4.1
This chapter summarises the Australian Criminal Intelligence Commission (ACIC) Annual Report 2019–20 (annual report) compliance requirements and assesses the ACIC against them. It provides an overview of ACIC activities and priorities, changes to its senior management committees, financial performance, and notable findings from the Commonwealth Ombudsman.
Annual report compliance
PGPA Act requirements
4.2
As a Commonwealth entity, the ACIC must comply with the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which requires Commonwealth entities provide an annual report to the responsible minister for presentation to the Parliament on the entity's activity during the reporting period. Under the PGPA Act, Commonwealth entities are required to prepare annual performance statements and include a copy of these statements in their annual reports tabled in the Parliament. The ACIC's annual performance statement appears in section 2 of the annual report.
4.3
The ACIC must also comply with the requirements in the Public Governance, Performance and Accountability Rule 2014. These requirements stipulate the format and specific content to be included in the annual report.
Australian Crime Commission Act 2002 (ACC Act) requirements
4.4
Section 61 of the ACC Act also sets out certain other requirements that must be met in an annual report by the ACIC Board, which is chaired by the Commissioner of the Australian Federal Police. Specifically, subsection 61(2) requires that the Chair of the Board's report should include:
(a)a description of any special ACC investigations undertaken during the year;
(b)a description, which may include statistics, of any patterns or trends, and the nature and scope, of any criminal activity that have come to the attention of the ACC during that year in the performance of its functions;
(c)any recommendations for changes in the laws of the Commonwealth, of a participating State or of a Territory, or for administrative action, that, as a result of the performance of the ACC's functions, the Board considers should be made;
(d)the general nature and the extent of any information furnished by the CEO during that year to a law enforcement agency;
(da)the general nature and the extent of any information disclosed by the CEO during that year to a body corporate under section 59AB;
(e)the extent to which investigations by the ACC have resulted in the prosecution in that year of persons for offences;
(ea)the extent to which investigations by the ACC have resulted in confiscation proceedings;
(g)particulars of the number and results of:
(ii)applications made to the Federal Court or the Federal Circuit Court under the Administrative Decisions (Judicial Review) Act 1977 for orders of review in respect of matters arising under this Act; and
(iii)other court proceedings involving the ACC; being applications and proceedings that were determined, or otherwise disposed of, during that year.
4.5
The Chair of the Board of the ACIC (the Board), Mr Reece Kershaw APM, presented the Board's annual report for 2019–20 to the Minister for Home Affairs on 17 March 2021, and the report was tabled in the Parliament on 25 June 2021. In conducting its examination, the committee did not seek to assess the Board's annual report. Nonetheless, in the process of conducting its examination, and in particular in conducting the public hearing, the committee received and considered evidence related to matters covered in the Board's report. For example, during the public hearing, the committee inquired into various matters that relate to trends in criminal activity that had come to the attention of the ACIC during the reporting year. In preparing this examination report, the committee also considered the content of the Board's report, while maintaining its focus on the ACIC's annual report.
Committee comment
4.6
Based on the committee's assessment, the ACIC's annual report meets the PGPA Act and Rule requirements. The annual report clearly indicates in a table at Appendix A where each of the PGPA requirements have been met.
Overview of ACIC activities in 2019–20
4.7
The annual report highlights a number of ACIC activities and priorities in the 2019–20 reporting year. These highlights included:
the discovery of 208 previously unknown targets;
the finalisation of 139 intelligence products containing examination material, and 153 analytical intelligence products;
the listing of six potential new Australian Priority Organisation Targets (APOTs);
the conduct of 157 examinations to discover new information about serious and organised crime;
the disruption of five APOTs to the point that they are no longer considered APOT-level threats, and disruption of 34 criminal entities;
68 entities involved in nine financial referrals totalling $22.2 million of offences;
260 charges laid and 106 people charged; and
the seizure of $3.1 billion in street value of drugs and precursors.
4.8
The report also highlights some of the critical ways in which the ACIC connects police and law enforcement to criminal intelligence and policing knowledge.
