41BBLimited cyber security information can only be communicated by ASD for permitted cyber security purposes

#### 41BB Limited cyber security information can only be communicated by ASD for permitted cyber security purposes (1) The Director‑General of ASD, or a staff member of ASD, may communicate limited cyber security information to a person who is not the Director‑General of ASD, or a staff member of ASD, but only for the purposes of one or more of the following: (a) the performance of any of ASD’s functions under this Act including, for example: (i) assisting, in the performance of ASD’s functions, the impacted entity (referred to in paragraph 41BA(2)(a) or (b)) to respond to, mitigate or resolve the cyber security incident or the cyber security incident that may potentially occur; or (ii) providing technical advice and assistance, in the performance of ASD’s functions, to entities on the prevention of cyber security incidents or cyber security incidents that may potentially occur; (b) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident or a cyber security incident that may potentially occur; (c) the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving a cyber security incident or a cyber security incident that may potentially occur; (d) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident (within the meaning of the Cyber Security Act 2024); (e) the performance of the functions of the National Cyber Security Coordinator under Part 4 of the Cyber Security Act 2024 in relation to a cyber security incident (within the meaning of that Act); (f) the performance of the functions of ASIS, AGO, the Australian Security Intelligence Organisation, the Defence Intelligence Organisation or the Office of National Intelligence; (g) the performance of the functions of the Inspector‑General of Intelligence and Security; (h) the performance of the functions of the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002; (i) the performance of the functions of a Commonwealth enforcement body. > Note: Information must not be communicated to a State body under this Division unless a Minister of the State or Territory has consented to this Division applying to the State body: see subsection 41BD(4). Restriction on use and communication for civil or regulatory action (2) However, the Director‑General of ASD, or a staff member of ASD, must not communicate the information for the purposes of investigating or enforcing, or assisting the investigation or enforcement, of any contravention of a Commonwealth, State or Territory law that: (a) is a contravention by the impacted entity that: (ii) originally voluntarily provided the information to ASD as referred to in paragraph 41BA(2)(a); or (ii) consented to the information being acquired or prepared by ASD as referred to in paragraph 41BA(2)(b); or (iii) originally voluntarily provided the information to the National Cyber Security Coordinator under subsection 35(2), or as referred to in subsection 39(1), of the Cyber Security Act 2024; and (b) is not a contravention by the impacted entity of: (i) this Division; or (ii) a law that imposes a penalty or sanction for a criminal offence. > Note: See also section 41BF in relation to admissibility of the information in proceedings. Interaction with this Act (3) Subsection (1) does not authorise the Director‑General of ASD, or a staff member of ASD, to communicate the information to the extent that it is prohibited or restricted by or under this Act.