Before commencing an inquiry into an intelligence agency the Inspector-General is required under the IGIS Act to notify the Minister responsible for that agency. A copy of the final inquiry report must be provided to the responsible Minister. The Inspector-General met these requirements for the inquiry that was conducted during 2019–20. The IGIS Act also provides that the Inspector-General may report to Ministers if the actions taken by an agency in response to recommendations set out in an inquiry report are not adequate, appropriate and sufficiently timely. There was no occasion for any such report in 2019–20. Under s 25A of the IGIS Act, the Inspector-General may report to the responsible Minister on a completed inspection of an intelligence agency. During 2019–20, no such reports were made.
During 2019–20, no requests were made by Ministers or the Prime Minister for the Inspector-General to conduct an inquiry under the IGIS Act.
OBJECTIVE 2 – ASSURING PARLIAMENT
SENATE ESTIMATES HEARINGS The Inspector-General appeared before the Senate Standing Committee on Legal and Constitutional Affairs on 22 October 2019 for Supplementary Budget Estimates, and responded in writing to one question taken on notice. The Inspector-General was prepared to attend an Additional Estimates hearing on 3 March 2020, but was not called by the Committee to appear. Following both Estimates hearings, the Inspector-General responded to written questions from members of the Committee that were directed to all agencies within the Attorney-General’s portfolio.
The Budget Estimates hearings originally scheduled for May 2020 were postponed due to COVID-19 restrictions and rescheduled to take place outside the reporting period.
PARLIAMENTARY JOINT COMMITTEE ON INTELLIGENCE AND SECURITY The Inspector-General participated in six inquiries conducted by the PJCIS during the reporting period. This included four inquiries that examined existing or proposed legislation concerning Australian intelligence agencies.
On 2 August 2019, the Inspector-General provided a written submission to the PJCIS for its inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press. The Inspector-General appeared before the Committee at a public hearing on 14 August 2019, and subsequently responded to a question taken on notice. At the end of the reporting period, the Committee was yet to table its report.
On 2 August 2019, the Inspector-General provided a written submission to the PJCIS for its statutory review of the mandatory data retention regime prescribed by Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (TIA Act). The Inspector-General appeared before the Committee at a public hearing on 7 February 2020. At the end of the reporting period, the Committee was yet to table its report.
On 25 October 2019, the Inspector-General provided a written submission to the PJCIS for its statutory review of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. The Inspector-General appeared before the Committee at a public hearing on 7 August 2020.
On 4 May 2020, the Inspector-General provided a written submission to the PJCIS for its review of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. The Inspector-General appeared before the Committee at a public hearing on 12 May 2020, and provided a brief supplementary submission. At the end of the reporting period, the Committee was yet to table its report.
Consistent with established practices, the Inspector-General’s submissions did not comment on the policy underlying the provisions, but made a number of observations in the context of IGIS’s role of overseeing and reviewing the activities of the intelligence agencies for legality and propriety and for consistency with human rights.
REVIEWS OF THE TELECOMMUNICATIONS AND OTHER LEGISLATION AMENDMENT ASSISTANCE AND ACCESS) ACT 2018
Paragraph 29(1)(bca) of the IS Act requires the PJCIS to review, by 30 September 2020, the operation of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. The Inspector-General’s submission to the Committee’s review mainly focused on Schedule 5 of the Act. This Schedule inserted provisions for voluntary assistance requests and compulsory assistance orders into the ASIO Act.
The PJCIS’s statutory review follows its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which was completed on 5 December 2018 following a referral by the Minister for Home Affairs; and its review of the consequent Act, which was completed on 3 April 2019 following referral by the Senate. The Inspector-General’s contributions to both of those reviews were discussed in the previous annual report.
Additionally, on 26 March 2019, the PJCIS referred the Assistance and Access Act to the Independent National Security Legislation Monitor (INSLM), Dr James Renwick SC, for review and report back to the Committee in order to inform its own statutory review. To assist the INSLM’s review, on 29 October 2019, the Inspector-General provided a copy of her recent submission to the PJCIS’s statutory review, as well as her submissions to previous PJCIS reviews. The INSLM’s report was tabled in the Parliament out of session on 9 July 2020.
The Inspector-General appeared before the PJCIS for a public hearing on 7 August 2020. At the time of writing, the PJCIS’s statutory review remains underway.
The Inspector-General also participated in two inquiries conducted by the PJCIS in accordance with its statutory function to review the administration and expenditure of ASIO, ASIS, AGO, DIO, ASD and ONI, including their annual financial statements. The Inspector-General regularly participates in these reviews, providing public submissions and also classified oral evidence when requested by the Committee. The Inspector-General’s contributions to these inquiries focus on IGIS’s findings in relation to each agency during the reporting period, insofar as they are relevant to an agency’s administration.
On 13 September 2019, the Inspector-General appeared before the PJCIS at a classified hearing for the Committee’s review of the administration and expenditure for the 2017–18 financial year. The Inspector-General subsequently responded to one question on notice taken at the hearing. The Inspector-General’s written submission for this review had been provided to the Committee during the previous reporting period (on 10 December 2018). The Committee presented its report to the Parliament on 5 February 2020. The report cited the Inspector-General’s evidence on more than 20 occasions.
On 17 February 2020, the Inspector-General provided an unclassified written submission to the PJCIS for its review of administration and expenditure for the 2018–19 financial year. The Inspector-General appeared at a classified hearing for that review on 26 February 2020, and subsequently responded to two questions on notice. In a statement published on the Committee’s website and distributed to the Office on 25 June 2020, the Committee advised that COVID-19 restrictions had impacted the timeframe for its review activities and hearings with agencies. The Committee indicated that, as part of its next review of administration and expenditure for 2019–20, it will explore in detail the matters raised in evidence to the 2018–19 review.
COMPREHENSIVE REVIEW OF THE LEGAL FRAMEWORK GOVERNING THE NATIONAL INTELLIGENCE COMMITTEE The Inspector-General made a significant contribution to the Comprehensive Review of the Legal Framework Governing the NIC, conducted by Mr Dennis Richardson AC. In total, IGIS made seven submissions to the review, and responded to numerous requests for information. During the reporting period, this included three classified submissions in response to a Discussion Paper. The Inspector-General also met with Mr Richardson throughout the reporting period.
EVIDENCE TO THE AAT AND THE AUSTRALIAN INFORMATION COMMISSIONER Under the Archives Act and the FOI Act, the Inspector-General may also be called on to provide expert evidence concerning national security, defence, international relations and confidential foreign government communications exemptions to the AAT and the Information Commissioner.
The FOI Act provides a number of exemptions to the requirement for government agencies to provide documents. One of the exemptions applies to documents affecting national security, defence or international relations. Before deciding that a document is not exempt under this provision, the AAT and the Information Commissioner are required to seek evidence from the Inspector-General. There are equivalent provisions in the Archives Act for the AAT. The Inspector-General is not required to give evidence if, in the Inspector-General’s opinion, they are not appropriately qualified to do so.
During the reporting period, there were two occasions where the Inspector-General received and responded to requests for evidence from the Information Commissioner in relation to Freedom of Information (FOI) exemptions. There were no requests for evidence from the AAT in relation to the review of matters relating to FOI or archives issues during the reporting period.
OBJECTIVE 3 – INFORMING THE PUBLIC
The IGIS Act provides that it is a purpose of IGIS to assist the Government in assuring the public that intelligence and security matters relating to Commonwealth agencies are open to scrutiny, in particular the activities and procedures of intelligence agencies.
During 2019–20, IGIS developed a draft strategic engagement plan. The plan was developed to provide a framework for public assurance and engagement activities. The plan recognises the need to diversify engagement strategies in order to ensure an appropriate balance is achieved between general information on IGIS oversight functions, specialised and general public presentations, reference group meetings and consultative forums.
IGIS WEBSITE In 2019–20, as part of the draft strategic engagement plan, a project was commenced to redesign and expand the content available on the IGIS website. Ensuring that information on the role, functions and activities of IGIS is easily accessible online is a key element of providing public assurance that Australian intelligence agencies are open to scrutiny.
PUBLIC OUTREACH ACTIVITIES IGIS also conducts a regular program of presentations to the broader community. This includes groups who have a demonstrated interest in national security and intelligence matters, such as those who study and research in the area or who frequently engage with parliamentary committees in relation to national security oversight and law reform. It also includes groups who may have broader interests across human rights, democratic principles, privacy, rule of law and current affairs. The program is designed to create greater public awareness and understanding of the role and activities of IGIS.
During 2019–20, IGIS delivered 12 major presentations at seminar and conference events, and spoke at a number of other forums to groups outside the intelligence community. This was slightly less than previous years, which reflects the cancellation of some events due to COVID-19 restrictions, and also the diversification of IGIS’s public engagement strategies. The Inspector-General delivered the 2019 Sir Zelman Cowan Oration and also made various presentations to academic and legal audiences around Australia including to the New South Wales Chapter of the Australian Association of Constitutional Law seminar and at the 2019 Australian Government Solicitor National Security Law Forum. These engagements were supplemented by lectures and presentations delivered by IGIS SES officers to a range of government and non-government attendees.
CIVIL SOCIETY REFERENCE GROUP In June 2019, the Inspector-General convened a pilot meeting with three civil society groups with a view to establishing a regular consultative forum. The initiative was prompted in part by advice from intelligence oversight bodies from New Zealand, the United Kingdom and the United States of America on the value they derived from such meetings. There have been two further consultative meetings in 2019–20 and it is intended that Civil Society Reference Group meetings will be convened regularly. The key objectives of the meetings are to give civil society groups access to credible unclassified information about the work of IGIS and Australia’s intelligence and security agencies; to understand the views of those who work with people directly affected by the work of intelligence and security agencies; to provide a forum to discuss different perspectives about issues relevant to the work of IGIS; and potentially to allow for the discussion of legal and technical issues with groups who possess expertise in such fields.
Meetings were convened in November 2019 and May 2020. The May 2020 meeting was initially postponed and then held via VTC due to COVID-19 restrictions. On both occasions the meetings were attended by the Joint Councils for Civil Liberties, the Human Rights Law Centre, the Law Council of Australia and the Australian Privacy Foundation. A summary of discussions is published on the IGIS website.
The next meeting of the Civil Society Reference Group is scheduled for late 2020.
OBJECTIVE 4 – INQUIRIES
The IGIS Act provides that the Inspector-General may conduct an independent inquiry into the activities of an intelligence agency either on the Inspector-General’s own motion, in response to a complaint, or in response to a ministerial request. Independent inquiries enable the Inspector-General to investigate a matter thoroughly, consider its legality, propriety and appropriate regard for human rights, and make recommendations to remedy any issues identified.
Inquiries are generally conducted in private to allow examination of all classified or sensitive information. At the conclusion of an inquiry, the Inspector-General provides a report with findings and recommendations to the responsible Minister. Where an inquiry is in response to a complaint, a written response is given to the complainant. Where possible, an unclassified report or summary is published on the IGIS website.
IGIS reports on inquiries from previous periods where there are outstanding recommendations to be implemented or ongoing activities of interest. The below table covers two inquiries from the 2018–19 reporting period and one inquiry from the current reporting period.
ASD MATTER 2018
ASIO MATTER 2018
Minister for Defence request
IGIS own motion
IGIS own motion in response to a complaint
30 May 2018
14 February 2018
2 August 2019
2 May 2019
14 June 2019
17 June 2020
Number of recommendations
Percentage of recommendations accepted
INQUIRY INTO AN ASD MATTER 2018
As reported in the 2018–19 annual report, in May 2019 the Inspector-General completed an inquiry into an ASD matter pursuant to s 8(2) of the IGIS Act. The inquiry related to the unlawful collection of communications during an operation facilitated by warrants sought by ASIO under the TIA Act.
The inquiry found that the unlawful interception occurred due to an error made by ASIO in preparing the relevant warrant documentation, combined with a failure by ASD to check the accuracy of the documentation before relying on it. The inquiry also found that ASD’s initial reporting of this matter to the Inspector-General and the Minister for Defence was inadequate. The classified inquiry report made five recommendations aimed at reducing the risk of recurrence and improving the reporting of any future breaches of the TIA Act.
In October 2019, ASD and ASIO reported to IGIS their progress in implementing the recommendations. Whilst the implementation of one of the recommendations is ongoing, IGIS is satisfied that ASD and ASIO had so far implemented appropriate remedial action. This includes the establishment of ASD-ASIO joint warrant training and updated procedures for managing warrants and reporting incidents. Through regular inspections and engagement, IGIS will continue to monitor the actions of ASD and ASIO to implement the remaining recommendation.
INQUIRY INTO AN ASIO MATTER
As reported in the 2018–19 annual report, in June 2019 the Inspector-General completed an inquiry into the conduct and details of a multi-faceted, multi-agency foreign intelligence collection operation led by ASIO. The inquiry found significant problems with the planning and execution of the operation, stemming from systemic weaknesses within ASIO’s compliance management framework. However, the inquiry also concluded that it was likely most, but not all, of the activities reviewed were lawful. Importantly, there was no evidence of any deliberate wrong-doing by the officers involved in the operation. The issues identified during the inquiry were discussed in the 2018–19 annual report.
The classified inquiry report made eight recommendations focused on: ASIO establishing a compliance team as a matter of priority; ASIO implementing a compliance training program; improving ASIO’s internal provision of legal advice; and ASIO reviewing relevant policies and procedures. ASIO accepted all eight recommendations.
On 30 September 2019, ASIO reported to IGIS on the progress of implementation of the recommendations. Subsequently, ASIO has provided quarterly progress reports to IGIS, and has also provided updates through high-level meetings between the Inspector-General and senior ASIO officers, and through ongoing compliance reporting. Key aspects of the recommendations have been implemented. IGIS considers five of the recommendations to be fully implemented and that in light of circumstances relating to COVID-19 satisfactory progress has been made in relation to the remaining three recommendations. IGIS notes that some recommendations relate to policies and procedures that will vary from time to time. The expansion and development of the compliance unit is ongoing. IGIS has included four additional inspections in the ASIO inspection program to review implementation of the inquiry recommendations. A further update will be provided in the 2020–21 annual report.
