ASIO
The Australian Security Intelligence Organisation (ASIO) is Australia’s national security service. ASIO is responsible for the protection of Australia, its people, and its interests from threats to security, whether directed from, or committed, within, Australia or overseas.
Each year the IGIS conducts a number of inspections and reviews of the activities of ASIO. Information on all agency inspections and assessments are published in the IGIS annual report.
Given the scale and scope of ASIO functions, IGIS implements a risk-based approach to inspection and compliance monitoring; this involves regularly sampling a number of identified activities. IGIS officers have direct access to the relevant ASIO information technology and records management systems to inspect and review all records.
Throughout 2019-20 IGIS staff conducted inspections using a variety of methodologies, including thematic reviews, risk-based sampling and random sampling. While COVID-19 restrictions had a minor impact on activities, most planned inspections continued unaffected. Inspections of ASIO’s investigative cases focused on:
- the legality of ASIO’s activities;
- the propriety of the investigative activities being proposed and undertaken;
- compliance with Ministerial guidelines; and
- compliance with internal policies and procedures.
IGIS inspections identified instances that did not breach legislation but which were non-compliant with internal agency policy and procedure. ASIO separately identified and proactively notified IGIS of other instances of non-compliance with internal policy and procedure. IGIS found that ASIO has continued its focus on improving record keeping practices across the organisation.
During the last reporting period, ASIO increased the number of briefings provided to IGIS and this has continued over 2019–20. The briefings covered topics such as new capabilities, new initiatives and areas of risk. These briefings allow IGIS to stay abreast of emerging issues, or to follow up observations from inspection activities. There are regular meetings between the Inspector-General and the Director-General of Security as well as bi-monthly meetings between the Inspector-General and senior ASIO officers; these meetings cover a variety of matters.
ASIO produces a range of analytic products including security assessments, applications for warrants, investigative reviews and published analytic products. Some products have greater potential to intrude into the privacy of Australians than those of DIO and ONI, and others may adversely affect the interests of individuals; for example, an adverse security assessment may recommend that the Government take an action which would be prejudicial to the interests of the person such as cancelling their passport.
During the reporting period, ASIO has continued its efforts to support analysts in their professional development, including through development and delivery of a training package specifically targeted at officers with responsibility for overseeing and managing analytic functions. At ASIO’s invitation, IGIS officers presented at the course and reinforced expectations regarding compliance with all relevant policies and procedures.
In November 2019, ASIO advised IGIS it had become aware that key intelligence used as the justification for a security investigation of an individual had not been correctly recorded in ASIO’s corporate records; for various reasons, at the time the issue was identified the relevant material was unable to be reobtained and recorded correctly. This placed ASIO in a position where, had it been asked to produce evidence justifying the investigation of that individual, it would not have been able to do so. ASIO advised IGIS that it had immediately suspended the investigation pending an initial compliance review, and then terminated the investigation. ASIO advised that it would delete the results of telecommunications and financial inquiries conducted by ASIO from ASIO corporate systems. ASIO’s intelligence holdings were updated to remove intelligence reporting on the subject that had been based on the relevant material and ASIO circulated updated advice to remind officers of the relevant analytical integrity principles and procedures.
IGIS concluded that the incident was attributable to human error, rather than systemic weakness in analytical procedure, and that action was taken to ensure ASIO officers were aware of the relevant procedures. IGIS considers that ASIO’s identification of this issue and its remedial actions were adequate, appropriate, and timely.
ASIO activities include collection of intelligence through human sources. The details of these activities are highly sensitive and cannot be disclosed in a public report. During the reporting period, IGIS staff reviewed ASIO human source case files and met with ASIO staff to discuss related activities.
ASIO can intercept telecommunications under warrants issued by the Attorney-General pursuant to the Telecommunications (Interception and Access) Act 1979 (the TIA Act). Warrants for the exercise of other intrusive powers, including searches, computer access and surveillance devices, can be issued pursuant to the provisions of the ASIO Act.
