Inspection of ASIS activities
During the reporting period ASIS implemented an agency-wide compliance training program. The program focuses on compliance with ASIS's legislative and internal policy framework, drawing on case studies for scenario based learning. Training is compulsory for all ASIS officers, whether based in Australia or overseas. This training is regularly updated to incorporate lessons learnt from IGIS reviews and inquiries.
Ministerial authorisations to produce intelligence on Australian persons
There were three cases where IGIS undertook further investigation to establish if ASIS had taken action to produce intelligence on an Australian person without appropriate ministerial authorisations. In one of these cases ASIS conducted a review of the operation and agreed collection had taken place against two Australian persons without ministerial authorisation. Specific additional training was provided to staff in the area where the unauthorised collection occurred. In another case the review is ongoing, and in the third case no breach was found.
If an agency head is satisfied that the grounds on which a ministerial authorisation is given cease to have effect, the agency head is required by the ISA to inform the Minister. In October 2014 ASIS advised us of a breach of this obligation that had occurred when in October 2013 ASIS had been advised that the subject of a ministerial authorisation was not an Australian person, as had originally been presumed. ASIS did not promptly inform the Minister that the grounds on which the authorisation was issued had ceased to exist. Our inspections identified two further occasions where there were delays in informing the Minister that the grounds on which an authorisation was issued had ceased to exist.
During 2014–15 there were three instances where ASIS sought a renewal of an existing ministerial authorisation and where the renewal was not signed within the eligible period for renewal. In each case it was signed the day after the authorisation ceased to have effect which meant that in practice there was no 'gap' in authorisation. Nevertheless, this is not ideal, and ASIS has undertaken to improve its processes for renewal to ensure it does not happen again.
During 2014–15, IGIS inspections identified inconsistencies in the way the commencement and expiry dates of authorisations were worded; the lack of consistency increases the risk of breaches. This has been drawn to ASIS' attention.
Implementation of new legislative provisions relating to ministerial authorisations
Legislative changes introduced during this reporting period allow ASIS to produce intelligence on an Australian person, or a class of Australian persons, to support ASIO in the performance of its functions, without first obtaining authorisation from the Minister for Foreign Affairs. For this new power to be enlivened either ASIO needs to give ASIS a notice saying that it requires the production of intelligence on the Australian person or class of Australian persons or an authorised ASIS officer must reasonably believe that it is not practicable in the circumstances for ASIO to notify ASIS before the intelligence about the Australian(s) can be collected.
As at 30 June 2015, ASIO had provided a number of notices to ASIS stating that it requires the production of intelligence on Australian persons to support the performance of ASIO's functions. This included three requests from ASIO in respect of a class of Australian persons. There were no instances where ASIS relied on an ASIS officer reasonably believing that it was not practicable in the circumstances for ASIO to notify ASIS before the intelligence about an Australian could be collected.
In June 2015 we conducted an inspection project in relation to the requests from ASIO; the inspection did not identify any issues of concern.
Changes to the ISA introduced in the reporting period also make provision for the Minister for Foreign Affairs to authorise the production of intelligence on, or have a direct effect on, one or more members of a class of Australian persons when providing assistance to the Australian Defence Force. No such authorisations were given during the reporting period.
New provisions were also inserted in the ISA to allow approval to be given to produce intelligence on an Australian in an emergency. ASIS did not use these emergency provisions during the reporting period.
We will continue to review the use of these new powers throughout 2015–16.
OIGIS staff pay close attention to the distribution of intelligence about Australian persons by ASIS during regular inspection activities and the subject is also discussed with the IGIS at bi-monthly meetings.
ASIS reported one occasion in 2014–15 where the 'presumption of nationality' was overturned; that is, information came to light that an individual was actually an Australian person and the privacy rules were applied retrospectively to reporting. In this instance there was no breach of the rules as presumption was reasonable at the time it was made and the information suggesting the person was Australian was not available at that time.
Throughout 2014–15 there were a number of occasions identified where the privacy rules were not applied to reporting on an Australian person or company due to either human or technical error. Some of these occasions were identified by OIGIS staff during routine operational file inspections, others were reported by ASIS (see case study on page 34). ASIS has acknowledged that the errors were due to a combination of a lack of understanding of the correct procedures by staff, unclear policies and the effect of an ageing IT system.
The total number of cases where there were issues was a very small percentage of the overall amount of intelligence activity undertaken by ASIS.
Cooperation with foreign liaisons
In October 2014, ASIS advised that information had been communicated to a foreign liaison, without the application of the privacy rules and without approval under the ASIS internal policy. ASIS advised the communication of this information was also a breach of section 9 of the ISA, which requires ministerial authorisation to undertake an activity that will or is likely to have a direct effect on an Australian person. More information is provided on this incident on page 34.
In March 2015 ASIS provided a summary of seven occasions where intelligence information had been provided to foreign liaisons, without the application of the privacy rules and without approval under the ASIS internal policy. One of the cases was originally identified through an IGIS operational file inspection in February 2015 and the other cases were mostly self reported by ASIS staff following raised awareness of the issue as a result of ASIS compliance training.
