Purpose of the Bill
The purpose of the National Security Legislation Amendment (Comprehensive Review and Other Measures No. 3) Bill 2023 (the Bill) is to amend a number of Commonwealth Acts to implement the Government’s response to 12 outstanding recommendations of the Comprehensive Review of the Legal Framework of the National Intelligence Community (Comprehensive Review).
The Bill also includes a number of measures which fall outside these recommendations and have been ‘identified as necessary’ in consultation with national security agencies (p. 5).
Structure of the Bill and Bills Digest
The Bill is divided into four Schedules with multiple parts, as reflected in the below table.
Provisions |
Commencement |
Detail |
Schedule 1, Part 1 |
Division 1: The day after Royal Assent.
Division 2: Immediately after the commencement of the provisions in Schedule 1, Part 1, Division 1 of the Bill (see above).
|
Amends the Australian Security Intelligence Organisation Act 1979 (ASIO Act) to:
- extend the definition of prescribed administrative action in Part IV of the ASIO Act to decisions relating to parole, firearms licences and security guard licences (gives effect to recommendation 193 of the Comprehensive Review)
- enable ASIO to communicate information to a Commonwealth agency, a state or an authority of a state under subsections 18(3) or 19A(4) of the ASIO Act, for the purposes of prescribed administrative action that is a decision relating to firearms licences and security guard licences
- enable new categories of ‘prescribed administrative action’ to be prescribed by the regulations (gives effect to recommendation 194 of the Comprehensive Review).
|
Schedule 1, Part 2 |
Divisions 1 and 2: The day after Royal Assent.
Divisions 3 and 4: At the same time as the commencement of the provisions in Schedule 1, Part 1, Division 2 of the Bill (see above).
|
Amends the ASIO Act to:
- provide that a decision under the Foreign Acquisitions and Takeovers Act 1975 does not constitute prescribed administrative action (gives effect to recommendation 197 of the Comprehensive Review)
- clarify the application of the definitions in section 35 throughout Part IV of the ASIO Act
- enable ASIO to make a preliminary communication to Commonwealth agencies, states or authorities of a state on an urgent and temporary basis, where the information could be used for the purposes of certain prescribed administrative action (gives effect to recommendation 198 of the Comprehensive Review)
- enable a Commonwealth agency to take certain prescribed administrative action as a matter of urgency on the basis of a communication made by ASIO not amounting to a security assessment, pending the furnishing of a security assessment.
|
Schedule 1, Part 3 |
The earlier of Proclamation or 6 months after Royal Assent. |
Amends the ASIO Act to:
- require ASIO to notify the Inspector-General of Intelligence and Security where certain security assessments are not furnished within 12 months (gives effect in part to recommendation 199 of the Comprehensive Review) and
- require the Director-General of ASIO to make a written protocol for dealing with delayed security assessments.
|
Schedule 2, Part 1 |
The day after Royal Assent. |
Amends the Intelligence Services Act 2001 (IS Act) to:
- provide that the Director-General of the Australian Secret Intelligence Service (ASIS) and Director-General of the Australian Signals Directorate (ASD) can authorise the use of a Commonwealth authority as the cover employer for staff members of ASIS and ASD, or former staff members of ASIS and ASD, including where the person became a staff member before the amendments commence or requires cover employment for a period that occurred before the amendments commence. The amendments will also provide an immunity from criminal liability for persons who facilitate, or provide support in furtherance of those cover arrangements. This gives effect to recommendation 70 of the Comprehensive Review.
Amends the ASIO Act to:
- provide that the Director-General of ASIO can authorise the use of an authority of the Commonwealth as the cover employer for ASIO employees and affiliates, or former ASIO employees and affiliates, including where the person became an employee or affiliate before the amendments commence or requires cover employment for a period that occurred before the amendments commence. This gives effect to recommendation 71 of the Comprehensive Review.
|
Schedule 2, Part 2 |
The day after Royal Assent. |
Amends the IS Act to consolidate secrecy offences which are aimed at protecting the identity of staff members of agencies that are regulated by the IS Act (namely ASIS, ASD, the Australian Geospatial-Intelligence Organisation (AGO) and the Defence Intelligence Organisation (DIO)). This gives effect to recommendation 143 of the Comprehensive Review. |
Schedule 2, Part 3 |
The day after Royal Assent. |
Amends the Administrative Appeals Tribunal Act 1975 (AAT Act) and the Archives Act 1983 to make exempt records that identify ASIO or ASIS employees or affiliates. This gives effect to recommendation 190 of the Comprehensive Review. |
Schedule 2, Part 4 |
The day after Royal Assent. |
Amends the ASIO Act, and makes consequential amendments to a number of other Commonwealth Acts, to:
- strengthen the protection of identities of ASIO employees or ASIO affiliates, by modernising and updating the publication offence under section 92 of the ASIO Act
- create a new offence relating to the disclosure of the identity of ASIO officers and affiliates, to bring them into closer alignment with those afforded to ASIS officers under the IS Act.
|
Schedule 3, Part 1 |
The day after Royal Assent. |
Amends the IS Act to:
- adjust the sequencing of the ministerial authorisation process to enable the Minister for Foreign Affairs and the Minister for Defence to authorise ASIS, ASD and AGO to undertake activities relating to an Australian person (who is likely to be involved in activities likely to be a threat to security) and then seek the Attorney-General’s agreement to the authorisation (which still must be obtained, either orally or in writing, before the authorisation takes effect). This gives effect to recommendation 2 of the Comprehensive Review
- clarify that the Minister for Foreign Affairs and the Minister for Defence can authorise ASIS, ASD and AGO to undertake activities relating to an Australian person who is likely to be involved in activities that present a risk to their own safety, or are themselves involved in activities relating to a contravention of a UN sanction enforcement law.