Senior management and committees restructure
4.9
A comparison of the 2019-20 annual report and previous annual reports suggests that in in 2019–20 the following committees were either abolished or renamed:
the Executive Leadership Group;
the Technology Governance Committee;
specific program and project boards; and
the National Consultative Committee.
4.10
The annual report discloses that the Project Governance Committee (formally the Technology Governance Committee) was expanded to include all non‑operational projects within the agency.
Committee comment
4.11
While the above changes are not of any particular concern to the committee, the ACIC might consider including or expanding information in future annual reports on similar committee and senior management changes.
Staff, retention and turnover
4.12
The annual report provides statistics on the ACIC's staffing profile. Comparisons of the average staffing levels (ASL), staff turnover and retention rates between 2016–17 and 2019–20 are provided in Table 2.1.
4.13
The ASL during 2019–20 was 737.22, plus 24 secondees funded by the ACIC and 19 secondees funded by other jurisdictions.
4.14
According to the annual report, during the 2019–20 reporting period, a total of 156 staff left the agency. The reasons for leaving were predominantly due to resignation (64), external transfers (42), and voluntary redundancies (21). Other reasons included retirement (10) and an external promotion (11). The average retention rate for 2019–20 was 81.0 per cent. This is consistent with the previous year, but represents a decrease compared to the 2016–17 and 2017–18 reporting periods.
4.15
Mr Michael Phelan, Chief Executive Officer of the ACIC, advised the committee at the April 2021 hearing that, despite a drop in ACIC revenues of approximately 30 per cent resulting from the COVID-19 pandemic (explained and discussed further below), the ACIC was able to avoid any job losses. This was achieved, in part, through a renegotiation of some external contracts, and making considered reductions in new investments in national policing information systems during the financial year.
Table 4.1: Comparison of the ACIC retention and turnover rates
|
|
|
|
|
|
|
781.69
|
118
|
88.9
|
|
|
780.06
|
130
|
87.3
|
|
|
745.61
|
170
|
80.9
|
|
|
737.22
|
156
|
81.0
|
Source: ACIC, Annual Report 2016–17, pp. 192 and 257; ACIC, Annual Report 2017–18, pp. 175 and 238; ACIC, Annual Report 2018–19, pp. 91 and 148; ACIC, Annual Report 2019–2020 pp. 96 and 104.
Committee comment
4.16
The committee is satisfied that the ACIC adjusted quickly and effectively to a significant and unexpected drop in revenue during the COVID-19 pandemic. Job losses were avoided, and the ACIC was able to maintain its core capabilities and continue delivering its critical services and products for the law enforcement community and other stakeholders. The committee congratulates the ACIC on its success in this regard.
4.17
The committee notes that the ACIC's retention rate of 81 per cent in 2019–20 is essentially unchanged from the 2018–19 year (80.9 per cent). Whether the drop from the higher rates of 2016–17 (88.9 per cent) and 2017–18 (87.3 per cent) years is meaningful or not is unclear, as the ACIC does not set out the impact of retention or movements in the retention rate on its capabilities. Similarly, the 2019–20 retention rate is included in the '2019–20 highlights' section at the front of the report (alongside a number of other metrics), but it is not explained why this result has been highlighted, how it compares to other reporting years, or how it compares to the retention rates of similar agencies. The committee does not have any specific concerns regarding either the 2019–20 result or recent trends. However, the committee considers that future annual reports would benefit from some explanatory context on this matter, including the impact (if any) of the retention rate on ACIC capabilities and any steps the ACIC may be taking in relation to staff retention.
Diversity and inclusion
4.18
The annual report notes the ACIC is committed to 'creating an environment that respects and values the expertise, experiences and abilities of all our employees'. During the reporting period, the ACIC had four diversity action plans: gender equality, people from culturally and linguistically diverse backgrounds, Aboriginal and Torres Strait Islander people, and people with a disability.
4.19
In the 2019–20 reporting year, ACIC developed the Diversity Action Plan Progress Scorecard 'to summarise and report on progress against the action plans'. At the time of writing, the Scorecard does not appear to be publicly available on the ACIC's website.
