Inspection of ASIO activities
The ASIO Act empowers ASIO to obtain, correlate and evaluate intelligence information relevant to security. ASIO's activities are governed by the ASIO Act as well as the Attorney-General's Guidelines and internal policies and procedures. The Guidelines require that any means used by ASIO to obtain information must be proportionate to the gravity of the threat and the probability of its occurrence, and inquiries and investigations into individuals or groups should be undertaken using as little intrusion into individual privacy as is possible consistent with the performance of ASIO's functions. The Guidelines are available on the ASIO website at www.asio.gov.au.
Regular inspection of investigative cases
Each month we review a sample of ASIO investigative cases to examine:
- the justification and objectives provided for the investigation
- whether the investigative activities that were undertaken or proposed were appropriate
- whether investigations were subject to formal approval and periodic review
- the application of the principle of proportionality (using less intrusive methods where possible and only progressing to increasingly intrusive methods as required).
Sample selection is oriented to those cases utilising more intrusive investigative methods---for example, cases with warrants approved by the Attorney-General, access to sensitive financial information or prospective data authorisations.
Another ongoing focus of inspections has been to ensure a high standard of recordkeeping and decision making is maintained, particularly in regard to appropriate guidance being provided by authorising officers to more junior staff.
During 2014–15, we paid particular attention to ASIO's investigative activities in relation to people under 18 years of age. Although no issues of concern were identified, OIGIS staff have highlighted a requirement for improved record keeping and documenting of decisions in these particularly sensitive cases.
We continue to work with ASIO to ensure that the inspection process can provide direct and meaningful feedback to ASIO investigative staff in a timely manner.
Human source management
This inspection activity focuses on ensuring the management of ASIO human source operations is both legal and proper. While the details of the results of these inspections are sensitive and cannot be disclosed in a public report, no significant concerns were identified in the inspections that were undertaken during the reporting period.
ASIO can intercept telecommunications and use other intrusive powers following the issue of warrants by the Attorney-General. The authority for these is in the Telecommunications (Interception and Access) Act 1979 (TIA Act) and the ASIO Act for other powers including searches, computer access and surveillance devices.
During this reporting period, inspection of ASIO warrants was primarily undertaken as part of the regular inspection of investigative cases, referred to above. This enables review of the warrant documentation and reporting within the context of the broader investigation. Additionally, we inspect a sample of ASIO foreign intelligence collection warrants on a quarterly basis.
During the reporting period, the Parliament passed the National Security Legislation Amendment Act (No. 1) 2014, which made a number of amendments to the warrant provisions in the ASIO Act. These amendments included a new identified person warrant, a new surveillance device warrant that replaced the separate listening and tracking device warrants, and a number of amendments to the computer access warrants and search warrants.
In order to provide close scrutiny of ASIO's use of the new and amended warrants under the ASIO Act, in 2015 we undertook a separate inspection activity to review a sample of relevant ASIO warrants on a quarterly basis.
The new identified person warrants have been and will continue to be a significant focus of this inspection activity. These warrants differ to other ASIO Act warrants as they involve the Attorney-General providing conditional approval for ASIO to use one or more different special powers against the identified person, with a separate authorisation from either the Attorney-General or the Director-General of Security required for the actual use of any of the powers for which conditional approval was provided. As the Director-General is now able to authorise the use of powers that would previously have required the Attorney-General's approval, we consider this merits close scrutiny by our Office. Of the identified person warrants inspected, the majority of authorisations to use specific powers under approved warrants were given by the Director-General.
We have and intend to continue to pay close attention to those warrants that may authorise actions that relate to third parties, such as the ability to use a third party computer or communication in transit to execute a computer access warrant, and gaining entry to a target premises through a third party premises. Another new power given to ASIO in the reporting period was the use of force against persons where necessary and reasonable to do the things specified in the warrant. As discussed further below this is an area that merits particularly close scrutiny.
In the 2014–15 reporting period, approximately half of the warrants obtained by ASIO were reviewed. Our inspection program did not identify any errors in ASIO's execution of warrant powers that constituted a breach of either the ASIO Act or the TIA Act. A small number of administrative errors, including typographical errors, were identified. In all these cases these errors did not impact on the legality or propriety of the warrant. Remedial actions were taken by ASIO once the administrative errors were identified.
