The Report of the Comprehensive Review of the Legal Framework of the National Intelligence Community, released today, features the following recommendations -
R 1 NIC agencies should ensure that their induction and ongoing training addresses the history, background and principles that underpin their legal frameworks and of the balance in legislation sought by government and the Parliament.
R 2 The sequencing of steps required in the Intelligence Services Act’s ministerial authorisation process should be adjusted to enable the responsible minister to authorise an Intelligence Services Act agency to produce intelligence on an Australian person and then seek the Attorney-General’s agreement to that authorisation. The authorisation would not take effect until the Attorney-General has given agreement.
R 3 The legislation governing the activities of ASIO, ASIS, ASD and AGO should continue to distinguish between foreign intelligence and security intelligence.
R 4 There should continue to be a distinction between AIC agency activities that take place onshore and those that take place offshore.
R 5 The Australian Security Intelligence Organisation Act and Telecommunications (Interception and Access) Act should be amended to enable the Director-General of Security, on a request from the Foreign Minister or Defence Minister, to seek a warrant from the Attorney General for the collection of foreign intelligence on an Australian person who is acting for, or on behalf of, a foreign power.
R 6 The legislation that applies to ASIO, ASD, ASIS and AGO should continue to distinguish between Australians and non-Australians.
R 7 CLASSIFIED
R 8 ONI should develop guiding principles on open source information collection, in consultation with DIO, Home Affairs, and the IGIS.
R 9 CLASSIFIED
R 10 DIO and Home Affairs should not be included in the assumed identity regime in the Crimes Act for the purposes of open source information collection.
R 11 CLASSIFIED
R 12 The Office of National Intelligence Act should be amended so that the privacy rules apply only to analytical products of the Open Source Centre.
R 13 AGO should be established as a statutory authority before acquisition of a sovereign geospatial intelligence space capability, with the timing to be revisited as part of future independent intelligence reviews.
R 14 DIO should remain a semi-autonomous organisation within the Department of Defence.
R 15 DIO’s mandate should be made publicly available.
R 16 The intelligence functions of Home Affairs should not be specified in legislation.
R 17 The Australian Security Intelligence Organisation Act and any new electronic surveillance framework (incorporating existing authorities under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act and relevant parts of the Australian Security Intelligence Organisation Act) should provide that powers vested in the Attorney General in respect of ASIO may only be exercised by the Attorney General and not by a junior minister. As with section 3A of the Intelligence Services Act, references to the Attorney General should continue to include a person acting as the Attorney General.
R 18 The Law Officers Act should be amended to remove the ability for the Attorney General to delegate his or her power to issue warrants under the Australian Security Intelligence Organisation Act to the Solicitor General, Secretary of the Attorney General’s Department or any other officer of the Commonwealth. The current prohibition in respect of warrants issued under the Telecommunications (Interception and Access) Act should remain in respect of the new electronic surveillance framework.
R 19 The Attorney-General’s powers in respect of ASIO should not be able to be conferred on another minister through an action of the Executive. Legislative amendment should be required. The ability for the Governor General in Council to make a substituted reference order in respect of the Attorney General’s role in exceptional cases should be retained, but only used in exceptional circumstances, such as where there is no Attorney General.
R 20 The Australian Security Intelligence Organisation Act and Telecommunications (Interception and Access) Act (and the new electronic surveillance framework) should permit the Director General of Security to approach the Prime Minister to issue a warrant, where the Attorney General advises the Director General of an actual or apparent conflict of interest, or where the Director General is satisfied that the Attorney General has an actual or apparent conflict of interest.
R 21 The Intelligence Services Act should be amended to permit an agency head to approach another Intelligence Services Act minister to issue an authorisation, where the responsible minister advises the agency head of an actual or apparent conflict of interest, or where the relevant agency head is satisfied that the authorising minister has an actual or apparent conflict of interest.
R 22 Legislative amendments in respect of ONI’s budget authority are not required.
R 23 The Department of Home Affairs does not require cooperation provisions in legislation.
R 24 Section 13 of the Office of National Intelligence Act does not require amendment. The legislative requirement for the Director-General to approve cooperation arrangements with an authority of another country is appropriate.
Recommendation 25 The Australian Security Intelligence Organisation Act should be amended to include a ministerial authorisation framework for ASIO’s offshore intelligence collection activities in respect of Australian persons, where those activities would require ASIO to seek a warrant inside Australia.
25.a The Attorney-General’s authorisation should be required irrespective of whether ASIO’s activities are undertaken in partnership with foreign partners or with other Australian Intelligence Community agencies.
25.b If, when ASIO seeks a warrant from the Attorney-General to conduct activities in respect of an Australian person inside Australia, it is reasonably foreseeable that the person will move offshore during the period of the warrant, and the warranted conduct can continue offshore, ASIO should inform the Attorney General of this and seek his or her authorisation to continue the conduct offshore.
25.c The Director-General of Security (and only the Director-General) should be permitted to 25.c.i make an oral application to the Attorney-General where he or she believes on reasonable grounds that the delay in making a written application for ministerial authorisation of ASIO’s offshore activities would likely defeat the purpose of obtaining the authorisation, and 25.c.ii internally authorise activities (orally or in writing) where it is not possible to make an oral application to the Attorney-General.
25.d Where an activity is authorised internally by the Director-General: 25.d.i the Director-General should be required to notify the Attorney General in writing as soon as possible, and no later than 48 hours, after the internal authorisation is issued, and 25.d.ii the Director-General should be required to notify the IGIS as soon as possible, but no later than three days, after the internal authorisation is issued.
R 26 DFAT should be informed before any NIC agency (other than ASIS) conducts covert human intelligence activity in another country without the agreement of the host authorities. DFAT is responsible for determining whether the Foreign Minister should be advised of the activity.
R 27 Processes for managing foreign relations risks, including determining the agencies subject to these processes, should be considered each time there is an Independent Intelligence Review.
