Inspection of ASD activities
During 2016–17 the office inspected a number of ASD activities, including:
- ministerial authorisations to produce intelligence on Australian persons
- ASD's compliance with the privacy rules
- compliance incident reports
- cyber activities
- ASD's access to sensitive financial information (discussed later in the report).
These inspections are supplemented by briefings on various matters across the year either at the request of this office or at the instigation of ASD. These briefings and subsequent investigations allow the office to stay abreast of emerging issues, and to pursue trends observed during inspections.
In this reporting period a significant focus for the office was an inquiry into ASD's interception of certain telecommunications outside authorised parameters. The ASD inquiry was labour intensive, and completing it alongside the inquiry into the analytic independence and integrity of DIO meant diverting some staff from ASD inspections. Consequently, the office reviewed fewer ministerial authorisations to produce intelligence on Australian persons than in the previous reporting period, and was not able to complete any in-depth inspections of these authorisations.
Ministerial authorisations to produce intelligence on Australian persons
During 2016–17 the office inspected about two-thirds of ASD's ministerial authorisations, down slightly on the previous reporting period. The submissions were generally of a high standard. In some cases, however, the office was able to suggest possible improvements for future submissions to the Minister. These matters were not significant, and ASD's response to these suggestions was appropriate.
When ASD seeks to renew a ministerial authorisation there can be a period between the expiry of the previous authorisation and approval of the renewal during which ASD must not attempt to produce intelligence or engage in other activities relating to the subject of the ministerial authorisation. In such cases IGIS officers investigate whether ASD ceased relevant activities during the relevant period. The office identified only one case where ASD conducted an activity during a short period between the expiry and renewal of the authorisations. ASD accepted the finding and its investigation into the incident was ongoing at the end of the reporting period.
A change of circumstances may prompt the Minister to cancel a ministerial authorisation, or it may expire at the end of the authorisation period. In either case, within three months ASD is required to provide the Minister with a report on its activities that relied on the authorisation. We reviewed a number of these cancellation and non-renewal reports and did not identify any concerns.
Emergency ministerial authorisations
Situations may arise where, as a matter of urgency, ASD requires a ministerial authorisation to undertake certain activities. Emergency authorisations may be provided orally by the Defence Minister or, where the Defence Minister is unavailable, by other select ministers; if the ministers are not readily available, the Director ASD can authorise such activities. Emergency authorisations are valid for only 48 hours, after which ASD requires a new authorisation if it is to continue the relevant activity.
One emergency ministerial authorisation was issued for ASD during the reporting period. This authorisation is associated with an ASD compliance incident report provided to this office on 30 June 2017. This office will report on this matter in the next reporting period.
Protecting the privacy of Australian persons
The Minister for Defence makes written rules, the Rules to Protect the Privacy of Australians, to regulate how ASD communicates and retains intelligence information concerning Australian persons. ASD is required to report to this office any breaches of the privacy rules, and during inspections IGIS staff pay close attention to ASD's compliance with the privacy rules and to its distribution of intelligence about Australian persons. In accordance with its obligations under the privacy rules, ASD has continued to report cases where the presumption that an individual is not an Australian is subsequently rebutted and the person is shown to be Australian. These reports include details of the measures taken to protect the privacy of that person. In all such cases reported to this office by ASD, the presumption of nationality was reasonable based on the information ASD had at the time. The actions taken by ASD, including informing other intelligence agencies that the person is Australian, were appropriate and in accordance with the privacy rules. To ensure there are adequate safeguards to protect the privacy of Australians, ASD has also consulted with this office in relation to such matters as expanding information sharing with other countries.
There was one breach of the privacy rules, which occurred at the end of 2015–16 but was reported to this office in 2016–17. This breach resulted from human error where intelligence information on an Australian person was not removed from a wider dataset that was passed to a foreign intelligence agency. The office accepted ASD's account of this case, and was satisfied with the remedial actions ASD took to minimise the risk of this recurring.
Before being informed of this breach, the IGIS was briefed on ASD's procedures to redact information about Australians. The circumstances detailed in that briefing were similar to those of the breach; however, the breach was not raised. The IGIS subsequently raised with Director ASD the need for ASD staff to be more candid in any future briefings. A lack of timely, detailed advice was also an issue in relation to the compliance incident report that prompted this office to undertake the inquiry into ASD. Subsequently, in the latter part of 2016–17, there has been a marked improvement in the openness of ASD's reporting and in its timeliness.
Compliance incident reports
Where ASD identifies matters involving breaches of legislation and significant or systemic matters of non-compliance with ASD policy, these are investigated by ASD and reported to the IGIS in compliance incident reports. This office reviews these reports and undertakes an investigation of the incident where necessary. ASD provided four such reports during 2016–17; one of these was provided on 30 June, and the results of our review will be reported in the next annual report.
In August 2016 ASD advised this office of its investigation into an incident that involved sharing certain types of data in support of operations in Afghanistan. The data intended to be shared included some data that ASD was not authorised to share. There was no resultant legislative breach as technological safeguards ultimately prevented non-compliant data from being shared. The ASD investigation made recommendations to improve the management of information sharing. This office was satisfied with ASD's investigation and remedial action proposed to prevent recurrence.
There was another incident in August 2016 after ASD collected intelligence about an individual in breach of the Telecommunications (Interception and Access) Act 1979. The Inspector-General formed the view that the cause of this breach was a failure to follow extant policies and procedures with the requisite care but was satisfied with the remedial actions proposed and implemented by ASD.
In December 2016, ASD reported on three breaches of the Telecommunications (Interception and Access) Act 1979. The configuration of an ASD collection system had led to it collecting certain telecommunications beyond the scope of the relevant warrant. In doing so ASD had relied on legal advice to the effect that communications beyond the scope of the warrant could be lawfully collected provided they were later destroyed. This led to the IGIS inquiry into the matter; the inquiry report was finalised and submitted to all relevant parties several weeks after the end of the current reporting period.
Among the concerns discussed in the report was the adequacy and timeliness of ASD's communications about the issues including to Ministers and to this office. An initial communication merely stated that there had been a breach but did not give any further details. It was some months before additional details were provided. This was not consistent with the written guidance given to ASD about IGIS reporting expectations nor was it consistent with this office's reliance on agencies proactively reporting issues of legality and propriety. Since this issue was drawn to ASD's attention, which was well before the inquiry was completed, it has been gratifying to record that there have been noticeable improvements in the reporting on compliance matters to this office. The final report was submitted to all relevant parties some weeks after the end of the current reporting period. It contained classified recommendations designed to improve communications and prevent any future such issue.
As at 30 June ASD had also reported four additional breaches of the ISA and Telecommunications (Interception and Access) Act 1979. These matters were being investigated and will be reported on in the next annual report.
In October 2016 this office concluded an inspection project in relation to ASD computer network operations, including sensitive cyber operations in support of ADF operations in Iraq and Syria. The project noted that ASD's offensive cyber capabilities are evolving rapidly and the governance frameworks underpinning some areas are still developing. This project found guidance in place at the time was appropriate and followed by staff, and no issues of legality or propriety were noted. This office continues to maintain an interest in the cyber activities of ASD.