ASIO continued to proactively self-report in relation to breaches or errors in execution of warrant powers. ASIO reported two breaches of the TIA Act and one breach of the ASIO Act:
- One breach occurred when a testing activity resulted in the incorrect connection and interception of a telecommunications service. No communications were intercepted or recorded as a result of this error, which was identified seven minutes after the connection had been actioned. ASIO has established more stringent procedures and advice for staff to ensure a similar error does not occur.
- The second breach was due to a fault of an interception system installed at a telecommunications service provider. This fault resulted in the delivery of non-warranted data to ASIO. ASIO immediately quarantined all data received from the provider and is working to identify the warranted data and purge the non-warranted data. ASIO has appropriately prioritised the significant work required to manage this breach. The provider has replaced its interception system and testing has confirmed that this error does not occur with the new system.
- The third breach occurred when data was collected from a computer that was not specified in the computer access warrant. The Inspector-General was satisfied with ASIO's explanation of how this occurred and with the remedial action taken, which included prompt action to cease collection and deletion of the small amount of data that had been collected.
While generally satisfied by the overall manner in which warrants are processed, the Inspector-General did identify some additional issues which merit comment.
As noted in previous annual reports, the IGIS has a particular interest in ASIO's use of B-party warrants because of the potential for intrusive collection of material that is not relevant to security.
B-party warrants were introduced in the TIA Act in 2006. They provide that ASIO may intercept a telecommunications service that is likely to be used by another person not of security interest to communicate with a person of security interest. B-party warrants can only be used for a maximum of three months compared to other interception warrants which can last for six months. B-party warrants can only be issued if ASIO has exhausted all other practicable means of identifying the telecommunications used or likely to be used by the person of security interest or if the interception of communications made to or from a telecommunications service likely to be used by the person would not otherwise be possible. When introduced, the then Attorney-General in his second reading speech referred to B-party warrants being used 'as a last resort' to address the use of 'evasion techniques' that would otherwise frustrate interception.
As noted in last year's Annual Report, the IGIS has been consulting with the Attorney-General's Department about ASIO's interpretation of the provisions in the TIA Act that restrict the availability of B-party warrants. This issue has not yet been resolved.
Foreign intelligence collection warrant review
In 2012, we reviewed the Australian intelligence community's processes for submitting foreign intelligence collection (FIC) warrant requests to the Attorney-General. That review recommended several changes to ASIO processes to aid the Attorney-General's decision to authorise a warrant.
The recommendations aimed to make ASIO's warrant requests and revocations more timely and improve the range of information ASIO provided to the Attorney-General to support the proposed activity.
We conducted a review in mid-2014 of ASIO's FIC warrant files to confirm ASIO's implementation of the recommendations. The review found ASIO had largely implemented the recommendations of the 2012 inspection and had made substantial improvements to the quality and timeliness of information supplied to the Attorney-General in support of FIC warrant requests.
Questioning and detention warrants
No questioning, or questioning and detention warrants were sought by, or issued to, ASIO during the reporting period.
Use of force
During the reporting period the ASIO Act was amended so that warrants issued under that Act must authorise the use of any force against persons or things that is necessary and reasonable to do the things specified in the warrant. As the Inspector-General said in her submission to the PJCIS inquiry into the National Security Legislation Amendment Bill (No. 1) 2014, 'the ASIO Act did not [previously] authorise the use of force against persons in the exercise of a search warrant and that this would therefore be a new power... [and] a proper regime of training and oversight is required.' If force is used against a person in the execution of a warrant under the ASIO Act, ASIO must notify the IGIS and the Minister in writing as soon as practicable after such force is used.
During the reporting period the IGIS received one notification relating to the use of force under an ASIO warrant. The force was exercised by law enforcement officers assisting ASIO in the execution of the warrant. The incident was subject to the usual police internal reporting and review process and there is no indication in the police report that the force was other than reasonable and proportionate for the purpose for which it was exercised.
