By Mike Trovato and Chong Shao
In our third newsletter in 2021, we pointed to two recent privacy and security stories of note:
The Critical Infrastructure Bill
IIS makes submission on DTA Digital Identity Legislation
The Critical Infrastructure Amendment Bill 2020
The rapid evolution of cyber threats and the stress that the COVID-19 crisis has placed on systems have driven further government response. Following Australia’s Cyber Security Strategy 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill) into Parliament.
The Draft Bill seeks to amend the Security of Critical Infrastructure Act 2018, which currently applies to operators of assets in only four critical infrastructure sectors: electricity, gas, water and ports. It proposes to extend the Act to 11 sectors, including communications, financial services, data storage and processing, defence industry, higher education and research, energy, food and grocery, and transport.
The proposed amendments give the Federal Government wider powers, including the ability to intervene and direct organisations to provide information or carry out specified acts in response to cyber security incidents. They also put forward new obligations: a ‘positive security obligation’ for critical infrastructure, including mandatory cyber incident reporting and a risk management program, and enhanced cyber security obligations for systems deemed to be of ‘national significance’.
The Draft Bill creates opportunities but also challenges for the sectors concerned, as it increases the complexity of the regulatory landscape applying to information security and creates an additional reporting burden. It has also raised concerns across the professional cyber security industry about excessive Government powers.
IIS supports the government’s efforts to improve cyber security resilience and hopes that the numerous submissions offered in November 2020 will be used to improve the legislation so that entities take a primary role in improving their own resilience to attacks.
IIS makes submission on Exposure Draft of the DTA’s Trusted Digital Identity Bill
IIS participated in the Digital Transformation Agency’s call for submissions on the DTA Trusted Digital Identity Legislation. IIS Lead Privacy Advisor Malcolm Crompton and IIS Managing Director Michael Trovato submitted an extensive paper during the consultation process addressing the Legislation’s intention to expand the Australian Government’s Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, strengthening data and consumer protections, and enabling entities in other digital identity systems to apply for Trusted Digital Identity Framework (TDIF) accreditation. The paper placed an emphasis on respecting and protecting individuals’ interests. IIS subsequently consulted with the DTA and provided a submission on the Exposure Draft of the Bill.
Key to IIS’ position on the design of the Legislation is recognising that digital identities obtained and verified through TDIF are likely to dominate every aspect of individuals’ lives, as digital channels increasingly dominate how life, business and government are conducted. Indeed, the policy intent is that TDIF facilitates this evolution.
Overall, IIS identified that more emphasis needs to be placed on the system being respectful of Users as individual people, not just economic units, and on its being symmetric in its treatment of the parties.
We raised the following key points:
Ensuring that Users / advocates will have continuing and genuine influence as the system evolves.
Effective governance, compliance, enforcement, and remediation/redress for the individual User.
Protection from (or genuine oversight of) surveillance by law enforcement and national security agencies.
Ensuring that alternatives to using the TDIF system continue to be available for years to come, if not forever. There must be genuine alternatives to the use of digital identities (i.e., practical, available, not cumbersome or coerced); otherwise, any ‘consent’ is rendered meaningless and arguably invalid under law.
Once again, you can read the full submission here.