INQUIRY INTO AN INTELLIGENCE AGENCY MATTER
During the reporting period, the Inspector-General commenced and completed an inquiry into the adequacy of mental health support provided by an intelligence agency to one of its former employees. The inquiry resulted from a PID made to IGIS in May 2019 by the former employee. It alleged there were deficiencies in the mental health support provided by the Agency while the employee was undergoing a security clearance review for cause. It is a condition of employment with the Agency that employees hold, and maintain, a security clearance.
On 2 August 2019, following a preliminary inquiry into the complainant’s allegation, the Inspector-General initiated a formal inquiry under s 8 of the IGIS Act. The inquiry examined the mental health services provided by the Agency, the facts and circumstances relevant to the complainant’s mental health requests and the adequacy of the Agency’s response to those requests.
IGIS conducted multiple in-depth witness interviews and reviewed many thousands of the Agency’s classified records relevant to the inquiry. The scope and detail of relevant material was substantial and the review process was time-consuming. Disruptions arising from the COVID-19 pandemic also delayed the process of the inquiry.
To assist the inquiry, legal advice from the office of the Australian Government Solicitor on a Commonwealth agency’s duty of care obligations was provided. The Work Health and Safety Act 2011 (Cth) (WHS Act) requires that a Commonwealth agency must exercise due diligence to ensure the health and safety of its employees in so far as is reasonably practicable. As a matter of law and propriety the employer, exercising due diligence, must be aware of the risk or it must be reasonably foreseeable.
The inquiry was completed on 17 June 2020. In regards to the matters under investigation, the inquiry found evidence contrary to the allegations made and in all the circumstances, no evidence to support the allegations made against the Agency. The Agency did not refuse any requests for support and, furthermore, there was a reasonable level of access by the complainant to psychological support. The inquiry concluded that, in the circumstances, the Agency took all reasonably practicable steps to ensure the health and safety of its employee. The inquiry highlighted the importance of intelligence agencies having a robust system of mental health and welfare support services in place, and ensuring that these are readily available to employees and subject to regular review and improvement.
The classified inquiry report made one recommendation which the Agency has accepted and undertaken to implement as soon as practicable. IGIS continues to engage with the Agency and seeks regular updates. IGIS will continue to monitor the adequacy of mental health and welfare support provided by this Agency and intelligence agencies in general.
OBJECTIVE 4 - INSPECTIONS
IGIS regularly inspects intelligence agency activities to determine if each agency is acting in accordance with its statutory functions, is complying with any guidance provided by the responsible Minister and with its own internal policies and procedures. Inspections enable IGIS to monitor the activities of agencies and to identify concerns before they develop into systemic problems that could require major remedial action.
IGIS has a risk-based approach to its inspection program, targeting high risk activities and activities with the potential to affect the lives or rights of Australian citizens detrimentally. Accordingly, the IGIS inspection program mainly focuses on the activities of ASIO, ASIS, ASD and AGO, each of which has intrusive powers and investigative techniques. Inspections of ONI and DIO are generally directed to ensuring that their assessments comply with their respective Privacy Rules and Privacy Guidelines, and that their independence is not compromised. IGIS takes into account an agency’s internal control mechanisms as well as its history of compliance and reporting.
Section 35 of the IGIS Act requires the Inspector-General to report annually on inspections conducted during the year and on the extent of compliance by certain agencies with privacy rules.
INSPECTION OF ONI ACTIVITIES ONI is responsible for enterprise-level management of the NIC and undertakes the production of all source intelligence assessments for the Australian Government. ONI’s statutory functions set out in the ONI Act include:
leading and evaluating matters relating to the NIC
assembling and preparing assessments and reports in accordance with the Government’s requirements and matters of significance to Australia
providing advice to the Prime Minister on NIC matters
collecting and disseminating information that is accessible to any section of the public
cooperation with, and assistance to, intelligence agencies and prescribed authorities.
IGIS regularly engages with ONI’s Governance and Accountability Section which manages many compliance related matters in ONI, including their own review of ONI officer compliance with the Office of National Intelligence Rules to Protect the Privacy of Australians (Privacy Rules). This engagement addresses matters such as inspection arrangements, ensuring comprehensive building and IT access, consultation on relevant policies, reporting non-compliance and exchange of information between the Inspector-General and the ONI Director-General. ONI also briefed IGIS officers on the activities of its Open Source Centre and its progress in establishing a framework for the use of assumed identities.
During 2019–20, IGIS inspected the analytic independence and integrity of ONI assessments and ONI’s compliance with its Privacy Rules. An additional inspection was scheduled in relation to ONI’s open source collection function under s 7(1)(g) of the ONI Act. However, due to the COVID-19 restrictions, that inspection did not commence and has been rescheduled for the 2020–21 reporting period. Inspections of ONI are less frequent than for a collection agency given its comparatively lower risk profile as an assessment agency.
COMPLIANCE WITH THE PRIVACY RULES During 2019–20, IGIS conducted one inspection of ONI’s compliance with its Privacy Rules. A further scheduled inspection could not be completed due to the COVID-19 restrictions. Inspection activities identified seven ONI products where the relevant Privacy Rules were not applied. IGIS officers had been monitoring ONI reporting for references to Australian persons and this monitoring was used to identify instances of non-compliance. The inspection also identified areas where ONI could improve its compliance through ONI providing more detailed guidance in its internal policies.
ONI must advise IGIS if it identifies non-compliance with the Privacy Rules and must include information about the measures taken to protect the privacy of the affected Australian person, or of Australian persons more generally. In 2019–20, ONI reported one instance of non-compliance where the Director-General’s approval was not obtained prior to ONI granting three Australian Government agencies access to reporting on Australian persons, as per the Privacy Rules.
IGIS requested further information from ONI in relation to the scale and type of reporting accessed and the remediation measures. Based on ONI’s response to this request, the Inspector-General assessed that the seriousness of the non-compliance, in terms of intrusion into the privacy of Australians, was low given the type of material accessed. The prompt remediation measures undertaken by ONI were considered sufficient to manage the instance of non-compliance and to prevent similar occurrences in the future.
ANALYTIC INTEGRITY INSPECTION During 2019–20, IGIS conducted its first ONI analytic integrity inspection. Previously, the Inspector-General completed inquiries into the analytic independence and integrity of the Office of National Assessments (now ONI), DIO and ASIO assessments.
The Inspector-General determined that targeted inspections on specific aspects of analytic integrity were a more efficient use of finite resources and this approach was more attuned to the risk level of the agency’s activities. It was determined that these inspections would be used to develop a baseline inspection process and standard for the analytic integrity of assessments across the agencies.
The inspection for ONI included a review of 40 per cent of intelligence products published by ONI from July to December 2019. IGIS officers inspected the tasking and scope of products, as well as consultation and approval requirements; the inspection focused on ONI processes being transparent and free from bias, and assessments being tested appropriately. The majority of records reviewed were of a high standard, however, there were some inconsistencies in recording key aspects related to external consultation. The inspection identified that more detailed guidance on external consultation would assist in improving the rigour and consistency of such records.
INSPECTION OF ASIO ACTIVITIES The functions of ASIO are set out in s 17 of the ASIO Act. ASIO undertakes a number of activities in the performance of its functions. These include:
advice about security of Ministers and Commonwealth authorities in relation to their functions and responsibilities
furnishing security assessments to States and States authorities
advice to Ministers and Commonwealth authorities about protective security
collection of foreign intelligence
cooperation with and assistance to other agencies.
During this reporting period, IGIS prioritised reviewing ASIO’s intelligence collection activities, its security assessments, communication of intelligence, and advice to Ministers on security matters. There were no inspections of ASIO’s advice relating to protective security.
In addition to conducting inspections, IGIS interacts frequently with members of the ASIO compliance directorate to keep abreast of developing or ongoing matters. ASIO has issued new internal guidance on proactive non-compliance reporting to IGIS and has updated its reporting templates. The directorate investigate incidents that may relate to breaches of legislation or the Attorney-General’s Guidelines, or non-compliance with ASIO internal policies and procedures. The investigation may establish that the matter in question did in fact comply with relevant requirements. When the compliance directorate investigates a matter, IGIS receives a report of its findings. IGIS independently reviews these investigation reports, and where necessary conducts its own review. In addition, the Inspector-General receives regular briefings and is provided with a copy of ASIO’s periodic compliance reports.
REGULAR INSPECTIONS OF INVESTIGATIVE CASES Given the scale and scope of ASIO functions, IGIS implements a risk-based approach to inspection and compliance monitoring; this involves regularly sampling a number of identified activities. IGIS officers have direct access to the relevant ASIO information technology and records management systems to inspect and review all records.
Throughout 2019–20, IGIS conducted inspections using a variety of methodologies, including thematic reviews, risk-based sampling and random sampling. While COVID-19 restrictions had a minor impact on activities, most planned inspections continued unaffected. Inspections of ASIO’s investigative cases focused on:
the legality of ASIO’s activities
the propriety of the investigative activities being proposed and undertaken
compliance with ministerial guidelines
compliance with internal policies and procedures.
IGIS inspections identified instances that did not breach legislation but which were non-compliant with internal agency policy and procedure. ASIO separately identified and proactively notified IGIS of other instances of non-compliance with internal policy and procedure. IGIS found that ASIO has continued its focus on improving record keeping practices across the organisation.
During the last reporting period, ASIO increased the number of briefings provided to IGIS and this has continued over 2019–20. The briefings covered topics such as new capabilities, new initiatives and areas of risk. These briefings allow IGIS to stay abreast of emerging issues, or to follow up observations from inspection activities. There are regular meetings between the Inspector-General and the Director-General of Security as well as bi-monthly meetings between the Inspector-General and senior ASIO officers; these meetings cover a variety of matters.
ANALYTIC TRADECRAFT ASIO produces a range of analytic products including security assessments, applications for warrants, investigative reviews and published analytic products. Some products have greater potential to intrude into the privacy of Australians, and others may adversely affect the interests of individuals; for example, an adverse security assessment may recommend that the Government take an action which would be prejudicial to the interests of the person such as cancelling their passport.
During the reporting period, ASIO has continued its efforts to support analysts in their professional development, including through development and delivery of a training package specifically targeted at officers with responsibility for overseeing and managing analytic functions. At ASIO’s invitation, IGIS officers presented at the course and reinforced expectations regarding compliance with all relevant policies and procedures.
FAILURE TO RECORD KEY INTELLIGENCE In November 2019, ASIO advised IGIS it had become aware that key intelligence used as the justification for a security investigation of an individual had not been correctly recorded in ASIO’s corporate records; for various reasons, at the time the issue was identified the relevant material was unable to be reobtained and recorded correctly. This placed ASIO in a position where, had it been asked to produce evidence justifying the investigation of that individual, it would not have been able to do so. ASIO advised IGIS that it had immediately suspended the investigation pending an initial compliance review, and then terminated the investigation. ASIO advised that it would delete the results of telecommunications and financial inquiries conducted by ASIO from ASIO corporate systems. ASIO’s intelligence holdings were updated to remove intelligence reporting on the subject that had been based on the relevant material and ASIO circulated updated advice to remind officers of the relevant analytical integrity principles and procedures.
IGIS concluded that the incident was attributable to human error, rather than systemic weakness in analytical procedure, and that action was taken to ensure ASIO officers were aware of the relevant procedures. IGIS considers that ASIO’s identification of this issue and its remedial actions were adequate, appropriate, and timely.
HUMAN SOURCE MANAGEMENT ASIO activities include collection of intelligence through human sources. The details of these activities are highly sensitive and cannot be disclosed in a public report. During the reporting period, IGIS reviewed ASIO human source case files and met with ASIO officers to discuss related activities.
ASIO WARRANTS ASIO may intercept telecommunications when authorised under warrants issued by the Attorney-General pursuant to the TIA Act. Warrants for the exercise of other intrusive powers, including searches, computer access and surveillance devices, can be issued by the Attorney-General pursuant to the provisions of the ASIO Act.
Throughout the reporting period, IGIS inspected an indicative sample of warrants through its regular inspection program. Minor compliance and record keeping errors were identified in these inspections and ASIO was advised of these issues. IGIS will continue to monitor ASIO’s compliance and record keeping as part of the regular inspection program.
IGIS continues to review ASIO’s response to a systemic issue relating to the authorisations of classes of persons under s 24 of the ASIO Act. The issue concerns the use of descriptions to define a class of persons for the purposes of s 24 of the ASIO Act. IGIS considered that these descriptions may be overly broad, uncertain, or not sufficiently connected to the exercise of power under the warrant. During the year, ASIO obtained legal advice and reviewed its internal guidance on these matters. IGIS has conducted a further inspection of authorisations made under s 24 and will continue to monitor this issue.
The 2018–19 annual report noted that IGIS had identified ASIO’s inappropriate use of templated text to brief the Attorney-General for the purposes of s 27C(2)(b) of the ASIO Act. In response to this issue, ASIO has amended warrant application templates so that officers are prompted to provide a tailored brief on the matters identified in this subsection. IGIS is satisfied that ASIO has appropriately addressed the issue and inspections conducted during 2019–20 did not identify any similar examples of the use of generic templated text.
ASIO proactively informed IGIS of certain breaches and other issues relating to warrants issued under the TIA Act and the ASIO Act. This included early notification of some incidents that were ultimately confirmed to be compliant and also notification of incidents that resulted from events outside ASIO’s control but which ASIO believed should be notified to IGIS in the interests of transparency. A small number of reported breaches were attributable to mistakes made by telecommunications carriers rather than ASIO; nevertheless they required ASIO to take remedial action such as deleting information incorrectly sent by the carrier.
A detailed summary of compliance incidents reviewed by IGIS is provided below. Some of these matters remained under review by ASIO at the end of the reporting period, therefore IGIS has not finalised its consideration of the matters.
INCIDENTS RELATING TO INTERCEPTION WARRANTS UNDER THE TIA ACT TWO BREACHES OF SECTION 63(1) OF THE TIA ACT Section 63(1) prevents a person from communicating, making use of, making a record of, or giving in evidence in a proceeding, lawfully intercepted information or information obtained by intercepting a communication unlawfully. In late June 2019, ASIO notified IGIS that it may have disclosed information in contravention of s 63(1) of the TIA Act. ASIO later confirmed that it had disclosed foreign intelligence information to two partner services in November 2018 without having written approval from the Attorney-General as required by s 65(2) of the TIA Act. In response to this breach, ASIO updated its foreign intelligence collection warrant application templates to prompt ASIO officers to request appropriate approvals for future warrants. IGIS has reviewed the matters and is satisfied with ASIO’s assessment and subsequent remediation action.
