Activity 2: Undertaking inspections
Undertaking inspections and visit programmes to monitor and review intelligence agencies' operational activity
The office regularly examines selected agency records to ensure that the activities of the intelligence agencies comply with the relevant legislative and policy requirements and to identify issues before there is a need for major remedial action. These inspections include our staff directly accessing electronic records and reviewing hardcopy documentation.
Inspections concentrate on the potential impact of intelligence collection on the privacy of Australians. As such, inspections largely focus on the activities of ASIO, ASIS, AGO and ASD. This is because each of these agencies has intrusive powers and investigative techniques. Inspections relating to DIO and ONA are generally limited to ensuring that their assessments comply with administrative privacy guidelines, and that there is no indication of their independence being compromised.
Inspections focus on whether each agency is acting in accordance with its statutory functions, any guidance provided by the responsible minister, and the agency's own internal policies and procedures. Inspection may comprise a combination of routine inspections (for example ASIO investigative cases and warrants) as well as inspection projects that target specific issues.
Quantitative performance measures
There were no quantitative performance measures applicable to our inspections work identified in the OIGIS Corporate Plan 2015–19.
The qualitative discussion below addresses the breadth, depth and impact of our inspection work in support of an assessment against the key performance indicators. The discussion additionally incorporates the Inspector-General's comments on inspections carried out under section 9A of the IGIS Act and the Inspector-General's comments on the extent of compliance by ASIS, AGO and ASD with the privacy rules made under section 15 of the Intelligence Services Act 2001.[4]
[4] The Inspector-General's comments on these matters are required under subsection 35(2A) of the IGIS Act to be included in the annual report.
Inspection of ASIO activities
During 2015–16, we conducted a broad range of inspections at ASIO, including:
- regular inspections of investigative cases
- new inspections focused on analytical tradecraft and other areas
- human source management
- ASIO warrants
- Special Intelligence Operations
- access to telecommunications data
- exchange of information with Australian Government agencies
- ministerial submissions
- exchange of information with foreign liaisons
- security assessments, the consequences of which may include decisions by Government to cancel or refuse visas, passports or citizenship applications and in some cases may trigger consideration of removal of welfare payments
- a number of specific inspection projects.
We also examined ASIO's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are set out later in this report.
The Australian Security Intelligence Organisation Act 1979 (the ASIO Act) empowers ASIO to obtain, correlate and evaluate intelligence information relevant to security. ASIO's activities are governed by the ASIO Act as well as the Attorney-General's Guidelines and internal policies and procedures. The Guidelines require that any means used by ASIO to obtain information must be proportionate to the gravity of the threat and the probability of its occurrence. They also require that inquiries and investigations into individuals or groups should be undertaken using as little intrusion into individual privacy as is possible consistent with the performance of ASIO's functions. The Guidelines are available on the ASIO website at www.asio.gov.au.
We commenced new areas of inspection during 2015–16 in order to ensure that there was no gap in our oversight of certain types of inquiry and investigations.
In one case, the trial inspection demonstrated that this separate inspection programme was not required. The inquiries and investigations activities conducted by this ASIO division were already included in other routine IGIS inspection activities.
Other new and existing areas of inspection are discussed below.
Regular inspection of investigative cases
We continued to review a sample of ASIO investigative cases during the reporting period in order to examine:
- the justification and objectives provided for the investigation
- whether the investigative activities that were undertaken or proposed were appropriate
- whether investigations were subject to formal approval and periodic review
- the application of the principle of proportionality according to the gravity of the threat and the probability of its occurrence and with as little intrusion into individual privacy as is consistent with the performance of ASIO's functions.
Sample selection focuses on those cases utilising more intrusive investigative methods – for example, cases with warrants approved by the Attorney-General, access to sensitive financial information or prospective data authorisations.
During 2015–16, ASIO reviewed and revised a significant proportion of its internal policies and procedures. We paid particular attention to changes where authorisation and delegation levels have been lowered. While no issues of concern were identified by the devolution of authority for approval, we note that it is sometimes desirable for more sensitive matters to be considered and approved at above the minimum level required.
Another ongoing focus of inspections has been ASIO's investigative activities in relation to people under 18 years of age. With an increasing number of young people who are of interest to ASIO, ASIO's policies have evolved with experience. We will continue to focus on this area in our inspections.
We continue to work with ASIO to ensure that the inspection process can provide direct meaningful feedback to ASIO investigative staff in a timely manner with a view to improving processes overall.
ASIO analytical tradecraft
We initiated a new inspection during the reporting period to look specifically at ASIO analytical tradecraft. In early 2014, ASIO invited the former Director-General of ONA, Mr Allan Gyngell AO, to conduct a comprehensive review into the state of analytical tradecraft and practices supporting the assessment function in ASIO. In June 2015, ASIO advised us that it had implemented a range of policies in accordance with Mr Gyngell's recommendations. We undertook a new inspection to examine compliance with these new policies. The inspection did not identify any issues of concern and we were satisfied with ASIO's policy and training. We will continue this new inspection in the next reporting period.
Human source management
This inspection activity focuses on ensuring that the management of ASIO human source operations is both legal and proper. While the detailed results of these inspections are sensitive and cannot be disclosed in a public report, no significant concerns were identified in the inspections undertaken during the reporting period.
ASIO warrants
ASIO can intercept telecommunications and use other intrusive powers following the issue of warrants by the Attorney-General. Authority for telecommunications interception is provided in the Telecommunications (Interception and Access) Act 1979 (TIA Act). The ASIO Act provides the authority for other powers, including searches, computer access and surveillance devices.
During 2015–16, inspections of ASIO warrants were undertaken quarterly, as well as in the course of our regular inspections of investigative cases. The separate warrants inspections began in 2014–15 in response to legislative changes made to the warrant provisions in the ASIO Act as part of the National Security Legislation Amendment Act (No. 1) 2014. These amendments included a new identified person warrant, a new surveillance device warrant that replaced the separate listening and tracking device warrants, and a number of amendments to the computer access warrants and search warrants. Additionally we inspected a sample of ASIO foreign intelligence collection warrants on a quarterly basis.
We reviewed a significant proportion of warrants obtained by ASIO in 2015–16. Our inspection programme did not identify any errors in ASIO's execution of warrant powers that constituted a breach of either the ASIO Act or the TIA Act. A small number of administrative errors, including typographical errors, were identified. These errors did not affect the legality or propriety of the warrant.
ASIO continued to self-report proactively in relation to breaches or errors in the execution of warrant powers. ASIO reported nine breaches, two of the ASIO Act and seven of the TIA Act. Given the volume of intercept activity, this number of breaches does not indicate a systemic problem. The breaches reported include:
- two breaches that occurred when data continued to be collected after the warrants were revoked by the Attorney-General. In one case, data was collected for 15 days after the revocation. In the other case, a service was not disconnected until six days after the Attorney-General revoked the warrant. In both cases, ASIO deleted the data permanently from its systems. The Inspector-General was satisfied that both breaches arose from human error and did not evidence any systemic practice. The relevant areas have reviewed their internal procedures for dealing with warrant revocations and implemented changes to reduce the likelihood of future occurrences.
