<-- Return Home...

Part Two: Performance

Outcomes and programs

The 2013-14 Portfolio Budget Statements provided a strategic direction statement with one planned outcome for the Office of the Inspector-General of Intelligence and Security. That outcome was:

Independent assurance for the Prime Minister, senior ministers and Parliament as to whether Australia's intelligence and security agencies act legally and with propriety by inspecting, inquiring into and reporting on their activities.

The key strategies employed to achieve this outcome were:

The single program reflects the small size of the agency and the relatively narrow focus of its activities.

Program deliverables

The program deliverables include:

Performance indicators

The effectiveness of the office is assessed against four key performance indicators. These measures take into account the unique role and functions of the office as a specialised review body:

Agency engagement

I meet regularly with intelligence agency heads and their senior staff to discuss current issues or concerns, and to highlight issues arising from our inspection and inquiry activities. Agencies typically also use these discussions to brief me on emerging risks or potential concerns and how they plan to respond to these challenges.

These discussions enhance my awareness of each intelligence agency's operational environment and also provide a forum to resolve issues informally without the need for extended or time consuming correspondence where appropriate.

Each agency has also established regular points of contact to facilitate our visits and to coordinate our various requirements, while within the OIGIS, designated officers lead interactions with each intelligence agency. The designation of these coordination points does not limit my capacity to speak with anyone else in the organisation when required, and indeed goes a long way to ensuring that our requirements are met in a full and prompt manner. I would like to express my appreciation to our regular points of contact within each agency for assisting the work of my office during the 2013-14 reporting period.

Outreach

Presentations provide an opportunity to explain to staff in the intelligence agencies the role and functions of the office and to discuss matters relating to compliance, professionalism, accountability and ethical conduct. In the reporting period, we delivered a total of 22 presentations. Of these, 13 were to staff in the intelligence agencies, including in regional offices and other sites outside of Canberra, and nine were to external groups.

We maintained our focus on agency leaders, regional operational staff, and officers newly appointed to roles with higher compliance risk. In response to feedback, we increased our discussion of issues identified in recent inquiries and remained open to leading presentations addressing particular issues as necessary. Interaction with staff during these presentations remains strong.

I continued the practice of meeting with ASIS heads of station and ASIO officers before they are posted. This allows me to remind them of the OIGIS's functions and explore specific potential challenges raised by conditions at their post.

In the reporting period I was invited to address several leadership groups outside the intelligence agencies, including the Senior Executive Development Program of the Australian National University's National Security College, the Attorney-General's Department' Talking Heads' Seminar, and the Australian Cyber Security Centre leadership group. In April 2014, I was part of a panel at the Law Society of NSW discussing Privacy in a Digital Age.

The Assistant Inspector-General, Jake Blight, presented once again to the Department of Defence Senior Intelligence Managers' Course, and, in August 2013, to the Australian Research Council's Centre of Excellence in Policing and Security.

Similar presentations are planned for the coming year.

Inquiries

Under the IGIS Act, the IGIS can conduct a formal inquiry into a matter based on a complaint, of the IGlS's own motion, or in response to a ministerial request. The Act establishes certain immunities and protections and provides for the use of strong coercive powers in such inquiries. These include the power to compel the production of information and documents, to enter premises occupied or used by a Commonwealth agency, to issue notices to persons to attend before the IGIS to answer questions relevant to the matter under inquiry, and to administer an oath or affirmation when taking evidence.

When coercive powers are used, the IGIS Act provides protections to people who have given the OIGIS information. Those compelled to give information are protected from any penalty under Commonwealth or Territory law that would ordinarily arise from disclosing that information.

The responsible minister is advised when the IGIS begins an inquiry into a particular agency, and is also advised of any conclusions or recommendations arising from the inquiry. The IGIS also provides opportunities for ministers, agency heads and affected individuals to comment during the course of an inquiry.

During 2013-141 completed three inquiries that were carried over from the previous reporting period. Details of these are set out below. A new inquiry was initiated following on from one of these inquiries and remained open at the end of the reporting period. I will report on my conclusions and recommendations from this inquiry in my annual report for 2014-15.

Inquiry into the attendance of legal representatives at ASIO interviews

The 2012-13 Annual Report noted the progress of an inquiry following a complaint alleging ASIO officers had made arbitrary decisions regarding the attendance of legal representatives at security assessment interviews. My preliminary inquiries identified some inconsistencies between ASIO records and those of the complainant, as well as potential communication issues between ASIO and Immigration.2 Consequently, I decided to initiate an inquiry into the specific complaint, and to matters relating to ASIO interviews more broadly.

In conducting the inquiry, I considered a range of ASIO policy documents and records, including records of interviews other than those in the original complaint, and interviewed a number of ASIO staff. I also obtained statements from several legal representatives who had attended, or attempted to attend, ASIO interviews with their clients.

2 Administrative Arrangement Orders dated 18 September 2013 transferred the relevant functions of the former Department of Immigration and Citizenship to the Department of Immigration and Border Protection. This report uses the shortened form 'Immigration' to refer to both the current and former Departments.

I found that ASIO's internal guidance was both sound and appropriate, and does not preclude the attendance of legal representatives at ASIO interviews. However, ASIO has discretion not to interview a person in the presence of a particular lawyer if it believes the presence of the lawyer would be counterproductive to the conduct of the interview. As such, I concluded that the attendance of legal representatives should be considered on a case-by-case basis, with the default position to allow such attendance.

I found that the attitudes of individual officers, combined with the process established by ASIO and Immigration to arrange interviews, strongly discouraged the attendance of legal representatives. In addition, ASIO differentiated between legal representatives and migration agents, precluding migration agents from attending interviews altogether.

This inquiry led to a number of recommendations. Specifically, ASIO should:

ASIO agreed to these four recommendations.

I also noted in the report that, in my view, visa applicants should be clearly advised that interviews with ASIO are voluntary. A fifth recommendation was made to adjust the current guidance for staff. This recommendation and some supporting text was afforded a national security classification by ASIO and cannot be publicly released. ASIO agreed, in part, to this recommendation.

The inquiry report is classified but a public abridged version is available on the IGIS website.3

At the end of the reporting period ASIO provided advice about the implementation of the recommendations:

Inquiry into the management of the case of Mr E

Last year I commenced an inquiry at the then Prime Minister's request into the way that the Australian Federal Police (AFP), Immigration and ASIO handled the case of a particular Egyptian asylum seeker, 'Mr E', who presented complex security issues and, more generally, the management by Australian government agencies of complex security cases.

3 www.igis.gov.au

The purpose of the inquiry was not to establish whether the identified individual posed a threat to security but rather to look at whether the relevant agencies had, and followed, appropriate procedures to identify, assess and manage any such threat.

I completed this inquiry and provided the report to the Prime Minister in January 2014. The inquiry report is classified but a public abridged version is available on the IGIS website.4

The inquiry found that, although ASIO held information that might have caused it not to clear the individual for community detention, ASIO's security assessment processes at that time did not include consideration of that information. Different areas of ASIO dealt with the potential match to alerts connected to the Interpol red notice and the community detention checks, and the two areas did not communicate effectively with one another.

Immigration lacked awareness of the types of security checks ASIO conducted and it is not clear that relevant ministers received advice about the rigour of the checks. Within ASIO, guidance provided to staff was inadequate. Operational staff misunderstood the intentions of ASIO's senior executive and the process of checks conducted differed from that approved by the ASIO executive.

The inquiry found that Immigration made decisions on detention arrangements without a full appreciation of all relevant information. The AFP gave advice to Immigration over a period of time but there was no formal framework for such advice. Information held by separate parts of Immigration was not shared or interpreted consistently. ASIO provided no information to help Immigration assess or manage any detention risks.

4 www.igis.gov.au

The inquiry also found deficiencies in recordkeeping, particularly in Immigration. Key procedures and arrangements between Immigration and ASIO were not well documented. The report made a number of recommendations, primarily to Immigration. In summary these were:

Significant changes were initiated in ASIO and immigration prior to this case becoming a matter of public discussion. By the time this inquiry was finished, ASIO and Immigration had introduced considerably more robust security checking processes prior to community detention or the issue of bridging visas, and ASIO had published guidance for staff on how to do the checks and escalate and resolve concerns. Immigration had established a team to identify and oversight national security and serious criminality cases.