INTERCEPTION UNDER SECTION 11B WARRANTS ASIO notified IGIS of an administrative error relating to interception authorised under a s 11B warrant. Section 11B provides for named person warrants to be issued for the collection of foreign intelligence. ASIO had initially intended to intercept a telecommunications service used by the subject of the warrant but decided on propriety grounds that the telecommunications service should not be intercepted. The telecommunications service was removed from the warrant but administrative errors resulted in the service being intercepted for several months. ASIO advised that on identifying the error, it ceased interception of the service, deleted all data intercepted from the service and conducted an audit to ensure no additional services were the subject of unauthorised collection. In addition, internal guidance was issued to ASIO officers reiterating the administrative procedures for s 11B warrants. While IGIS is satisfied with ASIO’s response to this specific incident, IGIS has worked with ASIO to identify additional opportunities to improve its interception procedures.
Separately, ASIO notified IGIS of a potential breach relating to a s 11B warrant where services added to the warrant related to an Australian permanent resident. Having identified this issue, ASIO immediately ceased interception of these services. ASIO is currently reviewing the matter and IGIS will assess and consider ASIO’s response following its review.
In addition, ASIO notified IGIS about a propriety issue concerning a named person warrant where some data that was lawfully collected under the warrant but was intended to be deleted from ASIO holdings was not deleted. Further investigation by ASIO determined that the segregation and deletion of this data was not viable once collected. IGIS continues to liaise with ASIO on this matter.
APPLICATION OF SECTION 11B(2) OF THE TIA ACT In July 2019, ASIO advised IGIS that it had identified an issue regarding the application of s 11B(2) of the TIA Act. Section 11B(2) requires ASIO to advise the Attorney-General of the details of telecommunications services used by the subject of the warrant application, to the extent these are known to ASIO. The matter is currently being reviewed by ASIO and IGIS will consider ASIO’s response following its review.
BREACHES OF SECTION 16(2) OF THE TIA ACT Section 16(2) requires ASIO, where interception of communications to or from a service are no longer required, to immediately inform an authorised representative of a telecommunications carrier, with confirmation to be given in writing as soon as practicable. In August 2019, ASIO notified IGIS of a breach of s 16(2)(d) of the TIA Act. During 2019, ASIO determined that a telecommunications service it had targeted under s 9A warrant was no longer being used by the named person. ASIO immediately ceased interception of the service but did not notify the telecommunications carrier in writing, as required by s 16(2)(d) of the TIA Act, for approximately three months. Having identified the error, ASIO provided the notification. No unauthorised collection had occurred. In response to this incident, ASIO reinforced the requirements of s 16 of the TIA Act with relevant officers. IGIS has reviewed the matter and is satisfied with ASIO’s notification and response.
In the previous reporting period, ASIO had notified IGIS of a possible breach of s 16(2) of the TIA Act but had not concluded its investigation as at 30 June 2019. ASIO subsequently concluded that a breach had not occurred and provided that advice to the Inspector-General in October 2019. IGIS is satisfied with ASIO’s investigation and advice.
ERROR IN SECTION 11C WARRANT In November 2019, ASIO advised IGIS of an error that had been identified in a warrant issued under s 11C of the TIA Act. Section 11C provides for warrants to be issued for the interception of foreign communications for the purpose of obtaining foreign intelligence. Following legal review, ASIO determined to seek a new warrant. The Inspector-General was informed of the matter and concurred with the proposed action. The Attorney-General authorised a new warrant and the original warrant was revoked.
BREACHES IN SECTION 7(1), 13 AND 17(1) OF THE TIA ACT Section 7(1) prohibits interception of communication passing over a telecommunications system. However, section 7(1) does not apply in certain circumstances, including where a warrant is in place. Section 13 requires ASIO to ensure that interception of communications under a warrant are discontinued where the grounds on which the warrant was issued cease to exist prior to the expiration of the warrant, and to advise the Attorney-General accordingly. Section 17(1) requires ASIO to provide a report to the Attorney-General within 3 months after the expiration or revocation of a warrant.
Between January and March 2020, ASIO notified IGIS of breaches concerning several related warrants issued under s 9 of the TIA Act. In the first notification, ASIO reported two instances where issues with confirming the subscriber of a telecommunications service had resulted in the unintended interception of telecommunication services likely used by Australian persons.
The first incident of erroneous interception of the service was caused by the telecommunications carrier providing incorrect subscriber details to ASIO. ASIO advised that when it detected the error, it ceased interception, deleted all relevant data and reported the issue to the Attorney-General.
The second incident resulted from the subject unsubscribing from a telecommunications service and the service being subscribed to another person. In the brief period after ASIO had confirmed the subscriber details of the telecommunications service but before ASIO applied for the warrant, the service in question was unsubscribed by the subject of ASIO’s collection efforts. Despite becoming aware during the term of the warrant, ASIO did not revoke the warrant as it made the assumption that the service would not be resubscribed before the expiry of the warrant. However, the service was resubscribed to another subscriber shortly before the warrant expired. This resulted in the communications of the new subscriber being intercepted over a six day period. After detecting the error, ASIO deleted this data. In addition, ASIO advised IGIS that due to an administrative oversight, it did not report the incident to the Attorney-General in its initial report under s 17 of the TIA Act. A separate report of the incident was subsequently provided to the Attorney-General.
In response to these breaches, ASIO conducted a review of the interception operation. ASIO identified and notified IGIS of four additional incidents making a total of six warrants issued under s 11A of the TIA Act with identified breaches. These cases are discussed below and are currently being reviewed by ASIO. IGIS will consider ASIO’s response following its review.
The third incident involved similar circumstances where a service was disconnected in the period between a subscriber check being undertaken and the warrant being authorised. The service was resubscribed during the period of the warrant, resulting in the communications of the new subscriber being intercepted over a four day period. ASIO advised that when it identified the error, it deleted the intercepted data and provided the Attorney-General with a supplementary warrant report.
In the fourth incident, ASIO determined that it would not seek a warrant to continue intercepting a particular service. ASIO did not inform the Attorney-General, as required by s 13 of the TIA Act, that the grounds on which the warrant had been issued had ceased to exist and ASIO did not take steps to ensure the interception of communications under the warrant was discontinued. Subsequently, due to an administrative error, interception of this service was sought and authorised under a later warrant.
The fifth incident resulted from an error made by ASIO in the identification of a subscriber, which led to a service being wrongly intercepted.
The sixth incident resulted from an administrative error whereby a subscriber check indicating that a service had been disconnected was incorrectly thought to indicate the service remained active. Accordingly, ASIO did not inform the Attorney-General that the grounds on which the warrant was issued had ceased to exist and did not take steps to discontinue the interception. This oversight resulted in continued interception being authorised under a later warrant. In addition, ASIO later identified that the service was probably resubscribed during the warrant period resulting in a further instance of communication from the subsequent subscriber being intercepted.
ASIO identified these additional breaches in January 2020 and provided notice of intention to revoke these warrants and requested that the interception be discontinued in each case. ASIO advised IGIS that it would delete all intercepted data and report the incidents to the Attorney-General. ASIO subsequently advised that reports had been provided to the Attorney-General.
DESCRIPTION OF SERVICES When ASIO submits a request to the Attorney-General to obtain a named person warrant under s 9A or s 11B of the TIA Act, ASIO must include details, to the extent these are known, sufficient to identify the telecommunications services that ASIO assesses the named person is using, or is likely to use. During 2017–18, IGIS questioned whether ASIO’s warrant documentation made clear the nature of the services ASIO intended to target. Following this, ASIO, in consultation with IGIS, prepared standing guidance for the Attorney-General on how it describes telecommunications services. This advice was provided to the Attorney-General in January 2020.
FAILURE TO DELETE DATA AS INTENDED Each year IGIS conducts an inspection to provide assurance that the deletion of data from ASIO systems has been effective and that no traces of information unintentionally remain. During 2019–20, IGIS identified two instances where data that ASIO had advised was deleted from all systems was still available on one system. One of these instances was caused by a failure of process. The second instance, which was identified by ASIO during the inspection, was due to a technical issue affecting the collection and storage of information obtained via a certain class of surveillance device. Following the inspection, ASIO conducted an historical review to determine if this technical error affected any other warranted collection during 2018–19. ASIO confirmed to IGIS that the failure to delete all data was an isolated technical incident. ASIO rectified the technical error and revised processes governing how information from that class of surveillance device is collected and stored. IGIS is satisfied with ASIO’s review and remediation response.
INCIDENTS RELATING TO SPECIAL POWERS UNDER THE ASIO ACT UNLAWFUL COMMENCEMENT OF JOINT WARRANTED OPERATION In July 2019, ASIO notified IGIS of an incident concerning a joint operation conducted with a partner foreign service targeting an Australian person of security interest. The operation was conducted in two phases. In both phases of the operation participation by the foreign service required authorisation under its own laws as well as authorisation under an Australian warrant. The foreign service mistakenly understood that, so long as the foreign service was authorised to conduct the activity under its own laws, then the first phase of the operation could be undertaken without an Australian warrant. Consequently, when the ASIO operational team sought assurance that the activities of the foreign service would not commence prior to the Australian warrant being in place, the foreign service provided this assurance on the assumption that the warrant was only required for the second phase of the operation.
Before commencing the first phase of the operation, the foreign service asked an ASIO liaison officer in that country (who was not part of the relevant ASIO operational team) for confirmation that the foreign service could proceed with the operation. This request was intended to maintain operational coordination with ASIO, as the foreign service believed it could proceed on the basis of its own authorisation. The ASIO liaison officer was unable to consult the relevant operational team and due to the urgency of the operation, confirmed ASIO’s agreement for the foreign service to proceed. IGIS has reviewed this matter and found that the liaison officer misconstrued corporate records of operational planning discussions that had been held earlier that day, and mistakenly believed that the Australian warrant that would provide the requisite authorisation of the foreign service was already in place.
Accordingly, the foreign partner commenced the first phase of the operation without authorisation under Australian law, resulting in unlawful intelligence collection. On the same day, when ASIO became aware of the foreign service’s action, it obtained a warrant for the activity. ASIO formally advised the foreign service that its activities were unlawful.
In response to the incident, ASIO advised IGIS that it would develop and implement new procedures for joint operational activity to mitigate the risk of a similar incident occurring. IGIS has reviewed ASIO’s records relating to this incident, and has concluded that it was caused by poor communication processes between the relevant parties. IGIS is satisfied that ASIO’s response to the incident was appropriate and timely. IGIS will continue to monitor the development of new procedures for joint operational activity.
NON-COMPLIANCE WITH SECTION 25(7)(a) OF THE ASIO ACT Section 25(7)(a) of the ASIO Act specifies that a warrant issued under s 25 of the ASIO Act must explicitly authorise the use of any force against persons and things that is necessary and reasonable. In July 2019, ASIO advised IGIS that search activity had occurred under a warrant that was non-compliant with s 25(7)(a). On the day of the planned search activity ASIO officers realised that the required authorisation had been omitted from the warrant. ASIO prepared an urgent application requesting the Attorney-General to issue a new warrant with the requisite authorisation; however, the search commenced before the Director-General made contact with the Attorney-General. The existing warrant was replaced by a new warrant during the period of the search activity. IGIS has considered the matter and is of the view that the omission of the mandatory authorisation did not invalidate the warrant. IGIS is satisfied that ASIO’s prompt actions to seek immediate reissue of the warrant were reasonable.
POTENTIAL UNAUTHORISED ACTIVITY UNDER SECTION 25 SEARCH WARRANT The 2018–19 IGIS annual report noted that ASIO had advised IGIS of a possible breach of s 25 of the ASIO Act, whereby a person who examined records during a search activity may not have been authorised under s 24 of the ASIO Act to do so. ASIO had not concluded its investigation into the matter during the 2018–19 reporting period.
In 2019–20, ASIO advised IGIS of the results of its investigation. In 2018–19, an ASIO search team requested at very short notice the participation of an officer of another Commonwealth agency to support the execution of a search warrant under s 25 of the ASIO Act. At the conclusion of the search, a post-activity review identified that, while certain classes of officer from that Commonwealth agency were validly authorised under s 24 to participate in the search, the officer in question did not belong to any of the classes specified. All other members of the search party were validly authorised to execute the warrant. IGIS is satisfied with the action taken by ASIO in identifying and notifying this breach.
DISCLOSURE OF INFORMATION FROM A FOREIGN PARTNER SERVICE ASIO notified IGIS of an incident where it had received a disclosure of information from a foreign partner service about an Australian citizen which could not have been collected lawfully by ASIO without a computer access warrant under s 25A of the ASIO Act. IGIS reviewed the circumstances of this incident and concluded that ASIO’s actions in relation to the disclosure could reasonably be argued to be lawful and proper. In particular, IGIS determined that ASIO did not solicit information on the Australian citizen from the foreign partner in a manner that could reasonably be interpreted as a request to collect or disclose information in circumvention of Australian law. IGIS considered that the incident highlighted systemic issues. IGIS considers that, should these issues remain unaddressed, it could result in future breaches. IGIS will continue to monitor how ASIO has addressed the systemic issues identified.
INCIDENTS RELATING TO PART IV OF THE ASIO ACT
BREACHES OF SECTION 38 OF THE ASIO ACT BY COMMONWEALTH DEPARTMENTS In certain circumstances, s 38(1) of the ASIO Act requires a Commonwealth agency that receives an adverse or qualified security assessment from ASIO in respect of a person to give, within 14 days, written notice to that person, including a copy of the assessment and information concerning the person’s right of appeal to the AAT. During the reporting period, ASIO advised IGIS of two cases where a Commonwealth department failed to provide the relevant information within the time period required by s 38(1).
ASIO also advised IGIS of an additional instance where a Commonwealth department failed to comply with s 38(6) of the ASIO Act, which requires that notice of an adverse security assessment must be sent to the subject of the assessment by registered mail or hand delivery. The department instead provided this notice by ordinary post. ASIO identified the non-compliance and subsequently worked with the department to ensure that the requirements of s 38(6) were met. IGIS is satisfied with ASIO’s actions in relation to these three cases. ASIO has since contributed to work undertaken by the department to develop policies and internal guidance to minimise the likelihood of future breaches of s 38 of the ASIO Act.
