In undertaking its review of the administration of the intelligence agencies for the 2016-17 financial year, the Committee asked agencies to provide submissions addressing the following aspects of their agency:
strategic direction and priorities,
changes (if any) to the structure of the organisation,
legislative changes that have impacted on administration of the agency,
involvement (if any) in litigation matters,
human resource management, including:
staffing numbers and demographic information,
recruitment and retention strategies,
staff departure and separation rates,
workplace diversity statistics and initiatives,
training and development,
individual performance management,
staff feedback, complaints and investigations, and
accommodation and facilities,
information and communications technology initiatives,
public relations and/or public reporting, including requests for public access to records, and
organisational performance evaluation and accountability.
Additionally, the Committee asked agencies to report on aspects of their administration that are specific to that agency.
In their submissions, agencies outlined significant developments and the relevant aspects of their administration for the 2016-17 reporting period. The majority of the evidence received was classified, so has not been authorised for publication. The Committee scrutinised all material provided and followed up on several issues at classified hearings.
This chapter reports the Committee’s findings on the administration of the agencies. In some areas the discussion is necessarily general due to security needs.
During the reporting period, the Committee conducted inquiries into three bills that affected the operations of the AIC agencies.
Following consideration of the Committee’s reports, the Parliament passed each bill with amendments. The bills received Royal Assent on the dates noted below:
Counter-Terrorism Legislation Amendment Bill (No. 1) 2015
(Bill lapsed at prorogation of the 44th Parliament. Reintroduced as the Counter-Terrorism Legislation Amendment Bill (No. 1) 2016 in the 45th Parliament and received Royal Assent on 29 November 2016), and
Criminal Code Amendment (High Risk Terrorist Offenders) Bill 2016 (Royal Assent on 7 December 2016),
Telecommunications and Other Legislation Amendment Bill 2017 (Royal Assent on 18 September 2017).
Where applicable, agencies commented in their submissions on the extent to which these bills and other legislative changes had impacted on their agency’s administration.
ASIO highlighted the following:
The Counter-Terrorism Legislation Amendment Act (No.1) 2016 impacted in a number of areas:
changes to section 40 of the ASIO Act enabled ASIO to furnish security assessments in respect of a person directly to states and territories,
changes to section 35P of the ASIO Act created separate ‘insider’ and ‘outsider’ offences for the unauthorised disclosure of information related to special intelligence operations, and associated defences,
amendments to the control order regime in the Criminal Code had associated impacts on ASIO’s role in supporting these counter-terrorism powers.
The Criminal Code Amendment (High Risk Terrorist Offenders) Act 2016 introduced additional periods of detention for offenders who have completed their sentence, but would pose an unacceptable risk to the community if they were to be released.
ASIO identified that while these changes had had minimal impact on staffing, there had been a ‘substantial increase in the staffing effort across ASIO’ relating to the development of legislative reform measures that, at the time of the submission, were yet to be introduced. ASIO also noted a substantial increase in demand for legal assistance to operational activities.
Other agencies commented on their involvement in the development of legislative reform measures. Proposed amendments to the IS Act were again discussed with one agency during a private hearing.
AGO identified the integration of the Navy’s Hydrography and Meteorology Branch into their agency, which was given legislative effect by the Defence Legislation Amendment (2017 Measures No.1) Act 2017.
ASIO’s involvement in litigation and other legal matters continued in 2016‑17. This included terrorism and criminal prosecutions; coronial inquests; and Administrative Appeals Tribunal (AAT) and judicial reviews of security assessments.
20 adverse security assessment reviews were managed in the AAT,
two security assessments were reviewed by the Federal Court of Australia,
one administrative matter related to a Freedom of Information issue was commenced and dismissed by the AAT,
coronial inquests into the Lindt Café siege and the death of Ahmed Numan Haider were finalised during the reporting period, with recommendations from the siege inquest being accepted by ASIO and significant progress towards implementation made by 30 June 2017, and
evidence for use in ten NSW and four Victorian counter-terrorism prosecutions was provided to law enforcement partners.
ASD was not directly involved in any litigation matters in 2016–17.
ONA and ASIS advised that they were involved in an ongoing matter before the AAT.
Use of ASIO’s special powers
ASIO reports each year on its special powers under the ASIO Act and the Telecommunications (Interception and Access) Act 1979 to use specific methods of investigation, which include telecommunications interception and access; use of surveillance devices; entry and search of premises; computer access; and the examination of postal and delivery service articles.
The use of these powers is subject to a warrant approval process. Warrant requests are made by the Director-General of Security, usually independently reviewed by the Attorney-General’s Department, and considered by the Attorney-General.
Further, the ASIO Act enables ASIO, with the Attorney-General’s consent, to seek warrants from an independent issuing authority (a federal magistrate or judge) for questioning, or questioning and detention, of individuals for investigations relating to terrorist offences.
The number of warrants approved by the Attorney-General is classified and cannot be reported by the Committee. However, following increases in 2013–14 and 2014–15, and a small reduction in 2015–16, there was an increase in the number of warrants authorised in the 2016–17 reporting period, returning to similar levels as 2014–15.
Strategic direction, priorities and organisational structure
The Committee requested intelligence agencies to report on their organisation’s strategic direction and priorities, as well as any changes to organisational structure. A summary is provided below.
