Telecommunications (Interception Capability and Security) Act 2013

Disclosure

47 Areas of specified security interest

(1) In this section and section 48, an area of specified security interest, in relation to a network operator, means—

(a) network operations centres:

(b) lawful interception equipment or operations:

(c) any part of a public telecommunications network that manages or stores—

(i) aggregated information about a significant number of customers:

(ii) aggregated authentication credentials of a significant number of customers:

(iii) administrative (privileged user) authentication credentials:

(d) any place in a public telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either data in transit or stored data:

(e) any area prescribed under subsection (2).

(2) The Governor-General may, by Order in Council, on the recommendation of the Minister responsible for the Government Communications Security Bureau, make regulations—

(a) amending or removing an area of specified security interest listed in subsection (1):

(b) prescribing additional areas of specified security interest.

(3) The Minister must not recommend the making of regulations under subsection (2) unless—

(a) the Minister has consulted network operators registered under Part 4; and

(b) the Minister is satisfied that the regulations are necessary or desirable to—

(i) keep up to date with changes in technology; or

(ii) address changes in the way that networks are being used that may give rise to a security risk; or

(iii) address any significant changes in architectural approach to the design of a public telecommunications network.

(4) In this section,—

administrative (privileged user) authentication credentials means the authentication credentials of a privileged user

authentication credentials means any information (for example, passwords or usernames) used to ascertain the identity of a user, process, or device

privileged user means a person who has authorisations that enable the person to, among other things, alter, bypass, or circumvent network security protections.