Chapter 2

Annual report compliance, financial performance, and Ombudsman's findings

This chapter summarises annual report compliance requirements and assesses the ACIC against them. It provides an overview of the ACIC activities and priorities, changes to its senior management committees, financial performance, and notable findings from the Commonwealth Ombudsman.

Annual report compliance

ACC Act requirements

The ACIC annual reports must comply with requirements specified in section 61 of the ACC Act. Subsection 61(2) requires that annual reports include the following:
'a description of any investigation into matters relating to federally relevant criminal activity that the ACC conducted during the year and that the Board determined to be a special investigation;
a description, which may include statistics, of any patterns or trends, and the nature and scope, of any criminal activity that have come to the attention of the ACC during that year in the performance of its functions;
any recommendations for changes in the laws of the Commonwealth, of a participating State or of a Territory, or for administrative action, that, as a result of the performance of the ACC’s functions, the Board considers should be made;
the general nature and the extent of any information furnished by the CEO during that year to a law enforcement agency;
the general nature and the extent of any information disclosed by the CEO during that year to a body corporate under section 59AB;
the extent to which investigations by the ACC have resulted in the prosecution in that year of persons for offences;
(ea) the extent to which investigations by the ACC have resulted in confiscation proceedings;
particulars of the number and results of:
applications made to the Federal Court or the Federal Circuit Court under the Administrative Decisions (Judicial Review) Act 1977 for orders of review in respect of matters arising under this Act; and
other court proceedings involving the ACC;
being applications and proceedings that were determined, or otherwise disposed of, during that year'.1

PGPA Act requirements

As a Commonwealth entity, the ACIC must comply with the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which requires Commonwealth entities to provide an annual report to the entity's responsible minister for presentation to the Parliament on the entity's activity during the reporting period,2 and the Public Governance, Performance and Accountability Rule 2014.3
Under the PGPA Act, Commonwealth entities are required to prepare annual performance statements and include a copy of these statements in their annual reports tabled in Parliament.4 The ACIC's annual performance statement appears in section 2 of the annual report.5

Committee comment

Based on the committee's assessment, the ACIC's 2017–18 annual report meets both the ACC Act and PGPA Act requirements. However, while the annual report clearly indicates in a table in Appendix A where each of the PGPA requirements has been met, the requirements of Section 61(2) of the ACC Act have not been clearly identified as addressed. The ACIC could consider, in future annual reports, including a statement or table which also sets out that each of the ACC Act requirements have been met.

Overview of ACIC activities and priorities 2017–18

The annual report sets out a summary of the ACIC activities and priorities for 2017–18. Some of the ACIC's activities included:
produced 172 analytical products;
discovered 98 previously unknown targets;
added eight targets to the Australian Priority Organisation Target List (APOT);
released key drug, criminal target, and serious financial crime reports;
helped to disrupt four APOT targets and 22 criminal entities, seize more than $3.5 billion worth of drugs, and arrest 191 people;
provided 16 systems that helped its partners prevent, detect, and reduce crime;
delivered six new or enhanced systems that increase capability of partners; and
shared 2162 information and intelligence products with stakeholders.6
The priorities listed in the annual report outline the strategic areas in which the ACIC focused its resources: strategic intelligence, international threats, operations and investigations, and national information and intelligence sharing services.7

Senior management committees restructure

The structure of the ACIC senior management committees has undergone a series of changes over the 2016–17, 2017–18, and 2018–19 years. Analysis of the annual reports shows that the following committees were introduced in 2017—18:
Strategic Investments – plans future capability of the agency;
Organised Crime Management – makes decisions about the organised crime and intelligence work program; and
Corporate – reviews organisational health and effective function.
Two committees operating in 2016–17 were removed or replaced in 2017–18:
Resource and Governance; and
Operations Management.
In 2018–19, the Strategic Investments Committee was removed, along with the Situation Report and Strategy Meeting and the Human Source Management Committee.

Committee comment

The committee acknowledges the ACIC continued work in reviewing and improving its functions and organisational structure to ensure effectiveness. A short explanation on the rationale behind committee changes would be welcome. It is unclear whether the two supporting groups that worked to the Organised Crime Committee in 2017–18 were abolished in 2018–19, if they were relocated, or if the latest annual report has simply streamlined its diagrammatic representation of committees.