ASIO identified a number of strategic challenges faced by the agency, including:
expansion in the variety of actors posing a threat to national security,
the more rapid rate at which threats develop,
an ‘exponential’ increase in the use of online technologies, including encryption,
recruitment and retention of skilled knowledge workers, and
the need for ‘big data analytics to manage an increasing variety, velocity and volume of data’.
ASIO stated that it continued to address these challenges throughout 2016‑17, including through introduction of an innovation strategy, information technology initiatives, promotion of diversity and inclusion, continued recruitment of technical staff, and tailored risk management.
ASIO2020, which commenced on 1 July 2016, is ASIO’s key mechanism for strategic direction and reform, and is intended to address the most significant challenges to ASIO’s success against four strands that set the organisation’s strategic capability agenda: Context, Culture, People and Systems.
ASIO delivered its Corporate Plan 2017–18 during the reporting period, as required by the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The plan identifies four key areas of strategic focus for 2017–18:
countering espionage, foreign interference and malicious insiders,
countering serious threats to Australia’s border security, and
providing protective security advice to government and industry.
ASIO noted that foreign intelligence collection, the fifth key activity in its previous corporate plan, would be managed as a subset of countering espionage, foreign interference and malicious insiders.
ASIO noted its contribution to the 2017 Independent Intelligence Review.
ASIO reported that its organisational structure, launched in August 2015 and discussed in the Committee’s previous report, had proven to be ‘an effective and agile mechanism to utilise ASIO’s resources efficiently’. During the year, ASIO launched a new corporate governance structure to support its Executive Board.
2017 was ASIS’s 65th anniversary. Its submission included a strategic overview from the Director-General, outlining the internal reform initiatives progressed throughout the year. The Director-General noted that significant work was undertaken to assess ASIS’s future operating environment and that reforms continued with completion of the first phase of the Service’s business change program.
ONA reported no significant changes to its organisational structure during the reporting period, but noted that transitioning to the new Office of National Intelligence as recommended by the 2017 Independent Intelligence Review will require ‘significant expansion, with consequent impacts on legislation, staffing, structure and accommodation requirements’.
ONA’s Director-General provided an update on staffing and resources during the private hearing, noting that introduction of legislation was imminent.
ONA reported in its submission on its priority areas of work in 2016–17 and its progress against the priority areas identified in its Corporate Plan 2016‑20.
Defence Intelligence Agencies
The Defence Intelligence Agencies (DIAs) each outlined their strategic priorities and changes to organisational structures in their submissions. Much of the information provided was classified and cannot be included in this report.
Defence noted that the 2017 Independent Intelligence Review would have a significant impact on the DIAs, particularly ASD. Outside the reporting period, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 amended the IS Act to establish ASD as a statutory authority reporting directly to the Minister for Defence from 1 July 2018.
Defence advised that it had made substantial progress in delivering the 2016 Defence White Paper and implementation of the 2015 First Principles Review.
AGO noted that it had undergone ‘a highly successful period of expansion’ during the reporting period, driven by investment in GEOINT-related capabilities as a result of the White Paper and First Principles Review. This included recruitment and training, the integration of the Navy’s Australian Hydrographic Office into AGO, and a major project to provide enhanced commercial satellite imagery exploitation capability. AGO provided an update on its organisational structure and corporate governance arrangements.
DIO advised that, under its strategic plan, it remained well-placed to meet Defence requirements and, more broadly, the needs of the Australian Government, and provided details of its strategic priorities through the year. It noted that there had been no significant changes to its organisational structure.
ASD similarly updated the Committee on its strategic priorities, including changes to its organisational structure.
Pathways to change
The Pathway to Change: Evolving Defence Culture and Employment Pathways for [Australian Public Service] Women in the Department of Defence (Pathway to Change) strategy was announced in March 2012 in response to reviews into Defence culture. It provides ‘a clear commitment to shape Defence’s attitudes, systems and behaviours to improve capability and ensure the continued support of the Australian public’.
The DIAs updated the Committee on their activities under the Pathway to Change strategy through the reporting period, which included existing and new initiatives. The agencies supported and promoted participation in mentoring programs, ongoing training courses, women’s networking events, and other diversity and inclusion initiatives.
Human resource management and demographics
The Committee requested the intelligence agencies to provide an update on human resource management and demographics issues, as identified earlier in this chapter.
Information provided to the Committee regarding the staffing and management arrangements of each agency was mostly classified, however, where possible, these issues are discussed below.
Staff numbers and demographics
As at 30 June 2017, ASIO employed 1931 staff (1794.3 full-time equivalent (FTE)), up from 1876 staff (1746 FTE) a year earlier. This included 53 Senior Executive Service (SES) officers, 550 ASIO Executive Officer 1, 2 and 3 officers and 1328 other officers. 868 officers (45 per cent) were women, 324 came from a non-English speaking background, 12 identified as Aboriginal and Torres–Strait Islander, and 19 staff had a disability. Nearly 70 per cent of staff had five years of service or longer, with 37 per cent having ten or more years’ service. 1366 staff were Canberra-based, with 565 in other locations.
