04 December 2020

Metasurveillance, the Intelligence Community and accountability

The Government response to the Richardson report, noted in the preceding post, comments -

The Comprehensive Review of the Legal Framework of the National Intelligence Community (the Review), and the Government’s response, reaffirm that the fundamental principles that underpin Australia’s intelligence legislation remain fit-for-purpose. Australia’s intelligence agencies have distinct, but overlapping roles, and the legislation that underpins these agencies’ activities remains generally sound. Appropriate and robust oversight mechanisms must accompany agencies’ powers, in order to build and maintain public trust in their legitimate but often covert activities. 

The central area for reform is a new electronic surveillance Act, which will be a new landmark in Australia’s national intelligence legislation. The Review identified that the existing legislation is unnecessarily complex and has been outpaced by technology. A new electronic surveillance Act will be generational in its impact. This legislation will require careful and detailed consideration, with extensive public consultation, to establish a framework that will support Australia’s intelligence collection and law enforcement agencies in the years to come. 

The Review has also demonstrated the need for targeted legislative change in other areas to ensure that agencies can undertake their functions effectively. These additional reforms, including in relation to counter-espionage activities and foreign relations risk management, will be pursued in due course. 

Transparency and oversight remain important features of Australia’s intelligence community. The functions and activities of the intelligence agencies should be made clear and publicly accessible as far as possible, to ensure that the Australian people have confidence in the activities that are pursued in their name. The Review itself furthers this purpose, as it has provided Government and the public with a comprehensive and detailed overview of Australia’s contemporary intelligence framework. The Government will also pursue targeted reforms to strengthen the oversight of the national intelligence community, including by ensuring that oversight is embedded in legislation at its inception, and that it is governed by coherent principles. 

The reforms arising from this Review reach across the national intelligence community, and will require thoughtful consideration. Activities to implement these recommendations will be a feature of national security reforms over many years. The Government will continue to consider future areas for reform, in light of the guiding principles of the Review, and any further evidence that is put to Government that demonstrates a need for change.  

The response to specific recommendations is 

R 1: NIC agencies should ensure that their induction and ongoing training addresses the history, background and principles that underpin their legal frameworks and of the balance in legislation sought by government and the Parliament. 

Agreed.

R 2: The sequencing of steps required in the Intelligence Services Act’s ministerial authorisation process should be adjusted to enable the responsible minister to authorise an Intelligence Services Act agency to produce intelligence on an Australian person and then seek the Attorney-General’s agreement to that authorisation. The authorisation would not take effect until the Attorney-General has given agreement. 

Agreed. The process referred to in Recommendation 2 applies to a subset of intelligence collection. It is enlivened when an Intelligence Services Act (IS Act) agency seeks to produce intelligence on an Australian person who is or is likely to be engaged in activities that are, or are likely to be, a threat to security. In those circumstances, the relevant agency must currently seek the Attorney-General’s agreement before then seeking a ministerial authorisation from the relevant minister. The importance of the Attorney General’s agreement to producing intelligence in these circumstances is described in Recommendation 53. The Attorney-General’s discretion is unfettered, and he or she can take into account any relevant information, including drawing on ASIO’s advice about the activities of the person in making his or her decision. The purpose of Recommendation 2 is to provide agencies with greater flexibility in the process of seeking the approval of the Attorney General and authorisation of the responsible minister. Agencies should have the ability to seek the authorisation of the minister and the agreement of the Attorney-General in either order, or to approach the responsible minister and Attorney General concurrently, as appropriate. The authorisation would not take effect until both the relevant minister has authorised the production of the intelligence and the Attorney General has given his or her agreement. The IS Act will be amended to implement Recommendation 2. 

R 3: The legislation governing the activities of ASIO, ASIS, ASD and AGO should continue to distinguish between foreign intelligence and security intelligence. 

Agreed. There is a distinction between collecting ‘foreign’ intelligence concerning the activities, intentions and capabilities of people and organisations outside Australia, and collecting ‘security’ intelligence for the purpose of protecting Australia and its people from threats such as espionage, foreign interference or politically-motivated violence. This distinction recognises the state’s foundational duty to provide security for its territory and people, and that Australia’s security interests are best served by having one agency – ASIO – with primary responsibility for protecting Australia from non-military security threats. The foreign intelligence collection agencies – ASIS, ASD and AGO – also provide vital intelligence relevant to Australia’s national security but they focus, principally and appropriately, on people and organisations outside Australia (noting ASD’s increasingly important role within Australia in cyber security matters). It is appropriate that the concepts of security and foreign intelligence overlap, to ensure comprehensive coverage of Australia’s intelligence collection needs. 

R 4: There should continue to be a distinction between AIC agency activities that take place onshore and those that take place offshore. 

Agreed. The distinction between activities that take place onshore and those that take place offshore is an important principle underpinning the structure and activities of the national intelligence community (NIC). The distinction helps to inform the purposes and responsibilities of each agency, and reflects fundamental principles such as Australia’s sovereignty. The Government considers that technological changes, particularly in the realm of the internet, have challenged, and will continue to challenge, the distinction between onshore and offshore activities. It is not always possible to precisely reflect this principle in legislation due to technological change. Notwithstanding such challenges, the distinction remains an enduring feature of the NIC’s legislative framework. The Government will continue to consider and review the distinction between onshore and offshore activities, and its impact on legislation governing the NIC as it applies to cyber-enabled activities. 

R 5: The Australian Security Intelligence Organisation Act and Telecommunications (Interception and Access) Act should be amended to enable the Director General of Security, on a request from the Foreign Minister or Defence Minister, to seek a warrant from the Attorney General for the collection of foreign intelligence on an Australian person who is acting for, or on behalf of, a foreign power. 

Agreed. IS Act agencies can currently collect intelligence on Australians offshore where those Australians are agents of a foreign power and have access to intelligence relevant to Australia’s national security, foreign relations or national economic wellbeing. This collection activity is an important and proper activity of Australia’s intelligence agencies. However, those agencies cannot seek any form of warrant to collect intelligence on an Australian when they are onshore. It is the function of ASIO – rather than the IS Act agencies – to exercise warranted powers to obtain foreign intelligence inside Australia. However, ASIO may only collect intelligence using warranted powers on an Australian onshore where the Australian is involved in activities that meet the narrower definition of ‘security’ in the Australian Security Intelligence Organisation Act (ASIO Act). This results in an intelligence gap between Australia’s security interests (as defined by the ASIO Act) and Australia’s wider foreign intelligence ‘national security’ interests. The Government agrees that this gap is not supported by policy principles. An Australian serving the interests of a foreign power remains an agent for that foreign power whether they are onshore or offshore. The ASIO Act and Telecommunications (Interception and Access) Act (TIA Act) should be amended to enable the collection of foreign intelligence on an Australian within Australia where that person is acting for, or on behalf of, a foreign power. The precise definition of a ‘foreign power’ will be considered carefully in drafting the amendments, to ensure that the ability to collect foreign intelligence on an Australian person is reasonable, necessary and proportionate, and does not unduly infringe on the privacy of Australians. The definition in the ASIO Act should be considered as a starting point, in light of the purpose of this recommendation. 

R 6: The legislation that applies to ASIO, ASD, ASIS and AGO should continue to distinguish between Australians and non-Australians. 

Agreed. There are, and should be, greater steps required when agencies undertake activities with respect to Australians. The Government relies on the confidence of the Australian people to conduct intelligence activities, and engages in greater risk when conducting activities in relation to Australians. In light of this risk, it is appropriate that such decisions be made by ministers who are accountable to the public, and that such decisions be subject to particularly thorough and deliberate consideration. The purpose for which intelligence is produced also has an effect on the way Australians and non Australians are treated in intelligence legislation. The collection of security intelligence, as a means of providing collective security to Australia, more readily justifies agencies’ use of intrusive powers on an Australian person than the collection of foreign intelligence absent any connection to security. 

Recommendation 7: CLASSIFIED 

Recommendation 8: ONI should develop guiding principles on open source information collection, in consultation with DIO, Home Affairs, and the IGIS. 

Agreed. In developing these principles, ONI, DIO, Home Affairs and the IGIS will work together, along with other relevant NIC agencies, to develop guidance as to the distinction between open source information collection and other intelligence collection activities, including information collected using covert collection methodologies. 

Recommendation 9: CLASSIFIED 

R 10: DIO and Home Affairs should not be included in the assumed identity regime in the Crimes Act for the purposes of open source information collection. 

Agreed. 

R 11: CLASSIFIED 

R 12: The Office of National Intelligence Act should be amended so that the privacy rules apply only to analytical products of the Open Source Centre. 

Agreed. The Office of National Intelligence Act (ONI Act) operates such that ONI’s privacy rules apply to information other than its analytical products. The ONI Act should be amended so that the privacy rules only apply to information that is part of ONI’s analytical functions, both with respect to products of the Open Source Centre (as recommended by the Review), and with respect to information held and communicated by other parts of ONI. With respect to products of the Open Source Centre, the Government considers the ONI Act should be amended so that the privacy rules only apply where ONI applies analysis to identifiable information. This will mean that ONI’s privacy rules will not apply in situations where the Open Source Centre communicates, but does not apply analysis to, publicly available identifiable information, like a newspaper article. The purpose of the privacy rules (as set out in subsection 53(3) of the ONI Act) is to ‘ensure that the privacy of Australian citizens and permanent residents is preserved as far as is consistent with the proper performance by ONI of its functions’. As such, it is appropriate for the privacy rules to continue to apply to information collected by ONI in the performance of its analytical functions. However, the privacy rules should not apply to information that falls outside ONI’s analytical functions, including administrative and staffing information, consistent with the approach taken for IS Act agencies. Those agencies deal with such information separately by ensuring that their internal policies provide appropriate privacy protections for staffing and administrative information. Accordingly, the ONI Act should also be amended so that the privacy rules only apply to information obtained in the performance of its analytical functions, consistent with the approach taken in the IS Act. ONI will work with the IGIS, and PM&C in amending the ONI Act and ONI’s privacy rules. 

R 13: AGO should be established as a statutory authority before acquisition of a sovereign geospatial intelligence space capability, with the timing to be revisited as part of future independent intelligence reviews. 

Agreed in principle. The 2016 Defence White Paper noted the vital role space-based systems play in all Australian Defence Force (ADF) and coalition operations. It also highlighted that enhancements to Defence’s imagery capability will provide the basis to further develop intelligence surveillance and reconnaissance capabilities in the longer term, including through potential investment in space based sensors. If the acquisition of a sovereign satellite imagery capability is approved, it would be appropriate for Government to consider the question of whether and, if so, when AGO should be established as a statutory authority. 

14: DIO should remain a semi-autonomous organisation within the Department of Defence. 

Agreed.   

15: DIO’s mandate should be made publicly available. 

Agreed. 

16: The intelligence functions of Home Affairs should not be specified in legislation. 

Agreed. 

17: The Australian Security Intelligence Organisation Act and any new electronic surveillance framework (incorporating existing authorities under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act and relevant parts of the Australian Security Intelligence Organisation Act) should provide that powers vested in the Attorney-General in respect of ASIO may only be exercised by the Attorney-General and not by a junior minister. As with section 3A of the Intelligence Services Act, references to the Attorney-General should continue to include a person acting as the Attorney-General. 

Agreed. 

18: The Law Officers Act should be amended to remove the ability for the Attorney-General to delegate his or her power to issue warrants under the Australian Security Intelligence Organisation Act to the Solicitor General, Secretary of the Attorney General’s Department or any other officer of the Commonwealth. The current prohibition in respect of warrants issued under the Telecommunications (Interception and Access) Act should remain in respect of the new electronic surveillance framework. 

Agreed. 

19: The Attorney-General’s powers in respect of ASIO should not be able to be conferred on another minister through an action of the Executive. Legislative amendment should be required. The ability for the Governor General in Council to make a substituted reference order in respect of the Attorney-General’s role in exceptional cases should be retained, but only used in exceptional circumstances, such as where there is no Attorney-General. 

Agreed. The Attorney-General has a special role in respect of ASIO warrants, and authorisations. In light of this special role, wherever legislation confers powers on the Attorney-General with respect to ASIO the legislation should specifically refer to the ‘Attorney-General’ rather than ‘the minister’. It is for this reason that parts of the ASIO Act were amended to refer to the Attorney General when administration of the ASIO Act was transferred to the Minister for Home Affairs. It is a matter for the Prime Minister to advise the Governor General on the scope of ministers’ portfolio duties. In certain circumstances, it is appropriate to specify particular ministers’ responsibilities in legislation. This is the case for the IS Act, which codifies the roles of particular ministers in section 3A. The ASIO Act should be amended to include a similar provision to section 3A of the IS Act. Such a provision should provide that notwithstanding any machinery of government changes, a reference to the Attorney-General will only refer to the minister with that title, and that the Governor-General in Council should only make a substituted reference order in exceptional circumstances. 

20: The Australian Security Intelligence Organisation Act and Telecommunications (Interception and Access) Act (and the new electronic surveillance framework) should permit the Director-General of Security to approach the Prime Minister to issue a warrant, where the Attorney General advises the Director-General of an actual or apparent conflict of interest, or where the Director-General is satisfied that the Attorney-General has an actual or apparent conflict of interest. 

