Coronavirus (COVID-19) updates from the Australian Government

Security information obligations for carriers and eligible carriage service providers

We’re seeking feedback on draft legislative instruments requiring carriers and eligible carriage service providers to share information about their assets and cyber security incidents.

Why we want your input

Carriers and eligible carriage service providers (CSPs) will be required to report on asset and cyber security incidents, to align to the obligations other sectors have under the Security of Critical Infrastructure Act 2018. These changes will provide clarity for the sector and reduce regulatory duplication.

How you can voice your opinion

Read the consultation paper and draft legislative instruments and provide your submission using the form below, email or post.

What will be the outcome of this consultation?

Your submission will help inform the design of new security obligations for carriers and eligible CSPs.

The Issue

What we are seeking feedback on

We’re seeking feedback on the:

  • scope and content of the draft legislative instruments
  • estimated cost of complying with the obligations in the draft instruments

Why a new carrier licence condition and service provider rule are needed

The Australian Government is committed to protecting the essential services Australians rely on by improving the security and resilience of critical infrastructure, including in the telecommunications sector.

The Security of Critical Infrastructure Act 2018 (SOCI Act) was amended in December 2021, introducing new positive security obligations for many sectors, including:

  • giving the Secretary of the Department of Home Affairs certain information about critical infrastructure assets to be included in a register; and
  • telling the Australian Signals Directorate if a cyber-security incident has a relevant impact on a critical infrastructure asset.

In order to avoid regulatory duplication and provide clarity for the telecommunications industry, these obligations will be introduced through mechanisms under the Telecommunications Act 1997 (Tel Act). The Tel Act contains a well-established regulatory framework that is familiar to industry and is embedded in how the telecommunications sector operates.

Specifically, the Government is proposing to make a new carrier licence condition and a new service provider rule. The new condition and rule align carriers and eligible CSPs with current obligations other sectors will have under the SOCI Act.

What the new condition and rule will do

The proposed carrier licence condition and service provider rule would require carriers and eligible CSPs to:

  • give the Secretary of the Department of Home Affairs operational information in relation to their assets and, where an entity other than the carrier or eligible CSP holds a direct interest in an asset owned or operated by the carrier or eligible CSP, the interest and control information of direct interest holders in the asset;
  • give the Australian Signals Directorate (ASD) a notice of a critical cyber security incident no later than 12 hours after the carrier or eligible CSP becomes aware of the incident; and
  • give the ASD a notice of other cyber security incidents no later than 72 hours after the carrier or eligible CSP becomes aware of the incident.

Who the new condition and rule will affect

All holders of a carrier licence will be subject to the new carrier licence condition. All eligible CSPs would have to comply with the new service provider rule, unless they are a carrier. Eligible CSPs are defined in section 127 of the Telecommunications (Consumer Protection and Service Standards) Act 1999 as a CSP who supplies a:

  • standard telephone service, where any of the customers are residential customers or small business customers;
  • public mobile telecommunications service; or
  • carriage service that enables end‑users to access the internet; or
  • carriage service intermediary who arranges for the supply of one of these services.

Eligible CSPs must be members of the Telecommunications Industry Ombudsman scheme.

Other powers under Part 3A of the Security of Critical Infrastructure Act 2018

The SOCI Act also gives the Government powers to assist industry in certain situations if a serious cyber-security incident has had, is having or will have a relevant impact on a critical infrastructure asset. These assistance powers will be available for the Government to use in relation to the telecommunications sector under the SOCI Act; they will not be mirrored in the Tel Act.

Relevant documentation

Participate

25 Feb 2022 19:00 AEDT
29 Mar 2022 23:59 AEDT
Closed

We invite you to to tell us your views on this topic.

Please include:

  • contact name
  • organisation name, if applicable
  • contact details, including telephone number, postal and email addresses
  • confirmation whether or not your submission can be made public—published—or kept confidential.

All submissions to be made public need to meet the Digital Service Standard for accessibility. Any submission that does not meet this standard may be modified before being made public.

If your submission is to be made public, please ensure you do not include any personal information that you don't want to be published.

If your submission is confidential, please ensure each page of the submission is marked as confidential.

Please click on the 'Have your say now' button below to upload your submission.

This consultation is closed.

Alternatively please email your completed template submission to telsecurityreview@communications.gov.au or send it to:

Telecommunications Security Review
Department of Infrastructure, Transport, Regional Development and Communications
GPO Box 594
Canberra ACT 2601

Privacy notice

Your submission, including any personal information supplied, is being collected by the department in accordance with the Privacy Act 1988 (the Privacy Act), for the purposes of designing new security information obligations for carriers and eligible carriage service providers and assessing the regulatory impact of the proposed new security obligations on those entities.

The department will use this information to inform the design of new security information obligations for carriers and eligible carriage service providers and assess the regulatory impact of the proposed new security obligations on those entities.

Your personal information will be stored securely by the department. It may be used by the department to make further contact with you about the consultation process. Your personal information will not be disclosed to any other third parties, except in the circumstances outlined below.

Submissions, in part or full, including the name of the author may be published on the department's website or in the Government’s response, unless the submission is confidential. Confidential submissions (including author name) will not be published. Private addresses and contact details will not be published or disclosed to any third parties unless required by law.

Submissions will only be treated as confidential if they are expressly stated to be confidential. Automatically generated confidentiality statements or disclaimers appended to an email do not suffice for this purpose. If you wish you make a confidential submission, you should indicate this by ensuring your submission is marked confidential.

Confidential submissions will be kept securely and will only be disclosed in the following circumstances:

  • in response to a request by a Commonwealth Minister;
  • where required by a House or a Committee of the Parliament of the Commonwealth of Australia; or
  • where required by law.

The department may also disclose confidential submissions within the Commonwealth of Australia, including with other Commonwealth agencies, where necessary for the purposes of this consultation.

Please note that in order to protect the personal privacy of individuals in accordance with the Privacy Act any submissions containing sensitive information, personal information or information which may reasonably be used to identify a person or group of people may not be published, even if not marked as confidential.

The department’s Privacy Policy contains information regarding complaint handling processes and how to access and/or seek correction of personal information held by the department. The Privacy Officer can be contact at privacy@infrastructure.gov.au.