- breaches of the TIA Act that occurred where a carrier was advised seven days after internal approval to remove two services. The TIA Act requires a carrier to be notified immediately, with confirmation in writing to be given as soon as practicable. ASIO instructed the service provider to delete any data that was collected. ASIO has established more stringent procedures and advice for staff to ensure a similar error does not occur in the future.
- a breach of the TIA Act that occurred when an incorrect service was intercepted by ASIO due to an incorrect phone number being provided by ASIO. The error was discovered nearly one month after interception began. ASIO purged the collected data from ASIO's systems and provided the correct number. ASIO re-examined its processes for error checking and reaffirmed the need for appropriate checking procedures to ensure a similar error does not occur in the future.
- ASIO advised of an over-collect issue where, for a period of eighteen months, it received an unknown amount of non-target session-related data intermixed with its warranted intercepts. The cause of the over-collect was unknown, but ASIO's initial investigation indicated it was due to a carrier error. In December 2015 ASIO advised it would delete from its systems all of the data collected by the carrier in the relevant period to ensure all non-target data was deleted.
As noted in previous annual reports, the IGIS continues to maintain a close interest in ASIO's use of B-party warrants. B-party warrants provide that ASIO may intercept a telecommunications service that is likely to be used by another person not of security interest to communicate with a person of security interest. B-party warrants can only be used for a maximum of three months, compared to six months for other interception warrants. The IGIS is satisfied that ASIO's use of B-party warrants has been consistent with the provisions in the TIA Act that restrict the availability of B-party warrants, and no outstanding issues remain at this time.
Identified person warrants were a key focus of our warrant inspection activity, as they are still a relatively new type of warrant. They differ from other ASIO warrants in that they give conditional approval for ASIO to use one or more special powers against an identified person. The ASIO Act provides that a written authorisation (signed by the Attorney-General or Director-General) is required before ASIO can actually do that which was conditionally approved under the warrant. To date, the majority of the identified person warrants inspected have had the authorisations signed by the Director-General rather than the Attorney-General. We understand this to be the preference of the current Attorney-General.
ASIO advised us of two breaches of the ASIO Act that occurred in its execution of identified person warrants. One occurred in ASIO's first use of an identified person warrant, when an ASIO officer acted on oral rather than written approval to exercise the authority conferred by the warrant.
The second breach occurred after ASIO obtained the Attorney-General's conditional approval to access computers, conduct searches and use surveillance devices in a particular case. Due to an administrative oversight ASIO did not seek specific authorisation, either from the Attorney-General or the Director-General of Security, prior to accessing a computer.
Once the breach was detected, ASIO ceased its computer access activity and quarantined the data that was collected before seeking the necessary authorisation and recommencing access to the computer. ASIO advised the IGIS that it had quarantined and deleted the data from ASIO systems, and implemented additional measures to minimise the likelihood of such breaches recurring. We are satisfied that the access occurred in error and that the new measures to reduce breaches are adequate.
After the execution of a warrant, ASIO must report to the Attorney-General on the intelligence value of the warrant. Initially the reports to the Attorney-General on identified person warrants were narrowly focused on the overall value of the warrant, without specifically referring to which authorisations had been executed, or the intelligence value of those particular authorisations. For example, the warrant report may only have mentioned the intelligence gained from one authorisation, without mentioning if the other authorisation(s) were used and what intelligence (if any) was derived from them. We suggested that the warrant report could provide information on each authorisation, which would give the Attorney-General a better picture of how identified person warrants were being used and how they had assisted ASIO in the performance of its functions. ASIO agreed to this suggestion, and amended its policy to reflect this. We have since seen identified person warrant reports that report on each authorisation and provide a clearer picture to the Attorney-General of what was done under the warrant and the authorisations signed by the Director-General.
Questioning and detention warrants
The office has procedures in place to oversee ASIO's use of questioning powers; however, no questioning warrants, or questioning and detention warrants, were issued in the reporting period.
Journalist information warrants
During the reporting period the Government introduced a journalist information warrant regime. This regime imposes additional constraints on ASIO's access to journalists' telecommunications data. The TIA Act now requires that, where ASIO seeks the telecommunications data of journalists or their employers for the purpose of identifying a journalist's source, ASIO must first obtain a warrant from the Attorney-General.
We confirmed that ASIO has policies and procedures in place to address the new journalist information warrant requirements and provide staff training. These policies and procedures will be reviewed in the course of our regular inspections.
Use of force
Warrants issued under the ASIO Act may authorise the use of force so long as it is necessary and reasonable to do the things specified in the warrant. This provision was amended during the last reporting period specifically to include a reference to using force against persons as well as against things. Under section 31A of the ASIO Act, when force is used in the execution of a warrant ASIO is required to notify the Inspector-General in writing, as soon as practicable. The ASIO Act does not specify a timeframe for the provision of these reports but ASIO has developed a policy that requires an initial notification within 72 hours (three days) of the use of force, to be followed by more detailed information within 10 days.
During the reporting period, we did not receive any notifications of the use of force against persons during the execution of ASIO warrants by either ASIO or law enforcement officers. We will monitor the timeliness of notification and reporting of any future use of force.
There has been very close consultation between our office and ASIO in relation to ASIO's updated training and policy guidance in this area and we have maintained strong interest in ASIO's development and implementation of training for its officers in the use of force. ASIO has addressed issues raised by our office. In the last reporting period, ASIO commenced a self-defence training programme. During this reporting period, ASIO has commenced additional training specifically for officers involved in the execution of warrants. No ASIO officer is authorised to use force in the execution of a warrant until after receiving appropriate training. We will continue to monitor the frequency and effectiveness of this training.
Special Intelligence Operations
We commenced inspecting ASIO's use of this new power in 2014–15.[5] With experience, our inspection methodology continued to evolve during the reporting period.
The legislation requires that ASIO notify the IGIS as soon as practicable after the special intelligence operation authority is granted. In one case the IGIS was notified 10 days after the authorisation was granted. We noted that this was not in accordance with the legislation. ASIO promptly implemented a new procedure, which is working well.
The legislation also requires ASIO to give the Attorney-General and the IGIS a written report on each Special Intelligence Operation.
We have reviewed the documentation relating to each Special Intelligence Operation approved, and in some cases have received additional briefings. We have not identified any issues of legality or propriety.
We will continue to pay close attention to ASIO's Special Intelligence Operations.
[5] Special Intelligence Operations are authorised in accordance with the Australian Security Intelligence Organisation Act 1979, Part III, Division 4, ss 35A–35R.
Access to telecommunications data
The Telecommunications (Interception and Access) Act 1979 (TIA Act) enables certain persons to authorise the collection of prospective and historical telecommunications data from telecommunications carriers or carriage service providers. The Director-General, Deputy Director-General and ASIO employees or affiliates at an SES Band 2 or higher level may provide the authorisation for prospective data. The Director-General, Deputy Director-General and ASIO employees or affiliates approved by the Director-General for that purpose, may provide an authorisation for historical data. Prospective data authorisations provide near real-time data (typically call associated data and network location data) for the period that an authorisation is in force. The threshold that ASIO is required to meet is that access to the data is in connection with the performance by ASIO of its functions. In addition, the Attorney-General's Guidelines state that investigative activities should intrude into personal privacy as little as possible, consistent with the performance of ASIO's functions. The Attorney-General's Guidelines also require that priority be given to less intrusive means, and that authorisation levels for more intrusive activities should be higher.
