Commonwealth Numbered Acts


CYBER SECURITY ACT 2024 (NO. 98, 2024) - SECT 30

Limitations on secondary use and disclosure of information in ransomware payment reports

  (1)   This section applies to information that:

  (a)   has been provided in a ransomware payment report by a reporting business entity; and

  (b)   has been obtained by another entity, Commonwealth body or State body under subsection 29(1) or this section; and

  (c)   is held by the other entity, Commonwealth body or State body.

Note:   This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.

Permitted use and disclosure

  (2)   The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:

  (a)   assisting the reporting business entity, and other entities acting on behalf of the reporting business entity, to respond to, mitigate or resolve the cyber security incident;

  (b)   performing functions or exercising powers under this Part or Part 6 as it applies to this Part;

  (c)   proceedings under, or arising out of, section 137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;

  (d)   proceedings for an offence against section 149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;

  (e)   the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;

  (f)   the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;

  (g)   the performance of the functions of the National Cyber Security Coordinator under Part 4 relating to a cyber security incident;

  (h)   informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;

  (i)   the performance of the functions of an intelligence agency.

Restriction on use and disclosure for civil or regulatory action

  (3)   However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention, by the reporting business entity, of a Commonwealth, State or Territory law other than:

  (a)   a contravention by the reporting business entity of this Part; or

  (b)   a contravention by the reporting business entity of a law that imposes a penalty or sanction for a criminal offence.

Interaction with the Privacy Act 1988

  (4)   Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.

Information not covered by the prohibitions in this section

  (5)   Subsection (2) does not prohibit:

  (a)   recording, use or disclosure of information referred to in subsection 29(4); or

  (b)   if the other entity is an individual--recording, use or disclosure of personal information about the individual; or

  (c)   recording, use or disclosure of the reporting business entity's own information, with the consent of the reporting business entity, by another entity, a Commonwealth body or a State body; or

  (d)   recording, use or disclosure of information for the purposes of carrying out a State's constitutional functions, powers or duties.

Civil penalty for contravention of this section

  (6)   An entity is liable to a civil penalty if:

  (a)   the entity contravenes subsection (2); and

  (b)   the entity is not a Commonwealth officer; and

  (c)   any of the following applies:

  (i)   the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;

  (ii)   the information is confidential or commercially sensitive;

  (iii)   the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.

Note 1:   See the Criminal Code for offences for Commonwealth officers.

Note 2:   This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.

Civil penalty:   60 penalty units.