ONA had 167 employees at 30 June 2017 (including the Director-General), up from 140 a year earlier. This included 154 ongoing, 11 non-ongoing and two locally engaged staff. Approximately 45 per cent of ONA staff were female.
Staffing demographics information provided by ASIS and the DIAs was given classifications or Dissemination Limiting Markers, and cannot be published in this report. In broad terms, however, ASIS staff levels decreased slightly in 2016–17 after an increase the previous year. Staffing levels in each of the DIAs were varied at 30 June 2017, when compared to a year earlier, with decreases and increases reported.
Recruitment and retention strategies
ASIO’s staffing growth in 2015–16 continued during this reporting period with continuing funding from the ‘Enhancing security intelligence capabilities to counter the Islamist terrorism threat’ measure, first announced in August 2014.
Following reviews, ASIO implemented a series of changes to its graduate and trainee programs, and refined its advertising and marketing strategies. ASIO commented on the mixed success of its significant recruitment changes in 2015–16, noting that the continuous model of Intelligence Officer recruitment ceased in 2016–17 for resourcing reasons but that the Intelligence Analyst Development Program had been well received. ASIO attended 12 career fairs through the reporting period. In 48 recruitment activities in 2016–17, ASIO received 10 211 applications (compared with 12 997 in 2015–16 and 5462 in 2014–15).
ASIO provided additional information about its recruitment strategies and work being undertaken to anticipate future workforce requirements during the private hearing.
ONA’s Workforce Management Committee informs the agency’s strategic recruitment and workforce planning activities. ONA updated the Committee on the number of new employees in the reporting period and its overall growth in staff numbers, which has been an outcome of targeted recruitment in certain areas.
As in previous years, ONA noted the challenges presented by the lead time to recruit employees requiring a Positive Vetting security clearance and outlined the strategies used by the agency to manage operational requirements.
Four Defence Intelligence graduates undertook their external rotation with ONA through the year. An agreement was also established with the Department of Foreign Affairs and Trade for several graduates to undertake a rotation in ONA during 2018.
ONA noted that ‘the temporary transfer of staff from a variety of government departments and agencies continued to ensure ONA met its statutory responsibilities and provides a good balance between continuity and change’.
ASIS reported that it had continued recruiting across employment streams and that it had had considerable success with bulk recruitment campaigns to fill identified vacancies.
ASIS’s graduate program, known as ACTIVATE, again attracted high-calibre candidates across a range of university subject disciplines.
AGO reported an increased number of recruitment rounds in 2016–17, resulting in significantly more arrivals, including graduates, when compared with the previous year. While the number of recruitment rounds remained steady in DIO, the agency similarly reported an increased number of new arrivals in 2016–17. DIO noted the positive effect of recent recruitment activities upon retention rates within the agency.
ASD reported in its submission on strategies used to recruit and retain staff. ASD conducted 68 recruitment rounds in 2016–17, with 187 arrivals (compared with 99 in 2015–16). ASD recruited 40 graduates through the Defence Graduate Program.
Defence noted the implications of workforce competition and the ongoing challenges faced by agencies to ‘recruit, retain and train an agile workforce’, and outlined measures that have been implemented to address this issue at the private hearing.
The average separation rate across the APS for 2016–17 was 7 percent. Of these separations, 45.7 percent were attributed to resignation, 23.2 percent to age retirement, 25.8 percent to retrenchment, 2.4 percent to physical or mental incapacity and 2 percent to termination.
ASIO reported a separation rate of 5.26 percent at 30 June 2017, an increase from 4.44 percent in 2015–16. This consisted of 80 resignations, 10 age retirements, one retirement on invalidity grounds, and 67 ‘other’ separations.
ONA’s separation rate for 2016–17 was 15 percent (including moves to other APS agencies), a decrease on the previous year. Reasons for separation included resignation, retirement, completion of non-ongoing contract, return to home agency, termination and transfer to another APS agency.
ASIS and ASD reported an increase in staff turnover. AGO and DIO both reported a decrease in separation rates.
Training and development
All agencies reported on specific training and development activities undertaken during the reporting period, encompassing both corporate and operational activities.
ASIO reported that it approved or conducted 146 training courses, with 4256 face-to-face training activities attended by 1387 staff. Staff also completed 2839 mandatory and 1928 non-mandatory e-learning courses.
ASIO advised that its range of face-to-face courses included induction courses for new starters, officer safety and first aid training, foundational and advanced/refresher analytical and operational training, IT training, and management and leadership training.
ASIO identified a number of training initiatives in the reporting period, including improved identification of organisational resources, a new training continuum for technical staff, and significant improvements to existing training programs. Specific initiatives included:
a ‘Train the ASIO Trainer’ course,
a moderation process added to the existing Surveillance Officer Training Program,
an in-depth training needs analysis for staff working in technical areas, and
an online training evaluation toolkit.
ASIO’s Intelligence Development Program trains and assesses employees recruited to perform operational and analytical roles in ASIO. It comprises the Intelligence Officer Development Program (IODP) and the Intelligence Analyst Development Program (IADP). The IADP was introduced in 2017 following a pilot in 2016 to provide dedicated training and career progression for individuals seeking to specialise in intelligence analysis. ASIO noted that the IADP ‘also offers a career pathway for IODP participants who complete the foundational analytical training but either voluntarily withdraw from the IODP or are removed due to underperformance during the operational training’.