ASIO's access to prospective telecommunications data and historical telecommunications data is reviewed as part of our regular inspection of ASIO investigative cases, discussed above.
Prospective data authorisations reviewed were endorsed by an appropriate senior officer, and demonstrated that ASIO has regard to the Attorney-General's Guidelines and is meeting the legislative requirement to make requests for data only in the performance of its functions.
In July 2015, ASIO advised us of an error that had occurred in a telecommunications provider's interception system which, contrary to the prospective data authorisation, resulted in ASIO receiving SMS content of multiple mobile phone services belonging to the provider. The problem occurred because the provider initiated a change to its systems without providing ASIO with any notice of these changes or any testing of the changes prior to their implementation. The error was discovered in less than two days. On discovery of the issue, ASIO undertook an audit of access logs and confirmed that no ASIO staff had accessed the unwarranted content. All the content was deleted from ASIO's systems, and the telecommunication provider rectified the situation by reinstating the previous system. ASIO undertook to investigate ways to buffer incorrect data of this type in the future.
No specific inspection activity occurred in the reporting period, but these requests may be reviewed as part of inquiry and investigation inspections. There were no issues of concern noted during the reporting period.
ASIO exchange of information with Australian Government agencies
An area of focus for our office is ASIO's liaison with other government agencies, particularly where sensitive personal information is involved. During the reporting period we queried ASIO's procedure regarding requests for sensitive personal information from another Australian Government agency. While we did not have concerns with ASIO's limited use of the information, we did suggest that where the information is to be used in security intelligence investigations, ASIO should consider whether it is appropriate to require additional approval to access the information and the level at which, where required, the approval can be given. ASIO has advised it will change its procedure accordingly.
Access to taxation information
Section 355-70 of Schedule 1 to the Taxation Administration Act 1953 provides that a taxation officer authorised by the Commissioner of Taxation or delegate may disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO's functions.
This access to sensitive information is further governed by a memorandum of understanding between the Commissioner of Taxation and the Director-General of Security, the Attorney-General's Guidelines, and ASIO's internal guidelines and procedures.
ASIO rarely requests access to this type of information. We review all of ASIO's access to sensitive taxation information, including:
- ASIO requests for information to the ATO
- spontaneous disseminations from the ATO to ASIO
- disseminations of information from ASIO to a law enforcement agency.
In 2015–16, ASIO reported that no requests had been made to access ATO information. The ATO made two proactive disclosures to ASIO, which will be reviewed in August 2016.
During this reporting period, our staff also conducted a review of ASIO access to sensitive tax information carried over from the previous financial year. We did not identify any matters of concern.
Ministerial submissions
Each quarter we review a range of briefing notes and submissions on operational matters made by ASIO to the Attorney-General. In addition to the other ASIO inspection activities, these reviews continue to be useful in supporting our oversight of legality and propriety issues relevant to high risk activities – for example, cooperation with new foreign agencies, and significant operations.
ASIO exchange of information with foreign liaison
The ASIO Act provides the authority for ASIO to seek information from, and provide information to, authorities in other countries that is relevant to Australia's security or the security of the foreign country. ASIO may cooperate with foreign authorities approved by the Attorney-General. In general, the foreign authorities that are approved by the Attorney-General perform broadly similar functions to ASIO. In the course of our regular reviews of ASIO investigative cases we noted authorisation documentation and correspondence for such exchanges. We have noticed some inconsistency in relation to how records are kept regarding foreign liaison. We have come across varying practices throughout the Organisation in our inspections. We will continue to monitor how records on foreign liaison activity are kept as part of our inspection activities.
Security assessments (which can lead to cancellation or refusal of visas or passports and in some cases may trigger consideration of removal of welfare payments)
We continued to review a sample of cases where ASIO had recommended passport suspension, cancellation or refusal, or visa (emergency or regular) cancellations. We also reviewed cases where, in consequence of a security assessment for passport purposes, the Government may consider cancelling a person's entitlement to welfare payments. We continue to pay particularly close attention to any passport suspensions that do not proceed to a cancellation. In those cases, we may look in greater depth at the intelligence case supporting ASIO's advice to assess whether the advice was reasonable based on what was known to ASIO at the time.
In last year's annual report we noted that we had conducted an inspection project focusing on whether ASIO's advice concerning the (then) passport cancellation and refusal powers was consistent with the relevant legislation. At the time, section 14 of the Australian Passports Act 2005 (Passports Act) made a distinction between advice provided by ASIO and advice provided by the Director-General of Security, depending on whether the request concerned circumstances relating to a foreign country or concerned prejudice to Australia's security. The review found that ASIO's advice to the Minister appeared not to make the distinction in relevant cases. ASIO agreed to review its ministerial submission templates for passport cancellation and refusal to reflect the legislative basis for recommendations under the Passports Act.
We note that the Passports Act and the accompanying Australian Passports Determination have since been amended. The competent authority in both circumstances (whether the request concerns a foreign country or prejudice to the security of Australia) is now either the Director-General of Security or a Deputy Director-General of Security. This removes any uncertainty with regard to the identification of the competent authority in individual cases. ASIO's templates reflect this and we are satisfied this issue has now been resolved.
ASIO inspection projects
ASIO's record retention and destruction project
The IGIS annual report for 2014–15 reported on a project we initiated to investigate the data destruction practices of ASIO, with a specific focus on material obtained under warrants.
At that time, we made a number of observations arising from this project in relation to ASIO's electronic and paper-based file keeping practices.
The findings of this project are informing the IGIS's input to the review of the Attorney-General's Guidelines being undertaken by ASIO and the Attorney-General's Department – the review was ongoing at the end of the reporting period. The Government initiated this review in response to a recommendation of the Parliamentary Joint Committee on Intelligence and Security as part of its review of the National Security Legislation Amendment Bill (No. 1) 2014. In accordance with that recommendation, the Attorney-General's Guidelines issued under section 8A of the ASIO Act are being reviewed, including examining requirements to govern ASIO's management and destruction of information obtained on persons who are not relevant, or no longer relevant, to security matters.
Use of information holdings within ASIO
In mid-2015, we initiated an inspection project to review ASIO's implementation and auditing of the policy introduced in June 2014 concerning staff use of ASIO's information holdings. The policy emphasises that information holdings within ASIO are only for official purposes and not for matters which may be relevant to staff members' personal circumstances; staff with personal security concerns should raise these with the relevant areas within ASIO, for checks to be undertaken if appropriate. The policy was implemented following concerns raised by the former IGIS in 2013–14 about the purposes for which ASIO staff were accessing ASIO information holdings.
In the course of the inspection project, ASIO provided us with details of guidance material and training provided to staff on the new policy and the audits conducted to determine compliance. ASIO also identified three instances of non-compliance with the policy. While these instances did not raise any serious or systemic concerns, we felt that they did highlight the need for ASIO to continue its efforts to ensure that staff were aware of their responsibilities. This is particularly important for staff who were familiar with the previous policy. ASIO advised that they are considering other ways to remind staff of their security obligations. We have also asked ASIO to provide us with periodic updates on the results of audits and any instances of non-compliance with the policy, so that we can continue to monitor this issue.
