Strengthening the National Security of Australia’s Critical Infrastructure – A Discussion Paper — submission to the Critical Infrastructure Centre

27 March 2017

Our reference: 16/000102-03

Australia’s critical infrastructure consultation
Critical Infrastructure Centre
Attorney-General’s Department

Via email: ciccentre@ag.gov.au

To the Critical Infrastructure Centre

OAIC submission on Strengthening the National Security of Australia’s Critical Infrastructure – A Discussion Paper

I welcome the opportunity to provide this submission to the Critical Infrastructure Centre (the Centre) in relation to Strengthening the National Security of Australia’s Critical Infrastructure – A Discussion Paper (the Discussion Paper).

The Discussion Paper provides a high-level outline of the Centre’s plans to respond to the complex and evolving national security risks to Australia’s critical infrastructure. I appreciate the need to ensure the resilience of critical infrastructure in modern Australia, and the role that the Centre has to play in achieving this objective.

I also appreciate the need for the Centre to collaborate with a range of government agencies and private sector organisations. Many of these entities will be subject to the Privacy Act 1988 (Privacy Act). As the technological functions and connective capabilities of Australia’s critical assets continue to evolve, so too does the capacity for these assets to handle a large volume of personal information. For these reasons, privacy must be a consideration in the development and implementation of the Centre’s plans.

My comments below outline some key privacy considerations for the Centre when handling information, particularly regarding the proposal to establish a register of critical infrastructure assets. I also provide some comments about the opportunity for collaboration between the Centre and the OAIC.

Critical Infrastructure Asset Register

The creation of a critical infrastructure assets register (the Register) is a fundamental component of the Centre’s strategy to identify key infrastructure assets and understand the associated risks. To the extent to which the Register will contain personal information, the Australian Privacy Principles (APPs) contained in the Privacy Act will apply to the Centre’s information handling practices, given it is part of the Attorney-General’s Department.

I encourage the Centre to ensure that the collection, use, disclosure, and storage of personal information is conducted in a manner that is not only consistent with the APPs, but also in a way that the community believes is valuable and reasonable. This can help establish a social licence for using data in publicly beneficial ways.

Amongst other APP obligations, it will be incumbent on the Centre to ensure the accuracy of the personal information it collects, and that this personal information is protected by reasonable security safeguards. With this in mind, I suggest that the Centre undertakes a privacy impact assessment prior to the establishment of the Register to ensure that any risks to individuals’ personal information are identified and mitigated.[1] The Centre can continue to use the privacy impact assessment to evaluate the effectiveness of its practices, procedures and systems for handling personal information once the Register is operational.

It is likely that APP obligations will also apply to the entities that will provide information to the Centre for inclusion in the Register. One example of these obligations is that the open and transparent management of personal information mandated by the APPs requires entities to disclose the parties with which they will share personal information. Compliance with this obligation is ultimately a matter for each entity. However, in the interests of privacy best practice, I also suggest that when the Centre solicits information, it ensures each entity is aware of the need to consider their existing APP obligations when providing information for the Register.

National security risk assessments

I welcome the proactive and collaborative approach to mitigating national security risks that the Discussion Paper describes. In particular, I note that the Centre will be developing and implementing national security risk assessments. I provide the following comments by way of background to the OAIC’s regulatory role in conducting privacy assessments, while being mindful that privacy assessments and security assessments are distinct in nature.

The OAIC regularly undertakes privacy assessments of how Australian government agencies and private sector organisations handle personal information. Section 33C of the Privacy Act provides the Commissioner with the power to conduct assessments of APP entities about whether the personal information they hold is being maintained and handled in accordance with the APPs. Some of the OAIC’s recent privacy assessments have involved organisations in what the Discussion Paper identifies as a high-risk sector.

The OAIC generally uses a risk-based assessment methodology, and takes a consultative approach when conducting privacy assessments to maximise the educative value of the assessment process. The OAIC would be happy to discuss its approach to undertaking privacy assessments[2] if the Centre would like additional information, particularly to reduce any risk of duplicative and inconsistent regulation for Australian entities, as highlighted recently in the Belcher Red Tape Review.[3]

If you would like to discuss any of the comments above or have any questions, please contact Paula Cheng on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

22 March 2017

Footnotes

[1] Refer to https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-undertaking-privacy-impact-assessments for more information on undertaking privacy impact assessments.

[2] For more information about the OAIC’s assessment approach, refer to Chapter 7 of the OAIC’s Guide to privacy regulatory action - https://www.oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action/chapter-7-privacy-assessments.

[3] ‘The independent Review of Whole-of-Government Internal Regulation (Belcher Red Tape Review)’, Volume 1, Attachment A: Recommendations, page 25. Refer to https://www.finance.gov.au/publications/reducingredtape/.