Throughout the reporting period IGIS staff inspected an indicative sample of warrants, primarily as part of the regular inspection of investigative cases. Minor compliance and record keeping errors were identified in these inspections and ASIO was advised of these issues. IGIS will continue to monitor ASIO’s compliance and record keeping as part of the regular inspection program.
IGIS continues to review ASIO’s response to a systemic issue relating to the authorisations of classes of persons under section 24 of the ASIO Act. The issue concerns the use of descriptions to define a class of persons for the purposes of section 24 of the ASIO Act. IGIS considered that these descriptions may be overly broad, uncertain, or not sufficiently connected to the exercise of power under the warrant. During the year, ASIO obtained legal advice and reviewed its internal guidance on these matters. IGIS has conducted a further inspection of authorisations made under section 24 and will continue to monitor this issue.
The 2018–19 annual report noted that IGIS had identified ASIO’s inappropriate use of templated text to brief the Attorney-General for the purposes of section 27C(2)(b) of the ASIO Act. In response to this issue, ASIO has amended warrant application templates so that officers are prompted to provide a tailored brief on the matters identified in this subsection. IGIS is satisfied that ASIO has appropriately addressed the issue and inspections conducted during 2019–20 did not identify any similar examples of the use of generic templated text.
ASIO proactively informed IGIS of certain breaches and other issues relating to warrants issued under the TIA Act and the ASIO Act. This included early notification of some incidents that were ultimately confirmed to be compliant and also notification of incidents that resulted from events outside ASIO’s control but which ASIO believed should be notified to IGIS in the interests of transparency. A small number of reported breaches were attributable to mistakes made by telecommunications carriers rather than ASIO; nevertheless they required ASIO to take remedial action such as deleting information incorrectly sent by the carrier.
A detailed summary of compliance incidents reviewed by IGIS is provided below. Some of these matters remained under review by ASIO at the end of the reporting period, therefore IGIS has not finalised its consideration of the matters.
Two breaches of section 63(1) of the TIA Act
Section 63(1) prevents a person from communicating, making use of, making a record of, or giving in evidence in a proceeding, lawfully intercepted information or information obtained by intercepting a communication unlawfully. In late June 2019, ASIO notified IGIS that it may have disclosed information in contravention of section 63(1) of the TIA Act. ASIO later confirmed that it had disclosed foreign intelligence information to two partner services in November 2018 without having written approval from the Attorney-General as required by section 65(2) of the TIA Act. In response to this breach, ASIO updated its foreign intelligence collection warrant application templates to prompt ASIO officers to request appropriate approvals for future warrants. IGIS has reviewed the matters and is satisfied with ASIO’s assessment and subsequent remediation action.
Interception under section 11B warrants
ASIO notified IGIS of an administrative error relating to interception authorised under a s 11B warrant. Section 11B provides for named person warrants to be issued for the collection of foreign intelligence. ASIO had initially intended to intercept a telecommunications service used by the subject of the warrant but decided on propriety grounds that the telecommunications service should not be intercepted. The telecommunications service was removed from the warrant but administrative errors resulted in the service being intercepted for several months. ASIO advised that on identifying the error, it ceased interception of the service, deleted all data intercepted from the service and conducted an audit to ensure no additional services were the subject of unauthorised collection. In addition, internal guidance was issued to ASIO officers reiterating the administrative procedures for s 11B warrants. While IGIS is satisfied with ASIO’s response to this specific incident, IGIS has worked with ASIO to identify additional opportunities to improve its interception procedures.
Separately, ASIO notified IGIS of a potential breach relating to a s 11B warrant where services added to the warrant related to an Australian permanent resident. Having identified this issue, ASIO immediately ceased interception of these services. ASIO is currently reviewing the matter and IGIS will assess and consider ASIO’s response following its review.
In addition, ASIO notified IGIS about a propriety issue concerning a named person warrant where some data that was lawfully collected under the warrant but was intended to be deleted from ASIO holdings was not deleted. Further investigation by ASIO determined that the segregation and deletion of this data was not viable once collected. IGIS continues to liaise with ASIO on this matter.