ASIO Telecommunications Interception System
During the reporting period, our staff reviewed a number of warranted and non-warranted telecommunications activities as part of an inspection project.
The services subject to the inspection were identified during regular inspections as being of potential compliance risk. These matters included collection of non-subject data or where there was an interval between the expiry of one instrument and the authorisation of the next. In the course of this inspection we identified one compliance issue where data had been retained unnecessarily.
In February 2016, ASIO advised our office of an 'overcollection' of telecommunications data under a warrant.
Mobile phone data was collected for 12 days from a mobile phone that was not being used by ASIO's person of interest. In the course of requesting the warrant, ASIO had undertaken the appropriate checks prior to interception that indicated the service belonged to the person of interest. There was no information to indicate the individual actually using the service was linked to the person of interest. ASIO advised the IGIS that it ceased intercepting the product and deleted all of the product collected from ASIO systems; however, during an inspection of ASIO's telecommunications interception system it was discovered that the data had not been deleted, although it had been quarantined awaiting deletion. ASIO has advised that the error was due to a vendor system setting. ASIO has since confirmed that the data has now been fully deleted. While we are satisfied that this incident involved a simple oversight, it is important that the advice provided to this office is accurate.
Warrants 'whole of life' project
In April 2015, the previous IGIS initiated an inspection project reviewing four sets of warrants where consecutive warrants have been issued over time. The purpose of the project was to review the underlying intelligence case for each warrant and to consider whether the intelligence case put to the Attorney-General each time the warrant was raised was accurate and balanced. Based on the sample of warrants examined, the review concluded that ASIO generally managed the warrant renewal process with appropriate consideration of its obligations under the ASIO Act and the TIA Act and consistently with ASIO's internal policies and procedures. In particular, the inspection team noted improvements in source documentation between the 2011 and 2014 warrants. The project did observe some draft warrant documentation which lacked references to source documents. The project also noted that ASIO publishing practices and guidelines were not consistently applied by staff in preparation of warrant documentation.
As a result of the project findings, we recommended that ASIO teams responsible for preparing warrant documentation should consider implementing a more formal quality assurance process and extend the principles of ASIO's new Analytical Tradecraft policies, released in May 2015, to warrant documents. This will provide greater assurance that the Attorney-General is provided with sound analysis characterised by current, objective, clear, easily located and comprehensive information. ASIO advised that, following the receipt of the report, ASIO staff were reminded of ASIO internal procedures regarding referencing and retention of draft documentation.
Lawyers at interview
During the reporting period, we conducted an inspection project to follow up on an inquiry the previous IGIS had carried out in 2013. The inquiry concerned the attendance of legal representatives at ASIO interviews, and related matters.
The 2013 inquiry examined concerns raised by the Refugee Advisory and Casework Service (RACS), which alleged inconsistent and arbitrary practices by ASIO in relation to the attendance of legal representatives at security assessment interviews. The inquiry also considered related issues that arose during the course of the inquiry in respect of ASIO's broader policies and practices for the conduct of voluntary interviews (that is, those which are not conducted under the authority of a questioning warrant or a questioning and detention warrant).
The final report was presented to the Attorney-General in January 2014 and made five recommendations. ASIO agreed to recommendations 1-4 of the report and agreed in part to recommendation 5. In August 2014, ASIO provided advice to the IGIS regarding its implementation of these recommendations.
This inspection project reviewed ASIO's implementation of the inquiry's recommendations, and found that ASIO has implemented the changes recommended in the inquiry. We note that ASIO's policies are now clearer, especially in relation to the presence of third parties at interviews and the voluntariness of the interviews.
We are satisfied ASIO has successfully implemented the recommendations made in the IGIS inquiry.
Inspection of agencies subject to the Intelligence Services Act 2001
Limits on intelligence agencies' functions
The functions of the agencies governed by the Intelligence Services Act 2001 (the ISA) are set out in sections 6, 6B and 7 of the ISA. For example, the main functions of ASIS are to obtain, in accordance with the Government's requirements, intelligence about the capabilities, intentions or activities of people or organisations outside Australia; and to communicate, in accordance with the Government's requirements, such intelligence. The work of ASIS, ASD and AGO is guided by the national intelligence priorities, which are reviewed and agreed by the National Security Committee of Cabinet each year.
The ISA also requires that ASIS, ASD and AGO only perform their functions in the interests of Australia's national security, Australia's foreign relations or Australia's national economic well-being; and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.
All activities undertaken by ASIS, ASD or AGO to produce intelligence on an Australian person require individual consideration and approval by the responsible minister, with the following exceptions:
- intelligence can be produced by ASIS on an Australian person without ministerial authorisation if doing so assists ASIO in the performance of its functions
- 'class authorisations' can be given by the Minister where the intelligence is produced by ASIS in the course of providing assistance to the Defence Force
- subject to conditions, agency heads may give an authorisation in an emergency when ministers are not available.
Ministers are able to direct that other activities require prior ministerial approval, and each Minister has done so. In AGO's case, any intelligence collected over Australian territory requires authorisation by the head of the agency.
Section 15 of the ISA provides that the ministers responsible for ASIS, ASD and AGO must make written rules to regulate the communication and retention of intelligence information concerning Australian persons (privacy rules). The term 'Australian persons' includes citizens and certain permanent residents and companies. The rules regulate the agencies' communication of intelligence information concerning Australian persons to other Australian agencies and to foreign authorities, including to Australia's closest intelligence partners. Communication to foreign authorities is also subject to additional requirements. The privacy rules are unclassified and appear on the agencies' websites. No changes were made to the privacy rules in this reporting period.
Privacy rules require that agencies may only retain or communicate information about an Australian person where it is necessary to do so for the proper performance of each agency's functions, or where retention or communication is required under another Act.
If a breach of an agency's privacy rules is identified, the agency in question must advise the IGIS of the incident and the measures taken by the agency to protect the privacy of the Australian person, or Australian persons more generally. Adherence to this reporting requirement provides us with sufficient information upon which to decide whether appropriate remedial action has been taken, or further investigation and reporting back to the IGIS is required.
The presumption of nationality
The privacy rules require that ASIS, ASD and AGO are to presume that a person located in Australia is an Australian person, and that a person who is located out of Australia is not an Australian person, unless there is evidence to the contrary.
An initial presumption of nationality may be rebutted at a later date. For example:
- new information or evidence may indicate that a person overseas is an 'Australian person'. If it was not reasonable for this information to have been known and considered at the time the initial assessment was made then the presumption of nationality could be rebutted. There would have been no breach of the privacy rules in this circumstance.
- the agency may discover that it was already in possession of evidence that indicated that a person was an Australian person that should have been considered in the initial assessment, or another Australian agency might have possessed that information. In this case the presumption of nationality would be rebutted and if intelligence information had already been communicated about the Australian person there may have been a breach of the privacy rules. There may also be a breach of the ministerial authorisation rules if intelligence collection actually was undertaken.
If the agency made a reasonable assessment of the nationality status of that person, based on all the information that was available at the time, there is no breach of the privacy rules.