Agreed in principle. It is important to develop a mechanism through which actual and apparent conflicts of interest can be addressed, to ensure the effective operation of Australia’s national security warrant framework. It would only be necessary to have recourse to such a mechanism in extraordinary circumstances. It is important that in such circumstances, ministers are clearly accountable for the decision to issue a warrant. Where the Attorney-General advises the Director-General of Security of an actual or apparent conflict of interest, or where the Director-General considers that the Attorney-General has an actual or apparent conflict of interest, the Director-General should refer the relevant warrant application to the Prime Minister. It is appropriate for the Prime Minister to decide to issue the warrant, or to decline to issue the warrant. The Prime Minister should also be able to refer the decision to issue the warrant to another IS Act minister if necessary. When determining whether to refer the decision to issue a warrant to another minister, the Prime Minister will give due weight to the sensitivities involved in the decision, including the special role in granting ASIO warrants. In implementing this recommendation, the Government will develop guidance to support the Director-General of Security in determining the circumstances in which it may be appropriate to approach the Prime Minister. This conflict of interest mechanism is consistent with the principle that the Attorney-General’s powers should not be able to be conferred by executive order (Recommendation 19). Recommendation 20 establishes a legislative mechanism for the exercise of the Attorney-General’s powers in a particular circumstance, and is not a ‘conferral of powers’ in the sense contemplated in Recommendation 19. 

21: The Intelligence Services Act should be amended to permit an agency head to approach another Intelligence Services Act minister to issue an authorisation, where the responsible minister advises the agency head of an actual or apparent conflict of interest, or where the relevant agency head is satisfied that the authorising minister has an actual or apparent conflict of interest. 

Agreed in principle. It is important to develop a mechanism through which actual and apparent conflicts of interest can be addressed, to ensure the effective operation of the IS Act. It would only be necessary to have recourse to such a mechanism in extraordinary circumstances. Where the responsible minister advises the agency head of an actual or apparent conflict of interest, or where the relevant agency head considers that the responsible minister has an actual or apparent conflict of interest, the agency head should refer the relevant ministerial authorisation request to the Prime Minister. It is appropriate for the Prime Minister to decide to issue the ministerial authorisation him or herself, to decline to issue the ministerial authorisation, or to refer the ministerial authorisation to another IS Act minister. In implementing this recommendation, the Government will develop guidance to support agency heads in determining the circumstances in which it may be appropriate to approach the Prime Minister. 

22: Legislative amendments in respect of ONI’s budget authority are not required. 

Agreed. 

23: The Department of Home Affairs does not require cooperation provisions in legislation. 

Agreed. 

24: Section 13 of the Office of National Intelligence Act does not require amendment. The legislative requirement for the Director-General to approve cooperation arrangements with an authority of another country is appropriate. 

Agreed, but the Government does support amendments to section 13 of the ONI Act to ensure that the cooperation is subject to appropriate approval processes. It is appropriate for the Director-General to approve cooperation arrangements with other countries. The ONI Act does not strictly require amendment to allow ONI to cooperate with international organisations – they would be considered ‘entities’ under subsection 13(1)(b) of the ONI Act. However, under the ONI Act the Director General must approve cooperation arrangements with ‘another country’ but does not need to approve cooperation arrangements with an ‘entity’ (which would include an international organisation). This issue was not considered in the Report of the Comprehensive Review of Intelligence Legislation. The safeguards in section 13 of the ONI Act for authorities of another country should also apply to ONI’s cooperation arrangements with international organisations. International organisations are generally established by a treaty to which States are party. Cooperation arrangements between ONI and international organisations would raise similar risks to cooperation arrangements with foreign authorities. As such, it would be appropriate for the Director-General to approve such arrangements, and for the Prime Minister to have an opportunity to cancel such an approval, consistent with section 13(5) of the ONI Act. Section 13 of the ONI Act should be amended such that subsections (2) to (7) of section 13 apply to cooperation with ‘entities’ that are international organisations, in the same way these provisions currently apply to authorities of another country.  

26: DFAT should be informed before any NIC agency (other than ASIS) conducts covert human intelligence activity in another country without the agreement of the host authorities. DFAT is responsible for determining whether the Foreign Minister should be advised of the activity. 

Agreed. NIC agencies (other than ASIS) will advise DFAT before conducting covert human intelligence activities in another country without the agreement of the host country’s authorities. Relevant agencies will work together and with DFAT to develop a flexible, nuanced process to assist DFAT in managing any foreign relations risk. The Government notes that Recommendation 26 is complementary to, but distinct from, Recommendation 17 of the 2017 Independent Intelligence Review (2017 IIR). The 2017 IIR recommended that: [r]egular briefings be held involving the ‘Agency Heads’ (as defined by the Intelligence Services Act 2001), their responsible Ministers, and the Attorney-General and Director General of Security, on intelligence collection activities overseas which, if compromised, could impact on Australia’s foreign policy or international relations. The Government supports the regular briefings as recommended by the 2017 IIR, and supports ONI’s ongoing work to implement the Government’s agreed response to Recommendation 17, which included the Secretary of DFAT and Director-General of ONI in the regular briefings

27: Processes for managing foreign relations risks, including determining the agencies subject to these processes, should be considered each time there is an Independent Intelligence Review. 

Agreed. 

28: The Commonwealth should not develop a common legislative framework in the form of a single Act governing all or some NIC agencies. 

Agreed. 

29: NIC legislation should not be amended to include standalone proportionality tests as part of the threshold for the authorisation of intrusive powers. 

Agreed. Proportionality is a fundamental part of the NIC legislative framework – existing authorisation frameworks require decision-makers to assess proportionality through the application of warrant tests, ministerial directions and/or guidelines. As such, it is not necessary to establish a standalone proportionality test in NIC legislation as part of the threshold for the authorisation of intrusive powers. Agencies should nevertheless seek to apply consistent approaches to proportionality assessments. Agencies should work together, in consultation with the IGIS, to review their internal guidance material on proportionality tests. 

30: Ministers should continue to authorise ASIO and Intelligence Services Act agency activities. These authorisations should not also be subject to judicial or other independent authorisation. 

Agreed. It is important that ministers be responsible for authorising ASIO and IS Act agencies’ activities, to allow ministers to make decisions taking into account the broader context of the agency, political risks, and national security considerations. The proposed process under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) Agreement departs from the principle that authorisations should not also be subject to judicial or other independent oversight. Under the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, any International Production Orders sought by ASIO will be subject to both Ministerial and judicial or other independent authorisation. This is necessary to meet the specific requirements of the US legislation that established the CLOUD Act data-sharing scheme. Notwithstanding this exception, ministerial authorisations, together with IGIS oversight, provide appropriate protections and accountability for intelligence warrants and authorisations, and should continue without additional judicial or other authorisation. 

31: All ASIO warrants and special intelligence operation authorisations should be reviewed by the Attorney-General’s Department, noting the need for appropriate security clearances and relevant briefings. 

Agreed. The current review process provides valuable support to assist the Attorney-General in their decision-making. It also provides the Attorney-General with assurance that a person independent of ASIO has assessed the warrant prior to the Attorney-General’s consideration of it. Consistent with current processes, the reviewer will continue to be a legally-qualified senior official within the Attorney-General’s Department, with suitable experience regarding ASIO’s operations, and who holds the necessary security clearances and briefings. 

32: In circumstances of extreme urgency ASIO should provide warrants or authorisations to the Attorney-General without review by the Attorney-General’s Department. In such situations, ASIO should advise the Attorney-General that the warrant or authorisation has not been reviewed by the Department, and subsequently present the warrant or authorisation to the Department for review. 

Agreed. The purpose of the subsequent review by the Attorney General’s Department is to ensure that the relevant officer in the department maintains appropriate visibility of all ASIO warrants and special intelligence operations. This is essential in ensuring that the relevant departmental officer has a full understanding of the use of such powers, to support the Attorney General in their decision-making. This review is entirely separate to the role of the IGIS in reviewing activities of the Australian Intelligence Community (AIC) (including ASIO) to ensure that agencies act legally and with propriety, comply with ministerial guidelines and directives, and respect human rights. 

33: Existing consultation processes for ministerial authorisations under the Intelligence Services Act are robust and support an appropriate level of assurance. These processes should continue. 

Agreed. This recommendation is about consultation between IS Act agencies and the relevant department of state. Existing consultation processes between the agencies and their relevant department of state are appropriate, and should continue in their current form. Other recommendations of the Review deal with the relationship between IS Act agencies and entities other than the relevant department of state. For example, Recommendation 2 concerns consultation between IS Act agencies and the Attorney-General, and recommends minor changes to the process for seeking ministerial authorisations concerning an Australian person who is a threat to security. Recommendation 26 recommends that NIC agencies (other than ASIS) establish a new process to notify DFAT of certain activities overseas. 

34: The duration of search warrants in the Australian Security Intelligence Organisation Act should be kept at 90 days. 

Agreed. 

35: The duration of inspection of postal articles and inspection of delivery service articles warrants in the Australian Security Intelligence Organisation Act should be kept at six months. 

Agreed. 

36: ASIO should be required to keep accurate records of all individuals involved in the execution of a warrant. The requirement for ASIO to specify who may exercise authority under a warrant in section 24 of the ASIO Act should be retained. 

Agreed. It is important for ASIO to describe the people, including the people within a class, who can exercise warrant powers with an appropriate level of specificity. This requirement ensures that individuals who can exercise warrant powers have been deliberately selected to do so (subject to amendments agreed to in Recommendation 37), based on appropriate considerations including (but not limited to) the potential for the use of reasonable and necessary force under the warrant. It is important that agencies keep accurate records of the person or people who execute a warrant for reasons of accountability, legality and control. 

37: The Australian Security Intelligence Organisation Act should be amended to make it clear that the permissible scope of classes under section 24 includes changes to, or expansion of, the class which occur after the authorisation is initially made. 

Agreed. The ASIO Act should be amended to make it clear that when the Director-General of Security (or an appropriately appointed senior position-holder) authorises a class of persons to exercise a warrant, the class includes changes to the people holding positions in that class, and positions that come into existence after the authorisation is made. Classes would continue to be authorised based on appropriate considerations including (but not limited to) the potential for the use of reasonable and necessary force under the warrant. 

38: ASIO should continue to seek foreign intelligence collection warrants from the Attorney-General for activities within Australia that require a warrant, on the advice of the Foreign Minister or Defence Minister. 

Agreed. 

39: The maximum duration of foreign intelligence collection warrants in the Australian Security Intelligence Organisation Act should remain at six months for all powers except search warrants, which should remain at 90 days, except in the limited circumstances, and subject to the additional safeguards, described in our classified report. 

Agreed. 

40: CLASSIFIED 

41: The Intelligence Services Act should be amended to provide that an agency is ‘producing intelligence’ on an Australian person or a class of Australian persons only if: • the agency undertakes a covert and intrusive activity, or a series of covert and intrusive activities, or • the agency expressly or impliedly requests a body, authority, organisation or group to undertake a covert and intrusive activity, or a series of covert and intrusive activities to obtain that intelligence. 

Agreed. For clarity, a ‘covert and intrusive activity’ includes, but is not limited to an activity, or series of activities, that ASIO could not undertake in at least one state or territory without being authorised by warrant under Division 2 of Part III of the ASIO Act, or Part 2-2 of the TIA Act (for example telecommunications interception activities). 

42: The Intelligence Services Act should continue to provide that an IS Act agency can only undertake activities for the specific purpose of producing intelligence on an Australian in relation to a serious crime where the minister is satisfied that person is, or is likely to be, involved in committing a serious crime by: moving money, goods or people; using or transferring intellectual property; or transmitting data or signals by means of guided and/or unguided electromagnetic energy. 

Agreed. The categories of serious crimes listed under the IS Act are sufficient to meet current operational needs. A limited list should be maintained, to ensure that agencies’ power to produce intelligence on Australians in relation to serious crimes is targeted and proportionate. Any additions to this list of categories should be considered on a case-by-case-basis, and should be justified with reference to operational needs. 

43: The Australian Security Intelligence Organisation Act and the new electronic surveillance Act should not allow warrants to be issued in respect of a class of persons, subject to the recommendations about groups and foreign organisations in relation to electronic surveillance powers (see Chapter 28). 

Agreed. It is important for warrant powers to be targeted, to minimise the potential for unnecessary intrusion upon the privacy of Australians. It is also important for the Attorney-General to be the one to approve when, and against whom, ASIO will use its intrusive powers. For these reasons, the Government does not consider that the ASIO Act and the new electronic surveillance Act should allow class-based warrants, subject to Recommendation 83 which provides for electronic surveillance warrants for online investigations. One of the rationales for a class warrant system is to allow ASIO to take action quickly in urgent circumstances. Recommendation 48 may address this issue, as it is intended to streamline the mechanism through which ASIO obtains targeted security intelligence warrants quickly in urgent circumstances. 

44: A broad intelligence warrant should not be introduced to allow Intelligence Services Act agencies to collect intelligence in accordance with their functions inside Australia. 

Agreed. 