At the end of the reporting period the agencies advised me of their progress on implementing the inquiry recommendations.

Immigration advised that coordination and collaboration between the Department, ASIO and the AFP had improved significantly. I was provided with details of actions taken and a copy of the Persons of interest placemen t operational procedures document, which guides staff regarding the placement of detainees who are of interest to law enforcement, intelligence and/or other agencies for criminal or national security matters. This document was developed in response to the inquiry recommendations.

ASIO notes that it continues to advise Immigration on significant emerging threat issues through providing adverse security assessments and discussing impending assessments where this would assist Immigration's decision making on detention issues. Where ASIO holds information potentially relevant to Immigration's consideration of a person's overall visa suitability, a qualified visa security assessment may be issued. I was provided with a procedural document relating to security assessments for IMAs for whom Immigration is considering the grant or re-grant of a bridging visa, or for those being placed in community detention. This will provide formal guidance for officers in both agencies for handling referrals which potentially match national security alerts.

The AFP advised that similar subsequent cases have seen the agency implement measures addressing the inquiry's recommendations, including case management meetings to facilitate complete assessment and sharing of all available information among stakeholder agencies.

Overall, all three agencies have made sound progress to strengthen communication and information-sharing between the agencies. Internal policies and procedures have been developed and documented to address the deficiencies highlighted in the inquiry report.

Inquiries into the use of weapons and self-defence techniques in ASIS

In April 2013, I commenced an inquiry into the use of weapons and self-defence techniques in ASIS. The inquiry was finalised in November 2013. The inquiry report is classified but an unclassified executive summary is available on the IGIS website.5

The inquiry noted that overall ASIS had managed the training in and use of weapons and self- defence techniques well. Two breaches of the ISA occurred between 2004 and mid-2013, both involving the discharge of a firearm without appropriate prior approval. However, both incidents occurred within controlled weapons training environments and were not indicative of systemic issues. (I note elsewhere in this report that in the 2013-14 reporting period there were three further, similar breaches of the ISA relating to the unauthorised use of a firearm.)

Two main concerns were identified by the 2013 inquiry. The first was in relation to delays in providing oleoresin capsicum spray and batons to some overseas Stations after this had been approved by the Minister on the basis that the weapons were necessary for the safety of staff. The inquiry found the delays were due primarily to the lack of central governance of weapons policy and procedures in ASIS.

The second concern related to the consumption of alcohol. ASIS policy at the time required that a person with a blood alcohol content above zero must not be issued with or have carriage of a weapon. The inquiry found some staff misunderstanding in relation to this requirement and that ASIS did not have adequate controls in place to provide assurance that there was compliance with this requirement.

Six recommendations were made as a result of the inquiry, most relating to the governance of weapons policy and procedures in ASIS. ASIS accepted all the recommendations and by the end of the reporting period most had been implemented. A number of the recommendations were waiting on the release of revised ASIS Guidelines for the use of weapons and self- defence techniques to be fully implemented. The most significant of these guidelines are in relation to the consumption of alcohol and controls to ensure compliance. Shortly after the end of the reporting period revised Guidelines covering these issues were implemented.

5 www.igis.gov.au

In December 2013 a further more serious incident occurred overseas involving an allegedly inappropriate action by an officer of another Australian government agency towards an ASIS officer. A review of the incident confirmed that ASIS did not yet have adequate controls in place to provide assurance that a person with a blood alcohol content above zero would not be issued with or have carriage of a weapon. While no physical injury resulted, the incident had the potential to cause serious injury. ASIS's investigation of the incident highlighted systemic issues. I was advised by the Director-General of ASIS that the investigation also revealed that there were inaccuracies in the information provided to me during the course of my 2013 inquiry. My review of the ASIS investigation report and interviews indicated other substantial discrepancies.

In June 2014, I initiated a further inquiry into the management of weapons by ASIS in that particular location to examine these issues and related matters and to review the findings of my 2013 inquiry report. Further details of the inquiry will be included in my 2014-15 annual report.

Complaints and contacts

Complaints can be made orally or in writing on matters that relate to the legality and propriety of actions of an intelligence agency.

Each contact made to my office is assessed to determine whether it falls within the functions of my office and what is the most appropriate course of action. Where it is assessed that a complaint justifies further action, it will be handled administratively in the first instance. Since the introduction of the PID scheme, contacts are also assessed to determine whether they should be handled under that scheme.

In most cases complaints and other matters can be resolved quite quickly and efficiently by IGIS staff speaking to the relevant agency or looking at their records. This approach can resolve whether a particular matter is within jurisdiction and reduces the procedural burden of an inquiry when a simple discussion with an agency or a check of records can resolve the matter. Administrative resolution can allow for a timely response to be provided to the complainant. Information provided by agencies in this way can help decide whether to pursue an inquiry for more serious or complex matters.

Notwithstanding how a matter is handled, all persons contacting my office are advised of the actions of my office, and the outcomes, to the extent possible.

Complaints about security assessments for visa applicants

ASIO provides Commonwealth agencies with security assessments relevant to their functions and responsibilities. A visa application to travel to, or remain in, Australia may be referred to ASIO with a request to provide a security assessment. My office does not assess the merits of any particular security assessment, nor do we request a change in the priority of processing of cases, or request that any particular case be expedited. However, where visa applicants have reasonable concerns that an error may have occurred, we examine ASIO's processes.

During 2013-14 we increased our focus on ASIO's handling of visa security assessments because of the significant impact this can have on individuals. This increased focus was achieved through obtaining direct access to ASIO's systems as well as increased liaison with other government stakeholders including Immigration and the Commonwealth Ombudsman.

In cases where the visa application was lodged more than 12 months previously, we examined ASIO's systems to determine whether or not the applicant had been referred to ASIO for a security assessment and, if so, reviewed ASIO's handling of the matter. In each case, we looked at whether ASIO had acted unreasonably or had made a processing error.

My office does not ordinarily advise complainants that they have or have not been the subject of a security assessment by ASIO, unless this has already been confirmed to them by Immigration, or where we have found a significant issue of concern involving ASIO which would justify this office doing so. Where am satisfied that there is no evidence of error by ASIO, my staff will advise complainants of that. While we identify few errors, where we do find ASIO has made an error, we request that the organisation rectify the matter. Where we find that no referral has been made, or that one has been made and finalised, my staff advise the complainant that there is currently no referral with ASIO. We are unable to provide complainants with specific information but indicate three possible explanations: there has been no referral, there has been a referral and it was not required, or there has been a referral and it has been finalised.

ASIO visa security assessment processes

During the reporting period we initiated a new process for investigating visa security assessment complaints. IGIS staff now interrogate ASIO's systems directly for information relating to particular visa security assessments. This process has proven to be an effective way of integrating our complaint and inspection activities. As a result of this new process we identified progress had stalled for up to six months in a small number of visa assessments because they had not been reassigned following the departure of staff from the visa security assessments team. We raised this issue with ASIO, which subsequently reviewed and formalised procedures relating to the allocation of cases in accordance with priorities set by Immigration, and national security considerations.

During the reporting period we have noted improvements in systems, processes and recordkeeping within ASIO. For example, case officers are recording more detailed case notes and reasons for changes in priority and case assignment. My staff can also request information from Immigration, which has proven useful in verifying claims.

Despite the issues we identified, overall I am satisfied that ASIO visa security assessment processes have been appropriate.

Commonwealth Ombudsman

The work of this office complements the work of the Commonwealth Ombudsman who has jurisdiction to investigate matters relating to Immigration. During the reporting period my staff increased engagement with their counterparts in the office of the Commonwealth Ombudsman. This engagement led to discussions of future collaboration and improvements in the flow of information between the two offices. We also refreshed our memorandum of understanding (MOU) with the Commonwealth Ombudsman and revised our online complaints form to allow complainants to consent to the direct transfer of complaints where appropriate.

Referrals from the Australian Human Rights Commission

The Australian Human Rights Commission is required to refer to the IGIS human rights and discrimination matters relating to an act or practice of intelligence and security agencies. In this reporting period the AHRC referred one case concerning ASIO delay in processing security assessments for immigration purposes. Our investigation revealed the individual concerned had not been referred to ASIO for a security assessment.