ONA reported that training in the reporting period included APS core skills and training in Information and Communications Technology (ICT), languages, leadership, and analysis related tradecraft, within its overall training budget of $362 000. Around 10 percent of this budget was spent on language training with 13 officers attending training either in-house or externally. 20 staff held recognised language qualifications as at 30 June 2017.
All Defence APS employees and Australian Defence Force personnel are required to undertake and maintain proficiency in a range of mandatory training courses. The DIAs each reported on the percentage of their staff attending the mandatory courses. As in previous years, the figures indicated that a significant majority, but not all, staff in each agency had completed the mandatory training.
Staff also participated in a range of specialist training courses, including language proficiency and National Intelligence Community training programs.
Individual performance management
All agencies reported on their arrangements for managing the performance of their employees.
ASIO reported that it had built on the reforms implemented in the previous year by formalising the requirement for managers and employees to hold performance discussions and agree on performance expectations at the beginning of the performance cycle on 1 July. ASIO noted that its focus during the 2016–17 performance cycle had been on educating staff on the performance process, with an emphasis on meeting cycle deadlines. All staff were compliant with performance management obligations.
Six ASIO staff members participated in formal underperformance management processes in 2016–17.
ASIO noted that its focus for 2017–18 would be on ‘the quality of the expectations discussions, educating and supporting managers and increasing proactive interaction with all employees regarding optimising performance’.
The DIAs noted that the performance of their APS employees was formally assessed twice a year as part of the Defence Performance Feedback Assessment and Development Scheme process, which is linked to performance progression payments. ASD advised that 91 percent of staff who participated had their performance progression approved. The balance were either denied for progression or not eligible on the basis that they were on probation, on leave, new starters, trainees, or recently promoted. For the other DIAs, the majority of staff denied progression were either newly promoted, graduates, or probationers.
Agencies provided information on the diversity of their workforces.
As with previous years, gender diversity was given a particular focus across the agencies. In June 2017, 59 percent of employees of the total APS were women. The proportion of women to men in the AIC, however, continued to be significantly lower. Agencies reported on a range of initiatives to address gender inequality in the AIC.
Women comprised approximately 45 percent of ASIO’s workforce on 30 June 2017, similar to the previous year. The number of female SES managers increased from 18 to 21 (or 40 percent) during the year. Around 53 percent of grade 1 to 6 ASIO officers and 16 percent of Information Technology Officers and Engineers were women, which was largely consistent with the previous year. Women represented 35 percent of staff at the ASIO ‘Senior Officers’ (equivalent to Executive Level 1 and 2) level.
ASIO advised during the private hearing that, in addition to gender diversity, there had been a focus over the previous 12 months on other areas of diversity and inclusion, which included establishment of staff-led diversity networks and a new diversity strategy.
Forty three percent of ASIS staff were female at the end of 2016–17. ASIS noted that through its Diversity in ASIS Committee, it ‘continued to improve its long-term approach to equity and diversity’. The Committee implemented a range of initiatives including unconscious bias training, a flexible working arrangements policy, development of a diversity and inclusion strategy, launch of a LGBTI network, and support for employees on long-term leave. It also hosted events including International Women’s Day and facilitated a number of speaker events.
ONA reported that it had made ‘significant gains’ on its diversity and inclusiveness goals, including updating its Diversity Action Plan, achieving its 2018 gender stretch target figure at the Executive Level 2 cohort (at 38 percent, compared with a target of 30 percent), making meaningful advances on its Indigenous goals and initiatives, and participating in Australian Network on Disability activities.
Achievements against ONA’s Diversity Action Plan included:
regular Diversity Working Group meetings, chaired by the Director-General,
establishing a Women’s Network, with male and female members across ONA,
assigning a Women’s Champion, Indigenous Champion, and Mental Health Champion,
maintaining a diversity portal on ONA’s intranet site,
reporting on Diversity Key Performance Indicators in ONA’s annual report,
Unconscious Knowledge and Bias training for all staff,
ongoing audits of selection reports to ensure recruitment gender equity and to educate panel chairs on potential unconscious bias,
promoting flexible working arrangements,
ongoing evaluation of gender demographics,
installation of Aboriginal and Torres Strait Islander flags,
development of a Reconciliation Action Plan, and
consultation and collaboration to recruit Indigenous staff.
The proportion of female staff members in the DIA’s in 2016–17 increased in AGO, remained stable in ASD, and decreased slightly in DIO.
ASIO reported that $291 661 was allocated to 34 employees for language capability development as part of the Language Skills in ASIO program (compared with $370 281 for 69 employees across 21 languages in 2015–16). ASIO Language Capabilities delivered various courses and seminars to a broader ASIO and AIC audience.
ONA noted that 20 staff held recognised language qualifications. Around 10 percent of ONA’s training budget was spent on language training.
Further information in relation to language skills cannot be published due to classifications or Dissemination Limiting Markers.
Staff feedback and complaints
The ASIO Ombudsman is an external service provider ‘who works to resolve staff issues or concerns impartially and informally, through advice, consultation and mediation’. In 2016–17, the ASIO Ombudsman provided advice and guidance in response to 23 informal contacts from staff; carried out four investigations relating to ASIO’s Code of Conduct; provided formal advice based on investigation into one additional matter; and provided assistance in relation to an IGIS inquiry.
