Activity 2 Inspections

ABOUT INSPECTIONS

The office regularly examines selected agency records to ensure that the activities of the intelligence agencies comply with the relevant legislative and policy requirements and to identify issues before there is a need for major remedial action. These inspections include IGIS staff directly accessing electronic records, reviewing hardcopy documentation as well as retrieving and checking information independently.

Inspections concentrate on the potential impact of intelligence collection on the privacy of Australians. For this reason our inspections mainly focus on the activities of ASIO, ASIS, AGO and ASD, each of which has intrusive powers and investigative techniques. Inspections relating to DIO and ONA are generally limited to ensuring that their assessments comply with administrative privacy guidelines, and that their independence is not compromised. The small size of the office compared to the size of the agencies the office oversees, combined with the breadth and complexity of the operations of intelligence agencies, means that the office has to be well informed to target our inspection activities to the areas of highest potential risk.

Inspections of these agencies focus on whether the agency is acting in accordance with its statutory functions, its compliance with any guidance provided by the responsible Minister and its own internal policies and procedures. Inspections may consist of routine inspections and inspection projects that target specific issues as determined by the Inspector-General.

PERFORMANCE SUMMARY

Undertaking comprehensive inspection and program of visits to monitor and review intelligence agencies' operational activities.

Performance criteria: Range of inspection work undertaken.

Targets: Inspection of at least 75% of each agency's activity categories.

Other activity measures: N/A.

Source: Portfolio Budget Statements 2017-18, p.257, IGIS Corporate Plan 2017-21, p. 5.

The IGIS PBS provides for performance to be measured by both quantitative and qualitative information. One performance indicator listed in both the IGIS PBS 2017-18 and IGIS Corporate Plan 2017-21 is "range of inspection work undertaken", with the associated quantitative target of inspecting at least 75% of an agency's activity categories. The categories are determined by the Inspector-General and are based on the underlying functions of the agency laid down in the relevant legislation, namely, the ISA for AGO, ASD and ASIS; the ASIO Act for ASIO; and the ONA Act for ONA. The role of DIO is set out in a mandate agreed by the Minister for Defence, rather than in legislation. As a result, and given it is an assessment agency without the intrusive powers of the collection agencies, activity categories for DIO have been established with reference to its mandate, organisational structure and product types.

A summary of this office's performance is outlined in the following table.

Figure 2.4: Performance indicators - Inspections

| Agency | Number of activity categories | Activity categories inspected | Outcome |
|---|---|---|---|
| ISA agencies and ASIO | | | |
| AGO | 8 | 7 | Target achieved |
| ASD | 6 | 6 | Target achieved |
| ASIS | 8 | 8 | Target achieved |
| ASIO | 7 | 6 | Target achieved |
| Assessment agencies | | | |
| DIO | 4 | 4 | Target achieved |
| ONA | 3 | 1 | Due to staffing constraints the target was not achieved. |

INSPECTION OF ASIO ACTIVITIES

ASIO's activities have been categorised based on the functions of the agency set out in section 17 of the ASIO Act, namely:

  • intelligence collection
  • intelligence communication
  • advice about security of Ministers and Commonwealth authorities in relation to their functions and responsibilities
  • furnishing security assessments to States and state authorities
  • advice to Ministers and Commonwealth authorities about protective security
  • collection of foreign intelligence
  • co-operation with and assistance to other agencies

During this reporting period the ASIO inspection team met the office target of inspecting at least 75% of ASIO's activity categories. Priority was given to reviewing the Organisation's intelligence collection activities, its security assessments and advice to Ministers on security matters. There were no inspections of ASIO's provision of advice relating to protective security.

An ASIO operation which is the subject of a current inquiry pursuant to section 8(2) of the IGIS Act, is reported separately (see page 14).

REGULAR INSPECTIONS OF INVESTIGATIVE CASES

It is not possible to monitor all ASIO activities. Accordingly, IGIS staff inspect a sample of activities selected on the basis of risk and available resources. IGIS staff have direct access to some of ASIO's information technology and records management systems. During the reporting period, IGIS staff liaised with ASIO to acquire increased direct access to ASIO systems beyond that granted in the previous reporting period. The increased direct access improved our ability to view and analyse a wider range of ASIO's records without relying on ASIO providing the required documents.

Throughout the reporting period IGIS staff concentrated on reviewing those cases involving the most intrusive methods and activities, as well as those activities that presented an increased likelihood of non-compliance with legislation or policy – for example, warrants approved by the Attorney-General, access to prospective data authorisations, and investigative activity targeting minors. Inspections of ASIO's investigative cases focused on:

  • the legality of ASIO's activities
  • the propriety of the investigative activities being proposed and undertaken
  • compliance with Ministerial guidelines
  • compliance with internal policies and procedures

The Organisation proactively provided an increased number of briefings to the office compared to the previous reporting period. The briefings covered a wide range of topics including new capabilities, new initiatives and areas of risk.

Deficiencies in record keeping were evident in almost all areas inspected in ASIO during the reporting period. While ASIO instituted a number of measures to improve record keeping in 2017-18, the office will maintain a strong focus on this aspect in all future inspections to provide assurance that ASIO officers meet their record keeping obligations.

ANALYTIC TRADECRAFT

ASIO produces a range of analytic products including security assessments, applications for warranted powers, investigative reviews and published analytic products. Within the AIC, ASIO's unique role in collection and assessment means that these products have greater potential to intrude into the privacy of Australians than those of DIO and ONA. Also these assessments may adversely affect the interests of individuals; for example, ASIO's security assessments may recommend that the Government take adverse action against a person by cancelling their passport. These assessments may also result in ASIO providing specific policy guidance to the Government.

IGIS staff inspections of these analytic products gave rise to some concerns about adherence to ASIO policies; specifically, policies relating to tradecraft, quality assurance, referencing, record keeping and critical review. However, during the reporting period ASIO made considerable progress in addressing these issues.

HUMAN SOURCE MANAGEMENT

ASIO activities include collection of intelligence through human sources. The details of these activities are highly sensitive and cannot be disclosed in a public report. During the reporting period, IGIS staff reviewed ASIO human source case files and met with ASIO staff to discuss related activities. No substantive issues of concern were identified by IGIS staff when reviewing these activities.

ASIO WARRANTS

ASIO can intercept telecommunications and use other intrusive powers following the issue of warrants by the Attorney-General. Authority for telecommunications interception is provided in the TIA Act. The ASIO Act provides the authority for other powers, including searches, computer access and surveillance devices.

Throughout the reporting period IGIS staff inspected a large number of warrants, primarily as part of the regular inspection of investigative cases. As with the last reporting period, IGIS staff identified a number of typographical errors in warrant documents. While some typographical errors are minor and may be overlooked, others have the potential to mislead or to cause breaches; consequently we continue to draw these errors to ASIO's attention. ASIO has strong practices in place, intended to limit the frequency of typographical errors in warrant documentation. In response to IGIS findings, ASIO has further refined its processes to help ensure that warrant documentation is accurate.

ASIO proactively informed the office of breaches and other issues relating to warrants issued under the TIA Act and the ASIO Act. There was a minor increase in the number of breaches in this reporting period. The circumstances in which these occurred are summarised below.

BREACHES OF THE TIA ACT

Unlawful intercept

Section 7 of the TIA Act prohibits the interception of communications passing over a telecommunications system. In the reporting period ASIO self-reported three breaches of section 7.

In the first instance, ASIO caused the interception of communications to and from a particular telecommunications service, without warrant authorisation; the problem was caused by the erroneous transcription of a telephone number. Once it became aware of the incident, the Organisation immediately took steps to cease interception of the service and the intercepted communications were deleted. ASIO subsequently amended their practices to ensure such transcription errors are less likely to occur.

In the second instance, a breakdown in internal processes led the Organisation to intercept the communications of a particular telecommunications service for two months without a warrant. In the third instance, data was collected on two services for 20 days in breach of a warrant condition. In both cases, ASIO advised the office that the unauthorised intercept was deleted.

ASIO advised the office of four instances of over-collection arising from incorrect information given by the service provider. In all instances, ASIO advised that the non-target interception was deleted.

ASIO also notified the office of an issue which occurred during the previous reporting period. In this instance a change in the subscriber of the service led to the interception of communications not relevant to security. Here, the service listed on the warrant was initially used by a person of interest to ASIO. During the period of the warrant the service was disconnected and re-sold to a new customer. The new customer's communications were intercepted for four days before ASIO recognised the error. Although ASIO was aware that the number had been disconnected, the Organisation incorrectly assumed that the service would be reconnected to the person of interest. ASIO deleted the non-target interception and modified internal procedures to reduce the risk of this type of issue arising in the future.