R 28 The Commonwealth should not develop a common legislative framework in the form of a single Act governing all or some NIC agencies
R 29 NIC legislation should not be amended to include standalone proportionality tests as part of the threshold for the authorisation of intrusive powers.
R 30 Ministers should continue to authorise ASIO and Intelligence Services Act agency activities. These authorisations should not also be subject to judicial or other independent authorisation.
R 31 All ASIO warrants and special intelligence operation authorisations should be reviewed by the Attorney-General’s Department, noting the need for appropriate security clearances and relevant briefings.
R 32 In circumstances of extreme urgency ASIO should provide warrants or authorisations to the Attorney-General without review by the Attorney-General’s Department. In such situations, ASIO should advise the Attorney-General that the warrant or authorisation has not been reviewed by the Department, and subsequently present the warrant or authorisation to the Department for review.
R 33 Existing consultation processes for ministerial authorisations under the Intelligence Services Act are robust and support an appropriate level of assurance. These processes should continue.
R 34 The duration of search warrants in the Australian Security Intelligence Organisation Act should be kept at 90 days.
35 The duration of inspection of postal articles and inspection of delivery service articles warrants in the Australian Security Intelligence Organisation Act should be kept at six months.
36 ASIO should be required to keep accurate records of all individuals involved in the execution of a warrant. The requirement for ASIO to specify who may exercise authority under a warrant in section 24 of the ASIO Act should be retained.
37 The Australian Security Intelligence Organisation Act should be amended to make it clear that the permissible scope of classes under section 24 includes changes to, or expansion of, the class which occur after the authorisation is initially made.
38 ASIO should continue to seek foreign intelligence collection warrants from the Attorney-General for activities within Australia that require a warrant, on the advice of the Foreign Minister or Defence Minister.
39 The maximum duration of foreign intelligence collection warrants in the Australian Security Intelligence Organisation Act should remain at six months for all powers except search warrants, which should remain at 90 days, except in the limited circumstances, and subject to the additional safeguards, described in our classified report.
41 The Intelligence Services Act should be amended to provide that an agency is ‘producing intelligence’ on an Australian person or a class of Australian persons only if: • the agency undertakes a covert and intrusive activity, or a series of covert and intrusive activities, or • the agency expressly or impliedly requests a body, authority, organisation or group to undertake a covert and intrusive activity, or a series of covert and intrusive activities to obtain that intelligence.
42 The Intelligence Services Act should continue to provide that an IS Act agency can only undertake activities for the specific purpose of producing intelligence on an Australian in relation to a serious crime where the minister is satisfied that person is, or is likely to be, involved in committing a serious crime by: moving money, goods or people; using or transferring intellectual property; or transmitting data or signals by means of guided and/or unguided electromagnetic energy.
43 The Australian Security Intelligence Organisation Act and the new electronic surveillance Act should not allow warrants to be issued in respect of a class of persons, subject to the recommendations about groups and foreign organisations in relation to electronic surveillance powers (see Chapter 28).
44 A broad intelligence warrant should not be introduced to allow Intelligence Services Act agencies to collect intelligence in accordance with their functions inside Australia.
45 The 2017 Independent Intelligence Review recommendation, that Intelligence Services Act agencies be able to obtain ministerial authorisation in respect of a class of Australian persons where the class is defined by reference to involvement with a terrorist organisation proscribed for the purposes of the Criminal Code, should be implemented (Recommendation 16(a)). This should include the following requirements: 45.a the responsible minister may only issue the authorisation after obtaining the agreement of the Attorney-General 45.b the authorisation must not exceed six months 45.c Intelligence Services Act agencies must maintain a current list of all individuals on whom it sought to produce intelligence under the class authorisation with reasons why the agency believed the individual to be part of the class 45.d this list should be provided to ASIO for visibility and to coordinate counter terrorism activities, and be available for inspection and review by the IGIS, who may provide advice to the agency head and responsible minister, and 45.e agencies must report to the responsible minister within six months of the original authorisation providing details on activities undertaken and attaching the current list of individuals that fall within the class.
46 The 2017 IIR recommendation to allow AGO and ASD, like ASIS, to obtain a ministerial authorisation in relation to a class of Australians in respect of activities performed when assisting the Australian Defence Force should be implemented (Recommendation 16(b)).
47 The Intelligence Services Act should not be amended to allow ministers to issue a class ministerial authorisation in any circumstance the minister considers appropriate.
48 The Australian Security Intelligence Organisation Act should be amended to, and the new electronic surveillance Act should, provide for the issuing of ASIO warrants in emergencies as follows: 48.a The Attorney General must issue ASIO warrants in writing wherever possible. 48.b The Attorney General may orally authorise a warrant, on application from the Director-General of Security, if he or she believes on reasonable grounds that the delay in making a written application would likely defeat the purpose of obtaining the warrant. The threshold for issuing the warrant should remain as for the Attorney General’s consideration of a written application. 48.c The Director General of Security may authorise activities in writing where it is not possible to make an oral application to the Attorney General. This must be limited to circumstances where the Attorney General is unavailable, or where making an oral application would pose an unacceptable risk to operational security. The threshold for the Director General issuing the warrant should remain as for the Attorney General’s consideration of a written application. 48.d The Director General of Security may only orally authorise an emergency warrant where it is not possible to make an oral application to the Attorney General (as defined above), and where delay in authorising the application in writing would defeat the purpose of obtaining the warrant. The threshold for the Director General issuing the warrant should remain as for the Attorney General issuing a warrant.
49 Where a warrant is authorised orally: 49.a the Director-General must ensure that a written record of the warrant is made as soon as possible, but no later than 48 hours, after the authorisation is issued 49.b the Director-General should provide a copy of the record to the IGIS as soon as possible, but no later than three days, after the authorisation is issued, and 49.c the IGIS should be required to provide a report to the Attorney-General on whether the Director-General complied with the legislative requirements in giving the authorisation.