ASIO reported that two public interest disclosures were allocated for investigation in 2016–17. Two disclosures were allocated to the Human Resources Branch ‘for investigation under another authority’.
ASIS’s Ombudsman undertook two formal reviews during the reporting period. There were no other investigations or staff complaints, and the agency had no internal public interest disclosures during the year.
ASIS noted that its staff grievance procedures, required by section 37 of the IS Act, were reviewed and updated in June 2017. These procedures provide an employee with the ability to seek a review of any ASIS action that relates to their ASIS employment. The procedures focus on attempting informal resolution where possible, with more formal processes available where a successful outcome cannot be reached. ASIS noted that the Office of the IGIS is also able to review the handling of grievance matters.
ONA had two complaints of unacceptable behaviour that were handled in accordance with ONA’s Unacceptable Workplace Behaviour Instruction. ONA had no public interest disclosures during the reporting period.
Defence requires all complaints of unacceptable behaviour involving Defence personnel or contracted staff to be recorded in the ‘COMTRACK’ database by a complainant’s manager. The DIAs noted that while responsibility for resolving complaints rests with the manager or supervisor of the complainant, agency heads are provided with reports to allow them to monitor unacceptable behaviour in their agency.
AGO noted several internal and external mechanisms for employee feedback and complaint resolution, including:
Workplace Consultative and Safety Management Committee,
Defence Complaints Resolution Agency,
Inspector-General Branch of Defence,
Merit Protection Commission,
Fair Work Commission, and
public interest disclosure scheme.
DIO similarly noted the range of internal and external options available to staff.
The DIAs provided details about complaints of unacceptable behaviour, alleged breaches of the APS Code of Conduct, Review of Action applications, cases lodged with the Fair Work Commission, and public interest disclosures during the reporting period.
ASD reported that it had three recorded complaints of unacceptable behaviour, all of which were substantiated with informal resolution and management action. Two Review of Action applications were received, with the original decision confirmed in both cases. Seven public interest disclosures were made and finalised during the reporting period.
Complaints to the Inspector-General of Intelligence and Security
Under the Inspector-General of Intelligence and Security Act 1986, the IGIS may receive and inquire into complaints in respect of actions taken by intelligence agencies, including in relation to disclosures under the Public Interest Disclosure Act 2013.
The IGIS received eight complaints and public interest disclosures about the DIAs in 2016–17, primarily relating to employment related matters including recruitment, security clearances and alleged bullying. The IGIS noted that four cases warranted investigation by the IGIS or were referred to Defence for investigation, with Defence agreeing ‘to make changes to relevant recruitment advice, handling of certain records, advice to employees and advice to disclosers’. A written apology was issued by Defence to one person about an employment related matter.
For ASIO, the IGIS received 253 complaints about security assessments for visa and citizenship applications (compared with 118 in 2015–16) and 34 other complaints about ASIO, including two public interest disclosures, all of which were investigated.
The IGIS received five complaints about ASIS including two public interest disclosures, all relating to individual employment or recruitment related matters.
The inspection and inquiry-related activities of the IGIS during the reporting period are summarised later in this chapter.
Agencies updated the Committee on accommodation arrangements. Most advice was either classified or given Dissemination Limiting Markers so cannot be discussed in this report.
ASD noted two major projects, which were discussed in the Committee’s 2015–16 report: relocation of the Australian Cyber Security Centre (ACSC), which was approved by the Parliament on 31 March 2017, and the R5/6 Infrastructure Upgrade Project for ASD’s headquarters, which was approved by the Parliament on 14 June 2017. The ACSC was officially opened by the then Prime Minister on 16 August 2018.
ASIO reported that the corporate suites in the Ben Chifley Building, which include Australia’s largest security-accredited auditorium, received more than 5000 visitors in 2016–17.
Security functions within the AIC agencies encompass physical, technical, administrative, ICT and personnel security.
The Committee’s review of security matters included security policies and procedures, security training, security breaches, e-security arrangements, and security clearances.
Much of the evidence on security matters was classified. However, the Committee notes that throughout 2016–17, safeguarding initiatives, and security enhancements and improvements continued to be implemented across the AIC.
Activities undertaken by agencies during 2016–17 included:
upgrading facilities and systems,
physical and technical security audits,
reviewing and updating internal security policies, procedures and risk management frameworks,
staff awareness and security training,
implementation of continuous assessment approaches to personnel security,
improved physical security arrangements, and
inter-agency forums on security best practice.
Security policies and awareness
ASIO’s Security Committee provides advice to the Executive Board on ‘the evolving security environment and matters relating to the security of our operational activities, people, property and information technology’.
ASIO advised that in the reporting period, it had:
reviewed and updated policies and procedures to reflect changes in broader government policy and ASIO’s risk environment,
provided staff with security awareness training at commencement and regular intervals,
conduced annual reviews of staff clearances,
provided mechanisms for staff to report security incidents or concerns, and
supplemented physical security arrangements at ASIO headquarters.
In terms of e-security, ASIO reported that it continually works to manage and mitigate identified security risks to its ICT systems, including by strengthening these systems against trusted insider and external threats and through auditing of all activities.