At a subsequent operational file inspection in April 2015 OIGIS staff identified a number of additional cases where intelligence information had been provided to foreign liaisons, without the application of the privacy rules and without approval under the ASIS internal policy. One of those incidents had been reported by ASIS on the same day as the inspection.
ASIS advised that a lack of awareness by staff of the breadth of the definition of 'intelligence information' for the purpose of the privacy rules was a significant contributing factor.
In June 2015 ASIS advised IGIS that in April 2015 they had 'cooperated' with a foreign liaison service prior to obtaining ministerial approval to do so contrary to section 13(1)(c) of the ISA and internal ASIS policy. ASIS may only have limited interaction with a foreign liaison service prior to ministerial approval being obtained. An ASIS review of the incident was conducted in April 2015. The review resulted in a number of recommendations, including reinforcing ASIS policy on the legislative requirement for cooperation with foreign authorities.
Intelligence collected and provided to a foreign authority without approval
In October 2014 ASIS advised IGIS about a case where:
- intelligence information about an Australian person was provided to a foreign liaison without the application of the privacy rules as required by the ISA
- the communication was made without the relevant internal approval, which should have been obtained in accordance with internal ASIS policy
- the communication of the intelligence required prior ministerial authorisation because it was, or was likely have, a direct effect on an Australian person. That authorisation was not sought from the Minister.
The day after the incident, ASIS took steps to obtain the appropriate authorisation and the ministerial submission noted that ASIS had already undertaken activities in breach of the ISA and had not applied the privacy rules. The ministerial authorisation was granted the same day. ASIS also subsequently applied the privacy rules to the communication, and the Director-General retrospectively approved the release of the information to the foreign liaison. ASIS provided a full report of the incident to IGIS in February 2015.
This case highlighted the challenges ASIS faces in complying with legislative obligations and internal policies in time critical situations. In its report ASIS noted that recently passed National Security Legislation Amendment Act (No.1) 2014 and Counter-Terrorism Legislation Amendment Act (No. 1) 2014 introduced new arrangements for emergency authorisations.
Review of operational files
ASIS activities often involve the use of human sources and ASIS officers are deployed in many countries to support a wide range of activities including counter-terrorism, efforts against people smuggling and support to military operations. These activities are often high-risk and sensitive.
During the reporting period, we reviewed files relating to operational activities in a diverse range of countries where ASIS has a presence.
The sensitive nature of ASIS's operational activities means specific detail about the nature of certain issues arising from these inspections cannot be disclosed in a public report. In addition to the ministerial authorisation issues outlined above, it was noted that internal approvals for operational activities were not always apparent on the relevant files. While in some cases there were explanations for why approvals were not documented, ASIS was reminded of the importance of official records containing a complete and accurate record of approvals. This issue is being addressed by ASIS.
Authorisations relating to the use of weapons
Schedule 2 of the ISA requires the Director-General of ASIS to provide the IGIS with:
- copies of all approvals issued by the Minister of Foreign Affairs in respect of the provision of weapons and the training in and use of weapons and self-defence techniques in ASIS
- a written report if a staff member or agent of ASIS discharges a weapon other than in training.
This reporting requirement was met during 2014–15 and the IGIS was satisfied that the need for limited numbers of ASIS staff to have access to weapons for self-defence in order to perform their duties is genuine.
During the 2014 Weapons Inquiry (see page 10) an occasion was identified where ASIS staff had participated in weapons familiarisation in controlled conditions under ADF supervision without the required prior approval by the Minister to fire the weapons concerned. It became apparent that ASIS staff did not realise this was a breach of the ISA, which suggested a deficiency in ASIS training for staff about the requirements around weapons. At our request, ASIS provided a report of all the other occasions where a similar breach of the ISA had occurred. A very significant number of ASIS officers had fired weapons they were not authorised for, either once or on several occasions in these circumstances, indicating a widespread lack of understanding about the legal requirements. However, in all cases the weapons were fired in a controlled environment under qualified ADF supervision. Changes made to the ISA during the reporting period mean that in future such activities will not constitute a breach of the ISA.
We conducted two inspections of ASIS weapons and self-defence training records in 2014–15, in November 2014 and May 2015. The inspections found that ASIS's current governance and recordkeeping on this matter was effective, with no new breaches of the ISA or non-compliance with the ASIS internal weapons guidelines noted during the reporting period.
While reviewing files as a part of an IGIS Act investigation into a complaint, we identified a further breach of the ASIS weapons guidelines that had occurred a number of years earlier. In that case appropriate internal approval had not been obtained prior to the appointment of an external training provider being engaged. Although the training provider met the necessary competency standards to provide specialist training of the kind ASIS required, ASIS acknowledged that under the guidelines the provision of this training should not have occurred without this internal approval having first been obtained.