Rationale for the exemption of the intelligence and defence intelligence agencies

34.14 The Inspector-General of Intelligence and Security (IGIS), the main body charged with oversight of the intelligence and defence intelligence agencies, has stated that one of the reasons why the Australian intelligence agencies should be exempt, or partially exempt, from the provisions of the Privacy Act is that ‘it is necessary for the agencies to protect their sources, capabilities and methods if they are to function effectively’.[24] Other reasons for the exemption include that: there already are adequate privacy requirements applying to the intelligence and defence intelligence agencies contained in legislation, ministerial directions and guidelines; there are robust accountability and oversight mechanisms applying to the agencies; and the exemption is consistent with international standards. These reasons are discussed below.

Privacy requirements

Legislation

34.15 Intelligence and defence intelligence agencies only may collect intelligence on Australians under warrant or authorisation by a responsible minister. As discussed below, the Intelligence Services Act sets out the circumstances in which the responsible minister may authorise intelligence activity by the ASIS, the DIGO or the DSD against an Australian person.

34.16 Section 8 of the Intelligence Services Act provides that the responsible minister must issue a direction requiring ASIS, the DIGO or the DSD to obtain an authorisation under s 9 from the minister before undertaking intelligence activity on an Australian person. Section 32B of the Inspector-General of Intelligence and Security Act 1986 (Cth) (IGIS Act) requires the minister to give a copy of any such direction to the IGIS as soon as practicable after it is given. The validity of a ministerial authorisation given under s 9 is limited to no more than six months, and may be renewed only if the relevant minister is satisfied that it is necessary for the authorisation to continue to have effect.[25] A copy of the authorisation must be kept by the agency and made available for inspection on request by the IGIS.[26]

34.17 The agency heads of ASIS, the DIGO and the DSD must give to the responsible minister a written report in respect of intelligence activities carried out by the agency in reliance on a ministerial authorisation. The report must be provided to the minister within three months from the day on which the authorisation ceased to have effect.[27]

34.18 The Intelligence Services Act also sets out limits on the functions of ASIS, the DIGO and the DSD. The functions are only to be performed in the interests of Australia’s national security, foreign relations and national economic well-being, and ‘to the extent that those matters are affected by the capabilities, intentions or activities of people or organisations outside Australia’.[28] These three agencies are prohibited from undertaking any activity that is unnecessary for the proper performance of their functions, or not authorised or required by or under another Act.[29]

34.19 Generally, ASIO may collect information relevant to security under warrant.[30] In addition, only the Director-General of Security, or an ASIO officer authorised by the Director-General, can communicate intelligence on behalf of ASIO. It is an offence for an ASIO employee or agent to convey information acquired in the course of his or her duties outside ASIO without the authority of the Director-General of Security. The Director-General of Security may authorise an ASIO officer to communicate information to authorities of any other country approved by the Director-General.[31] Section 20 of the ASIO Act places a special responsibility upon the Director­-General of Security to take all reasonable steps to ensure that the work of ASIO is limited to what is necessary for the purposes of the discharge of ASIO’s functions.

Attorney-General’s guidelines issued under the Australian Security Intelligence Organisation Act 1979 (Cth)

34.20 Under s 8A of the ASIO Act, the Attorney-General may give the Director-General of Security guidelines to be observed by ASIO in the performance of its functions or the exercise of its powers. In 1992, the then Attorney-General issued two separate guidelines concerning the performance by ASIO of its functions relating to obtaining intelligence relevant to security and politically motivated violence.[32] These guidelines have been revised in late 2007 and combined into a single set of guidelines (Attorney-General’s Guidelines).[33] The Attorney-General’s Guidelines contain general guidance on obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), as well as specific guidance on the treatment of personal information.

34.21 In terms of general guidance, the Attorney-General’s Guidelines specify the purposes for which ASIO may collect, maintain, analyse and assess information relevant to security, and the types of information that may be collected.[34] The Director-General of Security is required to establish processes to ensure that all requests for information from external agencies are authorised at an appropriate level.[35] In conducting its inquiries and investigations, ASIO must obtain information in a lawful, timely and efficient way.[36] The means of obtaining information must be proportionate to the gravity of the threat and the probability of its occurrence, and inquiries and investigations should be conducted ‘using as little intrusion into individual privacy as possible’.[37] The least intrusive techniques of information collection should be used whenever possible.[38] A greater degree of intrusion may be justified, however, where a threat is assessed as likely to develop quickly; or where there is a threat of politically motivated violence against specified persons or classes of persons, such as internationally protected persons.[39] The seniority of the officer required to approve an investigative technique should increase with the level of intrusiveness of the technique.[40]

34.22 Guideline 13 of the Attorney-General’s Guidelines specifically deals with the collection, use and disclosure of personal information, as well as data quality and data security. It requires that ASIO only collect, use, handle or disclose personal information for purposes connected with its statutory functions.[41] The Director-General is required to:

  • take all reasonable steps to ensure that ASIO does not collect, use, handle or disclose personal information unless it is reasonably necessary for the performance of its statutory functions;

  • ensure that all reasonable steps are taken to ensure that the personal information held, used or disclosed by ASIO is accurate and not misleading; and

  • ensure that all personal information collected or held by ASIO is protected by reasonable security measures against loss and unauthorised access, use or modification.[42]

34.23 The Attorney-General’s Guidelines also contain record-keeping requirements on all requests for personal information by ASIO, all personal information received in response to such requests, and all communication by ASIO of personal information for purposes relevant to security or as otherwise authorised. These records must be open to inspection by the IGIS.[43] In addition, the Attorney-General’s Guidelines state that, where an inquiry or investigation concludes that a subject’s activities are not, or are no longer, relevant to security, the relevant records are to be destroyed pursuant to disposal schedules agreed to between ASIO and the National Archives of Australia.[44]

34.24 The IGIS has oversight responsibility to ensure that ASIO complies with the Attorney-General’s Guidelines in conducting its activities. During 2006–07, the IGIS reported that his office inspected records associated with a wide range of ASIO activities, including warrant operations, approvals to commence an investigation, and reviews of investigations. The IGIS stated that the quality of the requests for warrant made to the Attorney-General have been ‘of a consistently high standard’. The IGIS also reported his overall satisfaction with ASIO’s adherence to the Attorney-General’s Guidelines in relation to the obtaining and review of approvals to investigate. He noted several instances of ‘minor procedural defects’ during the reporting period, but did not consider that there were any systemic concerns.[45]

Privacy rules issued under the Intelligence Services Act 2001 (Cth)

34.25 Under s 15 of the Intelligence Services Act, the responsible minister is required to make written rules regulating the communication and retention by the DIGO, the DSD and ASIS of intelligence information concerning Australians. Before making the rules, the responsible minister must consult with the head of the relevant agency as well as the IGIS and the Attorney-General.

34.26 The current privacy rules for ASIS, the DSD and the DIGO are broadly consistent with each other.[46] The rules provide for the circumstances in which the agency may communicate and retain intelligence information concerning an Australian person. In addition, they provide that where the agency has communicated intelligence information concerning an Australian person contrary to the rules, or because it had presumed wrongly that a person was not an Australian person, the agency shall immediately consult with or inform the IGIS of the measures taken to protect the privacy of the Australian person.[47] The rules, however, do not require the agency to observe particular standards when engaging in other information-handling practices that are dealt with in the Information Privacy Principles (IPPs), such as accuracy, storage and security of personal information.