45: The 2017 Independent Intelligence Review recommendation, that Intelligence Services Act agencies be able to obtain ministerial authorisation in respect of a class of Australian persons where the class is defined by reference to involvement with a terrorist organisation proscribed for the purposes of the Criminal Code, should be implemented (Recommendation 16(a)). This should include the following requirements: 45.a the responsible minister may only issue the authorisation after obtaining the agreement of the Attorney-General 45.b the authorisation must not exceed six months 45.c Intelligence Services Act agencies must maintain a current list of all individuals on whom it sought to produce intelligence under the class authorisation with reasons why the agency believed the individual to be part of the class 45.d this list should be provided to ASIO for visibility and to coordinate counter-terrorism activities, and be available for inspection and review by the IGIS, who may provide advice to the agency head and responsible minister, and 45.e agencies must report to the responsible minister within six months of the original authorisation providing details on activities undertaken and attaching the current list of individuals that fall within the class. 

Agreed. It is important for ministerial authorisations for IS Act agency activities concerning Australians to be issued on an individualised basis or, if necessary, in relation to a narrowly-defined class. This ensures that ministers have appropriate control over agencies’ intelligence collection activities, particularly those that concern Australians, as agreed to in its response to Recommendation 6 of the Review. In light of these core principles, IS Act agencies should be able to obtain a ministerial authorisation in respect of a class of Australian persons where those persons are members of, or are involved with, a terrorist organisation proscribed in regulations made under the Criminal Code. The Government agreed to a recommendation in similar terms in the 2017 IIR (Recommendation 16(a)). The purpose of that recommendation was to give ministers greater flexibility to issue ministerial authorisations covering Australians whose involvement with terrorist organisations proscribed under the Criminal Code constituted a threat to national security. The scope of the proposed class is appropriate, as it provides a high degree of confidence that Australians identified as falling within it will be relevant to security. The process of proscribing terrorist organisations requires the minister to be satisfied that the organisation is directly or indirectly involved in terrorist activity. It is appropriate that people involved with such organisations be able to be subject to ongoing intelligence agency scrutiny. It is important that the ministerial authorisation framework supports agencies’ operational needs, while ensuring Australian persons are afforded appropriate protections. Where an Australian person falls outside the proposed class of people who are members of or involved with a proscribed terrorist organisation, agencies may still have recourse to individual ministerial authorisations to produce intelligence on an Australian person where the relevant criteria are met. 

46: The 2017 IIR recommendation to allow AGO and ASD, like ASIS, to obtain a ministerial authorisation in relation to a class of Australians in respect of activities performed when assisting the Australian Defence Force should be implemented (Recommendation 16(b)). 

Agreed. 

47: The Intelligence Services Act should not be amended to allow ministers to issue a class ministerial authorisation in any circumstance the minister considers appropriate. 

Agreed. 

48: The Australian Security Intelligence Organisation Act should be amended to, and the new electronic surveillance Act should, provide for the issuing of ASIO warrants in emergencies as follows: 48.a The Attorney-General must issue ASIO warrants in writing wherever possible. 48.b The Attorney-General may orally authorise a warrant, on application from the Director General of Security, if he or she believes on reasonable grounds that the delay in making a written application would likely defeat the purpose of obtaining the warrant. The threshold for issuing the warrant should remain as for the Attorney-General’s consideration of a written application. 48.c The Director-General of Security may authorise activities in writing where it is not possible to make an oral application to the Attorney-General. This must be limited to circumstances where the Attorney-General is unavailable, or where making an oral application would pose an unacceptable risk to operational security. The threshold for the Director-General issuing the warrant should remain as for the Attorney-General’s consideration of a written application. 48.d The Director-General of Security may only orally authorise an emergency warrant where it is not possible to make an oral application to the Attorney-General (as defined above), and where delay in authorising the application in writing would defeat the purpose of obtaining the warrant. The threshold for the Director-General issuing the warrant should remain as for the Attorney-General issuing a warrant. 

Agreed. It is important that ASIO have an effective emergency authorisation framework that supports it to perform its statutory functions in genuinely urgent situations. In all but the rarest and most exceptional circumstances, ASIO will continue to use its existing legal framework to seek warrants from the Attorney General. There may be rare circumstances in which ASIO needs to act with such urgency that it is almost impossible for it to obtain a warrant using the usual frameworks. Existing emergency warrant powers are not appropriately adapted to deal with such urgent circumstances, as they require ASIO to take steps that are as time-consuming as regular processes. Under the existing framework, there may be circumstances in which ASIO does not have the legal tools available to enable it to perform its statutory function. The proposed emergency framework is intended to address this gap. ASIO must only have recourse to emergency processes in rare and exceptional circumstances. Further, even in these urgent situations, intrusive intelligence activities must always be conducted under lawful authority, must be controlled by ministers to the greatest extent possible, and subject to independent oversight informed by stringent notification and reporting requirements. The IGIS will have oversight of such processes under the ASIO Act and new electronic surveillance Act. 

49: Where a warrant is authorised orally: 49.a the Director-General must ensure that a written record of the warrant is made as soon as possible, but no later than 48 hours, after the authorisation is issued 49.b the Director-General should provide a copy of the record to the IGIS as soon as possible, but no later than three days, after the authorisation is issued, and 49.c the IGIS should be required to provide a report to the Attorney-General on whether the Director-General complied with the legislative requirements in giving the authorisation. 

Agreed. 

50: The power to issue emergency warrants should be vested only in the Director General of Security, or any person acting in that position, and should not be able to be delegated to any other ASIO officer. 

Agreed. 

51: The Director-General of Security should be required to submit a written warrant application to the Attorney-General as soon as possible, but no later than 48 hours, after the authorisation is issued. On receipt of the written application, the Attorney-General must decide whether to: 51.a endorse the authorisation, and issue a regular warrant authorising ongoing activities 51.b endorse the authorisation, but decline to issue a regular warrant authorising ongoing activities and direct that activities cease, or 51.c invalidate the authorisation, and direct that any material obtained under that authorisation be quarantined from further use (other than for limited purposes relating to oversight, or any investigation or proceeding relating to the activities). 

Agreed. 

52: The emergency authorisation provisions in the Intelligence Services Act do not require amendment, beyond implementing amendments to address situations where it is reasonable to believe that an Australian person consents to the production of intelligence by the IS Act agency on that person, as recommended by the 2017 Independent Intelligence Review. 

Agreed. 

53: For the purposes of section 9 of the Intelligence Services Act, the Minister should continue to obtain the Attorney-General’s agreement before authorising activities with respect to Australians involved in threats to security. 

Agreed. This recommendation complements Recommendation 2, which provides agencies with flexibility in the process of seeking the approval of the Attorney General and authorisation of the responsible minister, provided that both the Attorney General’s approval and the minister’s authorisation are in place before the authorisation takes effect. This recommendation also complements Recommendation 3, which reaffirms the distinction between foreign intelligence and security intelligence. ASIO has primary responsibility for collection of security intelligence, and the Attorney General is the minister charged with authorising intelligence collection for security purposes. The purpose of seeking the Attorney General’s agreement is to provide them with visibility of proposed operational activities that relate to security threats. 

54: Section 13B of the Intelligence Services Act should continue to require ASIO to notify ASIS that it requires ASIS’s assistance to undertake activities to support ASIO in the performance of its functions. 

Agreed. 

55: The Intelligence Services Act should not be amended to allow ASIO to request ASIS to produce ‘foundational intelligence’ on a person suspected to be an Australian person using methods that would require a warrant if undertaken in Australia. 

Agreed. 

56: The immunities in section 14 of the Intelligence Services Act should not be extended. 

Agreed. 

57: Section 13B of the Intelligence Services Act should not be extended to apply to ASIS’s onshore activities. 

Disagreed. Section 13B of the IS Act enables ASIS to undertake activities offshore to assist ASIO in the support of ASIO's functions without needing to obtain a ministerial authorisation for the production of intelligence on an Australian person. This legislative framework is a useful tool that assists ASIS and ASIO to work together and allows ASIS to undertake 'less intrusive' activities in support of ASIO, specifically activities for which ASIO would not need a warrant if they were done within Australia. The Government previously agreed at Recommendation 18(b) of the 2017 IIR to extend section 13B of the IS Act to ASIS’s onshore activities. The goal of the 2017 IIR was to foster cooperation between intelligence agencies and strengthen the integration of the intelligence community. Those imperatives remain and the Government considers there is likely to be a greater operational need to foster cooperation in the future. Section 13B requires ASIO to issue ASIS with a written notice to produce intelligence to support ASIO in the performance of its functions. This requirement would remain and would be extended domestically. The exceptional circumstances provision allowing an ASIS officer to act outside Australia in an emergency in the absence of a written notice from ASIO would not apply in Australia. 

58: Current arrangements under section 13B of the Intelligence Services Act should not be extended to ASD and AGO. 

Agreed. ASD and AGO have sufficient ability to cooperate with ASIO under existing legislative and non-legislative arrangements. There is no operational need to amend section 13B of the IS Act to allow ASIO to request assistance from ASD and AGO. Recommendation 58 is contrary to Recommendation 18(b) of the 2017 IIR, which recommended that the Government extend section 13B of the IS Act to ASD and AGO. This would have enabled those agencies to support ASIO in the performance of ASIO’s functions without the need to obtain a ministerial authorisation, in circumstances where ASIO would not need a warrant for the activities. The goal of the 2017 IIR was to foster cooperation between intelligence agencies and strengthen the integration of the intelligence community. While this remains an important goal, the present review considered the existing tools available to intelligence agencies, and recommended legislative change only where that was necessary to fill a gap in the existing regime. In light of this guiding principle, the present Review recommended against legislative change to extend the 13B regime to ASD and AGO. As such, Recommendation 18(b) of the 2017 IIR should not be implemented. 

59: The Intelligence Services Act appropriately provides for ministerial oversight and visibility of activities to achieve a direct effect undertaken directly by ASIS and ASD. 

Agreed. 

60: Intelligence Services Act agencies should advise their minister, when seeking a producing intelligence ministerial authorisation to cooperate with the ADF or ASIS, that intelligence provided by it may be used to achieve a direct effect. 

Agreed. Where an IS Act agency seeks to produce intelligence on an Australian person and pass that intelligence to another entity, and it is intended or reasonably foreseeable that that intelligence will be used to achieve a direct effect on an Australian person, the minister should be alerted to this fact. This would allow the relevant minister to be fully aware of, and make informed decisions in relation to, the reasonably foreseeable consequences of producing and sharing intelligence. Agencies will work with the IGIS to implement this recommendation, and Recommendation 61. 

61: Intelligence Services Act agencies should advise the responsible minister, when seeking a producing intelligence authorisation on an Australian, of the likelihood that a foreign partner may use the reporting produced to achieve a direct effect. If, during the course of the authorisation period, the agency becomes aware that a foreign partner is using the information to achieve a direct effect, the agency should notify the minister. 

Agreed. IS Act agencies will work with the IGIS to implement this recommendation, and Recommendation 60. 

62: ASIO should be required to seek authorisation from the Attorney-General for unilateral activities undertaken offshore, and when communicating intelligence to a foreign partner, where it is reasonably foreseeable that undertaking the activities will result in: • the death of, or serious harm to, the Australian person • the Australian person being detained, arrested, charged with or convicted of an offence punishable by the death penalty, or • the Australian person being subject to torture or other cruel, inhuman or degrading treatment or punishment. 

Agreed. ASIO should develop a framework, in consultation with the IGIS, to guide the identification of such activities and the process for seeking the Attorney-General’s consent. For clarity, some of ASIO’s activities covered by Recommendation 62 would also be relevant to the DFAT notification process agreed to in Recommendation 26. The Government has agreed that agencies should establish a process for notifying DFAT before undertaking covert human intelligence activities in a foreign State without that State’s consent (Recommendation 26). To the extent ASIO’s unilateral activities include covert human intelligence collection in a foreign State without that State’s consent, ASIO should notify DFAT of those activities under the Recommendation 26 process. The Government does not consider it necessary to establish a formal process through which agencies should notify DFAT when communicating intelligence to a foreign partner. However, in some circumstances it may be prudent for agencies to notify DFAT, especially where it is reasonably foreseeable that the above outcomes may arise. As a matter of best practice, ASIO should advise DFAT of its intention to share intelligence with a foreign partner where it is reasonably foreseeable that the consequences listed in Recommendation 62 will arise. 

63: Ministerial directions or guidelines providing guidance on the meaning of the term ‘direct effect’ should be issued to each of ASIS, ASD, AGO and ASIO. 

Agreed. The term ‘direct effect’ may not be the relevant term for all agencies. However agencies will work together, in consultation with the IGIS, to determine core features of activities that should be considered ‘direct effects’ activities, notwithstanding any differences in terminology used by each agency. This should, at a minimum, include activities that create an outcome, either directly or indirectly, and whether positive or negative, for an Australian person overseas. The outcome must be intended or reasonably foreseeable, not simply an unintended or remote possibility. Agencies should work together, in consultation with the IGIS, to develop a consistent approach to the meaning of ‘direct effects’ in their ministerial directions or guidelines. Ultimately, relevant ministers will issue separate guidance tailored to each agency and their activities. 

64: ASIO should not have a broad immunity from criminal liability for its activities. Agreed. 