ASIO provided the IGIS with a verbal briefing on the use of force in that case ten days after the incident, followed by a written notification 12 days after the incident. The IGIS advised ASIO that she expected to be notified of the fact that force has been used in a more prompt manner, noting that a more detailed report of the incident may be provided at a later date. While the ASIO Act does not specify a timeframe, the PJCIS recommended that the IGIS should be notified within 24 hours of any incident in which force is used and get a written report within seven days.
During consideration of the use of force amendment, the PJCIS recommended that the IGIS provide close oversight of the design and execution of training for ASIO officers who may be required to use force during the execution of warrants issued under the ASIO Act.
ASIO anticipates that ASIO officers will only use force in exceptional and urgent circumstances and primarily for self-defence. ASIO recently commenced self-defence training across the Organisation and is looking at developing additional training specifically for officers involved in the execution of warrants. It remains the IGIS's view that while such use of force is expected to be rare and used only in exceptional and urgent circumstances, this does not negate the need for suitable training, if anything it increases the need for regular training.
Special Intelligence Operations
Special intelligence operations (SIOs) are a new power available to ASIO since October 2014. SIOs are similar to law enforcement 'controlled operations'. The Attorney-General may authorise a person to engage in authorised conduct, which would otherwise be unlawful.
The Attorney-General must be satisfied of a number of factors set out in section 35C of the ASIO Act, including that an SIO will assist ASIO in the performance of a special intelligence function; the circumstances are such as to justify the conduct of an SIO; unlawful conduct will be limited to the maximum extent possible and will not induce someone to commit an offence that they did not otherwise intend to commit. The Minister must also be satisfied that such conduct will not cause death or serious injury to any person, constitute torture or involve the commission of a sexual offence against any person, or result in significant loss of or serious damage to property.
SIOs may be authorised for periods of up to 12 months. ASIO is required to notify the IGIS when the Attorney-General approves an SIO, and must report to the Attorney-General and IGIS after six months and at the conclusion of the SIO.
As this is a significant new power, we intend to review each SIO that is authorised by the Attorney-General. ASIO has advised that there are security concerns with disclosing the exact number of SIOs. IGIS staff received relevant documents and attended relevant briefings, and did not identify any issues of legality or propriety.
Access to telecommunications data
The TIA Act provides the authority for a nominated group of ASIO senior managers to authorise collection of prospective and historical telecommunications data from telecommunications carriers or carriage service providers. Prospective data authorisations provide near real-time location and other subscriber information for the period that an authorisation is in force. The legislative threshold that ASIO is required to meet for access to the data is low; it is that the request is 'in connection with the performance by ASIO of its functions'. In addition, the Attorney-General's Guidelines state that investigative activities should be using as little intrusion into personal privacy as is possible, consistent with the performance of ASIO's functions. As such, a request for access to telecommunications data should only be submitted once less intrusive methods have been attempted, or considered and found to be insufficient.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 was enacted in April 2015, with the substantive provisions commencing on 13 October 2015. The scheme will require carriers to retain specified data for at least two years.
ASIO's access to prospective telecommunications data and historical telecommunications data is reviewed as part of our regular inspection of ASIO investigative cases.
Prospective data authorisations reviewed were endorsed by an appropriate senior officer, and demonstrated that ASIO has regard to the Attorney-General's Guidelines and is meeting the legislative requirement to make requests for data only in the performance of its functions.
In a small number of cases, IGIS staff identified errors in compliance with ASIO's internal approval policy for requests for historical telecommunications data, primarily these errors were: not recording the approval of requests or requests not being approved at the appropriate level. ASIO has undertaken to remind its staff of the relevant internal approval requirements.
During the reporting period we also identified a number of cases where requests for access to prospective data used ambiguous wording that did not adequately explain why less intrusive methods of obtaining the information had not been pursued and/or would not be appropriate in the particular case. We raised this with ASIO and were provided with additional context as to why access to prospective data had been sought in those cases, and were satisfied that this was consistent with the Attorney-General's Guidelines. ASIO indicated they would remind staff of the need to clearly document whether less intrusive methods have been considered and explain if they are not likely to be effective in a particular case.