Application of section 11B(2) of the TIA Act
In July 2019, ASIO advised IGIS that it had identified an issue regarding the application of s 11B(2) of the TIA Act. Section 11B(2) requires ASIO to advise the Attorney-General of the details of telecommunications services used by the subject of the warrant application, to the extent these are known to ASIO. The matter is currently being reviewed by ASIO and IGIS will consider ASIO’s response following its review.
Breaches of section 16(2) of the TIA Act
Section 16(2) requires ASIO, where interception of communications to or from a service are no longer required, to immediately inform an authorised representative of a telecommunications carrier, with confirmation to be given in writing as soon as practicable. In August 2019, ASIO notified IGIS of a breach of section 16(2)(d) of the TIA Act. During 2019, ASIO determined that a telecommunications service it had targeted under section 9A warrant was no longer being used by the named person. ASIO immediately ceased interception of the service but did not notify the telecommunications carrier in writing, as required by section 16(2)(d) of the TIA Act, for approximately three months. Having identified the error, ASIO provided the notification. No unauthorised collection had occurred. In response to this incident, ASIO reinforced the requirements of section 16 of the TIA Act with relevant officers. IGIS has reviewed the matter and is satisfied with ASIO’s notification and response.
In the previous reporting period, ASIO had notified IGIS of a possible breach of s 16(2) of the TIA Act but had not concluded its investigation as at 30 June 2019. ASIO subsequently concluded that a breach had not occurred and provided that advice to the Inspector-General in October 2019. IGIS is satisfied with ASIO’s investigation and advice.
Error in section 11C warrant
In November 2019, ASIO advised IGIS of an error that had been identified in a warrant issued under section 11C of the TIA Act. Section 11C provides for warrants to be issued for the interception of foreign communications for the purpose of obtaining foreign intelligence. Following legal review, ASIO determined to seek a new warrant. The Inspector-General was informed of the matter and concurred with the proposed action. The Attorney-General authorised a new warrant and the original warrant was revoked.
Breaches in sections 7(1), 13 and 17(1) of the TIA Act
Section 7(1) prohibits interception of communication passing over a telecommunications system. However, section 7(1) does not apply in certain circumstances, including where a warrant is in place. Section 13 requires ASIO to ensure that interception of communications under a warrant are discontinued where the grounds on which the warrant was issued cease to exist prior to the expiration of the warrant, and to advise the Attorney-General accordingly. Section 17(1) requires ASIO to provide a report to the Attorney-General within 3 months after the expiration or revocation of a warrant.
Between January and March 2020, ASIO notified IGIS of breaches concerning several related warrants issued under section 9 of the TIA Act. In the first notification, ASIO reported two instances where issues with confirming the subscriber of a telecommunications service had resulted in the unintended interception of telecommunication services likely used by Australian persons.
The first incident of erroneous interception of the service was caused by the telecommunications carrier providing incorrect subscriber details to ASIO. ASIO advised that when it detected the error, it ceased interception, deleted all relevant data and reported the issue to the Attorney-General.
The second incident resulted from the subject unsubscribing from a telecommunications service and the service being subscribed to another person. In the brief period after ASIO had confirmed the subscriber details of the telecommunications service but before ASIO applied for the warrant, the service in question was unsubscribed by the subject of ASIO’s collection efforts. Despite becoming aware during the term of the warrant, ASIO did not revoke the warrant as it made the assumption that the service would not be resubscribed before the expiry of the warrant. However, the service was resubscribed to another subscriber shortly before the warrant expired. This resulted in the communications of the new subscriber being intercepted over a six day period. After detecting the error, ASIO deleted this data. In addition, ASIO advised IGIS that due to an administrative oversight, it did not report the incident to the Attorney-General in its initial report under section 17 of the TIA Act. A separate report of the incident was subsequently provided to the Attorney-General.
In response to these breaches, ASIO conducted a review of the interception operation. ASIO identified and notified IGIS of four additional incidents making a total of six warrants issued under s 11A of the TIA Act with identified breaches. These cases are discussed below and are currently being reviewed by ASIO. IGIS will consider ASIO’s response following its review.