Other agencies also reported on mitigation and safeguarding initiatives.
Agencies reported on the number and nature of security breaches reported in 2016–17 and any action taken as a result of the breach(es). Agencies also reported on internal and external risk mitigation strategies employed to protect information of national security significance. While the Committee cannot report any details concerning security breaches, the Committee notes that none of the breaches were identified as having resulted in a loss or compromise of national security classified material.
Personnel across the AIC are required to secure and maintain an appropriate security clearance to perform their roles.
As part of its review, the Committee sought evidence from agencies about current procedures, timelines, delays and any associated outsourcing arrangements. Agencies reported on these matters in their submissions and in classified evidence to the Committee.
In its submission, the Department of Defence provided an update on:
timeframes for obtaining security clearances through the Australian Government Security Vetting Agency (AGSVA),
reform efforts to improve timeframes for Positive Vetting clearances, and
a project to replace the existing eVetting system.
Defence informed the Committee as to when the backlog for new Positive Vetting clearances was expected to be cleared, after which it was anticipated that new clearances would be processed within benchmark timeframes. Defence representatives also provided an update during the private hearing.
The DIAs advised that they were continuing to work with AGSVA on Positive Vetting clearance processing and prioritisation, and noted that prioritisation of these clearances had allowed strategic positions to be filled more quickly than the general average.
ASIO, ASIS and ONA conduct their own security vetting processes.
ASIO reported on its processes and priorities for initial clearances and provided an update on clearance timeframes.
ONA reported in its submission on procedural changes to its vetting processes during the reporting period as well as timeframes for initial clearances and revalidations, which were affected by the increase in staff numbers. These matters were discussed further at the private hearing.
ASIS similarly provided an update on initial clearance and revalidation timeframes, and details of risk management processes in its submission, and elaborated on some of these issues during the private hearing.
Some agencies referred to their involvement with the Inter Agency Security Forum and the establishment of a continuous assessment model for security clearances. Agencies also noted the establishment of workforces within their organisations that are cleared to lower levels.
Oversight, accountability and performance evaluation
The Committee requested that agency submissions address performance management and accountability, including any outcomes relevant to administration and expenditure for the reporting period.
There are a number of internal and external oversight and accountability mechanisms in place for each of the intelligence agencies to provide assurance to the Australian public of the legality and propriety of their activities. These mechanisms include:
Ministerial and parliamentary accountability,
for ASIO, the Independent Reviewer of Adverse Security Assessments.
Agencies also regularly undertake, or are subject to, formal evaluations of their performance.
Ministerial authorisations and section 13B notices
Section 8 of the IS Act requires AGO, ASD and ASIS to obtain ministerial authorisation in order to undertake an activity for the purpose of producing intelligence on an Australian person or an activity that will, or is likely to, have a direct effect on an Australian person. The Minister specifies, in the form of a written direction, circumstances in which agencies must seek authorisation before undertaking other activities or classes of activities.
The Committee asked the relevant agencies to report on the number of ministerial authorisations issued (including class authorisations) and the number of activities undertaken under a ministerial authorisation, categorised by type.
AGO, ASD and ASIS provided information about the number of ministerial authorisations issued in the three years to 2016–17. The number of ministerial authorisations is classified and cannot be reported by the Committee.
Section 13B of the IS Act enables ASIS to support ASIO by undertaking an activity or series of activities to produce intelligence on an Australian person or class of Australian persons without ministerial authorisation. ASIS reported on the number of section 13B notices received from ASIO in the three years to 2016–17. The number of section 13B notices is classified and cannot be reported by the Committee.
The Committee sought additional information about ministerial authorisations and section 13B notices during a private hearing.
ONA undertakes performance evaluations of the AIC collection agencies’ foreign intelligence collection activities (ASD, AGO, ASIS and ONA’s Open Source Centre).
ONA noted that it uses both qualitative and quantitative indicators to measure its own performance. It collects performance information through customer and stakeholder surveys, close liaison with the Prime Minister’s office and the offices of other Ministers and their departments, and capturing the outcomes of evaluation of ONA’s statutory independence by the IGIS. ONA’s performance is reviewed annually by the Department of the Prime Minister and Cabinet. ONA also conducts regular internal reviews of its analytical and resource management objectives and performance, including ‘key judgment reviews’ on a six-monthly basis.
ASIO noted that, as required by the PGPA Act, it prepares annual performance statements that provide an assessment of performance against its Corporate Plan key activities. An unclassified version of the performance assessment is included in ASIO’s annual report.
Inspector-General of Intelligence and Security
The IGIS is an independent statutory office holder with responsibility for reviewing the activities of the AIC agencies. The IGIS’s purpose is
to provide assurance that each intelligence agency acts legally and with propriety, complies with ministerial guidelines and directives, and acts consistently with human rights.
The IGIS may also, at the request of the Prime Minister, inquire into an intelligence or security matter relating to any Commonwealth agency.
The Hon Margaret Stone held the position of IGIS throughout the reporting period.
The Committee sought a submission from the IGIS on any issues of administration and expenditure arising during the IGIS’s inspection and inquiry activities. The IGIS appeared at a private hearing, during which the Committee sought additional information on inquiries and other inspections conducted during the reporting period.