34.27 In his annual report for 2006–07, the IGIS stated that his office undertook on-going monitoring of ASIS’s compliance with privacy rules. He also reviewed regularly reports containing secret intelligence information to ensure that the information was handled in accordance with the requirements of the Intelligence Service Act and the privacy rules. The IGIS reported that that he has ‘seen no privacy abuses in the material we have access to, and that there is a commitment within ASIS to the rigorous application of the privacy rules’.[48]

34.28 In relation to the DSD, the IGIS reported that a fully-staffed section within the DSD monitors the DSD’s compliance with the privacy rules, and his office fulfils a similar function independently of the DSD. He stated that there was a regular dialogue between the DSD and his office on privacy issues, and that he was satisfied that the incidence of Australian persons being identified in DSD’s reporting was extremely low relative to the number of reports DSD disseminated. In addition, the IGIS stated that notwithstanding the highly intrusive nature of DSD’s work, privacy issues were taken very seriously by the DSD.[49]

34.29 During 2006–07, the IGIS visited DIGO headquarters every two months and ‘closely examined all tasking requests DIGO receives which might impact upon Australian persons or interests, for compliance with the DIGO’s privacy rules’. He commented that, while a uniform approach to the handling of privacy-related matters by foreign intelligence collection agencies is commendable, it presented certain challenges for DIGO due to DIGO’s predominantly image-based reporting on property or premises that may fall within the definition of an ‘Australian person’. The IGIS stated, however, that ‘the vast majority of DIGO’s reporting has an off-shore focus, and that the privacy rules come into play relatively infrequently’. The IGIS was satisfied that the DIGO was committed to applying the privacy rules, and that it ‘was inclined to take a cautious and conservative approach rather than to disregard the requirements of the rules’.[50]

Administrative privacy guidelines

34.30 Unlike ASIS, the DSD and the DIGO, the ONA and the DIO are not required by legislation to have privacy rules or guidelines in place. A review of the Intelligence Services Act in 2005–06 coordinated by the Department of the Prime Minister and Cabinet resulted in a government decision that the ONA and the DIO should be subject to privacy guidelines consistent with the requirements placed on ASIS, the DSD and the DIGO. The ONA and the DIO have since developed and implemented privacy guidelines that are broadly consistent with those in use elsewhere by other intelligence and defence intelligence agencies. The IGIS was consulted by the ONA and the DIO in the development of the guidelines.[51] Both sets of guidelines have been in effect since December 2005.[52]

34.31 The purpose of the guidelines is to ensure that in the agencies’ external communications, the privacy of Australians is preserved as far as is consistent with the proper performance of the agencies’ functions.[53] The guidelines for the ONA and the DIO constitute a direction to all agency staff by the responsible minister.[54] Copies of the guidelines are annexed to the IGIS’s Annual Report for 2005–06, and the ONA’s privacy guidelines also are available on its website.[55]

34.32 During the reporting period 2006–07, the IGIS conducted five inspections of the ONA and another five of the DIO to ascertain the extent of compliance with the guidelines. The IGIS was generally satisfied with the quality of the documentation and the thorough implementation of the guidelines at both the DIO and the ONA. The IGIS also reported that the DIO and the ONA have continued to educate analysts on how to apply, and report on compliance with, the guidelines. In the most recent Annual Report, the IGIS stated that he intended to continue to conduct inspections of the DIO and the ONA every three months to monitor compliance with the guidelines.[56]

Protective Security Manual

34.33 In addition to privacy rules and guidelines that apply to individual agencies, all the intelligence and defence intelligence agencies are required to comply with the Protective Security Manual. The Protective Security Manual is a policy document produced, and periodically revised, by the Attorney-General’s Department (AGD) on behalf of the Protective Security Policy Committee.

It is the principal means for disseminating Australian Government protective security policies, principles, standards and procedures, to be followed by all Australian Government agencies for the protection of official resources.[57]

34.34 The Protective Security Manual sets out guidelines and minimum standards relating to protective security for Australian Government agencies and officers, as well as for contractors and their employees who perform services for the Australian Government. Of particular relevance is Part C of the Protective Security Manual, which provides ‘guidance on the classification system and the protective standards required to protect both electronic and paper-based security classified information’.[58] This part sets out minimum standards addressing the use, access, copying, storage, security and disposal of classified information.

34.35 Although the Protective Security Manual—as it applies to the intelligence and defence intelligence agencies—addresses some of the privacy issues that are not dealt with under these agencies’ privacy rules or guidelines, the privacy protections under the Protective Security Manual guidelines are restricted to security classified information. Other matters under the IPPs, such as the accuracy of personal information, are not dealt with.

34.36 The intelligence and defence intelligence agencies also are required to comply with the Australian Government Information and Communications Technology Security Manual (ACSI 33), which provides guidance to Australian Government agencies on the protection of their information and communication technology systems.[59]

34.37 In its report, Keeping Secrets: The Protection of Classified and Security Sensitive Information (ALRC 98), the ALRC recommended that a revised Protective Security Manual be placed in the public domain, with any sensitive security information removed.[60] In September 2005, the AGD released a revised Protective Security Manual. The availability of the manual, however, remains restricted to Australian Government agencies. The ALRC continues to be of the view that the Protective Security Manual should be a publicly available document, as recommended in ALRC 98.

Secrecy provisions

34.38 Sections 39, 39A and 40 of the Intelligence Services Act prohibit the communication of any information or matter that was prepared by or on behalf of ASIS, the DIGO or the DSD in connection with their functions. These provisions apply to a person who: is a current or former staff member of ASIS, the DIGO or the DSD; has entered into a contract, agreement or arrangement with one of these agencies; or has been an employee or agent of a person who has entered into a contract, agreement or arrangement with one of these agencies.

34.39 Similarly, it is an offence for an ASIO employee or agent to convey information acquired in the course of his or her duties outside ASIO without the authority of the Director-General of Security.[61]

Accountability and oversight mechanisms

34.40 Whether intelligence and defence intelligence agencies should continue to be exempt from the operation of the Privacy Act depends, in part, on whether current accountability principles and oversight mechanisms adequately address privacy issues.

Inspector-General of Intelligence and Security

34.41 The IGIS is an independent statutory officer who is responsible for ensuring that the intelligence and defence intelligence agencies conduct their activities legally, behave with propriety, comply with any directions and guidelines from the responsible minister, and have regard for human rights, including privacy. To ensure the independence of the office, the IGIS is appointed by the Governor-General for a fixed term of five years and can be dismissed only on limited grounds.[62] An IGIS cannot be appointed more than twice.[63]

34.42 The IGIS conducts inquiries, investigates complaints, makes recommendations to government and provides annual reports to the Australian Parliament. Sections 8 and 11 of the IGIS Act allow the IGIS to undertake inquiries in response to a complaint, at the request of the responsible minister or on the IGIS’s own initiative, into a number of matters relating to the operations of the intelligence and defence intelligence agencies—including their compliance with the law, ministerial directions and guidelines, propriety and human rights standards.[64] The IGIS is directly accountable to the Prime Minister.

34.43 When exercising its inquiry function, the IGIS has significant powers that are similar to those of a Royal Commission. The IGIS has powers to obtain information, require persons to answer questions and produce documents, take sworn evidence and enter the premises of any intelligence or defence intelligence agency.[65] Under s 20 of the IGIS Act, the IGIS may obtain documents with a national security classification for the purposes of an inquiry. The IGIS must make arrangements with the head of the relevant agency for the protection of those documents while they remain in the IGIS’s possession, and for their return.