65: The Attorney-General, when issuing a warrant under the Australian Security Intelligence Organisation Act, should be empowered to specify particular things ASIO can do that are necessary and proportionate to achieve the purpose of the warrant. 

Agreed. The ASIO Act currently allows the Attorney-General to authorise some activities necessary for, and incidental to, the exercise of powers under a warrant. However, the scope of those necessary and incidental activities are not appropriately adapted to ASIO’s current operating environment, and in some circumstances may be too narrow to allow ASIO to execute the warrant. The ASIO Act should allow the Attorney General to turn his or her mind to the activities that may be necessary to achieve the purpose of the warrant, and to authorise those activities at the time he or she makes the warrant. This would provide clear authority to ASIO to undertake activities under the warrant, and would ensure that the activities are limited to those that are necessary for and proportionate to that warrant. 

66: The defence in subsection 474.6(7) of the Criminal Code should be extended for ASIO so that it applies to all offences in section 474.6 (Interference with facilities). The defence should only be available where ASIO officers are acting in the course of their duties, and where that conduct is reasonable in the circumstances for the purpose of performing those duties. 

Agreed. 

67: The ONI-led National Intelligence Community Legislation Forum should be informed of all upcoming criminal law Bills to ensure consultation with all NIC agencies occurs at the policy and drafting stages, before a Bill is introduced to Parliament. 

Agreed. It is appropriate for the NIC Legislation Forum to be informed of relevant legislation that may affect the national intelligence community, including criminal law Bills. The Government notes ONI’s important role in coordinating this forum on behalf of NIC agencies. 

68: Applications to the Attorney-General for a special intelligence operation authorisation should only be made by the Director-General of Security. 

Agreed. 

69: A special intelligence operation authority obtained under the Australian Security Intelligence Organisation Act should continue to describe the nature of the conduct in which identified persons are authorised to engage. 

Agreed. 

70: The Intelligence Services Act should be amended to provide that the Director General of ASIS can authorise the use of a Commonwealth department or agency as the cover employer for ASIS officers. 

Agreed. It is appropriate, following consultation with the relevant department or agency head, for the Director-General of ASIS to authorise the use of that Commonwealth department or agency as the cover employer for ASIS officers. In light of ASD’s establishment as a statutory agency within the Defence portfolio in 2018, it would also be appropriate for ASD to consider whether, and to what extent, it is necessary to amend the IS Act in a similar way to support certain ASD activities, including foreign intelligence activities. 

71: The Australian Security Intelligence Organisation Act should be amended to provide that the Director-General of Security can authorise the use of a Commonwealth department or agency as the cover employer for ASIO employees and affiliates. 

Agreed. It is appropriate, following consultation with the relevant department or agency head, for the Director-General of Security to authorise the use of that Commonwealth department or agency as the cover employer for ASIO employees and affiliates. 

72: The Criminal Code should be amended to give Australian Defence Force members immunity under Part 10.7 for computer-related acts done outside Australia in the course of properly declared operations under legally approved rules of engagement. 

Agreed. The Criminal Code should be amended to give ADF members and civilian Defence personnel immunity under Part 10.7 for computer-related acts done outside Australia in the proper performance of ADF activities, consistent with the immunity provided to staff members of ASIS, AGO and ASD under section 476.5 of the Criminal Code. Any such activities would be subject to and authorised under approved rules of engagement. This immunity would be complementary to any existing authorities or immunities that apply to ADF members and civilian Defence personnel in such circumstances. Similar to section 476.5(2) of the Criminal Code, immunity should also apply to a person for any act inside or outside Australia that is preparatory to, in support of, or otherwise directly connected with the overseas activities of the ADF. 

73: The Criminal Code should not be amended to give Australian Defence Force members immunity for telecommunications offences in Part 10.6. 

Disagreed. The Review considered that there was no need for legislative amendments to the Criminal Code to ensure that ADF members are not captured by telecommunications offences. However, the Government considers that this issue would benefit from further consideration. It is important that the legal framework that supports ADF operations remains appropriate and clear, especially in light of developments in telecommunications technology. The Government should consider whether, and to what extent, the extraterritorial aspect of telecommunications offences in Part 10.6 of the Criminal Code apply to the ADF’s activities outside Australia. To the extent that risks are identified, or the application of the law is unclear, the Government will bring forward legislative amendments to address such uncertainty. Any legislative amendments should be the subject of detailed policy consideration. 

74: The current immunity in section 476.5 of the Criminal Code for ASIS, ASD and AGO should be extended to apply where a staff member or agent reasonably believes the relevant conduct is likely to take place outside Australia, whether or not it in fact takes place outside Australia. This should also apply to the Australian Defence Force, if it is included within the immunity in section 476.5. 

Agreed. 

75: The Surveillance Devices Act, Telecommunications (Interception and Access) Act and those parts of the Australian Security Intelligence Organisation Act governing the use of computer access and surveillance devices powers should be repealed and replaced with a new Act. 

Agreed. Of the three options discussed for how the Government could respond to the shortcomings in the current legal framework, the Government agrees that comprehensively reforming the entire electronic surveillance framework is preferable. The Government agrees with the Review’s conclusion that the other two options of either continuing to progress ad hoc amendments or rewriting the TIA Act alone are not preferred. These approaches would not resolve the systemic structural issues, inconsistency, and complexity of the current suite of electronic surveillance legislation. The Government supports holistic reform of the legislative framework governing electronic surveillance and will develop legislation that achieves the principles and objectives underpinning each of Recommendations 76 to 132. However the policy development and drafting process requires a degree of flexibility, particularly as it is impossible to foresee all legal and operational issues that may arise in a rapidly evolving technological and national security environment. As such, the Bill ultimately put forward may not adopt the precise language of the Review. During this process, the Government will consult widely with key stakeholders including state and territory agencies, oversight bodies, public interest groups and the public. 

76: Agencies should continue to be required to obtain separate warrants to authorise covert access to communications, computer access or the use of a listening or optical surveillance device under a new Act. The Act should not introduce a ‘single warrant’ capable of authorising all electronic surveillance powers. 

Agreed. The Government acknowledges that retaining separate categories of warrants will facilitate transparency and oversight of the tools agencies deploy to gather data for law enforcement and intelligence purposes, and agrees that a new electronic surveillance Act should not introduce a ‘single warrant’ framework. However, the Government will give further consideration to whether there is a basis to consolidate some of the existing categories of warrants or otherwise reframe them during the policy development and drafting process. The rapid development of communications technology may result in the current categories of warrants becoming substantially the same in their practical effect. Further, emerging technologies may require new regulation and oversight, including potentially new classes of warrants. 

77: As part of the development of a new electronic surveillance Act, AUSTRAC should be able to access telecommunications data in its own right under arrangements consistent with other Commonwealth, state and territory law enforcement agencies presently authorised to access telecommunications data. 

Agreed. 

78: As part of the development of a new electronic surveillance Act, corrective services authorities should be granted the power to access telecommunications data, if the relevant state or territory government considers it to be necessary. 

Agreed. 

79: As part of the development of a new electronic surveillance Act: • electronic surveillance powers should be vested in the Australian Border Force, not the Department of Home Affairs, and • the Australian Border Force should also be granted the power to use tracking devices under warrant and authorisation, for the purpose of serious criminal investigations. 

Agreed. 

80: Electronic surveillance should only be authorised where it is necessary for, and proportionate to, the purposes of an investigation. 

Agreed. One of the underlying principles of the new legislation should be that electronic surveillance should only be authorised where necessary and proportionate. For the avoidance of doubt, the Government notes that electronic surveillance can be authorised for a broader range of purposes than only an ‘investigation’ (for example, ASIO interception warrants may be granted to assist ASIO in carrying out its function of obtaining intelligence relating to security). The necessity and proportionality requirement should apply to the authorisation of electronic surveillance for any purpose. 

81: Electronic surveillance should be directed at persons who are under investigation, subject to limited exceptions in relation to third parties, groups, unidentified persons and foreign intelligence. To the extent that person-based, third party and group warrants are not adequate to address all cases, an object or premises-based warrant should be retained. 

Agreed. An agency would not be required to obtain a person-based, third party or group warrant before seeking an object or premises-based warrant. Rather, the agency would need to consider whether a person-based, third party or group warrant would adequately meet operational and investigative needs before seeking an object or premises-based warrant. 

82: Electronic surveillance warrants should be available in respect of a person who is not under investigation (a third party), where the issuing authority is satisfied that, in addition to the test for an ordinary warrant, obtaining information under a warrant in respect of the subject of the investigation would be impractical or ineffective. 

Agreed. 

83: Electronic surveillance warrants should be available in respect of a group where the issuing authority is satisfied that: • the group has engaged in, or is reasonably suspected of having engaged in, or being engaged in, or being likely to engage in common activities, that would justify the issue of an electronic surveillance warrant, and • obtaining warrants in respect of the individual members of the group would be impractical or ineffective. 

Agreed. The precise definitions of ‘group’ and ‘common activities’ will be carefully considered in drafting the new electronic surveillance Act. 

84: Electronic surveillance warrants should continue to be available in respect of a person who cannot be identified at the time of the warrant application. 

Agreed. At present, warrants can be issued under existing legislation in respect of people who are not yet identified. This is necessary because agencies do not always know the precise identity of the person or people who are the subject of their investigations. This could occur, for example, where an investigation focuses on discovering the identity of a person engaged in serious criminal activity. 

85: Foreign intelligence warrants with respect to foreign organisations should be retained in the new electronic surveillance Act. 

Agreed. Foreign intelligence warrants enable ASIO to collect intelligence concerning foreign organisations operating inside Australia in circumstances where it would be impracticable to effectively target individual members of the organisation. These warrants are only available for the purpose of collecting foreign intelligence. They are also subject to a higher threshold than individualised foreign intelligence warrants, and the Attorney-General may only issue these where satisfied that relying on an individualised telecommunications service warrant would be ineffective. 

86: The Attorney-General should be permitted to issue warrants authorising ASIO to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under a new Act, if satisfied that: • a person is engaged in, or is reasonably suspected of being engaged in or of being likely to engage in, activities relevant to security, and • the exercise of powers under the warrant in respect of the person is likely to substantially assist ASIO in obtaining intelligence in respect of a matter that is important in relation to security. 

Agreed. There are currently two different thresholds at which the Attorney-General may issue ASIO with a warrant to undertake electronic surveillance activities. These depend upon the type of warrant sought. The current thresholds for these warrants should be harmonised in a new Act, as the differences are not based on principled distinctions, and their harmonisation would assist in improving the overall consistency and clarity of the new regime. 

87: An issuing authority should be permitted to issue warrants authorising a law enforcement agency to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under a new Act, if he or she is satisfied that: • a person has committed, or is reasonably suspected of committing or of being likely to commit, an offence that is punishable by a maximum penalty of at least five years’ imprisonment, and • the exercise of powers under the warrant in respect of the person is likely to substantially assist the agency in the investigation of the offence. 

Agreed. At present, there are two different thresholds at which an issuing authority may issue a warrant authorising law enforcement agencies to conduct electronic surveillance. These thresholds should be harmonised under the new Act. The threshold the Review recommends appropriately reflects that these powers should only be available for the investigation of serious offences. This recommendation is subject to certain exceptions as noted under Recommendation 89. 

88: Electronic surveillance powers should be available to the ACIC for the purposes of special investigations, as well as for evidentiary investigations carried out under the authority of a special operation. 

Agreed. An evidentiary investigation by the ACIC into offences that have been identified in the course of a special operation is likely to involve criminal offending of similar thresholds to ACIC special investigations, and such offending is unlikely to be susceptible to traditional law enforcement methods. As such, the ACIC should be able to apply for an electronic surveillance warrant for evidentiary investigations conducted under the authority of an ACIC special operation. Given the breadth of special operations, electronic surveillance powers should only be made available for evidentiary investigations carried out under the authority of a special operation, and not for the broader criminal intelligence purposes of a special operation. 

89: Under a new electronic surveillance Act, offences should only be included as exceptions to the five year threshold for surveillance if they are punishable by at least three years’ imprisonment and the use of electronic surveillance powers is necessary in order to effectively investigate the offences.  

Agreed in principle. There may be a need to allow for the use of electronic surveillance powers for a small number of offences carrying less than a three year maximum penalty if there is evidence that, due to the nature of the offence, there is no feasible way of investigating and prosecuting without using electronic surveillance (for example, certain offences relating to cybercrime, such as those under section 478.1 (unauthorised access to, or modification of, restricted data) or section 478.2 (unauthorised impairment of data held on a computer disk etc) of the Criminal Code). Any such offences should be specified in legislation, ensuring that only offences that cannot be effectively investigated without the use of electronic surveillance powers are included. 

90: Under a new electronic surveillance Act, surveillance device powers should continue to be available for the purposes of integrity operations. 

Agreed. 

91: Agencies should continue to be permitted to obtain warrants to use electronic surveillance powers to monitor persons subject to control orders, for mutual assistance purposes, to assist with an order for the recovery of a child, and other similar purposes currently contained in the Telecommunications (Interception and Access) Act and the Surveillance Devices Act. 

Agreed. 

92: The use of tracking devices should be regulated separately from other electronic surveillance powers in a new electronic surveillance Act. 

