Protected information

The Security of Critical Infrastructure Act 2018 (the SOCI Act) limits the use and disclosure of protected information as defined within the Act. Protected information includes information obtained in the course of exercising powers, or performing duties or functions under the SOCI Act. It also includes key documents such as a critical infrastructure risk management program. It is an offence to use or disclose protected information unless authorised.

Importantly, the phrase “protected information” under the SOCI Act is different from the PROTECTED security classification under the Australian Government’s Protective Security Policy Framework (PSPF).

Protected information under the SOCI Act includes:

  • records or the fact that an asset is privately declared to be a critical infrastructure asset or a system of national significance
  • records or the fact that the Minister has:
    • given a Ministerial authorisation
    • revoked a Ministerial authorisation
  • records or the fact that the Secretary of the Department of Home Affairs (the Department) has:
    • given a direction or request under sections 35AK, 35AQ and 35AX (Part 3A which sets up a regime for government assistance measures)
    • revoked such a direction or request
  • information that is, or is included in, a mandatory cyber security report or a critical infrastructure risk management program.

There may be situations in which information is protected information and has a PROTECTED security classification. It is important to note that these are entirely separate operational and legal frameworks. For further information, visit the PSPF website.

Unauthorised use or disclosure of protected information is punishable by 2 years imprisonment or 120 penalty units, or both.

Authorised use and disclosure of protected information

The protected information framework allows a responsible entity to share protected information when necessary, within the parameters of the framework.

In general terms, an entity can use or disclose this information where:

  • they are authorised to do so under the Act
  • they are required to do so by a notification provision as defined in the Act
  • an exception under section 46 of the Act applies.

Appropriate authorisations to disclose protected information include:

  • performance of functions or duties under the SOCI Act
  • compliance purposes
  • secondary use and disclosure
  • required or authorised by law
  • to a specified government entity
  • with the Secretary’s consent
  • by the Secretary.

To learn more about protected information, read the Protected Information - Industry guidance for critical infrastructure assets factsheet.