34.44 The IGIS has conducted several inquiries into the activities of intelligence and defence intelligence agencies, including inquiries into: intelligence activities in relation to the Tampa incident; terrorist attacks in Bali in October 2002; allegations that the DSD intercepted communications of the Hon Laurie Brereton MP; and concerns raised about the DIO by Lieutenant Colonel Lance Collins.[66]

Ministerial oversight

34.45 The heads of the intelligence and defence intelligence agencies are responsible to their respective ministers in accordance with normal governance arrangements. The IGIS also assists ministers in their oversight of the intelligence and defence intelligence agencies by conducting inquiries into the agencies at the request of the ministers.[67]

34.46 In addition, the intelligence and defence intelligence agencies are guided by the National Security Committee, which sets broad policy and priorities for the agencies. The Committee is supported by the Secretaries Committee on National Security (SCNS), a committee of senior officials chaired by the Secretary of the Department of the Prime Minister and Cabinet and attended by the secretaries of the National Security Committee’s portfolio departments, the Director-General of the ONA and the Director-General of Security. The SCNS advises the National Security Committee on national security policy, coordinates implementation of policies and programs relevant to national security, and guides departments and agencies involved in intelligence and security.[68]

Parliamentary oversight

34.47 Under s 29 of the Intelligence Services Act, the oversight responsibilities of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) include:

  • reviewing the administration and expenditure of intelligence and defence intelligence agencies;

  • reviewing any matter in relation to the intelligence and defence intelligence agencies referred to the Committee by the responsible minister or a resolution of either House of the Parliament; and

  • reporting the Committee’s comments and recommendations to each House of the Parliament and to the responsible minister.[69]

34.48 The intelligence and defence intelligence agencies also are subject to scrutiny by Senate legislation committees in respect of their finance and administration, particularly their budget allocations. In addition, the IGIS is accountable to the Senate Finance and Public Administration Committee.[70]

34.49 ASIO produces an unclassified annual report for tabling in Parliament. It also provides a classified annual report to the Attorney-General, the Prime Minister and the Leader of the Opposition on its activities.[71] In the annual reports of the Department of Defence and the IGIS, broad references are made to the activities of the DIGO, DSD and the DIO. The heads of ASIS and the ONA must provide the responsible minister with a report on their operations at least annually.[72] Although these annual reports are not made public, both ASIS and the ONA also produce unclassified budget documents.[73]

Royal Commissions and other inquiries

34.50 The intelligence and defence intelligence agencies have been the subject of several Royal Commissions and a number of other inquiries. The Hon Justice Robert Hope conducted two Royal Commissions into these agencies during the 1970s and 1980s, which broadly established their current structure, functions and processes.[74] In March 1995, the Hon Gordon Samuels QC and Michael Codd concluded a Royal Commission that inquired into the effectiveness of ASIS’s organisation, management, control and accountability arrangements, protection of sources and resolution of grievances and complaints.[75]

34.51 The Parliamentary Joint Committee on ASIO, ASIS and DSD (now the PJCIS) conducted a number of inquiries into intelligence issues, including: an inquiry into the intelligence on Iraqi’s weapons of mass destruction;[76] reviews of intelligence services legislation;[77] assessments of the government’s proposed amendment of the ASIO Act;[78] and an examination of the nature, scope and appropriateness of ASIO’s public reporting activities.[79]

34.52 In 2004, the then Prime Minister appointed Mr Philip Flood AO to conduct an inquiry into the effectiveness of the intelligence community’s current oversight and accountability mechanisms, and the delivery of high quality and independent intelligence advice to the government. In the 2004 Report of the Inquiry into Australian Intelligence Agencies (Flood Report),[80] it was acknowledged that all elements of government, including the AIC, should be accountable. The Report stated, however, that different accountability and oversight mechanisms for intelligence agencies are justified because of the need for parts of the intelligence function to remain secret. The Flood Report stated that purpose-specific institutions and systems are needed to deal with the tension between accountability and secrecy.[81] The Report found that accountability arrangements for the intelligence agencies were working effectively and that the Intelligence Services Act has worked well in practice.[82]

34.53 The Flood Report, however, did recommend some changes to the accountability arrangements relating to the intelligence and defence intelligence agencies, including that: the mandate of the Parliamentary Joint Committee on ASIO, ASIS and DSD (now the PJCIS) be extended to cover all of the relevant agencies; the functions and ministerial accountabilities of the DIGO be formalised in legislation by amendments to the Intelligence Services Act; and the mandate of the IGIS be extended to allow the IGIS to initiate inquiries into matters relating to the ONA and the DIO without ministerial referral.[83] All of these recommendations have been implemented.

34.54 In Open Government: A Review of the Federal Freedom of Information Act 1982 (ALRC 77), the ALRC and the Administrative Review Council (ARC) also were of the view that scrutiny by the IGIS and the Parliamentary Committee on ASIO of the internal processes and methods of intelligence agencies is adequate.[84] They therefore recommended that intelligence agencies remain exempt from the operation of the Freedom of Information Act.[85]

Commonwealth Ombudsman

34.55 The Commonwealth Ombudsman is an independent statutory office established by the Ombudsman Act 1976 (Cth). The Act provides that the Ombudsman is to investigate the administrative actions of Australian Government departments and prescribed authorities in response to complaints or on the Ombudsman’s own motion.[86] The Act also permits the Ombudsman, in some circumstances, to decline to investigate; for example, where a matter has not yet been put to the relevant agency.[87] The Ombudsman Act enables the Ombudsman to report in a number of ways following an investigation, although it requires the investigation itself to be conducted in private and with fairness to anyone likely to be criticised.[88] The disclosure of identifying information about a complainant is prohibited unless the disclosure is fair and reasonable in all the circumstances.[89]

34.56 The AGD and the Departments of Defence, Foreign Affairs and Trade, and the Prime Minister and Cabinet are within the Ombudsman’s jurisdiction.[90] ASIO and the IGIS, however, are excluded.[91] ASIS, the ONA, the DSD, the DIO and the DIGO fall within the Ombudsman’s jurisdiction but, in practice, people seeking to make complaints about them are referred to the IGIS.[92] The Ombudsman also is appointed as the Defence Force Ombudsman under the Ombudsman Act.[93]

34.57 The Act provides the Ombudsman with an extensive range of powers to investigate, including a power to require the production of information or documents.[94] This power is limited, however, by s 9(3), which provides that the Attorney-General may issue a certificate certifying that the disclosure to the Ombudsman of certain information or documents would be contrary to the public interest for a number of reasons—including that it would prejudice the security, defence or international relations of the Australian Government.

Security Appeals Division of the Administrative Appeals Tribunal

34.58 The Security Appeals Division of the Administrative Appeals Tribunal (AAT) deals with three types of matters, namely, applications for review of: adverse or qualified security assessments made by ASIO; decisions of the National Archives of Australia in respect of access to a record of ASIO; and preventative detention orders issued or extended under the Criminal Code.[95] The AAT, however, does not have power to review security assessments conducted by agencies other than ASIO.

34.59 Under the ASIO Act, a security assessment cannot be made in respect of a person who is not: an Australian citizen; the holder of a valid permanent visa; or the holder of a special category or special purpose visa.[96] During review by the AAT, the Director-General of Security is required to present to the AAT all relevant information available to the Director-General, whether favourable or unfavourable to the applicant. The applicant and his or her representative may be present when the AAT is hearing submissions made or evidence adduced by the Director-General of Security or the Australian Government agency to which the assessment was given—unless the minister administering the ASIO Act certifies that disclosure of the evidence or submissions would be contrary to the public interest because it would prejudice security or the defence of Australia.[97]

Australian National Audit Office

34.60 The Australian National Audit Office (ANAO) is a specialist public sector agency responsible for auditing the activities of most Australian Government public sector entities.[98] The Auditor-General has broad information-gathering powers and authority to access Australian Government premises.[99] The scope of its audit program includes all of the intelligence and defence intelligence agencies.[100] The ANAO undertakes annual audits of the financial statements of ASIO, ASIS and the ONA; audits of the Department of Defence that include a consideration of the financial operations of the DIO, the DSD and the DIGO; and occasional performance audits of programs relevant to the intelligence and defence intelligence agencies, usually as part of a wider cross-government consideration of security issues.[101]

Opposition briefing

34.61 Section 21 of the ASIO Act requires that the Director-General of Security brief the Leader of the Opposition for the purpose of keeping him or her informed on matters relating to security. Similarly, the Director-General of ASIS must consult regularly with the Leader of the Opposition in the House of Representatives for the purpose of keeping him or her informed on matters relating to ASIS.[102]

International instruments

34.62 A number of international instruments recognise the need to balance the interests of national security and defence with the interests of privacy or data protection. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued by the Organisation for Economic Co-operation and Development (OECD Guidelines), provide that acceptable bases for exceptions in the Guidelines include national sovereignty and national security.[103]

34.63 The Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive), issued by the European Parliament, contains exemptions concerning public security, defence and state security.[104]

34.64 Similarly, the Asia-Pacific Economic Cooperation Privacy Framework (APEC Privacy Framework) states that it is not intended to impede governmental activities authorised by law to protect national security, public safety, national sovereignty and other public policy interests. It does provide, however, that exceptions to the principles—including those relating to national sovereignty, national security, public safety and public policy—should be limited and proportional to meeting the objectives to which the exceptions relate. They should also be and made known to the public; or should be in accordance with law.[105]