Gender
4.20
At first glance, the ACIC's gender balance appears very positive, with women making up 49.6 per cent of staff in the organisation in the 2019–20 period. However, when considering gender balance by job classification, it is apparent that there is an underrepresentation of women in more senior roles at the ACIC. According to the annual report, woman make up 64.3 per cent of staff in APS levels 1-6, but only 35.7 per cent at the Executive Level (EL) and Senior Executive Service (SES) level. This imbalance has been relatively unchanged across recent reporting years at the ACIC, as is apparent in the four years of data presented below in Table 2.2.
Table 4.2: Gender balance progress at the ACIC
|
|
|
|
|
|
|
50.86
|
34.76
|
66.50
|
|
|
49.40
|
32.99
|
66.16
|
|
|
49
|
33.16
|
65.46
|
|
|
49.6
|
35.7
|
64.3
|
Source: ACIC, Annual Report 2016–17, pp. 192 and 257; ACIC, Annual Report 2017–18, pp. 175 and 238; ACIC, Annual Report 2018–19, pp. 91 and 148; ACIC, Annual Report 2019–20, pp. 99-100.
4.21
While the percentage of women in the ACIC is lower than the APS overall (49.6 per cent, compared to 60 per cent), it is noteworthy that in the APS as a whole, women are at or above parity at the EL 1 (53.6 per cent), EL 2 (48.9 per cent), and SES Band 1 (49.9 per cent) levels, albeit with lower representation at the higher SES Band 2 and 3 levels (42 per cent and 45.1 per cent, respectively). By way of comparison, at the ACIC women in 2019–20 made up 35.52 per cent of EL 1 staff (103 of 290), 33.33 per cent of EL 2 staff (26 of 78), 21.43 per cent of SES Band 1 staff (3 of 14) and 50 per cent of SES Band 2 staff (2 of 4) (the ACIC has no SES Band 3 staff).
4.22
The annual report sets out the various ways in which the ACIC, under its Gender Action Plan 2017–2020, is working to advance gender equality, including through the Gender Equality Pledge signed by members of the ACIC Executive.
Committee comment
4.23
The committee welcomes the information in the annual report on steps the ACIC is taking to improve gender equality, including specific initiatives in the reporting year. However, the annual report does not provide any guidance on how the ACIC is progressing in addressing the gender imbalance in more senior levels of its workforce, or what agency-specific barriers might exist that are relevant to such progress. The committee notes that the Diversity Action Plan Progress Scorecard, developed in 2019–20, might provide some insight into the ACIC's progress in this respect.
Cultural and linguistic diversity
4.24
In 2019–20, 16 per cent of ACIC employees indicated that Australia is not their country of birth, 8 per cent do not speak English as their first language, and 15 per cent self-identified as being from a non-English speaking background. Table 2.3 provides a comparison of these numbers over recent reporting years.
Table 4.3: Comparison of cultural diversity date
|
|
|
|
|
|
|
|
22.8
|
8.3
|
N/a
|
1.23
|
|
|
15.9
|
14.79
|
N/a
|
1.64
|
|
|
16
|
15
|
22
|
1.6
|
|
|
16
|
8
|
15
|
1.2
|
Source: ACIC, Annual Report 2016–17, pp. 193–194; ACIC, Annual Report 2017–18, p. 176; ACIC, Annual Report 2018–19, pp. 92–93; ACIC, Annual Report 2018–19, pp. 100–101.
4.25
The rate of Indigenous employment at the ACIC in 2019–20 was 1.2 per cent. By comparison, in 2020 Aboriginal and Torres Strait Islanders comprised 3.4 per cent of the APS overall. The annual report notes that the ACIC 'continues to look at ways to increase development and leadership opportunities for Indigenous staff, including career development'.
4.26
In April 2018, the ACIC launched its Reconciliation Action Plan 2018–20 (RAP). According to the RAP, the ACIC 'will make a meaningful contribution to reconciliation with practical actions and goals to drive greater equality and understanding of Aboriginal and Torres Strait Islander culture'.
4.27
The final RAP report was released in November 2020. This report outlined the progress of the ACIC's reconciliation journey since 2018, and made a number of recommendations for future action.