|
Schedule 3, Part 2 |
The day after Royal Assent. |
Amend the ASIO Act and the Telecommunications (Interception and Access) Act 1979 (TIA Act) to remove the ability for a junior Minister to exercise a power under these Acts. This gives effect to recommendation 17 of the Comprehensive Review. |
Schedule 3, Part 3 |
The day after Royal Assent. |
Amend the ASIO Act to permit only the Director-General of ASIO to apply for an authority to conduct a special intelligence operation on behalf of ASIO. This gives effect to recommendation 68 of the Comprehensive Review. |
Schedule 4, Part 1 |
The day after Royal Assent. |
Amend the ASIO Act to allow the Director-General of ASIO to delegate their power or function to furnish non-prejudicial security clearance suitability assessments to an ASIO employee or affiliate irrespective of what position within ASIO the person holds. |
Schedule 4, Part 2 |
At the same time as the commencement of the provisions in Schedule 1, Part 3 of the Bill (see above). |
Amend the ASIO Act to:
- require ASIO to notify the Inspector-General of Intelligence and Security (IGIS) where certain security clearance decisions and security clearance suitability assessments are not made or furnished within 12 months (gives effect in part to recommendation 199 of the Comprehensive Review)
- require the Director-General of ASIO to make a written protocol for dealing with delayed security clearance decisions and delayed security clearance suitability assessments.
|
Background
Australia’s National Intelligence Community
Australia’s National Intelligence Community (NIC) is collectively made up of a number of agencies and departments that operate under a range of Commonwealth legislation. The Australian Intelligence Community (AIC) was initially comprised of six agencies:
- Australian Geospatial-Intelligence Organisation (AGO)
- Australian Signals Directorate (ASD)
- Australian Secret Intelligence Service (ASIS)
- Australian Security Intelligence Organisation (ASIO)
- Defence Intelligence Organisation (DIO) and
- Office of National Intelligence (ONI).
The 2017 Independent Intelligence Review led to the creation of the NIC, consisting of the six members of the AIC, plus the following law enforcement agencies/department:
- Australian Criminal Intelligence Commission (ACIC)
- Australian Federal Police (AFP)
- Australian Transaction Reports and Analysis Centre (AUSTRAC) and
- Department of Home Affairs (Home Affairs).[1]
As noted in the Comprehensive Review:
The NIC brings together within the one framework those agencies that need to work closely together in the national interest. However, the additional four are not intelligence agencies per se, having a range of law enforcement, regulatory and policy responsibilities.[2]
The ability of NIC agencies to share information is primarily guided by the core legislation under which each agency operates, though is also regulated by information sharing provisions in other Commonwealth legislation (for example, the Telecommunications (Interception and Access) Act 1979).
Accountability and oversight bodies
Australia’s current accountability and oversight framework for the NIC consists ‘of a number of specialised bodies independent of the Government and each other and the agencies they oversee’.[3] These include:
While the NIC has expanded, it has continued to operate with the same ‘oversight and accountability framework’, which has not ‘been reformed since the formation of the community’, as the Attorney-General noted in his second reading speech for the Intelligence Services Legislation Amendment Bill 2023, which is currently before the Parliament. That Bill addresses several key recommendations from the 2017 Independent Intelligence Review and the 2020 Comprehensive Review of the Legal Framework of the National Intelligence Community with respect to amending current oversight arrangements.
Recent intelligence reviews
Independent reviews of Australia’s intelligence community are undertaken every five to seven years, with the most recent review undertaken in 2017. Detail on the 2017 Independent Intelligence Review, completed by Michael L’Estrange, Stephen Merchant and Sir Iain Lobban is available in a Parliamentary Library Briefing Book article on Intelligence community reforms. Additional information can be found in the Bills Digest for the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020 and the PJCIS report on that Bill and various submissions.
More recently, the 2023–24 Budget provided additional resourcing to the Department of the Prime Minister and Cabinet to support the next Independent Intelligence Review (p. 193), which is due in 2024 and will be undertaken by Dr Heather Smith and Richard Maude. The Terms of Reference for the 2024 Independent Intelligence Review were released in August 2023, and outlined that the review would be completed in the first half of 2024. The Review will consider:
- The impact of the implementation of the recommendations of the 2017 Independent Intelligence Review and the 2019 Comprehensive Review, including the benefits of the establishment of the Office of National Intelligence, the expansion to create the NIC, and the effectiveness and outcomes of the Joint Capability Fund;
- How effectively the NIC serves, and is positioned to serve, national interests and the needs of Government, including in response to the recommendations of recent reviews relevant to defence and security, and the evolving security environment;
- The status, risks and potential mitigations of major investments in the NIC since 2017;
- Topics identified by the 2019 Comprehensive Review for consideration by future reviews, and whether further legislative changes are needed;
- Whether workforce decisions by the NIC at both the agency and community levels reflect a sufficiently strategic response to current and future workforce challenges, anticipate future capabilities of other states so we are best positioned to counter threats, are in line with the Australian Public Service commitments to diversity and inclusion and offer options if recruitment targets cannot be met;
- NIC preparedness in the event of regional crisis and conflict;
- Whether the use of the classification system by the NIC achieves the right balance between protecting sensitive information and providing decision making advantages to policy makers and operators; and
- Whether current oversight and evaluation mechanisms are effective and consistent across the NIC.