Agencies also informed the Committee about their interaction with the IGIS and her office throughout the reporting period.
At the time of her submission, the office of the IGIS had 15 staff. The IGIS noted the difficulty in providing adequate oversight with this number of staff and welcomed the outcomes of the 2017 Independent Intelligence Review, which recommended that her office be allocated additional resources to enable it to sustain a full-time staff of around 50. The IGIS noted that with these additional resources, she will be able to provide much greater assurance to Ministers, the Parliament and the public ‘that intelligence and security matters are open to scrutiny’.
The Appropriation Act (No. 3) 2017–18, which received Royal Assent on 28 March 2018, increased the IGIS’s Budget appropriation from $3.182 million to $15.222 million.
The Inspector-General provided additional information on current recruitment processes, expected staffing and accommodation arrangements during a private hearing. The Inspector-General also outlined the work being undertaken by her office in anticipation of the introduction of legislation to expand her remit to the ten national intelligence community agencies.
The IGIS conducted a major inquiry into certain actions of ASD, which found that ASD ‘had relied on incorrect legal advice in determining the parameters governing its interception of certain telecommunications’. The IGIS advised that the inquiry also found inadequacies in ASD’s reporting of problems to the IGIS and Ministers. The IGIS made five recommendations, which were all accepted by ASD.
In 2016–17, the IGIS conducted an inquiry into the analytic independence and integrity of DIO. The inquiry followed similar inquiries in 2008 and 2013 and ‘critically examined elements of the report production process directed to ensuring that reports meet the required standards of independence and integrity’. The inquiry found some room for improvement in consistent recording of the basis for assessments, but noted significant improvements in DIO processes since the previous inquiry.
The IGIS conducted a fourth inquiry into the analytic independence of ONA during the reporting period, finding no evidence of interference with the independence of ONA assessments. The IGIS stated that ONA observes appropriate procedures, and its policies and practices encourage contestability. It also has an appropriate structure for critically reviewing key judgements made in assessments.
Regular inspections of agency records continued throughout the reporting period. The IGIS noted in her submission the impact that resourcing levels at the time had had on her inspection work:
The Inspector-General assesses risk and allocates staff resources accordingly but current resourcing only allows for review of a small proportion of the agencies’ activities. For example during the ASD inquiry it was necessary to suspend all Defence inspections and to reduce the ‘team’ overseeing ASIS to one person.
The IGIS’s unclassified submission contained an overview of the IGIS’s inspection program for 2016–17 and her findings in relation to each agency. Additional information is also available in the IGIS’s annual report, where the Inspector-General noted that:
We have continued the development of our inspection program to target high risk areas, focusing on in-depth investigations rather than the breadth of the inspection program. In addition we have paid considerable attention to compliance with privacy rules applicable to ASIS, ASD and AGO and, in this time of interest in dual citizenship, the difficulty of determining who is an “Australian person” as defined in section 3 of the Intelligence Services Act 2001.
Independent Reviewer of Adverse Security Assessments
ASIO furnishes security assessments to Commonwealth agencies in accordance with the ASIO Act. A security assessment may be adverse, qualified or non-prejudicial.
The role of the Independent Reviewer of Adverse Security Assessments (the Independent Reviewer) is to:
Review ASIO adverse security assessments (ASAs) given to the Department of Home Affairs in relation to people who remain in immigration detention and have been found to:
engage Australia’s protection obligations under international law,
not be eligible for a permanent protection visa, or who have had their permanent protection visa cancelled.
Mr Robert Cornall AO continued as the Independent Reviewer throughout the reporting period.
The Independent Reviewer examines all material relied on by ASIO in making a security assessment, as well as other relevant material, and forms an opinion as to whether the assessment is an appropriate outcome. The Reviewer provides recommendations to the Director-General of Security, who must respond to the Reviewer and may determine whether to take action if he agrees with the Reviewer’s opinion.
ASIO advised that, as at 1 July 2016, four matters remained within the Independent Reviewer’s jurisdiction and that no new matters arose during the year. The four cases, which comprised two periodic reviews and two primary reviews, were finalised in 2016–17. ASIO reported that:
Each periodic review was deferred, with the agreement of the applicant’s solicitors, until ASIO had completed an internal review. In each case ASIO provided a qualified security assessment in relation to the applicant.
The Independent Reviewer disagreed with ASIO’s assessment in both primary reviews. Following consideration of ASIO’s own internal review and the Independent Reviewer’s report, a qualified security assessment was furnished by the Director-General of Security for both applicants.
Independent National Security Legislation Monitor
The Independent National Security Legislation Monitor (INSLM) is appointed under the Independent National Security Legislation Monitor Act 2010 on a part time basis for a term of up to three years. The INSLM
independently reviews the operation, effectiveness and implications of national security and counter-terrorism laws; and considers whether the laws contain appropriate protections for individual rights, remain proportionate to terrorism or national security threats, and remain necessary.
Following the resignation of the then INSLM, the Hon Roger Gyles AO QC, on 31 October 2016, Dr James Renwick SC was appointed Acting INSLM on 24 February 2017. Dr Renwick’s appointment was confirmed on 24 August 2017.