Another agency identified instances of unlawful interception of telecommunications executed under ASIO warrants involving section 12 of the TIA Act. Section 12 of the TIA Act enables the Director-General of Security, or his delegate, to authorise any person to execute a warrant on ASIO's behalf. In one case, despite ASIO's advice to the agency, the section 12 authorisation list for this warrant did not authorise the agency's officers to execute the warrant on ASIO's behalf. Consequently, the agency's officers executed the warrants without authorisation. The error was discovered when the agency requested a copy of the section 12 list. The agency advised ASIO of the omission and ASIO issued a revised section 12 list authorising the agency officers to execute the warrant on ASIO's behalf. In the second case, a number of the agency's officers not included in the section 12 authorisation list undertook unlawful collection activities. The office is currently conducting an inquiry into another agency relating to this second case. Additional information on this matter is reported on page 36.

Breach of section 16(2)

During the reporting period, IGIS staff identified an instance that occurred in 2016 where ASIO took two days to notify a carrier that interception of a service was no longer required. Section 16(2)(c) of the TIA Act requires ASIO advise the carrier "immediately". This office considers that, in the absence of special circumstances, a lapse of two days does not meet the requirement of immediate notification. The office has requested ASIO provide advice to carriers more promptly.

BREACHES OF THE ASIO ACT

ASIO notified the office of one instance where ASIO officers executed a warrant without authority. Section 24 of the ASIO Act allows the Director-General or an authorised person to approve a person, or class of persons, as authorised to exercise authority conferred by the warrant. Although ASIO obtained a warrant allowing the Organisation to undertake a particular activity, the activity was undertaken by ASIO officers who were not on the authorisation list. ASIO is considering measures to minimise the risk of similar breaches.

ASIO advised the office of errors relating to two identified person warrants. An ASIO internal investigation to determine whether the errors were in breach of the ASIO Act was ongoing at the end of the reporting period.

BREACH OF REPORTING REQUIREMENTS IN THE TIA ACT AND ASIO ACT

Section 17 of the TIA Act requires ASIO to furnish the Attorney-General with a report detailing the extent to which the warrant assisted the Organisation. Section 7(2) imposes additional requirements for reports relating to "named person warrants" issued under sections 9A or 11B. These reports must include details of the telecommunications service to or from which each intercepted communication was made.

IGIS staff identified that ASIO furnished a report to the Attorney-General advising that all services named on a warrant had been intercepted, without establishing the accuracy of this advice. The office requested ASIO to confirm whether the advice provided to the Attorney-General was accurate and whether any other warrant reports were affected by this issue. ASIO advised that it had not sought confirmation prior to drafting the report, due to ASIO's confidence that all services targeted for interception would be intercepted. From ASIO's response it is apparent that, during the reporting period, ASIO did not take the requisite steps to comply with the Organisation's reporting obligations under section 17(2) of the TIA Act.

Section 34 of the ASIO Act requires the Director-General of Security to provide a report to the Minister describing the extent to which the action taken under the warrant has assisted ASIO in carrying out its functions. During the reporting period the office found that ASIO provided section 34 reports to the Attorney-General prior to the expiry of warrants; for example, in one case, ASIO's warranted access continued 19 days after the report was provided to the Attorney-General. As the warrant was not renewed, any activity during this 19 day period was not the subject of legislative reporting.

On inquiry, ASIO confirmed that its standard practice was to provide warrant reports to the Attorney-General prior to the conclusion of the warrant. Accordingly, the problem affected a significant number of warrants granted under both the ASIO Act and TIA Act. Although this has been an accepted practice for many years, this office is of the view that this procedure does not comply with the requirements of section 34 of the ASIO Act or section 17 of the TIA Act. In accordance with this view, ASIO changed its practices so that warrant reports are now provided to the Attorney-General after the warrant authorisation has ended.

On 29 June 2017 ASIO notified this office that it had erroneously advised the Attorney-General that a surveillance device authorisation, made pursuant to an identified person warrant, was not executed. ASIO provided a supplementary warrant report to the Attorney-General to correct the error. During this reporting period IGIS staff reviewed the supplementary report and discussed the circumstances surrounding this error with ASIO staff.

OTHER WARRANT MATTERS

Use of inappropriate warrant type

Under the TIA Act the Director-General of Security may request the issue of telecommunication service warrants under section 9 and named person warrants under section 9A. In 2016, ASIO obtained a section 9 warrant for coverage of a legitimate and proper subject of ASIO attention. This approach was taken in at least one other warranted operation.

While it was accepted that throughout the operation ASIO had taken reasonable steps to ensure that it only intercepted appropriate information, and that there was no evidence of improper interference with the privacy of Australians, IGIS staff queried whether a section 9 warrant was the most appropriate warrant for this matter. The office expressed concern that the expansive interpretation adopted by ASIO of the phrase "telecommunications service" did not accord with the narrow interpretation courts traditionally apply when interpreting the scope of intrusive statutory powers. ASIO agreed to replace the warrant with a named person warrant which resolved the matter.

Authorisation to execute ASIO warrants

Both the TIA Act and ASIO Act empower the Director-General of Security, or his delegate, to authorise any person or a class of persons to execute a warrant granted to ASIO on the Organisation's behalf. In a number of inspections IGIS staff raised issues regarding the use of these powers. Poor record keeping practices meant that in several cases it was unclear who was authorised to exercise the Organisation's warranted powers, and how ASIO had instructed those persons to exercise them. In one matter, discussed earlier at page 19, this approach caused the unlawful interception of communications by incorrectly advising a partner agency that the agency's staff were authorised to execute the warrant when this was not the case. This was not an isolated incident (see also page 36). The office is currently considering ASIO's use of authorisations and the outcome of these considerations will be included in the next reporting period.

Description of services

When ASIO submits a request to the Attorney-General to obtain a named person warrant under sections 9A or 11B of the TIA Act, ASIO must include details, to the extent these are known, sufficient to identify the telecommunications services that ASIO assesses the named person is using, or is likely to use. During the reporting period IGIS staff queried whether ASIO's warrant documentation made clear the nature of the services ASIO intended to target. ASIO's consideration of this matter is ongoing.

QUESTIONING AND DETENTION WARRANTS

No questioning or questioning and detention warrants were authorised or used during the reporting period.

USE OF FORCE

Warrants issued under the ASIO Act must explicitly authorise the use of force necessary and reasonable to do the things specified in the warrant. Under section 31A of the ASIO Act, when force is used in the execution of a warrant ASIO must notify the Inspector-General in writing as soon as practicable. The ASIO Act does not specify a timeframe for the provision of these reports and ASIO has developed a policy that requires an initial notification within 72 hours (three days) of the use of force, to be followed by more detailed information within 10 days. During the reporting period, ASIO did not advise this office of any use of force against persons during the execution of ASIO warrants by ASIO or law enforcement officers.

SPECIAL INTELLIGENCE OPERATIONS

ASIO's special intelligence operations powers introduced in 2014 allow ASIO to seek authorisation from the Attorney-General to undertake activities that would otherwise be unlawful. Where the circumstances justify the conduct of a special intelligence operation ASIO can seek these authorisations to assist in the performance of its special powers functions. The legislation requires ASIO to notify the Inspector-General as soon as practicable after an authority is given. All special intelligence operations approved during the reporting period were notified to the Inspector-General on the same day as approval was granted by the Attorney-General.

The legislation also requires ASIO to provide a written report on each special intelligence operation to the Attorney-General and the Inspector-General. As the details of special intelligence operations are highly sensitive and cannot be included in a public report it is not possible to give more information about the operations here. However, IGIS staff reviewed documentation on special intelligence operations and found no outstanding reporting requirements for the reporting period. During the reporting period one authorisation reviewed contained a discrepancy which was corrected prior to any operational activity occurring. No other substantive issues or concerns were identified when reviewing these activities.

ACCESS TO TELECOMMUNICATIONS DATA

Sections 175 and 176 of the TIA Act empower certain ASIO personnel to authorise collection of historical and prospective telecommunications data from telecommunications carriers or carriage service providers. Authorisations are limited to circumstances in connection with the performance of ASIO's functions and in accordance with the Attorney-General's Guidelines. Our inspections of ASIO's access to prospective telecommunications data and historical telecommunications data showed that the prospective data authorisations were authorised at the appropriate level, were undertaken in connection with ASIO's functions and demonstrated regard for the Attorney-General's Guidelines (the Guidelines).