BREACH OF SECTION 39 OF THE ASIO ACT Section 39 of the ASIO Act prevents Commonwealth agencies that receive advice from ASIO from taking prescribed administrative action against a person unless the advice is in the form of an adverse or qualified security assessment. ASIO advised IGIS of one instance where a Commonwealth agency took action that ASIO considered may have constituted prescribed administrative action in response to preliminary advice from ASIO that was not in the form of a security assessment. ASIO intervened to ensure that the subject of the advice was not adversely affected by the action of the Commonwealth agency. ASIO then met with the relevant agency to explain the incident and improve awareness of the requirements of the ASIO Act. IGIS is satisfied that ASIO’s response to the incident was adequate and appropriate.
ACCESS TO TELECOMMUNICATIONS DATA UNDER THE TIA ACT Sections 175 and 176 of the TIA Act empower certain ASIO personnel to authorise the collection of historical and prospective telecommunications data from telecommunications carriers or carriage service providers. Authorisations are limited to circumstances in connection with the performance of ASIO’s functions and in accordance with the Attorney-General’s Guidelines, and must be signed by a specified eligible person.
ASIO notified IGIS of three incidents relating to prospective data authorisations under s 176 of the TIA Act.
In the first incident, the eligible person was briefed on the facts and grounds for the two telecommunications services to be subject to the authorisation. However, due to human error the authorisation instrument signed by the eligible person omitted the details of one of the services, and this omission was not identified by officers responsible for communicating the authorisation to the recipient of the notice. Consequently, the recipient was instructed to provide data for both services, one of which was unauthorised. The error was identified on the same day the authorisation notice was issued and before any data had been provided. ASIO issued a revised authorisation instrument containing details of both telecommunications services. In response to this incident, ASIO advised IGIS that it would update its administrative procedures for notices under s 176 of the TIA Act to reduce the risk of human error in the future.
In the second incident, during drafting of the necessary approval documentation, relevant checks were not conducted against three individuals to ensure the individuals were at the correct investigation level in ASIO’s case management system.
The third incident occurred when the approvals that would authorise maintaining the subjects of the prospective data authorisation at the correct investigation level in ASIO’s case management system were not completed by the relevant due date. This omission was identified the following day and collection was ceased immediately.
ASIO also notified IGIS of two cases where telecommunications data was obtained contrary to s 175 of the TIA Act.
The first case involved three separate incidents within the same operation involving different telecommunications carriers. In the first incident, the carrier was unable to limit the results of the s 175 request to the criteria identified by ASIO, resulting in the provision of significant additional data. ASIO advised IGIS that it was working to identify the data that was outside the specified criteria and to delete it from ASIO’s systems. In the second incident, data was delivered by the carrier without a valid s 175 request in place. ASIO advised that this data was quarantined and then deleted. In the third incident, the s 175 request was invalid as it sought data for a period after the date of the request. ASIO advised that this data was also quarantined and deleted.
The second case involved human error in interpreting data used as the basis for four requests. This resulted in data being obtained that was earlier than the connection date of two services and, in one instance, data being sought for the wrong service. ASIO advised that the relevant data had been deleted. Separately, ASIO reported another case that highlighted similar problems in interpreting data.
These cases are currently being reviewed by ASIO and IGIS will consider ASIO’s response following their review.
QUESTIONING AND DETENTION WARRANTS No questioning or questioning and detention warrants were authorised or used during the reporting period.
USE OF FORCE Warrants issued under the ASIO Act must explicitly authorise the use of force necessary and reasonable to do the things specified in the warrant. Under s 31A of the ASIO Act, when force is used against a person in the execution of a warrant, ASIO must notify the Inspector-General in writing and as soon as practicable. The ASIO Act does not specify a timeframe for the provision of these reports and ASIO has developed a policy that requires an initial notification within 72 hours of the use of force, to be followed by more detailed information within 10 days. No notifications of use of force were received during the reporting period.
SPECIAL INTELLIGENCE OPERATIONS SIO powers allow ASIO to seek authorisation from the Attorney-General to undertake activities that would otherwise be unlawful. Where the circumstances justify the conduct of an SIO, ASIO may seek these authorisations to assist in the performance of its functions. The ASIO Act requires ASIO to notify the Inspector-General as soon as practicable after an authority is given. During the reporting period in all instances the Inspector-General was notified within 24 hours of the Attorney-General granting approval for an SIO.
The ASIO Act also requires ASIO to provide to the Attorney-General and the Inspector-General a written report on each SIO. Details of these operations are highly sensitive and cannot be included in a public report.
Unlike warrants issued under Division 2 of the ASIO Act, there is no requirement under Division 4 for an SIO to be discontinued if the requirement for special intelligence conduct has ceased. During 2019–20, IGIS identified several instances where ASIO had made a determination that conduct authorised under an SIO had ceased, but the authority was not cancelled and substantial time elapsed before the SIO authority expired. IGIS has advised ASIO that while there is no legislative requirement to do so, as a matter of propriety where ASIO makes a determination that conduct authorised under the SIO has ceased the authority should be cancelled as soon as practicable. ASIO has reported that it has updated its procedures to ensure that all officers understand this expectation. IGIS will continue to monitor ASIO’s update to procedures.
INCIDENT RELATING TO THE CRIMES ACT In June 2019, ASIO notified IGIS of an incident that occurred in February 2019. The incident involved possible unauthorised access to a telecommunications device that had been lawfully seized by the AFP under the Crimes Act 1914. At the time of the incident, ASIO had a warrant under the ASIO Act that authorised access to the device. However, an ASIO officer assisting with the investigation accessed the device but was not authorised to do so under the warrant. ASIO gave consideration to notifying IGIS in February at the time the possible breach was identified, but then did not provide notification until June.
Following notification and further details of the incident, IGIS questioned the legal basis for the information provided by ASIO in the initial notification to IGIS and the legal consequences of the incident. In June 2020, ASIO concluded that the provision of the telecommunications device to the ASIO officers and the subsequent actions taken in relation to the device were lawful and authorised under the Crimes Act. IGIS concurred with ASIO’s view regarding legality.
TELECOMMUNICATIONS AND OTHER LEGISLATION AMENDMENT (ASSISTANCE AND ACCESS) ACT 2018 In December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 granted ASIO new powers in relation to obtaining industry assistance under the Telecommunications Act 1997. ASIO is required to notify the Inspector-General formally within seven days of a request or notice being given under the relevant legislative provisions set out in Part 15 of the Act. IGIS reviewed each use of these powers through its inspection program.
In addition, the Act granted ASIO new powers under the ASIO Act in relation to computer access and access to data, and voluntary assistance. The IGIS inspection program included a review of ASIO’s use of these powers during the year. IGIS will continue to monitor procedures and activities around the use of these powers.
TEMPORARY EXCLUSION ORDERS In July 2019, the Counter-Terrorism (Temporary Exclusion Orders) Act 2019 came into effect providing for the Minister to make temporary exclusion orders preventing a person from entering Australia for a period of up to two years. Section 10(2) of the Act sets out the circumstances in which the Minister may make a temporary exclusion order, including where ASIO has assessed the person to be directly or indirectly a risk to security (within the meaning of the ASIO Act) for reasons related to politically motivated violence (within the meaning of the ASIO Act). IGIS has included inspection of ASIO’s assessments for the purposes of temporary exclusion orders in its regular inspection program. IGIS will continue to monitor ASIO’s procedures and activities around the use of these orders through regular inspection plans.
THE ATTORNEY-GENERAL’S GUIDELINES The Attorney-General’s Guidelines (the Guidelines) are issued under s 8A of the ASIO Act and are to be observed by ASIO in performance of its functions. Among other things, the Guidelines require ASIO to review each of its investigations on an annual basis. In 2019–20, a small number of investigations were conducted without review for periods longer than a year. ASIO proactively reported the majority of these breaches to IGIS. ASIO also notified two instances where subjects were not raised to the correct investigation level in ASIO’s case management system.
The Guidelines also require that a security investigation into an entity must be reconsidered and reapproved at least annually by an ASIO officer of a certain seniority. ASIO notified IGIS of a breach of the Guidelines where, due to administrative and human error, an investigation was reviewed annually and reapproved three times by an officer who was not sufficiently senior. During this period, no intrusive activities were undertaken that required the correct approval of the investigation into the entity. In response to the breach, ASIO terminated the investigation and conducted remedial training on the requirements of the Guidelines. IGIS is satisfied with ASIO reporting and remediation action.
In March 2020, ASIO identified a potential breach of the Guidelines concerning financial records that were provided to ASIO contrary to internal procedures and without required approvals. After the incident was identified, all records that had been provided to ASIO were quarantined and then destroyed. Other relevant cases were then reviewed with no additional contraventions identified. The matter is currently being reviewed by ASIO and IGIS will consider ASIO’s response following this review.
ASIO’S EXCHANGE OF INFORMATION WITH AUSTRALIAN GOVERNMENT AGENCIES ASIO may exchange information with certain other Australian Government agencies. IGIS reviews and inspects the exchange of sensitive personal information as part of IGIS’s periodic inspections.
During the reporting period, ASIO exchanged information with a number of Australian Government agencies including the Australian Criminal Intelligence Commission (ACIC), Australian Federal Police (AFP), State and Territory police services, the Department of Home Affairs, the Department of Defence and the Department of Foreign Affairs and Trade. IGIS regularly reviewed these exchanges to assess ASIO’s compliance with legislation, the Attorney-General’s Guidelines and ASIO policy. IGIS did not identify any concerns.
ACCESS TO TAXATION INFORMATION Section 355-70 of Schedule 1 to the Taxation Administration Act 1953 provides that a taxation officer authorised by the Commissioner of Taxation or delegate may disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO’s functions. This access to sensitive tax information is further governed by a memorandum of understanding (MOU) between the Commissioner of Taxation and the Director-General of Security, the Attorney-General’s Guidelines and ASIO’s internal guidelines and procedures. ASIO rarely requests access to this type of information.
During the reporting period, IGIS reviewed ASIO’s access to sensitive tax information in the previous financial year 2018–19. IGIS did not identify any concerns. In the next reporting period, IGIS will review ASIO’s access to taxation information for the period 2019–20.
ASIO EXCHANGE OF INFORMATION WITH FOREIGN AUTHORITIES The ASIO Act authorises ASIO to provide, and to seek, information relevant to Australia’s security, or the security of a foreign country, from authorities in other countries. ASIO may only cooperate with foreign authorities approved by ASIO’s Minister. ASIO has guidelines for the communication of information on Australians and foreign nationals to approved foreign authorities.
During the reporting period, IGIS conducted an inspection of ASIO’s foreign liaison arrangements to assess the effectiveness of these arrangements in promoting information exchange that is consistent with human rights. The scope of the inspection included ASIO’s internal policy regarding the disclosure of information about minors. While information exchange is considered through other inspection activities conducted by IGIS, this was the first time in several years that a specific inspection into the issue had been conducted.
IGIS found that ASIO has frameworks in place to manage the potential human rights implications of disclosure, but there was scope for improvement in these frameworks. IGIS suggested measures to ensure that ASIO senior management oversight is directed towards areas of highest risk and that better guidance is provided to decision-makers to support their consideration of human rights issues. These matters are currently being addressed by ASIO. IGIS will continue to monitor ASIO’s progress.
MINISTERIAL SUBMISSIONS IGIS reviewed a number of submissions made by ASIO to the Attorney-General and the Minister for Home Affairs. These submissions provide information on current operations undertaken by ASIO and emerging issues. IGIS reviews submissions to ensure that the information provided is timely and appropriate, and accurately informs the Minister on relevant matters. During the reporting period, IGIS raised an issue identified in the previous period where potentially unreliable or misleading advice was provided to the Minister. ASIO addressed the matter and provided further advice to the Minister. IGIS is satisfied with the appropriateness of information provided in other submissions.
SECURITY ASSESSMENTS Security assessments issued by ASIO can result in administrative decisions, such as cancelling a visa or passport, which significantly affect the liberties of the person who is the subject of the assessment. In 2019–20, IGIS reviewed a sample of cases where ASIO issued prejudicial (adverse or qualified) security assessments. IGIS did not identify any issues during the reporting period.
INSPECTION OF ASIS ACTIVITIES The functions of ASIS are set out in s 6 of the IS Act. Under the IS Act ASIS can only perform these functions in the interests of Australia’s national security, foreign relations or national economic wellbeing, and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.
In performance of these functions ASIS undertakes a number of activities which are subject to IGIS oversight. The activities are categorised as follows:
support to the ADF
cooperation with and assistance to intelligence agencies and prescribed authorities
certain activities in relation to ASIO
other activities as directed by the Minister for Foreign Affairs.
During 2019–20, IGIS conducted a range of inspections of ASIS’s activities. These inspections included the review of operational files, advice to the Minister for Foreign Affairs, weapons related matters and access to sensitive financial information. Inspections were conducted using a risk-based approach with priority given to operational file reviews. The approach IGIS takes to each inspection varies, but usually it involves review of official ASIS records, discussions with officers from the agency and any other elements relevant to the particular inspection. The purpose of IGIS inspections is to ascertain whether there are any activities that give rise to legality, propriety, human rights issues or other concerns. All inspections are followed by a letter from the Inspector-General to the Director-General of ASIS summarising IGIS’s findings.
IGIS also conducts other review and oversight related activities. These other activities are an important part of the oversight of ASIS, and provide additional assurance that its activities are legal and proper. IGIS reviews all ASIS reports of legislative non-compliance or other significant matters. IGIS is also consulted on the legality and propriety of certain ASIS proposals and draft internal policies prior to finalisation; this allows IGIS to identify any concerns before action is taken. Normally, the Inspector-General and IGIS officers visit ASIS officers outside its Canberra headquarters, however, this did not occur in the reporting period due to the COVID-19 pandemic.
Inspections and other oversight activities are supplemented by awareness briefings on various matters throughout the year, either as IGIS requests, or as are provided proactively by ASIS. These briefings allow IGIS to stay abreast of emerging issues, or to follow up observations from inspection activities. There are regular meetings between the Inspector-General and the Director-General of ASIS as well as bi-monthly meetings between the Inspector-General and senior ASIS officers; these meetings cover a variety of matters. The COVID-19 restrictions limited IGIS’s ability to carry out some inspections. However, some review and engagement activities did continue and IGIS officers were able to recommence normal inspection activities prior to the end of the financial year.