The INSLM tabled two reports during 2016–17:
Independent National Security Legislation Monitor Annual Report 2016–17 – 4 December 2017, and
Certain Questioning and Detention Powers in relation to terrorism – 8 February 2017.
The INSLM’s statutory reviews into stop, search and seizure powers; control orders; preventative detention orders; and declared areas were progressed during the reporting period, with the INSLM’s reports presented to the Prime Minister on 7 September 2017.
The Committee requested agencies address public relations and/or public reporting in their submissions, including requests for public access to records.
ASIO noted that its Director-General and Deputy Directors-General undertake public outreach through media responses, public speeches, appearances at parliamentary hearings and select public seminars or conferences. The media is able to contact ASIO directly through a publicly listed media contact number and email address.
ASIO noted the release of the third and final volume of ASIO’s history, The Secret Cold War: The Official History of ASIO 1975–1989 during the year.
ONA noted that its relationship with the general public extended to promulgation of information on its unclassified website. The number of visitors to its website decreased during 2016–17. ONA contributed to a number of published reports and responded to Senate Orders and parliamentary questions.
ASD reported that it responded to seven media inquiries and that the ACSC responded to 20 media inquiries during 2016–17.
ASD coordinated and hosted the 2017 ACSC Conference, which attracted over 1400 delegates from Australia and 28 other countries, and included 100 speakers and 75 sponsors/exhibitors. ASD reported that the event was an ‘overwhelming success’ that is now established as the largest cyber security themed conference in Australia.
ASD continued to promote ICT security awareness through engagement with Australian government stakeholders, State and Territory governments, and the Australian community more broadly. It also participated in public cyber security forums, workshops and presentations throughout 2016–17.
ASD updated and/or released publications relating to ICT security. These publications included its ‘world-leading’ technical guidance Strategies to Mitigate Cyber Security Incidents, the companion guides Essential Eight Explained and Essential Eight Maturity Model, and the ACSC Threat Report 2016.
DIO reported that it did not undertake any media liaison or public engagements during the reporting period. It published one document, Defence Economic Trends in the Asia-Pacific in 2016, to the Defence internet site.
Requests for access to public records
Agencies continued to cooperate with requests for public access to agency records, balancing the right to access public records with the need to protect certain information from disclosure.
Requests for access to ASIO records remained steady in 2016–17, with 484 applications made and 478 requests completed. This compared with 473 requests for record access in 2015–16 and 790 requests in 2014–15.
Under section 42 of the Archives Act 1983, a decision regarding the release of a document can be reviewed (known as an ‘internal reconsideration’). In 2016–17, four internal reconsiderations were processed in relation to ASIO, with ASIO’s decisions upheld by the National Archives of Australia (NAA). One appeal to the AAT, which was ongoing at the end of the last reporting period, was dismissed on 2 September 2016.
Other agencies also reported on public access requests.
ASD received 40 public access requests, with 14 requests completed during the reporting period and seven requests completed in early 2017–18. Of these requests, ASD agreed that four be released as the material was no longer regarded as sensitive, seven be released with redactions, and three be exempted.
ASD was consulted by the NAA in relation to one internal reconsideration case. Following review, ASD requested that the original advice be maintained. It was also consulted on one AAT matter where it had no objection to the release of selected documents from one record.
Of the nine outstanding requests from the previous year, ASD reported that seven were finalised. ASD agreed that one record be released as the material was no longer considered sensitive and that six records be released with redactions.
ASD reviewed 18 cabinet records from the 1994–95 period and agreed to the release of nine records, with the remaining nine released with redactions.
AGO received one request for public records during the reporting period, which was denied.
DIO noted that that it received 125 referrals to examine classified material during 2016–17 and completed 164 cases. This included providing agency advice on the draft manuscript for ‘The Official History of Australian Peacekeeping Operations Volume 1’.
DIO reported that it had worked with Defence stakeholders, AIC agencies and other government departments to implement a governance framework for the provision of Commonwealth records to the Australian War Memorial’s Official History of Australian Operations in Iraq and Afghanistan and Peacekeeping Operations in East-Timor. The project’s authors have been granted special access to records from 1998 to 2014, including classified information. DIO reported that:
Due to the recent and sensitive nature of the material being requested by the authors, as well as Australia’s ongoing involvement in these conflicts, DIO has diverted resources from processing routine access examination requests to identify and provide applicable material to the project, while maintaining appropriate information security. DIO has also engaged ADF reserve personnel to manage some of the increased workload.
The Committee has reviewed the administration and expenditure of the six intelligence agencies for the 2016–17 financial year and is satisfied that agencies are overseeing their administrative functions effectively.
Agencies continued to focus on workforce management during the reporting period. A key focus was recruiting, retaining and training staff, especially in difficult to fill roles. The length of time required to obtain a Positive Vetting security clearance remained an issue for some agencies. The Committee was updated on the continuing impact of delays in the finalisation of security clearances and strategies that are being utilised to improve timeframes and bring staff into agencies more efficiently.
The Committee notes the work that is being undertaken by the Australian Government Security Vetting Agency to clear the backlog of clearance requests and return to benchmark timeframes for Positive Vetting clearances. The Committee will continue to monitor this issue in its future reviews.
Overall, the Committee has not identified any areas of concern within the six intelligence agencies and considers that the administration of the agencies is conducted appropriately.