Agreed. The use of tracking devices, while intrusive, is not as intrusive as other forms of electronic surveillance. Other forms of electronic surveillance, such as the recording of conversations, can provide insight into a person’s thoughts and beliefs. In contrast, the use of a tracking device typically provides information that is observable to members of the public. The difference in the level of intrusiveness means that it is appropriate for the use of tracking devices to be regulated separately. 

93: Under a new Act, ASIO’s tracking device warrants should be subject to the same test as ASIO’s other electronic surveillance warrants. 

Agreed. While there should be a separate regime regulating the use of tracking devices (Recommendation 92), it is not necessary to set ASIO’s threshold for obtaining a tracking device warrants at a lower level than for other electronic surveillance warrants. This is consistent with maintaining tight controls on the use of intrusive powers. 

94: A new electronic surveillance Act should allow an issuing authority to authorise a law enforcement agency to use a tracking device if satisfied that: • a person has committed, or is reasonably suspected of committing or of being likely to commit an offence that is punishable by a maximum penalty of at least three years’ imprisonment, and • the use of a tracking device under the warrant in respect of the person is likely to assist the agency in the investigation of the offence. 

Agreed. Recommendation 95, with which the Government agrees, proposes that ASIO be, and law enforcement agencies continue to be, permitted to internally authorise the use of a tracking device in limited circumstances. 

95: ASIO and law enforcement agencies should be permitted to internally authorise the use of a tracking device, where: • the installation and use of the device will not involve entry onto premises or interference with the interior of a vehicle without permission, and • the use of a tracking device would otherwise meet the threshold for a warrant—that is, in the case of law enforcement agencies the device will be used for the purposes of the investigation of an offence punishable by a maximum penalty of at least three years’ imprisonment, and in the case of ASIO the device will be used in respect of a matter that is important in relation to security. 

Agreed. While law enforcement agencies can currently internally authorise the use of a tracking device in the circumstances stated in the recommendation, ASIO does not currently have this internal authorisation ability. Providing ASIO with this ability will improve its capacity to quickly respond to changes in operations, reduce the risk to ASIO operatives engaging in physical operations, and improve ASIO’s ability to cooperate with law enforcement agencies in joint operations. The substance of this recommendation is being implemented through the Australian Security Intelligence Organisation Amendment Bill 2020, which was introduced to Parliament on 13 May 2020. 

96: Future reviews should re-evaluate the legal framework for tracking a person by accessing location data from carriers once the 5G network roll-out is substantially complete, to determine whether access to network data has become functionally equivalent to using a tracking device. 

Agreed in principle. The Government will continue to monitor the impact of new and emerging technologies (including 5G) and adjust the electronic surveillance legislation as necessary, including to ensure that adequate protections and oversight are maintained. 

97: A new electronic surveillance Act should accommodate the issuing of warrants to law enforcement agencies in emergencies as follows. • An issuing authority must issue law enforcement warrants in writing wherever possible. • An issuing authority may orally authorise a warrant, on application from an agency, if he or she believes on reasonable grounds that the delay in making a written application would likely defeat the purpose of obtaining the warrant. The threshold for issuing the warrant should remain the same as for the issuing authority’s consideration of a written application. Agreed. Recommendation 99, with which the Government agrees in principle, provides that a written record must also be made of a warrant that is authorised orally, and sets out a process for the Ombudsman to report on whether the agency head has complied with the legislative requirements in giving the authorisation. 

98: The relevant minister should continue to report on law enforcement agencies’ use of time sensitive warrants in his or her annual report. 

Agreed. 

99: Where a law enforcement warrant is authorised orally, the head of the agency should be required to make a written record and provide a copy to the Ombudsman as soon as possible. The Ombudsman should be required to provide a report to the Attorney-General on whether the agency head complied with the legislative requirements in giving the authorisation. 

Agreed in principle. Written records should continue to be made of orally authorised law enforcement warrants and a copy should be provided to the Ombudsman as soon as possible. The Ombudsman should be required to provide a copy of this report to the relevant minister. The Government will determine the most appropriate minister during the drafting process, noting that ministerial responsibilities may change over time. 

100: The law enforcement agency should be required to submit a written warrant application to an issuing authority as soon as possible. On receipt of the written application, the issuing authority must decide whether to issue a warrant, decline to issue a warrant, or decline to issue a warrant and invalidate the authorisation. 

Agreed. For clarity, the Government notes that this recommendation sets out the process that should apply after an issuing authority has orally authorised a law enforcement warrant. 

101: A new electronic surveillance Act should enable law enforcement agencies to use electronic surveillance powers, without a requirement to obtain a warrant, to: • prevent or lessen imminent threats to life, or of serious harm or damage to property • locate and investigate suspected kidnappings • locate missing persons, and • recover a child subject to a child recovery order, where an officer reasonably suspects that the circumstances are so urgent as to require the immediate use of the power, and that it is not practicable in the circumstances to apply for a warrant. Agreed. The Government will ensure that the use of these powers will be subject to appropriate oversight arrangements and reporting requirements. 

102: A new electronic surveillance Act should continue to permit ASIO and law enforcement agencies to use optical and listening devices, without obtaining a warrant, in limited circumstances in the performance of their duties, where: • in the case of an optical surveillance device—the installation and use does not involve unauthorised entry onto premises or interference with a vehicle or thing, and • in the case of a listening device—the device is used to record a conversation to which an officer or agent is party, or could be reasonably expected to overhear. 

Agreed. This recommendation continues to authorise the ability of ASIO and law enforcement agencies to record observations that a staff member or agent could otherwise make themselves. 

103: A new electronic surveillance Act should require ASIO and law enforcement agencies to specify, in writing, the people or class of people who may exercise the authority of a warrant, and to keep accurate records of all individuals involved in the execution of a warrant. 

Agreed. Consistent with the response to Recommendation 36, it is important for ASIO and law enforcement agencies to describe the people, including the people within a class, who can exercise warrant powers with an appropriate level of specificity. It is important that agencies keep accurate records of the person or people who execute a warrant for reasons of accountability, legality and control. 

104: As part of a new electronic surveillance Act, the Attorney-General or issuing authority should have the discretion to approve an agency to vary minor, specified aspects of a warrant while it is in force, if he or she is satisfied that it is necessary to do so. Agencies should not have the authority to vary warrants beyond such minor variations. Agreed. 

105: When agencies make minor modifications to warrants, they should be required to: • apply the same statutory test when deciding whether to vary a warrant as the issuing authority applied at the time the warrant was issued • make any variations in writing, other than in urgent cases which should follow a similar procedure to time-sensitive authorisations, and • list and explain all variations when seeking a renewal of the warrant, or reporting to the Attorney-General. Agreed. 

106: The development and testing framework that is presently contained in Part 2 4 of the TIA Act should be extended to enable the Attorney-General to authorise the testing and development of electronic surveillance and cyber capabilities, as part of a new electronic surveillance Act. Agreed. 

107: The development and testing framework should be extended, as part of a new Act, to enable the Attorney-General to authorise the use of electronic surveillance and cyber capabilities for the purposes of: • training personnel on technologies and capabilities, and • maintaining, improving, repairing and evaluating the performance of technologies and capabilities. 

Agreed. 

108: The development and testing authorisation framework should permit the Attorney-General to authorise the retention of information obtained under another testing authorisation, or a separate warrant, authorisation or power, as well as non-compliant information, as part of a new Act. 

Agreed. The retention of non-compliant information will be subject to a range of safeguards, including that: • each testing authorisation be approved by the Attorney-General, who must be given detailed information about the activities that would be covered by the authorisation, as well as reports on the outcomes • non-compliant information retained under a testing authorisation must be clearly distinguished from other information held by an agency, and only be accessed and used for the purposes of the testing authorisation – under no circumstances would it be available to analysts to rely on for intelligence purposes • the reports provided to the Attorney-General on the outcomes of the testing authorisation should clearly explain what value, if any, has been achieved from the retention and use of non-compliant information – to enable the Attorney-General to make an informed decision about whether to authorise the retention and use of such information in the future, and • such information must be destroyed, once it is no longer required for the purposes for which its collection was authorised. Agencies that wish to use non-compliant information retained as a result of this regime should develop protocols over its access, use and destruction. These protocols will be developed in consultation with the IGIS or Ombudsman as appropriate. 

109: The core definitions in a new electronic surveillance Act should: • provide clarity to agencies, oversight bodies and the public about the scope of agencies’ powers • ensure that there are no gaps in the types of information that agencies may intercept, access or obtain under warrants and authorisations, and • be capable of applying to new technologies over time. 

Agreed. 

110: A new electronic surveillance Act should not require carriers, carriage service providers or other regulated companies to develop and maintain ‘attribute-based’ interception capabilities. These companies should continue to be required to develop and maintain the capability to intercept communications sent and received by specified services and devices. 

Agreed. The Government agrees that it would not be appropriate to require all carriers, carriage service providers or other regulated companies to develop and maintain general attribute-based interception capabilities. Ubiquitous encryption has significantly diminished the value of a requirement for all relevant companies to develop and maintain attribute-based interception capabilities. The current requirement for companies to develop and maintain the capability to intercept communications sent and received by specified services and devices should remain the default requirement. 

111: Under a new electronic surveillance Act, the Attorney-General should be given the power to require a company to develop and maintain a specified attribute-based interception capability. If such a capability has been developed, agencies should be able to obtain attribute-based interception warrants in cases where it will be practicable for the warrant to be executed. Agreed. There are some circumstances where the benefits to law enforcement or security would justify the cost of requiring selected members of the telecommunications industry to develop and maintain a specified attribute-based interception capability. In those cases, attribute-based interception would be an effective tool that allows for more targeted interception and reduces the interception of irrelevant communications, when compared with intercepting communications based on specified services and devices. Implementation of this recommendation will be subject to a full Regulation Impact Statement being developed. 

112: As part of a new electronic surveillance Act, ASIO and law enforcement agencies should be permitted to use their own attribute-based interception capabilities, in conjunction with service providers, under warrant. Agreed. ASIO and law enforcement agencies can already connect their own interception capabilities to a network, in collaboration with the relevant carrier or carriage service provider, to enable the company to execute a warrant. The use of such capabilities would be done with the knowledge and involvement of the carrier or carriage service provider, and with close oversight by the Ombudsman or IGIS. 

113: As part of a new electronic surveillance Act, law enforcement agencies should continue to be able to request an issuing authority to impose a condition or restriction on a warrant, requiring that specified communications that are unlikely to be relevant to the matter under investigation not be intercepted, or be promptly destroyed once they are delivered to the agency. 

Agreed. Issuing authorities are best-placed to impose conditions or restrictions on warrants that require that certain communications not be intercepted, or be promptly destroyed, where intercepted material is unlikely to be relevant to the matter under investigation, in a way that does not pose any risk to an accused’s right to a fair trial. 

114: Interception warrants issued under a new electronic surveillance Act should be capable of authorising the interception of communications by reference to one or more services or devices that the person (or group) who is the subject of the warrant uses, or is likely to use. 

Agreed. The present distinction between service and device-based interception should be removed as device-based interception is not inherently more intrusive than intercepting communications to and from a service. However, as part of a warrant application, an issuing authority should receive details of which services and devices the agency proposes to intercept. Consistent with Recommendation 105, agencies should not be permitted to add services or devices from an active warrant, unless they have been expressly authorised to do so by the issuing authority. 

115: Law enforcement agencies should only be permitted to use deployable interception capabilities, beyond the circumstances presently provided for in the TIA Act, under the following conditions: • where the agency has certified, in consultation with service providers, that the use of its capabilities will not interfere with the operation of the telecommunications network, and • subject to the development of arrangements for agencies to compensate a service provider, should the use of their capabilities cause damage to, or seriously disrupt, the telecommunications network. 

Agreed. The use of deployable interception capabilities in appropriate circumstances can assist law enforcement agencies to carry out their functions. Where law enforcement agencies seek to use such technologies beyond their current use in limited circumstances, it is important that they act within a strict regulatory framework that includes, at a minimum, certification and compensation requirements. 

116: A new electronic surveillance Act should retain specific secrecy offences for the use and disclosure of, and other dealings with, information obtained by, and relating to, electronic surveillance. Agreed. Information obtained by electronic surveillance is highly sensitive and should continue to be subject to specific secrecy offences. These offences should continue to be subject to specific and narrowly-defined exceptions and permitted use and disclosure provisions, which complement the broader defences to the general secrecy offences in the Criminal Code. 

117: A new electronic surveillance Act should continue to prohibit the use and disclosure of, and other dealings with, information obtained as a result of unlawful surveillance activities. 

Agreed. The specific surveillance offences in the new electronic surveillance Act should continue to prohibit dealings with unlawfully obtained information in order to control and prohibit its subsequent use and disclosure. Agencies are, and will continue to be, subject to strict legal requirements that regulate the collection of information using electronic surveillance powers. In the unlikely event that agencies obtain or receive information collected outside of legal boundaries, agencies should continue to be required to account for, quarantine, destroy and report on such information. 