50 The power to issue emergency warrants should be vested only in the Director General of Security, or any person acting in that position, and should not be able to be delegated to any other ASIO officer.
51 The Director-General of Security should be required to submit a written warrant application to the Attorney General as soon as possible, but no later than 48 hours, after the authorisation is issued. On receipt of the written application, the Attorney General must decide whether to: 51.a endorse the authorisation, and issue a regular warrant authorising ongoing activities 51.b endorse the authorisation, but decline to issue a regular warrant authorising ongoing activities and direct that activities cease, or 51.c invalidate the authorisation, and direct that any material obtained under that authorisation be quarantined from further use (other than for limited purposes relating to oversight, or any investigation or proceeding relating to the activities).
52 The emergency authorisation provisions in the Intelligence Services Act do not require amendment, beyond implementing amendments to address situations where it is reasonable to believe that an Australian person consents to the production of intelligence by the IS Act agency on that person, as recommended by the 2017 Independent Intelligence Review.
53 For the purposes of section 9 of the Intelligence Services Act, the Minister should continue to obtain the Attorney-General’s agreement before authorising activities with respect to Australians involved in threats to security.
54 Section 13B of the Intelligence Services Act should continue to require ASIO to notify ASIS that it requires ASIS’s assistance to undertake activities to support ASIO in the performance of its functions.
55 The Intelligence Services Act should not be amended to allow ASIO to request ASIS to produce ‘foundational intelligence’ on a person suspected to be an Australian person using methods that would require a warrant if undertaken in Australia.
56 The immunities in section 14 of the Intelligence Services Act should not be extended.
57 Section 13B of the Intelligence Services Act should not be extended to apply to ASIS’s onshore activities.
58 Current arrangements under section 13B of the Intelligence Services Act should not be extended to ASD and AGO.
59 The Intelligence Services Act appropriately provides for ministerial oversight and visibility of activities to achieve a direct effect undertaken directly by ASIS and ASD.
60 Intelligence Services Act agencies should advise their minister, when seeking a producing intelligence ministerial authorisation to cooperate with the ADF or ASIS, that intelligence provided by it may be used to achieve a direct effect.
61 Intelligence Services Act agencies should advise the responsible minister, when seeking a producing intelligence authorisation on an Australian, of the likelihood that a foreign partner may use the reporting produced to achieve a direct effect. If, during the course of the authorisation period, the agency becomes aware that a foreign partner is using the information to achieve a direct effect, the agency should notify the minister.
62 ASIO should be required to seek authorisation from the Attorney-General for unilateral activities undertaken offshore, and when communicating intelligence to a foreign partner, where it is reasonably foreseeable that undertaking the activities will result in: • the death of, or serious harm to, the Australian person • the Australian person being detained, arrested, charged with or convicted of an offence punishable by the death penalty, or • the Australian person being subject to torture or other cruel, inhuman or degrading treatment or punishment.
63 Ministerial directions or guidelines providing guidance on the meaning of the term ‘direct effect’ should be issued to each of ASIS, ASD, AGO and ASIO.
64 ASIO should not have a broad immunity from criminal liability for its activities.
65 The Attorney-General, when issuing a warrant under the Australian Security Intelligence Organisation Act, should be empowered to specify particular things ASIO can do that are necessary and proportionate to achieve the purpose of the warrant.
66 The defence in subsection 474.6(7) of the Criminal Code should be extended for ASIO so that it applies to all offences in section 474.6 (Interference with facilities). The defence should only be available where ASIO officers are acting in the course of their duties, and where that conduct is reasonable in the circumstances for the purpose of performing those duties.
67 The ONI-led National Intelligence Community Legislation Forum should be informed of all upcoming criminal law Bills to ensure consultation with all NIC agencies occurs at the policy and drafting stages, before a Bill is introduced to Parliament.
68 Applications to the Attorney-General for a special intelligence operation authorisation should only be made by the Director-General of Security.
69 A special intelligence operation authority obtained under the Australian Security Intelligence Organisation Act should continue to describe the nature of the conduct in which identified persons are authorised to engage.
70 The Intelligence Services Act should be amended to provide that the Director General of ASIS can authorise the use of a Commonwealth department or agency as the cover employer for ASIS officers.
71 The Australian Security Intelligence Organisation Act should be amended to provide that the Director-General of Security can authorise the use of a Commonwealth department or agency as the cover employer for ASIO employees and affiliates.
72 The Criminal Code should be amended to give Australian Defence Force members immunity under Part 10.7 for computer-related acts done outside Australia in the course of properly declared operations under legally approved rules of engagement.
73 The Criminal Code should not be amended to give Australian Defence Force members immunity for telecommunications offences in Part 10.6.
74 The current immunity in section 476.5 of the Criminal Code for ASIS, ASD and AGO should be extended to apply where a staff member or agent reasonably believes the relevant conduct is likely to take place outside Australia, whether or not it in fact takes place outside Australia. This should also apply to the Australian Defence Force, if it is included within the immunity in section 476.5.
75 The Surveillance Devices Act, Telecommunications (Interception and Access) Act and those parts of the Australian Security Intelligence Organisation Act governing the use of computer access and surveillance devices powers should be repealed and replaced with a new Act.
76 Agencies should continue to be required to obtain separate warrants to authorise covert access to communications, computer access or the use of a listening or optical surveillance device under a new Act. The Act should not introduce a ‘single warrant’ capable of authorising all electronic surveillance powers.
77 As part of the development of a new electronic surveillance Act, AUSTRAC should be able to access telecommunications data in its own right under arrangements consistent with other Commonwealth, state and territory law enforcement agencies presently authorised to access telecommunications data.
78 As part of the development of a new electronic surveillance Act, corrective services authorities should be granted the power to access telecommunications data, if the relevant state or territory government considers it to be necessary.