INSPECTION OF OPERATIONAL FILES IGIS officers regularly visited ASIS premises during 2019–20 to inspect ASIS’s operational case files. Generally these inspections occur monthly, however, not all scheduled operational file inspections could occur as planned, primarily due to restrictions relevant to the COVID-19 pandemic.
Inspections of operational files involve reviewing a sample of files, focusing on higher risk areas as determined by IGIS. ASIS activities involve the use of human sources and ASIS officers are deployed in many countries to support a wide range of activities including counterterrorism, efforts against people smuggling, and support to military operations. Considerations applied in the inspections of operational files include the appropriate application of the Privacy Rules; compliance with internal guidelines, policies, and procedures; and human rights requirements such as conventions relating to the prohibition of torture and other cruel, inhumane or degrading treatment.
For a given overseas location, source or operation these inspections typically focus on records created in the previous two years. During the reporting period, IGIS inspected files relating to ASIS’s operational activities in a number of countries, covering a wide variety of themes.
The sensitive nature of ASIS’s operational activities means that specific details of inspection topics, and the matters identified cannot be provided in a public report. At the conclusion of these inspections, IGIS is satisfied that ASIS is appropriately identifying and considering legality and propriety risks associated with operational activities. No significant concerns regarding legality, propriety or human rights were detected and ASIS achieved a very high level of compliance.
It is a breach of s 15(5) of the IS Act for ASIS to communicate intelligence information concerning an Australian person other than in accordance with the Privacy Rules. An inspection identified an instance where ASIS communicated intelligence information on an Australian person to another Australian Government agency without first applying the Privacy Rules. This appears to have been an isolated case as on other occasions relating to this matter the Privacy Rules were clearly considered, correctly applied and appropriately documented. Moreover, it should be noted that in the isolated case the information would have met the requirements of the Rules had they been applied. Other inspections identified a number of record keeping issues which were minor in nature. IGIS is satisfied with ASIS processes and the remediation action taken.
MINISTERIAL SUBMISSIONS Through its bi-monthly inspections IGIS generally inspects and reviews all ministerial submissions sent by ASIS to the Minister for Foreign Affairs. IGIS reviews submissions to ensure that ASIS is appropriately and accurately informing the Minister on relevant ASIS matters. Due to work restrictions and disruptions resulting from the impact of the COVID-19 pandemic, IGIS could not conduct all the planned inspections of ministerial submissions. The majority of the submissions reviewed during the reporting period related to Ministerial Authorisations to produce intelligence on Australian persons; these are discussed below.
ASIS consulted IGIS on several proposed ministerial submissions with potential issues connected to legality and propriety. These submissions were primarily regarding proposed updates to requirements involving the production of intelligence on Australian persons. The Inspector-General provided comments and suggestions as appropriate, and having reviewed the submissions sent to the Minister, is satisfied that in each instance the Minister was accurately informed.
MINISTERIAL AUTHORISATIONS TO PRODUCE INTELLIGENCE ON AUSTRALIAN PERSONS ASIS is a foreign intelligence collection agency and intelligence activities it conducts on Australian persons attract IGIS scrutiny. During 2019–20, IGIS reviewed all Ministerial Authorisations obtained by ASIS from the Minister for Foreign Affairs up to February 2020 when this inspection was disrupted by the impact of COVID-19 restrictions.
The inspections conducted did not identify any breaches of legislation. IGIS identified one issue of propriety regarding the timeliness of advice to the Minister in relation to a Ministerial Authorisation whose grounds had ceased to exist. ASIS had appropriately ceased all activity as soon as the grounds ceased to exist but, due to an administrative error, ASIS did not advise the Minister in a timely manner. While the time within which the Minister is to be provided submissions to cancel Ministerial Authorisations will vary according to the facts of each case, in this instance IGIS considered that the Minister should have been advised sooner. IGIS is satisfied with ASIS processes and concluded that this was an isolated case and not indicative of a systemic issue.
EMERGENCY MINISTERIAL AUTHORISATIONS There were no emergency Ministerial Authorisations sought during the reporting period.
THE ASIS COMPLIANCE BRANCH The ASIS Compliance Branch aims to ensure that ASIS operates legally and in accordance with established authorisations and policies, develops internal policies and procedures, provides compliance and risk related advice and training to ASIS officers, and conducts investigations into matters of concern. The ASIS Compliance Branch works to develop and promote an agency culture of compliance.
When ASIS conducts an investigation into a matter of concern, IGIS receives a copy of the investigation report. IGIS independently reviews all ASIS investigation reports and considers the scope and process of the investigation and the action taken on any issues identified. IGIS may undertake further investigations, request additional information, recommend action to be taken, or request updates on implementation of remediation.
During the reporting period, IGIS met frequently with the ASIS Compliance Branch and was briefed on all relevant matters and provided access as required.
REPORTING OF COMPLIANCE MATTERS During 2019–20, ASIS provided IGIS with seven reports related to activities in breach of the IS Act. Some reports covered more than one specific breach. All but one breach involved communications not in accordance with the Privacy Rules; this case is discussed below. Separate to these reports, ASIS undertook reviews into other matters of concern related to internal policies and procedures and reported to IGIS as appropriate. The number of breaches of the Privacy Rules and investigation reports provided to IGIS were generally consistent with the numbers in the previous reporting period. ASIS self-identified the majority of breaches and reported them to IGIS. IGIS is satisfied with ASIS reporting, investigation and remediation in these matters.
One of the compliance reports referred to above related to a failure to obtain a Ministerial Authorisation in breach of s 8 of the IS Act. This case involved ASIS being engaged in activities for the purpose of producing intelligence on an overseas Australian person who was likely involved in terrorism related activities. These activities occurred without a Ministerial Authorisation in place, or a written notice under s 13B of the IS Act. The case also involved two breaches of the Privacy Rules and a number of issues of administrative non-compliance. There was also a significant delay between the identification of this incident and notification to IGIS. The case was brought to the attention of the ASIS Compliance Branch following a compliance training session and subsequently the ASIS Compliance Branch notified IGIS and kept IGIS informed as the ASIS investigation progressed. ASIS advised IGIS that it was planning to use the scenario as part of its ongoing compliance training, and would update its internal Privacy Rules policy to minimise the risk of future similar breaches. IGIS reviewed the ASIS investigation report and raised additional matters, including further suggested changes to internal policy. As at 30 June 2020, these updates had not yet been implemented. IGIS will continue to engage with ASIS and monitor these changes.
PROTECTING THE PRIVACY OF AUSTRALIAN PERSONS During 2019–20, ASIS self-reported a total of 17 breaches of the Privacy Rules in the seven compliance reports referred to above. Seven of these breaches occurred between 2012 and 2015, which ASIS identified during 2019–20. An additional two breaches were identified by IGIS during inspection and other review work. Human error was the cause of the breach in the majority of cases. The errors included officers missing key information when reviewing a report prior to publication, failing to accurately interrogate a key ASIS database that contains information indicating a person’s nationality, or not updating that database as required.
Noting the total volume of reporting that ASIS produced on Australian persons during 2019–20, the incidence of Privacy Rules breaches was rare. IGIS found no indication of systemic failings with ASIS’s compliance controls or training. IGIS did not identify any cases where reporting on an Australian person would not have been reasonable and proper had the Privacy Rules been correctly applied at the time.
In its compliance reports ASIS identified some areas for improvement in record keeping or compliance, and IGIS identified some additional matters in its inspection and review work. IGIS will continue to monitor ASIS’s application of the Privacy Rules closely as well as the implementation of areas identified for improvement. IGIS is satisfied with ASIS reporting procedures in these matters.
Under the Privacy Rules ASIS is also required to advise IGIS when it obtains information which leads to the overturning of the initial presumption that a person overseas is not an Australian person. If the initial presumption was reasonable, such incidences are not recorded as a breach of legislation or the Privacy Rules. In 2019–20, ASIS reported three occasions where such a ‘presumption of nationality’ was overturned. In all cases ASIS’s initial presumption was reasonable and in accordance with the Privacy Rules as it initially had no evidence that the individuals, who were located outside Australia, were Australian. One case related to the s 8 compliance incident discussed earlier. Timely notification of this incident was not provided to IGIS or to other relevant intelligence agencies. IGIS is however satisfied with the basis of the initial presumption of nationality and will continue to monitor these matters and the timing of the notifications that should be made to IGIS.
AUTHORISATIONS RELATING TO THE USE OF WEAPONS Under the IS Act ASIS officers are prevented from undertaking activities that involve violence or the use of weapons except in the limited circumstances permitted by the IS Act. The IS Act provides for ASIS to equip its officers with weapons, and to train them to use weapons and self-defence techniques in certain circumstances, particularly in order to protect themselves or certain other people.
Schedules 2 and 3 of the IS Act require the Minister and the Director-General of ASIS to provide certain documentation relating to the use of force and weapons to the Inspector-General. This includes approvals for weapons and self-defence training; copies of the Director-General guidelines issued for the purpose of weapons and self-defence; approvals in specific circumstances where the Minister approves the use of force; and notification of officers or agents using weapons or self-defence techniques other than in training or approved scenarios. During 2019–20, the Director-General of ASIS issued new guidelines under Schedule 3 of the IS Act relating to the use of force or threats of the use of force, and updated guidelines made under Schedule 2 relating to the use of weapons and self-defence techniques. The Inspector-General was consulted during the drafting of these documents, and the final versions did not raise any legality or propriety concerns. As required under the IS Act, the Inspector-General briefed the PJCIS on these changes.
In the 2019–20 reporting period, the Minister and the Director-General of ASIS provided the reports required under the IS Act. The Inspector-General continues to be satisfied that there is a genuine need for a limited number of ASIS staff to have access to weapons for self-defence in order to perform their duties effectively. ASIS did not report, and IGIS did not find, any cases where a weapon was discharged or self-defence techniques were used other than in training. ASIS did not report, and IGIS did not find, any instances of non-compliance with the Director-General’s internal guidelines on weapons. In one case the Minister provided an approval for certain ASIS staff members to protect a number of persons in accordance with Schedule 2, Clause 1(3) of the IS Act.
IGIS examined ASIS weapons and self-defence policies, guidelines and training records during an inspection. No significant issues were identified. IGIS identified a record keeping error relating to how ASIS applied part of its guidelines issued under Schedule 2. IGIS is satisfied with ASIS processes and reporting, and its remediation of the record keeping error.
INSPECTION OF ASD ACTIVITIES The functions of ASD are set out in s 7 of the IS Act. ASD undertakes a number of activities in exercise of these functions. The activities which are subject to IGIS oversight are categorised as follows:
foreign intelligence collection
prevention and disruption of cybercrime
provision of material, advice and assistance relating to security and integrity of information
assistance to the ADF
protection of specialised technologies
assistance to Commonwealth and State authorities
assistance to certain intelligence agencies and prescribed authorities.
IGIS inspection of ASD activities is facilitated by strong working relationships with ASD’s Oversight, Compliance and Legal teams, and regular access to required information and systems. Given the volume and complex nature of ASD activities, the IGIS inspection program is continuous and includes scheduled inspection activities, and proactive reviews of areas of risk or sensitivity. IGIS also reviews selected ASD existing and proposed policies to ensure they are appropriate, implemented and effective.
During 2019–20, IGIS inspected a number of ASD activities, including:
applications for Ministerial Authorisation to produce intelligence on Australian persons
ASD’s compliance with the Rules to Protect the Privacy of Australians (Privacy Rules)
compliance incident reports
ASD’s access to sensitive financial information.
While COVID-19 restrictions had a minor effect on activities, most planned inspections were able to be conducted. Inspections were supplemented by briefings on various matters across the year, regular meetings with the ASD Oversight and Compliance teams, engagement with ASD Legal officers, and visits to ASD officers posted outside Canberra. The Inspector-General and the Director-General of ASD met formally on a quarterly basis to discuss oversight matters and developments.
MINISTERIAL AUTHORISATIONS TO PRODUCE INTELLIGENCE ON AUSTRALIAN PERSONS The IS Act requires that ASD obtain authorisation from the Minister for Defence before conducting certain activities, including the production of intelligence on Australian persons. During 2019–20, IGIS inspected the majority of ASD’s applications for Ministerial Authorisation. These applications were generally of a high standard, and no significant issues were identified by IGIS officers, with the exception of the ministerial submission instances discussed below.
The 2018–19 IGIS annual report noted that IGIS had identified several instances where ASD did not include the appropriate administrative restrictions on certain database records. IGIS noted that this practice heightened the risk of an inadvertent breach of the IS Act by omitting a layer of additional assurance. During the 2019–20 reporting period, IGIS identified further instances where appropriate administrative restrictions were not in place. ASD conducted an internal audit in September 2019 and to mitigate this risk of continued occurrence published further guidance for its officers in April 2020. There was some delay from initial identification of the issue to ASD taking remedial action and additional instances occurred over that time, however, IGIS has now seen a reduction in the number of instances identified. IGIS will continue to monitor the effectiveness of ASD’s remedial actions.
EMERGENCY MINISTERIAL AUTHORISATIONS Situations may arise where, as a matter of urgency, ASD requires a Ministerial Authorisation to undertake certain activities. Emergency authorisations may be provided orally by the Minister for Defence, other select Ministers where the Minister for Defence is unavailable or, if the Ministers are not readily available the Director-General of ASD can authorise such activities. Emergency authorisations are valid for 48 hours after which a new authorisation is required if ASD is to continue the activity. ASD did not seek any emergency Ministerial Authorisations during the reporting period.
MINISTERIAL SUBMISSIONS During the reporting period, IGIS conducted a quarterly review of the submissions ASD provided to the Minister for Defence. In conducting these reviews IGIS considers whether the Minister for Defence is provided timely and accurate information about critical ASD issues.
In August 2019, ASD advised IGIS that it had conducted an audit of ministerial submissions prepared in support of all active Ministerial Authorisations. This audit was conducted at the Minister for Defence’s direction following an incident where ASD had provided incorrect information to the Minister in a submission in support of a Ministerial Authorisation. ASD identified over one third of the submissions audited contained unclear or inaccurate advice. ASD assessed that none of the identified errors affected the grounds upon which the Ministerial Authorisations were sought or granted. At the Minister for Defence’s request, ASD has updated its governance arrangements for preparing submissions in support of Ministerial Authorisations, and implemented regular compliance audits to ensure the accuracy of information. ASD has also undertaken to report quarterly to the Minister for Defence on its remedial actions. Based on IGIS’s initial review of the matter it appears that these issues were the result of an insufficient quality assurance process. IGIS will continue to monitor this issue and the effectiveness of ASD’s remedial actions.
