As a corporate Commonwealth entity, we comply with the Public Governance, Performance and Accountability Act 2013 (PGPA Act), to ensure the effective, efficient, economical and ethical use of our resources. The Board articulates its expectations through key organisational policies that are operationalised through 16 established governance frameworks. These governance frameworks embed legal and regulatory obligations aligned to better practice frameworks and work together to support the delivery of our corporate objectives.
The overarching Governance, Risk and Compliance (GRC) Framework directs our GRC accountabilities and actions and promotes continuous improvement across all our governance frameworks. Assurance is provided to the Board and senior management that GRC accountabilities are being effectively and appropriately applied. Key activities this year have included a focus on process design, reduction in red tape, automation, digitisation, and alignment of assurance activities.
We support a culture of proactive risk management by ensuring sound GRC practices are embedded in our business activities. Our risk management practices meet the requirements of Section 16 of the PGPA Act 2013 and are aligned to ISO 31000:2018 Risk Management Guidelines and the Commonwealth Risk Management Policy.
The Board’s Risk Appetite Statement was reviewed and refreshed this year, driving effective risk management and decision-making processes through a better understanding of the level of risk that we are willing to accept. It also articulates our need to maintain the safety of air navigation as the most important consideration, while delivering value and innovative services for our customers and the aviation industry.
As an organisation operating in the complex global aviation industry, ongoing compliance with applicable legal and regulatory obligations is fundamental to achieving our objectives. Our compliance management approach is aligned to ISO 19600:2015 Compliance Management Systems Guidelines and is operationalised through comprehensive compliance obligation registers that are supported by legislation monitoring processes and active compliance management activities. The Three Lines of Defence Model assurance continues to direct and inform our GRC insights and performance.
Ethical standards and fraud control
We promote the highest standards of ethical behaviour and do not tolerate fraudulent conduct, including corruption and bribery. We maintain strong and effective fraud control arrangements consistent with Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Fraud Rule).
The Executive Ethics and Fraud Committee monitors, advises and provides assurance on the maintenance and implementation of our Ethics and Fraud Framework.
Our Fraud Control and Bullying, Harassment and Discrimination policies, supported by the Code of Conduct Standard, inform employees, contractors and consultants about ethical standards and our approach to fraud control. All alleged incidents of fraud, corruption and bribery including ‘disclosable conduct’ under the Public Interest Disclosure Act 2013 are managed in accordance with this framework and these policies. This covers investigations and any actions undertaken, including reporting alleged wrongdoing that is potentially criminal or illegal, to the appropriate law enforcement agency. We continually review fraud risks and monitor controls for effectiveness. All reasonable measures are undertaken to prevent, minimise and investigate incidents of fraud, with the recovery of fraud losses also occurring wherever possible.
One complaint was received by the Commonwealth Ombudsman, regarding a Public Interest Disclosure (PID) investigation. Although the Commonwealth Ombudsman deemed a further review was not required, we identified an opportunity to improve our processes. We have committed to providing further training of our PID Authorised Officers, and all our PID requirements will be aligned within the new investigation and support function created by the Safeplace initiative. This will ensure all communication with complainants remains
Organisational resilience is defined within ISO 22316:2017 Security and Resilience – Organisational Resilience – Principles and Attributes as “the ability of an organisation to absorb and adapt in a changing environment”. The COVID-19 pandemic provided the opportunity to stress test our business continuity plans to respond to significant industry disruption. We established a Corporate Response Team to facilitate leader communication and actions in response to the COVID-19 pandemic’s impact on our people and services. Through this real-time response, we successfully adapted our service delivery, and introduced new virtual platforms and working from home arrangements for a significant number of our people.
We are committed to protecting our people, information and assets to deliver safe operational services to our customers. We achieve this by identifying and managing our security threats and aligning our security risk management processes to the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).
During 2019–20, we established an enterprise security plan, which details our security goals, strategic objectives and actions for 1 July 2020 to 30 June 2022. The plan demonstrates how we address the PSPF’s core requirement for security planning and risk management, which requires Commonwealth entities to have a security plan in place to manage the entity’s security risks.
We manage our security threats using a threat and risk‑based, outcomes-focused approach. We actively monitor our threat level and control environment to mitigate emerging threats and risks.
