ASIS

IGIS officers regularly visited ASIS premises during 2019–20 to inspect ASIS’s operational case files. Generally these inspections occur monthly, however, not all scheduled operational file inspections could occur as planned, primarily due to restrictions relevant to the COVID-19 pandemic.

Inspections of operational files involve reviewing a sample of files, focusing on higher risk areas as determined by IGIS. ASIS activities involve the use of human sources and ASIS officers are deployed in many countries to support a wide range of activities including counterterrorism, efforts against people smuggling, and support to military operations. Considerations applied in the inspections of operational files include the appropriate application of the Privacy Rules; compliance with internal guidelines, policies, and procedures; and human rights requirements such as conventions relating to the prohibition of torture and other cruel, inhumane or degrading treatment.

For a given overseas location, source or operation these inspections typically focus on records created in the previous two years. During the reporting period, IGIS inspected files relating to ASIS’s operational activities in a number of countries, covering a wide variety of themes.

The sensitive nature of ASIS’s operational activities means that specific details of inspection topics, and the matters identified cannot be provided in a public report. At the conclusion of these inspections, IGIS is satisfied that ASIS is appropriately identifying and considering legality and propriety risks associated with operational activities. No significant concerns regarding legality, propriety or human rights were detected and ASIS achieved a very high level of compliance.

It is a breach of section 15(5) of the Intelligence Services Act 2001 (IS Act) for ASIS to communicate intelligence information concerning an Australian person other than in accordance with the Privacy Rules. An inspection identified an instance where ASIS communicated intelligence information on an Australian person to another Australian Government agency without first applying the Privacy Rules. This appears to have been an isolated case as on other occasions relating to this matter the Privacy Rules were clearly considered, correctly applied and appropriately documented. Moreover, it should be noted that in the isolated case the information would have met the requirements of the Rules had they been applied. Other inspections identified a number of record keeping issues which were minor in nature. IGIS is satisfied with ASIS processes and the remediation action taken.

Through its bi-monthly inspections IGIS generally inspects and reviews all ministerial submissions sent by ASIS to the Minister for Foreign Affairs. IGIS reviews submissions to ensure that ASIS is appropriately and accurately informing the Minister on relevant ASIS matters. Due to work restrictions and disruptions resulting from the impact of the COVID-19 pandemic, IGIS could not conduct all the planned inspections of ministerial submissions. The majority of the submissions reviewed during the reporting period related to Ministerial Authorisations to produce intelligence on Australian persons; these are discussed below.

ASIS consulted IGIS on several proposed ministerial submissions with potential issues connected to legality and propriety. These submissions were primarily regarding proposed updates to requirements involving the production of intelligence on Australian persons. The Inspector-General provided comments and suggestions as appropriate, and having reviewed the submissions sent to the Minister, is satisfied that in each instance the Minister was accurately informed.

ASIS is a foreign intelligence collection agency and intelligence activities it conducts on Australian persons attract IGIS scrutiny. During 2019–20, IGIS reviewed all Ministerial Authorisations obtained by ASIS from the Minister for Foreign Affairs up to February 2020 when this inspection was disrupted by the impact of COVID-19 restrictions.

The inspections conducted did not identify any breaches of legislation. IGIS identified one issue of propriety regarding the timeliness of advice to the Minister in relation to a Ministerial Authorisation whose grounds had ceased to exist. ASIS had appropriately ceased all activity as soon as the grounds ceased to exist but, due to an administrative error, ASIS did not advise the Minister in a timely manner. While the time within which the Minister is to be provided submissions to cancel Ministerial Authorisations will vary according to the facts of each case, in this instance IGIS considered that the Minister should have been advised sooner. IGIS is satisfied with ASIS processes and concluded that this was an isolated case and not indicative of a systemic issue.

There were no emergency ministerial authorisations sought during the reporting period.

The ASIS Compliance Branch aims to ensure that ASIS operates legally and in accordance with established authorisations and policies, develops internal policies and procedures, provides compliance and risk related advice and training to ASIS officers, and conducts investigations into matters of concern. The ASIS Compliance Branch works to develop and promote an agency culture of compliance.

When ASIS conducts an investigation into a matter of concern, IGIS receives a copy of the investigation report. IGIS independently reviews all ASIS investigation reports and considers the scope and process of the investigation and the action taken on any issues identified. IGIS may undertake further investigations, request additional information, recommend action to be taken, or request updates on implementation of remediation.

During the reporting period, IGIS met frequently with the ASIS Compliance Branch and was briefed on all relevant matters and provided access as required.

During 2019–20, ASIS provided IGIS with seven reports related to activities in breach of the IS Act. Some reports covered more than one specific breach. All but one breach involved communications not in accordance with the Privacy Rules; this case is discussed below. Separate to these reports, ASIS undertook reviews into other matters of concern related to internal policies and procedures and reported to IGIS as appropriate. The number of breaches of the Privacy Rules and investigation reports provided to IGIS were generally consistent with the numbers in the previous reporting period. ASIS self-identified the majority of breaches and reported them to IGIS. IGIS is satisfied with ASIS reporting, investigation and remediation in these matters.