THE ATTORNEY‑GENERAL'S GUIDELINES

The Guidelines are issued under section 8A of the ASIO Act and are to be observed by ASIO in the performance of its functions. IGIS staff identified a number of breaches of the Guidelines during the reporting period, mainly relating to authorisation for investigative activity and the use of personal information. Some of these issues are discussed later in this report at page 23.

The Guidelines require that the initiation of an investigation be authorised by a senior ASIO officer. IGIS staff identified a small number of instances in which investigative activities were undertaken without first obtaining the proper authorisations required by the Guidelines. IGIS staff assess this is not a systemic issue.

The Guidelines also require ASIO to review each of the Organisation's investigations on an annual basis. IGIS staff identified a number of breaches of this requirement across the Organisation. There were a number of investigations that, as a consequence of administrative error, were overlooked until IGIS staff identified and raised the breach with the relevant investigative area.

PROVISION OF INACCURATE AND MISLEADING INFORMATION

The Guidelines require that ASIO take all reasonable steps to ensure that personal information it discloses is accurate and not misleading. In one instance IGIS staff found that ASIO did not specifically advise another Australian intelligence agency of a person's Australian status under the ISA, as it is required to do when making a request of that agency. This had the effect of the other agency considering the individual not to be an Australian, resulting in inaccurate information being entered into the partner agency's repository for target data.

ASIO proactively reviewed all such requests for information made by the relevant branch in 2016 and 2017. ASIO's review identified a small number of errors and an inconsistent approach to identifying subjects as Australian persons in requests to other agencies. The errors have been corrected in the other agency's databases. All staff in the relevant branch have undertaken additional training to reduce the risk of this type of problem recurring. The office is satisfied with ASIO's actions directed to preventing the provision of inaccurate information.

RETENTION OF PERSONAL INFORMATION

The office also raised issues regarding ASIO's retention of sensitive financial records and telecommunications data. The Guidelines require the Director-General of Security to take all reasonable steps to ensure that ASIO does not use or handle personal information, unless reasonably necessary for the performance of ASIO's statutory functions or as otherwise required by law. IGIS staff identified a small number of cases in which personal information was retained by ASIO in circumstances where ASIO had assessed that the records were not relevant to security. See also page 43.

IGIS staff identified a small number of instances in which ASIO retained metadata, or telecommunications interception data that was not relevant to security. In one case ASIO intercepted a telecommunications service for two months before realising that the service was not used by ASIO's investigative target. ASIO ceased interception, but did not delete the data for over a year. The office raised concerns that the significant period taken to delete the data indicated deficiencies in ASIO's internal processes.

ASIO EXCHANGE OF INFORMATION WITH AUSTRALIAN GOVERNMENT AGENCIES

ASIO's relationship with other Australian Government agencies includes the exchange of information. Exchanges of sensitive personal information are of particular interest to the office and are subject to IGIS staff review as part of our periodic inspections.

During the reporting period, ASIO exchanged information with a number of Australian Government agencies including the Australian Criminal Intelligence Commission, Australian Federal Police, State and Territory police services, the Department of Home Affairs, the Department of Defence and the Department of Foreign Affairs and Trade. Regular inspection activity included reviewing these exchanges to assess ASIO's compliance with legislation, the Attorney-General's Guidelines and ASIO policy. Some areas of concern were identified during these inspections. These concerns are addressed in ASIO's sharing of AUSTRAC information which is discussed separately (see page 43).

ACCESS TO TAXATION INFORMATION

Sections 355-70 of Schedule 1 to the Taxation Administration Act 1953 provide that a taxation officer authorised by the Commissioner of Taxation or delegate may disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO's functions. This access to sensitive information is further governed by a memorandum of understanding between the Commissioner of Taxation and the Director-General of Security, the Attorney-General's Guidelines and ASIO's internal guidelines and procedures. ASIO rarely requests access to this type of information.

During the reporting period, IGIS staff reviewed ASIO access to sensitive tax information carried over from the previous financial year. No issues of concern were identified in this inspection. The office reviewed ASIO access to taxation information for the 2017-2018 period in August 2018. The results for this inspection will be included in next year's annual report.

ASIO EXCHANGE OF INFORMATION WITH FOREIGN LIAISONS

The ASIO Act authorises ASIO to provide and to seek information relevant to Australia's security, or the security of a foreign country, from authorities in other countries. ASIO may only co-operate with foreign authorities approved by their Minister. ASIO has guidelines for the communication of information on Australians and foreign nationals to approved foreign authorities.

During the reporting period IGIS staff inspected a sample of foreign liaison exchanges through the regular inspections of ASIO cases. These inspections have focused primarily on areas of increased risk to Australian persons, such as persons involved in the Syrian conflict.

In a small number of cases, IGIS staff found that delays in responses from foreign liaison partners contributed to delays, some significant, in ASIO being able to finalise security assessments. IGIS staff noted that inconsistent practices in following up outstanding requests contributed to some of these delays.

MINISTERIAL SUBMISSIONS

IGIS staff regularly review a range of submissions to the Attorney-General. These reviews continue to be useful in obtaining an overview of legality and propriety issues and to keep the office informed of current operations and emerging issues. In 2018-2019 the office will review ASIO submissions to both the Attorney-General and the Minister for Home Affairs.

SECURITY ASSESSMENTS

Security assessments can lead to cancellation or refusal of visas or passports. In this reporting period IGIS staff continued to review a sample of cases where ASIO had requested passport suspension, passport cancellation or emergency visa cancellations.

Section 38(7) of the ASIO Act

The ASIO Act requires that, where ASIO has issued a qualified or adverse security assessment of a person to a Commonwealth agency or to a State or authority of a State, that agency, state or authority shall notify the person of the assessment within 14 days. The ASIO Act provides for an exception to this requirement where ASIO's Minister certifies in writing that withholding the notice is essential to the security of the nation. Section 38(7) of the ASIO Act requires that if such certification is issued, ASIO's Minister must consider annually whether to revoke the certificate and notify the subject of the relevant assessment. While the ASIO Act does not impose a direct obligation on ASIO it is clear that in determining whether to issue the certificate and in reconsidering the matter every 12 months ASIO's Minister will need to rely on the Organisation's advice in order to meet this statutory obligation.

In October 2017, IGIS staff found that ASIO had not provided the Attorney-General with the information necessary to enable the Attorney-General to consider whether a certificate should be revoked. Seven months lapsed between IGIS staff raising this issue and ASIO advising the Attorney-General and the Minister for Home Affairs.

ASIO's repeated failure to provide the Minister with the information necessary to make a decision under section 38(7) of the ASIO Act is of significant concern. This office identified and reported on a number of such instances in the 2016-17 reporting period. As with last year, this office is concerned by the considerable time ASIO has taken to rectify this ongoing problem. It is disappointing that ASIO has shown no improvement in remedying breaches of this kind, despite instituting new procedures. At the conclusion of the current reporting period ASIO's processes and procedures remain deficient in this respect.

Procedural fairness

In one case, IGIS staff expressed concern that the subject of an ASIO adverse security assessment had not been afforded procedural fairness. ASIO officers held serious concerns regarding the threat this subject posed to security and sought to interview the person prior to issuing an adverse security assessment. In seeking to set up the interview ASIO officers advised the subject that they "wanted to discuss a minor issue." The person of interest terminated the call. Within the hour ASIO officers made two subsequent calls to the person that went unanswered. ASIO did not pursue alternative methods to inform the person of the consequences of not participating in the interview, as ASIO procedures required.

We raised concerns that ASIO did not comply with its own policy to ensure that the person of interest was informed and understood the consequences of not engaging with ASIO officers. ASIO determined that the actions of its officer had sufficiently afforded the subject of the assessment procedural fairness. This case was the subject of ongoing discussions with ASIO at the end of the reporting period.

Delays in finalising security assessments

In addition to responding to complaints received from visa applicants, IGIS staff also review ASIO's security assessment investigations. In these inspections IGIS staff identified a number of security assessments affected by processing delays.