Staff retention and turnover

The annual report provides statistics about the ACIC staffing profile such as staff retention, and gender and workplace diversity. A comparison of the 201617, 2017–18, and 2018–19 average staffing levels, staff turnover and retention rates is provided in Table 2.1.
The average staffing level during the 2017–18 year comprised 749.06 APS employees plus 17 secondees funded by the ACIC and 14 secondees funded by jurisdictions (a total of 780.06).8 The average core staffing level throughout 2016–17 (calculated at 30 June 2017) was 781.69.9
According to the annual report, a total of 130 staff left the agency over the 2017–18 year. Of these, 50 staff resigned and 25 were external transfers. Other reasons included moving to another APS agency (23 people), retirement (10 people), redundancies (11 people), and completing non-ongoing contracts (6 people).10 The retention rate for the 2017–18 year was 87.3 per cent.11 This is very slightly down from last year's 88.9 per cent.12 The ACIC's retention rate in 2018–19 year declined to 80.9 per cent.13 For the 2018 calendar year, the APSwide retention rate was approximately 84.5 per cent on average.14
Table 2.1:  Comparison of the ACIC retention and turnover rates
Average core staffing level
No. of staff turnover
Retention rate (%)
Source: ACIC, Annual Report 2016–17, pp. 189 and 198; ACIC, Annual Report 2017–18, pp. 172 and 179; ACIC, Annual Report 2018–19, pp. 88 and 98.

Committee comment

If retention rates are calculated on an annual basis they are able to provide some measure of stability in a workforce. However, they do not provide a holistic picture of movement as they omit departures of employees who left within the period being tracked. Providing a turnover rate in addition to a retention rate provides better transparency by defining how many employees left the agency within the year. Many agencies use attrition rates in their annual reports which fail to account for involuntary movements as well as voluntary. The committee commends the ACIC for providing detailed information that facilitates external scrutiny and analysis by breaking down staff movement to a greater degree.
The committee notes that the ACIC staff turnover rate increased and the retention rate decreased in the year subsequent to the period under examination—that is, 2018–19. The reasons for these changes, the effectiveness of any response by the ACIC to the changes, and whether there is any cause for concern, may be considered by the committee in its examination of the ACIC 2018–19 annual report.

Workplace diversity

Overall, the ACIC gender balance was relatively equal between men (399) and women (390) in the 2017–18 period (two additional staff were indeterminate). However, there is a clear under-representation of women at more senior levels and in the leadership positions. At the EL1, EL2, and SES levels, there were 134 more men than women (264 men and 130 women),15 and of the 20 people who made up the ACIC Executive, only six were women.16 This imbalance has been an ongoing and relatively unchanged feature of the ACIC, as is apparent in the three years of data presented below in Table 2.2.
Table 2.2:  Gender balance progress at the ACIC
Percentage of women in organisation
Percentage of women at EL and SES levels
Percentage of women at APS 1–6 levels
Source: ACIC, Annual Report 2016–17, pp. 192 and 257; ACIC, Annual Report 2017–18, pp. 175 and 238; ACIC, Annual Report 2018–19, pp. 91 and 148.

Committee comment

Agencies such as the ACIC must continue to work to address gender inequality through the development, implementation, and evaluation of targeted strategies. The 2016–17 and 2017–18 annual reports outline the degree of gender imbalance present in the ACIC and note that the agency's Diversity and Inclusion Sub-committee had been working to develop and implement a Gender Action Plan 2017–19. The committee commends the agency on developing its action plan and on its work implementing the plan to date. The committee suggests that the ACIC should give consideration to making a copy of the Gender Action Plan 2017–19 publicly available. Progress against the plan might also be tracked in future annual reports.