The third incident involved similar circumstances where a service was disconnected in the period between a subscriber check being undertaken and the warrant being authorised. The service was resubscribed during the period of the warrant, resulting in the communications of the new subscriber being intercepted over a four day period. ASIO advised that when it identified the error, it deleted the intercepted data and provided the Attorney-General with a supplementary warrant report.
In the fourth incident, ASIO determined that it would not seek a warrant to continue intercepting a particular service. ASIO did not inform the Attorney-General, as required by s 13 of the TIA Act, that the grounds on which the warrant had been issued had ceased to exist and ASIO did not take steps to ensure the interception of communications under the warrant was discontinued. Subsequently, due to an administrative error, interception of this service was sought and authorised under a later warrant.
The fifth incident resulted from an error made by ASIO in the identification of a subscriber, which led to a service being wrongly intercepted.
The sixth incident resulted from an administrative error whereby a subscriber check indicating that a service had been disconnected was incorrectly thought to indicate the service remained active. Accordingly, ASIO did not inform the Attorney-General that the grounds on which the warrant was issued had ceased to exist and did not take steps to discontinue the interception. This oversight resulted in continued interception being authorised under a later warrant. In addition, ASIO later identified that the service was probably resubscribed during the warrant period resulting in a further instance of communication from the subsequent subscriber being intercepted.
ASIO identified these additional breaches in January 2020 and provided notice of intention to revoke these warrants and requested that the interception be discontinued in each case. ASIO advised IGIS that it would delete all intercepted data and report the incidents to the Attorney-General. ASIO subsequently advised that reports had been provided to the Attorney-General.
Description of services
When ASIO submits a request to the Attorney-General to obtain a named person warrant under section 9A or section 11B of the TIA Act, ASIO must include details, to the extent these are known, sufficient to identify the telecommunications services that ASIO assesses the named person is using, or is likely to use. During 2017-18 IGIS staff queried whether ASIO’s warrant documentation made clear the nature of the services ASIO intended to target. Following this, ASIO, in consultation with IGIS, prepared standing guidance for the Attorney-General on how it describes telecommunications services. This advice was provided to the Attorney-General in January 2020.
Failure to delete data as intended
As an assurance activity, each year IGIS staff conduct an inspection to confirm that the deletion of data from ASIO systems has been effective and that no traces of information unintentionally remain. During 2019–20, IGIS identified two instances where data that ASIO had advised was deleted from all systems was still available on one system. One of these instances was caused by a failure of process. The second instance, which was identified by ASIO during the inspection, was due to a technical issue affecting the collection and storage of information obtained via a certain class of surveillance device. Following the inspection, ASIO conducted an historical review to determine if this technical error affected any other warranted collection during 2018–19. ASIO confirmed to IGIS that the failure to delete all data was an isolated technical incident. ASIO rectified the technical error and revised processes governing how information from that class of surveillance device is collected and stored. IGIS is satisfied with ASIO’s review and remediation response.
Sections 175 and 176 of the TIA Act empower certain ASIO personnel to authorise the collection of historical and prospective telecommunications data from telecommunications carriers or carriage service providers. Authorisations are limited to circumstances in connection with the performance of ASIO’s functions and in accordance with the Attorney-General’s Guidelines, and must be signed by a specific eligible person.
ASIO notified IGIS of three incidents relating to prospective data authorisations under section 176 of the TIA Act.
In the first incident, the eligible person was briefed on the facts and grounds for the two telecommunications services to be subject to the authorisation. However, due to human error the authorisation instrument signed by the eligible person omitted the details of one of the services, and this omission was not identified by officers responsible for communicating the authorisation to the recipient of the notice. Consequently, the recipient was instructed to provide data for both services, one of which was unauthorised. The error was identified on the same day the authorisation notice was issued and before any data had been provided. ASIO issued a revised authorisation instrument containing details of both telecommunications services. In response to this incident, ASIO advised IGIS that it would update its administrative procedures for notices under section 176 of the TIA Act to reduce the risk of human error in the future.