118: Secrecy offences in a new electronic surveillance Act should apply to a defined category of ‘entrusted persons’, who have obtained information in an official capacity, or under an agreement or arrangement with an agency. The offences applying to ‘entrusted persons’ should not require that the disclosure or other conduct cause, or be likely or intended to cause, harm to an essential public interest. Agreed. It is important that, where a specific secrecy offence regulates the behaviour of individuals other than Commonwealth officers, the provision should be drafted to clearly identify the regulated group. The purpose of these secrecy offences is to regulate the behaviour of any person who obtains or receives surveillance information in an official or trusted capacity. This includes Commonwealth, state and territory agency officials, oversight bodies, issuing authorities, industry members and service providers (including their employees) and any person who obtains surveillance information under an agreement or arrangement with a government agency. This group should be clearly defined in the new electronic surveillance Act. 

119: Secrecy offences in a new electronic surveillance Act should continue to apply to ‘outsiders’. However, the ‘outsider’ offences should differentiate between information obtained by electronic surveillance and information related to, or otherwise connected with, electronic surveillance—the latter of which should require that the disclosure or other conduct cause, or be likely or intended to cause, harm to an essential public interest. 

Agreed. It is appropriate that secrecy offences apply to ‘outsiders’ (ie persons who receive information outside of an official government capacity) where the information is highly sensitive. The information obtained by electronic surveillance is inherently sensitive, as it involves private communications or recordings of private activities obtained in relation to the investigation of serious criminal activity or threats to security. As such, a new electronic surveillance Act should include a secrecy offence for outsiders, to ensure that electronic surveillance information continues to be subject to strict controls that are proportionate to the protection of the public interest. 

120: Existing use and disclosure provisions in the Surveillance Devices Act and the Telecommunications (Interception and Access) Act should be replaced with simple, principles based rules that maintain strict limitations on the use and disclosure of information obtained by electronic surveillance. 

Agreed. There would be significant benefit in simplifying and streamlining, to the extent possible, existing use and disclosure provisions in the TIA Act and Surveillance Devices Act (SD Act) in the new Act governing electronic surveillance. A simpler framework would provide greater clarity about when agencies can use and disclose or otherwise deal with surveillance information, and would support greater cooperation and information sharing between agencies. Careful consideration will need to be given to the development and drafting of simplified and principles-based use and disclosure provisions, noting that in some circumstances, legislative complexity is a necessary consequence of the need to balance privacy and security considerations. 

121: A new electronic surveillance Act should permit the use and disclosure of, and other dealings with, surveillance information for the purpose for which the information was originally and lawfully obtained. 

Agreed. Currently the TIA Act and SD Act do not expressly authorise the use and disclosure of surveillance information for the purpose for which the information was originally obtained. However, many of the existing permitted use and disclosure provisions align with the purpose for which electronic surveillance powers may be exercised. The new electronic surveillance Act should provide clear and simple authority for ‘entrusted persons’ to deal with surveillance information for the primary purpose for which the information was originally, and lawfully, obtained. 

122: A new electronic surveillance Act should permit agencies to use, disclose and otherwise deal with surveillance information for a defined range of secondary purposes, including: • the performance of functions by ASIO, ASIS, ASD, AGO, ACIC, IGIS and the Commonwealth Ombudsman • the investigating or prosecuting of a criminal offence punishable by a maximum penalty of at least three years’ imprisonment • crime-related proceedings, such as bail, parole, proceeds of crime, control order, preventative detention order or continuing detention order proceedings • purposes relating to corruption or serious misconduct by public officials • the provision of mutual legal assistance to a foreign country under the Mutual Assistance in Criminal Matters Act 1987, and • the prevention or lessening of a serious risk to individual life, health or safety, or substantial damage to property. 

Agreed in principle. The precise wording of the range of permitted secondary purposes will need to be refined during the policy development and drafting process. 

123: A new electronic surveillance Act should continue to permit the use and disclosure of, and other dealings with, surveillance information for a defined range of miscellaneous purposes that fall outside the scope of the recommended primary and secondary purpose provisions. 

Agreed. 

124: A new electronic surveillance Act should enable agencies to disclose surveillance information to any person or authority, provided the disclosure is for a permitted purpose. Agreed. 

125: A new electronic surveillance Act should require ASIO to destroy records of information obtained by electronic surveillance, as soon as reasonably practicable after the information is no longer required for the performance of its functions or exercise of its powers, and to ensure such information is rendered inaccessible pending its destruction. Agreed. 

126: A new electronic surveillance Act should require law enforcement agencies to destroy records of information obtained by electronic surveillance and ensure the information is inaccessible pending destruction, as soon as reasonably practicable after: • the agency is satisfied that the records are not required for a specified purpose (being a purpose for which the information may be used and disclosed), or • five years unless the agency positively certifies the records are required for a specified purpose. 

Agreed. The precise range of purposes for which a record is required either to be kept or destroyed will be considered in consultation with law enforcement agencies and may vary between different warrants and authorisations. 

127: A new electronic surveillance Act should require Commonwealth, state and territory agencies (other than ASIO, IS Act agencies and law enforcement agencies) to destroy records of information obtained by electronic surveillance consistent with the destruction requirement for law enforcement agencies recommended above. IS Act agencies should be subject to destruction requirements consistent with their privacy rules. 

Agreed. Consistent with the reasoning in the Review, a new electronic surveillance Act will ensure all agencies who gain possession or control of information obtained by electronic surveillance are subject to an obligation to destroy such information, either through a destruction requirement in the new legislation or through their own privacy rules. The obligation should also apply to agencies that did not initially gather the information but have received it in accordance with the use and disclosure provisions. To avoid duplication of destruction requirements, the Government considers that the new Act should provide that all AIC agencies with privacy rules, including IS Act agencies, will be required to destroy electronic surveillance information in accordance with their privacy rules where it is no longer required. Recommendation 125 outlines ASIO’s destruction requirements. 

128: ASIO conduct under a new electronic surveillance Act should continue to be overseen by the IGIS. Agreed. 

129: The Commonwealth Ombudsman should have oversight responsibility for the use of Commonwealth electronic surveillance powers by all agencies other than ASIO. 

Agreed. The Government agrees that, subject to consultation with the states and territories, the Commonwealth Ombudsman’s oversight should be extended to state and territory agencies that use Commonwealth electronic surveillance powers. This recommendation only covers enforcement agencies that are to have powers under the new electronic surveillance legislation. Recommendation 167, with which the Government agrees, will formalise the position that the Ombudsman does not have jurisdiction over ASIO and other AIC agencies. 

130: The existing ability of the Commonwealth Ombudsman to exchange information with state and territory counterparts should be maintained. Agreed. 

131: The Ombudsman should oversee the compliance of all agencies (other than ASIO) with a new electronic surveillance Act, including state and territory agencies. 

Agreed. The Government agrees that the Commonwealth Ombudsman’s oversight should be extended to assessing overall compliance with the electronic surveillance legislation rather than being limited to record-keeping and destruction processes. The Government notes that this recommendation only covers enforcement agencies that are to have powers under the new electronic surveillance legislation. Recommendation 167, with which the Government agrees, will formalise the position that the Ombudsman does not have jurisdiction over ASIO and other AIC agencies. 

132: Under a new electronic surveillance Act, the Ombudsman’s reporting requirements should be harmonised, including so that all reports are tabled by the Minister in full, except where information has been redacted in order to avoid prejudice to security, the defence of Australia, Australia’s relations with other countries, law enforcement operations, the privacy of individuals or to avoid danger to a person’s safety. 

Agreed. 

133: CLASSIFIED 

134: CLASSIFIED 

135: A common legislative framework for NIC information sharing, either in the form of a single Act that regulates information sharing or a new Act that facilitates information sharing, should not be adopted. 

Agreed. 

136: Exclusions in the spent convictions scheme in Part VIIC of the Crimes Act should be expanded to enable ASIO to use, record and disclose spent conviction information for the performance of its functions. 

Agreed. The spent convictions regime is an important tool that assists in preventing discrimination on the basis of certain previous convictions. Noting that there are existing exclusions for certain agency functions, it is appropriate for ASIO to also have access to spent conviction information for the purpose of performing its functions. Consistent with other intelligence information held by ASIO, ASIO’s use, recording and disclosure of spent convictions would be subject to its Ministerial Guidelines, and would be overseen by the IGIS. 

137: NIC agencies do not require new powers or authorities to collect or obtain reference information. 

Agreed. ‘Reference information’ means, in broad terms, data sets containing personal information that agencies obtain for the purpose of assisting in the performance of their intelligence or investigatory functions generally. Agencies may hold reference information themselves, or have direct access to copies of reference information held by others. 

138: The collection, retention and use of reference information by AUSTRAC, Home Affairs and the AFP should continue to be regulated by the Privacy Act and specific statutory frameworks. 

Agreed. 

139: The ASIO Guidelines and the Privacy Rules for ASIS, ASD, AGO, ONI, DIO and the ACIC should be amended to deal with the collection, retention, use and disclosure of reference information concerning Australian persons. 

Agreed. Where agencies hold or have direct access to personal information, including reference information, such information should be subject to appropriate controls and safeguards. To this end, ASIO will review its Ministerial Guidelines, and ASIS, ASD, AGO, ONI, DIO and the ACIC will review their respective Privacy Rules, in consultation with the IGIS and consistent with the scope for such measures applicable to each agency. 

140: The ASIO Guidelines and the Privacy Rules for ASIS, ASD, AGO, ONI, DIO and the ACIC should require each agency to regularly review its holdings of reference information, and to destroy information unless it is necessary and proportionate to continue retaining it. Any such requirement should reflect each agency’s functions and activities, including the ACIC’s statutory function of holding national policing information on behalf of Commonwealth, state and territory law enforcement agencies. 

Agreed. Each relevant agency should regularly review its holdings of, and its direct access to, reference information. When conducting such reviews, agencies should destroy or remove access to reference information unless it is necessary and proportionate to continue retaining it. Agencies should amend their respective guidelines and rules, in consultation with the IGIS, to include this requirement to destroy or remove access to reference information that does not meet this threshold. The ACIC should include this requirement in its new privacy rules that it will create pursuant to Recommendation 189 of the Review. While agencies should work together to ensure consistency in these rules where possible, guidance should ultimately be tailored to reflect each agency’s functions and activities. This may include introducing differentiated rules for information that an agency holds on behalf of other agencies, as opposed to reference information it has obtained to assist with the performance of its own investigatory and intelligence functions. 

141: Future Independent Intelligence Reviews should reconsider whether statutory controls on the collection, retention or use of reference data are required. 

Agreed. 

142: Specific secrecy offences are not required to protect the identities of ASD officers or members of the ADF Special Operations Command. Agreed. 

143: The secrecy offences in sections 39-40M of the Intelligence Services Act should be consolidated. The scope of the offences should not be expanded. Agreed. 

144: Current mechanisms for public interest disclosures of information obtained by, or relating to, NIC agencies remain appropriate. Neither the specific secrecy offences applying to NIC agencies, nor the general secrecy offences in the Criminal Code, should be amended to include an exception or defence for disclosures made in the public interest. 

Agreed. The inclusion of a broad or catch-all public interest disclosure exception to the general and specific secrecy offences would undermine the objective of those offences – to prevent the unauthorised disclosure and handling of information which would cause serious harm to important public interests and to the effective functioning of government. Individual officers or persons disclosing information to the public are unlikely to have appropriate context or understanding of the potential impact of the relevant disclosure, or the ability to assess how the disclosure may harm the public interest. In the intelligence context, there is an additional risk that isolated disclosures of seemingly innocuous information, when combined with other information, together disclose sensitive information that could cause harm to national security. In light of these risks, it is important that any disclosure of information obtained by or relating to NIC agencies take place within the framework and safeguards provided for by the Public Interest Disclosure Act (PID Act) and the Inspector-General of Intelligence and Security Act (IGIS Act) or in accordance with the explicit exceptions to the offences – such as with the approval of the Director General or other senior officials – rather than in accordance with an assessment made by an individual officer or other persons in possession of the information. 

145: The IGIS should be subject to a legislative requirement to report annually on public interest disclosures received by, and complaints about similar conduct made to, the IGIS. 

Agreed. The IGIS’ current practice of reporting annually on public interest disclosures made to it under the PID Act and complaints made to it about similar conduct under section 10 of the IGIS Act should be formalised in legislation. This practice ensures transparency in relation to complaints and disclosures concerning the agencies within the IGIS’ jurisdiction, and is consistent with the IGIS’ oversight role. This reporting is complementary to, but distinct from, reports by the Ombudsman, whose role it is to report annually on all public interest disclosures made across the Commonwealth. At a minimum, the IGIS should continue to report on the alleged conduct, action taken by the IGIS to investigate the allegation, and any remedial action taken by the agency in response. The IGIS should continue to endeavour to report on as much information as is appropriate, without disclosing information that, when considered individually or in total, would compromise national security. 

146: Specific secrecy offences applying to agencies within the IGIS’ jurisdiction should contain exceptions to permit disclosures of information to, and by, IGIS officials. 

Agreed. 

147: CLASSIFIED 

148: CLASSIFIED 

149: CLASSIFIED 

150: CLASSIFIED 

151: CLASSIFIED 

152: CLASSIFIED 

153: CLASSIFIED 

154: ONI should coordinate NIC agencies’ development of governance and ethical frameworks for the use of artificial intelligence capabilities for intelligence purposes. 