Comprehensive Review
The unclassified report of the 2020 Comprehensive Review of the Legal Framework of the National Intelligence Community, (Comprehensive Review) was released publicly in December 2020 and represented the first ‘wholesale review of the legislative framework’ underpinning NIC work.[4]
The Comprehensive Review’s focus on national intelligence legislation responded to recommendation 15 from the 2017 Independent Intelligence Review which stated:
A comprehensive review of the Acts governing Australia’s intelligence community be undertaken to ensure agencies operate under a legislative framework which is clear, coherent and contains consistent protections for Australians. This review should be carried out by an eminent and suitably qualified individual or number of individuals, supported by a small team of security and intelligence law experts with operational knowledge of the workings of the intelligence community.[5]
The Terms of Reference for the Comprehensive Review focused on making improvements to Commonwealth legislation, in order to, amongst other things:
- facilitate the general co-ordination and appropriate control and direction of each agency comprising the NIC in relation to the exercise of intelligence powers and functions, and of the NIC as a whole
- support the effective co-operation, liaison and sharing of information between NIC agencies, and between NIC agencies and Commonwealth, state, territory, foreign government and other partners, for intelligence purposes
- support the intelligence purposes, functions, administration and staffing (including recruiting) of each agency comprising the NIC
- provide for accountability and oversight that is transparent and as consistent across the NIC agencies as is practicably feasible.[6]
The Comprehensive Review noted that the legislative framework within which NIC agencies operate is complex, in some cases unnecessarily so, and made a number of recommendations ‘designed to alleviate unnecessary complexity’.[7] However, the Review also stated that ‘in other areas, it is necessary for the legislative framework to be complex, given it is designed to strike a balance between individual rights and collective security’:
Too often during the Review, proposals to ‘clarify’ or ‘streamline’ legislation amounted to no more than a bid to extend powers or functions. Government should be sceptical of calls for legislative clarity—very often such claims do not withstand even modest inquiry.[8]
A range of Bills have previously responded to the Comprehensive Review’s 203 recommendations. In addition to information contained in the Bills Digests for the Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020 and the Intelligence Services Legislation Amendment Bill 2023, further context can be found in Bills Digests listed below for earlier Bills specifically addressing the Comprehensive Review’s recommendations:
While there does not appear to be a formal record of which recommendations have been implemented, in April 2023 the Government stated that as of January 2023, 30 of the 203 recommendations from the Richardson Review had been implemented, 53 did not require implementation and 120 (including the 10 in the National Security Legislation Amendment (Comprehensive Review and Other Measures No. 2) Bill 2023 which has now been enacted) remained ‘in progress’.[9]
Committee consideration
Parliamentary Joint Committee on Intelligence and Security
On 7 December 2023, the Bill was referred to the PJCIS for inquiry and report. Details of the inquiry are at Review of the National Security Legislation Amendment (Comprehensive Review and Other Measures No. 3) Bill 2023.
Senate Standing Committee for the Scrutiny of Bills
The Committee considered the Bill in its Scrutiny Digest 1 of 2024 and made substantial comments in relation to the reversal of the burden of proof with respect to proposed subsection 92(2) of the ASIO Act, at item 39 of Schedule 2 (this is discussed in more detail in the ‘Key issues and provisions’ section of this Bills Digest).[10]
Policy position of non-government parties/independents
At the time of writing, the Bill does not appear to have attracted public comment from non‑government parties and independents.
Position of major interest groups
At the time of writing, the Bill does not appear to have attracted public comment from major interest groups.
Financial implications
The Government advises that the Bill has nil financial impacts (p. 4).
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[11]
Parliamentary Joint Committee on Human Rights
With respect to the changes to secrecy offences in Schedule 2, the Parliamentary Joint Committee on Human Rights (PJCHR) noted that these amendments engage and limit the right to freedom of expression, however:
…noting the proposed amendments do not expand the scope of existing secrecy offences and the government’s recent agreement to implement the recommendations of the Attorney-General’s Department’s Review of Secrecy Provisions Final Report, the committee makes no comment on these proposed amendments at this stage.[12]
The PJCHR also noted the changes in Schedule 3 and reiterated its previous comments regarding the human rights compatibility of ministerial authorisations for intelligence activities. [13] The PJCHR has previously stated that these measures may engage and limit the rights to privacy, equality and non-discrimination and life. While these rights may be subject to permissible limitations if they are shown to be reasonable, necessary, and proportionate, the PJCHR has previously raised questions about the proportionality of limitations with respect to ministerial authorisations for intelligence activities.[14]
Key issues and provisions
Schedule 1 of the Bill – ASIO security assessments
Part IV of the ASIO Act authorises ASIO to conduct security assessments. As explained in the Comprehensive Review, a security assessment is essentially:
- an external written communication
- furnished by ASIO
- to a state or Commonwealth government body
- in relation to a person (including a body corporate)
- which contains a recommendation, opinion or advice on:
- whether it would be consistent with the requirements of security for prescribed administrative action to be taken, or
- whether the requirements of security make it necessary or desirable for prescribed administrative action to be taken in respect of a person.[15]
There are three kinds of security assessments:
- non-prejudicial assessments—which are not prejudicial to a person’s interests
- qualified assessments—which contain information that is, or could be, prejudicial to a person’s interests, but do not make a recommendation that certain action be taken in relation to that person which, if implemented, would be prejudicial to the person’s interests and
- adverse assessments—which contain information that is, or could be, prejudicial to a person’s interests, and make a recommendation that certain action be taken in relation to that person which, if implemented, would be prejudicial to the person’s interests.[16]
Qualified and adverse security assessments are known as ‘prejudicial’ security assessments and generally attract rights of notice and review through the Administrative Appeals Tribunal (AAT).[17]
While one of ASIO’s core functions is to communicate intelligence for purposes relevant to security to appropriate persons,[18] the ASIO Act prohibits:
- a Commonwealth agency from taking prescribed administrative action on the basis of any communication made by ASIO in relation to a person which does not amount to a security assessment and
- ASIO from making any communication to a state, which it knows is intended or likely to be used by that state in considering prescribed administrative action against a person, except in the form of a security assessment.[19]
However, a Commonwealth agency may take temporary action on the basis of such a communication from ASIO if it is necessary for the requirements of security pending ASIO’s assessment.[20] The ASIO Act does not define ‘temporary action’ for the purposes of making such a communication.