Other complaints (non visa-related)

The OIGIS registers as a complaint any approach from a member of the public that involves a credible allegation about illegality or impropriety in relation to an action by an intelligence agency. That is, there is a reasonable basis for the person believing that an intelligence agency or one of its employees has done something wrong.

I received seventeen non visa-related complaints in the reporting period. Thirteen complaints were about ASIO, while two related to ASIS and two to DSD. All seventeen complaints were resolved administratively.

Employment-related matters

The IGIS Act (ss. 8(5) and 8(7)) limits the capacity of the IGIS to investigate what might be regarded as individual employment-related grievances within the six intelligence agencies - essentially those relating to promotion, transfer or reduction, termination, discipline, remuneration or other terms and conditions of service.

When a complaint to the office relates to this type of grievance, our usual practice is to refer the matter, at least in the first instance, back to the agency concerned to be addressed through its internal grievance mechanisms or through procedures for reporting alleged breaches of the relevant Code of Conduct (where this is applicable).

The Code of Conduct provisions under the Public Service Act 1999 apply to employees of DIGO, DIO, DSD and ONA, while similar arrangements are separately established by determinations made under the ASIO Act and the ISA for employees of ASIO and ASIS respectively.

Seven of the seventeen non visa-related complaints (41 %) were from current or former employees or agents of intelligence agencies — five were ASIO employees and two worked for ASIS. Complaint issues included the impending loss of a security clearance and consequent loss of employment, workplace culture, and failure to meet contractual obligations. In each case, we examined agency records and met with key personnel.

Investigations into payment of entitlements by ASIS

Two complaints about ASIS were from individuals whose arrangements with ASIS had been terminated. In both cases the individuals believed they had suffered detriment caused by ASIS, including financial detriment because entitlements had not been paid. After reviewing ASIS's records — some stretching over many years — I was satisfied there was no evidence ASIS had not fulfilled its obligations and that the matters did not warrant further inquiry. These cases demonstrate the value of detailed and accurate records in resolving such claims.

Six of the seventeen complaints received were about the conduct of an intelligence agency that was affecting the complainants' employment in sensitive roles outside the intelligence agencies.

Four of these concerned ASIO delay in finalising security assessments for Aviation Security Identification Cards (ASIC) or Maritime Security Identification Cards (MSIC). These cards are issued by the Department of Infrastructure to identify persons who have met the minimum security requirements to work unescorted or unmonitored in a maritime or aviation security zone. A background check is undertaken by AusCheck, a unit of the Attorney-General's Department, and includes checks by ASIO.

The four complaints received about such delays represent a very small fraction (0.002%) of ASIO's annual workload of ASIC and MSIC security assessments, and I am generally satisfied with ASIO's processing arrangements.

I have undertaken to continue to monitor the progress of complex MSIC and ASIC cases.

Other contacts with the office

We were also contacted by over 200 individuals who were seeking advice or expressing concern about matters affecting them that were assessed to be outside the jurisdiction of my office, or as lacking credibility.

In response, we provided written or verbal advice about the jurisdiction of the office and alternative avenues to pursue, including other complaint- handling bodies, the police and the National Security Hotline. In cases where there had been previous contact with my office about matters that had already been assessed, we took no further action.

Statistics on inquiries and complaint matters raised with my office can be found at Annex 1.

Public Interest Disclosure scheme

As mentioned earlier, the PID Act commenced on 15 January 2014. OIGIS has received a number of enquiries concerning the PID scheme, but by 30 June 2014 had received only one disclosure directly that fell within the scheme's parameters.

This disclosure was made in April 2014 by a former intelligence agency employee who raised concerns about an officer in another Australian government agency. In this case, the OIGIS referred the matter to the agency in question for investigation.

OIGIS has been formally advised that six PID cases have been raised and allocated across the six intelligence agencies. Investigations were completed in four of these before the end of the reporting year 2013-14. Cases have mostly involved a range of personnel management matters. One case involved administrative deficiencies in the procurement of external services, and the agency concerned has advised that investigation of this disclosure identified useful refinements to administrative processes.

IGIS role in Freedom of Information and Archives matters

The Freedom of Information Act 1982(FOI Act) sets out various exemptions to the requirement for government agencies to provide documents. One of the exemptions applies to documents affecting national security, defence or international relations. Before deciding that a document is not exempt under this provision the Administrative Appeals Tribunal (AAT) and the Information Commissioner are required to seek evidence from the IGIS. There are equivalent provisions in the Archives Act 1983 for the AAT.

In this reporting period I was called on twice by the Information Commissioner to give evidence in FOI matters. In one case I decided that the matter fell outside of my area of expertise and, on that basis, I declined to give evidence. In the other case I provided evidence on one aspect of the claim being made by the Commonwealth.

I was notified by the AAT of two new Archives cases where I may be required to give evidence. One case was carried over from the previous reporting period. In each of these three cases I undertook the lengthy process of examining documents and preparing evidence. In two of the cases I was ultimately not required to give evidence. In the other case, Fernandes and National Archives of Australia [2014] AATA 180 (2 April 2014), I gave evidence about a number of documents. The Tribunal decided that two parts of one contested document could be released; that decision has been appealed to the Federal Court.

The number of cases referred to me by the Information Commissioner and the AAT is similar to the previous reporting period; however, the size and complexity of the AAT cases meant that more office resources were devoted to the preparation of evidence in 2013-14.

Numbers and trends

Inquiries

During the reporting period, three inquiries that had been carried over were concluded and one inquiry was initiated. This compares to five inquiries initiated in 2012-13.6

Complaints

As noted above, we consider a matter to be a 'complaint' if it concerns a credible allegation about illegality or impropriety in relation to an action of an intelligence agency.

With approaches to the office about non visa- related matters, a straightforward judgement is normally sufficient to determine whether or not the issues raised reach the threshold to be considered as a complaint.

For approaches about visa-related security assessments, we also consider the length of time ASIO has had to respond to a request for a security assessment before determining whether the matter should be treated as a complaint or a contact. Specifically, we consider whether the visa application was submitted more than twelve months earlier or, where an individual has previously approached the office, whether six months have passed since previous inquiries were made. Approaches about visa-related security assessments that do not meet these criteria are described as 'contacts' (see below).

6 The IGIS 2012-13 Annual Report counted complaints resolved through making inquiries of an agency head but without the use of any formal powers as a 'preliminary inquiry'. This is a potentially misleading use of the word 'inquiry' - which in the IGIS Act Is reserved for Division 3 inquiries. These complaints are now included in statistics as complaints handled administratively.

In 2013-14, IGIS received a total of 504 complaints, of which 487 were about visa-related security assessments and 17 were non visa-related (see also Annex 1 Table 1.2).

In 2012-13, IGIS received a total of 375 complaints, of which 361 were about visa-related security assessments and 14 concerned non visa-related matters.

In 2011-12 we received a total of 439 complaints comprising 430 complaints about visa-related security assessments, and 9 non visa-related matters that were treated as complaints.

Complaints about security assessments for visa applicants

The 487 visa security assessment related complaints received in 2013-14 came from a wide variety of individuals. The following table shows a breakdown of visa complaints actioned by my office, by visa type.

2013-14 Complaints by visa type

Visa type Number Percentage
Study 1 0.2
Refugee & humanitarian 12 2.5
IMA 46 9.5
Family 101 20.8
Skilled, business and work 327 67.0

The largest number of complaints came from individuals seeking skilled business and work visas, or family reunion visas. Complaints from irregular maritime arrivals (IMAs) comprised 9.5 per cent of complaints actioned by my office.

Visa-related security assessment complaints have consistently represented 96-98 per cent of all complaints made to IGIS since 2011-12.

The number of complaints about visa-related security assessments has varied but the sample size is small and the number of complaints can depend on unpredictable external factors. If a few migration agents decide to refer all of their clients to our office this will cause a surge in the number of recorded complaints. And changes in the intake of irregular arrivals in one year may affect the number of complaints to our office 12 months later.

No readily discernible factors drove the increased number of visa-related security assessment complaints to my office in 2013-14 compared to the previous reporting period, and I do not regard the year-on-year increase as being statistically relevant or a cause for undue concern.

