Print this page
Intelligence Services Act and privacy rules
Features of the Act
81. The passage of the Intelligence Services Act 2001, following several years of development, effected a major change in the operational environments of ASIS and DSD.
82. The Act, which came into operation on 29 October 2001:
- converted ASIS into a statutory body, headed by the Director General;
- sets out the functions of ASIS and DSD and the limits on those functions;
- authorises the minister responsible for each agency to issue directions to the agency;
- requires ministerial authorisation for collection activities involving Australians;
- limits the circumstances in which ministers can authorise collection of intelligence on Australians;
- requires the ministers to make rules regulating the communication and retention by the agencies of intelligence information concerning Australian persons; and
- provides for the establishment of a parliamentary oversight committee, the Parliamentary Joint Committee on ASIO, ASIS and DSD.
83. During development of the Intelligence Services Bill 2001 and its passage through the Parliament this office provided considerable input on various policy and legislative drafting issues. I also provided evidence to the Joint Select Committee on the Intelligence Services in its hearings on the bill.
Development of the privacy rules
84. The rules referred to in paragraph 82 were developed in consultation with this office and they took effect at the same time as the Act. The Minister for Foreign Affairs and the Minister for Defence consulted me about the rules, as required by the Act, before their promulgation. The rules are reproduced at Annex 4 to this report.
Ministerial directions
85. The Act provides for the responsible minister to issue written directions to ASIS and DSD. The ministers did so and, as required by the Inspector General of Intelligence and Security Act, provided me with copies. The directions are classified.
Ministerial authorisations initial preparation
86. Before the Act came into operation ASIS and DSD each identified activities for which they would need ministerial authorisations and they submitted these to ministers in time for the authorisations to have effect from the day the Act came into effect.
Ministerial authorisations reporting to ministers
87. The ASIO Act requires that the Director General of Security report to the Attorney General the results of warrant activity at the expiry of the warrant. The Intelligence Services Act, however, does not require DSD or ASIS to report the results of collection activity that their ministers authorise.
88. Shortly after the Act came into effect I suggested that the ministers should receive such reports. Both agency heads agreed to inform their ministers of the results of intelligence collection activity conducted pursuant to authorisations.
Protocols
89. The Intelligence Services Act provides immunity from civil or criminal liability for certain acts done within Australia in support of overseas activity by ASIS or DSD.
90. The Act also provides that the Inspector General may give a certificate relating to whether an act was done in the proper performance of a function of ASIS or DSD. In the event of court proceedings such certificates are evidence of the matter certified.
91. It was necessary, therefore, to establish a system for dealing with any case in which a law enforcement agency receives a claim from a person suspected of a criminal act that it was done in the performance of a function of ASIS or DSD.
92. The draft protocol, developed for discussion with law enforcement authorities, provides a mechanism whereby such claims can be referred to the agency concerned and the Inspector General can decide whether to issue a certificate. The law enforcement authority can then decide how it wishes to proceed.
93. The matter was listed for discussion by police commissioners at their conference in October 2002.
94. During parliamentary hearings on the Intelligence Services Bill there was discussion of the possibility that people might be prosecuted for offences on the basis of secret intelligence but that intelligence information that might assist their case would not be available to the defence.
95. ASIS and DSD, after consultation with this office, agreed to add to end product reports a statement requiring that if prosecution of an Australian person results from the information in a report, the agency responsible for the matter must tell the Inspector General and ASIS or DSD.
Legal advice
96. One of the effects of moving to a regime regulated by the Intelligence Services Act has been the need for ASIS and DSD to obtain legal advice from the Australian Government Solicitor about issues that arise in the implementation of the Act and the privacy rules. Many are common to both agencies.
97. Each agency has sought a large number of such advisings and the Director, DSD and the Director General of ASIS routinely provide copies to this office. In addition, when issues arise that I consider warrant the obtaining of legal advice I recommend that the agency seek it.