Discussion Paper proposal

34.65 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC considered whether the intelligence and defence intelligence agencies should continue to be exempt from the operation of the Privacy Act. The ALRC noted that a number of stakeholders considered the current exemption to be appropriate,[106] provided that there was sufficient oversight.[107] Submissions from the Office of the Privacy Commissioner (OPC) and the intelligence and defence intelligence agencies supported the view that some of the IPPs were incompatible with the functions of the intelligence and defence intelligence agencies.[108] The foreign intelligence agencies—ASIS, the ONA, the DSD, the DIO and the DIGO—stated that the collection and communication[109] of personal information is a central part of their intelligence function.[110] Both the foreign intelligence agencies and ASIO were concerned that a requirement that they comply with the provisions of the Privacy Act would constrain unduly their ability to carry out their functions. Such a requirement, they argued, could:

  • prejudice their methods of intelligence collection;[111]

  • disclose their methods, capabilities and sources to persons of security interest;[112]

  • alert such persons to the fact and scope of the agency’s covert investigations;[113]

  • enable persons of security interest to adopt defensive security measures that would hinder intelligence collection;[114] and

  • undermine their domestic and international liaison relationships, because partner agencies would be likely to withhold the sharing of intelligence where there is a requirement for the relevant intelligence or defence intelligence agency to disclose this information to persons of security interest.[115]

34.66 The OPC and the intelligence and defence intelligence agencies were of the view that the privacy requirements applying to the intelligence and defence intelligence agencies were adequate, including legislative requirements, ministerial directions and secrecy provisions.[116] The foreign intelligence agencies also submitted that they have invested resources and conducted internal audits to monitor and ensure adherence to the privacy rules and other relevant legislative and administrative requirements.[117]

34.67 Furthermore, ASIO and the foreign intelligence agencies stated that they already are subject to robust accountability and oversight mechanisms, including through the IGIS and the PJCIS.[118] In addition, ASIO suggested that the current exemption that applies to it is consistent with international standards under the OECD Guidelines, the EU Directive and the APEC Privacy Framework.[119]

34.68 By contrast, the Queensland Council of Civil Liberties expressed concern that there is a danger that intelligence agencies may regard themselves as exempt from control and supervision, and suggested that other mechanisms should be implemented to ensure that these agencies are accountable.[120]

34.69 The OPC noted that the IGIS has been developed as a specialist oversight body for intelligence and defence intelligence agencies due to the different nature of the work of these agencies. The OPC submitted that ‘it may be difficult for the Privacy Commissioner to investigate or audit the activities of [these] agencies without the appropriate powers, infrastructure or security clearances’.[121]

34.70 The Centre for Law and Genetics submitted that the exemption of these agencies is reasonable, but only should apply when an officer of an intelligence or defence intelligence agency is acting in the public interest. The exemption should not apply when such an officer is seeking personal information for private purposes. It also suggested that, as a matter of good practice, any access to personal information by these agencies should be recorded to enable access to be tracked and later audited.[122]

34.71 A few stakeholders suggested that, although there is a legitimate public interest in exempting the intelligence and defence intelligence agencies from compliance with the Privacy Act, these agencies should not be exempt completely from the Act.[123] These stakeholders suggested that the exemption may not be justified in respect of administrative information,[124] or staff and contractors’ records of the intelligence and defence intelligence agencies.[125]

34.72 Only the foreign intelligence agencies commented on whether any other intelligence and defence intelligence agencies should be exempt from the operation of the Privacy Act. Only one possibility was mentioned—the Defence Security Authority, which is a member of the Intelligence and Security Group within the Department of Defence. The common view, however, was that the Defence Security Authority should not be exempt from the operation of the Act.[126]

34.73 In DP 72, the ALRC expressed the preliminary view that there is a need to balance privacy interests with the public interest in maintaining national security and defence. The ALRC observed that the ability to collect and assess intelligence information covertly is central to the functions of the intelligence and defence intelligence agencies. Given the inherently covert nature of much of the work of these agencies, many of the requirements under the privacy principles would be incompatible with their functions—especially those requirements in the proposed Unified Privacy Principles (UPPs) relating to collection, use and disclosure, and notification.

34.74 The ALRC noted that each of the intelligence and defence intelligence agencies is subject to privacy rules or guidelines, and that the IGIS generally has been satisfied with the implementation of, and compliance with, those rules and guidelines by such agencies. The ALRC stated that there is room, however, for extending the ambit of the privacy rules and guidelines, and improving the relevant legislative arrangements for, and the accessibility of, the rules and guidelines. The ALRC therefore made a number of proposals to improve the consistency and accessibility of the rules and guidelines and to strengthen the relevant legislative arrangements. These proposals included:

  • amendment of the privacy rules and guidelines to ensure consistency in relation to incidents involving the incorrect use and disclosure of personal information, and the accuracy, storage and security of personal information;[127]

  • a legislative requirement that ministers responsible for the ONA and the DIO make written rules regulating the agencies’ communication and retention of intelligence information concerning Australian persons;[128]

  • amendment of the relevant enabling legislation to ensure that the ministers responsible for the intelligence and defence intelligence agencies consult with the OPC before making privacy rules or guidelines;[129] and

  • a requirement that the privacy rules and guidelines be made available electronically to the public, for example, on the website of those agencies.[130]

Submissions and consultations

34.75 Several stakeholders supported the approach proposed by the ALRC concerning the intelligence and defence intelligence agencies.[131] For example, National Legal Aid supported the proposals on the basis that:

Australian citizens and residents facing the exercise of extraordinary powers under anti-terrorist legislation need to have at least some basic assurance of the integrity of the information giving rise to investigation and charges.[132]

34.76 One individual suggested that the guidelines provide insufficient protection of the personal information handled by intelligence and defence intelligence agencies.[133] The Cyberspace Law and Policy Centre argued that these agencies should not be exempt completely from the Privacy Act and that ‘the extent of any justifiable exemptions to or modifications of specific IPPs should be stated in the Schedule to the Act’. It suggested there was no justification for the exemption of intelligence and defence intelligence agencies in respect of administrative and employment information. It also suggested that some of the privacy principles should apply to all personal information handled by the intelligence and defence intelligence agencies, including information collected operationally. The Cyberspace Law and Policy Centre suggested the following principles should apply: data security; data quality; and the use and disclosure principle, provided that there are specific exceptions for use and disclosure that is required by law or for law enforcement purposes.[134]

Consistent privacy rules and guidelines

34.77 In submissions there was support[135] for the proposal that the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies be amended to include consistent rules and guidelines relating to incidents involving the incorrect use and disclosure of personal information, and the accuracy, storage and security of personal information.[136]

34.78 Privacy NSW agreed that the privacy rules and guidelines should be consistent, given the covert nature of activities of the intelligence and defence intelligence agencies, and stressed that there is a ‘need for a transparent framework issued by the OPC governing law enforcement and intelligence agencies’.[137]

34.79 The Law Council of Australia submitted that the argument that the intelligence and defence intelligence agencies should be exempt, because they already are subject to specific privacy rules and guidelines, would be sustainable only if the relevant rules and guidelines address the full spectrum of issues dealt with under the Privacy Act. The Law Council argued that, to the extent that those rules and guidelines ‘are currently focused on [the] collection, communication and retention of information … they cannot provide an adequate substitute for the Privacy Act’.[138]

34.80 On the other hand, the foreign intelligence agencies submitted that the privacy rules and guidelines already address the incorrect use and disclosure of personal information, as well as the storage and security of information. In relation to the incorrect use and disclosure of personal information, they submitted that they already are required to advise the IGIS of such incidents, and to either consult with the IGIS to determine the appropriate remedial action, or advise the IGIS of the incident and the measures taken to protection the privacy of the Australian person. In addition, the agencies stated that, in practice, intelligence is ‘used’ when it is communicated, and that any use of personal information that did not fall within their statutory functions and powers would be ‘incorrect’ and subject to investigation by the IGIS pursuant to s 8 of the IGIS Act.[139]

34.81 As regards the storage and security of personal information, the foreign intelligence agencies argued that the requirements under the privacy rules and guidelines, together with the Protective Security Manual and penalties under the Crimes Act 1914 (Cth), already exceed the requirements under the Privacy Act. They noted that the privacy rules and guidelines currently require that intelligence information concerning Australian persons be retained by the intelligence and defence intelligence agencies in a manner applicable to the retention of information having a security classification of not less than ‘secret’. The foreign intelligence agencies noted that the Protective Security Manual already includes ‘requirements for storing material; procedures for registering, transferring and reproducing classified material; and restrictions on who can handle such information’. In addition, it was observed that any deliberate disclosure of information classified as ‘secret’ would be subject to penalties under the Crimes Act.[140]

34.82 The foreign intelligence agencies also submitted that the intent of the proposal that there should be consistent privacy rules and guidelines concerning the accuracy of personal information was unclear. They argued that the proposal appeared to be at odds with their functions. Their submission was that, since intelligence is focused on the intentions, activities and capabilities of individuals or organisations, it is rarely simple factual information or information that is readily verifiable.