In the second incident, during drafting of the necessary approval documentation, relevant checks were not conducted against three individuals to ensure the individuals were at the correct investigation level in ASIO’s case management system.
The third incident occurred when the approvals that would authorise maintaining the subjects of the prospective data authorisation at the correct investigation level in ASIO’s case management system were not completed by the relevant due date. This omission was identified the following day and collection was ceased immediately.
ASIO also notified IGIS of two cases where telecommunications data was obtained contrary to section 175 of the TIA Act.
The first case involved three separate incidents within the same operation involving different telecommunications carriers. In the first incident, the carrier was unable to limit the results of the section 175 request to the criteria identified by ASIO, resulting in the provision of significant additional data. ASIO advised IGIS that it was working to identify the data that was outside the specified criteria and to delete it from ASIO’s systems. In the second incident, data was delivered by the carrier without a valid section 175 request in place. ASIO advised that this data was quarantined and then deleted. In the third incident, the section 175 request was invalid as it sought data for a period after the date of the request. ASIO advised that this data was also quarantined and deleted.
The second case involved human error in interpreting data used as the basis for four requests. This resulted in data being obtained that was earlier than the connection date of two services and, in one instance, data being sought for the wrong service. ASIO advised that the relevant data had been deleted. Separately, ASIO reported another case that highlighted similar problems in interpreting data.
These cases are currently being reviewed by ASIO and IGIS will consider ASIO’s response following their review.
Unlawful commencement of joint warranted operation
In July 2019, ASIO notified IGIS of an incident concerning a joint operation conducted with a partner foreign service targeting an Australian person of security interest. The operation was conducted in two phases. In both phases of the operation participation by the foreign service required authorisation under its own laws as well as authorisation under an Australian warrant. The foreign service mistakenly understood that, so long as the foreign service was authorised to conduct the activity under its own laws, then the first phase of the operation could be undertaken without an Australian warrant. Consequently, when the ASIO operational team sought assurance that the activities of the foreign service would not commence prior to the Australian warrant being in place, the foreign service provided this assurance on the assumption that the warrant was only required for the second phase of the operation.
Before commencing the first phase of the operation, the foreign service asked an ASIO liaison officer in that country (who was not part of the relevant ASIO operational team) for confirmation that the foreign service could proceed with the operation. This request was intended to maintain operational coordination with ASIO, as the foreign service believed it could proceed on the basis of its own authorisation. The ASIO liaison officer was unable to consult the relevant operational team and due to the urgency of the operation, confirmed ASIO’s agreement for the foreign service to proceed. IGIS has reviewed this matter and found that the liaison officer misconstrued corporate records of operational planning discussions that had been held earlier that day, and mistakenly believed that the Australian warrant that would provide the requisite authorisation of the foreign service was already in place.
Accordingly, the foreign partner commenced the first phase of the operation without authorisation under Australian law, resulting in unlawful intelligence collection. On the same day, when ASIO became aware of the foreign service’s action, it obtained a warrant for the activity. ASIO formally advised the foreign service that its activities were unlawful.
In response to the incident, ASIO advised IGIS that it would develop and implement new procedures for joint operational activity to mitigate the risk of a similar incident occurring. IGIS has reviewed ASIO’s records relating to this incident, and has concluded that it was caused by poor communication processes between the relevant parties. IGIS is satisfied that ASIO’s response to the incident was appropriate and timely. IGIS will continue to monitor the development of new procedures for joint operational activity.
Non-compliance with section 25(7)(a) of the ASIO Act
Section 25(7)(a) of the ASIO Act specifies that a warrant issued under section 25 of the ASIO Act must explicitly authorise the use of any force against persons and things that is necessary and reasonable. In July 2019, ASIO advised IGIS that search activity had occurred under a warrant that was non-compliant with section 25(7)(a). On the day of the planned search activity ASIO officers realised that the required authorisation had been omitted from the warrant. ASIO prepared an urgent application requesting the Attorney-General to issue a new warrant with the requisite authorisation; however, the search commenced before the Director-General made contact with the Attorney-General. The existing warrant was replaced by a new warrant during the period of the search activity. IGIS has considered the matter and is of the view that the omission of the mandatory authorisation did not invalidate the warrant. IGIS is satisfied that ASIO’s prompt actions to seek immediate reissue of the warrant were reasonable.