In one matter, a visa application was referred to ASIO in 2013 for assessment. By November 2014, ASIO had drafted the security assessment; however our inspection in November 2017, some three years later, found that the assessment had not yet been finalised. This case was highlighted to ASIO, noting concerns about the number of times the case had been reassigned to different case officers and the long periods of no activity. In response, ASIO advised the delay was due to numerous factors including ASIO's prioritisation, workloads and staffing issues. While the office accepts that ASIO has a very heavy workload and that, ultimately, it is for ASIO to manage that load, the extreme delay in this case was such that the Inspector-General has strongly recommended the case be finalised as a matter of urgency. At the end of the reporting period, the security assessment remained unresolved.

ASIO INSPECTION PROJECTS

ASIC/MSIC

During the reporting period the office finalised a review of ASIO's management of security assessments related to the Aviation Security Identification Card (ASIC) and the Maritime Security Identification Card (MSIC). The project examined complex cases, with a particular focus on the length of time taken to finalise the cases. It is acknowledged that not all aspects of investigating complex cases are within ASIO's control; resource limitations among others are significant factors. However, it was considered appropriate to examine this issue because of the implications for applicants' livelihoods.

ASIO prioritises advice and services for stakeholders by consulting them on their priorities and focusing on areas of greatest security risk. The project found that as a consequence of this approach lower risk complex cases, those least likely to result in an Adverse Security Assessment, experience the longest delays.

Despite these problems, overall, there was a significant improvement in the time taken to finalise security assessments for complex ASIC and MSIC security assessments between 2015 and 2017. The responsibility for ASIC and MSIC security assessments changed divisions in 2015 and the new division inherited ten cases that had suffered serious delays; all took more than 600 days to finalise the security assessments. The area in ASIO currently responsible for ASIC/MSIC security assessments cleared the backlog of cases and has significantly reduced the average processing time for complex cases.

DEVICES PROJECT

In November 2016 the IGIS initiated an inspection project focusing on ASIO staff access to surveillance devices and other technical devices used for surveillance. This project was suspended due to higher priority inspection activities and staffing shortages in this office.

ONLINE INVESTIGATIONS

In November 2016 the office initiated an inspection project focused on ASIO's online investigative activities. The project did not arise in response to a specific concern or complaint, but was considered to be timely noting the proliferation of social media activity amongst the investigative targets and broader public alike. During the reporting period, the project was cancelled to make way for higher priority investigations.

PROTECTING COMPLAINANT INFORMATION

In 2011 ASIO and the office agreed on a protocol for the management of information concerning complaints or public interest disclosures made to the Inspector-General. This protocol provides guidance for ASIO's management of lawfully intercepted communications which identify, or potentially identify, a person who has made a complaint or public interest disclosure to this office.

In last year's annual report, the office reported on the identification by IGIS staff of breaches of this protocol and ASIO's subsequent comprehensive review. ASIO and the office have reviewed the protocol and proposed changes that will reduce the possibility of recurrence. The revised protocol was not yet finalised at the end of the reporting period.

AGENCIES SUBJECT TO THE INTELLIGENCE SERVICES ACT 2001

LIMITS TO THE FUNCTIONS OF INTELLIGENCE AGENCIES

The functions of agencies governed by the ISA are set out in sections 6, 6B and 7 of the ISA. For example, ASIS functions include to obtain and communicate, in accordance with the Government's requirements, intelligence about the capabilities, intentions or activities of people or organisations outside Australia. The work of ASIS, ASD and AGO is guided by the national intelligence priorities, which are reviewed and agreed by the National Security Committee of Cabinet each year.

The ISA also requires that ASIS, ASD and AGO only perform their functions in the interests of Australia's national security, Australia's foreign relations or Australia's national economic well-being; and only to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia.

MINISTERIAL AUTHORISATIONS

All activities undertaken by ASIS, ASD or AGO to produce intelligence on an Australian person require individual consideration and approval by the responsible Minister, with the following exceptions:

  • intelligence can be produced by ASIS on an Australian person without ministerial authorisation if doing so assists ASIO in the performance of its functions
  • class authorisations can be given by the Minister where the intelligence is produced by ASIS in the course of providing assistance to the ADF
  • subject to conditions, agency heads may give an authorisation in an emergency when Ministers are not available

Ministers are able to direct that other activities require prior ministerial approval, and each Minister has done so. In AGO's case, any intelligence collected over Australian territory requires authorisation by the head of the agency. Another example is that ministerial approval is required before ASD conducts certain cyber operations.

PRIVACY RULES

Section 15 of the ISA provides that the Ministers responsible for ASIS, ASD and AGO must make written rules to regulate the communication and retention of intelligence information concerning Australian persons (Privacy Rules). The term "Australian persons" includes citizens and certain permanent residents and companies. The rules regulate the agencies' communication of intelligence information concerning Australian persons to other Australian agencies and to foreign authorities, including to Australia's closest intelligence partners. Communication to foreign authorities is also subject to additional requirements. The Privacy Rules are unclassified and appear on the agencies' websites. No changes were made to the Privacy Rules in this reporting period.

Privacy Rules require that agencies may only retain or communicate information about an Australian person where it is necessary to do so for the proper performance of each agency's functions or where retention or communication is required under another Act. If a breach of an agency's Privacy Rules is identified, the agency in question must advise the IGIS of the incident and the measures taken by the agency to protect the privacy of the Australian person, or Australian persons more generally. Adherence to this reporting requirement provides the office with sufficient information upon which to decide whether appropriate remedial action has been taken, or further investigation and reporting back to the Inspector-General is required.

THE PRESUMPTION OF NATIONALITY

The Privacy Rules require that, unless there is evidence to the contrary, ASIS, ASD and AGO are to presume that a person in Australia is an Australian person and that a person who is not in Australia is not an Australian person. An initial presumption of nationality may be rebutted at a later date. For example:

  • new information or evidence may indicate that a person overseas is an "Australian person". If it was not reasonable for this information to have been known and considered at the time the initial assessment was made then the presumption of nationality could be rebutted. There would have been no breach of the Privacy Rules in this circumstance.
  • the agency may discover that it, or another agency, was already in possession of evidence that a person was an Australian person and which should have been considered in the initial assessment. In this case the presumption of nationality would be rebutted and if intelligence information had already been communicated about the Australian person there may have been a breach of the Privacy Rules. There may also be a breach of the ministerial authorisation rules if intelligence collection actually was undertaken.

If the agency made a reasonable assessment of the nationality status of that person, based on all the information that was available at the time, there is no breach of the Privacy Rules. Where a presumption of nationality is later rebutted, ASIS, ASD and AGO must advise the office of this and the measures taken to protect the privacy of the Australian concerned.

INSPECTION OF ASIS ACTIVITIES

IGIS oversight of ASIS's activities generally falls into eight categories, which are based on the underlying functions of the agency in accordance with section 6(1) of the ISA. These categories are:

  • intelligence collection
  • intelligence communication
  • support to the ADF
  • counter-intelligence
  • foreign liaison
  • co-operation and assistance to intelligence agencies and prescribed authorities
  • actions undertaken in relation to ASIO
  • other activities as the Minister responsible directs

During the reporting period, IGIS staff met the target of inspecting at least 75% of ASIS's activity categories. IGIS staff conducted a range of regular inspections of ASIS activities as part of the comprehensive inspection and visits program. These inspections included reviewing operational files, advice to the Foreign Minister, compliance incident reports, weapons related matters and access to sensitive financial information. Inspection activities were conducted using a risk-based approach with priority given to operational file reviews. IGIS staff also reviewed ASIS activities to ensure that they were consistent with human rights and did not constitute discrimination.

These inspections are supplemented by ASIS briefings on various matters throughout the year. Such briefings allow us to stay abreast of emerging issues and to follow up on observations from inspection activities.

REVIEW OF OPERATIONAL FILES

ASIS activities involve the use of human sources. ASIS officers are deployed in many countries to support a wide range of activities including counter-terrorism, efforts against people smuggling and support to military operations.

IGIS staff visited ASIS several times each month during the reporting period to review ASIS's operational case files. These inspections considered a sample of files, focusing on high risk areas and ASIS's application of the Privacy Rules. While the sensitive nature of ASIS's operational activities means that specific detail of the nature and range of issues inspected cannot be provided in a public report, we can advise that these reviews are thorough and rigorous.

Overall, IGIS staff were satisfied with ASIS operational activities and that ASIS staff were appropriately identifying and considering risks associated with these activities. Inspections also allow IGIS staff to work with ASIS to identify and mitigate against unnecessary levels of risk. For example, in one inspection IGIS staff identified an area that had not sufficiently considered the Privacy Rules; the ASIS Compliance Branch addressed this issue and increased Privacy Rules training for this area. In another inspection, IGIS staff raised concerns regarding the level of oversight by senior ASIS staff of certain activities. The office has been working with ASIS to identify and appropriately manage this risk.