4.28
The annual report also highlights specific initiatives pursued in 2019–20 under the RAP, including National Reconciliation Week and NAIDOC Week events, the use of an Acknowledgement of Country in all ACIC meetings, staff attendance at relevant conferences and reconciliation events, and participation in various Indigenous employment programs.
Committee comment
4.29
The committee commends the ACIC for its commitment to its reconciliation journey through the RAP 2018—20 and the achievements made through this process as highlighted in both the annual report and the RAP final report. The committee notes that the annual report made no mention of a future RAP. The committee nonetheless looks forward to hearing more from the ACIC in future annual reports on how it will continue to contribute to reconciliation going forward, and increase development and leadership opportunities for Indigenous staff at the ACIC.
Disability
4.30
The percentage of ACIC staff that identify as having a disability has declined slightly over the last four reporting periods. In the 2016–17 year, 2.7 per cent of ACIC employees identified as having a disability, moving to 2.4 per cent in 2017–18, 2.1 per cent in 2018–19, and 1.9 per cent in 2019–20.
4.31
The ACIC pursued a number of initiatives under the Disability Action Plan 2017–20 to help ensure its workplace is 'accessible and inclusive'. These included specific events focused on understanding and improving the experiences of people with disabilities, reviewing recruitment practices to ensure they are accessible and inclusive, maintaining a silver membership with the Australian Network on Disability, and participation in disability mentoring programs.
Committee comment
4.32
The committee reiterates the suggestion made in its examination of the 2018—19 ACIC Annual Report that the ACIC make a copy of the Disability Action Plan 2017–20 publicly available. This action would assist the committee in understanding the outcomes of the plan. The committee again considers it may be helpful for the ACIC to make publicly available the Diversity Action Plan Progress Scorecard (as discussed above in relation to gender diversity) or otherwise make publicly available relevant information from the Scorecard on progress against the Disability Action Plan.
Internal audits and risk management
4.33
The ACIC internal audit team, which is accountable to the CEO and the Audit Committee (discussed below), has three main responsibilities:
working with management to review enterprise risks, controls, governance, systems and processes;
identifying opportunities for innovation and efficiency; and
monitoring the implementation of audit outcomes.
4.34
In 2019–20, the ACIC internal audit team examined the following key areas:
information technology security;
work health and safety; and
4.35
As the annual report explains, in accordance with responsibilities under section 45 of the PGPA Act, the CEO of the ACIC has established and maintains an independent Audit Committee, the authority of which is established under a charter made available on the ACIC's website. During 2019–20, the Audit Committee met six times and reviewed areas including financial performance; internal and external audit reports; progress against audit recommendations; planning and performance frameworks and reporting; compliance with legislation; risk oversight and management; and ANAO activity.
Misconduct, fraud and corruption activity
4.36
The annual report summarises the features of the ACIC's Fraud and Corruption Control Plan and the process followed when fraud or corruption is suspected.
4.37
Where fraud or corruption is suspected, the matter may be subject to misconduct investigation, criminal investigation, or both. If sufficient evidence of a criminal offence is found, the matter may be referred to the Commonwealth Director of Public Prosecutions for consideration of criminal prosecution.
Committee comment
4.38
The report does not refer to whether there were any allegations of misconduct, fraud or corruption in the reporting period. If this was because no such allegations were made, a simple statement to that effect would have been useful for the sake of clarity and transparency. If such allegations were in fact made in the reporting period, the committee considers that it would have been appropriate for the ACIC to provide a breakdown on the number of allegations made and cases identified, again for the purpose of added transparency generally, and more specifically to ensure the committee is able to properly understand and assess the strength of the ACIC's fraud and corruption control processes. If there are reasons this information cannot be provided, it would assist if the ACIC could explain this in future annual reports.
Financial performance
4.39
The ACIC's financial result for 2019–20 was an operating surplus of $5.333 million. The annual report explains that with the exclusion of unfunded depreciation ($7.301 million), the impact of the new lease accounting standard ($1.934 million), and capital funding income ($15.399 million), the ACIC would have realised a loss of $0.831 million for the financial year.'
