At times the IGIS conducts inspections and reviews of activities that are common to a number of intelligence agencies. Information on all inspections and assessments are published in the IGIS annual report.
Part IAC of the Crimes Act 1914 and corresponding State and Territory laws enable ASIO and ASIS officers to create and use assumed identities for the purpose of performing their functions. The legislation protects authorised officers from civil and criminal liability where they use an assumed identity in circumstances that would otherwise be considered unlawful. Similarly, the legislation protects the Commonwealth, State and Territory agencies responsible for issuing identity documents in relation to an assumed identity in accordance with the Act. In December 2018, the Crimes Act 1914 was amended to extend authority to acquire and use assumed identities to ONI.
The legislation also imposes reporting, administration and audit regimes on those agencies using assumed identities. Section 15LG of the Crimes Act 1914 requires ASIO, ASIS and ONI to conduct six-monthly audits of assumed identity records and section 15LE requires that each agency provide the Inspector-General with an annual report containing information on the assumed identities created and used during the year. During 2018–19 the Director-General of Security and the Director-General of ASIS each provided this office with a report covering the activities of their respective agencies for the 2017-18 reporting period. There was nothing in the reports to suggest that ASIO or ASIS were not complying with their legislative responsibilities or which otherwise caused concern. ONI was not required to submit a report for 2017-18. Agency reports covering the period 2018-19 will be submitted during 2019-20.
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) provides a legal framework in which designated agencies are able to access and share financial intelligence information created or held by the Australian Transaction Reports and Analysis Centre (AUSTRAC). All intelligence agencies and IGIS are designated agencies for the purposes of the AML/CTF Act.
The IGIS is party to a memorandum of understanding (MOU) with AUSTRAC. This MOU establishes an agreed understanding of IGIS’s role in monitoring agencies’ access to, and use of, AUSTRAC information.
In overseeing the agencies’ use of AUSTRAC information, the office checks that there is a demonstrated intelligence purpose pertinent to the agencies’ functions, that access is appropriately limited, searches are focused, and the passage of information to both Australian agencies and foreign intelligence counterparts is correctly authorised. In 2018-19, as in previous years, the Inspector-General prepared a statement summarising compliance monitoring in respect of each of the intelligence agencies concerning their access to, and use of, AUSTRAC information in the preceding financial year and provided this to relevant ministers and the AUSTRAC Chief Executive Officer.
During 2018-19, the office inspected ASIO’s use of AUSTRAC material during 2017-18 and identified multiple breaches of section 133 of the AML/CTF Act. These breaches were consistent with the findings of an earlier ASIO internal review (conducted during 2017-18) that identified systemic deficiencies in ASIO’s compliance with the requirements of the AML/CTF Act and ASIO’s MOU with AUSTRAC. Additional detail about this review and the identified deficiencies can be found in the IGIS annual report for 2017-18. As reported last year, the ASIO internal review prompted measures to address these deficiencies and the office saw some evidence in 2018-19 that these measures are improving ASIO’s handling of AUSTRAC material. In particular, the office noted an improvement in ASIO officers’ understanding of the procedural requirements for the communication of AUSTRAC information, however, the quality of record-keeping related to the dissemination of AUSTRAC information remains inconsistent.
In 2018-19 the office conducted a specific inspection of ASIS records concerning AUSTRAC information, as well as incidentally reviewing ASIS’s use of AUSTRAC material during inspections of operational files throughout the year. The inspections found that ASIS’s governance and record-keeping in relation to AUSTRAC information continued to be effective.
Inspections of ASD, AGO and DIO relating to AUSTRAC information did not reveal any issues of concern. There were no instances of non-compliance by ASD, AGO and DIO regarding access to and use and protection of AUSTRAC information. ASD, AGO and DIO continued to have limited interaction with AUSTRAC material during the reporting period, and did not access any information directly via online access to AUSTRAC databases. All three agencies have effective procedures in place with regard to handling of this information.
The office reviewed ONI’s use of AUSTRAC material and found that, overall, ONI’s governance and record-keeping continued to be effective. ONI self-reported an issue where AUSTRAC was disseminating reports to an ONI email distribution list containing individuals not authorised to receive the reports. This activity did not constitute a breach of the AML/CTF Act as, in accordance with section 121(3)(b) of the Act, staff of AUSTRAC are able to disclose product to ONI staff to assist in the performance of their duties.
On 16 May 2020, Part VIIIA was introduced into the Privacy Act 1988 (Privacy Act); it sets
out privacy protections that relate specifically to personal information collection via the
COVIDSafe app.
Part VIIIA introduced offences for the collection, use and disclosure of COVIDSafe app
data. This new Part has implications for intelligence agencies under the jurisdiction of the
Inspector-General, in particular in respect of the incidental collection of COVIDSafe app data
amongst lawfully intercepted material. Part VIIIA provides exceptions to certain offences
that relate to incidental collection of COVIDSafe app data during the collection of other
data under a warrant. No offence is committed if the COVIDSafe app data is deleted as soon
as practicable after the agency becomes aware that it has been collected, and that it has
otherwise not been used, accessed or disclosed after it has been collected.
A project was established within IGIS that aims to identify those agencies under the
Inspector-General’s jurisdiction that are most likely to be at risk of incidentally collecting
COVIDSafe app data, and to determine if these agencies are taking the necessary steps to
comply with Part VIIIA of the Privacy Act.
Given the intersecting areas of oversight that Part VIIIA creates, this project is being
undertaken in cooperation with the Office of the Australian Information Commissioner
(OAIC). The OAIC is the agency responsible for compliance with the Privacy Act, and also
regulation of the COVIDSafe app. An unclassified report will be shared with the OAIC at
the completion of the initial assurance activities undertaken by IGIS which will allow for
completion of their obligations under the Privacy Act to be satisfied.
Inspection activities of intelligence agencies under the Inspector-General’s jurisdiction
related to the project is planned to continue until use of the COVIDSafe app is discontinued
by government and all related COVIDSafe app data is deleted.
On 16 November 2020, IGIS provided a report to OAIC covering the period 16 May - 16 November 2020.
On 17 May 2021, IGIS provided a report to OAIC covering the period 16 November 2020 - 15 May 2021.
On 15 November 2021, IGIS provided a report to OAIC covering the period 16 May - 15 November 2021.
On 26 May 2022, IGIS provided a report to OAIC covering the period 16 November 2021 - 15 May 2022.
On 21 November 2022, IGIS provided a report to OAIC covering the period 16 May 2022 - 15 November 2022.