Rather, it is the credibility of information that matters. Collection agencies are obliged to report intelligence information they have collected accurately, whether or not it is true. This allows assessment agencies to test the credibility of that intelligence against all other available information and develop assessments for government accordingly. In these senses, accuracy is at the very heart of the intelligence processes. However, the processes are conceptually quite different and attempting an overlay applicable to other areas of public administration would not be appropriate.[141]

Written privacy rules for DIO and ONA

34.83 A number of stakeholders[142] supported the proposals that would require ministers responsible for the ONA and the DIO to make written rules regulating the agencies’ communication and retention of intelligence information concerning Australian persons.[143] The Office of the Victorian Privacy Commissioner (OVPC) was concerned that the proposals only related to ‘the privacy of Australian persons’, and considered that there is ‘no policy justification for limiting the privacy protections to Australian citizens or permanent residents’.[144]

34.84 The foreign intelligence agencies did not support the proposals. They suggested that, since a core area of the activities of foreign intelligence collection agencies—ASIS, the DSD and the DIGO—is to gather intelligence from various sources, it is possible that these agencies may collect intelligence about Australian individuals and therefore a legislative requirement to adhere to privacy rules is appropriate. It was observed that, by contrast, foreign intelligence assessment agencies—the ONA and the DIO—generate assessments using information from a number of sources, including intelligence provided by collection agencies that has been collected in accordance with the applicable privacy rules. They argued, therefore, that subjecting the assessment agencies to administrative privacy guidelines (rather than privacy rules mandated by legislation) is appropriate given the lower level of risk to privacy posed by the activities of such agencies.[145]

34.85 The foreign intelligence agencies also submitted that, due to their international focus, ‘foreign intelligence reporting on an Australian is relatively rare and instances where an Australian might be mentioned are few’. In addition, the agencies submitted that the privacy guidelines applicable to the ONA and the DIO are very similar to the privacy rules applicable to the ASIS, the DIGO and the DSD, and that the ONA and the DIO also are subject to similar reporting and monitoring requirements as those imposed on the foreign intelligence collection agencies.[146]

Consultation with the OPC

34.86 A number of stakeholders supported the proposals that ministers responsible for the intelligence and defence intelligence agencies be required to consult with the OPC before making rules to protect the privacy of Australian persons.[147] The OPC supported the proposals, but noted that such consultation should be held with the Privacy Commissioner rather than his or her office. It also noted that the Privacy Commissioner has been consulted on ASIO’s privacy guidelines on a previous occasion.[148] The Public Interest Advocacy Centre (PIAC) supported the proposal, but suggested that there needs to be further clarification as to whether the relevant ministers also should consult with the IGIS and the Attorney-General.[149]

34.87 The Law Council of Australia supported the proposal as it relates to ASIO, but submitted that s 8A(6) of the ASIO Act also should explicitly require the minister responsible for ASIO to consult with the IGIS in the drafting stage—even though it was understood that this does occur in practice. The Law Council also noted that when the new ASIO guidelines were issued in October 2007, the IGIS was reportedly dissatisfied with the guidelines and troubled by the absence of substantial requirements concerning retention and destruction of intelligence information. It was submitted that:

These reported comments demonstrate that an obligation to consult with IGIS and the OPC will only ever provide a limited safeguard and should not be regarded as a substitute for enforceable duties and standards.[150]

34.88 On the other hand, the foreign intelligence agencies did not support the proposals, on the grounds that ‘the existing framework for oversight of agencies’ privacy provisions by the IGIS and the Attorney-General provides for strong oversight and accountability’, and that the proposal appeared to risk duplication with the role of the IGIS. In addition, they argued that the current privacy rules and guidelines were developed in consultation with the Attorney-General, the relevant agency head and the IGIS.[151]

Public availability of privacy rules and guidelines

34.89 A number of stakeholders,[152] including the foreign intelligence agencies and the IGIS,[153] agreed that the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies should be made available to the public electronically.[154] In his submission, the IGIS stated that making the privacy rules and guidelines readily available to the public is appropriate and involves ‘no significant security considerations’. In addition, the IGIS considered that ‘there is benefit in making available information about the ways in which the agencies are held to account’.[155]

34.90 The Law Council of Australia stated that ‘the public dissemination of information about the powers and obligations of intelligence agencies is a pre-requisite to accountability’. It submitted further that the privacy rules and guidelines should be highlighted clearly on an agency’s website so that members of the public would not have to know that the specific rules and guidelines exist or their precise titles in order to be able to locate them.[156]

34.91 The OPC supported the proposal, but suggested that ‘reasonable steps should be taken to ensure that the privacy rules and guidelines [are] made available in other accessible forms as requested by members of the public’, which would enhance community confidence in the agencies’ handling of personal information.[157] Similarly, the OVPC submitted that ‘these rules and guidelines should be made available in a variety of formats, both electronic and hard copy and preferably, in a range of community languages’.[158]

34.92 While supportive of the proposal, the Australian Privacy Foundation and PIAC suggested that the relevant legislative provisions requiring the making of privacy rules also should be made available to the public electronically.[159] The ALRC notes that the relevant legislative provisions are readily accessible on the ‘ComLaw’ website maintained by the AGD.[160] In the ALRC’s view, the current level of accessibility of the relevant provisions is adequate.

34.93 The IGIS, while not commenting in detail on the proposals concerning the intelligence and defence intelligence agencies, submitted that the current accountability arrangements clearly are significant and effective. On this basis, the IGIS stated that ‘it is understandable that intelligence and defence intelligence agencies might question why there is any need for changes to existing structures’.[161]

ALRC’s view

34.94 The current exemptions that apply to the intelligence and defence intelligence agencies under the Privacy Act should remain. Stakeholders that commented on these exemptions acknowledged the need to balance the interests of individual privacy with the interests of national security and defence. The need for such a balance is consistent with international standards, which provide for exceptions or exemptions to privacy principles for the purposes of national security and defence.

34.95 The central function of intelligence and defence intelligence agencies is the covert collection and assessment of intelligence information—that is, information ‘obtained without the authority of the government or group that “owns” the information’.[162] Given the inherently covert nature of much of the work of these agencies, many of the requirements under the model UPPs would be incompatible with their functions—especially those relating to the collection, use and disclosure of personal information, and notification to the individual concerned about the information collected.

34.96 Although the intelligence agencies—ASIO, ASIS and the ONA—are exempt completely from the operation of the Privacy Act, and the defence intelligence agencies—the DIO, the DIGO and the DSD—are exempt partially from the operation of the Act, each of these agencies has privacy rules or guidelines in place. In addition, there is a system of accountability that provides a high degree of oversight of the intelligence and defence intelligence agencies, including oversight of compliance with the privacy rules and guidelines by the IGIS. The ALRC is generally satisfied with the degree and quality of oversight of the intelligence and defence intelligence agencies.