98. It has not so far been necessary for me to seek separate legal advice on the activities of ASIS or DSD but I have undertaken to provide copies to the agencies if I do.
99. In accordance with a recommendation of the Tampa inquiry DSD sought to obtain an in house legal adviser. Recruitment was still in progress at the end of the reporting year.
Transition to legislative regime
100. The development of the legislation within government proceeded largely on the basis that the Act should reflect existing practice, although with some modifications.
101. Amendments proposed during debates on the bill, and accepted by the government, tended to widen the gap between the old and new regimes.
102. After the Act came into operation, therefore, it was necessary for ASIS, DSD and the Inspector General to make significant adjustments both to mindset and to ways of doing things.
103. This did not happen automatically or overnight and the process is still continuing.
Operation of the Act in the first eight months ASIS
Ministerial authorisations
104. ASIS has sought authorisations from its minister as required by the minister´s directions. We inspected all authorisations together with associated supporting documentation. It was apparent that the requirements of the Act were being met.
Privacy rules internal controls
105. The rules that operated before the Intelligence Services Act came into effect encouraged a focus on identifying direct references to Australians by name in ASIS reporting. They provided, however, for inclusion of such references if it could be justified against one or more of a range of criteria.
106. The ASIS system for identifying and justifying these references was well developed. It included a centralised quality control mechanism to monitor compliance with the rules and take corrective action where necessary.
107. This system needed some modification following passage of the Intelligence Services Act, both to reflect the more restrictive reporting criteria in the new privacy rules, and also to instil in relevant personnel an understanding that these rules apply to intelligence about Australian persons whether or not they are named.
108. The development of modified systems and guidelines proceeded through the year in consultation with this office. The procedures for the preparation of reports now require officers preparing them to identify instances of reporting intelligence information on Australians and justify the inclusion of the information by reference to one or more of the criteria set out in the privacy rules. If the inclusion of the information cannot be justified under the rules then the report must not proceed with that material in it.
109. The central quality control arrangements have been retained and the personnel concerned are also responsible for preparation, maintenance and presentation of guidelines and training materials.
Privacy rules IGIS monitoring and inspection
110. We have on-line access to most of ASIS´s reporting, which we inspect daily for compliance with the rules. We also regularly review the hardcopy reports that are too sensitive to be placed on line.
111. Based on this we prepare a list of reports that appear to contain intelligence information about Australian persons and are therefore likely to require application of the privacy rules.
112. We visit ASIS headquarters approximately every eight weeks to compare this with ASIS´s own list of reports to which it believes the rules apply. On most occasions they are identical. If there are discrepancies, however, we are able to discuss these and resolve any issues about application of the rules.
113. ASIS also provides a hardcopy version of each report with a cover sheet:
- highlighting the intelligence information in the report that concerns an Australian person;
- identifying the relevant clause of the rules that permits this information to be communicated; and
- explaining how that clause applies in each case.
114. We review the cover sheets and in the vast majority of cases accept the justification for including the intelligence information. Where we do not, we note the cover sheet accordingly and discuss our concerns with a senior ASIS officer. If they are significant I will also raise them with the Director-General.
115. Our inspection visits and monitoring activities brought to light several issues which resulted in correspondence with ASIS.
Privacy rules telephone numbers
116. The inclusion of an Australian telephone number in a report with a relatively wide distribution caused me to write to the Director General suggesting that it would have been preferable not to include it. It would then have been open to an agency that could demonstrate a genuine need to know the number to apply to ASIS for its release under the privacy rules. The Director-General agreed.
117. We identified two similar instances some time later. When I drew these to the Director General´s attention he replied that he had instituted a review of ASIS´s procedures to identify why it had not adopted the agreed approach and that internal guidance would be amended to reflect our views.
Privacy rules excision of names
118. A report named an Australian person who, it was alleged, an overseas political organisation was going to approach for a donation. ASIS justified inclusion of the name on the grounds that the involvement of the Australian person was already public knowledge.