4.40
The ACIC's operating appropriation for 2019–20 was $103.841 million. $77.329 million was allocated for base funding, and the remaining $26.512 of tied funding was allocated as follows:
$1.647 million for the Australian Gangs Intelligence Coordination Centre;
$0.891 million to enhance physical security for all office buildings and personnel security capabilities, in response to the current heightened security threat;
$4.350 million to develop and enhance the ACIC's cybercrime intelligence and analysis capability in response to recommendations of the 2016 Cyber Security Review;
$0.359 million to support 24/7 operation of the Australian Cyber Security Centre to prevent and combat cyber security threats;
$1.194 million for the operation of the National Wastewater Drug Monitoring Program;
$4.569 million to support the deployment of surveillance capability;
$1.735 million to enhance the Criminal Intelligence Capability program and provide better training to the intelligence workforce for the ACIC and partner agencies; and
$11.767 million to develop the National Criminal Intelligence System (NCIS) Tranche 1 program.
4.41
In addition to the government appropriation detailed above, the ACIC had own source income totalling $140.761 million. Own source income was derived from the national policing information services ($110.534 million), Proceeds of Crime Trust Account ($13.020 million), and provision of services ($14.468 million). A further $2.739 million in resources were received free of charge.
4.42
The annual report explains that the onset of the COVID-19 pandemic in March 2020 had a:
…significant negative impact on our revenue received from the National Police Checking Service (NPCS).
NPCS revenue is used to pay for the delivery and operation of current national policing information systems and services, and the delivery of new systems and services for the law enforcement community. The number of nationally coordinated criminal history checks conducted through ACIC systems rose by 0.1 per cent this year, with check volumes and revenue reducing significantly from March 2020.
4.43
Appearing at the public hearing in April 2021, Mr Phelan further explained:
As you're aware, our organisation is also responsible for providing criminal history checks to Australians. We provide them out on a commercial basis. We had a drop in revenue of around 30 per cent that started in February last year, throughout the whole of the pandemic. We have a 0.98 per cent correlation to the Australian workforce in terms of our revenue base. So that took a rather large hit, cutting costs accordingly, but we still managed to meet all of the objectives that our partners, particularly our state and federal colleagues, wanted us to in terms of national policing information systems. So there was not a lot lost there. To be quite frank, we're back up now to pre-COVID levels in revenue. What was predicted to be a $105 million hole in our budget over the forward estimates has come back a fair way, back to where now we're on the same track as we were before, probably just a year and a half behind revenue projections.
4.44
Mr Phelan noted that in response to the drop in revenue, the ACIC invested less than it might otherwise have done so in new national policing information systems, and realised savings through the renegotiation of some external contracts.
4.45
The annual report notes some variances between the funds allocated in the ACIC's Portfolio Budget Statements 2019–20, and the actual final outcome for 2019–20. The ACIC's explanations for the variances include:
the COVID-19 pandemic reduced business activities, including travel and the agency's and contracted vendors' ability in delivering a number of projects;
following the production of the budget, arrangements with other government agencies were agreed, including additional contributions and funding for projects;
the implementation of a new lease accounting standard; and
delays in the National Criminal Intelligence Systems Tranche 1 project.
Committee comment
4.46
The committee is satisfied that the ACIC was able to successfully manage its resources in reporting year, despite the disruptions and challenges presented by the COVID-19 pandemic.
Commonwealth Ombudsman reports
4.47
This part of the examination report considers Commonwealth Ombudsman (Ombudsman) oversight activities and reports on the ACIC.
4.48
Due to the Ombudsman reports for the 2018–19 year not being tabled in the Parliament prior to the committee's examination of the ACIC's 2018–19 annual report, both the 2018–19 and 2019–20 Ombudsman inspection reports are considered here.
4.49
In 2018–19 and 2019–20, the Commonwealth Ombudsman visited the ACIC's offices in Brisbane, Sydney and Melbourne to conduct seven inspections in total. The ACIC received reports for each of these inspections and notes that:
The reports include issues that were self-disclosed by the ACIC to the Ombudsman during inspections, as well as instances that the Ombudsman identified based on its review of our records. In most of the reports the Ombudsman also expressed satisfaction with the ACIC's transparency, commitment to compliance measures and remedial action.