79 As part of the development of a new electronic surveillance Act: • electronic surveillance powers should be vested in the Australian Border Force, not the Department of Home Affairs, and • the Australian Border Force should also be granted the power to use tracking devices under warrant and authorisation, for the purpose of serious criminal investigations.
80 Electronic surveillance should only be authorised where it is necessary for, and proportionate to, the purposes of an investigation.
81 Electronic surveillance should be directed at persons who are under investigation, subject to limited exceptions in relation to third parties, groups, unidentified persons and foreign intelligence. To the extent that person-based, third party and group warrants are not adequate to address all cases, an object or premises based warrant should be retained.
82 Electronic surveillance warrants should be available in respect of a person who is not under investigation (a third party), where the issuing authority is satisfied that, in addition to the test for an ordinary warrant, obtaining information under a warrant in respect of the subject of the investigation would be impractical or ineffective.
83 Electronic surveillance warrants should be available in respect of a group where the issuing authority is satisfied that: • the group has engaged in, or is reasonably suspected of having engaged in, or being engaged in, or being likely to engage in common activities, that would justify the issue of an electronic surveillance warrant, and • obtaining warrants in respect of the individual members of the group would be impractical or ineffective.
84 Electronic surveillance warrants should continue to be available in respect of a person who cannot be identified at the time of the warrant application.
85 Foreign intelligence warrants with respect to foreign organisations should be retained in the new electronic surveillance Act.
86 The Attorney-General should be permitted to issue warrants authorising ASIO to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under a new Act, if satisfied that: • a person is engaged in, or is reasonably suspected of being engaged in or of being likely to engage in, activities relevant to security, and • the exercise of powers under the warrant in respect of the person is likely to substantially assist ASIO in obtaining intelligence in respect of a matter that is important in relation to security.
87 An issuing authority should be permitted to issue warrants authorising a law enforcement agency to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under a new Act, if he or she is satisfied that: • a person has committed, or is reasonably suspected of committing or of being likely to commit, an offence that is punishable by a maximum penalty of at least five years’ imprisonment, and • the exercise of powers under the warrant in respect of the person is likely to substantially assist the agency in the investigation of the offence.
88 Electronic surveillance powers should be available to the ACIC for the purposes of special investigations, as well as for evidentiary investigations carried out under the authority of a special operation.
89 Under a new electronic surveillance Act, offences should only be included as exceptions to the five year threshold for surveillance if they are punishable by at least three years’ imprisonment and the use of electronic surveillance powers is necessary in order to effectively investigate the offences.
90 Under a new electronic surveillance Act, surveillance device powers should continue to be available for the purposes of integrity operations.
91 Agencies should continue to be permitted to obtain warrants to use electronic surveillance powers to monitor persons subject to control orders, for mutual assistance purposes, to assist with an order for the recovery of a child, and other similar purposes currently contained in the Telecommunications (Interception and Access) Act and the Surveillance Devices Act.
92 The use of tracking devices should be regulated separately from other electronic surveillance powers in a new electronic surveillance Act.
93 Under a new Act, ASIO’s tracking device warrants should be subject to the same test as ASIO’s other electronic surveillance warrants.
94 A new electronic surveillance Act should allow an issuing authority to authorise a law enforcement agency to use a tracking device if satisfied that: • a person has committed, or is reasonably suspected of committing or of being likely to commit an offence that is punishable by a maximum penalty of at least three years’ imprisonment, and • the use of a tracking device under the warrant in respect of the person is likely to assist the agency in the investigation of the offence.
95 ASIO and law enforcement agencies should be permitted to internally authorise the use of a tracking device, where: • the installation and use of the device will not involve entry onto premises or interference with the interior of a vehicle without permission, and • the use of a tracking device would otherwise meet the threshold for a warrant—that is, in the case of law enforcement agencies the device will be used for the purposes of the investigation of an offence punishable by a maximum penalty of at least three years’ imprisonment, and in the case of ASIO the device will be used in respect of a matter that is important in relation to security.
96 Future reviews should re-evaluate the legal framework for tracking a person by accessing location data from carriers once the 5G network roll-out is substantially complete, to determine whether access to network data has become functionally equivalent to using a tracking device.
97 A new electronic surveillance Act should accommodate the issuing of warrants to law enforcement agencies in emergencies as follows. • An issuing authority must issue law enforcement warrants in writing wherever possible. • An issuing authority may orally authorise a warrant, on application from an agency, if he or she believes on reasonable grounds that the delay in making a written application would likely defeat the purpose of obtaining the warrant. The threshold for issuing the warrant should remain the same as for the issuing authority’s consideration of a written application.
98 The relevant minister should continue to report on law enforcement agencies’ use of time-sensitive warrants in his or her annual report.
99 Where a law enforcement warrant is authorised orally, the head of the agency should be required to make a written record and provide a copy to the Ombudsman as soon as possible. The Ombudsman should be required to provide a report to the Attorney-General on whether the agency head complied with the legislative requirements in giving the authorisation.
100 The law enforcement agency should be required to submit a written warrant application to an issuing authority as soon as possible. On receipt of the written application, the issuing authority must decide whether to issue a warrant, decline to issue a warrant, or decline to issue a warrant and invalidate the authorisation.
101 A new electronic surveillance Act should enable law enforcement agencies to use electronic surveillance powers, without a requirement to obtain a warrant, to: • prevent or lessen imminent threats to life, or of serious harm or damage to property • locate and investigate suspected kidnappings • locate missing persons, and • recover a child subject to a child recovery order, where an officer reasonably suspects that the circumstances are so urgent as to require the immediate use of the power, and that it is not practicable in the circumstances to apply for a warrant.