Separate to the above, during the reporting period ASD notified IGIS of one instance where a warrant application contained incorrect information and one instance where a ministerial submission contained incorrect information. ASD has since strengthened its internal procedures to mitigate the likelihood of recurrence. IGIS reviewed the circumstances of each incident and was satisfied that ASD’s remedial actions were appropriate to ensure the accuracy of submissions provided to Ministers.
PROTECTING THE PRIVACY OF AUSTRALIANS The Minister for Defence issues written rules (Privacy Rules) to regulate the basis on which ASD may communicate and retain intelligence information about Australian persons. The IS Act prohibits ASD from communicating intelligence information concerning an Australian person other than in accordance with those rules. The rules are publicly available on the ASD website.
The Privacy Rules also require ASD to: provide IGIS with access to all of ASD’s intelligence holdings concerning Australian persons; consult IGIS about relevant procedures; report to IGIS any breaches of the Privacy Rules; and to advise where ASD has revised its determination that a person previously presumed to be foreign is an Australian person.
ASD reported to IGIS cases where ASD, in accordance with the guidance set out in the rules, had initially presumed that an individual was not an Australian person, but where the presumption was subsequently overturned and the person shown to be Australian. ASD’s reports included details of the measures taken to protect the privacy of that person including, as a propriety measure, informing other relevant intelligence agencies of overturned presumptions of nationality.
If the initial presumption was reasonable, such incidents do not breach legislation or the Privacy Rules. IGIS reviewed these cases and found that ASD’s initial presumptions of nationality were reasonable given the information available to ASD at the time. IGIS found that ASD’s actions were appropriate and in accordance with the Privacy Rules. IGIS is satisfied with ASD’s compliance with Privacy Rules and reporting processes.
LEGISLATIVE NON-COMPLIANCE When ASD identifies breaches of legislation and significant or systemic matters of non-compliance with ASD policy, it proactively provides written notification of these issues to IGIS. ASD then undertakes an investigation of the incident and provides its findings to IGIS which reviews these reports and where necessary undertakes further independent investigation of the incidents.
TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979 INCIDENT REPORTS The TIA Act prohibits agencies from intercepting communications passing over a telecommunications system, except in limited circumstances, including where there is a warrant in place allowing interception.
The 2018–19 IGIS annual report stated that ASD had notified IGIS in May 2019 that it may have breached s 7 of the TIA Act. In June 2019, ASD confirmed that this incident did constitute a breach of s 7, as it had enabled interception without an appropriate warrant. In three instances, telecommunications ‘devices’ were specified for interception under warrants that could only lawfully authorise interception of telecommunications ‘services’. Although these telecommunications devices were targeted for interception no communications were intercepted as a result. This problem arose from ASD officers incorrectly believing that the telecommunications devices specified were telecommunications services. In November 2019, ASD provided IGIS the related compliance incident report. IGIS independently reviewed the circumstances of this incident and was satisfied that ASD had sufficiently sought to understand the novel technical elements of the incident, and had implemented appropriate remedial action.
In August 2019, ASD confirmed that it had breached s 63 of the TIA Act by communicating information that had been intercepted without an appropriate warrant. This information had been provided to ASD by a partner agency that, at the time, believed that the information had been lawfully obtained. In November 2019, ASD provided IGIS the related compliance incident report. IGIS reviewed this incident and found that ASD’s response and the remedial actions taken, including deleting the relevant information, were appropriate in the circumstances.
In February 2020, ASD notified IGIS that it may have breached s 7 of the TIA Act by intercepting communications without an appropriate warrant. ASD investigated this incident and in June 2020 confirmed that the activity was a breach of the TIA Act. As of 30 June 2020, ASD was conducting an internal investigation. IGIS will independently review ASD’s investigation and report in the 2020–21 annual report.
In addition to advising IGIS of confirmed breaches of legislation, ASD also advises IGIS of 'potential breaches’, that is where it is technically possible that there was a breach but this cannot be proven. ASD categorises an incident as a potential breach when it is unclear, due to data limitations or the absence of essential details, whether a breach has occurred. IGIS reviews these matters in the same manner as it reviews confirmed breaches. During the reporting period, ASD reported one potential breach.
The 2018–19 IGIS annual report noted that ASD had notified IGIS in June 2019 that it may have breached s 7 of the TIA Act. ASD investigated this incident, and in late June 2019, confirmed that this issue constituted potential breaches of s 7(1)(a) and s 63 of the TIA Act, as ASD had likely intercepted and communicated certain information without an appropriate warrant. ASD also confirmed that it had breached s 7(1)(c) of the TIA Act as it had enabled interception, regardless of whether interception had occurred. In this instance, an unanticipated change in the use of technology resulted in communications likely being intercepted that were outside the authority of a warrant. The information obtained from the interception was then likely communicated to partner agencies. Due to the technical nature of the incident, ASD could not confirm that interception or communication had occurred. Following ASD providing the related compliance incident report in November 2019, IGIS independently reviewed ASD’s investigation. IGIS found that the technological adaptation could not have been reasonably foreseen by ASD, whose actions would otherwise have been entirely consistent with legislation. IGIS is satisfied with reporting and the mitigation measures enacted by ASD.
OTHER INCIDENT REPORTS In July 2019, ASD confirmed a legislative breach as a result of an electronic signals intelligence activity. In August 2019, ASD provided IGIS the related compliance incident report. A key issue which led to the incident was a lack of understanding about how a particular capability operated, a problem compounded by the pressure of a time sensitive operation. IGIS has independently reviewed this breach and determined that ASD’s remedial actions, which included increased training to relevant areas and revised procedures to mitigate recurrence, were appropriate in the circumstances.
INSPECTION OF AGO ACTIVITIES The functions of AGO are set out in s 6B of the IS Act. In performance of these functions AGO undertakes a number of activities which are subject to IGIS oversight. The activities are categorised as follows:
intelligence collection in support of the Australian Government
intelligence collection in support of the ADF
intelligence collection in support of Commonwealth and State Authorities carrying out national security functions
communication of intelligence
provision of imagery and other geospatial products
support to persons or bodies responsible for functions including emergency response, safety, scientific research, economic development, culture, and environmental protection
assistance to intelligence agencies and prescribed authorities
the functions of the Australian Hydrographic Office (AHO).
During the 2019–20 reporting period, IGIS officers conducted inspections of the following AGO activities:
applications for Ministerial Authorisations to produce intelligence on Australian persons
Director’s approvals and post activity reporting
AGO’s compliance with the AGO Privacy Rules
AGO’s access to sensitive financial information, which is discussed later in the report.
IGIS officers received briefings from AGO teams in Canberra, which gave IGIS a better understanding of the agency’s functions and made it better equipped to identify emerging issues. These briefings also assisted IGIS to enhance relationships with AGO and to pursue issues observed during inspections.
The Inspector-General had three meetings with the Director of AGO during the reporting period. Among other matters the meetings discussed key issues and arrangements for oversight. Based on inspection and review activities, IGIS is satisfied that AGO met the majority of its statutory obligations under the IS Act during the 2019–20 reporting period. IGIS is also satisfied that AGO continues to enhance its systems and processes to encourage compliance with legislation and internal procedures.
MINISTERIAL AUTHORISATIONS TO PRODUCE INTELLIGENCE ON AUSTRALIAN PERSONS The IS Act requires AGO to obtain authorisation from the Minister for Defence before conducting certain activities, including the production of intelligence on an Australian person. This authorisation is ordinarily requested in conjunction with ASD. During 2019–20, IGIS officers reviewed a majority of the Ministerial Authorisation applications made by AGO. During the reporting period, AGO proactively reported one instance where it produced an intelligence product that included information relating to an Australian person, without obtaining a Ministerial Authorisation. IGIS officers reviewed this matter and the Inspector-General agreed with AGO’s assessment that the incident did not comply with s 9 and s 15 of the IS Act. The Inspector-General was satisfied with the remedial action AGO took in response to the incident, including informing the Minister for Defence of the non-compliance. Additionally, AGO implemented measures to mitigate the likelihood of future non-compliance in similar circumstances. IGIS did not identify any other concerns relating to AGO’s applications for Ministerial Authorisation, renewals, or circumstances in which AGO sought to cancel an authorisation.
DIRECTOR’S APPROVALS AND POST ACTIVITY REPORTING The Minister for Defence requires the Director of AGO to approve AGO activities intended to produce geospatial or imagery intelligence on a person or body corporate in Australian territory or subject to Australian jurisdiction, unless the activity is one for which AGO must seek Ministerial Authorisation. The Director of AGO is also required to provide the Minister with quarterly reports on the activities conducted in accordance with such approval. The accuracy of these and other reports provided to the Minister for Defence were reviewed by IGIS during the reporting period and no issues were identified. At the conclusion of approved activities, AGO officers prepare a post-activity compliance report for the Director, which IGIS examines. During 2019–20, no significant issues with these reports were identified.
AGO COMPLIANCE WITH PRIVACY RULES The Minister for Defence issues written rules (Privacy Rules) to regulate AGO’s communication and retention of intelligence information concerning Australian persons. During the 2019–20 reporting period, IGIS conducted an in-depth inspection to review AGO’s application of the Privacy Rules, using a sample of AGO products published between July 2018 and October 2019. IGIS officers identified 16 products where a privacy rule was not correctly applied. It should be noted that in these instances the information would have met the requirements of the Privacy Rules had they been applied. IGIS, in cooperation with AGO, identified the factors that led to the non-compliance, and AGO subsequently took remedial action to make future recurrence less likely. This included implementing compliance checklists, additional training, and specific prompts in approval templates, which will assist in preventing similar non-compliance. IGIS is satisfied with AGO’s remedial actions. Additionally, IGIS identified five products produced under a Director’s approval where a privacy rule was not applied. AGO found that this non-compliance resulted from a misunderstanding within a particular team about the application of the rules, and subsequently provided additional training and compliance support to the team. IGIS is satisfied that AGO took appropriate actions to address the non-compliance.
AUSTRALIAN HYDROGRAPHIC OFFICE In October 2017, the AHO functions were transferred from the Royal Australian Navy to AGO. This transfer meant that IGIS assumed oversight of the functions of the AHO in relation to any intelligence collection or application of the AGO Privacy Rules. The AHO has fully incorporated IS Act requirements into its daily workflows and has received relevant compliance training. However, due to current differences in task tracking and recording in separate systems, IGIS has not yet reviewed any AHO products. In the 2019–20 reporting period, IGIS was unable to conduct planned outreach and inspection activities at the Wollongong site due to the COVID-19 restrictions. Pending the finalisation of infrastructure upgrades at the Wollongong site, IGIS officers will conduct outreach and inspection activities during the 2020–21 reporting period. Given the nature of AHO work, IGIS assesses that the risk of non-compliance is low.
INSPECTION OF DIO ACTIVITIES DIO is part of the Department of Defence and is mandated to support:
the planning and conduct of ADF operations
Defence Organisation policy, planning and decision-making
the development and sustainment of Defence capability
wider government planning and decision-making on defence and national security issues.
DIO is not subject to direction in regard to the judgments in its intelligence assessments. To fulfil its role, DIO is mandated to provide:
assessment, advice and services to support the planning, command and conduct of current and potential operations by the ADF
timely assessments of countries and foreign organisations relevant to Australia’s security strategic environment, including technical assessment of weapons systems, cyber threats and defence-related technologies
specialist advice to support whole-of-government strategies, including to counter proliferation and combat terrorism.
Given its lower risk profile as an assessment agency, in comparison with a collection agency, inspections of DIO are less frequent. IGIS focused its inspection resources on the key areas of legality and propriety risks for DIO.
Oversight of DIO activities is facilitated by strong working relationships with DIO’s Governance Team, and IGIS access to required information and systems. In the 2019–20 reporting period, IGIS conducted inspections of DIO’s compliance with the Guidelines to Protect the Privacy of Australian Persons (Privacy Guidelines). IGIS officers also reviewed DIO’s access to sensitive financial information from AUSTRAC, which is discussed later in this report.
In addition to these inspection activities, IGIS officers attended relevant compliance and analytical training facilitated by DIO, and monitored the percentage of DIO personnel that have completed mandatory compliance training requirements. DIO personnel proactively briefed IGIS about new activities and capabilities; this is of valuable assistance to IGIS’s understanding of DIO’s operating environment.
In the reporting period, the Inspector-General and senior IGIS officers met with DIO senior leaders to discuss key issues and arrangements for oversight. Additionally, the Inspector-General conducted an outreach session to DIO officers covering the role and functions of the Inspector-General, and IGIS’s approach to the performance of its functions.
In the reporting period, restrictions relevant to the COVID-19 pandemic compromised the ability for IGIS to conduct inspections and reviews at DIO. A planned analytical integrity inspection was not able to be conducted due to this restricted access and is now planned for 2020–21.
COMPLIANCE WITH DIO’S PRIVACY GUIDELINES IGIS reviewed DIO’s compliance with the Privacy Guidelines once during the reporting period. The second inspection for the reporting period was not undertaken due to COVID-19 restrictions; this inspection is now scheduled for the 2020–21 reporting period. The Privacy Guidelines, which are available on the DIO website, are similar to the privacy rules established under s 15 of the IS Act for ASIS, ASD and AGO. They allow DIO to perform its role while respecting the privacy of Australians. IGIS did not identify any significant issues or concerns in this reporting period, and there was no evidence that DIO failed to comply with the Privacy Guidelines.
CROSS-AGENCY MATTERS During the reporting period, IGIS conducted inspections that covered activities common to a number of agencies.
USE OF ASSUMED IDENTITIES Part IAC of the Crimes Act 1914 and corresponding State and Territory laws enable ASIO, ASIS and ONI officers to create and use assumed identities for the purpose of performing their functions. The legislation protects authorised officers from civil and criminal liability where they use an assumed identity in circumstances that would otherwise be considered unlawful. Similarly, the legislation protects the Commonwealth, State and Territory agencies responsible for issuing identity documents in relation to an assumed identity in accordance with the Act.