Where a presumption of nationality is later rebutted, ASIS, ASD and AGO must advise the IGIS of this and the measures taken to protect the privacy of the Australian concerned.
Inspection of ASIS activities
During 2015–16, we conducted a broad range of inspections of ASIS activities, including examination of:
- operational files
- ministerial authorisations to produce intelligence on Australian persons
- emergency ministerial authorisations
- ASIS's compliance with the privacy rules
- authorisations relating to the use of weapons.
We also examined ASIS's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are set out later in this report.
Review of operational files
Members of our staff visited ASIS several times each month during 2015–16 to review ASIS's operational case files. ASIS activities involve the use of human sources and ASIS officers are deployed in many countries to support a wide range of activities including counter-terrorism, efforts against people smuggling and support to military operations. These activities are often high-risk and sensitive. During the reporting period, we reviewed files relating to ASIS's operational activities in a diverse range of countries where ASIS has a presence.
These inspections provide a deep insight into the operational environment in which field staff operate, the extent to which staff in ASIS headquarters evaluate risk and guide sensitive activities, and often, an indication of the health of inter-agency relations.
While the sensitive nature of ASIS's operational activities means that we cannot describe in detail the nature and range of issues arising from these inspections in a public report, we can confirm that these reviews are thorough and rigorous.
The insertion of section 13B into the ISA during the previous reporting period allows ASIS to produce intelligence on an Australian person, or a class of Australian persons, in support of ASIO's performance of its functions, without first obtaining authorisation from the Minister for Foreign Affairs. For this power to be enlivened ASIO needs to give ASIS a notice saying that it requires the production of intelligence on the Australian person or class of Australian persons. Alternatively, an authorised ASIS officer must reasonably believe that it is not practicable in the circumstances for ASIO to notify ASIS before the intelligence about the Australian(s) can be collected. We continued to monitor closely the use of these powers throughout 2015–16, primarily through our regular operational file inspections.
Ministerial authorisations to produce intelligence on Australian persons
The majority of ASIS ministerial submissions reviewed were of a high standard.
ASIS self-reported that in September 2015, at the request of ASIO, it had passed intelligence information on Australian persons to a foreign liaison without applying the appropriate privacy rules. The information passed included a request for information beyond the current holdings of the foreign liaison on the two Australian persons, without obtaining the appropriate authority to do so. Although we were assured that no intelligence was produced, this activity did not comply with the requirements in sections 8(1)(a)(i) or 13B(1) of the ISA to obtain an appropriate authority to undertake an activity, or series of activities, for the specific purpose, or purposes which include the specific purpose, of producing intelligence on an Australian person.
Under section 10A(2) of the ISA, ASIS is required to provide the Minister with a written report in respect of each activity carried out in reliance on an authorisation provided under section 9, 9A or 9B. In November 2015, ASIS advised us of two occasions when it did not advise the Minister within the required three-month timeframe. In both instances, assessments provided by ASIO to ASIS indicated that the individual Australians were deceased, and consequently the grounds for the ministerial authorisation ceased as the person was no longer an Australian person for the purpose of the Act. ASIS also wrote to the Minister for Foreign Affairs and this office providing further details of the matter and the steps taken to mitigate the risk of this reoccurring.
During 2015–16, there were two instances where ASIS sought a renewal of an existing ministerial authorisation that was not signed within the required period for renewal. In each case the renewal was signed the day after the authorisation ceased to have effect, which meant that in practice there was no 'gap' in authorisation.
As a result of queries we raised in a previous reporting period, ASIS advised that it had investigated two historical cases where it had collected intelligence on Australian persons without appropriate authorisation and therefore was not compliant with section 8 of the ISA.
One of those cases involved an agent seeking information from a contact, an Australian person, about the activities of various associates. Although the information collected directly related to non-Australian persons, the information inadvertently also related to the Australian contact.
The other matter related to activities that occurred between 2007 and 2011. Although the sensitive nature of these activities means we cannot detail the nature and range of issues, we are confident that the policies, guidance and training that ASIS has developed since this case, in consultation with this office, are appropriate mitigation strategies to reduce the likelihood of future failures of this kind.
Emergency ministerial authorisations
No issues were identified with ASIS's use of emergency ministerial authorisations during the reporting period.
Only one emergency ministerial authorisation was issued by the Minister during the reporting period. ASIS notified us promptly in accordance with the formal reporting requirements set out in the ISA.
During 2015–16 ASIS did not use the provision that allows an agency head to give an authorisation in an emergency when the Minister is not available.
Compliance with privacy rules
During our regular inspection activities we pay close attention to ASIS's distribution of intelligence about Australian persons.
ASIS continued to modify its guidelines and training on producing intelligence on Australian persons, incorporating strategies to mitigate the risk of unintentionally reporting on Australian persons.
Throughout 2015–16, there were a number of occasions identified where the privacy rules were not applied to reporting on an Australian person or company due to either human or technical error. In some of these cases, information had been communicated to a foreign liaison without the application of the privacy rules and without approval under ASIS internal policy. Although we identified some of these occasions during routine operational file inspections, most issues were self-reported by ASIS as a result of raised awareness of the issue amongst ASIS staff following increased compliance training.
ASIS reported five occasions in 2015–16 where the 'presumption of nationality' was rebutted; that is, information that an individual was actually an Australian person came to light and the privacy rules were retrospectively applied to reporting. In these instances there was no breach of the rules as the presumption of nationality was reasonable at the time it was applied and the information suggesting the person was Australian was not available at that time.
ASIS advised that during the reporting period there were five cases where, at the request of ASIO, it had passed intelligence information on Australian persons from ASIO to a foreign liaison without applying the appropriate privacy rules. In each instance we were satisfied that ASIS had implemented appropriate remediation measures.
Authorisations relating to the use of weapons
Schedule 2 of the ISA requires the Director-General of ASIS to provide the Inspector-General with:
- copies of all approvals issued by the Minister for Foreign Affairs in respect of the provision of weapons and the training in and use of weapons and self-defence techniques in ASIS
- a written report if a staff member or agent of ASIS discharges a weapon other than in training.
This reporting requirement was met during 2015–16 and we were satisfied that the need for a limited number of ASIS staff to have access to weapons for self-defence in order to perform their duties was genuine.
We conducted an inspection of ASIS weapons and self-defence training records in April 2016. The inspection found that ASIS's governance and recordkeeping on this matter continued to be effective, with no breaches of the ISA or non-compliance with the ASIS internal weapons guidelines noted during the reporting period.
Inspection of ASD activities
During 2015–16, we conducted a broad range of inspections at ASD, including examination of:
- ministerial authorisations to produce intelligence on Australian persons
- cancellations and non-renewals of ministerial authorisations
- selected ministerial authorisations for in-depth inspection
- ASD's compliance with the privacy rules
- compliance incident reports.
We also examined ASD's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are reported separately later in this report.
During 2015–16, we continued to inspect the large majority of ASD's ministerial authorisations to produce intelligence on an Australian person.