Common examples of actions that amount to ‘prescribed administrative action’ include decisions to:
Key provisions
Changes to prescribed administrative action
The key provisions in Schedule 1 of the Bill respond to several of the recommendations of the Comprehensive Review and amend the ASIO Act to make changes to what constitutes a prescribed administrative action. These include:
- recommendation 193, relating to extending the definition of prescribed administrative action to include decisions relating to parole, firearms licences and security guard licences (see proposed paragraphs 35(1)(g) and (h), at item 1 of Schedule 1)[22]
- recommendation 194, about enabling new categories of ‘prescribed administrative action’ to be prescribed by the regulations (see proposed paragraphs 35(1)(i) and proposed section 36AA, at items 6 and 7 of Schedule 1)[23] and
- recommendation 197, about excluding decisions under the Foreign Acquisitions and Takeovers Act 1975 from the definition of ‘prescribed administrative action’ (see proposed subsection 35(1A), at item 11 of Schedule 1).[24]
With respect to the new power to make regulations to allow new categories of ‘prescribed administrative action’, an action may only be prescribed where it has the potential to affect an individual’s liberty or livelihood and matters relating to security would be a primary consideration in deciding to take that action. This reflects the views put forward in the Comprehensive Review on which types of ASIO communications should be subject to the notification and review rights in Part IV of the ASIO Act.[25]
The PJCIS must review any regulations as soon as possible after they are they are made and provide a report to each House before the end of the relevant disallowance period (see proposed subsection 36AA(2), at item 7 of Schedule 1). Proposed subsections 36AA(3) and (4) extend the applicable disallowance period for the regulations, depending on when the PJCIS provides its report under proposed subsection 36AA(2). According to the Explanatory Memorandum, this will ensure that each House of Parliament has at least a week from when the report is tabled in that House to consider the regulations in light of the Committee’s comments and recommendations (p. 22).
Temporary actions by Commonwealth agencies
Currently a Commonwealth agency may take action of a temporary nature on the basis of a preliminary communication by ASIO (that is, a communication which is not provided in the form of a security assessment) to prevent:
- access by a person to any information or place, access to which is controlled or limited on security grounds or
- a person from performing an activity in relation to, or involving, a thing (other than information or a place), if the person's ability to perform that activity is controlled or limited on security grounds
if the Commonwealth agency is satisfied that the requirements of security make it necessary to take that action as a matter of urgency, pending the furnishing of an assessment by ASIO.[26]
The ASIO Act is silent on what would constitute action of a temporary nature and there do not appear to be any grounds of recourse where a person has suffered harm as a result of a temporary action (though a person could make a complaint to the IGIS).
The provisions in Division 4 of Part 2 of Schedule 1 would amend the ASIO Act to provide that a Commonwealth agency may take action:
- that is of a temporary nature and is of a kind referred to in paragraphs (g) and (h) of the definition of prescribed administrative action in subsection 35(1) (being decisions relating to parole, firearms licences and licences to work as a security guard)
- that is of a temporary nature and is prescribed administrative action of a kind referred to in paragraph (i) of the definition of prescribed administrative action in subsection 35(1) and has been prescribed in the regulations (the new classes of prescribed administrative action discussed above)
if on the basis of a preliminary communication by ASIO, the Commonwealth agency is satisfied the requirements of security make it necessary to take action as a matter of urgency, pending the furnishing of a security assessment.
Preliminary communication to states
The provisions in Division 3 of Part 2 of Schedule 1 of the Bill will also amend the ASIO Act to make changes to how ASIO can communicate information to relevant parties. Currently Part IV of the ASIO Act treats the communication of security advice by ASIO in urgent circumstances differently depending on whether that advice is being communicated to a Commonwealth agency, or a state or territory agency.
Recommendation 198 of the Comprehensive Review outlined that amendments to the ASIO Act were required to ensure that ASIO could communicate information to a state or territory agency in an urgent manner where the requirements of security make it necessary to take action of a temporary nature pending the furnishing of a security assessment.[27] Proposed subsections 40(1A) and (1B), at item 18 of Schedule 1 will allow ASIO to make a preliminary communication (that is, a communication which is not provided in the form of a security assessment), whether directly, or indirectly through a Commonwealth agency, to a state or an authority of a state for the purpose of enabling that state or authority to take certain temporary action, where it would be necessary as a matter of urgency to take that action.
Recommendation 198 also outlined that as provided for when communicating information to a Commonwealth agency, a security assessment must be subsequently furnished by ASIO to the state or territory agency to which it has provided, directly or indirectly, the preliminary information. This is reflected in the proposed amendments. However, no time limit is imposed with respect to when the security assessment must be provided, although the Explanatory Memorandum states a security assessment should be done ‘as soon as reasonably practicable (p. 25).
Notification of delayed security assessments
The provisions in Part 3 of Schedule 1 of the Bill will amend the ASIO Act to require that ASIO notify the IGIS when there have been delays of more than 12 months to finalise a security assessment. These provisions partly address recommendation 199 of the Comprehensive Review, which stated:
The Australian Security Intelligence Organisation Act should be amended to require ASIO to notify the IGIS in every instance where it has taken more than 12 months to finalise a security assessment, and subject to the requirements of security, notify the individual in writing of their ability to make a written complaint under the Inspector-General of Intelligence and Security Act. If the requirements of security do not permit notification of the individual, IGIS must be notified of this fact.[28]
The Review outlined that having a reporting requirement to the IGIS, and a notification to the affected individual, balanced ‘the need to allow ASIO to carefully consider complex cases in the interests of security with the right of the individual to have that assessment finalised in a timely manner’.[29] The Review further noted that ‘[g]iven such a high proportion of these complex cases ultimately result in non-prejudicial assessments, it is particularly important that the individuals the subject of the assessments understand the options available to facilitate their conclusion’.[30]
The previous Government’s response to the Comprehensive Review did not agree with the recommendation that ASIO notify the individual of their ability to make a complaint to the IGIS:
IGIS will be given greater visibility of lengthy security assessments and will be able to consider the reasons for, and reasonableness of, the delay in finalising them through the requirement for ASIO to notify the IGIS. This approach avoids any risk of individuals and their associates gaining an understanding of the precise prioritisation of ASIO’s categories of security assessments, which may allow those people to modify their behaviour and activities to obscure matters of security interest. The Review’s recommendation that ASIO notify individuals of their ability to make a complaint to the IGIS was intended to ensure that individuals were aware of this right. As such, the Government considers that the most appropriate solution is for individuals to be better alerted to that right, for example through changes to relevant application forms or guidance material.[31]
Part 2 of Schedule 4 of the Bill makes similar amendments with respect to delayed security clearance decisions and security clearance suitability assessments.
