On 16 May 2011, three contractors formerly employed at the Defence Security Authority’s vetting centre in Brisbanemade allegations on the ABC Lateline program concerning inappropriate security vetting practices.
The vetting centre is part of the Australian Government Security Vetting Agency which has provided security vetting for the majority of Commonwealth agencies since 2010.
The former contractors alleged that while working at the vetting centre they were encouraged to insert false information into security clearance applications to enable those applications to be successfully uploaded for further security checking by the Australian Security Intelligence Organisation (ASIO).
The Government has taken this matter very seriously since the allegations were brought to its attention on 16 May 2011.
On 17 May 2011, I asked the Inspector-General of Defence to undertake an initial assessment to determine whether the matter should be referred for external review.
Based on this initial assessment, on 27 May 2011, I recommended to the Prime Minister that she refer the allegations to the independent Inspector-General of Intelligence and Security for thorough investigation.
The Inspector-General of Intelligence and Security commenced her investigation in June 2011.
On 21 September 2011, I issued a statement outlining the findings of a review undertaken by the Department of Defence’s Chief Security Officer into the management practices used in the vetting centre. The Chief Security Officer’s review was undertaken in response to requests from the Inspector-General of Intelligence and Security for information to support her Inquiry.
The Chief Security Officer’s review found:
- Inappropriate work practices were in place at the vetting centre. This related to the use of ‘work-arounds’ to manage difficulties uploading data onto a new electronic link between Defence and ASIO. These ‘work-arounds’ involved vetting staff entering into electronic vetting forms phrases or words to identify unclear or missing information when a security clearance applicant had not provided all of the required information;
- Documentation and management arrangements in place at the centre were inadequate and did not effectively record the ‘work-arounds’; and
- Almost none of the ‘work-arounds’ had been discussed between Defence and ASIO.
The Chief Security Officer’s findings raised serious concerns around the management of security vetting within the Defence Security Authority.
I made these concerns public at the time.
The Inspector-General of Intelligence and Security finalised her report late in December 2011 and I am taking my first available opportunity to table it in the House.
Evidence provided to the Inspector-General of Intelligence and Security’s inquiry confirmed that the substance of the allegations by the former contractors was true: incorrect data had been inserted into the vetting process.
Difficulties in uploading data led to the use by vetting staff of “workarounds” to address both database incompatibilities and situations where an applicant had not provided all the data required. This corrupted data was provided to ASIO and was used for security assessments.
The practice of workarounds was not confined to the three complainants; most if not all staff used workarounds to some extent. There was a wide variation in the use of incorrect data and little by way of documentation. Further, except in limited circumstances, the use of the modified data had not been agreed by ASIO. There was also no support for the suggestion that this data was used as a place marker to be corrected at a later stage.
In the course of the Inquiry other practices and incidents, unrelated to data entry, were also identified which were not consistent with good administrative practice.
While there was no evidence that there had been any attempt to subvert or mislead the security clearance process, the report identifies a number of contributing factors that led to these practices, including:
- inadequate management oversight, contributing to inadequate and inconsistent documentation, poor record keeping, poor management and inadequate quality assurance;
- inadequate training for contractors and staff, poor maintenance of training records, and the use of staff in roles for which they had not completed their formal qualification;
- delayed and inadequate systems upgrades, and poor IT systems user controls; and
- sustained pressure for output.
The Inspector-General of Intelligence and Security found that the integrity of data in both DSA and ASIO had been undermined if not compromised. Incorrect data entered the databases and some persists today.
The Inspector-General of Intelligence and Security noted that the ASIO security assessment is but one part of a broader assessment of a person’s suitability to hold a clearance. For high-level clearances the process involves a personal interview, multiple referee checks, police record checks and often a psychological interview. This thorough assessment process is designed to pick up issues of security concern.
The Inspector-General of Intelligence and Security noted that it was not possible for her Inquiry to determine whether any particular ASIO security assessment had been compromised by the provision of incorrect data.
The extensive review and validation of clearances already underway will identify whether any such cases exist. So far, approximately 3100 high-level security clearances have been reviewed and validated of around 5300 applications made during the period.
The Inspector-General of Intelligence and Security made 13 recommendations and the Government has accepted them all.
In accepting all of the 13 recommendations, Defence has taken immediate action to rectify the problems identified by the Inspector-General of Intelligence and Security.
These remediation efforts are focussed in two areas: remediation of vetting processes, improvement of documentation and updates to information technology systems, and validation of data affected by the inappropriate work practices.
Firstly, Defence has stopped all inappropriate data entry practices and is finalising agreed data entry protocols with ASIO for instances where vettees genuinely do not know, or cannot provide some information or evidence.
Defence has already taken steps to strengthen the management and oversight of the Defence Security Authority and the Australian Government Security Vetting Agency. Steps have also been taken to
- centralise the control and management of vetting documentation;
- ensure all managers involved in the vetting process are formally qualified;
- develop a comprehensive training program to ensure vetting staff have the necessary professional skills and development;
- introduce an updated electronic vetting program with a thorough program of training support; and
- update the online vetting pack to reduce the need for data entry protocols to support the transmission of data to ASIO.
Secondly, Defence has commenced the careful process of checking and validating each and every one of the security assessments that were subject to the inappropriate practices.
If this validation process identifies that information has been changed without justification then the correct information will be obtained from the clearance holder and provided to ASIO under an agreed remediation strategy. This is a significant task. Care also needs to be taken not to unduly divert resources from ongoing security assessments and clearance processes.
Finally, the Secretary of Defence has written to the three former staff members who raised the allegations to acknowledge their allegations in respect of data-entry were true and to provide them with a copy of the Inspector-General of Intelligence and Security report.
The Inspector-General of Intelligence and Security’s report identified management practices and process deficiencies that do not reflect well on Defence.
The report’s findings provide a sound framework for addressing the shortcomings that have been identified.
It has been very important not to wait for the Inspector-General of Intelligence and Security’s Inquiry to be finalised before getting on with the job of addressing these problems. The review and validation process for clearances commenced in September 2011.
The Government will ensure that the Department of Defence fully addresses the issues identified by the Inspector-General of Intelligence and Security and that all recommendations are implemented in a comprehensive manner.
Assurance of Defence’s security vetting efforts will be provided by annual audits on compliance with security vetting policy conducted by the Defence Chief Audit Executive for at least the next three years.
The first audit will be completed by 30 June 2012 and its results will be published in the Defence Annual Report. This will provide ongoing public reporting and assurance of Defence’s security vetting practices.
The Government takes its national security responsibilities very seriously. The allegations about inappropriate security vetting practices were first brought to the Government’s attention on 16 May 2011 and by the end of May had been referred to the Inspector-General of Intelligence and Security. She commenced her Inquiry in June.
Preliminary findings of a Defence review conducted in support of the Inspector-General of Intelligence and Security’s Inquiry were released publicly in September 2011. Defence’s review and validation of security clearances commenced that month ahead of the final report of the Inspector-General of Intelligence and Security.
The Inspector-General of Intelligence and Security’s report tabled today sets out the work Defence has already undertaken and will need to undertake to remediate the shortcomings identified by the Inspector-General of Intelligence and Security in Defence’s security vetting practices and processes.