Where IGIS staff have identified areas requiring further investigation, ASIS has been forthcoming in providing additional information or briefing. In one case, it was judged that ASIS should have obtained a warrant to conduct an activity while in Australia. ASIS records showed that seeking a warrant was considered, but ultimately ASIS decided one was not necessary. This has led to constructive discussions to identify the risks and policy thresholds for warrants.

In another operational file review IGIS staff raised concerns about a delay in finalising internal guidance to ASIS staff on section 13B of the ISA, and identified a record keeping issue relating to a particular section 13B notice. Section 13B of the ISA allows ASIS to produce intelligence on an Australian person, or a class of Australian persons, to support ASIO in the performance of its functions, without first obtaining authorisation from the Minister for Foreign Affairs. In response to concerns raised, ASIS promptly finalised internal guidance on section 13B notices and reviewed all other section 13B notices to ensure that the problem was limited and not systemic.

MINISTERIAL SUBMISSIONS

IGIS staff reviewed all ministerial submissions produced by ASIS and found that the majority were of a high standard. In essence, an inspection of ministerial submissions seeks to ensure the responsible Minister is properly informed about sensitive ASIS operational issues. In most cases IGIS staff were satisfied that the information provided to the Minister was appropriate; however, IGIS staff did observe delays in providing some information to the Foreign Minister.

In one case, ASIS did not provide timely advice to the Minister for Foreign Affairs about unauthorised interception of communications by another agency, but related to a foreign intelligence collection warrant. Complicating the matter, ASIS staff wrote to the Foreign Minister about the foreign intelligence collection warrant but omitted any reference to the unauthorised interception. When the issue was identified by IGIS staff ASIS promptly rectified the omission through a separate submission to the Minister. The Inspector-General reminded ASIS of the importance of providing timely and accurate advice to Ministers as a matter of propriety, especially where there has been a breach of Australian law even by another agency.

In a second case, ASIS delayed fulfilling its reporting requirements under the ISA; section 13F of the ISA requires the Director-General of ASIS to provide a written annual report to the Foreign Minister in respect of activities undertaken by ASIS in accordance with section 13B. The report is to be provided "as soon as practicable after each year ending on 30 June". The report for the period 2016-2017 was provided to the Minister for Foreign Affairs in January 2018. While not a breach of the ISA, the provision of the report to the Minister more than six months after the conclusion of the reporting period is not satisfactory. We will continue to monitor the timeliness of information provided to the Minister.

Ministerial Authorisations to produce intelligence on Australian persons

In the reporting period, IGIS staff reviewed all ASIS ministerial authorisations to produce intelligence on Australian persons. These inspections did not identify any issues of legality or propriety. However, inconsistencies were observed in the wording of authorising instruments, which resulted in variations to the commencement date and expiry dates of the authorisations. While no compliance issues were observed, the lack of consistency will inevitably increase the risk of error.

COMPLIANCE INCIDENT REPORTS

Since mid-2015 ASIS has provided the office with Compliance Incident Reports (CIRs) when ASIS identifies an issue or when an ASIS officer self-reports an issue relating to compliance or propriety. ASIS investigates the issue or incident and initiates remediation activities, including additional training for the staff and teams involved. This office reviews all ASIS CIRs and undertakes its own independent investigation of the incident where necessary. In this reporting period, ASIS provided 12 such reports, down from the 16 reports provided in the last reporting period. Of the 12 incidents, six related to Privacy Rules breaches, three involved weapons-related incidents and one related to ASIS's handling of sensitive financial information. These incidents are addressed later in this report. The remaining two incidents involved activities not in accordance with section 8 of the ISA and are outlined below.

In August 2017 ASIS self-reported an incident to IGIS staff where ASIS had accessed an electronic device in Australia without informed consent from the owner of the device. Although ASIS had asked the individual if it could access the device, the purpose for accessing the device was not communicated clearly enough for ASIS to be satisfied that the individual was sufficiently informed. Without informed consent, this activity was in breach of section 8 of the ISA and also section 25A of the ASIO Act. ASIS informed the individual and apologised for the incident, as recommended by the Inspector-General. The office considered that the actions of the ASIS officers did not give rise to a criminal offence and was satisfied with the measures ASIS put in place to prevent incidents of this nature from recurring.

In the second CIR, ASIS reported on two activities ASIS had undertaken in relation to an Australian person without having first obtained a ministerial authorisation. At the time of conducting the activities, the ASIS officer was unaware the individual was an Australian citizen and relied on the presumption of nationality; that is, a person outside Australia is to be presumed not to be an Australian person. Upon learning that the person was an Australian citizen, ASIS sought a ministerial authorisation to produce intelligence on the Australian person. The office views this as an appropriate course of action under the circumstances.

EMERGENCY MINISTERIAL AUTHORISATIONS

In the reporting period there were two instances where ASIS sought an oral authorisation from the Minister in an emergency using the section 9A provisions in the ISA. In both instances, a written record of the oral authorisation was made within 48 hours and a copy of the record was provided to this office within three days, in accordance with section 9A(5) of the ISA. The office did not identify any issues of concern relating to these authorisations.

PROTECTING THE PRIVACY OF AUSTRALIAN PERSONS

IGIS staff pay close attention to the distribution of intelligence about Australian persons during regular inspection activities. ASIS continued to provide training to its staff on producing intelligence on Australian persons and introduced initiatives to mitigate the risk of unintentionally reporting on Australian persons.

Throughout the reporting period there were a small number of instances where the Privacy Rules were not applied prior to ASIS reporting on an Australian person or company. While most were the result of human error, the effect of an ageing IT system and not identifying a person as an Australian citizen, the office found only one where reporting on an Australian person would not have been reasonable and proper had the Privacy Rules been applied at the time. In this case, the report was released in error and once the incident had been identified, ASIS immediately recalled the report and advised recipients of the incorrect details. IGIS staff reviewed this matter and the Inspector-General was satisfied that remediation was appropriate and measures to prevent recurrence were effective.

PRESUMPTION OF NATIONALITY

ASIS reported six occasions in the reporting period where the presumption of nationality was overturned; that is, information became known that an individual was actually an Australian person or that an individual was originally assumed to be Australian but later identified as non-Australian. In these instances there was no breach of the Privacy Rules, as the presumption of nationality was reasonable at the time it was made and the information indicating the individuals were Australian was not available at that time.

AUTHORISATIONS RELATING TO THE USE OF WEAPONS

Schedule 2 of the ISA requires:

  • the Minister for Foreign Affairs to provide the Inspector-General with copies of all approvals issued by the Minister for Foreign Affairs in respect of the provision of weapons and the training in and use of weapons and self-defence techniques in ASIS, and also
  • the Director-General of ASIS to give the Inspector-General a written report if a staff member or agent of ASIS discharges a weapon other than in training.

These requirements were met during the reporting period and the Inspector-General was satisfied that there was a need for limited numbers of ASIS staff to have access to weapons for self-defence in order to perform their duties. IGIS staff also examined ASIS weapon and self-defence policies, guidelines and training records in 2017–18. The reviews found that ASIS's approach to governance and record keeping on this matter continued to be satisfactory.

ASIS advised this office of three weapons-related incidents during the reporting period, two of which involved non-compliance with ASIS procedures and the third related to a firearms discharge. The first compliance issue arose when ASIS officers undertook firearms training (target practice) at a range that was not approved by ASIS. Australian security contractors who provide assurance to other Australian Government agencies had assessed this range and found it suitable for use; however, ASIS had not provided separate approval for its officers to use that training facility as required by ASIS policy. This was an administrative oversight rather than an operational incident or breach of legislation.

The second incident arose when ADF and ASIS personnel conducted joint weapons-related training prior to formal exchange of letters approving the training, as required by a memorandum of understanding between Defence and ASIS. As soon as the ASIS team responsible for the training became aware that the formal letters were not signed they immediately stopped the training exercise. The training recommenced once the letters of agreement were signed. The office considers that ASIS staff acted appropriately in suspending the training until formal arrangements were in place.

The third incident reported to this office concerned an accidental discharge of an ASIS-issued weapon by an ASIS officer during an approved training session. The weapon was fired in a safe direction and there were no injuries or damage to property resulting from the incident. ASIS took immediate steps to identify the cause of the accidental discharge and put in place measures to reduce the likelihood of another incident occurring. ASIS also notified Comcare of the incident.