119. Since the person concerned and the wider community appeared to be unaware of the intended approach, it was difficult to see how this information could be construed as being in the public domain.
120. Although there was no difficulty about reporting the allegation I suggested to the Director General that the use of a generic descriptor rather than the name would have been more appropriate. As with the previous case, agencies with a need to know could then provide justification in support of their request.
121. Mere excision of a name is not enough to ensure compliance with the privacy rules. Following an inspection visit in March 2002, I wrote to the Director-General about several reports where names of Australians had been excised, saying that inclusion of any intelligence information about Australian persons needed to be justified under the rules, whether or not they were named.
122. The Director-General said that he intended to advise relevant ASIS staff accordingly.
Privacy rules provision of names to other agencies
123. The rules permit the transmission of intelligence information about Australians in certain restricted circumstances.
124. The existence of a valid reason for transmitting the information, however, does not remove the need for consideration of whether all recipients of the intelligence information need to know the names of the Australian persons concerned.
125. For this reason, in appropriate cases, ASIS does not include the names. An agency needing the name can apply to ASIS for its release.
126. In one such case a requesting agency said it needed the intelligence because it was relevant to preventing or investigating the commission of a serious crime and release could therefore be justified under the rules. It did not, however, provide supporting information.
127. I took the view, supported by legal advice, that ASIS needed sufficient information to enable it to be confident that the agency required it for crime prevention or investigation. I wrote to the Director-General suggesting that the agency in this case should have been asked to provide details of a specific offence, or provision of a relevant Act. ASIS agreed to adopt this approach for the future.
Privacy rules informal reporting
128. The privacy rules do not distinguish between intelligence information provided by way of formal reports and that passed on more informally.
129. While it is unusual, there can be occasions when it is necessary. An ASIS officer might, for example, be involved in inter agency consultations about matters such as people smuggling.130. It has been necessary, therefore, to develop processes for ensuring that intelligence information that is passed on informally does not breach the privacy rules, and also to record instances for inspection by the Inspector General.
Training
131. In addition to development of new guidelines and reporting systems, adaptation to the requirements of the Intelligence Services Act and the privacy rules has required the implementation of training for those involved. I have attended and assisted with course presentation, to explain the role of the Inspector General and our interpretation of the requirements of the Act and the rules.
Operations of the Act the first eight months DSD
Ministerial authorisations approval
132. Government has always set overall collection priorities, but before the Act came into effect it did not become involved in decisions about particular signals intelligence collection targets.
133. If Australian persons were the subject of collection activity the Rules on Sigint and Australian Persons applied. These rules have been described in previous annual reports of the Inspector General. They were administrative guidelines endorsed by government. The Director, DSD was the decision maker under the rules and ministers did not become involved.
134. The Intelligence Services Act, however, requires that the minister authorise any activity undertaken for the specific purpose, or for purposes which include the specific purpose, of producing intelligence on an Australian person who is overseas.
135. DSD has, therefore, needed to develop systems to ensure that, once it forms the intention to conduct such an activity, the Director seeks an authorisation from the Minister for Defence.
136. This involves, as required by the Act, providing sufficient information to satisfy the minister that the strict criteria set out in the Act for such intelligence collection will be met.
137. If the minister is not satisfied, collection cannot take place. DSD may choose to again seek an authorisation, providing further justification, or it may let the matter rest.
138. The requirement for ministerial authorisation can also mean that DSD has to suspend foreign intelligence collection activity under some circumstances.
139. In a case that came to my attention late in the reporting period an agency made an urgent request to DSD to collect certain foreign communications.
140. Several days later the agency wrote supplying further information, from which it appeared that the primary purpose of the request, not revealed at the time of the first request, was to obtain intelligence information on an Australian person.
141. When DSD realised this it ceased collection and sought a ministerial authorisation.
142. It did not appear that meeting the request was in breach of the Act. Any collection occurring in the few hours after DSD knew the purpose of the request and before collection ceased, however, might have been.