102 A new electronic surveillance Act should continue to permit ASIO and law enforcement agencies to use optical and listening devices, without obtaining a warrant, in limited circumstances in the performance of their duties, where: • in the case of an optical surveillance device—the installation and use does not involve unauthorised entry onto premises or interference with a vehicle or thing, and • in the case of a listening device—the device is used to record a conversation to which an officer or agent is party, or could be reasonably expected to overhear.
103 A new electronic surveillance Act should require ASIO and law enforcement agencies to specify, in writing, the people or class of people who may exercise the authority of a warrant, and to keep accurate records of all individuals involved in the execution of a warrant.
104 As part of a new electronic surveillance Act, the Attorney-General or issuing authority should have the discretion to approve an agency to vary minor, specified aspects of a warrant while it is in force, if he or she is satisfied that it is necessary to do so. Agencies should not have the authority to vary warrants beyond such minor variations.
105 When agencies make minor modifications to warrants, they should be required to: • apply the same statutory test when deciding whether to vary a warrant as the issuing authority applied at the time the warrant was issued • make any variations in writing, other than in urgent cases which should follow a similar procedure to time-sensitive authorisations, and • list and explain all variations when seeking a renewal of the warrant, or reporting to the Attorney-General.
106 The development and testing framework that is presently contained in Part 2-4 of the TIA Act should be extended to enable the Attorney-General to authorise the testing and development of electronic surveillance and cyber capabilities, as part of a new electronic surveillance Act.
107 The development and testing framework should be extended, as part of a new Act, to enable the Attorney-General to authorise the use of electronic surveillance and cyber capabilities for the purposes of: • training personnel on technologies and capabilities, and • maintaining, improving, repairing and evaluating the performance of technologies and capabilities.
108 The development and testing authorisation framework should permit the Attorney General to authorise the retention of information obtained under another testing authorisation, or a separate warrant, authorisation or power, as well as non compliant information, as part of a new Act.
109 The core definitions in a new electronic surveillance Act should: • provide clarity to agencies, oversight bodies and the public about the scope of agencies’ powers • ensure that there are no gaps in the types of information that agencies may intercept, access or obtain under warrants and authorisations, and • be capable of applying to new technologies over time.
110 A new electronic surveillance Act should not require carriers, carriage service providers or other regulated companies to develop and maintain ‘attribute based’ interception capabilities. These companies should continue to be required to develop and maintain the capability to intercept communications sent and received by specified services and devices.
111 Under a new electronic surveillance Act, the Attorney-General should be given the power to require a company to develop and maintain a specified attribute based interception capability. If such a capability has been developed, agencies should be able to obtain attribute-based interception warrants in cases where it will be practicable for the warrant to be executed.
112 As part of a new electronic surveillance Act, ASIO and law enforcement agencies should be permitted to use their own attribute-based interception capabilities, in conjunction with service providers, under warrant.
113 As part of a new electronic surveillance Act, law enforcement agencies should continue to be able to request an issuing authority to impose a condition or restriction on a warrant, requiring that specified communications that are unlikely to be relevant to the matter under investigation not be intercepted, or be promptly destroyed once they are delivered to the agency.
114 Interception warrants issued under a new electronic surveillance Act should be capable of authorising the interception of communications by reference to one or more services or devices that the person (or group) who is the subject of the warrant uses, or is likely to use.
115 Law enforcement agencies should only be permitted to use deployable interception capabilities, beyond the circumstances presently provided for in the TIA Act, under the following conditions: • where the agency has certified, in consultation with service providers, that the use of its capabilities will not interfere with the operation of the telecommunications network, and • subject to the development of arrangements for agencies to compensate a service provider, should the use of their capabilities cause damage to, or seriously disrupt, the telecommunications network.
116 A new electronic surveillance Act should retain specific secrecy offences for the use and disclosure of, and other dealings with, information obtained by, and relating to, electronic surveillance.
117 A new electronic surveillance Act should continue to prohibit the use and disclosure of, and other dealings with, information obtained as a result of unlawful surveillance activities.
118 Secrecy offences in a new electronic surveillance Act should apply to a defined category of ‘entrusted persons’, who have obtained information in an official capacity, or under an agreement or arrangement with an agency. The offences applying to ‘entrusted persons’ should not require that the disclosure or other conduct cause, or be likely or intended to cause, harm to an essential public interest.
119 Secrecy offences in a new electronic surveillance Act should continue to apply to ‘outsiders’. However, the ‘outsider’ offences should differentiate between information obtained by electronic surveillance and information related to, or otherwise connected with, electronic surveillance—the latter of which should require that the disclosure or other conduct cause, or be likely or intended to cause, harm to an essential public interest.
120 Existing use and disclosure provisions in the Surveillance Devices Act and the Telecommunications (Interception and Access) Act should be replaced with simple, principles-based rules that maintain strict limitations on the use and disclosure of information obtained by electronic surveillance.
121 A new electronic surveillance Act should permit the use and disclosure of, and other dealings with, surveillance information for the purpose for which the information was originally and lawfully obtained.
122 A new electronic surveillance Act should permit agencies to use, disclose and otherwise deal with surveillance information for a defined range of secondary purposes, including: • the performance of functions by ASIO, ASIS, ASD, AGO, ACIC, IGIS and the Commonwealth Ombudsman • the investigating or prosecuting of a criminal offence punishable by a maximum penalty of at least three years’ imprisonment • crime-related proceedings, such as bail, parole, proceeds of crime, control order, preventative detention order or continuing detention order proceedings • purposes relating to corruption or serious misconduct by public officials • the provision of mutual legal assistance to a foreign country under the Mutual Assistance in Criminal Matters Act 1987, and • the prevention or lessening of a serious risk to individual life, health or safety, or substantial damage to property.
123 A new electronic surveillance Act should continue to permit the use and disclosure of, and other dealings with, surveillance information for a defined range of miscellaneous purposes that fall outside the scope of the recommended primary and secondary purpose provisions.