Since late 2012 ASIO and law enforcement agencies have been able to give notice to telecommunications carriers to require them to retain certain stored communications for up to 90 days while ASIO seeks an appropriate warrant to access those communications. These notices are called Preservation Notices, and can only be used where they 'might assist the Organisation in carrying out its functions of obtaining intelligence relating to security'.
Section 158A of the TIA Act specifically provides that the IGIS has functions in relation to providing assurance of compliance by ASIO in respect of preservation notices.
Throughout the reporting period there were a very small number of such notices raised by ASIO. These activities were reviewed as part of our ongoing inspection program and there were no issues of concern identified in relation to those reviewed.
Access to taxation information
Section 355-70 of Schedule 1 to the Taxation Administration Act 1953 provides for a taxation officer authorised by the Commissioner of Taxation or delegate to disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO's functions.
This access to sensitive information is further governed by a MOU between the Commissioner of Taxation and the Director-General of Security, the Attorney-General's Guidelines and ASIO's internal guidelines and procedures, ensuring that a request for taxation information can only be made when less intrusive means have been exhausted and not yielded the required information.
ASIO rarely requests access to this type of information. We review all of ASIO's access to sensitive taxation information, including:
- ASIO requests for information to the ATO
- spontaneous disseminations from the ATO to ASIO
- disseminations of information from ASIO to a law enforcement agency
In 2014–15, ASIO reported that no requests had been made to access ATO information. The ATO made three proactive disclosures to ASIO which will be reviewed in July 2015.
ASIO requests for information from Intelligence Services Act agencies
During the reporting period we finalised an inspection project that was initiated in November 2013 to review ASIO requests for information (RFI) to agencies governed by the Intelligence Services Act 2001 (ISA). The purpose of the project was to provide assurance that ISA agencies were being appropriately informed when requests for information from ASIO related to an Australian person.
During the information gathering phase we identified that while ASD had a robust system for receiving, processing and disseminating RFIs from external agencies, both ASIO and ASIS lacked any form of centralised system of receiving, processing and disseminating RFIs.
Despite this shortcoming, the review was able to conclude that in almost all of the RFIs reviewed, ASIO provided all available information required for ISA agencies to meet their obligations under the ISA. On the single occasion where it was identified that additional information was available but not provided, this omission was based on security grounds.
Relevant agencies were advised that while the Inspector-General was satisfied that ASIO provides sufficient information for ISA agencies to meet their legislative obligations, the introduction of a standard RFI process would improve record keeping, compliance and accountability. It was also suggested RFIs should include a mandatory field to identify whether the subject is an Australian citizen, permanent resident or visa holder to minimise the risk of unauthorised targeting of an Australian person.
ASIO exchange of information with foreign liaison
The ASIO Act provides the authority for ASIO to seek information from, and provide information to, authorities in other countries that is relevant to Australia's security, or the security of the foreign country. ASIO may co-operate with foreign authorities approved by the Attorney-General. In general, the types of foreign authorities that are approved by the Attorney-General perform broadly similar functions to ASIO, and include security and intelligence authorities, law enforcement, immigration and border control, and government coordination bodies.
ASIO has internal guidelines that govern the communication of information on Australians and foreign nationals to approved foreign authorities. These guidelines impose an internal framework for assessing and approving the passage of such information. ASIO's internal requirements vary according to the country, based on factors such as ASIO's previous experience dealing with authorities of that country and how the foreign authorities manage information received, including in relation to human rights issues.
During 2014–15, we inspected a sample of authorisation documentation and correspondence for such exchanges, both through regular reviews of ASIO investigative cases and through dedicated foreign liaison inspection activities.
Inspection activity focused on ASIO's intelligence sharing activities where there may be potential additional risks to an individual as a result of their location. During this reporting period, this has been most often in relation to persons involved with the conflict in Syria or other global hotspots. In the case of this elevated risk, it may be appropriate for ASIO officers to escalate the approval for the liaison to a more senior officer. There were no issues of concern identified in relation to those higher risk intelligence exchanges reviewed.
More generally, inspections have identified some cases where ASIO could improve compliance with internal guidelines, particularly in relation to documenting human rights considerations which should be contemplated before exchanging information with foreign authorities.