34.97 While the IGIS has reported his overall satisfaction with the implementation of, and compliance with, the privacy rules and guidelines by the intelligence and defence intelligence agencies, the ALRC considers that there is room for extending the ambit of the privacy rules and guidelines, and improving the relevant legislative arrangements and the accessibility of the rules and guidelines.

34.98 First, the privacy rules and guidelines applicable to intelligence and defence intelligence agencies currently only cover Australian persons. There is merit in the OVPC’s submission that the privacy protections provided by these rules and guidelines should not be limited to Australian persons. The ALRC is of the view, however, that the coverage of the privacy rules and guidelines should be extended to the handling of personal information about non-Australian individuals only to the extent that this is covered by the Privacy Act. This is because the privacy rules and guidelines applicable to intelligence and defence intelligence agencies should not have a more extensive extra-territorial operation than the Privacy Act.

34.99 While the Privacy Act generally covers the handling of personal information about an individual—which is defined as a natural person under s 6(1) and therefore is not limited to Australian individuals—it extends to overseas acts and practices of an organisation only where:

the act or practice relates to personal information about an Australian citizen or a person whose continued presence in Australia is not subject to a limitation as to time imposed by law …[163]

34.100 The ALRC recommends, therefore, that the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies be extended to cover the domestic acts and practices of these agencies relating to personal information about non-Australian individuals. These privacy rules and guidelines, however, should not cover the overseas acts and practices of an intelligence agency or a defence intelligence agency unless those acts and practices relate to personal information about an Australian citizen or a person whose continued presence in Australia is not subject to a limitation imposed by law as to time.

34.101 Secondly, the governing legislation, and privacy rules and guidelines that apply to the intelligence and defence intelligence agencies only cover collection, communication and retention of intelligence information. The Protective Security Manual does contain minimum standards concerning the use, access, copying, storage, security and disposal of classified information. It only applies to security classified information, however, and does not deal with other matters under the UPPs. The privacy rules and guidelines should be updated, therefore, to include rules dealing with the incorrect use and disclosure by intelligence and defence intelligence agencies of all personal information, the accuracy of records, and the storage and security of personal information.

34.102 The ALRC notes the submission by the foreign intelligence agencies that the privacy rules and guidelines applicable to them already require that they notify the IGIS of incidents involving the incorrect use and disclosure of personal information. The Attorney-General’s Guidelines, however, do not contain a similar requirement. The ALRC is of the view that the Attorney-General’s Guidelines should be amended in line with the other privacy rules and guidelines in this regard.

34.103 In relation to the accuracy of records, the ALRC agrees with the submission by the foreign intelligence agencies that some intelligence may not be verifiable information. This issue should be covered in the drafting of the privacy rules and guidelines. It is clear that there may be circumstances where it would be unreasonable to require an intelligence agency or a defence intelligence agency to verify the accuracy of certain personal information, for example, because it would alert the intelligence target to the agency’s covert investigation. This calls for the use of qualitative or evaluative terms, such as ‘fair and reasonable’, in the drafting of the accuracy requirement, rather than the omission of accuracy requirements. Such an approach allows the same rules to apply flexibly to the individual intelligence and defence intelligence agencies within their different operational contexts. Accordingly, the ALRC recommends that the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies be amended to include consistent rules and guidelines relating to the accuracy of personal information.

34.104 As regards storage and security of personal information, the ALRC notes that the need for rules concerning the retention and destruction of personal information was highlighted by the IGIS’s dissatisfaction with the 2007 Attorney-General’s Guidelines. The IGIS reportedly was unable to endorse the new guidelines in their entirety because of concerns about the lack of substantive requirements as to when ASIO should retain or destroy data.[164] The ALRC therefore recommends that the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies include consistent rules and guidelines relating to the storage and security of personal information.

34.105 Thirdly, under the ASIO Act and the Intelligence Services Act, the ministers responsible for ASIO, ASIS, the DSD and the DIGO are required to make written rules regulating the communication and retention of intelligence information concerning Australian persons. Although the ONA and the DIO have implemented privacy guidelines administratively, their responsible ministers are not subject to the same legislative requirement to make written rules or issue ministerial guidelines as other intelligence and defence intelligence agencies. The ALRC considers this anomaly should be corrected by an amendment to the Intelligence Services Act and the Office of National Assessments Act that requires the ministers responsible for the ONA and the DIO to make written rules regulating the handling of intelligence information about individuals by the agencies.

34.106 The ALRC notes the submission by the foreign intelligence agencies that the ONA and the DIO should be subject only to privacy guidelines (rather than privacy rules mandated by legislation) because of the lower level risk they pose to privacy compared to other foreign intelligence agencies. While this may be the case, the ALRC does not agree that intelligence and defence intelligence agencies should be treated differently based on the different level of risk they pose to privacy. The ALRC’s approach in this Report is that, subject to limited exceptions, privacy regulation should apply universally, regardless of the degree of risk an agency or organisation poses to privacy. By analogy, the different levels of risk posed by individual intelligence and defence intelligence agencies do not provide sufficient justification for them to be subject to different requirements concerning privacy.

34.107 Furthermore, not all of the ministers responsible for the intelligence and defence intelligence agencies are required to undertake a consultation process before making privacy rules or guidelines. The ministers responsible for ASIS, the DIGO and the DSD are required to consult with the relevant agency head, the IGIS and the Attorney-General when drafting privacy rules; however, there is no equivalent provision that applies to the other intelligence and defence intelligence agencies.[165] In addition, none of the ministers are required to consult with the Privacy Commissioner when drafting such rules. In the ALRC’s view, all ministers with responsibility for the intelligence and defence intelligence agencies should consult with the appropriate agencies before making privacy rules. The appropriate agencies would include the relevant agency heads and the IGIS, who have responsibility for, or oversight of, the activities of the relevant agencies, and the Privacy Commissioner and the minister responsible for administering the Privacy Act, who oversee privacy regulation in Australia.

34.108 Finally, the ALRC recommends that the privacy rules and guidelines should be made more accessible to the public. In DP 72, the ALRC noted that, although all of the privacy rules and guidelines applicable to the intelligence and defence intelligence agencies were available electronically on the IGIS’s website, and some of them are available on the relevant agency’s website, those applicable to the ONA and the DIO were not available on the agencies’ websites. Since the publication of DP 72, the ONA has posted its privacy guidelines on its website. The DIO is now the only relevant agency that has not made its privacy guidelines available electronically on its website. All privacy rules and guidelines should be published on the relevant agency’s website and should be made available, on request, in other accessible forms.

34.109 A few stakeholders suggested that the intelligence and defence intelligence agencies should be subject to exceptions to specific privacy principles, rather than exempt from the operation of the Privacy Act. The ALRC disagrees with this approach. All the intelligence and defence intelligence agencies already are subject to privacy rules or guidelines. The ALRC also is recommending that the ambit of these rules and guidelines be extended further to enhance privacy protection. In addition, the internal processes and methods of the intelligence and defence intelligence agencies are subject to a number of oversight and accountability mechanisms, including by the IGIS, the PJCIS and others. In particular, the IGIS has reported that he conducted regular inspections of the intelligence and defence intelligence agencies and actively monitored their adherence to privacy rules and guidelines. Finally, it should be noted that the OPC would have difficulties investigating or auditing the activities of the intelligence and defence intelligence agencies because it lacks the appropriate powers, infrastructure and security clearances to do so. For these reasons, it is not necessary to alter the scope of the exemption that applies to the intelligence and defence intelligence agencies under the Privacy Act.

Recommendation 34-1 (a) The privacy rules and guidelines that relate to the handling of intelligence information concerning Australian persons by the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, the Defence Imagery and Geospatial Organisation, the Defence Intelligence Organisation, the Defence Signals Directorate and the Office of National Assessments, should be amended to include consistent rules and guidelines relating to:

(i) the handling of personal information about non-Australian individuals, to the extent that this is covered by the Privacy Act;

(ii) incidents involving the incorrect use and disclosure of personal information (including a requirement to contact the Inspector-General of Intelligence and Security and advise of incidents and measures taken to protect the privacy of the individual);

(iii) the accuracy of personal information; and

(iv) the storage and security of personal information.