Although the majority of complaints to our office concern visa-related security assessments, we spend more time per complaint processing non visa-related complaints. This is because visa-related security assessments are predominantly focused on issues of timeliness, while other complaints to our office can and do cover the full range of agency activities which may require more extensive investigation.

Despite this, during the 2013-14 reporting period my office made a number of refinements to our inspection activities in regards to visa security assessment complaints, with a view to improving our understanding of the visa application process at both Immigration and ASIO and focusing on areas of potential concern based on any trends which emerge from our complaints-handling function.

Other complaints (non visa-related)

I received 17 non visa-related complaints in the reporting period. This is comparable to the 14 complaints received in 2012-13. Thirteen complaints in this reporting period were about ASIO, while two related to ASIS and two to DSD. All 17 complaints were resolved administratively.

Contacts

In addition to dealing with complaints, we also respond to people who raise issues we regard as 'contacts' rather than complaints.

These contacts are approaches made to the IGIS which fall outside of the jurisdiction of the office, fall outside of the timelines described above for visa-related security assessments, or do not raise serious and credible concerns about the intelligence agencies. Contacts are handled administratively rather than by means of inquiry or investigation.

Although we maintain a record of all persons who contact our office, figures for the number of contacts we receive are inexact as not all contacts by all persons are recorded due to the administrative burden involved in doing so (for example, some individuals send repeated emails or faxes, or make repeated phone calls to the office).

We received contacts from approximately 200 individuals during the reporting period, all of which we responded to administratively. This is similar to the number of individuals who contacted our office in the previous two reporting periods. No obvious trends are discernible from this data other than that a number of individuals continue to seek reassurance that they are not being targeted by the intelligence community.

Public interest disclosures

As noted above, one PID disclosure was directly received and handled in the reporting period. Six PID complaints were notified to the office as having been received by the intelligence agencies.

Timeliness

Three inquiries were completed during the year. The complexity of the subject matter and the individual circumstances of each inquiry were factors affecting timeliness. The duration of these inquiries ranged from 228 days for an inquiry into ASIS's use of weapons, to 280 days for an inquiry into the actions and interactions of three Commonwealth agencies in the management of an irregular maritime arrival case (see Annex 1 Table 1.1).

The IGIS Act has prescriptive and comprehensive procedural fairness requirements allowing individuals, agency heads and ministers the opportunity to comment on or discuss a report's findings before the report is finalised. This can add some months to an inquiry. For example, the inquiry into the management of the case of the Egyptian IMA involving ASIO, the AFP and immigration commenced in June 2013, initial documents were obtained in July, interviews were largely conducted in August, the report was largely drafted in September and preliminary views provided to agency heads in early October. Following consideration of further submissions and additional documents that were provided, the proposed report was provided to ministers at the end of November inviting them to meet to discuss the report. Following these meetings the final report was provided to the Prime Minister at the end of January.

Complaints of all types were assessed promptly and initial responses were made within two weeks of receipt in all cases, with the average time taken to acknowledge a complaint being two days. Of complaints about visa security assessments that were handled administratively, 88.5 per cent were completed within two weeks of the complaint being received, with the average time taken being nine days. For other complaints, 35 percent were completed within two weeks of the complaint being received, with the average time taken being 55 days. These variations in timeliness reflect differences in the nature of the complaint, with common themes arising in many complaints about visa security assessments compared to the diversity of complex issues that can arise in other complaints.

Effecting change in agencies

Where an inquiry makes recommendations, we ask agencies to indicate whether they accept these recommendations. Where appropriate, we also follow up at the end of the reporting period the progress of outstanding recommendations, including those from previous years. I am pleased with the agencies' high level of acceptance and implementation of my recommendations. The actions taken by the agencies in respect of inquiries completed in the reporting period are described further in the section on inquiries commencing on page 7.

Implementation of recommendations — Analytic independence inquiry of 2012-13

In 2012-13, I conducted an inquiry into the analytic independence of the assessment activities of ASIO, DIO and ONA. While there was no evidence of inappropriate pressure being placed on any of the agencies, the inquiry recommended a number of improvements to policies, procedures and training in ASIO and DIO so that those agencies could consistently demonstrate their assessments are free from interference or bias.

That inquiry recommended DIO and ASIO implement policies to improve the consistency of referencing and recordkeeping in regard to analytical product. The review also identified that ASIO and DIO did not conduct formal reviews of key judgments to see whether there were any lessons that could be learnt from previous analytic work and did not have written policies relating to the management of dissent.

In early 2014, I conducted a review of DIO's implementation of the inquiry's recommendations. This review found that DIO has implemented new policies regarding referencing and recordkeeping. My staff inspected a large sample of DIO's analytic product issued in 2013-14 and found substantial improvements in the use and quality of references. This review also found improvements in the consistency of recordkeeping in product development.

DIO is developing a new intelligence production IT system. Technical problems with the new system have required DIO to delay its introduction until later in 2014. We have looked at the initial functionality of this system and agree with DIO that it is likely to make a sound contribution to further improving DIO's referencing and recordkeeping.

This review also found DIO had implemented new policies regarding key judgment reviews and dissent management. OIGIS staff attended a key judgments review session and found the process productive and robust. DIO had not experienced a major case of dissent under the new dissent management policy, but this review found the policy was likely to be effective.

In mid-2014, I initiated a similar review of ASIO's implementation of the 2012 inquiry's recommendations. This review is expected to be completed by late 2014.

Our inspection and complaint activities also provide opportunities for the office to effect change in the intelligence agencies. Any issues that we identify through inspections and complaints are raised with the agency concerned and, as a result, we have seen a number of changes in agency processes. Some of these changes are described in our highlight stories and elsewhere in this report.

Inspections

Overview of inspection activities

The office regularly examines selected agency records to ensure that the activities of the intelligence agencies comply with the relevant legislative and policy frameworks and to identify issues before there is a need for major remedial action.

These inspections largely focus on the activities of ASIO, ASIS, DIGO and DSD given each of these agencies has access to intrusive powers and investigative techniques.

During 2013-14, inspection teams responsible for oversighting ASIO, ASIS, DIGO and DSD continued to coordinate closely to identify areas of high compliance risk. Inspection activities focused on the management of joint ministerial authorisations made under the ISA, special powers warrants issued to ASIO, information sharing between agencies, systems for communicating information requests between agencies, and recordkeeping.

Inspection activities relating to DIO and ONA are generally limited to ensuring that their assessments comply with administrative privacy guidelines (which have a similar effect to the privacy rules applying to ASIS, DSD and DIGO).

Inspection activities consider whether or not each agency is acting in accordance with its statutory functions, any guidance provided by the responsible minister, and its own internal policies and procedures.

In the reporting period the relatively high inquiry workload resulted in prioritisation of inspections work based on a risk management approach. The oversight of ASIO, ASIS and DSD was maintained but fewer resources were allocated to DIGO, DIO and ONA.

Inspection of ASIO activities

The ASIO Act empowers ASIO to obtain, correlate and evaluate intelligence information relevant to security. ASIO's activities are governed by the ASIO Act as well as the Attorney-General's Guidelines and internal policies and procedures. The Attorney-General's Guidelines require that any means used by ASIO to obtain information must be proportionate to the gravity of the threat and the probability of its occurrence, and inquiries and investigations into individuals or groups should be undertaken using as little intrusion into individual privacy as is possible consistent with the performance of ASIO's functions. Where such intrusions are unavoidable, the distribution of any information obtained should be limited to persons or agencies with a demonstrable 'need to know'.

Human source management

This inspection activity focuses on ensuring the management of ASIO human source operations is both legal and proper. While the details of these inspections are sensitive and cannot be disclosed in a public report, we noted that there was considerable improvement in both recordkeeping and compliance with internal ASIO guidelines during 2013-14 in relation to the management of human sources.

Review of submissions to the Attorney-General

Each quarter my office reviews a range of submissions made by ASIO to the Attorney- General on operational matters. In addition to the other ASIO inspection activities, these reviews are proving useful in obtaining an overview of legality and propriety issues relevant to high risk activities.

Regular inspection of investigative cases

Each month my staff review a sample of ASIO investigative cases to examine:

Our sample selection is oriented to those cases utilising more intrusive investigative methods — for example, cases with warrants approved by the Attorney-General, access to sensitive financial information or prospective data authorisations.