Agreed. 

155: The requirement to have human involvement in significant or adverse decisions made by automated capabilities or artificial intelligence should be maintained. Similar controls should be included when new artificial intelligence capabilities are developed and implemented. 

Agreed. The Government considers that the system of control that applies to the use of artificial intelligence should be considered in its relevant context. Such safeguards should enable agencies to build their expertise and familiarity with AI-based systems, while maintaining clear human control over, and accountability for, the outputs produced by these systems. Furthermore, where human judgments, assessments and decisions are based, to a lesser or greater degree, on outputs produced by these systems, then appropriate controls and safeguards should be built into the decision-making process. In the intelligence context, where a NIC agency takes an action that may substantively affect a person’s rights or interests, or where an agency makes an adverse decision in relation to a person, a human should be involved in approving such activities and decisions. This requirement is found in existing laws and policies applicable to NIC agencies, and should be maintained. It is also important that appropriate mechanisms are developed, and records maintained, to assist in the oversight and transparency of such decisions. 

156: Where a NIC agency relies on an artificial intelligence capability to contribute to the production of intelligence that is subsequently relied on to make a decision (by that agency or another government entity), the NIC agency should be able to explain how it produced that intelligence—including how the artificial intelligence capability contributed to that intelligence. 

Agreed. It is important that agencies develop mechanisms to ensure appropriate transparency of decisions made by, or with, artificial intelligence capabilities. What is ‘appropriate’ will depend on the circumstances, informed by the technical capabilities of the artificial intelligence system and the relevant oversight and accountability framework. Agencies will need to demonstrate that the outcomes of artificial intelligence can be confidently relied upon by decision makers. It is also important that appropriate mechanisms are developed, and records maintained, to assist in the oversight, including by the IGIS, and transparency of such decisions. 

157: Artificial intelligence capabilities, and their outputs, should not be protected from examination in legal proceedings merely because of the involvement of artificial intelligence. 

Agreed. 

158: Future Independent Intelligence Reviews should consider the use of artificial intelligence for intelligence purposes. 

Agreed. 

159: The PJCIS should receive a briefing from agencies on the development of their artificial intelligence-based intelligence capabilities at least once per year. 

Agreed. The purpose of these briefings should be to enable the Parliament to develop and maintain an understanding of NIC agencies’ development and use of AI. Agencies should inform the Parliamentary Joint Committee on Intelligence and Security (PJCIS), within the scope of its existing functions, of any substantial changes in their development and use of AI capabilities, to provide Parliament with an opportunity to consider whether legislative or policy responses are required. In such briefings, the PJCIS should also consider whether the IGIS has access to sufficient independent technical expertise necessary to scrutinise NIC agencies’ use of AI capabilities for intelligence purposes. 

160: ASIO already lawfully engages in threat reduction and disruption activities and there is no need for it to have a statutory threat reduction or disruption function. 

Agreed. 

161: ASD’s cybercrime function under section 7(1)(c) of the Intelligence Services Act should not be extended to apply onshore. Agreed. 

162: The AFP, with ASD’s assistance, should develop high end capability to fight cybercrime and fully utilise its existing powers to disrupt online offending. 

Agreed to the extent that the Review recommends that the AFP should be responsible for fighting cybercrime and undertaking disruption activities onshore. The ACIC, drawing on its specialist criminal intelligence capabilities, also plays a vital role in discovering serious and organised crime activity that is perpetrated online, including by identifying priority cybercrime and cyber-enabled crime targets. The ACIC’s intelligence functions directly enable investigative and disruption activity undertaken by law enforcement and intelligence partners, both within Australia and offshore. The Government disagrees with the Review’s position that the AFP does not need new powers to disrupt online offending. The AFP and the ACIC should fully utilise existing powers to combat cyber enabled crime. However those agencies’ current powers are increasingly ineffective against mass campaigns of cyber enabled crime, including those that use the cover of the dark web and anonymising technologies on the surface web (such as virtual private networks). The increasingly large-scale use of the dark web, and other technologies that allow users to remain anonymous, to enable serious crime and terrorism is inhibiting agencies’ ability to protect the community, including protecting children from sexual abuse. New powers should enable agencies to identify and collect intelligence on dark web targets, and to take action against those targets, whether that be through traditional investigation and prosecution, or through further disruption of criminal activities. Legislative reform is necessary to enhance the ability of the AFP and the ACIC to discover and disrupt serious criminality online. Such powers should be targeted at activities that have a direct and real impact on Australia’s most vulnerable and are usually orchestrated by the most sophisticated of criminal networks (eg. online child sexual abuse, the sale of illicit drugs and firearms and terrorism activities). Any new powers should also be proportionate to the identified risk, and subject to robust safeguards and oversight. Oversight arrangements should be appropriately apportioned between the IGIS and Ombudsman. To implement such reforms, the AFP and ACIC would likely require the technical assistance of ASD in accordance with ASD’s existing authorities. Any technical assistance provided by ASD in support of the proposed new powers should be provided from within ASD’s existing statutory powers and resourcing for counter-cybercrime activities. 

163: The Australian Crime Commission Act should not be amended to introduce a covert or delayed notification search warrant power for the ACIC. 

Agreed. With respect to delayed notification search warrants, such warrants are extraordinary and to date have been reserved for exclusive use by law enforcement and, at the Commonwealth level, for terrorism offences. While the Government agrees that further operational justification is required to introduce such powers, the Government recognises that such a power would assist the ACIC in collecting evidence under an ACIC special investigation. For the Government and Parliament to consider introducing delayed notification search warrants for the ACIC in future, the ACIC would need to demonstrate that the evidence and operational benefit gained under delayed notification search warrants would be proportionate to the intrusion on privacy and civil liberties that such warrants would permit. The ACIC will continue to build a robust evidence base to provide the operational justification for delayed notification search warrant reforms. With respect to covert search warrant powers and the use of delayed notification search warrants in ACIC special operations, the Government agrees that a stronger case would be required to demonstrate the operational need to introduce such powers to support the ACIC’s intelligence collection function, having regard to the principles set out in the Review. 

164: The Australian Crime Commission Act should not be amended to allow the conduct of coercive examinations offshore. 

Agreed. 

165: The Australian Crime Commission Act should not be amended to include a civil immunity for private sector bodies that have provided information to the ACIC voluntarily or on request. 

Agreed. 

166: The ACIC’s notice to produce powers under the Australian Crime Commission Act should not be amended to allow it to compel the ongoing disclosure of information over a particular time period. 

Agreed. 

167: ASIS, AGO, ASD, ONI and DIO should be excluded from the Commonwealth Ombudsman’s jurisdiction. 

Agreed. The Ombudsman currently does not exercise its jurisdiction over these agencies by convention. This recommendation is merely intended to formalise this position. This recommendation does not alter the jurisdiction of the Defence Force Ombudsman, a role the Commonwealth Ombudsman carries out over the employment and other administrative complaints of ADF members, including ADF members working for intelligence agencies. 

168: The IGIS should not have oversight of the Department of Home Affairs or the AFP as recommended in the 2017 IIR. 

Agreed. The Government agrees that the IGIS should not have oversight of the intelligence functions of the Department of Home Affairs or the AFP. The intelligence functions of the Department of Home Affairs and the AFP are subject to existing and effective oversight mechanisms given the scope and nature of these functions. Neither the Review, nor the 2017 IIR, identified a gap in the existing oversight of the Department of Home Affairs or the AFP that justified including these bodies in the jurisdiction of the IGIS. Consistent with Recommendation 21 of the 2017 IIR, the Government will extend the jurisdiction of the IGIS to include the intelligence functions of the ACIC and AUSTRAC. The Review noted that while the ACIC and AUSTRAC are already ‘the subject of a range of oversight mechanisms, the specialised intelligence oversight of the IGIS would more readily add value and assurance’ in respect of the intelligence functions of the ACIC and AUSTRAC. 

169: Legislation establishing oversight responsibilities for the NIC should take a functional approach. Oversight should follow intelligence function, regardless of the structures used to support performance of the function. 

Agreed. 

170: The IGIS and Ombudsman should be consulted as a matter of course in relation to all proposed amendments to intelligence legislation affecting matters within their jurisdiction to ensure that oversight issues can be addressed upfront. This requirement should be included in the Legislation Handbook. 

Agreed. 

171: The Attorney-General should issue publicly available guidelines for embedding oversight into NIC legislation. The guidelines should include the following principles: 171.a Legislation should clearly state oversight bodies’ jurisdiction. 171.b Any duplication in oversight jurisdiction should be minimised where possible, while recognising that the elimination of all overlap would also give rise to unintended gaps. 171.c Laws and guidelines governing NIC agencies should be clear, precise and unambiguous in their terms and in their interaction with each other. 171.d Legislation should allow oversight bodies to exercise discretion in managing their oversight functions and responsibilities. 171.e NIC oversight legislation should avoid overly prescriptive and detailed inspection or reporting requirements. 171.f Oversight bodies should be able to access all relevant information from intelligence agencies and appropriately share information between themselves. 171.g Careful consideration should be given to dissemination of reports by an oversight body. 171.h NIC agencies should be required to actively provide information to an oversight body about the use of extraordinary powers. 171.i Legislation (or guidelines, as appropriate) should be clear about record keeping obligations and facilitate meaningful oversight. 171.j Oversight bodies should have a role in supporting the continuous improvement of agencies’ legislative compliance by sharing their expertise on compliance best practice, and regularly reviewing agencies’ guidance materials. 

Agreed. 

172: The Inspector-General of Intelligence and Security Act should be amended to preclude the appointment to the Office of the IGIS of a person whose immediate prior role was as head or deputy head of an agency within the IGIS’ oversight remit. 

Agreed. The IGIS has a unique role as the primary body with responsibility for intelligence oversight. Accordingly, this additional safeguard on IGIS's independence (and perceived independence) is appropriate. 

173: An independent panel should be established to provide technical expertise and assistance to the IGIS. 

Agreed. 

174: The Inspector-General of Intelligence and Security Act should be amended to give the IGIS an inquiry function for employment-related grievances of staff employed under the Office of National Intelligence Act. 

Agreed. 

175: Agencies should seek legal advice through in-house counsel or the Australian Government Solicitor, in a manner consistent with the Legal Services Directions. 

Agreed. Although important, consultation with the IGIS is not a substitute for such legal advice. The IGIS’ statutory functions include overseeing the compliance of the intelligence agencies with the law, and the propriety of their activities. The role of the IGIS can rightly include early engagement with agencies, particularly where there are novel issues or agencies are using a power for the first time. It is also vital that agencies continue to proactively report on potential issues to the IGIS. 

176: The Australian Government Solicitor should centrally and electronically store all classified legal advices provided to National Intelligence Community agencies. 

Agreed. 

177: The Independent National Security Legislation Monitor Act should be amended to provide that the INSLM may prepare and give to the Attorney-General a report on any matter relating to the performance of the INSLM’s functions at any time. The Attorney-General should be required to table an (unclassified) copy of the report in each House of the Parliament within a reasonable time of receiving the report. 

Agreed. 

178: As a matter of good practice, the Government should provide a publicly available response to the INSLM’s recommendations within 12 months of the INSLM’s report being tabled in Parliament.  

Agreed. The Government notes that where the recommendations of INSLM reports raise complex legal and policy questions, it may take more than 12 months for the Government to formally respond to those reports. The Government will continue to endeavour to advise Parliament as soon as practicable of its responses to future INSLM recommendations. 

179: The Independent Reviewer of Adverse Security Assessments should continue as a standing arrangement. 

Agreed. 

180: The remit of the Parliamentary Joint Committee on Intelligence and Security should not be expanded to include direct oversight of operational activities, whether past or current. 

Agreed. 

181: 181.a The IIR recommendation to enable the PJCIS to request the IGIS to conduct an inquiry into the legality and propriety of particular operational activities, and report to the PJCIS, Prime Minister and responsible minister, should be implemented. 181.b Changes to enable the PJCIS to make such a request should make it clear that the PJCIS can only request, not oblige, the IGIS to conduct an inquiry. 181.c The amendments should also maintain the current restriction that prevents the PJCIS from requiring a person or body to disclose operationally sensitive information or information that would or might prejudice Australia’s national security or the conduct of Australia’s foreign relations. 

Disagreed. Even if the IGIS is not obliged to conduct an inquiry, the remit of the PJCIS should not be expanded to include oversight of agencies’ operational activities by requesting the IGIS to inquire into and report on particular operations. It remains appropriate for ministers to primarily oversee operations and be accountable to Parliament. The Government considers that the IGIS has extensive powers to oversee and inquire into the legality and propriety of NIC operations. The IGIS already publishes unclassified versions of reports and appears before the PJCIS on non-operational matters. The PJCIS may also request the IGIS to brief the Committee, although the Committee cannot require the IGIS to disclose operationally sensitive information, under the IS Act. These existing arrangements appropriately balance accountability with the need to protect sensitive operations and capabilities, and further oversight by the PJCIS is not necessary. 

182: Existing restrictions that apply to information disclosure by the PJCIS should continue to apply in respect of the Inspector-General of Intelligence and Security’s reports or briefings to the PJCIS on its inquiries. 

