Commonwealth Numbered Acts

CYBER SECURITY ACT 2024 (NO. 98, 2024) - SECT 55

Permitted use and disclosure

  (1)   The Board may make a record of, use or disclose information provided by an entity, Commonwealth body or State body under section   48, 49 or 51 but only:

  (a)   for the purposes of one or more of the following:

  (i)   performing functions or exercising powers under this Part or Part   6 as it applies to this Part;

  (ii)   proceedings under, or arising out of, section   137.1 or 137.2 of the Criminal Code (false and misleading information and documents) that relate to this Act;

  (iii)   proceedings for an offence against section   149.1 of the Criminal Code (which deals with obstruction of Commonwealth public officials) that relates to this Act;

  (iv)   the performance of the functions of a Commonwealth body relating to responding to, mitigating or resolving a cyber security incident;

  (v)   the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident;

  (vi)   informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident;

  (vii)   the performance of the functions of an intelligence agency; or

  (b)   as otherwise authorised by a provision of this Part.

Note:   Certain information must not be disclosed to a State body under Parts of this Act unless a Minister of the State or Territory has consented to those Parts applying to the State body: see section   11.

Restriction on use and disclosure for civil or regulatory action

  (2)   However, the Board must not make a record of, use or disclose the information for the purposes of investigating or enforcing, or assisting in the investigation or enforcement of, any contravention by the entity or body of a Commonwealth, State or Territory law other than:

  (a)   a contravention by the entity or body of this Part; or

  (b)   a contravention by the entity or body of a law that imposes a penalty or sanction for a criminal offence.

Note:   See also section   58 in relation to admissibility of the information in proceedings.

Interaction with the Privacy Act 1988

  (3)   Subsection   (1) does not authorise the Board to record, use or disclose the information to the extent that it is prohibited or restricted by or under the Privacy Act 1988 .

Information not covered by the prohibitions in this section

  (4)   Subsection   (1) does not prohibit the recording, use or disclosure of information that has already been lawfully made available to the public .