4.50
The Ombudsman released five inspection reports related to the 2018–19 and 2019–20 years. These reports assess the ACIC's:
compliance with the Surveillance Devices Act 2004 (SD Act);
Telecommunications (Interception and Access) Act 1979; and
controlled operation records.
Surveillance Devices
4.51
Under the SD Act, specified law enforcement agencies can covertly use surveillance devices when investigating certain offences. Each agency is independently assessed by the Ombudsman to ensure compliance with the SD Act. Overall, the ACIC was found to be compliant with the requirements of the Act, with the exception of a small number of instances of non-compliance that were administrative or low-risk in nature.
4.52
The Ombudsman produces compliance reports every six or 12 months. The findings of the three reports which assessed the ACIC's records from January 2018 to December 2019 have been outlined below. Overall, nine findings were made, with four resulting from self-disclosure by the ACIC.
Summary of findings for the 2018‒19 year
Self-disclosed findings
4.53
The ACIC disclosed two instances of non-compliance with tracking device authorisation (TDA) requirements in which the authorising officer had not included the TDAs' period of effect in the written permission. Once the ACIC identified these errors, the TDAs were revoked. In addition, the ACIC disclosed one instance where a tracking device was installed prior to a written authority. The ACIC identified and quarantined the protected information captured prior to the written authorisation record.
Finding 1
4.54
The Ombudsman's inspection found that the ACIC installed an optical surveillance device in the foyer of a premise rather than the specified unit listed on the warrant. The ACIC clarified that the executing officer obtained verbal permission from the Property Manager of the units to install the surveillance device in the foyer of the unit, although the Ombudsman was unable to locate written records to confirm this. The ACIC confirmed it had updated its records to reflect the events and conversation leading to the installation of the surveillance device.
Finding 2
4.55
The Ombudsman's inspection found three instances, separate from the two disclosed by the ACIC, where the ACIC did not comply with the record‑keeping requirements under section 40 of the SD Act. The ACIC advised that records were updated and new procedures have been implemented to ensure these administrative requirements are met.
Summary of findings for the 2019‒20 year
Self-disclosed findings
4.56
The ACIC disclosed one instance in which a surveillance device was used contrary to a condition specified in the warrant. Remedial action was taken by the ACIC as soon as it identified that a device had collected protected information contrary to the conditions of the warrant. The ACIC states that it 'ceased using the surveillance device and quarantined the protected information it had collected'.
4.57
The ACIC disclosed seven instances where warrants requested to be revoked expired prior to the chief officer making the revocation.
4.58
The ACIC disclosed three instances where it had not revoked retrieval warrants when it retrieved the device. The ACIC advised the Ombudsman that it would address this issue by developing an enhancement to its case management system.
Finding 1
4.59
The Ombudsman found one instance where protected information was not destroyed as soon as practicable, which is required under section 46(1)(b) of the SD Act.
Finding 2
4.60
The Ombudsman found 'a number of records' that the ACIC had certified for destruction but had not yet destroyed, being subsequently certified for retention. In response, the ACIC advised that it would implement better measures to support decision making when certifying documents for destruction.
Committee comment
4.61
The committee notes that the Ombudsman's assessments of the ACIC's compliance with the SD Act were positive overall, and commends the ACIC for its high standards of self-disclosure. The committee notes that the ACIC was responsive to findings made by the Ombudsman, and put measures in place to address concerns, such as updating records and implementing new administrative procedures and system enhancements where appropriate.
Controlled operations
4.62
Under Part 1AB of the Crimes Act 1914 (Crimes Act), the ACIC (as well as the Australian Federal Police and the Australian Commission for Law Enforcement Integrity) can authorise a controlled operation.
4.63
Controlled operations are covert operations carried out for the purpose of obtaining evidence that may lead to the prosecution of a person for a serious Commonwealth offence. Participants involved in such operations are protected from criminal responsibility and indemnified against civil liabilities that may arise as a result of activities undertaken during the course of the operation, providing that conditions are met.