Potential unauthorised activity under a section 25 search warrant
The 2018–19 IGIS annual report noted that ASIO had advised IGIS of a possible breach of s 25 of the ASIO Act, whereby a person who examined records during a search activity may not have been authorised under s 24 of the ASIO Act to do so. ASIO had not concluded its investigation into the matter during the 2018–19 reporting period.
In 2019–20, ASIO advised IGIS of the results of its investigation. In 2018–19, an ASIO search team requested at very short notice the participation of an officer of another Commonwealth agency to support the execution of a search warrant under s 25 of the ASIO Act. At the conclusion of the search, a post-activity review identified that, while certain classes of officer from that Commonwealth agency were validly authorised under s 24 to participate in the search, the officer in question did not belong to any of the classes specified. All other members of the search party were validly authorised to execute the warrant. IGIS is satisfied with the action taken by ASIO in identifying and notifying this breach.
Disclosure of information from a foreign partner service
ASIO notified IGIS of an incident where it had received a disclosure of information from a foreign partner service about an Australian citizen which could not have been collected lawfully by ASIO without a computer access warrant under section 25A of the ASIO Act. IGIS reviewed the circumstances of this incident and concluded that ASIO’s actions in relation to the disclosure could reasonably be argued to be lawful and proper. In particular, IGIS determined that ASIO did not solicit information on the Australian citizen from the foreign partner in a manner that could reasonably be interpreted as a request to collect or disclose information in circumvention of Australian law. IGIS considered that the incident highlighted systemic issues. IGIS considers that, should these issues remain unaddressed, it could result in future breaches. IGIS will continue to monitor how ASIO has addressed the systemic issues identified.
Breaches of section 38 of the ASIO Act by Commonwealth Departments
In certain circumstances, section 38(1) of the ASIO Act requires a Commonwealth agency that receives an adverse or qualified security assessment from ASIO in respect of a person to give, within 14 days, written notice to that person, including a copy of the assessment and information concerning the person’s right of appeal to the AAT. During the reporting period, ASIO advised IGIS of two cases where a Commonwealth department failed to provide the relevant information within the time period required by section 38(1).
ASIO also advised IGIS of an additional instance where a Commonwealth department failed to comply with section 38(6) of the ASIO Act, which requires that notice of an adverse security assessment must be sent to the subject of the assessment by registered mail or hand delivery. The department instead provided this notice by ordinary post. ASIO identified the non-compliance and subsequently worked with the department to ensure that the requirements of section 38(6) were met.
IGIS is satisfied with ASIO’s actions in relation to these three cases. ASIO has since contributed to work undertaken by the department to develop policies and internal guidance to minimise the likelihood of future breaches of section 38 of the ASIO Act.
Breach of section 39 of the ASIO Act
Section 39 of the ASIO Act prevents Commonwealth agencies that receive advice from ASIO from taking prescribed administrative action against a person unless the advice is in the form of an adverse or qualified security assessment. ASIO advised IGIS of one instance where a Commonwealth agency took action that ASIO considered may have constituted prescribed administrative action in response to preliminary advice from ASIO that was not in the form of a security assessment. ASIO intervened to ensure that the subject of the advice was not adversely affected by the action of the Commonwealth agency. ASIO then met with the relevant agency to explain the incident and improve awareness of the requirements of the ASIO Act. IGIS is satisfied that ASIO’s response to the incident was adequate and appropriate.
No questioning, or questioning and detention, warrants were authorised or used during the reporting period.
Warrants issued under the ASIO Act must explicitly authorise the use of force necessary and reasonable to do the things specified in the warrant. Under section 31A of the ASIO Act, when force is used against a person in the execution of a warrant ASIO must notify the Inspector-General in writing as soon as practicable. The ASIO Act does not specify a timeframe for the provision of these reports and ASIO has developed a policy that requires an initial notification within 72 hours (three days) of the use of force, to be followed by more detailed information within 10 days. No notifications of use of force were received during the reporting period.