During the reporting period my office sought advice from ASIO on the adequacy of their internal approval procedures for accessing sensitive information from government and non- government agencies. ASIO has advised this issue will be considered in a comprehensive review of their policies and procedures which has recently commenced, and I will be monitoring its progress in this regard.

In one case it was noted that ASIO had provided assistance to a law enforcement agency in response to a request, although that request had not been made by the head of that agency as required under section 19A(2) of the ASIO Act.

Another ongoing focus of my inspections has been to ensure a high standard of recordkeeping and decision making is maintained, particularly that appropriate guidance is provided by authorising officers to more junior staff.

My staff continue to work with ASIO to ensure that the inspection process can provide direct and meaningful feedback to ASIO investigative staff in a timely manner.

ASIO warrants

ASIO can intercept telecommunications and use other intrusive powers following the issue of warrants by the Attorney-General. The authority for telecommunications intercepts is provided by the Telecommunications (Interception and Access) Act 1979 (TIA Act). The ASIO Act authorises other powers including the use of listening devices, searches and computer access.

In 2013-14 we reviewed approximately half of the warrants obtained by ASIO. These inspections occur after the Attorney-General has authorised the warrant and usually after ASIO has completed the operation and reported back to the Attorney- General.

During 2013-14 our inspection program identified four errors in ASIO's execution of warrant powers, each of which constituted a breach of either the ASIO Act or the TIA Act. I also identified a very small number of minor administrative errors, including typographical errors. In all these cases was satisfied that these administrative errors did not impact on the legality or propriety of the warrant, and that appropriate remedial actions were taken.

ASIO continued to self-report proactively during the reporting period. In addition to the breaches identified by my office, ASIO reported three breaches of the TIA Act, and two breaches of the ASIO Act.

While I am generally satisfied by the overall manner in which warrants are processed did identify some additional issues which merit comment.

As noted in previous annual reports, I have a particular interest in ASIO's use of B-Party warrants because of the potential for intrusive collection of material that is not relevant to security. In 2013-14 there was a modest increase in the use of such warrants following a decrease the previous year. This increase was due to a growth in the number of Australians involved in foreign conflicts. Most of these warrants are reviewed by my office. I am currently consulting with the Attorney-General's Department about ASIO's interpretation of the provisions in the TIA that restrict the availability of B-party warrants.

During the reporting period my staff were briefed on ASIO's management of the process of providing a formal report to the Attorney-General on warrants, a requirement under both the ASIO Act and the TIA Act. The reporting regime is generally quite robust, with a number of internal and external oversight mechanisms operating to ensure ASIO complies with its legislative requirements. One area identified for additional focus is the consistency and accuracy of reporting over long-running warrants that are periodically renewed. It is my intention to conduct a 'whole of life' review of a number of long-running and complex warrants and I expect to be able to report on this activity in the next reporting period.

Questioning and detention warrants

No questioning, or questioning and detention warrants were sought by, or issued to, ASIO during the reporting period.

ASIO access to telecommunications locational information or subscriber data

The TIA Act provides the legal authority for a nominated group of ASIO senior managers to authorise collection of prospective and historical telecommunications data from telecommunications carriers or carriage service providers. Prospective data authorisations provide near real-time location and other subscriber information for the period that an authorisation is in force. The threshold that ASIO is required to meet is that access to the data is in connection with the performance by ASIO of its functions. In addition, the Attorney- General's Guidelines state that investigative activities should use as little intrusion into personal privacy as is possible, consistent with the performance of ASIO's functions. A request for access to telecommunications data should only be submitted once less intrusive methods have been attempted, or considered and found to be insufficient. Similarly, the Attorney-General's Guidelines state that authorisation levels for activities should be higher for more intrusive investigative techniques.

ASIO's access to prospective telecommunications data is reviewed as part of our regular inspection program. Due to their intrusive nature, access to prospective and historical telecommunications data are reviewed in a similar manner to telecommunications warrants.

I did not identify any concerns with ASIO's access to prospective and historic telecommunications data. My office's oversight of this particular investigative technique decreased during this reporting period due primarily to changes in our inspection program and the high rate of compliance in this area.

I am satisfied that prospective data authorisations reviewed were endorsed by an appropriate senior officer, and that ASIO has regard to the Attorney- General's Guidelines and is meeting the legislative requirement to only make requests for data in connection with the performance of its functions.

Preservation requests

The Cybercrime Legislation Amendment Act 2012 came into effect in late 2012. This Act amended the TIA Act to provide a new power for ASIO and law enforcement agencies to give notice to telecommunications carriers to require them to retain certain stored communications for up to 90 days while ASIO seeks an appropriate warrant to access those communications. These notices are called Preservation Notices.

While the new legislation refers to both domestic and foreign preservation notices, only domestic notices are relevant to ASIO. These notices can only be used where they 'might assist the Organisation in carrying out its functions of obtaining intelligence relating to security'.

Section 158A of the TIA Act specifically provides that the IGIS has functions in relation to providing assurance of compliance by ASIO in respect of preservation notices.

Throughout the reporting period there was a very small number of such notices raised by ASIO. These activities were reviewed as part of our ongoing inspection program and there were no issues of concern identified in relation to those reviewed.

Access to taxation information

The Taxation Administration Act 1953(s.355- 70; Schedule 1) provides for a taxation officer authorised by the Commissioner of Taxation or delegate to disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO's functions.

This access to sensitive information is further governed by an MOU between the Commissioner of Taxation and the Director-General of Security, the Attorney-General's Guidelines and ASIO's internal guidelines and procedures, ensuring that a request for taxation information can only be made when less intrusive means have been exhausted and not yielded the required information.

ASIO rarely requests access to this type of information. My office reviews all of ASIO's access to sensitive financial information, including:

ASIO reported that no requests had been made to access ATO information in 2013-14.

Exchange of information with foreign liaisons

The ASIO Act provides the authority for ASIO to seek information from, and provide information to, authorities in other countries that is relevant to Australia's security, or the security of the foreign country. ASIO may only cooperate with foreign authorities approved by the Attorney-General. In general, the types of foreign authorities approved by the Attorney-General perform broadly similar functions to ASIO, and include security and intelligence authorities, law enforcement, immigration and border control, and government coordination bodies.

ASIO has internal guidelines that govern the communication of information on Australians and foreign nationals to approved foreign authorities. These guidelines impose an internal framework for assessing and approving the passage of such information. ASIO's internal requirements vary according to the country, based on factors such as ASIO's previous experience dealing with their authorities and how the foreign authorities manage information received, including in relation to human rights issues.

During 2013-14, my office inspected a sample of authorisation documentation and correspondence for such exchanges, both through regular reviews of ASIO investigative cases and through dedicated foreign liaison inspection activities.

My office identified one instance when ASIO communicated information on Australian persons to a non-approved foreign authority responsible for issuing passports for that country. The case raised complex legal issues and at the end of the reporting period I had not formed a final view on whether approval from the Attorney-General was strictly legally required; however, my view is that at east as a matter of propriety and compliance with the intention of the restrictions the matter should have gone to the Attorney-General.

Inspections by my office have also identified cases where ASIO could improve compliance with internal guidelines, particularly in relation to documenting human rights considerations, continue to raise these matters with ASIO.

Access to ASIO's information holdings by staff

Our inspection program includes the regular review of investigative authorities generated by ASIO for its own internal security purposes.

In one case I questioned whether the justification given for the internal security investigation was sufficient or reasonable, having regard to all of the circumstances. In particular I questioned whether it was appropriate for personal information about a member of the public to be passed to an ASIO officer who had expressed concerns that the individual might pose a risk to the officer's own personal safety.

I was advised at the time that all ASIO staff members could access some ASIO holdings to perform checks on individuals, including neighbours and social contacts that might relate to personal security or safety. I expressed concern that ASIO did not have formal processes in place to ensure that personal information in ASIO's holdings about a member of the public could not be released to a staff member or accessed directly by the staff member. In my view, this is out of step with community expectations in respect of privacy.

In response to the concerns I raised, in June 2014 ASIO implemented a new security policy for the use of information holdings within ASIO. The policy emphasises that information holdings within ASIO are only for official purposes and that ASIO staff are not to access ASIO information holdings to obtain information which may be relevant to their personal circumstances. Staff with security concerns should raise this with the relevant area within ASIO, which will conduct the necessary checks.