143. I therefore recommended that DSD destroy any material collected in this period and cancel any reports based on this material.
144. DSD indicated that in future cases of urgent requests it would seek enough information to enable it to decide whether to seek a ministerial authorisation before beginning collection.
145. DSD may also, during collection of foreign intelligence, unintentionally collect the communications of an Australian person who is engaged in activity that is of legitimate intelligence interest, such as planning a terrorist act.
146. If DSD then decides that it wishes to continue to collect that person´s communications in relation to that activity it will need to have a ministerial authorisation. If the only access it has to that person´s foreign communications is its original collection target, the effect of the legislation is that it must cease that collection activity pending ministerial consideration of the DSD request for authorisation.
Ministerial authorisations time limits
147. Development of systems to ensure that intentional collection of intelligence on Australian persons does not take place without ministerial authorisation has also required development of reliable methods of ensuring that authorised collection ceases on or before the date of expiry of the authorisation.
148. Under the Act, the minister cannot authorise collection of intelligence on an Australian person for a period exceeding six months. Renewed authorisations are subject to the same time limit.
149. The need for development of better systems became apparent as DSD was preparing to seek authorisations to operate from the date of the Act coming into effect.
150. At that time it identified several cases in which time limits imposed by the Director under the previous system had been exceeded. The Director informed me of these immediately and also of measures proposed to prevent a recurrence.
151. In the cases in question, four end product reports had resulted from collection activity undertaken after the expiry of the time limits. Although it was of concern that collection had continued beyond the approved dates, I did not consider that there were serious consequences. There was no breach of the law since the previous system was administrative; the persons concerned were originally, and remained, legitimate intelligence collection targets engaged in serious crime; and the end product reports met criteria for reporting under the rules then in operation.
152. The changed procedures included centralising responsibility for compliance with the Act by creating a position of compliance manager.
153. Further procedural change followed later in the year when it became apparent that there had been another case of failure to discontinue collection, following expiry of a ministerial authorisation after the Australian person concerned was held in custody.
154. In this case most collection activity ceased at the time of expiry but, through oversight, certain facilities were not detasked. No intelligence reports issued and the small amount of material collected was destroyed.
155. In the light of this incident and as the year progressed DSD refined and improved the system in consultation with this office, to the point where the potential for human error has largely been excluded.
156. We will continue, however, to monitor the operation of the system and encourage improvements as necessary. At the close of the year DSD was working towards providing us with on line access to the relevant systems so that we can check compliance from within the office.
Ministerial authorisations cancellation
157. DSD seeks authorisations for the minimum period it believes necessary. There are, however, occasions when there is no need to continue collection even though the authorisation is still in force.
158. The Intelligence Services Act does not require revocation in these circumstances. I suggested, however, that DSD should ask the minister to cancel such authorisations. Initially the Director was concerned that this might create too much paperwork for the minister but later decided to implement a cancellation procedure.
Privacy rules generation of reports
159. The rules that operated before the Intelligence Services Act came into effect encouraged a focus on identifying and eliminating direct references to Australians by name in DSD reporting. The requirement for privacy could be satisfied by removing names and replacing them with references such as ‘a named Australian person’, which DSD almost invariably did.
160. The new privacy rules, by contrast, apply to reporting intelligence information about Australian persons, whether or not the persons are named in the reports.
161. The new requirements have necessitated a change in understanding and also changes in procedures on the part of DSD.
162. The primary procedural change has been the development, at our suggestion, of a computerised failsafe mechanism that prevents issue of a report unless the reporter has assessed that it will not breach the privacy rules. If a report is to contain intelligence information on Australian persons, the reporter must identify the clause of the privacy rules that permits its inclusion.
163. There have also been improvements in recording and central monitoring of such reporting, as well as enhancements to the computer system to provide this office with analytical tools to assist our inspection activities.