The provisions also set out authorisation requirements, providing that an ASIO employee or affiliate at a rank equivalent to or higher than SES can be authorised by the Director-General of Security, in writing, to authorise ASIO to ‘make a preliminary communication to a state or an authority of a state’ if they are ‘satisfied the requirements of security make it necessary as a matter of urgency for the state or authority to take’ urgent temporary action’ (proposed subsection 40(4), at item 21 of Schedule 1).
Key issues
Exceptions to communications relating to security guard licences and firearms licences
Items 3 and 4 of Schedule 1 of the Bill create exceptions to the restrictions in subsections 39(1) and 40(2) of the ASIO Act which prevent Commonwealth agencies:
- from taking, refusing to take or refraining from taking prescribed administrative action on the basis of communications by ASIO that does not amount to a security assessment and
- from furnishing information, recommendations, opinions or advice (except in the form of a security assessment) to states or authorities of a state where ASIO knows the state or authority intends or is likely to use the recommendation, opinion or advice in considering prescribed administrative action
with respect to communications relating to security guard licences and firearms licences.
These exceptions will allow ASIO to communicate information to authorities of the Commonwealth or state that ASIO has received in the course of ASIO performing its functions where the information relates to the commission or intended commission of a serious crime, communications in the national interest or for the purposes of co-operating with or assisting another body in the performance of that body’s functions. It is unclear whether this is in line with the intention of recommendation 193 of the Comprehensive Review, particularly given the proposed provisions in the Bill which expand the ability of ASIO to make preliminary communications to Commonwealth and state agencies.
Expansion of the ability of a Commonwealth Agency to take temporary actions
While providing for the need for a high level of authorisation for the communication of preliminary information, the ASIO Act does not set out any requirements for mandatory record keeping or reporting to IGIS or for detailing in an annual report the number of such urgent communications made to state and/or Commonwealth authorities per year, and whether security assessments were subsequently provided and the time frame in which they were completed. Instead, the use of such provisions is reviewed by the IGIS as part of its inspection and compliance monitoring functions.[32]
The ASIO Act also does not identify avenues for recourse for any person adversely affected by a temporary action or actions undertaken by a Commonwealth entity because of an ASIO communication that was incorrect and/or based on judgements that were wrong.[33] The broad scope of ‘temporary actions’ within the provision (not only in terms of current prescribed administrative action but also in the future as a result of regulation-making power) means that it is possible that a person could be adversely affected as a result of a communication that was based on incorrect information or judgements, and have few if any review or appeal rights.
Compliance with Australia’s trade and investment treaties
The Bill will exempt ASIO’s security assessments prepared for the purpose of advising the Foreign Investment Review Board on whether an investment is in Australia’s national interest from the notification and review requirements in Part IV of the ASIO Act. While this implements recommendation 197 of the Comprehensive Review, in making the recommendation Dennis Richardson noted it would ‘need to be tested against the detail of each of Australia’s trade and investment treaties’.[34]
While Australia’s more modern trade and investment agreements exclude its foreign investment policy from investment law claims brought by foreign investors (and in some cases foreign states), some of the older treaties do not offer the same level of protection.[35]
Schedule 2 of the Bill – Protecting identities of employees within the NIC
Key provisions and issues
Cover arrangements for ASIS, ASIO and ASD officers
Provisions in the IS Act and ASIO Act make it an offence to identify a person (including a person identifying themself) as a current or former ASIS or ASIO employee or affiliate or to make public information from which their identity could reasonably be inferred.[36] As noted in the Comprehensive Review, these provisions are necessary to protect the identity of ASIS and ASIO officers from hostile foreign intelligence services.[37]
To avoid breaching these provisions, ASIS and ASIO officers use a cover employer (usually a Commonwealth department) in a wide range of personal situations where the person’s employer needs to be provided, including for banking and insurance purposes.[38] Concerns were raised by ASIS as part of its submission to the Comprehensive Review that such arrangements may be in breach of relevant provisions in the Criminal Code which prevent a person from falsely representing themselves as a Commonwealth officer in a particular capacity. While the Review did not agree with these concerns, it supported greater clarity on this issue and therefore recommended that the relevant legislation be amended to allow ASIS and ASIO officers to use cover identities as authorised by the Director-General of the relevant agency (recommendations 70 and 71).[39]
Part 1 of Schedule 2 of the Bill will amend the IS Act and ASIO Act to give effect to these recommendations. However, the proposed amendments will also allow the Director-General of the Australian Signals Directorate (ASD) to authorise the use of a Commonwealth authority as the cover employer for staff members of ASD, which was not specifically recommended as part of the Comprehensive Review. While the Comprehensive Review considered the merits of introducing a specific secrecy offence prohibiting the disclosure of information identifying an ASD employee, it recommended that such an offence was not required at this time.[40] This was due to there being ‘no risk to the life or safety of informants and sources (which provides strong justification for these offences for ASIO and ASIS) in the case of ASD due to the different nature of its work’.[41]
Exemption from the Archives Act
The Archives Act creates an access regime under which members of the public (either by request or through public release) can access Commonwealth records after a certain period, which applies to all NIC agencies. There are broad exemptions that apply with respect to the release of information, which include information or a matter that:
- could cause damage to the defence, security or international relations of the Commonwealth
- was communicated in confidence from a foreign entity and that entity confirms its ongoing confidentiality (which would be reasonable to maintain)
- would constitute a breach of confidence
- would or could reasonably be expected to prejudice the conduct of an investigation, reveal a confidential source or endanger the physical safety of any person
- would or could reasonably be expected to prejudice the fair trial of a person, affect enforcement of law or protection of public safety and
- would involve the unreasonable disclosure of information relating to the personal affairs of any person.[42]
The National Archives of Australia (NAA) is responsible for deciding on the release of records requested under the Archives Act. If an applicant is dissatisfied with the decision, they can seek internal review followed by a review by the AAT. The NAA holds many ASIO records on the investigation and surveillance of people, groups and organisations.[43]
The Comprehensive Review considered the existing exemptions under the Archives Act, including whether there should be a class exemption under the Act for documents that reveal the identities of ASIS and ASIO staff members or agents and other sensitive material relating to intelligence agencies. While some submitters argued for a class exemption for intelligence documents more broadly, the Review did not support this and instead recommended that only the identities of ASIO and ASIS staff members and agents should be protected from disclosure under the Archives Act (recommendation 190).[44] The provisions contained in Schedule 3 of Part 2 of the Bill amend the AAT Act and the Archives Act to give effect to this recommendation.
