(1) This section applies to information that:
(a) has been provided by, or on behalf of, an entity (the impacted entity) under subsection 35(2) or as referred to in subsection 39(1); and
(b) has been obtained by another entity, a Commonwealth body (other than ASD) or a State body under subsection 38(1) or 39(2) or this section; and
(c) is held by the other entity, Commonwealth body or State body.
Note 1: This section does not apply to the information to the extent that it has been otherwise obtained by the other entity, Commonwealth body or State body.
Note 2: For ASD, see Division 1A of Part 6 of the Intelligence Services Act 2001.
Permitted use and disclosure
(2) The other entity, Commonwealth body or State body may make a record of, use or disclose the information but only for the purposes of one or more of the following:
(a) assisting the impacted entity, and other entities acting on behalf of the impacted entity, to respond to, mitigate or resolve the cyber security incident;
(b) a permitted cyber security purpose for a cyber security incident.
Note: For permitted cyber security purpose for a cyber security incident: see section 10.
Restriction on use and disclosure for civil or regulatory action
(3) However, the other entity, Commonwealth body or State body must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the impacted entity of a Commonwealth, State or Territory law other than:
(a) a contravention by the impacted entity of this Part; or
(b) a contravention by the impacted entity of a law that imposes a penalty or sanction for a criminal offence.
Interaction with the Privacy Act 1988
(4) Subsection (2) does not authorise the other entity, Commonwealth body or State body to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) recording, use or disclosure of information referred to in subsection 38(4) or 39(5); or
(b) if the other entity is an individual--recording, use or disclosure of personal information about the individual; or
(c) recording, use or disclosure of the impacted entity's own information, with the consent of the impacted entity, by another entity, a Commonwealth body or a State body; or
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer; and
(c) any of the following applies:
(i) the information is sensitive information about an individual and the individual has not consented to the record, use or disclosure of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the record, use or disclosure of the information would, or could reasonably be expected to, cause damage to the security, defence or international relations of the Commonwealth.
Note 1: See the Criminal Code for offences for Commonwealth officers.
Note 2: This Act does not make the Crown (other than an authority of the Crown) liable to a civil penalty.
Civil penalty: 60 penalty units.