INSPECTION OF ASD ACTIVITIES

ASD's activities subject to the office's oversight have been categorised according to the underlying functions of the agency as set out in section 7 of the ISA, namely:

  • intelligence collection
  • intelligence communication
  • advice to Ministers or authorities in matters relating to security
  • security assessments
  • advice relating to protective security
  • foreign intelligence collection
  • assistance to intelligence agencies and prescribed authorities

In the reporting period IGIS staff met the target of inspecting at least 75% of ASD's activity categories.

The office's inspection of ASD activities is facilitated by strong working level relationships with ASD's compliance area and regular access to required systems. Given the volume and complex nature of ASD activities, the IGIS inspection program is continuous and includes scheduled activities, proactive reviews of areas of risk or sensitivity, as well as reviews of draft policies.

During the reporting period, the office inspected a number of ASD activities, including:

  • ministerial authorisations to produce intelligence on Australian persons
  • ASD's compliance with the Privacy Rules
  • compliance incident reports
  • ASD's access to sensitive financial information (discussed later in the report)

These inspections were supplemented by briefings on various matters across the year either at the request of this office or at the instigation of ASD. These briefings and subsequent investigations allowed the office to stay abreast of emerging issues and to pursue trends observed during inspections.

ASD had a higher number of breaches in this reporting period (12) compared to the previous reporting period (nine); however, ASD's compliance area was more actively engaged with the office about breaches or potential breaches.

In this reporting period, the Defence inspection team increased in size. This allowed the team to continue its regular inspection activities and to commence an inquiry into an ASD matter requested by the Minister for Defence.

MINISTERIAL AUTHORISATIONS TO PRODUCE INTELLIGENCE ON AUSTRALIAN PERSONS

During the reporting period the office inspected around 80% of ASD's ministerial authorisations, a small increase on the 75% reviewed in the last reporting period. The submissions were generally of a high standard. However, IGIS staff did identify that, in 2017, numerous submissions seeking to renew a ministerial authorisation incorrectly stated the expiry date of the preceding authorisation. The office highlighted these errors to ASD because of the heightened potential to breach the ISA as a result of such inaccuracies. ASD's response to feedback on this issue was appropriate. IGIS staff will continue to monitor this aspect of ministerial submissions in future inspections.

A change of circumstances may prompt the Minister to cancel a ministerial authorisation, or it may expire at the end of the authorisation period. In either case, within three months ASD is required to provide the Minister with a report on its activities that relied on the authorisation. IGIS staff reviewed a number of these cancellation and non-renewal reports and did not identify any significant issues.

In December 2017 this office completed in-depth reviews of two ministerial authorisations provided under section 9(1A) of the ISA (acting for, or on behalf of, a foreign power). The selection of these cases was not prompted by any particular concern with these ministerial authorisations. IGIS staff reviewed the accuracy, balance and currency of the information provided to the Minister; end-product reporting; exchanges with other agencies; record keeping; and team-level procedures. The reviews did not identify issues of legality or propriety; indeed they revealed a culture of consistent record keeping within the relevant ASD team and showed that they actively considered compliance issues to manage risks.

EMERGENCY MINISTERIAL AUTHORISATIONS

Situations may arise where, as a matter of urgency, ASD requires a ministerial authorisation to undertake certain activities. Emergency authorisations may be provided orally by the Minister for Defence, other select Ministers where the Minister for Defence is unavailable, or the Director ASD can authorise such activities if the Ministers are not readily available. Emergency authorisations are only valid for 48 hours after which any further activity will require a new authorisation if ASD is to continue that activity.

Nine emergency ministerial authorisations were issued to ASD during the reporting period. IGIS staff found no significant issues with these authorisations. In one case, an analyst accidentally conducted activity under an emergency ministerial authorisation that was not yet authorised; however, this office acknowledged that this was not intentional and occurred in a high-pressure situation. IGIS staff also found that due to extraordinary circumstances, one emergency ministerial authorisation was signed slightly late. These cases are detailed as compliance incident reports later in this section.

MINISTERIAL SUBMISSIONS

During the reporting period IGIS staff also conducted a quarterly review of ministerial submissions that were not related to ministerial authorisations. The purpose of these reviews was to ensure the responsible Minister is provided timely and accurate information about critical ASD issues. These inspections began in mid-2017, and the results of the reviews were sent to ASD as part of the quarterly inspection letters. Over this reporting period, IGIS staff found that the majority of ASD ministerial submissions were of a high standard, and were provided to the Minister with sufficient time for approval. IGIS staff appreciated ASD actively consulting with the office in relation to a number of submissions reviewed.

PROTECTING THE PRIVACY OF AUSTRALIANS

The Minister for Defence makes written rules, the Rules to Protect the Privacy of Australians, to regulate how ASD communicates and retains intelligence information concerning Australian persons. ASD is required to report to this office any breaches of the Privacy Rules. In accordance with its obligations under the Privacy Rules, ASD reported cases during the reporting period where the presumption that an individual was not an Australian was subsequently rebutted and the person was shown to be Australian. These reports included details of the measures taken to protect the privacy of that person. Separately, ASD consulted with this office in relation to its efforts to expand information sharing with foreign partners, and the implications for protecting the privacy of Australian persons.

IGIS staff reviewed such cases reported by ASD and found that many of the presumptions of nationality were reasonable given the information available to ASD at the time. ASD's actions, including informing other intelligence agencies that the person is Australian, were appropriate and in accordance with the Privacy Rules.

However, the office review of several cases uncovered matters of concern. In August 2017 the office reviewed submissions from ASD relating to overturned presumptions of nationality. As part of this review, IGIS staff identified that ASD had breached section 63(1) of the TIA Act which restricts the communication of lawfully intercepted information. This breach occurred when ASD communicated lawfully intercepted information, but did not have authorisation to do so. The Inspector-General recommended ASD review the relevant arrangements to ensure they were consistent with the relevant authorisations. Later in the year, an IGIS review of another case encouraged ASD to consider informing foreign partners about overturned presumptions of nationality, as a further safeguard to protect privacy.

In September 2017 ASD advised this office of its investigation into a breach of the Privacy Rules. The breach occurred when ASD conducted activity on an individual, relying upon an incorrect presumption of foreign nationality. Given the information available at the time, this office considered that ASD should have presumed the individual was an Australian person and applied the Privacy Rules. ASD's investigation found that inconsistent work practices, human error and a high operational tempo resulted in the relevant area not taking into account all available information. IGIS staff reviewed ASD's findings and recommendations in regard to this incident and were satisfied the implementation of the recommendations would minimise the risk of future recurrence. In December 2017, ASD provided the office with a revised policy relating to this incident which helped to clarify specific processes across ASD.

COMPLIANCE INCIDENT REPORTS

Matters identified by ASD involving breaches of legislation and significant or systemic matters of noncompliance with ASD policy are investigated by ASD and reported to the IGIS in Compliance Incident Reports (CIRs). This office reviews these reports and undertakes an investigation of the incident where necessary. ASD provided 11 such reports during 2017-18 and one report on 30 June 2017. These incidents are outlined below.

On 30 June 2017 ASD advised this office of its investigation into a breach of section 8(1) of the ISA, in which ASD produced intelligence on an Australian person without a ministerial authorisation. A breach of section 10A of the ISA was also investigated as part of this case, as ASD failed to report to the Minister within one month of the date on which an emergency ministerial authorisation ceased to have effect. This office reviewed ASD's investigation and considered most of the findings to be reasonable, and agreed with the remedial actions proposed to prevent recurrence. Our office formed the view that ASD had an interest in the target prior to the date identified in the report and therefore should have obtained a ministerial authorisation sooner.

In the reporting period, ASD also advised this office of its investigation into four breaches of section 8(1) of the ISA, which involved ASD producing intelligence on an Australian person without a ministerial authorisation. In the first case, ASD assessed that the breach had occurred due to an incomplete process; IGIS staff reviewed the investigation and were satisfied with the conclusions and recommendations. In the second case, a breach occurred due to a failure of process following an update to an ASD user interface; IGIS staff reviewed ASD's investigation, identified that the required paperwork for the Minister was unsatisfactory and recommended that ASD re-submit the relevant documents. The circumstances of the third breach were that ASD had incorrectly overturned a presumption of nationality on the basis of citizenship status without proper regard to the residential status of an individual. The office was satisfied with ASD's subsequent investigation and remedial action proposed to prevent recurrence. In the final instance the breach occurred in the context of an emergency situation, lasted for a period of five minutes, and was identified and reported to this office within an appropriate time period.