In my view this is a significant improvement in privacy protection that occurred as a result of concerns raised by this office. I will be monitoring the implementation of this new policy and have requested that ASIO provide details of any post-implementation audits.

Inspection of agencies subject to the Intelligence Services Act 2001

Limits on intelligence agencies' functions

There was media interest in the reporting period about the extent to which the OIGIS could effectively assess whether intelligence agencies act within their functions or otherwise undertake what could generally be regarded as commercial espionage.

The functions of the ISA agencies are set out in sections 6,6B and 7 of the ISA. For example, for ASIS the most relevant functions are to obtain in accordance with the Government's requirements, intelligence about the capabilities, intentions of activities of people or organisations outside Australia; and to communicate in accordance with the Government's requirements, such intelligence. The work of ASIS, DSD and DIGO is guided by the national intelligence priorities, which are reviewed and agreed by the National Security Committee of Cabinet each year.

The ISA also requires that ASIS, DSD and DIGO only perform their functions in the interests of Australia's national security, Australia's foreign relations or Australia's national economic well-being and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.

While I do not conduct particular inspections to determine whether agencies' activities comply with the limits of their functions, we are always mindful of this fundamental question as the case study on page 25 demonstrates. In most cases it is clear how particular intelligence products relate to the national intelligence priorities.

Ministerial authorisations

Any activity to produce intelligence on an Australian person by Australia's foreign intelligence collection agencies requires ministerial authorisation. Ministers may also direct that other activities require prior ministerial approval. In the case of Australian persons who are, or are likely to be, involved in activities that pose a threat to security, the approval of the Attorney- General must also be obtained. In DIGO's case, any intelligence collected over Australian territory requires authorisation by the head of the agency.

Privacy rules

Section 15 of the ISA provides that the ministers responsible for ASIS, DSD and DIGO must make written rules to regulate the communication and retention of intelligence information concerning Australian persons (privacy rules). The term 'Australian person' generally includes citizens, permanent residents and certain companies. These rules regulate the agencies' communication of intelligence information concerning Australian persons to other Australian agencies and to foreign authorities, including to Australia's closest intelligence partners. (Communication to foreign authorities is also subject to additional requirements.)

Privacy rules require that agencies may only retain or communicate information about an Australian person where it is necessary to do so for the proper performance of each agency's legislatively mandated functions, or where the retention or communication is required under another Act.

If a breach of an agency's privacy rules is identified, the agency in question must advise my office of the incident, and the measures taken by the agency to protect the privacy of the Australian person, or Australian persons more generally. Adherence to this reporting requirement provides me with sufficient information upon which to decide whether appropriate remedial action has been taken, or further investigation and reporting back to my office is required.

The presumption of nationality

The privacy rules require that ASIS, DSD and DIGO are to presume that a person located in Australia is an Australian person, and that a person who is located outside of Australia is not an Australian person unless there is evidence to the contrary.

An agency may later overturn an initial presumption of nationality, for example:

If the agency made a reasonable assessment of the nationality status of that person, based on all information which was available at the time, there is no breach of the privacy rules but the case must still be reported to me.

Where a presumption of nationality is later found to be incorrect ASIS, DSD and DIGO must advise my office of this and the measures taken to protect the privacy of the Australian concerned.

Inspection of ASIS activities

Ministerial authorisations

There was a significant improvement in ASIS's compliance with ministerial authorisation requirements during late 2013, compared to 2012-13 when a number of issues had been identified; however, a number of breaches of the ISA in relation to ministerial authorisations occurred in the first half of 2014.

In April 2014 ASIS advised my office of a breach where an ASIS officer collected information by searching the personal property of an Australian person without ministerial authorisation.

Section 10A of the ISA requires the Director- General of ASIS to report to the Minister for Foreign Affairs on the authorised activities within three months of the day on which the relevant authorisation ceased to have effect. There were three breaches of section 10A of the ISA:

My staff also identified one occasion where ASIS failed to inform the minister when the grounds on which an authorisation was issued ceased to exist as required by s.10 (2A) of the ISA.

Protecting the privacy of Australian persons

We meet with ASIS staff every two months to discuss compliance with privacy rules and undertake inspections of ASIS's dissemination of information about Australian persons.

In 2013-14 ASIS reported eight occasions where the presumption of nationality was overturned; that is, information came to light that an individual was actually an Australian person and the privacy rules were applied retrospectively to reporting. On more than one of these occasions there was initial inconsistency between the views of ASIS and DSD on whether a person was an Australian person, I have advised all agencies that it is important that agencies take a consistent approach to the presumption of nationality, to avoid a situation where agencies draw separate conclusions as to the nationality of a particular individual. In seven of these cases the initial presumption of nationality had been reasonable and there was no breach of the privacy rules.

In one instance ASIS had been aware that the person was Australian but this had not been well documented or communicated. This was a breach of the privacy rules. It was subsequently found that there was also a breach of the requirement that ASIS only communicate intelligence in accordance with government requirements and the requirement for ministerial authorisation before taking action to produce intelligence on an Australian person. There is further information on this case below.

CASE STUDY — a breach of the privacy rules and the ISA

In August 2013 ASIS advised me that a March 2013 report had failed to take account of the fact that the individual concerned was an Australian citizen (with dual nationality) and thus the communication breached the privacy rules. At the time, the notification was limited to advice about the communication of intelligence. There was no notification about the collection of intelligence.

When ASIS provided further information about the case in March 2014 I raised concerns as to whether:

ASIS investigated the case further. I received a copy of the final report from the Director-General in June 2014, which confirmed there had been a breach of both section 6(1)(b) and section 8 of the ISA, as well as a breach of the privacy rules. The Director-General directed that remedial action include:

I will monitor the implementation of these actions.

ASIS reported two breaches because the privacy rules were not applied to reporting on a person known to be an Australian person. Inspections by my office identified an additional two breaches where the privacy rules had not been applied. ASIS subsequently amended all four reports and applied the privacy rules retrospectively.

Review of operational files

ASIS activities often involve the use of human sources and ASIS officers are deployed in many countries to support a wide range of activities including counter-terrorism, efforts against people smuggling and support to military operations. These activities are often high-risk and sensitive.

During the reporting period, we reviewed files relating to operational activities in a diverse range of countries where ASIS has a presence.

While the sensitive nature of ASIS's operational activities means that I cannot specifically detail the nature and range of issues arising from these inspections in a public report, I can advise that these reviews are thorough and rigorous and something in which I take a keen personal interest. No significant issues were raised during the reporting period as a result of these inspections.

Authorisations relating to the use of weapons

Schedule 2 of the ISA requires the Director- General of ASIS to provide the IGIS with:

This reporting requirement was met during 2013-14 and I am satisfied that the need for Imited numbers of ASIS staff to have access to weapons for self-defence in order to perform their duties is genuine. I am also satisfied that appropriate controls are in place to limit the circumstances in which weapons may be used for self-defence.

An inspection of records relating to the provision by ASIS of training in the use of self-defence techniques and weapons was conducted in May 2014. It was apparent that governance and recordkeeping improvements implemented in the previous reporting period were proving effective.

The May 2014 inspection confirmed one breach of the ISA, where an ASIS officer who had not been approved for training in or the use of weapons discharged a firearm in a skills maintenance session in March 2014. This incident had already been brought to my attention by ASIS. ASIS reported a further two breaches of the ISA relating to the unapproved use of weapons by ASIS officers during the reporting period: one at a skills maintenance session in September 2013 and one at a firing range in December 2013.

Inspection of DSD activities

OIGIS staff members have access to and ongoing visibility of DSD's activities. We undertake regular inspections on a range of DSD activities, with a particular focus on the privacy of Australians. More generally, staff may inspect any activity undertaken by DSD, with regard to legality and propriety, and whether the activities are consistent with human rights. The legality of any DSD activity is assessed by reference to whether the purpose was consistent with a function of DSD, whether it was within the limits set out in the relevant legislation, and whether the activity had an appropriate level of approval.

DSD can only cooperate with an authority of another country to the extent authorised by the Minister for Defence. These authorising instruments are reviewed by my office.