In making this recommendation, the Comprehensive Review noted that the ‘Parliament has recognised that the identities of ASIS and ASIO officers are protected, to the point of creating an offence for disclosure’ and ‘archival exemption of ASIO and ASIS identities would be consistent with that policy intent and ensure it is given full effect’.[45]
Protecting the identity of ASIO employees and ASIO affiliates
As discussed above, section 92 of the ASIO Act currently prohibits the publication of information about an ASIO employee or ASIO affiliate except where the Minister or the Director-General of ASIO has consented to its publication. Currently section 92 outlines certain methods of publication which do not include more modern means of communication, such as social media.
Item 39 of Schedule 2 of the Bill will repeal and replace section 92 to modernise the publication offence by removing reference to specific types of publication in favour of a blanket inclusion of all publication methods. As stated in the Explanatory Memorandum:
The existing designation of specific methods of publication rather than a blanket inclusion of all methods resulted in a potential gap in the legislation whereby methods of publication not specifically mentioned may not be considered as an offence. (p. 14)
These amendments follow the inadvertent publication of the name of an ASIO officer by Annastacia Palaszczuk’s office as part of the routine online release of the then Premier’s diaries in 2019, which was then shared online and on other social media.[46]
Proposed subsections 92(2) and 92(3) introduce two exceptions with respect to the new offence in proposed subsection 92(1) which will allow a person to make public information about the identity of ASIO employees/affiliates where:
- the Minister or the Director-General has consented, in writing, to the information being made public (proposed subsection 92(2)) or
- the information relates to a person who is a former employee/affiliate, that person has consented to, caused or authorised the publication of the information and that person is not the person causing or permitting the information to be made public (proposed subsection 92(3)).
The Senate Scrutiny of Bills Committee raised concerns in relation to the reversal of the evidential burden of proof with respect to proposed subsection 92(2):
The committee notes that while written consent provided by the Minister or the Director-General, to making identifying information public, may only be made in exceptional circumstances, it is not clear to the committee why the evidential burden has been reversed in relation to this exception. It is not apparent to the committee that the Minister or the Director-General’s written consent would be a matter peculiarly within the defendant’s knowledge as the Minister or the Director-General would also have knowledge of such consent and would also be able to provide it as evidence if required. Further, it is not clear to the committee that obtaining or disproving such information would be significantly more costly or difficult for the prosecution.
The committee also notes that under existing subsection 92(1) of the ASIO Act, disproving the existence of written consent of the Minister or Director-General is an element of the offence of making information public that can identify an ASIO employee, former ASIO employee or ASIO affiliate. It is unclear to the committee why, in modernising the wording of the offence, it was necessary to create an additional defence, when previously it was sufficient for the matter to exist as an element of the offence.[47]
The Committee has sought the Minister’s advice on this matter.[48] The creation of the exception, instead of the current approach of having consent by the Minister/Director-General as an element of the offence, may also make it more challenging when dealing with a disclosure relating to the identity of a former ASIO officer whose identity has previously been disclosed as it may not be clear whether consent was provided. This may have implications for academics or journalists.
Proposed section 92 removes the exception that currently applies with respect to broadcasting or reporting of Parliamentary proceedings. It also clarifies the existing exception in subsection 92(1B) for publication of information relating to former ASIO employees or affiliates who have consented to the publication, or caused or permitted the information to be made public. Proposed subsection 92(3) clarifies that this exception does not apply if the person making the information public, or causing or permitting the information to be made public, is the former ASIO employee or affiliate. The Explanatory Memorandum explains the reasoning behind this change:
This change would ensure that former ASIO employees or affiliates cannot unilaterally publicly ‘self-declare’ their ASIO affiliation. When the existing subsection 92(1B) exception was first conceived, a self-declaration would not necessarily have an impact on other officers or affiliates around them. Modern technology, however, has meant this is no longer the case, and it is now necessary to clarify the operation of this exception.
If a former ASIO employee or affiliate were to publicly self-declare their association with ASIO, other ASIO employees or affiliates around them who are digitally linked to them, whether through social media or other digital means, can be discovered. Public self-declarations are not only the business of the former ASIO employees or affiliates, and it is necessary to clarify the operation of the exception so that it is clear it cannot be relied upon by former ASIO employees or affiliates. Former ASIO employees or affiliates will still, however, be able to seek the permission of the Minister or Director-General to publicly declare their affiliation with ASIO. (p. 47)
In 2012, it was reported that ‘a survey by Fairfax Media has discovered more than 200 former and present intelligence officers who have disclosed their classified employment in profiles on LinkedIn, other professional networking sites and social media including Facebook and Twitter’.[49]
Item 39 of Schedule 2 of the Bill will also amend the ASIO Act to introduce proposed section 92A. Proposed subsection 92A(1) provides that a person commits an offence if they either disclose, or engage in conduct that results in the disclosure of, information that identifies or could reasonably lead to establishing the identity of, a current or former ASIO employee or ASIO affiliate, or such an identity could be reasonably inferred from the information. Proposed paragraph 92A(1)(c) provides that a person only commits the offence if they intend to, or the know the disclosure will, endanger the health or safety of a person, or intend to, or know that the disclosure will, prejudice the effective performance of the functions or duties, or the effective exercise of the powers of ASIO. The maximum penalty for breaching proposed section 92A is imprisonment for 10 years and a prosecution may only be commenced by, or with the consent, of the Attorney-General.