In September 2017 ASD advised this office of its investigation into a breach of the Ministerial Directions that give effect to section 8(2) of the ISA. The breach occurred in the context of an emergency situation, was identified immediately by ASD, and reported to this office the day it occurred. This office was satisfied with ASD's investigation and remedial actions. In May 2018, this office also provided ASD with comments on an updated policy document related to this case, noting that this updated guidance will assist with preventing future related incidents.

In the 2017-18 reporting period, ASD informed this office of its investigation into four breaches of section 7 of the TIA Act. Two of these cases involved interception by unauthorised persons under section 12 of the TIA Act. These breaches highlighted an inconsistent approach to ASD's management of warrants, including a lack of communication within ASD teams, and a failure to adhere to, and formalise, team procedures. This office is currently conducting an inquiry into ASD that relates to these cases. In the third case, ASD conducted unauthorised interception of certain communications. ASD assessed the breach occurred due to a gap in process and application of compliance requirements. This office was satisfied with the investigation and proposed actions to prevent recurrence, including updating procedures and related policies. The final such breach also involved the interception of certain communications, which ASD assessed occurred due to its failure to review collected intelligence in a timely manner. This office was satisfied with ASD's investigation and remedial actions.

In mid-2018, ASD informed this office of two further breach investigations. The first involved a breach of section 7 of the TIA Act, in which ASD intercepted certain communications data without the appropriate authorisation. The second concerned a breach of section 8 and section 15(5) of the ISA, which relates to the Privacy Rules, and involved ASD conducting activities against an Australian person without a ministerial authorisation. ASD completed its investigation into both incidents outside the reporting period. These incidents will be reported on in the next annual report.

POTENTIAL BREACHES OF THE TIA ACT

ASD considers that matters are classed as potential breaches when it is unclear, due to data limitations or the absence of essential details, whether a breach has occurred. The office reviews these matters in the same manner as it reviews compliance incidents.

In July 2017 ASD advised this office of its investigation into a potential breach of section 7 of the TIA Act. The incident involved possible collection of certain communications; however, ASD judged that it was not possible to determine whether certain communications had been collected. This office reviewed ASD's investigation and is satisfied with the final assessment and proposed measures for mitigating future risk associated with this matter.

In February 2018 ASD advised this office of its investigation into a potential breach of section 7 of the TIA Act. The incident involved the possible interception of certain communications over approximately one day; however, ASD was unable to determine if certain collection occurred because ASD's system had automatically deleted the data after a period of time. The cause of the incident was unable to be determined and it is likely it was a result of factors outside of ASD's control. The office was satisfied with the timeliness of ASD's investigation of the incident and reporting to this office.

In March 2018 ASD informed this office it was investigating two further potential breaches of section 7 of the TIA Act. The first was a result of a quality control process system misconfiguration, and this office was satisfied with ASD's investigation and remedial action. The second incident involved collection of potentially non-compliant data after a system upgrade. Following the update, collection of large amounts of data that was not collected during the testing phase occurred. ASD was unable to determine if there was domestic interception and if the data collected is considered a "communication" for the purposes of the TIA Act. This issue continues to be investigated by ASD and if necessary will be included in the next annual report.

In May 2018 ASD advised this office that it was investigating a further potential breach of section 7 of the TIA Act. This involved the possible collection of certain communications for a short period of time. ASD advised this office that it deleted the data in question, as it could not readily confirm whether it was compliant or not. ASD completed its investigation and reported the findings to this office in July 2018 and we were satisfied with ASD's investigation and actions.

INSPECTION OF AGO ACTIVITIES

The activity categories assigned to AGO are derived from AGO's statutory functions under the ISA, namely:

  • intelligence collection in support of the Government
  • support to the ADF
  • intelligence collection in support of Commonwealth and State authorities' national security functions
  • intelligence communication
  • provision of imagery and other geospatial products
  • assistance to intelligence agencies and prescribed authorities
  • co-operation with, and assistance to, other intelligence agencies
  • functions of the Australian Hydrographic Office

During the reporting period, this office achieved the target of inspecting 75% of AGO's inspection categories. These included:

  • Ministerial authorisations to produce intelligence on Australian persons
  • Director's approvals and post activity reporting
  • AGO's compliance with the Privacy Rules
  • AGO's access to sensitive financial information (discussed later in the report)

The office also received briefings from AGO teams for a better understanding of the agency's functions and to identify emerging issues. These briefings enabled the office to enhance working-level relationships within AGO and to follow up on matters observed during inspections.

Based on inspection and review activities, the office is satisfied that AGO met its statutory obligations under the ISA and that AGO has in place systems to encourage compliance.

MINISTERIAL AUTHORISATIONS TO PRODUCE INTELLIGENCE ON AUSTRALIAN PERSONS

AGO is required to seek authorisation from the Minister for Defence to produce intelligence on an Australian person. This authorisation is ordinarily requested in conjunction with ASD. During the reporting period, our inspections did not identify any concerns relating to AGO's ministerial authorisations, renewals, cancellations or non-renewals. Four emergency ministerial authorisations were issued to AGO during the reporting period; IGIS staff reviewed these emergency authorisations and did not identify any issues of concern.

DIRECTOR'S APPROVALS AND POST ACTIVITY REPORTING

The Minister for Defence requires the Director of AGO personally to approve AGO activities intended to obtain or communicate geospatial imagery intelligence of Australian territory. The Director of AGO is also required to provide the Minister with quarterly reports on approved intelligence activities. The accuracy of these and other reports provided to the Minister for Defence was reviewed during the reporting period. IGIS staff identified minor date errors in two of these quarterly reports; however, these errors had no practical impact on the authorised activities.

At the conclusion of approved activities, AGO staff prepare a post-activity compliance report for the Director, which this office regularly examines. During the reporting period, IGIS staff identified no significant issues with AGO's post-activity compliance reports. However, IGIS staff noted one instance of non-compliance with a set of special conditions. Special conditions are regularly noted in Director's approvals as caveats for certain activities. In this instance, the special condition was not addressed in the post-activity compliance report, and the Director was incorrectly informed that all conditions had been met. This office provided guidance to AGO that all special conditions approved by the Director should be accurately referenced and addressed in the post-activity compliance reports, noting that this procedure would give the Director greater assurance that activities are conducted as directed. The office is satisfied that AGO has taken appropriate remedial action and steps in response to this matter.

AGO COMPLIANCE WITH PRIVACY RULES

The Minister for Defence makes written rules, namely Rules to Protect the Privacy of Australians, to regulate how AGO communicates and retains intelligence information concerning Australian persons. During the reporting period, IGIS staff did not identify any concerns in relation to AGO's compliance with the Privacy Rules. This is the second consecutive year that AGO has been fully compliant with the Privacy Rules.

AUSTRALIAN HYDROGRAPHIC OFFICE

In October 2017 legislative changes enabled the transfer of the Australian Hydrographic Office functions from the Royal Australian Navy to AGO, which was based on the findings of the 2015 First Principles Review. The office consequently now has oversight of the functions of the Australian Hydrographic Office in relation to any intelligence collection or application of the Privacy Rules. In May 2018, AGO advised the office that the Australian Hydrographic Office had fully incorporated ISA requirements into daily workflows and had received relevant compliance training. Due to current differences in task tracking and recording in separate systems, we have not yet reviewed any Hydrographic Office products, but we intend to review and report on these in the next annual report.

INSPECTION OF DIO ACTIVITIES

DIO's role is set out in a mandate agreed by the Minister for Defence, rather than in legislation. As a result, activity categories for DIO have been established with reference to its mandate, organisational structure and product types. Inspections of DIO are less frequent than for ASIO, ASIS, ASD and AGO, as the office focuses its limited resources on inspecting and reviewing the activities of the intelligence collection agencies over those of the assessment agencies DIO and ONA.

In this reporting period the office achieved the target of inspecting 75% of DIO's inspection categories. The office's inspection of DIO's activities included following up on matters identified during the inquiry into the analytic independence and integrity of DIO, as well as routine inspections of DIO's compliance with the Guidelines to Protect the Privacy of Australian Persons. IGIS staff also reviewed DIO's access to sensitive financial information from AUSTRAC, which is discussed in the Cross Agency Inspection section of this report.

In addition to these inspection activities, we were briefed by DIO in relation to its co-operation with other agencies. This co-operation has been important in maximising the efficiency of its processes which are subject to review by this office.