124 A new electronic surveillance Act should enable agencies to disclose surveillance information to any person or authority, provided the disclosure is for a permitted purpose.
125 A new electronic surveillance Act should require ASIO to destroy records of information obtained by electronic surveillance, as soon as reasonably practicable after the information is no longer required for the performance of its functions or exercise of its powers, and to ensure such information is rendered inaccessible pending its destruction.
126 A new electronic surveillance Act should require law enforcement agencies to destroy records of information obtained by electronic surveillance and ensure the information is inaccessible pending destruction, as soon as reasonably practicable after: • the agency is satisfied that the records are not required for a specified purpose (being a purpose for which the information may be used and disclosed), or • five years unless the agency positively certifies the records are required for a specified purpose.
127 A new electronic surveillance Act should require Commonwealth, state and territory agencies (other than ASIO, IS Act agencies and law enforcement agencies) to destroy records of information obtained by electronic surveillance consistent with the destruction requirement for law enforcement agencies recommended above. IS Act agencies should be subject to destruction requirements consistent with their privacy rules.
128 ASIO conduct under a new electronic surveillance Act should continue to be overseen by the IGIS.
129 The Commonwealth Ombudsman should have oversight responsibility for the use of Commonwealth electronic surveillance powers by all agencies other than ASIO.
130 The existing ability of the Commonwealth Ombudsman to exchange information with state and territory counterparts should be maintained.
131 The Ombudsman should oversee the compliance of all agencies (other than ASIO) with a new electronic surveillance Act, including state and territory agencies.
132 Under a new electronic surveillance Act, the Ombudsman’s reporting requirements should be harmonised, including so that all reports are tabled by the Minister in full, except where information has been redacted in order to avoid prejudice to security, the defence of Australia, Australia’s relations with other countries, law enforcement operations, the privacy of individuals or to avoid danger to a person’s safety.
135 A common legislative framework for NIC information sharing, either in the form of a single Act that regulates information sharing or a new Act that facilitates information sharing, should not be adopted.
136 Exclusions in the spent convictions scheme in Part VIIC of the Crimes Act should be expanded to enable ASIO to use, record and disclose spent conviction information for the performance of its functions.
137 NIC agencies do not require new powers or authorities to collect or obtain reference information.
138 The collection, retention and use of reference information by AUSTRAC, Home Affairs and the AFP should continue to be regulated by the Privacy Act and specific statutory frameworks.
139 The ASIO Guidelines and the Privacy Rules for ASIS, ASD, AGO, ONI, DIO and the ACIC should be amended to deal with the collection, retention, use and disclosure of reference information concerning Australian persons.
140 85 The ASIO Guidelines and the Privacy Rules for ASIS, ASD, AGO, ONI, DIO and the ACIC should require each agency to regularly review its holdings of reference information, and to destroy information unless it is necessary and proportionate to continue retaining it. Any such requirement should reflect each agency’s functions and activities, including the ACIC’s statutory function of holding national policing information on behalf of Commonwealth, state and territory law enforcement agencies.
141 Future Independent Intelligence Reviews should reconsider whether statutory controls on the collection, retention or use of reference data are required.
142 Specific secrecy offences are not required to protect the identities of ASD officers or members of the ADF Special Operations Command.
117 The secrecy offences in sections 39-40M of the Intelligence Services Act should be consolidated. The scope of the offences should not be expanded.
144 Current mechanisms for public interest disclosures of information obtained by, or relating to, NIC agencies remain appropriate. Neither the specific secrecy offences applying to NIC agencies, nor the general secrecy offences in the Criminal Code, should be amended to include an exception or defence for disclosures made in the public interest.
145 The IGIS should be subject to a legislative requirement to report annually on public interest disclosures received by, and complaints about similar conduct made to, the IGIS.
146 Specific secrecy offences applying to agencies within the IGIS’ jurisdiction should contain exceptions to permit disclosures of information to, and by, IGIS officials.
154 ONI should coordinate NIC agencies’ development of governance and ethical frameworks for the use of artificial intelligence capabilities for intelligence purposes.
155 The requirement to have human involvement in significant or adverse decisions made by automated capabilities or artificial intelligence should be maintained. Similar controls should be included when new artificial intelligence capabilities are developed and implemented.
156 Where a NIC agency relies on an artificial intelligence capability to contribute to the production of intelligence that is subsequently relied on to make a decision (by that agency or another government entity), the NIC agency should be able to explain how it produced that intelligence—including how the artificial intelligence capability contributed to that intelligence.
157 Artificial intelligence capabilities, and their outputs, should not be protected from examination in legal proceedings merely because of the involvement of artificial intelligence.
158 Future Independent Intelligence Reviews should consider the use of artificial intelligence for intelligence purposes.
159 The PJCIS should receive a briefing from agencies on the development of their artificial intelligence-based intelligence capabilities at least once per year.
160 ASIO already lawfully engages in threat reduction and disruption activities and there is no need for it to have a statutory threat reduction or disruption function.
161 ASD’s cybercrime function under section 7(1)(c) of the Intelligence Services Act should not be extended to apply onshore.
162 The AFP, with ASD’s assistance, should develop high end capability to fight cybercrime and fully utilise its existing powers to disrupt online offending.
163 The Australian Crime Commission Act should not be amended to introduce a covert or delayed notification search warrant power for the ACIC.
164 The Australian Crime Commission Act should not be amended to allow the conduct of coercive examinations offshore.
165 The Australian Crime Commission Act should not be amended to include a civil immunity for private sector bodies that have provided information to the ACIC voluntarily or on request.
166 The ACIC’s notice to produce powers under the Australian Crime Commission Act should not be amended to allow it to compel the ongoing disclosure of information over a particular time period.