Review of submissions to the Attorney-General
Each quarter we review a range of submissions and briefing notes made by ASIO to the Attorney-General on operational matters. In addition to the other ASIO inspection activities, these reviews continue to be useful in obtaining an overview of legality and propriety issues relevant to high risk activities.
Independent Reviewer of Adverse Security Assessments
The role of the Independent Reviewer of Adverse Security Assessments (the Reviewer) is to review ASIO adverse security assessments (ASAs) given to DIBP in relation to people who remain in immigration detention and have been found to engage Australia's protection obligations under international law and not to be eligible for a permanent protection visa or have had their permanent protection visa cancelled. The Reviewer examines all material relied upon by ASIO as well as other relevant material, and forms an opinion on whether the assessment is an appropriate outcome. The Reviewer provides her recommendations to the Director-General of Security who must respond to the Reviewer. The IGIS also receive copies of the Reviewer's reports and recommendations.
In the 2014–15 financial year the Reviewer completed 24 reviews of cases that she had not previously considered. Of these 24 cases:
- in six cases the Reviewer found the initial ASA was and remained appropriate.
- In three cases the Reviewer found the ASA was not appropriate and this resulted in ASIO issuing three non-prejudicial assessments
- In six cases the Reviewer formed the view that the ASA was appropriate at the time it was furnished but was no longer appropriate. This resulted in ASIO issuing four qualified assessments and two non-prejudicial assessments.
- in five cases ASIO furnished new non-prejudicial or qualified assessments after considering new information referred to it by the Reviewer and on the basis of outcomes from ASIO's own investigations. As a result ASIO issued two non-prejudicial and three qualified assessments.
- In two cases the Reviewer formed the view that there were flaws in ASIO's assessment such that she was unable to form a a view as to the appropriateness of the ASA. In each of these cases ASIO subsequently issued a qualified assessment.
- In two cases the Reviewer's review was well advanced when ASIO issued a new assessment and the Reviewer found the new assessment was appropriate. One resulted in a nonprejudicial assessment and the other a qualified assessment.
In addition there were four cases where ASIO revised an adverse or qualified visa security assessment on its own initiative.
We have observed a significant improvement in ASIO's approach to proactively reviewing ASAs for individuals in immigration detention since the work of the Reviewer commenced. The work of the Reviewer has brought focus and resources to bear on these cases. While difficult to measure there also appears to be an increase in the quality of decision making; this is a benefit of external review in combination with other factors.
The terms of reference for the Reviewer provide that eligible ASAs are to be reviewed annually. This regular review process provides assurance that if new information comes to light or if relevant circumstances change then a new assessment can be made.
There are some people subject to ASAs in immigration detention who are not eligible for review by the Reviewer because they have not had their protection claims assessed. In these cases ASIO reviews the assessment when new information of sufficient relevance is provided. The IGIS has received complaints from a small number of people in this situation and has examined their cases – see case study earlier.
ASIO's investigations of issues-motivated groups
During the reporting period we conducted an inspection project to look at ASIO's investigation of Australian issues-motivated groups (IMGs). This inspection did not arise out of any particular complaint or concern, but rather noted that this is an area of consistent public and media interest, and was also particularly relevant in light of the Brisbane G20 summit held in November 2014.
The project found that the overall scale of ASIO's investigation of groups and individuals that may be associated with issues-motivated groups appeared to be reasonable and justified in the context of ASIO's statutory functions and its assessments about risk.
The project found no systemic issues, but made a number of observations in relation to specific cases reviewed and matters of best practice.
The project observed a small number of cases where the IGIS considered that broad statements were made about a person's 'history' of involvement in activities of security concern or 'support for the use of violent protest'. These statements occurred in the context of requests to access information or undertake internally approved investigative activities. The review examined the underlying intelligence base and the IGIS concluded that while there was sufficient justification for the activities undertaken in the relevant cases, it was questionable as to whether the intelligence base did establish a 'history' or clearly indicate the 'support' as described. It is best practice to clearly articulate what is actually known or suspected about the person's activities, rather than making general statements that could potentially suggest a stronger justification for investigative activities. The project also identified inconsistencies in record keeping and documentation of reasons for requests to access certain information and in the descriptors used in some of ASIO's electronic records.