In the previous reporting period, we noted that a number of ministerial authorisations that were identified for renewal lapsed for a period of time before being renewed. Legally, intelligence collection activities had to be suspended until a new authorisation was obtained. In the cases reviewed toward the end of the last reporting period, it appeared that this issue was caused by the delay in finalising the submission to the Minister while awaiting information from another agency.
We continued to monitor this issue in 2015–16. While we noted a similar number of occurrences, we are satisfied that ASD, which also administers the ministerial authorisation process for AGO, has appropriate policies and procedures in place to manage the ministerial authorisation renewal process. Requests for the information and documents required in support of the ministerial authorisation process are made in a timely manner and factor in reasonable time frames for response. We have noted an improvement in the information provided to the Minister in these circumstances, in line with the feedback we provided.
Ministerial authorisations – cancellations and non-renewals
A ministerial authorisation may be cancelled by the Minister as a result of a change of circumstances or it may expire at the end of the authorisation period. In either case, there is a requirement for agencies to report to the Minister within three months on activities conducted in accordance with the authorisation.
During the 2015–16 reporting period, we identified an issue in relation to the detail provided to the Minister in post activity reporting for both ASD and AGO. We are satisfied that in each case this was an isolated occurrence and was not indicative of any systemic problem. This matter is also reflected in our reporting below in relation to AGO.
Ministerial authorisations – in-depth inspections
During the reporting period, we commenced a new process of in-depth reviews on a small sample of ministerial authorisations. These in-depth reviews looked at the internal procedures of ASD teams for developing and reviewing the submissions which are ultimately presented to the Minister, the detail of the supporting intelligence, and the accuracy of this information as presented to the Minister.
In one of the matters reviewed, we noted that one aspect of the reporting relied upon in a submission to the Minister was significantly older than the remainder of the reporting, and that the submission did not make this distinction clear to the Minister. We considered that this was not material to the decision made by the Minister in this instance. Nevertheless, to ensure that the Minister is provided with a clear and accurate understanding of the situation described, we recommended that any significant difference in the currency of the information relied on should be brought to the attention of the Minister. ASD has accepted this recommendation.
Another in-depth review identified that a key preliminary decision was not made in accordance with the normal procedure. This decision was reviewed and we were satisfied that, despite the departure from normal procedures, the decision was made in a manner consistent with ASD's obligations under the ISA and the intention of internal policies. The preliminary decision-making process in another matter highlighted varied interpretations, at the working level, of how to assess whether or not ASD had a purpose to produce intelligence on an individual.
Noting the issues highlighted by these reviews, we commenced a regular inspection of ASD's preliminary decision-making processes in relation to ministerial authorisations. These inspections have not identified any issues of concern.
ASD compliance with privacy rules
In accordance with its obligations, ASD continued to report to the IGIS cases where a presumption that a person was not Australian had later been found to be inappropriate, and the measures taken to protect the privacy of the Australian person involved.
In all cases where a presumption that a person was not Australian was made and rebutted at a later date, we considered that the application of the presumption was reasonable based on the information available to ASD at the time. The actions taken by ASD, including actions to ensure that other intelligence agencies were informed that the subject was an Australian person, were appropriate and consistent with the privacy rules. We made one recommendation to ASD in relation to the detail contained in its reporting of rebuttals of presumptions of nationality. This recommendation was accepted and implemented during the reporting period.
Compliance incident reports
There were a small number of compliance incident investigations ongoing at the time the previous IGIS annual report was prepared. These matters were finalised in this reporting period and have been incorporated into this report.
In April 2015, ASD advised the IGIS that it had failed to report activities conducted in accordance with a ministerial authorisation within the three-month reporting timeframe stipulated by the ISA. An internal review was conducted and a report provided to the IGIS in October 2015. The circumstances of the incident were unique and highly sensitive, and while a formal report was not provided within the required timeframe, ASD had informally engaged with the Minister and the Minister's office in relation to the authorised activity. A formal report to the Minister was provided a short time later. A similar breach of the same ISA requirement occurred in March 2016, again in relation to a highly sensitive matter. While we are satisfied that the circumstances of each of these incidents were unique, we are pleased that ASD is revising its internal procedures in relation to the management of highly sensitive authorisations to reduce the likelihood of any further breaches of this requirement.
In February 2016, ASD advised that on three occasions it had conducted activities with the purpose of producing intelligence in relation to an Australian person without prior authorisation from the Minister for Defence and therefore in breach of the ISA.
On one occasion, a failure to take into account all of the information available resulted in the conduct of an unauthorised activity. This error in ASD's preliminary processes was identified internally and reported to our office.
The second incident involved the continuation of an activity beyond the expiry of the ministerial authorisation. ASD had taken steps to cease its activities in advance of the expiry of the authorisation; however, because of a failure in internal processes, one aspect of its activities continued for an additional four days. ASD advised that internal guidance and procedures will be updated to address these failures in process. We will continue to monitor the implementation of the recommendations arising from these incidents.
The third matter was identified by an internal audit, which detected an historical breach of the ISA. This incident occurred between 2010 and 2014 as a result of a failure by ASD to follow appropriate record keeping practices, an issue that we previously reviewed and reported on in more detail in the 2013–14 Annual Report. We are pleased that ASD has continued with a proactive process of internal review and continues to report legacy issues to us where they are identified. We are satisfied with the additional technical safeguards implemented by ASD in conjunction with compliance guidance and training for staff in relation to this type of record keeping.
In May 2015, ASD became aware that individuals who were not authorised under the Telecommunications (Interception and Access) Act 1979 (TIA Act) had conducted a testing activity. ASD's internal investigation of this breach was not finalised until early in this reporting period. The investigation determined that the personnel involved in the activity were aware of the legislative requirements and had assumed that the required authorisation was in place. In response to this breach ASD decided that a dedicated officer would be appointed within the areas that conduct testing activities to oversee compliance with legislative and policy requirements. These appointments are being made and we are regularly involved with the training of appointees. ASD has also updated its internal guidance to reflect the lessons learnt. We are satisfied with the management of this incident and the actions taken to prevent reoccurrence.
Where the Attorney-General gives a testing authority under the TIA Act, ASD is required to provide a report on activities conducted under the authority within three months of expiration. In May 2015, ASD identified that a report had been prepared within the required timeframe, but because of a series of administrative errors, the report was not submitted until two months after the reporting deadline had passed. ASD highlighted the breach of the TIA Act reporting requirements to the Attorney-General when the report was submitted. ASD conducted an internal review of this matter and provided a report to us in August 2015. We are satisfied with the improvements made to ASD's internal administrative arrangements in response to this incident and have observed that all subsequent reports for this reporting period have been submitted within the required timeframe.
ASD also advised us that, in September 2015, it had collected intelligence in breach of the TIA Act. The breach was identified internally and immediate action was taken in response. The breach was the subject of an internal investigation, which we reviewed. The internal investigation determined that an analytical oversight was the cause of the breach. We agree with this assessment and are satisfied that there were no underlying systemic issues that contributed to the incident. We are satisfied that ASD has taken appropriate steps, including updates to internal training, to prevent a similar oversight in the future.
Inspection of AGO activities
During 2015–16, we conducted a broad range of inspections at AGO, including examination of:
- Director's approvals of intelligence collection activities in relation to Australian territory
- ministerial authorisations to produce intelligence on Australian persons
- cancellations and non-renewals of ministerial authorisations
- AGO's compliance with the privacy rules.