As an aviation industry participant, we maintain a Transport Security Program and associated Aviation Security Identification Card (ASIC) Program. The programmes are approved by the Aviation and Maritime Security Division, Department of Home Affairs, as required under the Aviation Transport Security Act 2004 and the Aviation Transport Security Regulations 2005. During 2019–20, the Essential 8 Project successfully achieved Maturity Level 3 compliance for our ASIC environment. We are compliant with the cybersecurity directive from the Department of Home Affairs, as an ASIC Issuing Body.
We are active participants in various government and industry security forums, including local airport security committees, personnel security forums, PSPF Communities of Practice and working groups. We actively engage with both law enforcement and intelligence agencies to ensure our threat intelligence is current and commensurate with our National Security Alert Plan.
Our internal audits
Internal audit’s role is to provide independent assurance that our risk management, governance, and internal control processes are operating effectively. It is the third line in the Three Lines of Defence Model, which we use to monitor the operation of controls and risk mitigation activities to assure the effective and efficient performance of our business processes.
During 2019–20, our internal audit team performed 20 business audits, of which four were supported by external subject matter experts and six were conducted by external independent contractors. Additionally, 13 Civil Aviation Safety Regulations 1998 (CASR) site location audits were performed.
All corrective actions arising from our internal audits are tracked, and their implementation progress is overseen by the Board’s Audit and Risk Committee.
During 2019–20, we were not the subject of any external audits.
We continue to promote a culture of privacy that values and protects personal information. It is supported by the steps we take to ensure compliance with the Notifiable Data Breach Scheme (NDBS) and the Australian Government Agencies Privacy Code (the Code). These steps include:
the establishment of an ongoing privacy training programme, to continue to enhance our people’s awareness of privacy obligations and requirements. The programme includes introductory privacy training as part of new employee induction, refresher training for existing employees, and follow-up privacy training to increase people’s understanding of the Privacy Act 1988. The training programme addresses the privacy obligations of our people and provides information on best practice methods when undertaking activities that involve the handling of personal information.
the continued use of our Privacy Threshold and Impact Assessments, so we can identify, manage and mitigate any privacy concerns that may arise in our proposed projects and activities.
the regular update of our Register of Privacy Impact Assessments on our website, setting out all projects for which a Privacy Impact Assessment has been undertaken.
the implementation and continuous improvement of our Data Breach Response Plan, to ensure optimal responses to manage and mitigate data breaches and to minimise the risk of similar breaches. This plan is overseen by our Data Breach Response Team, which comprises relevant specialists from across the business.
regular communication to all employees about privacy matters, including working collaboratively with the Office of the Australian Information Commissioner (OAIC) to remind our people of the importance of privacy during Privacy Awareness Week.
During 2019–20, we identified one privacy breach. We assessed this breach to have met the NDBS criteria, and therefore we informed the OAIC.
Freedom of Information (FOI)
We are required to publish information as part of the Information Publication Scheme (IPS) in accordance with the Freedom of Information Act 1982 (FOI Act).
During 2019–20, we received 40 FOI requests and completed 39 requests. One of the completed requests was received prior to 1 July 2019.
Our FOI Disclosure Log lists information that has been released in response to FOI access requests. The Disclosure Log and IPS are available at: https://www.airservicesaustralia.com/about-us/freedom-of-information.
Information is not published on the Disclosure Log or the IPS if it:
contains personal or business details, rendering it unreasonable to publish
is exempt from release under the FOI Act
has been published or released outside the FOI Act.
To ensure our people’s continuing awareness of FOI requirements, ongoing training has been established, including introductory FOI training as part of the new employee induction and refresher training for existing employees, with follow-up FOI training to increase our people’s understanding of the operation of the FOI Act.
During 2019–20, there were no requests made to the OAIC to review any of our decisions made under the FOI Act.
Commonwealth Ombudsman activity
During 2019–20, the Office of the Commonwealth Ombudsman received one formal complaint about a Public Interest Disclosure (PID) investigation. Information about this is given under our ethical standards and fraud control section. A further review of the complaint was not required.
Fair Work Commission (FWC)
The FWC reviewed and approved the Airservices Australia (Air Traffic Control and Supporting Air Traffic Services) Enterprise Agreement 2020–2023 on 14 April 2020.
It came into effect on 21 April 2020.
Judicial Decisions and Reviews by outside bodies
No judicial or tribunal decisions were made during the reporting period that have had, or may have, a significant effect on our operations.
Adverse effect of non-commercial commitments
No non-commercial commitments were recorded in 2019–20.