167 ASIS, AGO, ASD, ONI and DIO should be excluded from the Commonwealth Ombudsman’s jurisdiction.
168 The IGIS should not have oversight of the Department of Home Affairs or the AFP as recommended in the 2017 IIR.
169 Legislation establishing oversight responsibilities for the NIC should take a functional approach. Oversight should follow intelligence function, regardless of the structures used to support performance of the function.
170 The IGIS and Ombudsman should be consulted as a matter of course in relation to all proposed amendments to intelligence legislation affecting matters within their jurisdiction to ensure that oversight issues can be addressed upfront. This requirement should be included in the Legislation Handbook.
171 The Attorney-General should issue publicly available guidelines for embedding oversight into NIC legislation. The guidelines should include the following principles: 171.a Legislation should clearly state oversight bodies’ jurisdiction. 171.b Any duplication in oversight jurisdiction should be minimised where possible, while recognising that the elimination of all overlap would also give rise to unintended gaps. 171.c Laws and guidelines governing NIC agencies should be clear, precise and unambiguous in their terms and in their interaction with each other. 171.d Legislation should allow oversight bodies to exercise discretion in managing their oversight functions and responsibilities. 171.e NIC oversight legislation should avoid overly prescriptive and detailed inspection or reporting requirements. 171.f Oversight bodies should be able to access all relevant information from intelligence agencies and appropriately share information between themselves. 171.g Careful consideration should be given to dissemination of reports by an oversight body. 171.h NIC agencies should be required to actively provide information to an oversight body about the use of extraordinary powers. 171.i Legislation (or guidelines, as appropriate) should be clear about record keeping obligations and facilitate meaningful oversight. 171.j Oversight bodies should have a role in supporting the continuous improvement of agencies’ legislative compliance by sharing their expertise on compliance best practice, and regularly reviewing agencies’ guidance materials.
172 The Inspector-General of Intelligence and Security Act should be amended to preclude the appointment to the Office of the IGIS of a person whose immediate prior role was as head or deputy head of an agency within the IGIS’ oversight remit.
173 An independent panel should be established to provide technical expertise and assistance to the IGIS.
174 The Inspector-General of Intelligence and Security Act should be amended to give the IGIS an inquiry function for employment related grievances of staff employed under the Office of National Intelligence Act.
175 Agencies should seek legal advice through in-house counsel or the Australian Government Solicitor, in a manner consistent with the Legal Services Directions.
176 The Australian Government Solicitor should centrally and electronically store all classified legal advices provided to National Intelligence Community agencies.
177 The Independent National Security Legislation Monitor Act should be amended to provide that the INSLM may prepare and give to the Attorney-General a report on any matter relating to the performance of the INSLM’s functions at any time. The Attorney-General should be required to table an (unclassified) copy of the report in each House of the Parliament within a reasonable time of receiving the report.
178 As a matter of good practice, the Government should provide a publicly available response to the INSLM’s recommendations within 12 months of the INSLM’s report being tabled in Parliament.
179 The Independent Reviewer of Adverse Security Assessments should continue as a standing arrangement.
180 The remit of the Parliamentary Joint Committee on Intelligence and Security should not be expanded to include direct oversight of operational activities, whether past or current.\
181 181.a The IIR recommendation to enable the PJCIS to request the IGIS to conduct an inquiry into the legality and propriety of particular operational activities, and report to the PJCIS, Prime Minister and responsible minister, should be implemented. 181.b Changes to enable the PJCIS to make such a request should make it clear that the PJCIS can only request, not oblige, the IGIS to conduct an inquiry. 181.c The amendments should also maintain the current restriction that prevents the PJCIS from requiring a person or body to disclose operationally sensitive information or information that would or might prejudice Australia’s national security or the conduct of Australia’s foreign relations.
182 Existing restrictions that apply to information disclosure by the PJCIS should continue to apply in respect of the Inspector-General of Intelligence and Security’s reports or briefings to the PJCIS on its inquiries.
183 The Intelligence Services Act should be amended so that the PJCIS is only limited to not reviewing agency compliance with agency privacy rules, leaving scope for it to review the rules as made. Table of recommendations—Volume 4
184 ASIS, ASIO, ASD, DIO and ONI should continue to be exempt from the operation of the Freedom of Information Act.
185 The Department Home Affairs, including its Intelligence Division, should remain subject to the Freedom of Information Act.
186 The Freedom of Information Act should be amended to remove AGO’s exemption in respect of its non-intelligence function.
187 The ACIC should remain subject to the Freedom of Information Act.
188 In respect of AUSTRAC, consistent protections should be afforded to Suspicious Matter Reports and Suspicious Transaction Reports under the Freedom of Information Act.
189 ASIO, ASIS, ASD, AGO, DIO and ACIC should be required, by legislation, to have legally-binding privacy guidelines or rules. These rules should be made public (except to the extent that those rules contain classified information).
190 The identities of ASIO and ASIS staff members and agents should be protected from disclosure under the Archives Act.
191 All security matters arising under the Archives Act should be heard in the Security Division of the Administrative Appeals Tribunal.
192 The Freedom of Information Act and Archives Act should be amended so that the IGIS is only required to provide evidence that addresses the damage that would, or could reasonably be expected to, arise from the release of material where the matter involves one or more of the agencies that the IGIS oversees.
193 The definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act should be amended to include the exercise of powers or functions in relation to parole, security guard licences and firearms licences.
194 A regulation making power should be inserted into the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 194.a The regulation making power should allow regulations to add an action to the definition of ‘prescribed administrative action’ where that action has potential to affect an individual’s liberty or livelihood. Matters relating to security would be a key consideration in taking that action. 194.b Regulations made under the regulation making power should be reviewed by the PJCIS before the end of the applicable disallowance period in each Chamber prior to coming into effect.
195 195.a A decision to suspend or revoke an ASIS staff member’s security clearance should fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 195.b A decision to suspend access to information or places which are controlled or limited on security grounds while a decision to revoke or suspend a clearance is reviewed should not fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act. 195.c A decision to deny access to information or places which are controlled or limited on security grounds once a decision to revoke a security clearance is confirmed should not fall within the definition of ‘prescribed administrative action’ in the Australian Security Intelligence Organisation Act.