(b) The privacy rules and guidelines should be made available without charge to an individual: electronically on the websites of those agencies; and on request, in hard copy or, where reasonable, in an alternative form accessible to individuals with special needs.

Recommendation 34-2 Section 15 of the Intelligence Services Act 2001 (Cth) should be amended to provide that the ministers responsible for the Australian Secret Intelligence Service, the Defence Imagery and Geospatial Organisation, the Defence Signals Directorate and the Defence Intelligence Organisation:

(a) are required to make written rules regulating the handling of intelligence information concerning individuals by the relevant agency, except where:

(i) the agency is engaged in activity outside Australia and the external territories; and

(ii) that activity does not involve the handling of personal information about an Australian citizen or a person whose continued presence in Australia or a territory is not subject to a limitation as to time imposed by law; and

(b) should consult with the relevant agency head, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy rules about the handling of intelligence information.

Recommendation 34-3 The Office of National Assessments Act 1977 (Cth) should be amended to provide that the minister responsible for the Office of National Assessments (ONA):

(a) is required to make written rules regulating the handling of intelligence information about individuals by the ONA, except where:

(i) the ONA is engaged in activity outside Australia and the external territories; and

(ii) that activity does not involve the handling of personal information about an Australian citizen or a person whose continued presence in Australia or a territory is not subject to a limitation as to time imposed by law; and

(b) should consult with the Director-General of the ONA, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy rules about the handling of intelligence information.

Recommendation 34-4 Section 8A of the Australian Security Intelligence Organisation Act 1979 (Cth) should be amended to provide that the:

(a) guidelines issued by the minister responsible for the Australian Security Intelligence Organisation (ASIO) must include guidelines regulating the handling of intelligence information about individuals by ASIO, except where ASIO:

(i) is engaged in activity outside Australia and the external territories; and

(ii) that activity does not involve the handling of personal information about an Australian citizen or a person whose continued presence in Australia or a territory is not subject to a limitation as to time imposed by law; and

(b) minister responsible for ASIO should consult with the Director-General of Security, the Privacy Commissioner, the Inspector-General of Intelligence and Security and the minister responsible for administering the Privacy Act before making privacy guidelines about the handling of intelligence information.

[24] Inspector-General of Intelligence and Security, ‘Trust and the Rule of Law’ (Paper presented at Australian Institute of Professional Intelligence Officers, Intelligence 2005 Conference, 3 November 2005), 4.

[25] Intelligence Services Act 2001 (Cth) ss 9(4), 10.

[26] Ibid s 9(5).

[27] Ibid s 10A.

[28] Ibid s 11.

[29] Ibid s 12.

[30]Australian Security Intelligence Organisation Act 1979 (Cth) pt III divs 2 and 3. The only exception is where an authorised ASIO officer or employee requests information or documents from an operator of an aircraft or vessel relating to its cargo, crew, passenger, stores or voyages: Australian Security Intelligence Organisation Act 1979 (Cth) s 23.

[31] Australian Security Intelligence Organisation Act 1979 (Cth) ss 18–19.

[32] See Australian Government Inspector-General of Intelligence and Security, Annual Report 2006–2007 (2007), 39.

[33] Australian Security Intelligence Organisation, Attorney-General's Guidelines in relation to the Performance by the Australian Security Intelligence Organisation of its Function of Obtaining, Correlating, Evaluating and Communicating Intelligence relevant to Security (including Politically Motivated Violence) <www.asio.gov.au/About/Content/AttorneyAccountability.aspx> at 7 April 2008. See also N O’Brien, ‘Changes Permit ASIO to Keep Files’, The Australian (online), 13 October 2007, <www.theaustralian.news.com.au>.

[34] Australian Security Intelligence Organisation, Attorney-General's Guidelines in relation to the Performance by the Australian Security Intelligence Organisation of its Function of Obtaining, Correlating, Evaluating and Communicating Intelligence relevant to Security (including Politically Motivated Violence) <www.asio.gov.au/About/Content/AttorneyAccountability.aspx> at 7 April 2008, Guidelines 6.2, 10.3.

[35] Ibid, Guideline 8.2.

[36] Ibid, Guideline 10.4.

[37] Ibid, Guideline 10.4(a), (b).

[38] Ibid, Guidelines 10.4(d).

[39] Ibid, Guidelines 10.4(e), 15.12.

[40] Ibid, Guidelines 10.4(c).

[41] Ibid, Guideline 10.1.

[42] Ibid, Guidelines 13.2, 13.3, 13.6.

[43] Ibid, Guidelines 13.4, 13.5.

[44] Ibid, Guideline 11.2.

[45] See Australian Government Inspector-General of Intelligence and Security, Annual Report 2006–2007 (2007), 42, 45–46. Note that the IGIS’s assessment relates to ASIO’s compliance with the 1992 privacy guidelines issued by the Attorney-General to the Director-General of Security: see Australian Government Inspector-General of Intelligence and Security, Annual Report 2006–2007 (2007), 39.

[46] R Hill, Defence Imagery and Geospatial Organisation Privacy Rules (2005) Australian Government Department of Defence <www.defence.gov.au/DIGO/About_Us/about.html> at 10 April 2008; P Reith, Defence Signals Directorate: Privacy Safeguards (2001) Australian Government Defence Signals Directorate <www.dsd.gov.au/about_dsd/privacy_safeguards.html> at 10 April 2008; A Downer, Australian Secret Intelligence Service: Rules to Protect the Privacy of Australians (2001) Australian Secret Intelligence Service <www.asis.gov.au/privacygov.html> at 10 April 2008.

[47] R Hill, Defence Imagery and Geospatial Organisation Privacy Rules (2005) Australian Government Department of Defence <www.defence.gov.au/DIGO/About_Us/about.html> at 10 April 2008, r 6.

[48] Australian Government Inspector-General of Intelligence and Security, Annual Report 2006–2007 (2007), 57.

[49] Ibid, 62.

[50] Ibid, 65.

[51] Australian Government Inspector-General of Intelligence and Security, Annual Report 2005–2006 (2006), 50–51, 53–54.

[52] Ibid, 8.

[53] Ibid, Annex 6 (DIO), Annex 7 (ONA).

[54] Ibid, 8.

[55] Ibid, Annex 6 (DIO), Annex 7 (ONA). The Australian Government Inspector-General of Intelligence and Security, Annual Report 2005–2006 (2006) is available on the IGIS’s website <www.igis.gov.au>.

[56] Australian Government Inspector-General of Intelligence and Security, Annual Report 2006–2007 (2007), 67, 70.

[57] Australian Government Attorney-General’s Department, Protective Security Manual (PSM 2005) <www.ag.gov.au/www/agd/agd.nsf/Page/National_security> at 8 April 2008.

[58] Ibid.

[59] Australian Government Defence Signals Directorate, Australian Government Information and Communications Technology Security Manual (ACSI 33) (2007).

[60] Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), Rec 4–1.

[61] Australian Security Intelligence Organisation Act 1979 (Cth) s 18.

[62] Inspector-General of Intelligence and Security Act 1986 (Cth) ss 6(2), 26, 30.

[63] Ibid s 26(2).

[64] Ibid ss 8, 11.

[65] Ibid ss 18–20.

[66] Australian Government Inspector-General of Intelligence and Security, Annual Report 2001–2002 (2002), Annex 2; Australian Government Inspector-General of Intelligence and Security, Annual Report 2002–2003 (2003), Annex 2, 3; Australian Government Inspector-General of Intelligence and Security, Annual Report 2003–2004 (2004), Annex 3, 4. See also Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 15. On 6 December 2000, Lieutenant Colonel Lance Collins of the Australian Defence Force wrote to the Minister for Defence expressing concerns that: the DIO acted in mid-1998 to quash early warning, included in an assessment prepared by him, of problems developing in East Timor; the DIO’s assessments concerning East Timor were pro-Indonesia; and the DIO cut access to an intelligence database without warning. The IGIS was asked by the Minister for Defence to investigate, report and make recommendations about Collins’ allegations. The IGIS found that Collins’ view was sincerely held but unfounded: Australian Government Inspector-General of Intelligence and Security, Annual Report 2003–2004 (2004), Annex 3.