Ministerial authorisations

During 2013-14, OIGIS staff continued to review all ministerial authorisations presented to the Minister for Defence. Overall, I observed a high level of compliance with authorisations and relevant directions issued to DSD by the minister.

Throughout 2013-14, I continued to monitor records of intelligence collection activities undertaken by DSD under ministerial authorisations. Following the implementation of a number of improved governance and administrative arrangements in DSD in mid- 2013, I observed a significant improvement in the agency's ability to self-identify and appropriately respond to compliance risks during the reporting period.

We also conducted a small number of non- routine spot checks and inspection projects to assess how DSD deals with targets where there is a higher than usual compliance risk. These inspections demonstrated a high level of understanding by DSD staff of legislative requirements and thresholds for undertaking activities under the ISA and the ASIO Act.

In August 2013, I completed a review of an incident which came to my attention in mid-2013, involving a breach of the ISA where intelligence targeting occurred for several days after DSD had determined the target to be an Australian person. While I found no evidence of intentional wrongdoing, my review highlighted a number of compliance concerns in relation to the event and DSD's handling of the matter.

DSD subsequently initiated an investigation into the incident and identified a number of areas for improvement in its internal policy framework and procedures. DSD has kept my office informed of progress on the implementation of revised procedures, and I am satisfied that action taken in response to my original concerns is appropriate.

In January 2014, DSD separately provided to me their final report on a breach of the ISA which occurred during October 2013, where incomplete records had resulted in DSD conducting intelligence collection activity on a person known to be Australian.

During the reporting period I continued to inspect cancellations of ministerial authorisations and non-renewal reports to the Minister for Defence under sections 10 and 10A of the ISA. In September 2013, as part of our regular inspection of DSD activities, I asked DSD to confirm that intelligence collection against several subjects had ceased (as had been advised by DSD to the Minister for Defence). DSD advised that collection against one subject had continued for several months beyond the expiry of the ministerial authorisation, in breach of the requirements specified in the ISA.

This finding in September 2013 contributed to a decision by DSD to consider its quality assurance processes for managing specific types of ministerial authorisations. In late 2013, DSD initiated a thorough retrospective analysis of cancelled or expired ministerial authorisations. This review is discussed below under Legacy incidents: review of ministerial authorisation cancellations and non-renewals.

Protecting the privacy of Australians

In accordance with their obligations, DSD continued to report to me cases where a presumption of nationality had later been found to be incorrect, and the measures taken to protect the privacy of the Australian person, I found the actions taken by DSD in response to incorrect presumptions of nationality occurring during the reporting period, including the timely notification to other intelligence agencies, to be generally appropriate.

In two cases there were breaches of the privacy rules as the presumption of nationality was not applied reasonably by DSD. In both cases, intelligence collection activity occurred against Australian persons in circumstances where DSD already had information indicating that the individuals concerned were Australian persons, but in each case members of staff had failed to make appropriate inquiries of existing DSD records. In addition to these cases being breaches of the presumption rule in the privacy rules, the action taken to produce intelligence on an Australian person was inconsistent with the ministerial authorisation requirement in the ISA.

During 2013-14, I assessed two instances where DSD communicated information about an Australian person not in accordance with the privacy rules. Both incidents resulted from a failure to follow established compliance processes. I am satisfied the remedial action taken in both cases appropriately addressed the privacy of the Australian persons concerned.

The privacy rules and cooperation with signals intelligence partners

DSD works particularly closely with a small number of allied signals intelligence agencies. During the reporting period, DSD reported to me several instances where it had identified that one of these partner agencies had made an incorrect presumption of nationality, and had inadvertently communicated information on an Australian person. I was satisfied that DSD followed up with partner agencies concerning any required remedial action in a timely and appropriate manner.

Inspection project involving DSD

In January 2014, I initiated an inspection project into specific activities of DSD conducted in response to a high-priority collection effort directed by government. The project found a high level of compliance by DSD in relation to:

In a small number of the cases investigated, DSD staff did not consistently follow established recordkeeping requirements. While there was no breach in these cases, I note that a number of compliance incidents involving breaches of the ISA over the previous year had also resulted from a failure to adhere to recordkeeping requirements, thereby constituting a significant compliance risk.

Consistent with routine inspections of DSD, and reviews conducted internally by DSD of compliance incidents, the project findings highlighted the importance of best practice corporate recordkeeping for ensuring high levels of compliance. At the end of the reporting period, DSD advised it was updating a number of compliance frameworks which will help increase staff understanding and minimise compliance risks in similar cases.

Compliance with the Telecommunications (Interception and Access) Act 1979

DSD brought to my attention one case where a DSD officer who was assisting with the execution of a warrant had not been listed as an authorised person for the purpose of exercising the authority of a warrant in respect of a telecommunications service. DSD took remedial action immediately upon learning of the error. I am satisfied that DSD's actions were appropriate and that this error was administrative in nature.

Legacy incidents: review of ministerial authorisation cancellations and non-renewals

DSD conducted a thorough retrospective analysis in late 2013 of cancelled or expired ministerial authorisations, and reported the outcome of this review to me in June 2014. This review reported on three previously identified compliance incidents, and identified a further three instances where intelligence targeting continued beyond the cancellation of the ministerial authorisation during 2011 and 2012.

In all instances, DSD found intelligence targeting continued for periods ranging from several weeks to more than a month beyond the date the ministerial authorisation was cancelled by the Minister for Defence (at DSD's request). DSD assessed that each incident demonstrated a failure by DSD to follow established procedures for the management of cancellations. In June 2014 DSD advised the Minister for Defence about these breaches of the ministerial authorisation requirement under the ISA and the remedial actions which had been taken.

Legacy compliance incidents

Prompted in part by some of the compliance concerns raised by my office, DSD also initiated a full review of their unfinalised compliance reporting records, covering legacy compliance issues raised and addressed since 2011, but not reported to my office.

The findings from the legacy investigations were progressively reported to me in the second half of the 2013-14 reporting period.

Three of the legacy incidents investigated by DSD involved collection against persons already known by DSD to be Australian persons, breaching the requirements of the ISA. These incidents, which occurred between 2010 and 2012, all resulted from a failure by DSD to follow good recordkeeping practices.

While none of these incidents involved any intentional wrongdoing, these incidents were nonetheless of a serious nature.

DSD also reported to me a breach of the ISA which had occurred during 2011 where, due to human error, intelligence targeting against three Australian persons had occurred for less than one day without a ministerial authorisation. As the error was reported by the responsible analyst to DSD's compliance section that day, DSD was able to take immediate remedial action and no communications were collected.

Two legacy incidents from 2012 involved the continued collection on an Australian person after a presumption of nationality had been found to be incorrect, due to a technical error in the collection system. This continued collection was inconsistent with the ministerial authorisation requirements in the ISA. DSD has advised that the collection system in question is no longer in use by DSD, and similar technical problems are unlikely to occur with the current systems in use.

While it is regrettable the legacy incidents were not reported to me sooner, I am pleased DSD has focused on improving staff understanding of compliance requirements, through improved compliance guidance and training for staff. During the first half of 2014, DSD continued to report to me any significant compliance issues as they occurred.

I was also pleased to see that, in most cases, DSD analysts proactively reported incidents to their internal compliance section in a timely and appropriate manner, even where doing so would bring attention to a mistake on their part. This speaks well of DSD's compliance culture.

At the end of the 2013-14 reporting period, DSD was in the process of adding a number of additional safeguards to technical systems as part of overall improvements designed to minimise compliance incidents.

Legacy privacy rules cases

Several of the legacy incidents reported to me during 2013-14 involved overturned presumptions of nationality under the privacy rules. While no issues were identified with DSD's application of the privacy rules in these cases, several of the incidents occurred prior to an amendment to the privacy rules approved by the then Minister for Defence in October 2012, which removed the requirement for DSD to consult with me about the actions taken to protect the privacy of the Australian person concerned. In most cases, however, DSD took appropriate action to protect the privacy of the Australian person at the time the incorrect presumption was first identified.

DSD has implemented a number of changes to internal procedures on reporting under the privacy rules since these incidents. I will continue to monitor DSD's response to compliance incidents over the 2014-15 reporting period through regular inspection activity, and ongoing engagement with DSD staff.