ASIO’s special intelligence operations (SIO) powers allow ASIO to seek authorisation from the Attorney-General to undertake activities that would otherwise be unlawful. Where the circumstances justify the conduct of an SIO, ASIO can seek these authorisations to assist in the performance of its special powers functions. The legislation requires ASIO to notify the IGIS as soon as practicable after an authority is given. During the reporting period in all instances the Inspector-General was notified within 24 hours of the Attorney-General granting approval for an SIO.
The legislation also requires ASIO to provide a written report on each SIO to the Attorney-General and the IGIS. As the details of SIOs are highly sensitive they cannot be included in a public report.
Unlike warrants issued under Division 2 of the ASIO Act, there is no requirement under Division 4 for an SIO to be discontinued if the requirement for special intelligence conduct has ceased. During 2019–20, IGIS identified several instances where ASIO had made a determination that conduct authorised under an SIO had ceased, but the authority was not cancelled and substantial time elapsed before the SIO authority expired. IGIS has advised ASIO that while there is no legislative requirement to do so, as a matter of propriety where ASIO makes a determination that conduct authorised under the SIO has ceased the authority should be cancelled as soon as practicable. ASIO has reported that it has updated its procedures to ensure that all officers understand this expectation. IGIS will continue to monitor ASIO’s update to procedure.
In June 2019, ASIO notified IGIS of an incident that occurred in February 2019. The incident involved possible unauthorised access to a telecommunications device that had been lawfully seized by the AFP under the Crimes Act 1914. At the time of the incident, ASIO had a warrant under the ASIO Act that authorised access to the device. However, an ASIO officer assisting with the investigation accessed the device but was not authorised to do so under the warrant. ASIO gave consideration to notifying IGIS in February at the time the possible breach was identified, but then did not provide notification until June.
Following notification and further details of the incident, IGIS questioned the legal basis for the information provided by ASIO in the initial notification to IGIS and the legal consequences of the incident. In June 2020, ASIO concluded that the provision of the telecommunications device to the ASIO officers and the subsequent actions taken in relation to the device were lawful and authorised under the Crimes Act. IGIS concurred with ASIO’s view regarding legality.
In December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 granted ASIO new powers in relation to obtaining industry assistance under the Telecommunications Act 1997. ASIO is required to notify the Inspector-General formally within seven days of a request or notice being given under the relevant legislative provisions set out in Part 15 of the Act. IGIS reviewed each use of these powers through its inspection program.
In addition, the Act granted ASIO new powers under the ASIO Act in relation to computer access and access to data, and voluntary assistance. The IGIS inspection program included a review of ASIO’s use of these powers during the year. IGIS will continue to monitor procedures and activities around the use of these powers.
In July 2019, the Counter-Terrorism (Temporary Exclusion Orders) Act 2019 came into effect providing for the Minister to make temporary exclusion orders preventing a person from entering Australia for a period of up to two years. Section 10(2) of the Act sets out the circumstances in which the Minister may make a temporary exclusion order, including where ASIO has assessed the person to be directly or indirectly a risk to security (within the meaning of the ASIO Act) for reasons related to politically motivated violence (within the meaning of the ASIO Act). IGIS has included inspection of ASIO’s assessments for the purposes of temporary exclusion orders in its regular inspection program. IGIS will continue to monitor ASIO’s procedures and activities around the use of these orders through regular inspection plans.
The Attorney-General’s Guidelines (the Guidelines) are issued under section 8A of the ASIO Act and are to be observed by ASIO in the performance of its functions. Among other things, the Guidelines require ASIO to review each of its investigations on an annual basis. In 2019–20, a small number of investigations were conducted without review for periods longer than a year. ASIO proactively reported the majority of these breaches to IGIS. ASIO also notified two instances where subjects were not raised to the correct investigation level in ASIO’s case management system.
