Extending telecommunications security reform instruments

In July 2022, instruments were put in place to require telecommunications carriers and CSPs to provide information to the Register of Critical Infrastructure Assets. This register supports the Australian Government to identify and manage risks to critical infrastructure assets which could cause significant harm to Australia.

The Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021, introducing new positive security obligations for many sectors. These provisions did not cover the telecommunications sector.

On 7 July 2022, the Australian Government created parallel obligations for the telecommunications sector by putting in place the Telecommunications (Carrier License Conditions—Security Information) Declaration 2022 and the Telecommunications (Carriage Service Provider—Security Information) Determination 2022, as separate arrangements in the Telecommunications Act 1997.

The Australian Government is still deciding on the best approach in the longer term to address telecommunications security issues. Since the legislative instruments are due to sunset on 7 January 2024 and replacement legislative amendments will not be in place by that date, the Australian Government is seeking to extend the timeframe of the instruments to allow enough time for these reforms to take place.

The extension of these instruments by an additional 18 months will extend security information obligations for carriers and eligible carriage service providers from 7 January 2024 to 6 July 2025 (23.59).

We are seeking views from interested parties on the extension of legislative instruments for another 18 months, through an amendment to the wording in Part 4 of the legislative instruments to change the timeframe wording from 'eighteen months' to 'three years'.

Relevant documentation

• Attachment A: Draft revised Telecommunications (Carrier Licence Conditions—Security Information) Declaration 2022
• Attachment B: Draft revised Telecommunications (Carriage Service Provider—Security Information) Determination 2022

Australian Privacy Principle 5 Notice

Extending security information obligations for carriers and eligible carriage service providers

The Department of Infrastructure, Transport, Regional Development, Communications and the Arts (the department) is collecting information for the purposes of extending security information obligations for carriers and eligible carriage service providers, in accordance with the Privacy Act 1988.

The department will use this information to inform consideration of issues associated with extending security information obligations for carriers and eligible carriage service providers and will store this information securely. It may be used by the department to make further contact with you about the review.

The department will not disclose information to third parties, except in the circumstances outlined below.

Submissions, in part or full, including the name of the author may be published on the department's website unless the submission is confidential. Confidential submissions (including the author's name) will not be published. Private addresses and contact details will not be published or disclosed to any third parties unless required by law.

Submissions will only be treated as confidential if they are expressly stated to be confidential. Automatically generated confidentiality statements or disclaimers appended to an email do not suffice for this purpose. If you wish you make a confidential submission, you should indicate this by ensuring your submission is marked confidential.

Confidential submissions will be kept securely and will only be disclosed in the following circumstances:

• in response to a request by a Commonwealth Minister
• where required by a House or a Committee of the Parliament of the Commonwealth of Australia
• where required by law.

The department may also disclose confidential submissions within the Commonwealth of Australia, including with other Commonwealth agencies, where necessary in the public interest.

Please note that in order to protect the personal privacy of individuals in accordance with the Privacy Act any submissions containing sensitive information, personal information or information which may reasonably be used to identify a person or group of people may not be published, even if not marked as confidential.

The department’s privacy policy contains information regarding complaint handling processes and how to access and/or seek correction of personal information held by the department. The Privacy Officer can be contacted on 02 6274 6495 or by email: privacy@infrastructure.gov.au.