infrastructure asset;
- data that is maintained by an entity that is not the responsible entity for the asset; and
- data that is any of the following:
  - personal information (as that term is defined in the Privacy Act 1988 (Cth) (Privacy Act)) of at least 20,000 persons;
  - sensitive information (as that term is defined in the Privacy Act);
  - information about research and development related to the critical infrastructure asset;
  - information about any systems needed to operate the critical infrastructure asset;
  - information about risk management and business continuity for the critical infrastructure asset;
  - information about the consumers, and the consumption, of payment system services produced or supplied by the critical infrastructure asset.
The responsible entity must provide a description of the arrangements under which data prescribed by the Rules (set out above), relating to the asset, is maintained. The description of the arrangements must include:
- the name of the entity maintaining the data;
- their ABN (or similar business number), address and country of incorporation;
- the address where the data is held, i.e. the location of the computers or servers, whether or not a cloud service is used;
- where data is held using a cloud service – the name of the cloud service; and
- the kind of data maintained.
Authors: Lesley Sutton, Claire Harris, Sara Liu