Cultural diversity

In 2017–18, 15.9 per cent of ACIC employees identified that Australia is not their country of birth and 14.79 per cent speak English as a second language.17 In the 2016–17 year, these figures were 22.8 and 8.3 per cent respectively.18 Table 2.3 provides a comparison across the 2016–17, 2017–18, and 2018–19 years and shows that rates of cultural diversity at the organisation have been relatively stable.
Table 2.3:  Comparison of cultural diversity data
No. of staff born overseas (%)
No. of staff who do not speak English as a first language (%)
Indigenous rate (%)
No. of staff from a non-English speaking background
Source: ACIC, Annual Report 2016—17, p. 193; ACIC, Annual Report 2017—18, p. 176; ACIC, Annual Report 2018—19, pp. 92—93.
The rate of Indigenous employment rose marginally from the previous year; in 2016–17, 1.2 per cent of the ACIC's employees identified as Indigenous19 while the rate in 2017–18 was 1.64 per cent.20 Indigenous people are underrepresented in the ACIC relative to the proportion of people in Australia who identify as Indigenous. According to the Australian Bureau of Statistics, the estimated Aboriginal and Torres Strait Islander population of Australia as at 30 June 2016 was 3.3 per cent of the Australian population.21
The ACIC launched its Reconciliation Action Plan (RAP) 2018–20 in April 2018. The plan outlines how the agency will contribute to reconciliation and increasing awareness and understanding of Aboriginal and Torres Strait Islander culture. The ACIC has a RAP working group that meets monthly to progress actions and develop future RAPs. During 2017–18, the ACIC also commissioned Indigenous artwork for its offices, participated in Aboriginal and Torres Strait Islander development—a graduate program—and the Jawun secondment program, among other things.22 It also held its inaugural Indigenous Employee Forum to generate ideas on how the agency can support Indigenous staff.23

Committee comment

The committee acknowledges the steps undertaken by the ACIC to participate in reconciliation and notes that a copy of the RAP 2018–20 is available from the ACIC website. The committee commends the agency for its comprehensive RAP and the work it has carried out to date in implementing the plan. The committee looks forward to seeing the results of the ACIC RAP 2018–20. The committee notes that the ACIC rate of Indigenous employment appears to be stable rather than improving and acknowledges the difficulty in accurately capturing data on cultural diversity due to reliance on self-disclosure by staff. The committee suggests that ACIC also consider providing a breakdown of Indigenous staffing by classification level in its annual reports to enable comparison against broader APS-wide trends.


The last three financial years indicate a slight downward trend in disability employment levels at the ACIC. In the 2016–17 year, 2.7 per cent of ACIC employees identified as having a disability,24 in 2017–18 this figure was 2.4 per cent,25 and in 2018–19 this figure was 2.1 per cent.26 The ACIC Diversity and Inclusion Sub-committee worked to develop and implement a 2017–19 Diversity Action Plan that focuses on people with disability.27 The agency also renewed its membership to the Australian Network on Disability to develop strategies to improve workplace inclusivity for employees and stakeholders with disability.28

Committee comment

The committee acknowledges the ACIC's efforts developing and implementing a 2017–19 Diversity Action Plan that focuses on disability. The ACIC's 2018–19 annual report provides details on how the action plan is being used to change attitudes and remove barriers to improve workplace inclusivity. The committee suggests that the ACIC consider making a copy of the plan publicly available and tracking progress against targets in future annual reports.

Internal audits and risk management

The ACIC internal audit team is responsible for auditing organisational and operational systems and processes, monitoring implementation of audit outcomes, and developing business improvement opportunities to enhance effectiveness and efficiency in all business areas.29 The team is accountable to the CEO and the Audit Committee which sets out annual work plans and reviews progress of internal and external recommendations.
In 2017–18, the ACIC internal audit team examined the following areas:
management of research data and information;
management of operational equipment and exhibits;
compliance with record-keeping and policy requirements; and
covert arrangements.30
The ACIC Audit Committee is also responsible for risk oversight and management, including monitoring internal controls and fraud and corruption prevention activities.31 During 2017–18, the ACIC:
implemented a revised risk management policy and supporting procedures;
completed the Comcover risk benchmarking exercise to assess the maturity of its current approach and guide further development;
strengthened its management of work health safety risks, including the risks associated with our operational activities;
focused on approaches to improving risk culture and understanding at all levels; and
participated in multi-agency risk forums and consulted with partner agencies on best practice approaches to managing risk.32

Committee comment

The committee acknowledges the work of the ACIC in regularly monitoring, reviewing and improving its systems and processes. The committee suggests that the ACIC provide an overview or summary of the outcomes of the audit team's examinations in future annual reports to improve transparency and facilitate the committee's examination of the ACIC's function and performance.

