Inspection of ASD activities
In addition to the major inquiry relating to ASD activities conducted during this reporting period, routine IGIS inspections of ASD activities for compliance with the ISA and internal policies and procedures continued. This inspection activity included OIGIS staff directly accessing relevant classified databases and reviewing relevant hardcopy documentation. Inspections of ASD had a particular focus on the potential impact of ASD's intelligence collection activities on the privacy of Australians. For a number of years ASD has had a substantial internal compliance area and OIGIS has, in addition to our own inspections, taken account of advice from the ASD compliance area about the outcomes of their internal compliance processes and investigations.
OIGIS staff have access to each of ASD's ministerial authorisations including the submissions to the Minister for Defence and the underlying information which supports the authorisation. In the reporting period we looked at a significant sample of these authorisations (approximately 75%). IGIS inspections in 2014–15 looked at the adequacy of record keeping, collection activities, internal compliance policy and reports given to the Minister at the end of an authorisation period.
Ministerial authorisations to produce intelligence on an Australian person last for a maximum of six months. Authorisations can only be granted in circumstances where the person is, or is likely to be, involved in one or more of the activities listed in section 9 of the ISA. A large percentage of the authorisations that were granted to ASD in 2014–15 were granted on the basis that the person was, or was likely to be, involved in activities that are, or are likely to be, a threat to security. These authorisations are not granted lightly and significant Commonwealth resources go into seeking the authorisations and collecting intelligence under them to meet high priority requirements. It is not uncommon for intelligence collection requirements to continue for more than six months. In these cases the ministerial authorisation to produce intelligence on the Australian person needs to be renewed. During 2014–15 a number of ministerial authorisations which were identified for renewal lapsed for a period of time between expiring and being renewed. Because ASD and AGO do joint submissions in most cases, both agencies were affected. Legally, intelligence collection activities had to be suspended until a new authorisation was put in place. Administration for the authorisations is managed by ASD. In most cases, it appears the issue was caused by the delayed receipt of information required from another agency and finalising the submission for the minister. The scale of this issue became apparent late in the reporting period. We will continue to review the administrative processes and procedures in place to support ministerial authorisations in the next reporting period.
ASD identified and reported to IGIS on a breach of the ISA that occurred when ASD undertook activity for the purpose of collecting intelligence on an Australian person without the required ministerial authority. ASD's internal compliance area undertook an investigation into this incident. Key points were that:
- ASD had a ministerial authorisation to allow it to collect intelligence on the Australian person. That authorisation expired in mid-July 2014.
- ASD did not cease activities in relation to the individual until nine days later.
- No information was collected or reported during the nine-day period.
- At the time, manual intervention was required to cease the relevant collection; this has now been linked to an automated system, reducing the risk of reoccurrence.
- OIGIS was initially informed of this incident within two days (July 2014) and received the internal investigation report seven weeks later (September 2014).
The ISA requires agencies to report to their minister on the activities that they have conducted under a ministerial authorisation within three months of that authorisation ceasing to have effect. During the reporting period ASD advised that on four occasions they had failed to report within the specified period. Two of these incidents occurred in April 2015 and the internal investigation report had not yet been received from ASD at the time this report was compiled. The remaining two incidents occurred late in the previous reporting period (June 2014) and the internal investigation report into both incidents was received shortly after the end of the current reporting period (July 2014). In the latter instance, ASD identified that a report to the Minister needed to be produced but that no action was taken to prepare such a report within the required timeframe.
In late 2014 the circumstances relevant to an activity conducted under a ministerial authorisation changed in a material way without ASD becoming aware of that change until after its occurrence. Once alerted to these changed circumstances (which were beyond the control of ASD), immediate and appropriate steps were taken to cease the activity. The IGIS was satisfied with the internal investigation of this matter and the remedial actions proposed and taken, including the ongoing technical development of equipment to improve compliance should similar circumstances arise in the future.
During the reporting period a ministerial authorisation was given to ASD in relation to support to a specified activity conducted by the Australian Defence Force. An extended period of time elapsed between the cessation of the Australian Defence Force activity this MA supported and ASD actions to cancel the MA and provide a report to the minister. ASD advised that this was due to uncertainty as to whether further assistance may be required.
Emergency ministerial authorisations
In the first half of the reporting period a situation arose where ASD were advised of a significant emergent threat out of hours and an oral ministerial authorisation for ASD to collect intelligence in relation to an identified Australian person was given. At the time this decision was made, the ISA allowed for the Attorney-General to provide verbal agreement in relation to a threat to security and allowed for certain other ministers to give a ministerial authorisation in writing where the minister responsible for the agency was not reasonably contactable or available. However, the ISA did not at that time provide for the ministerial authorisation itself to be given orally. In this instance the decision was followed up by a written authorisation in the standard format within twenty-four hours. Legislative amendments have now been made to address the practical issues that this situation highlighted, allowing for emergency ministerial authorisations to be given orally by ministers and, in extremely limited circumstances, by agency heads.
A small number of emergency ministerial authorisations have been given to ASD since the legislation was enacted. On each occasion the IGIS was notified promptly and the formal reporting requirements set out in the ISA were complied with. The IGIS was satisfied with the records produced in relation to each event. In two cases an issue was identified with the way that the subject of the authorisation was described but it was clear the minister intended to authorise the proposed operation.
The new provision allowing an agency head to give an authorisation in an emergency when the minister is not available was not used by ASD during the reporting period.
Telecommunications (Interception and Access) Act 1979
At the end of the reporting period there were a small number of internal ASD compliance investigations still ongoing, including two possible breaches of the TIA Act. We continue to monitor these matters.
Protecting the privacy of Australians
In accordance with their obligations, ASD continued to report to IGIS on cases where a presumption of nationality had later been found to be incorrect, and the measures taken to protect the privacy of the Australian person involved.
Two instances have been identified where ASD incorrectly applied the presumption of nationality, resulting in a breach of the privacy rules. In both cases information indicating that the individuals were Australian was available within ASD at the time nationality was assessed but this information was not sufficiently communicated and considered. No intelligence collection activities occurred against Australian persons under the incorrect presumption of nationality. In one case internal ASD processes and procedures were sufficient to identify and rectify the issue in less than thirty-six hours. The other case was identified and remediated in nine days.
ASD undertook an internal review of how these cases occurred and has proposed follow-on actions including the revision of internal policy.
ASD also reported to IGIS on a number of occasions where a presumption of nationality had been made, and was reasonable at the time it was made, but was later overturned by new information. These cases were managed consistently with the privacy rules. The ASD processes in place for reporting to IGIS and informing other intelligence agencies when a presumption of nationality is overturned are sound.