The Register of Critical Infrastructure Assets will address gaps in the Government’s understanding of who owns and controls critical infrastructure assets. The register will collect this information which is currently not available to Government outside the foreign investment review process. This information is crucial in assessing the potential risks of sabotage, espionage and coercion in Australia’s critical infrastructure assets and will allow the Critical Infrastructure Centre to better target where more detailed risk assessments should be conducted.
The register is designed to improve knowledge so that the Government can proactively assess national security risks related to an asset, and mitigations can be put in place where necessary.
The 2 types of entities required to provide information for the register are: a responsible entity and a direct interest holder.
responsible entity for an asset is the entity with oversight of operational responsibility for the asset, i.e. the entity that holds the license or approval to operate the asset (defined in
section 5 of Security of Critical Infrastructure Act 2018). The definition of responsible entity has sector specific meanings and effectively applies to:
- a critical electricity or gas asset or water asset, the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset
- a critical port, the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port
direct interest holder is:
- any entity, together with an associate or associates, that jointly holds an interest of at least 10 per cent in a critical infrastructure asset, or
- an entity that holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset (defined in
section 8 of the Security of Critical Infrastructure Act 2018)
Direct interest holders are required to report information on intermediate and ultimate holding entities (these entities are not considered direct interest holders).
The definition ensures that the obligation to report ownership information sits with the entities best placed to report that information and all relevant influence or control details are reported.
Information provided to the register
Responsible entities are required to report 'operational information', including:
- the location of the asset
- a description of the area the asset services
- the name, address, domestic/foreign incorporation details of the responsible entity
- the above information for each entity that operates the asset, or part of the asset on behalf of the responsible entity
Direct interest holders are required to report 'interest and control information', including:
- the entity’s legal name, address and ABN (or other similar business number)
- the type and level of interest held in the asset
- information about the influence or control the entity has in relation to the asset
- information about the influence or control an entity has in relation to another entity that has influence or control
Given the centre is interested in any entity that is ultimately in a position to influence or control the asset, the definition of ‘interest and control information’ also includes the above details in relation to any other entity that is able to influence or control the direct interest holder.
This information will assist the Government to identify the degree of foreign control or operation of critical infrastructure assets, including any outsourcing and/or offshoring arrangements.
Existing registers at both the state and territory, and Commonwealth levels do not capture the sort of ownership and operational information required by the Government to clearly understand who has control and influence over a critical infrastructure asset.
Existing registers are also built on varying definitions of critical infrastructure, and may not be updated as required for the purposes of Security of Critical Infrastructure Act 2018 (the Act).
However, in accordance with
recommendation 2 in the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Act, the Department of Home Affairs will consider options to streamline the provision of information required for the Act where that information is already provided by industry to Government for other purposes.
Penalties for non-compliance
Where a reporting entity fails to comply with the obligations to provide information for the register, it will be liable to a civil penalty up to 50 civil penalty units (section 23 of the Security of Critical Infrastructure Act 2018). This penalty equates to $10,500 per day of contravention.
The Government may also seek a performance injunction to compel the entity to register its information, or propose an enforceable undertaking with the entity.
Protection of information
The Security of Critical Infrastructure Act 2018 (the Act) makes it an offence to disclose any information obtained under the Act, including information provided on the register, or information obtained using the information gathering powers. This recognises the likely sensitive nature or commercial in confidence nature of information obtained under the Act.
The Department of Home Affairs Secretary has the discretion to disclose information to particular Commonwealth and state ministers and officials for certain specified purposes, including national security, foreign investment, taxation, industry, promoting investment, defence and sector responsibilities. This is important as the information obtained may be relevant for broader purposes.
Any information shared under the legislation can only be used for the purpose for which it was shared. In accordance with
recommendation 6 in the Parliamentary Joint Committee on Intelligence and Security’s Advisory report, further clarity is provided in the explanatory memorandum to ensure that the Secretary will consider whether any disclosure of protected information is consistent with the objects of the Act and proportionate to the sensitivity of the information disclosed.