Protective Security Policy Framework

The Australian Government developed the Protective Security Policy Framework (PSPF) to assist government agencies to protect their people, information and assets. The PSPF applies to all non-corporate Commonwealth entities (NCCEs) that are subject to the PGPA Act, including the ACIC. For the 2017–18 period, the PSPF mandated 36 security requirements. Full PSPF compliance was only reported by 40.43 per cent of NCCEs in 2017–18. On average, NCCEs reported compliance with 92.17 per cent of the PSPF's requirements (equivalent to 33.2 of the 36).33 The report does not break down compliance by agency. The Attorney-General's Department compliance report for the period notes that, of the four focus areas for protective security, information security remains an ongoing challenge.34
In 2017, an agency-wide security threat and risk assessment was developed, which identified operational and strategic risks and proposed measures to mitigate current and emerging security risks facing the agency. During the 2017–18 year, the ACIC undertook considerable work to implement recommendations identified in the assessment.35 In 2017–18, the ACIC incorporated IT Security into its Security and Integrity section 'to enable a more holistic understanding of our agency’s security landscape'.36 The annual report advises that the ACIC security team continues to work towards meeting the requirements of the PSPF.
The ACIC internal security incident reporting mechanism enables all staff to report security incidents. A total of 85 security incidents were reported in 2017–18. This included 19 incidents within the PSPF definition of a security breach, which is an accidental or unintentional failure to observe the protective security mandatory requirements. The majority of security incidents reported were of a low level and occurred within secure ACIC premises.

Committee comment

The committee notes that the ACIC is continuing to work towards meeting PSPF requirements. More information on the status of its work as well as how the ACIC follows up on security breaches in order to prevent recurrence would be welcome.

Misconduct, fraud and corruption activity

The ACIC Integrity Assurance team works to report, prevent, detect and investigate suspected breaches of the Australian Public Service Code of Conduct, internal fraud, and corruption within the agency. During the year, the team investigated 19 referrals. By the end of June 2018:
13 of the referrals were deemed not to require a formal investigation following an assessment or preliminary investigation; and
six referrals were investigated under procedures established by the ACIC in accordance with section 15(3) of the Public Service Act 1999.37
During 2017–18, the Integrity Assurance team received no allegations of fraud, however, it received five allegations of corruption. Three of these allegations were referred to the Australian Commission for Law Enforcement Integrity, one was referred to the New South Wales Police Force, and one was awaiting an ACLEI referral pending legal advice at the time of reporting.38
The number and results of misconduct, fraud and corruption allegations investigated by the ACIC is provided in Table 2.4. A comparison to the 2018―19 year was not possible due to lack of information in the ACIC annual report. It is unclear whether the lack of information means there were no referrals during the period, whether the agency was unable to provide figures for a reason, or whether it is an oversight.
Table 2.4:  ACIC misconduct, fraud and corruption allegations investigated during the period
External referrals
Internal referrals
Open at time of reporting
Source: Adapted from ACIC, Annual Report 2016–17, p. 178; ACIC, Annual Report 2017–18, p. 162.
In 2017–18, the ACIC updated its fraud and corruption detection program following a risk assessment process. The agency targeted identified high-risk activities, updated its integrity-related policies and procedures, and provided all staff with an Ethics and Integrity Handbook.39

Committee comment

The committee notes a lack of misconduct, fraud and corruption information in the 2018–19 report. The committee understands that reporting methods may change, however an explanation should be provided for clarity. Changes in how information is presented in annual reports prevent comparison between reporting periods and can detract from the committee's ability to scrutinise the agency's performance and functions. The matter may be considered when the committee examines the ACIC 2018–19 report.

