'

Review called for ASIO's information handling practices

The parliamentary committee reviewing the first stage of the government's national security reforms has called for a review of how ASIO handles individuals' information, and whether it should be destroyed when it is no longer required for an investigation.

The Australian Parliamentary Joint Committee on Intelligence and Security is calling for a review of how the Australian Security Intelligence Organisation (ASIO) handles individuals' information, and whether it should be destroyed when it is no longer needed, in its Advisory Report on the National Security Legislation Amendment Bill (No. 1) 2014 (PDF), released yesterday.

"The committee recommends that the government initiate a review of the attorney-general's guidelines issued under Section 8A of the Australian Security Intelligence Organisation (ASIO) Act 1979 examining requirements to govern ASIO's management and destruction of information obtained on persons who are not relevant, or no longer relevant, to security matters," the report said.

In a submission by the Inspector-General for Intelligence and Security (IGIS), concerns were raised over the implications for how data would be obtained and handled, given the "considerable" scope of computer access warrants under the proposed new definition — which stipulates that a warrant to search a computer can include machines in an entire network of computers.

IGIS noted that the Australian Federal Police surveillance device warrants contain an obligation to destroy unneeded material within five years, and suggested that a similar obligation be incorporated into the legislation for ASIO to assess whether records are required to be retained after "a period of time".

In a supplementary submission, the Attorney-General's Department and ASIO acknowledged the concerns about the potential privacy impacts of the new measures in the Bill, and indicated that "it may be timely to reconsider the guidelines to determine if they remain appropriate in their current form or would benefit from relevant modifications".

The committee also proposed amending the warrant provisions for both search and computer access warrants allowing the addition, deletion, or alteration of data that "either does not materially interfere with, interrupt, or obstruct a communication in transit or the lawful use of a computer, or is necessary for the execution of a warrant".

Additionally, the committee said the Bill proposes amending the warrant provisions to allow access to third-party computers, or communications in transit, as a means to access data on a target computer; and to add, copy, alter, or delete data if necessary "to achieve that purpose".

"The amendment would enable ASIO to use a third-party computer or 'communication in transit' in order to access data held on a target computer," the report said. "If necessary to achieve the purpose, ASIO would also be able to add, copy, delete, or alter data on the third-party computer or communication in transit."

The report said that the proposed modified subsections would reduce these restrictions on ASIO's warrant powers by only prohibiting actions that "materially interfere with, interrupt, or obstruct lawful use of a computer" and by adding an exception to this prohibition, for when the action is necessary in order to execute the warrant.

The committee proposed that the Bill insert a new paragraph into the ASIO Act to specify that "so far as necessary for, or conducive to, the performance of its functions", ASIO may cooperate with "any other person or body whether within or outside Australia" in addition to the existing authorities with which it has the ability to share information.

Meanwhile, the Bill also proposes two new offences in relation to the unauthorised disclosure of information relating to a special intelligence operation (SIO), consisting of a basic offence carrying a five-year maximum jail term, and an aggravated offence carrying a 10-year maximum jail term.

These offences would apply to disclosures by "any person, including participants in an SIO, other persons to whom information about an SIO has been communicated in an official capacity, and persons who are the recipients of an unauthorised disclosure of information, should they engage in any subsequent disclosure".