COMPLIANCE WITH DIO'S PRIVACY GUIDELINES

DIO's compliance with its Privacy Guidelines was reviewed twice during the reporting period by IGIS staff. These guidelines, which are available on the DIO website, are similar to the Privacy Rules established under section 15 of the ISA for ASIS, ASD and AGO. They allow DIO to perform its role while respecting the privacy of Australians. IGIS staff did not identify any significant issues or concerns in this reporting period and there was no evidence that DIO breached the privacy guidelines.

INSPECTION OF ONA ACTIVITIES

The activity categories assigned to ONA are derived from the way in which ONA's statutory functions are structured under section 5 of the ONA Act, namely:

  • assessment
  • coordination
  • evaluation

Due to staffing constraints, in this reporting period the office did not meet the target of inspecting at least 75% of ONA's activity categories. As ONA is an assessment agency the office considers that ONA's activities are consequently less likely to intrude upon the personal affairs of Australian persons than the activities of the intelligence collection agencies, which for that reason are given priority.

During 2017–18, IGIS staff conducted inspections examining ONA's compliance with its Privacy Guidelines and reviewed ONA's policies and handling of open source information as part of a cross agency project. The results of this inspection project are reported in the Cross Agency Inspections section of this report.

COMPLIANCE WITH PRIVACY GUIDELINES

At the end of the last reporting period, ONA updated its Privacy Guidelines. ONA reviewed and updated its existing privacy related guidance and developed a revised training package to be delivered to relevant staff.

During the reporting period, IGIS staff undertook two inspections of ONA's compliance with its Privacy Guidelines. The first of these inspections found no errors of consequence. The second identified a small number of instances where Privacy Guidelines were not applied appropriately by ONA before publication. ONA self-reported these incidents. We assessed that these errors did not result in the dissemination of intelligence information about an Australian person without an appropriate reason.

OTHER ACTIVITIES

This year IGIS staff increased their engagement with ONA's Open Source Centre (OSC), particularly focusing on its governance arrangements. The OSC systematically collects and researches publicly available information to support Australian Government intelligence priorities and the work of the National Intelligence Community. In accordance with ONA's mandate under the ONA Act, the OSC focuses on international developments that affect Australia's national interests. IGIS staff will continue to focus on this aspect of ONA's work during 2018-19.

CROSS AGENCY INSPECTIONS

During the reporting period this office conducted inspections that covered activities common to a number of agencies.

OPEN SOURCE INFORMATION PROJECT

This project assessed the intelligence agencies' understanding of open source information, including the distinction between open source and private information, as well as whether their handling of open source information is appropriate and in accordance with respective statutory obligations. The project also provided guidance as to how the office should review activities in relation to the intelligence agencies' handling of open source information.

The project concluded that there is a common understanding of the meanings of open source and private information. All agencies distinguish between open source information (meaning unprotected publicly available information) and private information (where the originator of the information has taken steps to protect or add privacy restrictions) even though the information may be accessible via an open source medium, such as a social media platform.

There is no evidence to suggest that the intelligence agencies use open source material illegally or inappropriately. All agencies understand that collection of open source information must be legal and proportionate to the threat and that covert and intrusive collection requires different authorisation and procedures. Each agency has developed processes to identify and exploit open source information and carefully considers the issues of online security when conducting online research.

USE OF ASSUMED IDENTITIES

Part 1AC of the Crimes Act 1914 and corresponding State and Territory laws enable ASIO and ASIS officers to create and use assumed identities for the purpose of performing their functions. The legislation protects authorised officers from civil and criminal liability where they use an assumed identity in a circumstance that would otherwise be considered unlawful. Similarly, the legislation protects the Commonwealth, State and Territory agencies who provide the evidence of an assumed identity in accordance with the Act.

The legislation also imposes reporting, administration and audit regimes on those agencies using assumed identities. Section 15LG of the Crimes Act 1914 requires ASIO and ASIS to conduct six monthly audits of assumed identity records and section 15LE requires that each agency provide the Inspector-General with an annual report detailing the activities of their respective agencies during the year. The Director-General of Security and the Director-General of ASIS provided the Inspector-General with reports covering the activities of their respective agencies for the 2016-17 reporting period. There was nothing in the reports to suggest that the agencies were not complying with their legislative responsibilities, or which otherwise caused concern.

ACCESS TO SENSITIVE FINANCIAL INFORMATION BY INTELLIGENCE AGENCIES

The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (the AML/CTF Act) provides a legal framework in which designated agencies are able to access and share financial intelligence information created or held by AUSTRAC. All intelligence agencies and the office are designated agencies for the purposes of the AML/CTF Act.

The office has a memorandum of understanding (MOU) with AUSTRAC which provides an agreed understanding of the office's role in monitoring access to, and use of, AUSTRAC information by agencies.

In overseeing an agency's use of AUSTRAC information, IGIS staff check that there is a demonstrated intelligence purpose applicable to that agency's functions; that access is appropriately limited; that searches are focused; and that information passed to Australian agencies and foreign intelligence counterparts is correctly authorised. Each year we prepare a statement summarising compliance monitoring in respect of the intelligence agencies' access to, and use of, AUSTRAC information in the previous reporting period. As required under the MOU, during the reporting period, this statement was sent to the Attorney-General, the Minister for Foreign Affairs and the Minister for Defence. ONA advised us that, during the reporting period, it did not access or use any AUSTRAC related data.

Review of access to sensitive financial information by ASD, AGO and DIO during the reporting period did not reveal any issues of material concern. There were no instances of non-compliance by ASD, AGO and DIO regarding use and protection of and access to AUSTRAC information. ASD, AGO and DIO continued to have limited interaction with AUSTRAC material during the reporting period and did not access any information directly via online access to AUSTRAC databases. All the Defence intelligence agencies have effective procedures in place with regard to handling of this information.

Review of ASIS access to AUSTRAC information found that ASIS governance and recordkeeping on this matter continued to be effective. In addition, ASIS self-reported a case where ASIS staff passed AUSTRAC information to a liaison partner without seeking prior approval from the Director-General. This was in breach of section 133A of the AML/CTF Act and ASIS procedures. In this case, the Inspector-General was satisfied that the disclosure by ASIS was for the purpose of the ASIS staff members' duties and therefore not a criminal offence under section 127(2) of the Act.

The office's review of ASIO's access to and use of AUSTRAC material identified extensive non-compliance with the requirements of ASIO's MOU with AUSTRAC and with ASIO internal policy, as well as a potential breach of the AML/CTF Act.

In particular, the MOU requires ASIO to maintain a log of all transmission of AUSTRAC information. IGIS staff found that this requirement was only complied with once during the review period. Further, IGIS staff identified a number of ASIO communications addressed to agency officials in circumstances where ASIO staff did not first ascertain whether the receiving officers were authorised to receive AUSTRAC information. ASIO advised that ASIO had passed AUSTRAC information to a foreign intelligence service without acquiring the requisite level of internal approval, in breach of the MOU.

In relation to the AML/CTF Act, IGIS staff identified that ASIO had disseminated a particular subset of AUSTRAC information – suspicious matter reporting – to a non-designated agency on a number of occasions. ASIO's view was that ASIO is able to share information with non-designated agencies in reliance upon section 127(3)(a) of the AML/CTF Act. The Inspector-General's view is that, as a matter of propriety, if not legality, ASIO should not communicate suspicious matter reporting to non-designated agencies and that ASIO should communicate AUSTRAC information in accordance with the requirements of sections 128 and 133 of the AML/CTF Act.

In response to the issues raised by this office, ASIO conducted an internal review. As a result, ASIO made a number of recommendations, all of which were accepted by ASIO's Intelligence Committee. The office is satisfied that these measures will improve ASIO's handling of AUSTRAC material and mitigate against the risk of these errors recurring.

The office's inspection of ASIO's handling of AUSTRAC information also raised concerns in relation to compliance with the Attorney-General's Guidelines. The Guidelines require ASIO to take reasonable steps to ensure that personal information is not collected, used, handled or disclosed by ASIO unless it is reasonably necessary for the performance of its statutory functions. IGIS staff identified two instances in which a number of AUSTRAC records on file did not relate to the subject of ASIO inquiry. In both instances these records related to another person who had the same name as the subject of inquiry, but who was not the subject of ASIO's inquiries. The Inspector-General recommended that ASIO should consider how this sensitive information could be de-identified, quarantined and prevented from being incorporated into other ASIO databases and used, handled or disclosed at some later date. ASIO is yet to advise how this concern will be addressed.