ASIO has advised it will consider those observations to ensure it meets best practice.
ASIO may request the cancellation of an Australian passport under the Australian Passports Act 2005 ('Passports Act') and the Australian Passports Determination 2005 if it suspects on reasonable grounds that the person continuing to hold the passport would be likely to engage in conduct that might prejudice the security of Australia or a foreign country, and the cancellation should occur in order to prevent the person from engaging in the conduct.
During the reporting period we conducted an inspection project to review a sample of ASIO's submissions to the Attorney-General requesting the cancellation of Australian passports held by individuals assessed to be in or intending to travel to Syria or Iraq. The review focused on whether ASIO's use of the existing passport cancellation and refusal powers was consistent with the legislation.
Section 14 of the Passports Act makes a distinction between advice provided by ASIO and advice provided by the Director-General of Security, depending on whether the request concerns circumstances relating to a foreign country or whether it concerns prejudice to Australia's security. The review found that ASIO's advice to the Minister appeared not to make this distinction in relevant cases. In February 2015, ASIO agreed to review its passport cancellation and refusal ministerial submission templates to better reflect the legislative basis for recommendations under the Passport Act. In June 2015, we reviewed an additional sample of ASIO's passport cancellation ministerial submissions and found that ASIO has not yet amended its templates to make a distinction between advice provided by ASIO and advice provided by the Director-General. We will provide a further update on this issue in next year's annual report.
Passport suspension, emergency visa cancellation and welfare payment cancellation
In 2014, Parliament passed laws enabling Australian and foreign passports to be suspended on security grounds for 14 days, and for the emergency cancellation of visas for 28 days. Passport suspension or emergency visa cancellation on security grounds is triggered by advice from ASIO, and enables action to be taken pending more detailed consideration by ASIO as to whether there are grounds to issue an adverse security assessment recommending passport or visa cancellation. The threshold for passport suspension and emergency visa cancellation is lower, and although judicial review is available, merits review by the AAT is not.
In June 2015 we conducted an inspection to review all cases where ASIO had requested passport suspension or emergency visa cancellation. No issues were identified. We intend to conduct a similar inspection during the next reporting period. We pay particularly close attention to any passport suspensions or emergency visa cancellations that do not proceed to a cancellation.
New legislation also enables welfare payments to be cancelled on security grounds if the person has their passport cancelled or visa refused or cancelled on security grounds. ASIO is one of a number of agencies that may have a role in considering whether welfare payments should be cancelled. We sought briefing from ASIO and inspected records from a sample of cases where welfare cancellation was or may have been under consideration. ASIO's role is to provide advice in relation to the security considerations in such cases, and this includes considering whether the welfare payments are being used for activities prejudicial to security and whether cancellation could have an adverse security outcome, such as by further radicalising an individual.
We will continue to monitor ASIO's role in providing advice in cases where welfare payment cancellation is under consideration.
In March 2013 the IGIS reported on an inquiry into the analytic independence of ASIO, DIO and ONA. In March 2014, the IGIS initiated an inspection project to review the progress of ASIO in implementing the recommendations of that report. The 2013 Inquiry had recommended a number of improvements to ASIO's analytical and organisational processes, including key judgment reviews, formalised dissent handling procedures and improved record-keeping regarding analytical sources and external consultation. ASIO had indicated it accepted all recommendations and intended to implement new policies to address these issues.
In early 2014, ASIO invited the former Director-General of ONA, Mr Allan Gyngell AO, to conduct a comprehensive review into the state of analytic tradecraft and practices supporting the assessment function in ASIO. The inspection project was undertaken shortly after this review, and ASIO was in the process of developing and trialling new organisation-wide policies. The review project noted that there remained inconsistency in relation to ASIO analytic tradecraft, but the adoption of the organisation-wide policies was expected to lead to improvements. In June 2015 ASIO advised that the policies had been endorsed and were now being implemented across the Organisation.
Warrants 'whole of life' project
In April 2015 the IGIS initiated an inspection project reviewing four sets of warrants where consecutive warrants have been issued over time. The purpose of the project was to review the underlying intelligence case for each warrant and to consider whether the intelligence case put to the Attorney-General each time the warrant is raised is accurate and balanced. The results of this inspection activity will be included in next year's annual report.