One of the compliance reports referred to above related to a failure to obtain a Ministerial Authorisation in breach of section 8 of the IS Act. This case involved ASIS being engaged in activities for the purpose of producing intelligence on an overseas Australian person who was likely involved in terrorism related activities. These activities occurred without a Ministerial Authorisation in place, or a written notice under section 13B of the IS Act. The case also involved two breaches of the Privacy Rules and a number of issues of administrative non-compliance. There was also a significant delay between the identification of this incident and notification to IGIS. The case was brought to the attention of the ASIS Compliance Branch following a compliance training session and subsequently the ASIS Compliance Branch notified IGIS and kept IGIS informed as the ASIS investigation progressed. ASIS advised IGIS that it was planning to use the scenario as part of its ongoing compliance training, and would update its internal Privacy Rules policy to minimise the risk of future similar breaches. IGIS reviewed the ASIS investigation report and raised additional matters, including further suggested changes to internal policy. As at 30 June 2020, these updates had not yet been implemented. IGIS will continue to engage with ASIS and monitor these changes.

During 2019–20, ASIS self-reported a total of 17 breaches of the Privacy Rules in the seven compliance reports referred to above. Seven of these breaches occurred between 2012 and 2015, which ASIS identified during 2019–20. An additional two breaches were identified by IGIS during inspection and other review work. Human error was the cause of the breach in the majority of cases. The errors included officers missing key information when reviewing a report prior to publication, failing to accurately interrogate a key ASIS database that contains information indicating a person’s nationality, or not updating that database as required.

Noting the total volume of reporting that ASIS produced on Australian persons during 2019–20, the incidence of Privacy Rules breaches was rare. IGIS found no indication of systemic failings with ASIS’s compliance controls or training. IGIS did not identify any cases where reporting on an Australian person would not have been reasonable and proper had the Privacy Rules been correctly applied at the time.

In its compliance reports ASIS identified some areas for improvement in record keeping or compliance, and IGIS identified some additional matters in its inspection and review work. IGIS will continue to monitor ASIS’s application of the Privacy Rules closely as well as the implementation of areas identified for improvement. IGIS is satisfied with ASIS reporting procedures in these matters.

Under the Privacy Rules ASIS is also required to advise IGIS when it obtains information which leads to the overturning of the initial presumption that a person overseas is not an Australian person. If the initial presumption was reasonable, such incidences are not recorded as a breach of legislation or the Privacy Rules. In 2019–20, ASIS reported three occasions where such a ‘presumption of nationality’ was overturned. In all cases ASIS’s initial presumption was reasonable and in accordance with the Privacy Rules as it initially had no evidence that the individuals, who were located outside Australia, were Australian. One case related to the s 8 compliance incident discussed earlier. Timely notification of this incident was not provided to IGIS or to other relevant intelligence agencies. IGIS is however satisfied with the basis of the initial presumption of nationality and will continue to monitor these matters and the timing of the notifications that should be made to IGIS.

Under the IS Act ASIS officers are prevented from undertaking activities that involve violence or the use of weapons except in the limited circumstances permitted by the IS Act. The IS Act provides for ASIS to equip its officers with weapons, and to train them to use weapons and self-defence techniques in certain circumstances, particularly in order to protect themselves or certain other people.

Schedules 2 and 3 of the ISA require that the Minister and Director-General provide certain documentation to this office related to the use of force and weapons, including approvals for weapons and self-defence training; copies of Director-General Guidelines issued for the purpose of weapons and self-defence; approvals in specific circumstances where the Minister approves the use of force; and if officers or agents use weapons or self-defence techniques other than in training or approved scenarios.

During 2019–20, the Director-General of ASIS issued new guidelines under Schedule 3 of the IS Act relating to the use of force or threats of the use of force, and updated guidelines made under Schedule 2 relating to the use of weapons and self-defence techniques. The Inspector-General was consulted during the drafting of these documents, and the final versions did not raise any legality or propriety concerns. As required under the IS Act, the Inspector-General briefed the PJCIS on these changes. In the 2019–20 reporting period, the Minister and the Director-General of ASIS provided the reports required under the IS Act. The Inspector-General continues to be satisfied that there is a genuine need for a limited number of ASIS staff to have access to weapons for self-defence in order to perform their duties effectively. ASIS did not report, and IGIS did not find, any cases where a weapon was discharged or self-defence techniques were used other than in training. ASIS did not report, and IGIS did not find, any instances of non-compliance with the Director-General’s internal guidelines on weapons. In one case the Minister provided an approval for certain ASIS staff members to protect a number of persons in accordance with Schedule 2, Clause 1(3) of the IS Act.

IGIS examined ASIS weapons and self-defence policies, guidelines and training records during an inspection. No significant issues were identified. IGIS identified a record keeping error relating to how ASIS applied part of its guidelines issued under Schedule 2. IGIS is satisfied with ASIS processes and reporting, and its remediation of the record keeping error.