[67] Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 13.

[68] Ibid, 14.

[69] The Committee also has responsibilities for reviewing the operation, effectiveness and implications of certain amendments to anti-terrorism legislation; and ASIO’s questioning and detention powers under Division 3 of Part III of the ASIO Act: Intelligence Services Act 2001 (Cth) s 29(1)(ba), (bb).

[70] Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 14.

[71] Australian Security Intelligence Organisation Act 1979 (Cth) s 94.

[72] Intelligence Services Act 2001 (Cth) s 42; Office of National Assessments Act 1977 (Cth) s 19.

[73] Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 15.

[74] See P Flood, Report of the Inquiry into Australian Intelligence Agencies (2004) Australian Government Department of Prime Minister and Cabinet, 4.

[75] Commission of Inquiry into the Australian Secret Intelligence Service, Report on the Australian Secret Intelligence Service (Public Edition) (1995).

[76] Parliament of Australia—Parliamentary Joint Committee on ASIO‚ ASIS and DSD, Intelligence on Iraq’s Weapons of Mass Destruction (2003).

[77] Parliament of Australia—Joint Select Committee on the Intelligence Services, An Advisory Report on the Intelligence Services Bill 2001, the Intelligence Services (Consequential Provisions) Bill 2001 and Certain Parts of the Cybercrime Bill 2001 (2001); Parliament of Australia—Parliamentary Joint Committee on ASIO‚ ASIS and DSD, Review of the Intelligence Services Amendment Bill 2003 (2004); Parliament of Australia—Parliamentary Joint Committee on ASIO, ASIS and DSD, Review of the Intelligence Services Legislation Amendment Bill 2005 (2005).

[78] Parliament of Australia—Parliamentary Joint Committee on the Australian Security Intelligence Organization, An Advisory Report on the Australian Security Intelligence Organisation Legislation Amendment Bill 1999 (1999); Parliament of Australia—Parliamentary Joint Committee on ASIO‚ ASIS and DSD, An Advisory Report on the Australian Security Intelligence Organisation Legislation Amendment (Terrorism) Bill 2002 (2002).

[79] Parliament of Australia—Joint Select Committee on the Intelligence Services, A Watching Brief: The Nature, Scope and Appropriateness of ASIO’s Public Reporting Activities (2000).

[80] P Flood, Report of the Inquiry into Australian Intelligence Agencies (2004) Australian Government Department of Prime Minister and Cabinet.

[81] Ibid, 51.

[82] Ibid, 57.

[83] Ibid, 59–60.

[84] Australian Law Reform Commission and Administrative Review Council, Open Government: A Review of the Federal Freedom of Information Act 1982, ALRC 77 (1995), [11.13].

[85] Ibid, Rec 74.

[86]Ombudsman Act 1976 (Cth) s 5.

[87] Ibid s 6.

[88] Ibid ss 15–17, 19, 35A(3)(a), 35A(3E)(a).

[89] Ibid ss 8(2), 35A(3)(b), 35A(3E)(b).

[90] Ibid s 5(1)(a).

[91]Ombudsman Regulations 1977 (Cth) regs 4, 6.

[92] Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), [2.43].

[93]Ombudsman Act 1976 (Cth) s 19B.

[94] Ibid s 4.

[95]Administrative Appeals Tribunal Act 1975 (Cth) s 19(6); Australian Security Intelligence Organisation Act 1979 (Cth) s 54; Criminal Code Act 1995 (Cth) s 105.51(6). See also G Downes, ‘The Security Appeals Division of the Administrative Appeals Tribunal—Functions, Powers And Procedures’ (Paper presented at National Security Law Course, University of Sydney, Sydney, 13 September 2006), 6.

[96]Australian Security Intelligence Organisation Act 1979 (Cth) s 36.

[97]Administrative Appeals Tribunal Act 1975 (Cth) s 39A(3), (6), (8), (9).

[98] Auditor-General Act 1997 (Cth) s 39 and pt 4.

[99] Ibid pt 5 div 1.

[100] Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 16.

[101] P Flood, Report of the Inquiry into Australian Intelligence Agencies (2004) Australian Government Department of Prime Minister and Cabinet, 57.

[102] Intelligence Services Act 2001 (Cth) s 19.

[103] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), Guideline 4; Memorandum, [46].

[104] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), arts 3(2), 13; recitals 16, 43.

[105] Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [13].

[106] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007; Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; W Caelli, Submission PR 99, 15 January 2007; K Handscombe, Submission PR 89, 15 January 2007.

[107] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; W Caelli, Submission PR 99, 15 January 2007; K Handscombe, Submission PR 89, 15 January 2007.

[108] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007; Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[109] ‘Communication’ is the terminology used in the Intelligence Services Act 2001 (Cth). Sections 6 (1)(b), 6B(d) and 7(b) of the Intelligence Services Act 2001 (Cth) provide that one of the functions of the ASIS, the DIGO and the DSD is to communicate, in accordance with the requirements of the Australian Government, intelligence about specified matters.

[110] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[111] Ibid; Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007.

[112] Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007.

[113] Ibid.

[114] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[115] Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007.

[116] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007; Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[117] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[118] Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007; Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007.

[119] Australian Security Intelligence Organisation, Submission PR 180, 9 February 2007.

[120] Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[121] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[122] Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[123] Commonwealth Ombudsman, Submission PR 202, 21 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; K Pospisek, Submission PR 104, 15 January 2007.

[124] Australian Privacy Foundation, Submission PR 167, 2 February 2007. See also G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[125] Commonwealth Ombudsman, Submission PR 202, 21 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[126] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 159, 31 January 2007. The Defence Security Authority is responsible for the coordination of security across the Department of Defence, including the development of security policy, security training and awareness across the Department of Defence and the Australian Defence Force; security performance assessment programs; serious and complex security investigations; and security vetting of personnel: Australian Government Department of Defence, Annual Report 2004–05 (2005), 244.

[127]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 31–1.

[128]Ibid, Proposals 31–2(a), 31–3(a).

[129]Ibid, Proposals 31–2(b), 31–3(b), 31–4.

[130]Ibid, Proposal 31–5.

[131] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[132] National Legal Aid, Submission PR 521, 21 December 2007.

[133] Confidential, Submission PR 332, 19 October 2007.

[134] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. See also Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[135] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[136]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 31–1.

[137] Privacy NSW, Submission PR 468, 14 December 2007.

[138] Law Council of Australia, Submission PR 527, 21 December 2007.

[139] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007.

[140] Ibid.

[141] Ibid.

[142] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007 (supported the responsible minister for ONA being required to make such written rules); Privacy NSW, Submission PR 468, 14 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[143]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 31–2(a), 31–3(a).

[144] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[145] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007.

[146] Ibid.

[147] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposals 31–2(b), 31–3(b), 31–4. The following submissions supported the proposals relating to ASIS, DIGO, DSD, DIO and ONA: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; P Youngman, Submission PR 394, 7 December 2007. The following submissions supported the proposal as it relates to ASIO: Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[148] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[149] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[150] Law Council of Australia, Submission PR 527, 21 December 2007.

[151] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007.

[152]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[153] Foreign Intelligence Agencies of the Australian Intelligence Community, Submission PR 466, 13 December 2007; Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007.

[154]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 31–5.

[155]Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007.

[156] Law Council of Australia, Submission PR 527, 21 December 2007.

[157] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[158] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[159] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[160] See <www.comlaw.gov.au/>.

[161]Inspector-General of Intelligence and Security, Submission PR 432, 10 December 2007.

[162] Australian Government Office of National Assessments, The Australian Intelligence Community: Agencies, Functions, Accountability and Oversight (2006), 3.

[163]Privacy Act 1988 (Cth) s 5B(1)(a).

[164] N O’Brien, ‘Changes Permit ASIO to Keep Files’, The Australian (online), 13 October 2007, <www.theaustralian.news.com.au>.

[165] Intelligence Services Act 2001 (Cth) s 15(3).