4.64
The Ombudsman provides independent oversight by inspecting agencies records at least once every 12 months to determine compliance with the Crimes Act and, in the case of the ACIC, corresponding state and territory controlled operations legislation.
4.65
The Ombudsman assesses compliance based on the records agencies make available at the inspection, discussions with relevant agency staff, observations of agencies' processes, and agencies' remedial action in response to any issues identified.
4.66
In both 2018–19 and 2019–20, the Ombudsman conducted two inspections respectively of the ACIC. A second inspection was planned in 2019–20, but due to travel and social distancing restrictions caused by the COVID-19 pandemic, this inspection was cancelled. A sample of records that the Ombudsman was unable to inspect will be included in the next controlled operations report.
Summary of findings for the 2018—19 year
4.67
At the 2018–19 inspection, the Ombudsman assessed 38 of the 89 controlled operations authorities and made five findings. These findings are outlined below.
Finding 1—Unauthorised participants and activities
4.68
Authorities provide protection from criminal and civil liability for participants who engage in conduct during the course of a controlled operation. In the 2018–19 inspection, the Ombudsman found two instances where, based on available evidence, law enforcement officers engaged in controlled conduct prior to an authorisation commencing; two instances where, due to a lack of detailed evidence, it was unable to be determined whether conduct engaged in constituted as controlled conduct; and three instances where it was unable to be determined if a civilian participant was acting under lawful instruction. In this same year, the ACIC disclosed three instances where activities relating to a controlled operation were not authorised.
Finding 2—Approved conduct not reflected in written record
4.69
The Ombudsman identified a written record for an urgent authority that did not accurately reflect the controlled conduct approved for the participants. The ACIC acknowledged this finding.
Finding 3—General register and record-keeping matters
4.70
The Ombudsman identified two circumstances in which it was unable to determine the accuracy of the ACIC general register due to inconsistencies between the information recorded in the general register and information about controlled conduct in the conduct log.
Finding 4—New authorities granted rather than variations to existing authority
4.71
The Ombudsman identified two instances where new authorities were granted for a similar controlled operation, when it was possible for the original authority to have been varied. This had the result of the controlled operations running for combined periods longer than three months, meaning that the need for Administrative Appeals Tribunal (AAT) oversight was circumvented.
Finding 5—Application requiring further information
4.72
The Ombudsman identified one instance, deemed to be an isolated administrative error, in which an application for a controlled operation did not include the details of all relevant previous controlled operation authorities for the same criminal activity.
Summary of findings for the 2019—20 year
4.73
At the 2019–20 inspection, the Ombudsman assessed 30 of the 61 controlled operations authorities and made four findings. These findings are outlined below.
Finding 1—Unauthorised participants and activities
4.74
During the 2019–20 inspection, the Ombudsman identified an authorisation that did not detail the specifics of controlled conduct that civilian participants could engage in. The ACIC also disclosed one instance where the principal law enforcement officer was not listed as a law enforcement participant on the controlled operation authority and one instance in which a law enforcement participant named on the conduct log was not listed as a participant in the authority for the controlled operation.
Finding 2—Subsequent urgent controlled operation authority granted
4.75
The Ombudsman identified two instances where the ACIC granted urgent verbal controlled operations authorities subsequent to other related controlled operations authorities that had previously been granted formal authority, which is contrary to a limitation provided in s 15GJ(2) of Part IAB of the Crimes Act.
Finding 3—Approved conduct not reflected in written record
4.76
The 2019–20 Ombudsman's inspection found multiple controlled operation authorities that did not specify that law enforcement officers could direct civilian participants to undertake controlled conduct. The Ombudsman states that where an authority does not specify conduct, it can create ambiguity about what conduct is covered in the authority and increase the risk of unauthorised conduct and exposure to civil and criminal liability. The ACIC advised that it would review its internal guidance and procedures to regard how references to controlled conduct in authorities are drafted.
Finding 4—General register and record-keeping matters
4.77
The Ombudsman identified that the ACIC's general register did not include details of relevant offences as required under the Crimes Act. It also identified several instances where information recorded was incomplete or incorrect. The ACIC advised that it had updated its general register to correctly record the required information, and corrected and completed information identified as incorrect.