Monitoring DIGO

During 2013-14 we conducted several inspection visits to DIGO, including DIGO's online records of its collection activities. As in past years, this office focused on DIGO's compliance with the terms of each ministerial authorisation issued to the agency by the Minister for Defence, noted the time taken to cancel collection activities when the grounds for the ministerial authorisation had materially changed, and reviewed the accuracy of reports provided to the Minister for Defence following the expiry or cancellation of a ministerial authorisation.

My staff also closely examined the adequacy of DIGO's attempts to determine the nationality of individuals or entities before initiating targeted collection activities (to establish whether or not a ministerial authorisation was required). We also examined the extent of cooperation between DIGO and other intelligence collection agencies when seeking intelligence about the same target or requesting a joint ministerial authorisation.

No significant errors or breaches were identified. Based on these inspection activities, I am confident DIGO takes its statutory obligations under the ISA seriously and has put in place robust systems to encourage compliance.

My staff and I discussed specific compliance issues with the Director DIGO and with relevant DIGO officers at several meetings.

Monitoring DIO and ONA

As has been the practice of this office over many years, we continue to exercise a' light touch' approach to the activities of ONA and DIO. As these agencies do not collect covert intelligence, their activities are far less likely than those of the collection agencies to intrude upon the personal affairs of Australian persons.

We aim to review ONA and DIO's compliance with their privacy guidelines at least twice a year. In 2013-14 we undertook two inspection visits to DIO and one to ONA. A further visit to ONA planned for June 2014 was postponed to the next reporting period due to competing priorities.

These inspections revealed that ONA and DIO are generally compliant with the requirements of their privacy guidelines and that they each take their privacy responsibilities seriously. The few non-compliance issues identified tended to be questions of nuance or administration, rather than whether or not relevant intelligence information about Australian persons or entities should be included in their products.

My staff also engaged with ONA and DIO on wider Australian intelligence community issues and, in the case of the Public Interest Disclosure scheme, to gather information relevant to the Commonwealth Ombudsman.

My office also conducted a review of DIO's implementation of recommendations from a 2012 inquiry examining DIO's analytical integrity. This review activity is covered on page 17.

Cross-agency inspections

Use of assumed identities

Part 1AC of the Crimes Act 1914 and corresponding State and Territory laws enable ASIO and ASIS officers to create and use assumed identities in carrying out their functions. The legislation protects authorised officers from civil and criminal liability where they use an assumed identity in a circumstance that would otherwise be considered unlawful. Similarly, the legislation provides protections to the Commonwealth, State and Territory agencies responsible for providing the evidence of an assumed identity in this context.

The legislation also imposes reporting, administration and audit regimes on those agencies using assumed identities. ASIO and ASIS are required to conduct six-monthly audits of assumed identity records and provide the IGIS with an annual report containing information on the assumed identities created and used during the year. The Director-General of Security and the Director-General of ASIS provided reports covering the activities of their respective agencies for the 2012-13 reporting period. Nothing in the reports caused me concern.

This year, my staff also inspected ASIS's assumed identity records. No issues of concern were identified during the inspection, and I was satisfied that ASIS is complying with Commonwealth, State and Territory legislation. I have asked ASIS to provide me with copies of their internal audit reports in addition to the annual report in future, as is ASIO's current practice. Provision of this additional level of detail will strengthen existing oversight mechanisms.

ASIS advised of a breach of its internal policy in 2014 where equipment was purchased without first obtaining an assumed identity. This was due to a staff member not understanding the requirements. ASIS has put procedures in place to ensure this does not happen again.

Access to sensitive financial information by intelligence agencies

The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (the AML/CTF Act) provides a legal framework in which designated agencies are able to access and share financial intelligence information created or held by the Australian Transaction Reports and Analysis Centre (AUSTRAC). All intelligence agencies and the office of the IGIS are designated agencies for the purposes of the AML/CTF Act.

The IGIS is party to an MOU with AUSTRAC. This MOU establishes an agreed understanding of IGlS's role in monitoring agencies' access to, and use of, AUSTRAC information.

In oversighting the agencies' use of AUSTRAC information, we check that there is a demonstrated intelligence purpose pertinent to the agencies' functions, that access is appropriately limited, searches are focused, and information passed to both Australian agencies and foreign intelligence counterparts is correctly authorised.

ASIO

Early in the reporting period I finalised my annual statement for 2012-13 to the Attorney-General on the outcome of my compliance monitoring activities in ASIO, concerning access to, and use of, AUSTRAC information in the previous reporting period.

I noted that ASIO was not compliant with AUSTRAC's guidelines on the storage of certain AUSTRAC information. ASIO subsequently began negotiations with AUSTRAC to reach a solution and has since been provided with a waiver from the CEO of AUSTRAC in respect of the storage requirements on the condition that ASIO implement internal user access controls to this sensitive information.

During my 2013-14 inspection program, a breach of Section 133(1) of the AML/CTF Act was identified whereby ASIO communicated AUSTRAC information to a foreign intelligence agency without first receiving appropriate undertakings for the protection and use of the information. This breach will be included in my next annual statement to the Attorney-General.

ASIS

Early in the reporting period I finalised my annual statement for 2012-13 to the Minister for Foreign Affairs on the outcome of my compliance monitoring activities in ASIS, concerning access to, and use of, AUSTRAC information in the previous reporting period.

In that annual statement I noted two areas of shortcoming in 2012-13; the first in relation to the accurate receipt of AUSTRAC information within ASIS and the second regarding deficiencies in relation to reporting movements of currency into or out of Australia.

Inspections by my office throughout 2013-14 have indicated that shortcomings by ASIS in relation to recordkeeping have continued and this will be included in my statement to the Foreign Minister. No deficiencies regarding movements of currency into or out of Australia were observed in 2013-14

Summary of IGIS financial performance and resources for outcomes

OIGIS received an unqualified audit report from the Australian National Audit Office for its 2013-14 financial statements. A summary of this office's financial performance can be found on the next page.

The office operated within available resources in 2013-14and ended the year with a surplus of $226 333.

In relation to expenditure, the most significant budget variances consisted of $18 000 allocated for security clearances for ongoing staff members, $13 000 allocated for potential software licences and a $4000 difference in relation to losses on the disposal of assets. Changes in the government bond rate at the end of financial year resulted in a $25 000 downward movement in reported leave liabilities and consequently reduced employee expenses. Also, the original budget anticipated a pay rise from 1 July 2014 for staff. The pay rise, which has not occurred, had been expected to increase the reported leave liabilities at end of financial year by approximately $12 000.

Appropriation funding decreased slightly from $2 180 000 in 2012-13 to $2 179 000 in 2013-14 as a result of savings measures. During 2013-14 significant other revenue was received including $139 000 inquiry funding.

Net equity increased from $1 401 888 in 2012-13 to $1 653 529 in 2013-14. Movements in equity included a $226 333 increase in retained surplus and a $9308 increase in the asset revaluation reserve following an asset revaluation exercise conducted at 30 June 2014. Contributed Equity also increased from $447 000 in 2012-13 to $463 000 in 2013-14. Movements in Contributed Equity included capital funding of $69 000 received offset by a reduction of $53 000 following the repeal of an unspent 2004-05 equity injection.

The following tables can be found in Annex 3:

Table 3.1 - Agency Resource Statement and Resource for Outcomes 2013-14, and

Table 3.2 - Expenses and Resources for Outcome 1.

OIGIS has one outcome and one program.

Trends in finances

Significant changes to the finances of the office during 2013-14 included:

2013–14
OUTCOME 1 $
2012–13
OUTCOME 1 $
Change from
previous year
Revenue from Government 2 179 000 2 180 000 -
Other income 274 548 200 247 +37%
TOTAL INCOME 2 453 548 2 380 247
Employee expenses 1 916 059 2 062 633 -7%
Supplier expenses 270 683 240 583 +12%
Other expenses 40 473 39 608 +2%
TOTAL EXPENSES 2 227 215 2 342 824
OPERATING RESULT 226 333 37 423
Financial assets A 2 437 208 2 106 737 +15%
Non-financial assets B 63 735 89 984 -41%
Liabilities C 847 414 794 833 +6%
NET ASSETS = A+B-C 1 653 529 1 401 888

Annual report navigation