Financial performance

The ACIC financial result for 2017–18 was an operating deficit of $16.325 million.40 With the exclusion of unfunded depreciation and capital funding, the ACIC would have realised a deficit of $8.937 million for the financial year, arising primarily from the closure of the Biometric Identification Services project.41 In 2016–17, the ACIC reported an operating surplus of $10.982 million.42
The ACIC total appropriation for 2017–18 was $91.666 million, which included an $88.446 million operating budget, a $2.64 million departmental capital budget, and a $0.58 million equity injection.43 The total appropriation for 2018 is less than that for 2016–17, which was $94.663 million.44
In 2017–18, $79.607 million was allocated for base funding (this figure was $81.812 million in 2016–17),45 with the remainder allocated as follows:
$1.763 million funding for the Australian Gangs Intelligence Coordination Centre;
$0.886 million to enhance physical security to all office buildings and personnel security capabilities, in response to the current heightened security threat;
$4.803 million to develop and enhance the ACIC’s cybercrime intelligence and analysis capability in response to the 2016 Cyber Security Review recommendations;
$0.864 million to work on the development of National Order Reference System to facilitate information sharing and enforcement of domestic violence orders between courts and police across Australia;
$0.197 million for supporting the Australian Cyber Security Centre operating 24/7 to prevent and combat cyber security threats; and
$0.326 million for establishing a national database of rejected applications for Working with Children Checks.46
The ACIC's revenue for 2017–18 was generated from its appropriation for ordinary annual services ($88.446 million) and own source income which totalled $124.265 million. Own source income was derived from the provision of National Policing Information Services ($97.737 million), Proceeds of Crime Trust Account ($10.379 million), provision of services ($14.764 million), and $1.385 million in resources were received free-of-charge.47
The annual report notes a number of major variances between the funds allocated in the 2017–18 Portfolio Budget Statements and the final outcome for 2017–18. Some of the ACIC explanations included:
Supplier expenses were higher due to unexpected levels of operation associated with the Proceeds of Crime Act activity, projects funded through New Policy Proposals, and expenses associated with the closure of the Biometric Identification Services project;48
Revenues were higher than expected due to greater demand for the National Police Checking service, and there was unexpected revenue from the Proceeds of Crime Act and other services;
The actual balance for financial assets is approximately 17% greater than budget. This is due to the original budget being prepared before the 2016–17 actual figure was known and, as a consequence, the opening balance of the 2017–18 statement had to be estimated.49
In 2017–18, the ACIC commenced six new consultancy contracts (worth $0.5 million) in addition to the five ongoing consultancy contracts active during the year (worth $0.04 million), creating a total of $0.54 million.50
The Australian National Audit Office determined that the ACIC had complied with the Australian Accounting Standards – Reduced Disclosure Requirements and the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015, and presented fairly its financial position as at 30 June 2018, its financial performance and cash flows for 2017–18.51

Commonwealth Ombudsman reports

During 2017–18, the Commonwealth Ombudsman (Ombudsman) visited the ACIC's offices in Brisbane, Sydney and Melbourne to conduct seven inspections.52 The Ombudsman released three inspection reports which relate to the 2017–18 year. These reports assess the ACIC's:
compliance with the Surveillance Devices Act 2004 (SD Act);
access to stored communications and telecommunications data under Chapters 3 and 4 of the Telecommunications (Interception and Access) Act 1979; and
controlled operation records.

Surveillance devices

Under the Act, specified law enforcement agencies can covertly use surveillance devices when investigating certain offences. Each agency's compliance with the Act is independently assessed by the Ombudsman. Overall, the ACIC was found to be compliant with the requirements of the Act with the exception of some minor errors.53
The Ombudsman 1 July to 31 December 2017 report assessed the ACIC's surveillance records from 28 February to 3 March 2017. The Commonwealth Ombudsman 1 January to 30 June 2018 report assessed the ACIC's surveillance records from 11 to 14 September 2017 and 9 to 12 April 2018. Eight findings were made across the two reports, outlined below.

Finding 1

The ACIC self-disclosed three instances where protected information was obtained without proper authority. In all instances, surveillance devices continued to capture protected information after the relevant warrants had expired; however, in each instance, the ACIC quarantined all protected information captured after expiration.54

Finding 2

The ACIC self-disclosed three instances where protected information was obtained without proper authority. There was also one instance where protected information was transferred to a partner agency and that agency could not account for the location of the protected information. The ACIC advised it would conduct a review of its procedures to ensure all protected information is accounted for.55

Finding 3

The ACIC reported to the Minister under s 49 that a warrant had not been executed; however, the Ombudsman identified at inspection that a partner agency had executed the warrant. The ACIC provided a corrected report to the Minister following the inspection.56