According to the Explanatory Memorandum (p. 48), the introduction of this offence brings protections for ASIO officers closer to those afforded to ASIS officers under section 41 of the IS Act. However, section 41 of the IS Act does not include the additional elements of the offence specified in proposed paragraph 92A(1)(c). According to the Explanatory Memorandum (p. 48), ‘this is appropriate given the differing operating contexts of ASIO and ASIS employees and affiliates’. However, the reference to prejudicing the ‘effective performance of ASIO’s functions and duties, or the effective exercise of ASIO’s powers’ in proposed paragraph 92A(1)(c) may be construed widely and arguably some forms of public interest journalism or academic publication may be captured by the new offence. It is also not clear whether a disclosure relating to the identity of a former ASIO officer whose identity has previously been disclosed with the written consent of the Attorney-General/Director-General would be captured by proposed subsection 92A where the disclosure may be argued as endangering the health or safety of a person, or prejudicing the effective performance of the functions or duties, or the effective exercise of the powers of ASIO.
The creation of this new offence was also not recommended as part of the Comprehensive Review, which examined the current secrecy offences,[50] with the Explanatory Memorandum stating it is necessary ‘in light of the deteriorating security environment’ (p. 48). However, given the Comprehensive Review was finalised in December 2019 it is unclear how much has changed to warrant stronger protections for ASIO officers.
The Explanatory Memorandum also states that proposed sections 92 and 92A ‘have been developed with reference to the principles for framing secrecy offences agreed to by the Government to implement the Commonwealth Government’s Review of Secrecy Provisions Final Report’ (p. 46). The Final Report was released by the Government on 21 November 2023 and proposes 11 recommendations to guide future work to:
- reduce the number of secrecy provisions
- support a consistent approach to the framing of secrecy provisions
- maintain essential protections for Commonwealth information
- respond to stakeholder concerns about the impact of secrecy provisions on press freedom.[51]
Schedule 3 of the Bill – Authorisations for intelligence activities
Changes to the ministerial authorisation framework
Australia’s foreign intelligence agencies (ASIS, AGO and ASD) may, in certain circumstances, collect intelligence on Australians if they obtain a ministerial authorisation from the responsible minister.
Section 8 of the IS Act provides that the responsible Minister (the Foreign Minister for ASIS, and the Defence Minister for AGO or ASD) must issue a written direction, that amongst other things, must require the relevant agency to obtain an authorisation before undertaking activities for the specific purpose of producing intelligence on, or that will, or are likely to, have a direct effect on, an Australian person. The IS Act does not clarify what is meant by ‘direct effect’ and the Comprehensive Review noted that ‘submissions to the Review demonstrated differing interpretations across agencies about what constitutes a direct effect or a direct effect activity’.[52]
Section 9 of the IS Act provides that, before the responsible Minister may give an authorisation, the Minister must be satisfied of a number of matters, including that the Australian person (or class of persons) is, or is likely to be, involved in one or more of the following activities:
- activities that present a significant risk to a person’s safety
- acting for, or on behalf of, a foreign power
- activities that are, or are likely to be, a threat to security
- activities that pose a risk, or are likely to pose a risk, to the operational security of ASIS
- activities related to the proliferation of weapons of mass destruction or the movement of goods listed from time to time in the Defence and Strategic Goods List (within the meaning of regulation 13E of the Customs (Prohibited Exports) Regulations 1958)
- activities related to a contravention, or an alleged contravention, by a person of a UN sanction enforcement law
- committing a serious crime by moving money, goods or people
- committing a serious crime by using or transferring intellectual property or
- committing a serious crime by transmitting data or signals by means of guided and/or unguided electromagnetic energy.[53]
Pursuant to paragraph 9(1A)(b), before the Minister may give an authorisation in relation to a person who is, or is likely to be involved in activities that are, or are likely to be, a threat to security, they must first obtain the agreement of the Attorney-General. As stated in the Comprehensive Review:
The Attorney-General’s agreement under the IS Act is not, of itself, a ministerial authorisation. Only a responsible minister can authorise—and be accountable for—an IS Act agency’s activities. However, the Attorney-General’s agreement is an essential precondition before the responsible minister can give an authorisation where the subject of the authorisation is engaged, or likely to be engaged, in activities that are or are likely to be a threat to security.[54]
The Attorney-General’s agreement must also be sought prior to the Minister giving authorisation for an activity, or a series of activities, in relation to a class of Australian persons who are, or are likely to be involved with a listed terrorist organisation.[55]
Sections 9A, 9B, 9C and 9D of the IS Act prescribe the arrangements in the case of emergency, including where the Minister or Attorney-General are unavailable to make the authorisation or there is an imminent risk to the safety of an Australian person.
Changes to the sequencing of ministerial authorisations
The provisions in Part 1 of Schedule 3 to the Bill amend the IS Act to enable a Minister to give an authorisation to ASIS, AGO or ASD to undertake certain activities in respect of Australian persons, in circumstances where Australian persons are, or are likely to be, involved in activities that are, or are likely to be, a threat to security or, involved with a listed terrorist organisation, without first obtaining the agreement of the Attorney-General. This will still need to be obtained, however proposed subsections 9(1AAC) and (1AAD) will amend the IS Act to provide that the agreement of the Attorney-General can be provided before or after the authorisation of the Minister.