During the reporting period, the Inspector-General conducted a visit to AGO's Bendigo facility and met with staff to discuss the capabilities and the scope of ongoing work to be conducted from Bendigo.
We also examined AGO's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are set out later in this report.
Director's approvals and post activity reporting
The Minister for Defence requires the Director of AGO personally to approve AGO intelligence collection activities undertaken in relation to Australian territory. The Director of AGO provides a report on these authorisations to the Minister for Defence quarterly. Additionally, a post activity compliance report is provided to the Director of AGO in relation to each approval. Our staff reviewed a significant sample of the post activity compliance reports provided to the Director of AGO during the reporting period.
The approval provided by the Director is often subject to conditions. During 2015–16, we identified two issues in relation to compliance with the conditions imposed by the Director. An administrative oversight in the drafting of one approval resulted in the imposition of a condition that was inconsistent with the intent of the Director's approval. In another matter, the post activity compliance report did not specifically refer to compliance with the conditions imposed. A review of a sample of the activities conducted under the approval confirmed that the conditions had been met. AGO have accepted the recommendations our office made regarding its administrative processes in relation to conditions imposed on an approval by the Director and we are satisfied that AGO's subsequent actions are appropriate to address this issue.
AGO is required to seek authorisation from the Minister for Defence to produce intelligence on an Australian person. This authorisation is ordinarily requested in conjunction with ASD. During 2015–16, we inspected the large majority of AGO's ministerial authorisations.
Late in the 2014–15 reporting period, AGO advised us that a draft intelligence report had been developed on the basis of information voluntarily provided by an Australian person prior to the Minister giving an authorisation. The internal review of this matter was concluded in July 2015 and reported to us. It was identified that appropriate internal policies and procedures were in place but had not been followed. We noted that AGO staff identified the issue on the same day the draft report was developed. We consider that the remedial actions taken were appropriate in the circumstances.
Our office made one recommendation in relation to this matter which was accepted by AGO.
Ministerial authorisations – cancellations and non-renewals
A ministerial authorisation may expire at the conclusion of the authorisation period or be cancelled by the Minister as a result of a change of circumstances. In either case, there is a requirement for agencies to report to the Minister within three months on activities conducted in accordance with the authorisation.
During the 2015–2016 reporting period, we identified an issue in relation to the detail provided to the Minister in post activity reporting for an authorisation for both AGO and ASD. We are satisfied that this was an isolated occurrence and not indicative of any systemic issues. This matter is also reflected in our reporting in relation to ASD above.
AGO compliance with privacy rules
The Minister for Defence makes written rules designed to ensure the privacy of Australian persons or entities where intelligence has been collected about them. These rules regulate the communication and retention of intelligence information in relation to Australian persons and entities.
During the reporting period, AGO identified a historical breach of these rules, promptly notified us and conducted an internal review. In satisfying ourselves that the remedial action taken by AGO in relation to this matter was appropriate, we considered the developments in AGO internal policies and training since the breach occurred, as well as the specific response to this incident.
While working on a task in support of another intelligence agency during the 2015–16 reporting period, AGO revised nationality assessments for companies but did not advise its partner agency. We commend AGO's diligence in continuing to reassess issues of nationality as new information becomes available, but it is important that, where appropriate, this information is shared between agencies to ensure that there is a consistent approach to compliance and the protection of the privacy of Australian persons. AGO have accepted our recommendations on this issue.
Inspection of DIO activities
As has been the practice of this office over a number of years, during the reporting period we continued to exercise a 'light touch' inspection regime with respect to DIO. Our rationale for this is that, as DIO is an assessment agency (that is, it does not directly collect intelligence information), its activities are far less likely to intrude into the personal affairs of Australian persons than the activities of intelligence collection agencies.
During 2015–16, we conducted inspections examining:
- DIO's compliance with its privacy guidelines
- a range of sensitive assessments published by DIO which are distributed to key decision makers
- special briefings.
We also examined DIO's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are reported separately later in this report.
Compliance with privacy guidelines
We aim to review the compliance of DIO with its privacy guidelines at least twice a year. In 2015–16 we undertook two such inspection visits to review relevant DIO records.
These inspections revealed that DIO is generally compliant with the requirements of its privacy guidelines and that the agency continues to take its privacy responsibilities seriously.
To the extent that non-compliance issues were identified, these tended to be relatively minor and administrative in nature and there was no evidence that intelligence was passed in breach of the guidelines.
In addition to our bi-annual inspection visits, DIO will, as circumstances demand in individual cases, seek a waiver from the Inspector-General to vary the way in which it records instances where the DIO privacy guidelines have been invoked to justify the disclosure of intelligence information about an Australian person.
These requests are typically made when it is anticipated that the information in question is likely to be time critical, and passage of that information to intended recipients should not be delayed while usual processes are followed. The IGIS granted four such waivers during the reporting period. Relevant records were kept and reviewed in each instance, and no issues of concern were identified.
Other inspection activities
As an assessment agency, DIO produces a range of products that contain its assessments of various topical and enduring issues. The IGIS monitors this output, with a view to informing our periodic reviews of the analytical integrity of DIO's products.
The Inspector-General is not empowered to receive complaints about DIO; however, if made aware of matters that would reach our office's complaint threshold, the Inspector-General has the capacity either to make administrative inquiries of DIO or, where appropriate, to initiate an 'own motion' inquiry.
The Inspector-General became aware of a complaint that was aired in the media in the second half of the reporting period. The complaint alleged that during a training event a number of years earlier, several DIO military personnel had been involved in conduct raising issues of concern. The matter was investigated by this office; however, the IGIS concluded that there was insufficient basis to justify an inquiry.
Inspection of ONA activities
We also exercised a 'light touch' inspection regime with respect to ONA during the reporting period. We did so because ONA is an assessment agency and its activities are consequently less likely to intrude upon the personal affairs of Australian persons than those of the intelligence collection agencies.
During 2015–16, we conducted inspections examining:
- ONA's compliance with its privacy guidelines
- a wide range of sensitive assessments published by ONA which are distributed to key decision makers
- special briefings.
We also examined ONA's access to sensitive financial information under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. The results of these inspections are reported separately later in this report.
Compliance with privacy guidelines
We intend to review the compliance of ONA with its privacy guidelines by reviewing its relevant records at least twice a year. In 2015–16, we undertook two such inspections.
The first of these inspections identified a number of interpretative and administrative errors. While this was concerning to us, it should be noted that none of these errors led to intelligence information about an Australian person being disseminated without there being an appropriate underlying basis for doing so.
As a consequence of this first inspection activity, ONA instituted a number of process changes to its business rules for the completion of privacy guidelines compliance sheets. ONA also put in place a centrally located quality assessor to ensure that the guidelines are properly interpreted and applied.
More rigorous justifications are now provided in those instances where it is necessary to refer to Australian persons in ONA products and communications. Following these changes, our second inspection of the year found no errors of any consequence.
In addition to these changes, the Director-General of ONA has initiated a review of ONA's existing privacy related guidance and is developing a revised training package to be delivered to relevant staff. We commend the positive and responsible response of the Director-General of ONA to our earlier inspection concerns.