Finding 4

The Ombudsman identified three instances where protected information was not properly destroyed. Following the Ombudsman's suggestion, the ACIC destroyed the records as soon as practicable.57

Finding 5

The Ombudsman reported that, under a person warrant, the ACIC had installed an optical device on a premises and the device had not been retrieved for four days after the person of interest had been arrested. After the Ombudsman's inspection, the ACIC advised that it had obtained both a person warrant and a premises warrant and that the device had been installed under the premises warrant despite records to the contrary. The ACIC advised that it had corrected its records to reflect the correct warrant the device had been installed and used under. The Ombudsman reported that it could not confirm compliance until it reviewed the ACIC's records at the next inspection.58

Finding 6

The ACIC disclosed four instances where authorising officers either did not provide their permission in writing when giving a tracking device authorisation, or written permission was provided but did not indicate the period for which the authorisation was to remain in force, contrary to the Act. The ACIC took remedial action, such as briefing staff on the requirements, updating its procedures, and quarantining any protected information.59

Finding 7

The ACIC retrieved a surveillance device under a retrieval warrant, and left the warrant to expire five days later, despite the Act requiring immediate revocation of the warrant and the chief officer to be notified once grounds for the warrant cease to exist. Subsequently the ACIC included a reminder about revocation obligations in its fortnightly advice to staff.

Finding 8

The ACIC disclosed three instances of handling protected information contrary to the Act regarding destruction of evidence that is no longer required. In the first instance, the ACIC could not locate the protected information and could not confirm its destruction. In the second, protected information held by a partner agency could not be destroyed. In the third, protected information was destroyed two days after the five year period for action. Despite these incidents, the Ombudsman was satisfied the ACIC had adequate procedures in place and understood its obligations.60

Telecommunications interception records and stored communication records

In March 2019, the Ombudsman published its report on its monitoring of agency access to stored communications and telecommunications data under Chapter 3 and 4 of the Telecommunications (Interception and Access) Act 1979 (TIA Act) for the period 1 July 2017 to 30 June 2018. The inspections examined agency records for the period 1 July 2016 to 30 June 2017.61
During the 2017–18 inspections, the Ombudsman found that all agencies demonstrated a high level of compliance with the TIA Act and there were fewer problems than in the previous period.62 However, it identified non-compliance in a number of key areas across all law enforcement agencies including:
authorisations that were improperly made;
an inability to sufficiently demonstrate required privacy considerations;
access to unauthorised telecommunications data;
statistics and reporting; and
The Ombudsman inspected 125 telecommunications data authorisations obtained by the ACIC and identified issues in relation to 41. The issues related to telecommunications data accessed without proper authority; telecommunications data outside the parameters of the authority; inadvertent disclosure; written records indicating notification of an authorisation; and record keeping.63 Twenty-seven of the 41 issues were self-disclosed by the ACIC.
The Ombudsman reported that where telecommunications data was accessed without proper authority, the ACIC notified the carrier of an authorisation prior to it being formally signed by an authorised officer and quarantined the telecommunications data obtained in each instance. Where telecommunications data was outside the parameters of the authority, the ACIC continued to receive telecommunications data after a revocation had taken effect; however, the ACIC has since updated its processes to mitigate reoccurrence of this issue.64
The Ombudsman inspected two warrants and 3 preservation notices relating to stored communications during its inspection of the ACIC and reported nil instances of non-compliance.65

Controlled operations

Under the Crimes Act 1914 (Crimes Act) the ACIC (as well as the Australian Federal Police and the Australian Commission for Law Enforcement Integrity) may grant an authority to authorise a controlled operation.
Controlled operations are covert operations carried out for the purpose of obtaining evidence that may lead to the prosecution of a person for a serious Commonwealth offence. Participants involved in such operations are protected from criminal responsibility and indemnified against civil liabilities that may arise as a result of activities undertaken during the course of the operation, providing that conditions are met.66
The Ombudsman performs independent oversight of this power by inspecting agencies' records, at least once every 12 months, to determine compliance with the Crimes Act and, in the ACIC's case, corresponding state controlled operations legislation. The Ombudsman annually releases the Report on the Commonwealth Ombudsman's activities in monitoring controlled operations which presents the results of inspections.
The Ombudsman assesses compliance based on the records made available at the inspection, discussions with agency staff, observations of agencies’ processes through information provided, and agencies’ remedial action in response to any identified issues.67