This reflects recommendation 2 of the Comprehensive Review which stated:
The sequencing of steps required in the Intelligence Services Act’s ministerial authorisation process should be adjusted to enable the responsible minister to authorise an Intelligence Services Act agency to produce intelligence on an Australian person and then seek the Attorney-General’s agreement to that authorisation. The authorisation would not take effect until the Attorney-General has given agreement.[56]
The Comprehensive Review stated that it had received evidence that ‘the agreement of the Attorney-General remains an absolutely critical check and balance when it comes to the activities of [IS Act] agencies in respect of Australians’.[57] However, the Review did not agree ‘that the Attorney-General’s role in the IS Act’s ministerial authorisation regime is an additional “check and balance” or protection for Australians from the IS Act agencies’ covert or intrusive powers’.[58] The Review took the view that the Attorney-General’s role is not intended to be a procedural safeguard but rather ‘is designed to provide visibility of proposed operational activities that relate to a threat to security to the minister charged with authorising warranted intelligence collection for security purposes by ASIO’ (this is discussed further below).[59]
The Comprehensive Review noted that the 2017 Intelligence Review had also recommended changing the sequencing to remove the requirement that the Attorney-General’s agreement be sought prior to the relevant Minister’s authorisation, arguing that this may also reduce the time required to process authorisations as the Attorney-General would be able to consider the submission at the same time as the relevant Minister.[60]
Expansion of circumstances where intelligence activities can be authorised
Item 1 of Schedule 3 will also repeal and replace subsection 9(1A) of the IS Act to clarify the circumstances when a Minister may authorise intelligence activities involving Australians. The amendments will clarify the current list of circumstances in subsection 9(1A) to explicitly include where Australian persons are involved in activities that present a significant risk to their own safety (not just another person’s safety) or where Australian persons are involved in activities relating to the contravention, or alleged contravention of a United Nations (UN) sanction enforcement law.[61]
The Explanatory Memorandum states that these amendments are intended to clarify that the current provisions in subsection 9(1A) include the above circumstances but does not provide any explanation for the need for this clarification or guidance on the types of scenarios they are intended to capture (pp. 52–53). The human rights implications of these proposed amendments are also not discussed in the Statement of Compatibility. As discussed above, these amendments would give intelligence agencies a broad remit to undertake intelligence activities on a person who is involved in activities that present a significant risk to their own safety and may include individuals who are undertaking public interest journalism in another country or undertaking academic research.
Changes to ministerial arrangements with respect to ASIO
ASIO can intercept telecommunications under warrants issued by the Attorney-General pursuant to the TIA Act. Warrants for the exercise of other intrusive powers, including searches, computer access and surveillance devices, can be issued pursuant to the provisions of the ASIO Act.
As noted in the Comprehensive Review, ‘ever since legislation has provided for powers for ASIO, the Attorney-General has been responsible for issuing warrants to ASIO’:
This approach was first reflected in the Telephonic Communications (Interception) Act 1960 (Cth) and recently reaffirmed in the Home Affairs and Integrity Agencies Legislation Amendment Act 2018 (Cth) which, among other things, amended the ASIO Act and Telecommunications (Interception and Access) Act 1979 (Cth) to retain the Attorney-General’s role in relation to warrants and related functions, following the move of ASIO to the Home Affairs portfolio. In contrast, the ASIO Act, as originally introduced in 1979, referred to the minister issuing ASIO warrants, and did not entrench a particular role for the Attorney-General—this was unnecessary given that the Attorney-General was, until May 2018, the minister responsible for ASIO and administration of the ASIO Act. [footnotes omitted][62]
The Comprehensive Review noted that the current arrangements provided for in the Acts Interpretation Act 1901 mean that references to the Attorney-General in the ASIO Act and TIA Act also include the acting Attorney-General or a junior portfolio minister.[63]
The Comprehensive Review stated that it ‘is not aware of any instance in which a junior minister has issued an ASIO warrant’.[64] However, the Review did not support the current arrangements:
The issuing of an ASIO warrant by a junior minister would represent a fundamental departure from the principles underpinning the ministerial warrant framework. Delegation of the Attorney-General’s power to issue ASIO warrants would effectively ‘bypass’ the First Law Officer, and would risk damage to public confidence in the level of control over ASIO’s activities and, ultimately, the legitimacy of the control framework.[65]
The Review made a number of recommendations to limit the ability of junior ministers to issues warrants, including recommendation 17:
The Australian Security Intelligence Organisation Act and any new electronic surveillance framework (incorporating existing authorities under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act and relevant parts of the Australian Security Intelligence Organisation Act) should provide that powers vested in the Attorney-General in respect of ASIO may only be exercised by the Attorney-General and not by a junior minister. As with section 3A of the Intelligence Services Act, references to the Attorney-General should continue to include a person acting as the Attorney-General.[66]
The provisions in Part 2 of Schedule 3 of the Bill amend the ASIO Act and TIA Act to provide that a reference to the Attorney-General in either of these Acts refers only to the Minister with that title or a person acting as the Attorney-General.
These amendments are in addition to amendments made by the National Security Legislation Amendment (Comprehensive Review and Other Measures No. 2) Act 2023, which implemented recommendations 18 and 19 of the Comprehensive Review to further limit the delegation of the Attorney-General’s powers with respect to ASIO warrants.
Concluding comments
One of the terms of reference for the 2024 Independent Intelligence Review is to examine the impact of the recommendations arising from the 2017 Independent Intelligence Review and the 2019 Comprehensive Review. However, the piece-meal approach taken by governments in implementing recommendations from the Comprehensive Review has made it challenging to identify the overall status of these reforms and what remains to be implemented. This is made more challenging due to each of three main implementing Bills also including amendments that do not directly respond to recommendations from the Comprehensive Review.