Other inspection activities
ONA produces a wide range of products that contain its assessments of various topical and enduring issues. The IGIS monitors this output, with a view to informing our periodic reviews of the political independence of the assessments contained in ONA's products.
Cross-agency inspections
During the reporting period, we conducted inspections and projects which covered activities common to a number of agencies.
Use of assumed identities
Part 1AC of the Crimes Act 1914, and corresponding State and Territory laws, enable ASIO and ASIS officers to create and use assumed identities for the purpose of carrying out their functions. The legislation protects authorised officers from civil and criminal liability where they use an assumed identity in circumstances that would otherwise be considered unlawful. Similarly, the legislation protects the Commonwealth, State and Territory agencies responsible for providing the evidence of an assumed identity in accordance with the Act.
The legislation also imposes reporting, administration and audit regimes on those agencies using assumed identities. This includes the Crimes Act 1914 section 15LG requirement that ASIO and ASIS each conduct six-monthly audits of assumed identity records, and the section 15LE requirement that each agency is to provide the IGIS with an annual report containing information on the assumed identities created and used during the year. The Director-General of Security and the Director-General of ASIS provided us with reports covering the activities of their respective agencies for the 2014–15 reporting period. There was nothing in the reports to suggest that the agencies were not complying with their legislative responsibilities, or which otherwise caused concern.
During the reporting period, we conducted an inspection project focused on a specific intelligence operation conducted jointly by a team of ASD and ASIS personnel. The project reviewed the operation from the identification of the intelligence requirement, through to the planning, approval and conduct of the operation. We were satisfied that the operation was conducted appropriately and in accordance with the law. The records of the operation showed that key decisions made throughout the conduct of the operation and the reasons for those decisions were soundly based.
A focus of our future activities will be revising our inspection activities in light of the increasing resources available to ASD under the 2016 Defence White Paper and Cyber Security Strategy. The allocation of our resources must be responsive to organisational and capability changes within the agencies.
Foreign Intelligence Collection review
During the reporting period, we undertook a project to review a sample of completed Foreign Intelligence Collection (FIC) warrants (including warrants requested, executed and reported). This inspection project involved a whole-of-Australian Intelligence Community FIC warrant inspection. The project accessed information from ASIO, ASD, ASIS and ONA. We noted that some of the information provided to us by some of the agencies was outdated or not comprehensive.
The project found that, overall, the FIC warrant process is managed well and there were no substantial issues of concern. The IGIS recommended the agencies involved ensure that comprehensive and up-to-date guidance is available for all staff involved in the FIC warrant process.
We completed a project during 2015–16 to increase our understanding of governance arrangements for joint teams and joint positions involving one or more Australian intelligence agencies. Two joint teams were selected for the project. We were comfortable with the processes and systems in place for recording details of information exchanges; however, the project found that each joint team is quite different. For that reason, it is difficult to reach any broad conclusions or draw comparisons between the governance arrangements without undertaking an extensive review of a range of joint teams. Resources permitting, this is a possible area for future projects or inspections.
Work Health and Safety Project
During the reporting period, our office considered how ASIO and ASIS applied section 12C of the Work Health and Safety Act 2011 (the WHS Act). This section enables these agencies, in the course of maintaining Australia's national security, to exempt themselves from certain reporting required by the WHS Act. Our inspections extended to examining any records, reports, policies and guidelines relevant to the exemption.
Both ASIO and ASIS have written declarations outlining circumstances in which the exemption could be applied, focusing, among other things, on exempting reporting and post-incident investigations in order to protect national security material. Both declarations detail exemptions and modifications of certain other provisions within the WHS Act.
We found that both declarations and the accompanying policies and procedures were sound and appropriate.
Access to sensitive financial information by intelligence agencies
The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (the AML/CTF Act) provides a legal framework within which designated agencies are able to access and share financial intelligence information created or held by the Australian Transaction Reports and Analysis Centre (AUSTRAC). All intelligence agencies and our office are designated agencies for the purposes of the AML/CTF Act.
In 2012, the Inspector-General entered into a memorandum of understanding with AUSTRAC in relation to monitoring the intelligence agencies' access to, and use of, AUSTRAC information.
In overseeing the agencies' use of AUSTRAC information, we check that there is a demonstrated intelligence purpose pertinent to the agencies' functions, that access is appropriately limited, searches are focussed, and information passed to both Australian agencies and foreign intelligence counterparts is correctly authorised.
During 2015–16, in accordance with the memorandum of understanding, the IGIS reported to the responsible ministers on the outcome of compliance monitoring activities in each of the agencies concerning their access to, and use of, AUSTRAC information in the previous reporting period.
In 2015, we conducted an inspection project to examine how ONA, ASIS and ASIO, as part of their in-house vetting, obtained approval to access financial information from the co-holder of a jointly held account. Advice was also sought from the Australian Government Security Vetting Agency for comparison purposes. In summary, the project found that all agencies sought approval from a co-holder to access jointly held financial information.
We conducted regular inspections of ASIO's access to AUSTRAC material during 2015–16. In our previous report we noted our ongoing interaction with ASIO regarding two inconsistent internal policies relating to the setting of search limitations. This issue was subsequently resolved.
During our inspections we identified only a limited number of compliance issues. These issues included:
- typographical errors in ASIO's searches of an AUSTRAC database, such as misspelling a name
- AUSTRAC information provided to the requesting officer that exceeded the parameters of the request.
These issues were addressed appropriately by ASIO staff.
We conducted inspections of ASIS records in September 2015 and March 2016. The inspections found that ASIS's governance and recordkeeping on this matter continued to be effective, with no breaches of the ISA or non-compliance with the ASIS guidelines in relation to the use of AUSTRAC material noted during the reporting period.
Our AUSTRAC inspection activities in relation to ASD during 2015–16 were facilitated by an annual compliance statement provided to our office by ASD. Our inspection activities identified no issues of legality or propriety in relation to ASD's access to or use of AUSTRAC information. ASD has clear internal guidance in place for the management and use of AUSTRAC information, which was complied with during the reporting period.
Our AUSTRAC inspection activities in relation to AGO during 2015–16 were facilitated by an annual compliance statement provided to our office by AGO. Our inspection activities identified no issues of legality or propriety in relation to AGO's access to or use of AUSTRAC information.
Our AUSTRAC inspection activities in relation to DIO during 2015–16 were facilitated by a comprehensive internal review conducted by DIO. We noted one breach of the AUSTRAC-DIO memorandum of understanding during the reporting period in relation to the dissemination of information to an official within DIO who did not work within one of the designated analytic branches authorised to receive AUSTRAC data. We are satisfied that steps are being taken, through the implementation of internal guidance and the renegotiation of the memorandum of understanding with AUSTRAC, to reduce the chance of reoccurrence. We will continue to monitor the suitability of these measures through annual inspection activities.
We identified no significant concerns with ONA's access to and use of AUSTRAC related data during the reporting period. Where issues of a compliance nature were identified, we were satisfied that steps were being taken, through the implementation of internal guidance, to reduce the chance of reoccurrence. We will continue to monitor the suitability of these measures through annual inspection activities.