Changes to inspection approach

During the 2017-18 period the Ombudsman varied the approach to inspecting controlled operation authorities, by inspecting a sample of authorities at the ACIC rather than all eligible authorities. For the Australian Federal Police and the ACIC, it focused on authorities that reached 24 months, the maximum permitted period under the Crimes Act, as well as other authorities that appeared to be more complex and presented greater risks to compliance.68

Revised assessment of variations to authorities

The Crimes Act provides for controlled operation authorities to be varied in certain circumstances. Authorising officers must not grant a variation of authority where doing so would constitute a significant alteration to the nature of the controlled operation. In the previous annual report, the Ombudsman premised assessments on the basis that a significant alteration to an authority would be one that authorised operations targeted at a different criminal activity. However, the approach was reviewed following discussions with agencies to assessing variations with regard to the legislative provision, the explanatory memorandum and the operation of legislation in practice. The Ombudsman now considers whether the variation is consistent with the character of the original authorised controlled operation.69

Findings from 2017–18

In 2017–18, the Ombudsman conducted two inspections at the ACIC, where it assessed 30 of its 52 controlled operations authorities, and made the following findings, as outlined below.

Finding 1 – Unauthorised participants and activities of controlled operations

Authorities provide protection from criminal and civil liability for participants who engage in conduct during the course of a controlled operation. In five instances at the first inspection, the Ombudsman was unable to assess whether activities and participants involved in a controlled operation were authorised by an authority, due to insufficient detail in the ACIC’s post-operation reports. In two of those instances, the Ombudsman reviewed additional information at its next inspection that confirmed the activities and participants were authorised. In two other instances there was insufficient information in the ACIC’s records about what activities were conducted by law enforcement officers including what time the conduct commenced. In the remaining instance, the Ombudsman was unable to determine whether a civilian participant had acted at the direction of a law-enforcement participant. No further instances were identified during the second inspection as the ACIC had implemented improved practices.70

Finding 2 - Granting of two authorities for the same operation

The ACIC disclosed that it had inadvertently issued two controlled operations authorities for the same operation with the same reference number. This second authority was issued to correct an error in the original authority where a participant had been omitted. The ACIC acknowledged that, contrary to its usual practice, these authorities were not vetted by the legal team. It also advised that the original authority should have been cancelled.71

Finding 3 – Consecutive authorities

A formal authority must not be varied in such a way that the period of effect of the authority will, after the variation is made, exceed three months, including any previous extensions. The Ombudsman identified one authority that targeted the same criminal activities and person of interest as a previous authority. This authority had been granted within six days of the expiry of the previous authority. It was unclear why the ACIC did not seek to extend the original authority by applying to the Administrative Appeals Tribunal. The ACIC advised that it had originally expected that the operation would cease in line with the expiry of the first authority. However, the day before the expiry of the authority, additional information became available that changed the operational circumstances. 72

Finding 4 – General register and record keeping matters

Agencies must keep a general register, specifying certain details about each controlled operation such as the nature of the controlled conduct engaged in by law-enforcement participants. The Ombudsman identified eight instances at the first inspection and five instances at the second inspection, where specific details were either incorrectly recorded or omitted. The ACIC subsequently updated its general register and revised relevant guidance material.73

Adequacy of controlled operations reports

Agencies are required to report to the Ombudsman and the Minister on the details of controlled operations during the preceding six months. The adequacy of these reports is considered by the Ombudsman in its annual report. In the 2017–18 period, two instances were identified where information was either omitted or incorrectly recorded. The ACIC implemented remedial measures, including allocating an additional staff resource, creating new templates and updating procedures.74

Committee comment

The committee notes the Ombudsman's findings and acknowledges the ACIC's high level of compliance, willingness to self-disclose, and its work to address issues that have been identified. The committee is confident that the same diligence will be applied to the issues identified in the controlled operations report. As part of its usual role, the committee will monitor this progress going forward.

 |  Contents  |