196 196.a ASIO’s passage of vetting information on former ASIO staff and unsuccessful ASIO applicants should not be exempted from the operation of Part IV. 196.b ASIO’s passage of third party information or unassessed lead information to a Commonwealth or state agency for the purposes of prescribed administrative action should not be exempted from the operation of Part IV.
197 ASIO security assessments prepared for the purpose of informing the Foreign Investment Review Board should be exempted from the operation of Part IV of the Australian Security Intelligence Organisation Act.
198 The Australian Security Intelligence Organisation Act should be amended to allow ASIO to make a preliminary communication directly to a state or territory agency where the requirements of security make it necessary, as a matter of urgency, to take action of a temporary nature pending the furnishing of a security assessment.
199 The Australian Security Intelligence Organisation Act should be amended to require ASIO to notify the IGIS in every instance where it has taken more than 12 months to finalise a security assessment, and subject to the requirements of security, notify the individual in writing of their ability to make a written complaint under the Inspector-General of Intelligence and Security Act. If the requirements of security do not permit notification of the individual, IGIS must be notified of this fact.
200 A person the subject of an ACIC assessment that may be acted on by the recipient in a decision that affects the employment or liberty of the person should be notified of that assessment and given the opportunity to seek review.
201 DIO assessments should not be subject to rights of notification and review similar to those in Part IV of the Australian Security Intelligence Organisation Act.
202 The National Security Information (Criminal and Civil Proceedings) Act should be amended to include a rebuttable presumption to protect the identity of ASIO and ASIS staff member and agents. The presumption should preserve the court’s discretion and ensure that the respondent is given notice of the fact that the rebuttable presumption is engaged in a particular case.
203 The offences in Part 5 of the National Security Information (Criminal and Civil Proceedings) Act should be reviewed and redrafted to include a tiered range of offences with penalties commensurate to the fault elements specified.
The Review was to 'comprehensively examine the effectiveness of the legislative framework for the National Intelligence Community (NIC) and prepare findings and recommendations for any reforms', considering
• the legislation relating to the six Australian Intelligence Community (AIC) agencies, as well as the Australian Federal Police (AFP), Australian Criminal Intelligence Commission (ACIC), Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Department of Home Affairs to the extent their legislative provisions relate to the intelligence activities of these four agencies;
• the appropriateness of maintaining the current distinction between Foreign Intelligence and Security Intelligence, and legislative distinctions and restrictions relating to intelligence collection onshore and offshore;
• whether Australia should adopt a common legislative framework, as has been done in the United Kingdom and New Zealand;
• improvements that could be made to ensure that the legislative framework for the NIC:
o facilitates the general co-ordination and appropriate control and direction of each agency comprising the NIC in relation to the exercise of intelligence powers and functions, and of the NIC as a whole;
o supports effective co-operation, liaison and sharing of information between NIC agencies, and between NIC agencies and Commonwealth, State, Territory, foreign government and other partners, for intelligence purposes;
o supports the intelligence purposes, functions, administration and staffing (including recruiting) of each agency comprising the NIC;
o provides for accountability and oversight that is transparent and as consistent across the NIC agencies as is practicably feasible.
• any specific proposals for reform, such as Recommendation 16(c) of the Independent Intelligence Review.
• core legislation relating to the six AIC agencies, such as the Australian Security Intelligence Organisation Act 1979, the Office of National Assessments Act 1977, including proposed legislation to give effect to the transition to the Office of National Intelligence, and Intelligence Services Act 2001, including amendments contained in the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 to establish ASD as an independent statutory agency;
• elements of core legislation relating to the AFP, ACIC, AUSTRAC and Department of Home Affairs, such as the Australian Federal Police Act 1979 to the extent it relates to the performance of their intelligence functions as part of the NIC;
• legislation containing NIC agency investigative powers, such as the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979;
• the adequacy of national security information handling provisions under the National Security Information Act 2004, including the protection of information relating to counter terrorism and foreign interference prosecutions;
• oversight-related legislation, such as the Inspector-General of Intelligence and Security Act 1986 and Independent National Security Legislation Monitor Act 2010.
The report states
This is a long report—over 1,300 pages across four volumes. The terms of reference were extensive. The Government allocated a budget of over $18 million and a full time secretariat of over 20 people worked on the Review for about 18 months.
Very few readers of this report will have a need (or inclination!) to read the whole four volumes. But in addition to exploring and analysing the precise nature of proposed reforms in one of the most complex areas of legislation, the report provides a template for the reform process.
Unlike seminal reviews of the past, dramatic circumstances have not given rise to this Review.
The legal frameworks governing the National Intelligence Community (NIC) are carefully considered, balancing competing interests—individual liberties and collective security. They preserve the values and principles that underpin the NIC, and indeed our democratic society.
Our observations and recommendations are intended to preserve the principled underpinnings of the legislative framework, build on those principles where reform is required, and to provide guidance to inform future calls for reform.
The Review has greatly benefited from engagement with, and submissions from, the NIC, relevant departments, oversight agencies and states and territories. We have also engaged with non government organisations, leading authorities and eminent persons—here in Australia and abroad. We have examined the legislative frameworks in comparable democracies: each of the Five Eyes, as well as France and the Netherlands. All contributors have provided constructive and thoughtful observations which have informed our work. A list of organisations and people with whom we have consulted is at Annex A.
The Review itself was a learning process for both agencies and the Review team. Views and positions changed and developed, highlighting the benefit of a deliberate approach to significant legislative reform. Where possible, we sought agreement with and between agencies, but avoided a search for consensus for its own sake. Not all agencies or interest groups will therefore agree with all recommendations. Indeed, some of the recommendations will be controversial.