Commonwealth Numbered Acts Commonwealth Numbered Acts(1) This section applies if:
(a) an incident has occurred, is occurring or is imminent; and
(b) an entity (the impacted entity ) provides information to the National Cyber Security Coordinator in relation to the incident; and
(c) the incident either:
(i) is not a cyber security incident; or
(ii) is a cyber security incident but is not a significant cyber security incident.
Permitted use and disclosure
(2) The National Cyber Security Coordinator may make a record of, use or disclose the information provided by the impacted entity but only for the purposes of one or more of the following:
(a) directing the impacted entity to other services that may assist the entity to respond to, mitigate, or resolve the incident;
(b) if the incident is a cyber security incident--coordinating the whole of Government response to the cyber security incident where the National Cyber Security Coordinator considers such a response is necessary;
(c) if the incident is a cyber security incident--informing and advising the Minister, and other Ministers of the Commonwealth, about the cyber security incident.
Restriction on use and disclosure for civil or regulatory action
(3) However, the National Cyber Security Coordinator must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the impacted entity of this Part; or
(b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Note: See also section 42 in relation to admissibility of the information in proceedings against the impacted entity.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the National Cyber Security Coordinator to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988 .
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit the recording, use or disclosure of the following information:
(a) information that has been provided by, or on behalf of, the impacted entity to the Commonwealth about the cyber security incident to comply with:
(i) a requirement in Part 3 of this Act; or
(ii) a requirement in Part 2B of the Security of Critical Infrastructure Act 2018 ; or
(iii) a requirement under the Telecommunications Act 1997 ; or
(iv) a requirement under a law prescribed by the rules;
(b) information that has been provided voluntarily to the National Cyber Security Coordinator by, or on behalf of, the impacted entity, other than under this Part;
(c) information that has already been lawfully made available to the public.