04/10/2022

On 6 April 2022, the Minister for Home Affairs enacted the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) (Application Rules). These Application Rules “switch on” the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) obligations to provide ownership and operational information about certain critical infrastructure assets to the Register of Critical Infrastructure Assets (the Register) following a six-month grace period. Entities that own or operate the following assets must complete their reporting obligations no later than 8 October 2022:

critical infrastructure

Other critical infrastructure assets, such as port, water, electricity, and gas assets, as well as assets privately declared by the Minister, have been subject to Register reporting obligations since the original SOCI Act was enacted in 2018, prior to the SLACI and SLACIP amendments.

Register of Critical Infrastructure Assets Refresher

The Register is designed to assist the Government in understanding who owns, controls, or has access to Australia’s critical infrastructure assets. This helps the Government to have visibility of national security risks and apply mitigations where necessary.

Our previous article, Security of Critical Infrastructure Act (SOCI) reforms – what your business needs to know, explains the requirement under the SOCI Act for “reporting entities” to provide information to the Secretary of the Department of Home Affairs to be recorded on the Register.

The “reporting entities” for an asset are those entities which meet the definition of a “responsible entity” for the asset and / or “direct interest holder” of the asset. An asset may have multiple reporting entities. 

Reporting entity

Responsible entity

  • Responsible entities are sector specific (e.g. the responsible entity for a critical water asset is the water utility that holds the licence, approval or authorisation to provide the service).
  • The responsible entity for an asset is required to provide operational information, including:
  1. the asset’s location;
  2. a description of the area the asset services;
  3. the name, address and domestic/foreign incorporation details of the responsible entity;
  4. the above information for each entity that operates the asset, or part of the asset, on behalf of the responsible entity, and a description of the arrangements under which they operate the asset; and
  5. a description of the arrangements under which certain protected data relating to the asset is maintained (see FAQ section below).
  • Responsible entities must complete the Registration form for the Responsible Entity of a Critical Infrastructure Asset (Responsible Entity Form). After successfully submitting the Responsible Entity Form, the responsible entity will be given the option to complete the Direct Interest Holder Form if applicable.
  • Where a responsible entity fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.

Direct interest holder

  • An entity is a “direct interest holder” in relation to an asset if:
  1. the entity (together with associates) holds an interest of at least 10% in the asset; or
  2. the entity holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.
  • Direct interest holders must provide interest and control information relating to the asset, including:
  1. the entity’s legal name, address and ABN (or other similar business number);
  2. the type and level of interest held in the asset;
  3. information about the influence or control the entity has in relation to the asset;
  4. information about each person appointed to a governing body who has access to networks or systems necessary for the operation or control of the asset;
  5. the name of each other entity that is in a position to directly or indirectly influence or control: (i) the entity; or (ii) any other entity that is in a position to directly or indirectly influence or control the entity; and
  6. for each entity identified in item 5 above, certain corporate details of the entity, information about the type and level of interest held in the asset (if applicable) and information about the influence or control an entity has in relation to the other entities in the chain.
  • Direct interest holders must complete the New registration of a Critical Infrastructure Asset form (Direct Interest Holder Form). After successfully submitting the Direct Interest Holder Form, the direct interest holder will be given the option to complete the Responsible Entity Form if applicable.
  • Where a direct interest holder fails to comply with the information reporting obligations, it will be liable for a civil penalty of up to $11,100 (50 penalty units) per day of contravention, or $55,500 (250 penalty units) if the entity is a corporation.


SOCI Register FAQ

Yes. Section 30 of the SOCI Act allows an entity to satisfy its Register reporting obligations by having another entity (Agent) report on its behalf. Therefore, a reporting entity required by section 23 or 24 of the SOCI Act to give notice or information is taken to have complied with the requirement if an Agent gives the notice or information, in accordance with that section, on the reporting entity’s behalf.

However, a separate Register form must be submitted by the Agent for each registration it completes; the Agent cannot bundle multiple reporting entities’ registrations into the same submission. The information submitted to the Register may be very repetitive, as each reporting entity is required to report on the chain of other entities in its ownership structure. Merely listing another entity in the Direct Interest Holder Form as having the ability to directly or indirectly influence or control the entity that is submitting its registration does not satisfy the registration obligations of that other entity as a reporting entity.


Section 25 of the SOCI Act contemplates cases where a reporting entity cannot obtain all information it is required to submit to the Register. Where a reporting entity uses best endeavours to obtain the information and it is not able to obtain the information, then the asset reporting obligations pursuant to section 23 and 24 do not apply in relation to that information. The onus of proof is on the reporting entity to demonstrate that it used best endeavours to obtain the information, if it wishes to rely on this exception.

Entities may need to rely on this section where a reporting entity has a particularly complicated and opaque ownership structure. For example, a shareholder of a direct interest holder might refuse to disclose its ownership structure despite the direct interest holder’s best endeavours, with the result that the direct interest holder could not assess which entities have the ability to directly or indirectly influence or control the shareholder.


Section 17 of the Security of Critical Infrastructure (Definitions) Rules 2021 (Cth) (Rules) sets out the types of data for which maintenance arrangements must be reported, namely:

  1. data that relates to the critical infrastructure asset;
  2. data that is maintained by an entity that is not the responsible entity for the asset; and
  3. data that is any of the following:
  • personal information (as that term is defined in the Privacy Act 1988 (Cth) (Privacy Act)) of at least 20,000 persons;
  • sensitive information (as that term is defined in the Privacy Act);
  • information about research and development related to the critical infrastructure asset;
  • information about any systems needed to operate the critical infrastructure asset;
  • information about risk management and business continuity for the critical infrastructure asset;
  • information about consumers, and consumption, of payment system services produced or supplied by the critical infrastructure asset.

The responsible entity must provide a description of the arrangements under which data prescribed by the Rules (set out above), relating to the asset, is maintained. The description of the arrangements must include:

  1. the name of the entity maintaining the data;
  2. their ABN (or similar business number), address and country of incorporation;
  3. the address where the data is held, i.e. the location of the computers or servers, whether or not it is a cloud service;
  4. where the data is held using a cloud service, the name of the cloud service; and
  5. the kind of data maintained.

Authors: Lesley Sutton, Claire Harris, Sara Liu