The legislation also imposes reporting, administration and audit regimes on those agencies using assumed identities. Section 15LG of the Crimes Act 1914 requires ASIO, ASIS and ONI to conduct six monthly audits of assumed identity records and s 15LE requires that each agency provide the Inspector-General with an annual report containing information on the assumed identities created and used during the year. During 2019–20, the Director-General of Security, the Director-General of ASIS and the Director-General of ONI each provided IGIS with a report covering the activities of their respective agencies for the 2018–19 reporting period. There was nothing in the reports to suggest that ASIO, ASIS or ONI were not complying with their legislative responsibilities or which otherwise caused significant concern. Agency reports covering the period 2019–20 will be submitted during 2020–21.
ACCESS TO SENSITIVE FINANCIAL INFORMATION BY INTELLIGENCE AGENCIES The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (AML/CTF Act) provides a legal framework in which designated agencies are able to access and share financial intelligence information created or held by AUSTRAC. All intelligence agencies and IGIS are designated agencies for the purposes of the AML/CTF Act.
IGIS is party to an MOU with AUSTRAC. This MOU records an agreed understanding of IGIS’s role in monitoring agencies’ access to, and use of, AUSTRAC information.
In overseeing the agencies’ use of AUSTRAC information, IGIS officers check that there is a demonstrated intelligence purpose pertinent to the agencies’ functions, that access is appropriately limited, searches are focused, and that information passed to both Australian agencies and foreign intelligence counterparts is correctly authorised. In 2019–20, as it does each year, IGIS prepared a statement summarising compliance monitoring in respect of each of the intelligence agencies concerning their access to, and use of, AUSTRAC information in the preceding financial year and provided this to relevant Ministers and the AUSTRAC Chief Executive Officer.
In the 2019–20 reporting period, IGIS conducted an inspection of ASIS’s 2018–19 records concerning AUSTRAC information, as well as reviewing ASIS’s use of AUSTRAC material during routine inspections. The inspections found that ASIS’s governance and record keeping in relation to AUSTRAC information continued to be effective and there were no instances of non-compliance observed with this material during the period.
Separately, IGIS reviewed the access to, and use and protection of, sensitive financial information by ASD, AGO and DIO in 2018–19. These inspections revealed no instances of non-compliance by these agencies regarding the access to, and use and protection of, AUSTRAC information. ASD, AGO and DIO continued to have limited interaction with AUSTRAC material during the reporting period, and did not access any information directly via online access to AUSTRAC databases. All three agencies have effective procedures in place for handling this information.
IGIS also inspected ASIO’s use of AUSTRAC material during 2018–19. The overall standard of ASIO’s use of AUSTRAC material has improved when compared with previous reporting periods, particularly in its compliance with the dissemination and communication requirements of the AML/CTF Act. The inspection identified record keeping issues relating to policy and procedures, including issues relating to the record keeping requirements set out in the MOU between ASIO and AUSTRAC. ASIO is currently revising internal policies and procedures which, together with increased training for ASIO officers in handling AUSTRAC information and the establishment of a central internal compliance directorate, will assist ASIO to address the deficiencies identified during this period.
COVIDSAFE APP PROJECT On 16 May 2020, Part VIIIA was introduced into the Privacy Act 1988 (Privacy Act); it sets out privacy protections that relate specifically to personal information collection via the COVIDSafe app.
Part VIIIA introduced offences for the collection, use and disclosure of COVIDSafe app data. This new Part has implications for intelligence agencies under the jurisdiction of the Inspector-General, in particular in respect of the incidental collection of COVIDSafe app data amongst lawfully intercepted material. Part VIIIA provides exceptions to certain offences that relate to incidental collection of COVIDSafe app data during the collection of other data under a warrant. No offence is committed if the COVIDSafe app data is deleted as soon as practicable after the agency becomes aware that it has been collected, and that it has otherwise not been used, accessed or disclosed after it has been collected.
A project was established within IGIS that aims to identify those agencies under the Inspector-General’s jurisdiction that are most likely to be at risk of incidentally collecting COVIDSafe app data, and to determine if these agencies are taking the necessary steps to comply with Part VIIIA of the Privacy Act.
Given the intersecting areas of oversight that Part VIIIA creates, this project is being undertaken in cooperation with the Office of the Australian Information Commissioner (OAIC). The OAIC is the agency responsible for compliance with the Privacy Act, and also regulation of the COVIDSafe app. An unclassified report will be shared with the OAIC at the completion of the initial assurance activities undertaken by IGIS which will allow for completion of their obligations under the Privacy Act to be satisfied.
Inspection activities of intelligence agencies under the Inspector-General’s jurisdiction related to the project is planned to continue until use of the COVIDSafe app is discontinued by government and all related COVIDSafe app data is deleted.
ACTIVITIES RELATING TO ACIC, AFP, AUSTRAC AND THE DEPARTMENT OF HOME AFFAIRS
PROPOSED EXPANSION OF IGIS ROLE The 2017 Independent Intelligence Review recommended far-reaching changes to Australia’s intelligence bodies. One recommendation of that Review is that the jurisdiction of the Inspector-General be expanded to include the intelligence functions of the ACIC, AFP, AUSTRAC and the Department of Home Affairs. While the final form and timing of any expanded jurisdiction remains a matter for the Government and Parliament, IGIS has continued to build the relationships and understanding of the activities of these four agencies, and is developing interim inspection plans accordingly.
OUTREACH During 2019–20, IGIS continued to engage with key contacts and senior managers within the ACIC, AFP, AUSTRAC, and the Department of Home Affairs, to assist in obtaining an in-depth understanding of the intelligence activities of each of these agencies and how these activities fit within their broader functions. This engagement has included liaison visits, specific operational and capability briefings, observation of inspections by OCO officers and regional visits. Outreach activities have also focused on explaining the role of the Inspector-General and IGIS’s approach to the role. In addition, some IGIS officers have been placed with the agencies to assist in building a detailed and practical understanding of their intelligence functions and the internal policies and procedures that support those functions. The immersive development placement program is discussed further in Objective 6 of this report.
OBJECTIVE 4 – COMPLAINTS AND PUBLIC INTEREST DISCLOSURES
ABOUT COMPLAINTS For practical purposes, communications received by IGIS expressing a grievance are categorised either as ‘contacts’ or ‘complaints’. Contacts are communications raising grievances that fall outside the jurisdiction of the Inspector-General, or which otherwise cannot be progressed for various reasons, including that they are clearly not credible or not intelligible.
IGIS categorises a matter as a complaint if it raises an initially credible allegation of illegal or improper conduct or an abuse of human rights in relation to an action, or alleged action, of an intelligence agency within the jurisdiction of the Inspector-General. Complaints can be made orally or in writing and they may be made anonymously.
Each communication is assessed to determine the most appropriate course of action and whether it falls within the PID scheme. Matters which fall within the PID scheme are managed with the requirements of that scheme. Complaints are usually handled administratively in the first instance. In most cases, complaints and other matters can be resolved quickly and efficiently by IGIS officers contacting the relevant agency or reviewing their records. This approach can determine whether a particular matter is within jurisdiction and reduce the procedural burden of an inquiry. Administrative resolution usually gives the complainant a timely response, and information sought from agencies in this way can help the Inspector-General determine whether to conduct an inquiry for more serious or complex matters.
Each person who contacts IGIS with a complaint is given advice about actions taken in response to their concerns and the outcomes, to the extent possible within IGIS security obligations.
QUANTITATIVE PERFORMANCE MEASURES
Figure 2.2: Timeliness of response to complaints
*Total includes weighted averages.
COMPLAINTS ABOUT VISA AND CITIZENSHIP APPLICATIONS The Department of Home Affairs processes visa and citizenship applications. There are occasions when applications will be referred to other government agencies to conduct necessary background checks. When asked to do so by the Department of Home Affairs, ASIO may make a security assessment or provide advice in support of the visa process. IGIS’s role in reviewing ASIO’s conduct is to ensure standards of legality and propriety are met.
Complaints to IGIS about visa and citizenship are almost invariably related to an application taking longer than the applicant anticipated. The last three years of investigating visa and citizenship complaints have revealed no instances of illegality or impropriety in the way ASIO managed the applications. As a result, in March 2020, the Inspector-General changed the way this category of complaint is handled. Each complaint continues to be individually assessed and acknowledged upon receipt. Complaints meeting identified criteria are referred to the inspection team for incorporation in the inspection program. Relevant inspection criteria have been established to ensure the IGIS inspection program identifies any concerns about the legality or propriety of ASIO’s handling of these cases when conducting security assessments and providing advice. The results of inspections are passed to a complaints officer so that any trends or anomalies can be identified. Complex cases which go beyond the usual concerns about processing are considered promptly by inspection team officers, outside the routine inspection program. The inspection team takes responsibility for any further investigation and correspondence relating to a complex case.
In 2019–20, IGIS received 300 complaints about visa or citizenship applications, a notable 60% drop from 2018–19 (Figure 2.3), and more in line with the two preceding years. There was also a reduction in these type of complaints received in the final quarter of 2019–20 (44 complaints compared to the quarterly average of 75). This period coincided with COVID-19 and could reflect global uncertainty and travel restrictions.
Of the 300 visa and citizenship related complaints received, 90% concerned the time taken to finalise visa applications, and 10% concerned citizenship applications (Figure 2.3). Of the complaints about visa processing delays, over two thirds related to visa applications to study or train in Australia while one fifth concerned work related visas (Figure 2.4). One complaint concerned a person in detention, but unlike previous years, there were no complaints lodged in 2019–20 regarding refugee/humanitarian/protection visa applications. There was an 89% reduction on the previous period in complaints about delays in processing citizenship applications, from 283 complaints in 2018–19 to 30 in 2019–20.
After an initial review, twenty five complaints about visa and citizenship matters were assessed as falling outside the jurisdiction of the Inspector-General. Of the 275 complaints within jurisdiction, no instances of illegality or impropriety were identified. IGIS identified only one complaint where a processing error had occurred, and the agency rectified the oversight after it was brought to its attention.
OTHER COMPLAINTS MADE UNDER THE IGIS ACT IGIS received 35 other complaints in the reporting period (excluding PID matters), and four requests for a review of a complaint. One complaint received in 2018–19 was carried into the 2019–20 reporting period, while at the end of 2019–20 three complaints remained open. The average time taken to acknowledge complaints was three business days. IGIS officers responded to 80% of such complaints within five business days, below the performance measure of 90%. In three of the seven complaints affected by a delay in acknowledgement, the delay was attributed to restrictions implemented in response to COVID-19. Delay in the remaining four cases was attributed to competing priorities and available resources. Four complainants sought a review because they were dissatisfied either with the IGIS officer’s handling of their complaint or with the outcome of their complaint. In each of these cases, a review of all relevant information by a more senior IGIS officer found no reason to take any further action.
Figure 2.6: Breakdown of complaint by agency and allegation 2019–20
Access to records
Breach of privacy
Conflict of interest
Delay – personal security clearance
Detriment arising from agency action
Employment - management action or security related
Employment - recruitment
Warrant – conduct, return of property seized
During the reporting period, IGIS sought agency information related to complaints by speaking with relevant agency staff, reviewing files and undertaking independent searches of agency databases to identify issues of legality or propriety, and where possible, to facilitate a resolution to complaints. IGIS officers have established effective relationships with agency staff which ensures most matters are able to be resolved in a timely manner.
On finalisation, all complainants were given advice regarding the action IGIS had taken in response to their complaints, IGIS consideration of agency briefings and records, and how any concerns were resolved. Where appropriate, complainants were also invited to contact IGIS again if they continued to have concerns relating to their original complaint.
The majority of complaints (28) were about ASIO, while six were about ASIS and one concerned ASD. No complaints were received about AGO, DIO or ONI.
The complaints covered a wide range of matters, including allegations related to:
security assessments for employment
return of property seized under warrant
employment issues including recruitment processes, and management or security related action
detriment arising from agency action.
Eight of the complaints in 2019–2020 were related to delays by ASIO in undertaking an assessment of suitability for an individual to be granted a security clearance for employment purposes. This compares with eleven such cases in the previous reporting period. In several cases, a member of the public had complained more than once. These cases had been with ASIO for some time and had previously been the subject of scrutiny by IGIS.
IGIS sought advice from ASIO on each case and reviewed a sample of relevant ASIO holdings. IGIS considered the eight complaints regarding the time taken by ASIO to complete security assessments, and information gained in previous reporting periods. Based on this, IGIS is satisfied that ASIO’s processing of security assessments for personal security clearances is systematic, with cases prioritised on the basis of any externally-set priorities as well as the age of referrals.
In addition to the above, it should be noted that ASIO conducts thorough assessment of all cases, including giving proper attention to complications, particularly where the circumstances could lead to a prejudicial outcome. No concerns were identified in the reporting period about the legality or propriety of ASIO’s handling of these cases. In cases where complainants held particular concerns about delay, IGIS suggested the complainant seek prioritisation through their employer.
Six complaints about ASIO were broadly classified as alleging detriment arising from agency action. The type of detriment claimed to have been suffered included a breach of privacy, and difficulties in personal circumstances due to inaction or lack of support or the conduct of an officer. IGIS’s response when matters such as these are brought to its attention includes reviewing relevant ASIO records and briefings, and referral to ASIO for it to investigate and consider management action, if appropriate. IGIS identified no illegality or impropriety by ASIO in the matters raised with us in 2019–20.
Five of the complaints were about warrant operations. Four of these concerned property that was either seized or misplaced during the operation. Another made serious claims about the conduct of an operation, including ASIO’s alleged use of force. ASIO has certain obligations regarding any use of force, including reporting its use to IGIS. The complaint was referred to IGIS inspection officers for a search of relevant ASIO records. No illegality or impropriety by ASIO was identified by IGIS. We note that ASIO may conduct warrant operations with assistance from relevant Commonwealth or State police services. Other agencies also conduct their own warrant operations. A complainant may not always identify the correct agency responsible for the issues of concern and for matters outside IGIS jurisdiction the complainant is advised to contact the relevant agency.
COMPLAINT REVIEWS For security reasons it is usually not possible to give complainants a complete picture of how their matters have been handled by the agency concerned and by IGIS. This means advice to complainants is quite general in nature which can be frustrating for them.
Four complainants sought a review of their complaint because they were dissatisfied either with the IGIS officer’s handling of their complaint or with the outcome of their complaint. A more senior IGIS officer reviewed the complaints and no concerns were identified through these reviews. Requests for these reviews largely arose because information could not be provided to complainants.
