CTH | In Force | Act
Intelligence Services Act 2001
#### 41BC Limitations on secondary use and communication of limited cyber security information
(1) This section applies to limited cyber security information that:
(a) has been acquired, under subsection 41BB(1) or this section, by:
(i) a Commonwealth body; or
(ii) a State body; or
(iii) an entity that is a corporation to which paragraph 51(xx) of the Constitution applies; and
(b) is held by the Commonwealth body, State body or entity.
> Note: This section does not apply to information held by the Commonwealth body, State body or entity, to the extent that it has been otherwise acquired.
(2) The Commonwealth body, State body or entity may use or communicate the limited cyber security information but only for the purposes of one or more of the following:
(a) informing and advising the Minister, and other Ministers of the Commonwealth, about a cyber security incident or a cyber security incident that may potentially occur;
(b) the performance of the functions of a Commonwealth body (to the extent that it is not a Commonwealth enforcement body) relating to responding to, mitigating or resolving a cyber security incident or a cyber security incident that may potentially occur;
(c) the performance of the functions of a State body relating to responding to, mitigating or resolving a cyber security incident (within the meaning of the Cyber Security Act 2024);
(d) the performance of the functions of the National Cyber Security Coordinator under Part 4 of the Cyber Security Act 2024 in relation to a cyber security incident (within the meaning of that Act);
(e) the performance of the functions of ASD, ASIS, AGO, the Australian Security Intelligence Organisation, the Defence Intelligence Organisation or the Office of National Intelligence;
(f) the performance of the functions of the Inspector‑General of Intelligence and Security;
(g) the performance of the functions of the agency known as the Australian Criminal Intelligence Commission established by the Australian Crime Commission Act 2002;
(h) the performance of the functions of a Commonwealth enforcement body.
> Note: Information must not be communicated to a State body under this Division unless a Minister of the State or Territory has consented to this Division applying to the State body: see subsection 41BD(4).
Restriction on use and communication for civil or regulatory action
(3) However, the Commonwealth body, State body or entity must not use or communicate the information for the purposes of investigating or enforcing, or assisting the investigation or enforcement of, any contravention of a Commonwealth, State or Territory law that:
(a) is a contravention by the impacted entity that:
(i) originally voluntarily provided the information to ASD as referred to in paragraph 41BA(2)(a); or
(ii) consented to the information being acquired or prepared by ASD as referred to in paragraph 41BA(2)(b); or
(iii) originally voluntarily provided the information to the National Cyber Security Coordinator under subsection 35(2), or as referred to in subsection 39(1), of the Cyber Security Act 2024; and
(b) is not a contravention by the impacted entity of:
(i) this Division; or
(ii) a law that imposes a penalty or sanction for a criminal offence.
> Note: See also section 41BF in relation to admissibility of the information in proceedings.
Interaction with this Act
(4) Subsection (2) does not authorise the Commonwealth body, State body or entity to use or communicate the information to the extent that it is prohibited or restricted by or under this Act.
Information not covered by the prohibitions in this section
(5) Subsection (2) does not prohibit:
(a) use or communication of the limited cyber security information, by the Commonwealth body, State body or entity, with the consent of the impacted entity that:
(i) originally voluntarily provided the limited cyber security information to ASD as referred to in paragraph 41BA(2)(a); or
(ii) consented to the limited cyber security information being acquired or prepared by ASD as referred to in paragraph 41BA(2)(b); or
(iii) originally voluntarily provided the limited cyber security information to the National Cyber Security Coordinator under subsection 35(2), or as referred to in subsection 39(1), of the Cyber Security Act 2024; or
(b) use or communication of information for the purposes of carrying out a State’s constitutional functions, powers or duties.
Civil penalty for contravention of this section
(6) An entity is liable to a civil penalty if:
(a) the entity contravenes subsection (2); and
(b) the entity is not a Commonwealth officer (within the meaning of Part 5.6 of the Criminal Code); and
(c) any of the following applies:
(i) the information is sensitive information (within the meaning of the Privacy Act 1988) about an individual and the individual has not consented to the use or communication of the information;
(ii) the information is confidential or commercially sensitive;
(iii) the use or communication of the information would, or could reasonably be expected to cause, damage to the security, defence or international relations of the Commonwealth.
> Note 1: See the Criminal Code for offences for Commonwealth officers.
> Note 2: This section does not make the Crown (other than an authority of the Crown) liable to a civil penalty, see section 41BD.
> Note 3: For the application of provisions of the Regulatory Powers (Standard Provisions) Act 2014 to this Division, see Part 6 of the Cyber Security Act 2024.
Civil penalty: 60 penalty units.