The Guidelines also require that a security investigation into an entity must be reconsidered and reapproved at least annually by an ASIO officer of a certain seniority. ASIO notified IGIS of a breach of the Guidelines where, due to administrative and human error, an investigation was reviewed annually and reapproved three times by an officer who was not sufficiently senior. During this period, no intrusive activities were undertaken that required the correct approval of the investigation into the entity. In response to the breach, ASIO terminated the investigation and conducted remedial training on the requirements of the Guidelines. IGIS is satisfied with ASIO reporting and remediation action.
In March 2020, ASIO identified a potential breach of the Guidelines concerning financial records that were provided to ASIO contrary to internal procedures and without required approvals. After the incident was identified, all records that had been provided to ASIO were quarantined and then destroyed. Other relevant cases were then reviewed with no additional contraventions identified. The matter is currently being reviewed by ASIO and IGIS will consider ASIO’s response following this review.
ASIO may exchange information with certain other Australian Government agencies. IGIS reviews and inspects the exchange of sensitive personal information as part of IGIS’s periodic inspections.
During the reporting period, ASIO exchanged information with a number of Australian Government agencies including the Australian Criminal Intelligence Commission (ACIC), Australian Federal Police (AFP), State and Territory police services, the Department of Home Affairs, the Department of Defence and the Department of Foreign Affairs and Trade. IGIS regularly reviewed these exchanges to assess ASIO’s compliance with legislation, the Attorney-General’s Guidelines and ASIO policy. IGIS did not identify any concerns.
Access to taxation information
Section 355-70 of Schedule 1 to the Taxation Administration Act 1953 provides that a taxation officer authorised by the Commissioner of Taxation or delegate may disclose protected information to an authorised ASIO officer if the information is relevant to the performance of ASIO’s functions. This access to sensitive information is further governed by a memorandum of understanding between the Commissioner of Taxation and the Director-General of Security, the Attorney-General’s Guidelines and ASIO’s internal guidelines and procedures. ASIO rarely requests access to this type of information.
During the reporting period, IGIS staff reviewed ASIO’s access to sensitive tax information in the 2018-19 financial year. IGIS did not identify any issues of concern. In the next reporting period, IGIS will review ASIO’s access to taxation information for the period 2019-20.
The ASIO Act authorises ASIO to provide and to seek information relevant to Australia’s security, or the security of a foreign country, from authorities in other countries. ASIO may only cooperate with foreign authorities approved by the Minister. ASIO has guidelines for the communication of information on Australians and foreign nationals to approved foreign authorities.
During the reporting period, IGIS conducted an inspection of ASIO’s foreign liaison arrangements to assess the effectiveness of these arrangements in promoting information exchange that is consistent with human rights. The scope of the inspection included ASIO’s internal policy regarding the disclosure of information about minors. While information exchange is considered through other inspection activities conducted by IGIS, this was the first time in several years that a specific inspection into the issue had been conducted.
IGIS found that ASIO has frameworks in place to manage the potential human rights implications of disclosure, but there was scope for improvement in these frameworks. IGIS suggested measures to ensure that ASIO senior management oversight is directed towards areas of highest risk and that better guidance is provided to decision-makers to support their consideration of human rights issues. These matters are currently being addressed by ASIO. IGIS will continue to monitor ASIO’s progress.
IGIS reviewed a number of submissions made by ASIO to the Attorney-General and the Minister for Home Affairs. These submissions provide information on current operations undertaken by ASIO and emerging issues. IGIS reviews submissions to ensure that the information provided is timely and appropriate, and accurately informs the Minister on relevant matters. During the reporting period, IGIS raised an issue identified in the previous period where potentially unreliable or misleading advice was provided to the Minister. ASIO addressed the matter and provided further advice to the Minister. IGIS is satisfied with the appropriateness of information provided in other submissions.
Security assessments issued by ASIO can result in administrative decisions, such as cancelling a visa or passport, which significantly affect the liberties of the person who is the subject of the assessment. In 2019–20, IGIS reviewed a sample of cases where ASIO issued prejudicial (adverse or qualified) security assessments. IGIS did not identify any issues during the reporting period.