Agreed. 

183: The Intelligence Services Act should be amended so that the PJCIS is only limited to not reviewing agency compliance with agency privacy rules, leaving scope for it to review the rules as made. Agreed. 

184: ASIS, ASIO, ASD, DIO and ONI should continue to be exempt from the operation of the Freedom of Information Act. 

Agreed. 

185: The Department of Home Affairs, including its Intelligence Division, should remain subject to the Freedom of Information Act. 

Agreed. 

186: The Freedom of Information Act should be amended to remove AGO’s exemption in respect of its non-intelligence function. 

Agreed. The Review makes clear that this recommendation only applies to the functions of the Australian Hydrographic Office. The functions of the Australian Hydrographic Office were transferred to AGO in 2017. Before its transfer to AGO, the functions of the Australian Hydrographic Office were subject to the Freedom of Information Act (FOI Act). In the interim, and before the FOI Act is amended, the Minister for Defence will make a publicly-available ministerial direction that the provisions of the FOI Act apply as a matter of policy to requests for access to information produced under the functions of the Australian Hydrographic Office. A full exemption remains appropriate for the remainder of AGO's non-intelligence functions. Highly sensitive information that is not suitable for public release is relevant to AGO's other non intelligence functions. 

187: The ACIC should remain subject to the Freedom of Information Act. 

Disagreed. The ACIC should be exempt from the FOI Act, and all Australian Government agencies and ministers should also be exempt in relation to documents that have originated with, or been received from, the ACIC. The ACIC’s functions are closely aligned with the functions of other agencies that are members of Australia’s intelligence community and exempt from the FOI Act. At present, the ACIC’s sensitive information is not protected in the same way as the information of those agencies. It is now the case that the majority of FOI requests received by the ACIC will be exempt, or partially exempt, from disclosure due to their sensitivity. In 2018-19 (the most recent reporting year), 45% of total requests that the ACIC released in full related to the Australian Cybercrime Online Reporting Network (ACORN). However, on 1 July 2019 ACORN was decommissioned and replaced by the ACSC’s cyber.gov.au platform. If FOI requests relating to the ACORN were excluded from the ACIC’s statistics for 2018-19, 42% of requests would have been fully exempt, and 31% would have been partially exempt from disclosure. Given the high percentage of documents that would be exempt or partially-exempt from disclosure, the Government does not consider that the transparency benefit outweighs the resource burden required to process the FOI requests. The ACIC is already subject to extensive oversight that ensures the agency’s accountability and transparency. These include the ACIC Board, the Inter-Governmental Committee on the ACIC, the Commonwealth Ombudsman, the Parliamentary Joint Committee on Law Enforcement, and mandatory five year reviews under the Australian Crime Commission Act (ACC Act). Other parts of the Government’s reform agenda will enhance the oversight regime for the ACIC. Consistent with Recommendation 21 of the 2017 IIR, the Government will extend the jurisdiction of the IGIS to include the intelligence functions of the ACIC. This reform will ensure that the intelligence functions of the ACIC are subject to specialised intelligence oversight. IGIS oversight will provide increased assurance of the legality and propriety of the ACIC’s activities. Further, the Government has also agreed to Recommendation 189, that legislation should require the ACIC to have legally binding privacy rules. A legislative requirement for these rules will ensure greater accountability in relation to the ACIC’s handling of personal information, including an individual’s right to access their own personal information. Exemption of the ACIC from the FOI Act is also consistent with the recommendations of Dr Allan Hawke AC in his 2013 Review of the Freedom of Information Act 1982 and Australian Information Commissioner Act 2010. Dr Hawke reasoned that the Australian Crime Commission (the ACIC’s predecessor) should be excluded from the operation of the FOI Act to provide protection for criminal information and intelligence. Dr Hawke noted that the Commission’s primary function was the provision of criminal intelligence. Since Dr Hawke’s Review, the merger of the Australian Crime Commission and CrimTrac has further increased the sensitivity of the information held by the agency. The ACIC now has access to a larger number of sensitive data sets. It is also increasingly collaborating with NIC agencies and Five Eyes partners. The merging of these datasets and intelligence from a range of sources has increased the sensitivity of the data it holds. 

188: In respect of AUSTRAC, consistent protections should be afforded to Suspicious Matter Reports and Suspicious Transaction Reports under the Freedom of Information Act. 

Agreed. 

189: ASIO, ASIS, ASD, AGO, DIO and ACIC should be required, by legislation, to have legally-binding privacy guidelines or rules. These rules should be made public (except to the extent that those rules contain classified information). 

Agreed. The Government notes that ASIO, ASIS, ASD, AGO and ONI are currently required by legislation to have legally-binding privacy guidelines or rules made by the relevant minister, all of which are publicly available. DIO currently has publicly available privacy rules approved by the Minister for Defence, although there is no legislative requirement for it to do so. The IS Act will be amended in accordance with this recommendation to require the Minister for Defence to publish privacy rules that cover DIO’s communication and retention of intelligence information concerning Australian persons. The ACIC currently has a publicly available Information Handling Protocol, but is also not currently required by legislation to have privacy rules made by the Minister for Home Affairs. The ACC Act will be amended to require the Minister for Home Affairs to publish privacy rules in accordance with this recommendation. 

190: The identities of ASIO and ASIS staff members and agents should be protected from disclosure under the Archives Act. 

Agreed. 

191: All security matters arising under the Archives Act should be heard in the Security Division of the Administrative Appeals Tribunal. Agreed. However, the President of the Administrative Appeals Tribunal (AAT) should retain the discretion to transfer matters from the Security Division to another Division in appropriate circumstances. 

192: The Freedom of Information Act and Archives Act should be amended so that the IGIS is only required to provide evidence that addresses the damage that would, or could reasonably be expected to, arise from the release of material where the matter involves one or more of the agencies that the IGIS oversees. 

Agreed. 

193: The definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act should be amended to include the exercise of powers or functions in relation to parole, security guard licences and firearms licences. 

Agreed. 

194: A regulation-making power should be inserted into the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 194.a The regulation making power should allow regulations to add an action to the definition of ‘prescribed administrative action’ where that action has potential to affect an individual’s liberty or livelihood. Matters relating to security would be a key consideration in taking that action. 194.b Regulations made under the regulation making power should be reviewed by the PJCIS before the end of the applicable disallowance period in each Chamber prior to coming into effect. 

Agreed. The insertion of a regulation-making power will allow for new categories of action to be added quickly to the definition, subject to their review by the PJCIS. Once an action is prescribed in regulation, any advice by ASIO that informed a decision about that action would be subject to the significant protections of Part IV of the ASIO Act. The Government notes that the regulation making power will not provide for the ability to exclude specific administrative actions from the definition of ‘prescribed administrative action’. It would not be appropriate to exclude actions that might have serious consequences for individuals from the security assessment regime through regulations. Any exclusion of actions from the definition should be done through amendment to the ASIO Act, to ensure comprehensive consideration of the changes by the Parliament. Despite the Review’s recommendation, the Government considers that further clarity is still needed as to the scope of the definition within the ASIO Act. The Government will explore further options for reform of this provision to ensure that it remains fit-for-purpose. Any amendments will be consistent with the existing intention of Part IV of the ASIO Act. This includes providing a person who might suffer serious consequences as a result of administrative action that has been informed by an adverse or qualified security assessment with the ability to seek a review of the security assessment. 

195: 195.a A decision to suspend or revoke an ASIS staff member’s security clearance should fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 195.b A decision to suspend access to information or places which are controlled or limited on security grounds while a decision to revoke or suspend a clearance is reviewed should not fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 195.c A decision to deny access to information or places which are controlled or limited on security grounds once a decision to revoke a security clearance is confirmed should not fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 

Agreed in principle. The Government notes that Recommendation 195.a only relates to decisions made on the basis of ASIO advice. Such decisions are already captured by the definition of ‘prescribed administrative action’, so it is unnecessary to amend the ASIO Act, or add such decisions to the definition through regulation, to give effect to Recommendation 195.a. The Government also notes that paragraph 36(1)(c) of the ASIO Act has the effect that the requirements of Part IV of the Act largely do not apply to the decisions set out in Recommendations 195.b and 195.c. However, to give effect to these recommendations, the Government will amend paragraph 36(1)(c) of the ASIO Act to more clearly identify that the paragraph covers security assessments in relation to a person’s access to information or places as part of their engagement with ASIO, an intelligence or security agency. 

196: 196.a ASIO’s passage of vetting information on former ASIO staff and unsuccessful ASIO applicants should not be exempted from the operation of Part IV. 196.b ASIO’s passage of third party information or unassessed lead information to a Commonwealth or state agency for the purposes of prescribed administrative action should not be exempted from the operation of Part IV. 

196.a Agreed. ASIO should continue to be able to pass vetting information on former ASIO staff and unsuccessful applicants to other vetting agencies, subject to the operation of Part IV of the ASIO Act. ASIO can and currently does pass on such information to other vetting agencies in the form of preliminary advice under section 39 of the ASIO Act without the need to complete a security assessment. However, in accordance with section 39 of the ASIO Act, an agency cannot take prescribed administrative action on the basis of this preliminary advice. If the agency then wishes to take prescribed administrative action, it must seek and receive a security assessment from ASIO, which would entitle the subject of the security assessment to the usual review rights that Justice Hope was concerned to ensure were available to prevent the possibility of a ‘grave and permanent injustice’. 

196.b Agreed in principle. There are circumstances where this requirement curtails ASIO’s ability to act as a neutral intermediary between a third party (often a foreign partner) and another Commonwealth or state or territory agency where ASIO is best-placed logistically to facilitate the passage of such information. This is an appropriate function for ASIO to undertake. The Government will explore further options for reform of Part IV to ensure that it remains fit for purpose. 

197: ASIO security assessments prepared for the purpose of informing the Foreign Investment Review Board should be exempted from the operation of Part IV of the Australian Security Intelligence Organisation Act. 

Agreed. The Government notes that implementation of this recommendation will be done in accordance with Australia’s international trade and investment law obligations. 

198: The Australian Security Intelligence Organisation Act should be amended to allow ASIO to make a preliminary communication directly to a state or territory agency where the requirements of security make it necessary, as a matter of urgency, to take action of a temporary nature pending the furnishing of a security assessment. 

Agreed. The Review did not identify a principled reason for the current distinction between Commonwealth agencies and state and territory agencies under the ASIO Act. At present, ASIO may make a preliminary communication to a Commonwealth agency in limited, urgent circumstances upon which the Commonwealth agency may take action of a temporary nature, but ASIO cannot make a similar communication to a state or territory agency. This can frustrate ASIO’s ability to protect the people of the states and territories from threats to security. Any such communication to a state or territory agency should be subject to the same safeguards that apply to preliminary communications to Commonwealth agencies. 

199: The Australian Security Intelligence Organisation Act should be amended to require ASIO to notify the IGIS in every instance where it has taken more than 12 months to finalise a security assessment, and subject to the requirements of security, notify the individual in writing of their ability to make a written complaint under the Inspector-General of Intelligence and Security Act. If the requirements of security do not permit notification of the individual, IGIS must be notified of this fact. 

Agreed in part. The Government agrees that ASIO should notify the IGIS in every instance where it has taken more than 12 months to finalise a security assessment. The Government will amend the ASIO Act to require the Director-General of Security and the IGIS to agree a protocol for the handling of these matters. However, the Government does not agree that ASIO should then notify the individual of their ability to make a complaint. The IGIS will be given greater visibility of lengthy security assessments and will be able to consider the reasons for, and reasonableness of, the delay in finalising them through the requirement for ASIO to notify the IGIS. This approach avoids any risk of individuals and their associates gaining an understanding of the precise prioritisation of ASIO’s categories of security assessments, which may allow those people to modify their behaviour and activities to obscure matters of security interest. The Review’s recommendation that ASIO notify individuals of their ability to make a complaint to the IGIS was intended to ensure that individuals were aware of this right. As such, the Government considers that the most appropriate solution is for individuals to be better alerted to that right, for example through changes to relevant application forms or guidance material. 

200: A person the subject of an ACIC assessment that may be acted on by the recipient in a decision that affects the employment or liberty of the person should be notified of that assessment and given the opportunity to seek review. 

Agreed. Should ACIC assessments become a formal part of Government decision making, the Government will develop a framework for notification and review rights for those assessments. 

201: DIO assessments should not be subject to rights of notification and review similar to those in Part IV of the Australian Security Intelligence Organisation Act. 

Agreed. 

202: The National Security Information (Criminal and Civil Proceedings) Act should be amended to include a rebuttable presumption to protect the identity of ASIO and ASIS staff members and agents. The presumption should preserve the court’s discretion and ensure that the respondent is given notice of the fact that the rebuttable presumption is engaged in a particular case. 

Agreed. The express presumption of protection for particular agencies’ staff members and agents should not be taken as a presumption that protection would not be granted for other persons (where that protection is justified on national security grounds). 

203: The offences in Part 5 of the National Security Information (Criminal and Civil Proceedings) Act should be reviewed and redrafted to include a tiered range of offences with penalties commensurate to the fault elements specified. 

Agreed.