Adequacy of controlled operation reports
4.78
Agencies are required to report to the Ombudsman and the Minister on the details of controlled operations during the preceding six months. The adequacy of these reports is considered by the Ombudsman in its annual report. In the 2018–19 period, four instances were identified where information was incorrectly recorded in the six monthly reports. In the 2019–20 period, three instances of information were incorrectly reported in the annual and six monthly reports, and across the ACIC files, not all targets listed in the application and authority for a controlled operation were reflected in the six monthly reports. In both reporting periods, the Ombudsman considered that the ACIC had adequate processes in place to achieve compliance with the reporting requirements of the Crimes Act.
Committee comment
4.79
The committee is satisfied that the ACIC has responded in a timely manner and taken appropriate remedial action in instances where the Ombudsman has made findings in relation to its conduct of controlled operations. Further, the committee notes the ACIC's overall compliance with Part 1AB of the Crimes Act 1914.
Telecommunications (Interception and Access) Act 1979
4.80
The Commonwealth Ombudsman has an overarching role in assessing agencies' compliance with Chapter 3 (preserving and accessing stored communications) and Chapter 4 (accessing telecommunications data) of the Telecommunications (Interception and Access) Act 1979 (Telecommunications Act).
4.81
Stored communications are the content of communications that have already occurred and are stored on the carriers systems. Telecommunications data is information about a communication, but does not include content or substance of the communications. Access to stored communications requires an application to an external issuing authority (a judge or an eligible AAT member), while access to telecommunications data is an internal authorisation process.
4.82
In 2021, the Ombudsman released its report on the results of inspections conducted under s 186B of the Telecommunications (Interception and Access) Act 1979 for the 2018-19 year. These results are discussed below. The report that relates to the 2019–20 year is yet to be released and may be addressed in a future examination report by the committee.
Findings for stored communication inspections in 2018—19
4.83
The Ombudsman inspected the ACIC from 24 to 28 September 2018 and made one suggestion based on one significant finding.
4.84
The ACIC self-disclosed four instances in which it gave preservation notices after it had already issued telecommunication interception warrants. The Ombudsman found that this was contrary to the condition for giving preservation notices under s 107J(1)(d) of the Telecommunications Act.
4.85
The ACIC explained that due to limitations on carrier systems, the ACIC issued preservation notices to ensure the stored communications were not destroyed by the carrier. The Ombudsman was satisfied with this explanation but made the suggestion that the ACIC should document these considerations and decisions when they occur.
Findings for telecommunications data inspections conducted in 2018—19
4.86
The Ombudsman inspected the ACIC from 6 to 29 November 2018 and made eight suggestions based on its findings. The Ombudsman also noted that the ACIC constantly demonstrates thorough preparations for inspections, and proactively discloses instances of non-compliance and associated remedial actions. The Ombudsman observed that this is 'reflective of strong quality assurance and disclosure procedures'.
4.87
The ACIC disclosed 171 instances where telecommunications data was accessed without proper authority, which had occurred as acting arrangements for the authorised officers had not been formalised. The Ombudsman suggested that the ACIC should take further steps to confirm the nature of the acting arrangements. The ACIC acknowledged the suggestion from the Ombudsman and confirmed that it is committed to improving the training and control mechanisms around such authorisations.
4.88
The ACIC disclosed seven instances where it assessed telecommunications data without a signed authorisation in place, four where formal approval was not documented and nine where the request for telecommunication data was made before the approval. The Ombudsman suggested that the ACIC should quarantine the affected data from further use or disclosure. The ACIC acted on this suggestion.
Committee comment
4.89
While any issues of non-compliance with the Telecommunications Act, however inadvertent, are potentially serious in nature, the committee is pleased with the ACIC's level of self-disclosure to the Ombudsman in relation to detected instances of non-compliance.
4.90
The committee also notes the comments within the Ombudsman's report on the ACIC taking remedial action in response to issues raised, and looks forward to seeing the impact and progression of these actions in future annual reports.