ASIO internal approval process project
Before ASIO commences an investigation, the proposed investigation must be authorised in accordance with the requirements of the Attorney-General's Guidelines. We initiated an inspection project during the previous reporting period to review ASIO's internal approvals for accessing sensitive information from government and non-government agencies. The review concluded that ASIO generally managed these investigative activities with due consideration of its legislative obligations, but a number of breaches of internal policies and procedures were identified, such as activities not being approved by an officer of the correct level or verbal approvals not being documented.
As a result of the project findings the Inspector-General recommended that ASIO consider an annual refresher training program, or other type of education program, for authorising officers to ensure they clearly understand their obligations under the legislation and ASIO's internal policies and procedures. The review also identified cases with long periods of inactivity, and recommended that ASIO officers responsible for reviewing investigations should record the reasons for any lack of progress of investigative activities in the regular reviews. Under the Attorney-General's Guidelines, investigations are required to be reviewed at least annually. ASIO indicated that it will remind staff of their obligations regarding compliance with internal policies and procedures.
ASIO's record retention and destruction project
In November 2014 the IGIS initiated a project to investigate the data destruction practices of ASIO with a specific focus on material obtained under warrants. This project followed on from a similar project finalised in 2010, which made a number of recommendations aimed at improving ASIO's corporate recordkeeping practices in the context of an expected increase in the volume of data held by ASIO (due to the volume of intelligence collected and the use of electronic documents and systems). The 2010 report specifically recommended that ASIO revisit its records management framework to ensure information and intelligence is appropriately retained or destroyed in accordance with requirements in the Archives Act 1983, ASIO Act and the TIA Act. Since 2010, ASIO has undertaken a major review of its records management framework, including the introduction of an updated National Archives of Australia (NAA)-ASIO Records Authority (RA) in 2012 and a new electronic system for managing investigative files during 2012–13.
An issue of particular interest to the IGIS in the follow-up project was the extent to which section 31 of the ASIO Act and section 14 of the TIA Act were being utilised. Those provisions require that, where a record or copy has been made of material obtained under warrant, and is in the possession of ASIO; and where the Director-General is satisfied that the record or copy is not required for the purposes of performing ASIO's functions, or exercising powers under those Acts '...the Director-General shall cause the record or copy to be destroyed'.
While the project was ongoing at the end of the reporting period, the IGIS has made a number of preliminary observations relating to ASIO's electronic and paper-based file keeping practices:
- There was no evidence that warrant-related material had been destroyed in reliance on section 31 of the ASIO Act and section 14 of the TIA Act. ASIO advised that it considers material for disposal or retention in accordance with the NAA RA, rather than under those specific legislative provisions. However, while the Archives regime permits destruction in appropriate cases, it does not require it, and it also does not address the handling of copies of material residing in other databases.
- In the absence of a current register of electronic data repositories, ASIO policy needs to be updated to ensure data on other systems is appropriately managed. ASIO has agreed that the current policy (developed in 2011) will need to be updated as a result of the project's findings.
- ASIO currently has a backlog of paper-based files waiting to be checked and, if appropriate, destroyed. ASIO has policies and processes in place for working through this backlog and retains records of what has been destroyed.
- ASIO has appropriate systems for identifying human or technological errors resulting in the collection of material outside the authority of a warrant, and is diligent in purging all such information from its systems.
- There was no evidence that ASIO has actually destroyed any electronic records that are eligible for destruction. ASIO advised that the electronic files created in the current version of their case management system have not yet reached the full term of the disposal category assigned. IGIS will continue to monitor whether electronic records that are eligible for destruction are appropriately destroyed.
- Any changes to ASIO systems and policies as a result of the project will be reported in the next annual report.
- The findings from this project will also be taken into account in the IGIS's input to the review to be undertaken by ASIO and the Attorney-General's Department of the Attorney-General's Guidelines issued under section 8A of the ASIO Act. The Government has indicated that review will include examining requirements to govern ASIO's management and destruction of information obtained on persons who are not relevant, or no longer relevant to security matters.