The revised Australian Security Intelligence Organisation Minister’s Guidelines have an inadequate amount of information on how spies assess the level of intrusiveness when it comes to surveillance, according to Law Council president Pauline Wright.
Wright on Thursday highlighted two major issues with the document, the first being that some essential matters were not covered, including the collection, use, disclosure, storage, destruction or retention of sensitive information.
“An example would include information subject to client legal privilege or relating to journalists and/or their sources or health information,” she said.
“There is no specific guidance on bulk personal data, lawyers’ attendance at interviews, or how ASIO officers should interpret ‘acts of foreign interference’ as set out in legislation.”
The second key concern was a lack of guidance on proportionality and how an ASIO officer would assess and compare the level of intrusiveness in respect to surveillance.
“Proportionality has never been more important,” Wright argued.
“This is particularly the case given recent major expansions to ASIO’s powers, including encryption legislation passed in 2018 and proposed amendments before parliament to broaden ASIO’s compulsory questioning and surveillance devices and data access powers.”
The document was tabled earlier this month, replacing 2007 guidelines issued by former attorney-general Philip Ruddock. The guidelines will be reviewed every three years.
Wright noted that while several “valuable” improvements were made to the guidelines, there was “room for further improvement”.
She said they have failed to give the public a clear understanding of how any degree of intrusion would be assessed by ASIO, and they also haven’t provided a clear benchmark to promote consistency of decision-making by ASIO and oversight by the inspector-general of intelligence and security, Margaret Stone.
Stone recently called for additional resources so it can perform its duty of providing oversight of how ASIO uses its powers under the controversial encryption legislation, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
Under the new guidelines, ASIO is required to report to the inspector-general whenever it has accessed or collected data “in contravention of legislation”.
Read more: Is it really a myth that our data isn’t safe?
The director-general must ensure ASIO employees who are authorised to use force against a person under a warrant are appropriately trained. However, the guidance “does not limit the inherent right of an ASIO employee or ASIO affiliate to self-defence”.
On proportionality of ASIO activities, the document said any means used for obtaining information “must be proportionate to the gravity of the threat posed and the likelihood of its occurrence, including by having regard to potential impacts on third parties”.
The least intrusive techniques for collecting information should be used where possible, but “a greater degree of intrusion may be justified” where a threat is likely to develop quickly. The agency must also consider whether the person has consented to the use of the technique and the sensitivity and volume of information being collected.
Intelligence collected could include the identity, finances, geographic dimension, and the past present and prospective activities of entities of interest.
In relation to the Telecommunications (Interception and Access) Act 1979, the guide noted that the director-general must report to the attorney-general on the extent of whether access to communications and stored communications have helped ASIO carry out its functions. They must also report on any breaches of the act by ASIO.
Under the guidelines, the director-general must “consult regularly” with the Opposition Leader to keep them informed of security matters.
Any feedback or news tips? Here’s where to contact the relevant team.