164. With considerable input from this office, DSD has revised and improved its written internal guidance to collection and reporting staff on the requirements of the Intelligence Services Act and the privacy rules.
165. Finally, also in collaboration with this office, DSD developed training for all staff involved in intelligence collection and reporting. The training courses, which I or a member of my staff attend and make presentations to, provide staff with intensive exposure to issues that arise or are likely to arise in relation to application of the Intelligence Services Act and the privacy rules.
166. These measures cannot guarantee that there will not be mistakes of judgment, but they will go a long way towards minimising the risk.
Privacy rules provision of names
167. With rare exceptions DSD maintains its previous practice of not naming Australians when it reports intelligence on them.168. It has in place a system whereby agencies wishing to access the names can apply to DSD for their release. The agency seeking access must be able to establish a need to know by reference to its own functions and the provision of sufficient information to enable DSD to be confident that passing on the information does not breach the privacy rules. This requires more than simple citation by the requesting agency of a sub-clause of the rules.
169. DSD has developed a sophisticated system for receiving and responding to these requests and maintains detailed records for inspection by the Inspector General.
170. There were no instances of breaches of the rules by releasing names. In several cases we commended DSD staff for exercising critical judgement as to whether the requests actually fulfilled the criteria set down in clause 3 of the DSD privacy rules, rather than simply accepting the interpretations of the requesting agencies.
171. At the close of the reporting year DSD was developing a consolidated record that will provide this office with on line access to all its decisions on such requests. This will largely replace examination of these records at our regular inspection visits.
Privacy rules informal reporting
172. As noted at paragraph 128, the privacy rules do not distinguish between intelligence information provided by way of formal reports and that passed on more informally.
173. DSD discourages the latter and it is rare, but there can be occasions when it is necessary. A hypothetical example would be if DSD obtained intelligence about an imminent terrorist attack, when a telephone call might be the quickest way of getting the information where it needed to go.
174. It has been necessary, therefore, to develop processes for ensuring that intelligence information that is passed on informally does not breach the privacy rules, and also to record instances for inspection by the Inspector General.
Legislative deficiencies affecting ASIS and DSD
175. From time to time strict application of the Act has produced unintended effects, or the Act does not deal with a situation that desirably it should. At my suggestion ASIS and DSD are keeping records of these problems so that, if necessary, amendments can be proposed at some opportune time.
176. It is sometimes possible to deal with such difficulties by other means. For example, the Act does not require ASIS and DSD to obtain ministerial authorisation to collect intelligence about an Australian person who is in Australia.
177. DSD occasionally needs to collect foreign intelligence about Australians who are in Australia although it may not intercept communications within the Australian domestic telecommunications network.
178. The Minister for Defence therefore issued a direction to DSD requiring it to obtain an authorisation before collecting intelligence on Australian persons who are within Australia.
179. A consequential defect was the lack of any legislative requirement to satisfy the minister, when obtaining such an authorisation, on the range of matters that the Act requires in relation to collection of intelligence about Australian persons who are overseas.
180. Although DSD was dealing with such authorisation requests in the same way as those required by the Act I suggested that there be a ministerial direction requiring it to do so. The Director agreed and an appropriate direction is being prepared in conjunction with the Australian Government Solicitor.
181. The privacy rules require that if ASIS or DSD identifies that it has breached the privacy rules it immediately consult with the Inspector General about appropriate action to protect the privacy of the Australian person.
182. There is, however, no provision for consultation if ASIS or DSD identifies that it has breached the Intelligence Services Act itself.
183. I suggested to both agencies that there should be, and at the close of the reporting period the Australian Government Solicitor was developing advice on how to achieve this.
Summary
184. The Intelligence Services Act and the privacy rules have posed significant administrative and legal challenges for ASIS and DSD. At the start of 2002 2003 there was still much work to do and new problems and issues will undoubtedly emerge. Both agencies, however, have worked hard and effectively at meeting the challenges and are well placed to continue meeting the various accountability and compliance requirements that the legislation imposes.