ABOUT PUBLIC INTEREST DISCLOSURES The PID Act is intended to promote integrity and accountability within the Commonwealth public sector. This includes by encouraging PIDs by public officials, providing appropriate support to disclosers to ensure they are not subject to adverse consequences as a result of their disclosures and ensuring that disclosures by public officials are properly investigated and addressed.
IGIS’S HANDLING OF PUBLIC INTEREST DISCLOSURES IGIS has key responsibilities under the PID scheme, including:
receiving, and where appropriate, investigating disclosures about suspected wrongdoing within the intelligence agencies
assisting current or former public officials who work for, or who previously worked for, the intelligence agencies in relation to the operation of the PID Act
assisting the intelligence agencies in meeting their responsibilities under the PID Act, including through education and awareness activities
overseeing the operation of the PID scheme in the intelligence agencies.
IGIS has 12 authorised officers under the PID scheme in addition to a principal officer (the Inspector-General). These officers are accessible to intelligence agency staff due to their regular attendance at agencies for routine activities such as inspections and briefings. IGIS authorised officers are also contactable via classified email and phone.
Figure 2.8: PIDs by agency and outcome in 2019–20
Number of PIDs
within 5 business days
No evidence to
accordance with 48(1) of the PID Act
IGIS received two PIDs concerning intelligence agencies during the reporting period, continuing a downward trend across the last three periods. No disclosable conduct was reported in relation to IGIS.
Both PIDs raised allegations of maladministration. One concerned allegations that a senior officer interfered in HR related matters. This disclosure was investigated in accordance with the IGIS Act rather than the PID Act to enable use of IGIS inquiry powers if required. No evidence was found to substantiate the claim.
The second concerned allegations of inadequate support to officers in a high risk environment. In accordance with s 48(1)(h) of the PID Act, the Inspector-General exercised her discretion not to investigate the disclosure. The discloser did not want investigation of the disclosure to be pursued, and the Inspector-General was satisfied that there were no matters that warranted investigation.
Separately, in May 2019, IGIS received a PID from a former intelligence agency employee. Following preliminary investigations, in August 2019 the Inspector-General decided to conduct an inquiry under s 8 of the IGIS Act. Although the inquiry was triggered by a PID made under the PID Act, it was decided that the matter would be more appropriately investigated under s 8 of the IGIS Act to enable the use of IGIS inquiry powers if required. The details of this matter are included in the Inquiries section of this report.
OVERSEEING THE OPERATION OF THE PID SCHEME IN THE INTELLIGENCE AGENCIES In accordance with s 44(1A)(b) of the PID Act, intelligence agencies are required to meet certain reporting requirements including by informing IGIS when a PID is allocated for investigation by an intelligence agency.
Agency staff engaged regularly with IGIS to notify when a PID had been received. During the reporting period IGIS was advised of four PIDs received by the intelligence agencies. The agencies advised of the actions taken in each matter, including when the matter was being investigated under a more appropriate legislation. Agencies discussed PID related issues with IGIS, including whether concerns raised by staff reached the PID threshold and regarding investigation decisions.
IGIS also has a role in meeting annual reporting obligations by collecting and collating the intelligence agencies’ responses to the OCO’s annual PID survey. IGIS performs this role to ensure the protection of classified details relating to the intelligence agencies. The results of these are reported in the Ombudsman’s annual report.
OTHER CONTACTS In 2019–20, IGIS also received contacts from approximately 180 individuals seeking advice or expressing concern about matters affecting them that were assessed to be either outside the jurisdiction of the Inspector-General or as not requiring action. This represents around 10% fewer than the previous reporting period, however, as many contacted IGIS on multiple occasions, the impact of the reduction was not noticeable.
When IGIS is contacted about matters it cannot pursue, IGIS officers provide written or oral advice about the Inspector-General’s jurisdiction and alternative action that can be taken to resolve concerns. This includes reference to other complaint-handling bodies, police and the National Security Hotline where appropriate. In cases where there has been previous contact about matters that have already been assessed, IGIS takes no further action unless substantially new and credible information is provided.
OBJECTIVE 5 – INFRASTRUCTURE AND STAKEHOLDERS INFRASTRUCTURE AND GOVERNANCE The Office of the Inspector-General of Intelligence and Security is co-located with the Attorney-General’s Department at 3-5 National Circuit, Barton. These premises and the IGIS ICT systems are accredited and meet all applicable standards.
In mid-2020, the Office implemented its new case management system, and an electronic records management system on the Protected system. The installation of the classified LAN has been delayed. The electronic records management system and case management systems will be installed on the classified LAN in the next reporting period. The case management system has been designed to meet the particular work requirements of IGIS.
The Office continues to be supported by external agencies through MOUs for services including property maintenance, payroll and finance processing, and ICT.
An internal governance review was conducted to design governance arrangements that will suit the increased size of the Office. The recommendations of the review will be implemented through 2020.
LIAISON WITH DOMESTIC ACCOUNTABILITY AND INTEGRITY AGENCIES IGIS regularly liaises with other accountability and integrity agencies in Australia, to discuss matters of mutual interest such as oversight processes, administrative improvements, implementation of legislative changes, and significant developments in relevant domestic and global issues. The Inspector-General also attends the twice yearly Integrity Agencies Group (IAG) meeting which brings together the heads of the integrity agencies and other relevant Commonwealth departments. The purpose of the IAG is to lead coordination, enhancement and promotion of institutional integrity across the Commonwealth.
Recommendations of the 2017 Independent Intelligence Review included that the jurisdiction of the Inspector-General be extended to include the intelligence functions of the ACIC, AFP, AUSTRAC and the Department of Home Affairs. As noted in the 2018–19 annual report, IGIS has engaged with other accountability and integrity agencies on measures to ensure that future changes to oversight processes are complementary and avoid overlap wherever possible. It was reported that agreement-in-principle has been reached and set out in a Statement of Cooperation. The Statement of Cooperation will be finalised following legislation to extend the jurisdiction of the Inspector-General.
AUSTRALIAN COMMISSION FOR LAW ENFORCEMENT INTEGRITY During the reporting period, IGIS continued to strengthen the relationship with ACLEI ahead of proposed changes to the Inspector-General’s jurisdiction. Two IGIS officers completed immersive development placements with ACLEI to enhance understanding of their activities, practices and procedures.
AUSTRALIAN HUMAN RIGHTS COMMISSION The Australian Human Rights Commission is required by s 11(3) of the Australian Human Rights Commission Act 1986 to refer human rights and discrimination matters relating to an act or practice of the intelligence security agencies to the Inspector-General. During 2019–20, no such matters were referred by the Australian Human Rights Commission.
INSPECTOR-GENERAL OF THE AUSTRALIAN DEFENCE FORCE There was continued liaison with the Inspector-General of the ADF in areas of common interest.
OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER IGIS continued to engage with the OAIC in developing a shared understanding of the complementary roles of IGIS and OAIC. As described in Section Two of this report, IGIS has been cooperating with the OAIC to ensure effective oversight of the COVIDSafe app.
OFFICE OF THE COMMONWEALTH OMBUDSMAN During the reporting period, IGIS continued to engage regularly at various levels within the OCO. In the course of this engagement IGIS officers have observed elements of OCO inspections of agencies that are within the scope of the proposed expansion of the Inspector-General’s jurisdiction. In some respects the responsibilities of the OCO and IGIS are complementary; a memorandum of understanding between the two offices provides guidance for handling complaints that fall within the overlapping jurisdiction of each office. During 2019–20, an IGIS officer completed an immersive development placement at OCO.
INTERNATIONAL ENGAGEMENT WITH ACCOUNTABILITY AND INTEGRITY AGENCIES IGIS also liaises with accountability and integrity agencies overseas. This provides opportunities to learn from each other’s practices, to discuss oversight responsibilities in relation to emerging issues, and to keep informed of significant developments in other jurisdictions.
FIVE EYES INTELLIGENCE OVERSIGHT AND REVIEW COUNCIL In 2019–20, the Inspector-General continued her engagement with the FIORC. The FIORC is comprised of the following intelligence oversight, review and security entities of the Five Eyes countries: the Office of the Inspector-General of Intelligence and Security of Australia; the Office of the Intelligence Commissioner and the National Security and Intelligence Review Agency of Canada; the Commissioner of Intelligence Warrants and the Office of the Inspector-General of Intelligence and Security of New Zealand; the Investigatory Powers Commissioner’s Office of the United Kingdom; and the Office of the Inspector General of the Intelligence Community of the United States.
FIORC members exchange views on subjects of mutual interest and concern. They compare best practices in review and oversight methodology; explore areas where cooperation on reviews and the sharing of results is permitted and appropriate. They encourage transparency to the greatest extent possible to enhance public trust, and they maintain contact with political offices, oversight and review committees, and non Five Eyes countries as appropriate. FIORC meets in person at least once each year; in 2019 the meeting took place in the United Kingdom and was attended by the Deputy Inspector-General Mr Jake Blight, Assistant Inspector-General Ms Bronwyn Notzon-Glenn, and a senior IGIS officer.
At the conclusion of the forum, the FIORC agreed to establish working level committees on three topics: automated data processing and AI; methods to mitigate risks of mistreatment from sharing information with foreign entities; and jurisdictional or territorial constraints on the review/oversight activities of FIORC partners that create a gap in coverage over the cumulative activities of the Five Eyes agencies.
In 2019–20, IGIS completed work to support the working committee on methods to mitigate risks of mistreatment from sharing information with foreign entities. This involves considering how intelligence and security agencies may mitigate risks of human rights abuses by foreign entities when agencies share information with these entities, and how to improve coherence across the Five Eyes countries when overseeing agencies for such purposes. IGIS has developed a paper on the legal framework applicable to Australian intelligence and security agencies, policies and procedures, reporting arrangements, and oversight trends observed by IGIS regarding sharing information across borders, and associated safeguards.
In consultation with Australia’s intelligence agencies IGIS is continuing to work towards a set of principles that encapsulates the Inspector-General’s expectations around the passage of information to foreign entities. These principles will reflect Australia’s high standards in relation to the prohibition on torture, cruel or inhuman treatment and punishment, and unlawful killing.
During the 2019–20 reporting period, FIORC also liaised via regular teleconferences to discuss topics of mutual interest or priority. The 2020 FIORC meeting, scheduled to be hosted by New Zealand in October 2020, was cancelled due to the COVID-19 pandemic. Teleconferences have enabled the FIORC members to continue to liaise and progress the work of the three working committees.
INTERNATIONAL INTELLIGENCE OVERSIGHT FORUM Directly before the October 2019 FIORC meeting, the Deputy Inspector-General and a senior IGIS officer attended the International Intelligence Oversight Forum (IIOF) in London. This was the fourth iteration of the conference series which since 2016 has been hosted under the mandate of the Special Rapporteur on the right to privacy.
BILATERAL ENGAGEMENT In August 2019, the Inspector-General met the Canadian Assistant Chief Defence Intelligence at National Defence, Marie-Hélène Chayer. Canadian Defence Intelligence is comparable to DIO. Ms Chayer is responsible for Defence Intelligence policy, oversight and analysis. The meeting covered how the IGIS office operates, in particular how oversight of the Australian Defence intelligence agencies work. Ms Chayer also briefed the Inspector-General on her role and oversight responsibilities, which includes reporting on Defence Intelligence oversight to the Canadian National Security and Intelligence Committee of Parliamentarians.
In January 2020, an IGIS officer travelled to Wellington to meet New Zealand’s acting Inspector-General of Intelligence and Security and her office. The purpose of the visit was to establish working relationships and make preparations for a three-month exchange of officers between the Canberra and Wellington IGIS offices. Discussions covered general office structure and methodologies, proposed work programs for the exchange, and other logistical arrangements. The IGIS officer also conducted an outreach session to relevant Australian personnel based in Wellington. Because of travel restrictions during the COVID-19 pandemic, the exchange program has not taken place during the reporting period.
OBJECTIVE 6 – HIGH-PERFORMING WORKFORCE
OVERVIEW The Office maintains a strategic human resource management plan to ensure it recruits, develops and retains a workforce that effectively supports the Inspector-General in current activities as well as preparing for the anticipated expansion of jurisdiction. In striving to meet its recruitment target, the Office initiated seven recruitment rounds in 2019–20. One of those rounds commenced in late June 2020 and will be completed in 2020–21. From the completed rounds a number of candidates are undergoing relevant pre-employment suitability and security checks. The Office welcomed seven new officers during the reporting period.
In 2019–20, the Office continued its program of internal professional development in job-specific skills and knowledge including recent changes to legislation, complaints handling and security awareness. There were continued opportunities for IGIS officers to attend training courses and seminars relevant to their role as well as special guest presenters at internal training sessions. Also relevant to professional development is the IGIS Enterprise Agreement 2016–2019 which provides a study assistance scheme for employees who pursue studies relevant to the work of the Office.
Eight officers (24%) utilised formal flexible working arrangements in 2019–20. In addition, other officers utilised temporary or adhoc flexible working arrangements with the agreement of their supervisor. The Office adopted work from home arrangements during COVID-19 restrictions in Canberra and in some instances has continued to utilise these arrangements for officers in the high risk category and to provide greater flexibility to officers.
The Office conducts regular staff surveys to seek feedback on the Office’s performance management and training arrangements. In 2019–20, the Office conducted two staff surveys, one on the management of COVID-19 arrangements and the other a productivity pulse survey. The surveys covered matters relevant to communication, workplace flexibility, safety management and support to employees, and professional development.
STAFF PLACEMENTS During 2019–2020, this Office has undertaken immersive development placements with the following Commonwealth Government agencies: ACLEI, ACIC, AFP, AUSTRAC, and the OCO. The arrangements for these placements were agreed in an MOU with each host agency, and further tailored to each individual placement. Placements have primarily been undertaken by newly recruited staff who are in the process of obtaining the security clearance for IGIS roles.
As mentioned earlier, these placements are designed to improve the expertise of this Office ahead of the anticipated expansion of the Inspector-General’s jurisdiction. They also enable the Office to enhance its understanding of the host agencies’ internal policies, procedures and organisational structures. The placements have likewise provided host agencies with an understanding of the organisational structure of this Office and its approach to oversight.
Placements in the ACIC, AFP and AUSTRAC have also improved our understanding of the intelligence functions of those agencies, and developed the skills and capabilities of IGIS officers in relation to those functions. The placement of IGIS officers with other oversight bodies (ACLEI and OCO) has assisted this Office in its work to prepare for the deconfliction of oversight when the expanded jurisdiction commences.