VYMF and Director-General of Security

Case

[2018] AATA 891

5 April 2018

VYMF and Director-General of Security [2018] AATA 891 (5 April 2018)

Division:SECURITY APPEALS DIVISION

File Number(s):2015/1742      

Re:VYMF  

APPLICANT

Director-General of Security And  

RESPONDENT

DECISION

Tribunal:Deputy President Dr P McDermott RFD
Deputy President I Molloy

Senior Member D Morris

Date:5 April 2018

Place:Brisbane

The Tribunal affirms the decision under review.

........................................................................

Deputy President Dr P McDermott RFD

Deputy President I Molloy

Senior Member D Morris

Catchwords

NATIONAL SECURITY – adverse security assessment –  correctness, justification for any opinion or information contained in assessment –whether evidence, information, material relied on sufficiently probative to justify assessment – decision affirmed.

Legislation

Administrative Appeals Tribunal Act 1975 (Cth)

Australian Passports Act 2005 (Cth)

Australian Security Intelligence Organisation Act 1979 (Cth)

Cases

BLBS and Director-General of Security and Minister for Foreign Affairs (2013) 61 AAR 423
CXQY and Director-General of Security [2013] AATA 695

REASONS FOR DECISION

Deputy President Dr P McDermott RFD

Deputy President I Molloy

Senior Member D Morris

5 April 2018

INTRODUCTION

  1. VMYF (the applicant) has applied for the review of a qualified security assessment (QSA) made on 4 March 2015 by the Director-General of Security of the Australian Security Intelligence Organisation (ASIO or the Organisation) (the respondent) in relation to the applicant.

    BACKGROUND

  2. The applicant is an Australian citizen who is a former employee of ASIO. [redacted for security reasons]

  3. [redacted for security reasons]

  4. On 4 September 2014 the respondent directed that a Review for Cause be conducted to assess the suitability of the applicant to continue to hold a PV security clearance.

  5. On 12 November 2014 an assessing officer of ASIO assessed that the applicant was unsuitable to hold a PV security clearance on the basis that the applicant’s continued suitability to hold a PV security clearance could not be established beyond a reasonable doubt.

  6. The assessing officer assessed that the applicant did not meet the suitability indicators of trustworthiness, maturity or tolerance. The assessing officer also assessed that the applicant was vulnerable to influence and coercion [redacted for security reasons].

  7. On 24 November 2014 the respondent notified the applicant of his intention to withdraw her PV security clearance. The withdrawal would take effect 14 days from the date of the notice unless, within those 14 days, the applicant applied to the Inspector-General of Intelligence and Security (IGIS) for a review of the decision.

  8. On 12 December 2014 the applicant requested the IGIS to conduct a review of the decision by the respondent to withdraw her security clearance. On 23 December 2014 the IGIS concluded the review and did not make any recommendation to affect the respondent’s decision to withdraw the applicant’s security clearance. 

  9. On 5 January 2015 the respondent advised the applicant that the decision to withdraw her security clearance had taken effect and her employment with ASIO was terminated with effect on 6 January 2015.

  10. In early 2015 the applicant sought employment with another Australian Government agency. The position required a security clearance.

  11. On 4 March 2015 the Director-General issued a qualified security assessment (QSA) which contained information relating to the withdrawal of the applicant’s PV security clearance. Attached to the QSA was a Statement of Grounds.

  12. The QSA was issued to [redacted for security reasons] and the Australian Government Security Vetting Agency (AGSVA). AGSVA, as the name implies, is responsible for vetting applications for, and granting, security clearances.

  13. On 12 April 2015 the applicant applied to the Tribunal for a review of the decision to issue the QSA.

    TRIBUNAL’S JURISDICTION

  14. The application is made pursuant to 54(1) of the Australian Security Intelligence Organisation Act 1979 (the ASIO Act) which provides relevantly that an application may be made to the Tribunal for review of a qualified security assessment.

  15. The task of the Tribunal is to determine whether to affirm, set aside or vary the QSA, according to what it considers to be the correct and preferable decision.

  16. It is no part of the Tribunal’s role to review any of the decisions or administrative conduct which preceded the QSA, including the outcome of the review for cause procedure or the decision to terminate the applicant’s employment with ASIO.

    LEGISLATION

  17. ASIO was established by legislation (now repealed) and is continued in existence under s 6 of the ASIO Act.

  18. ASIO’s functions, under s 17(1)(c) of the ASIO Act, include advising authorities of the Commonwealth in respect of matters relating to security, in so far as those matters are relevant to their functions and responsibilities.

  19. Section 37(1) of the ASIO Act provides:

    The functions of the Organisation referred to in paragraph 17(1)(c) include the furnishing to Commonwealth agencies of security assessments relevant to their functions and responsibilities.

  20. Section 37(2) of the ASIO Act requires that aqualified security assessment be accompanied by a statement of grounds for the assessment.

  21. Under s 4 of the ASIO Act the terms “authority of the Commonwealth” and “Commonwealth agencies” are widely defined.

  22. Section 4 of the ASIO Act defines ‘security’ as meaning:

    (a) the protection of, and of the people of, the Commonwealth and the several States  and Territories from:

    (i) espionage;

    (ii) sabotage;

    (iii) politically motivated violence;

    (iv) promotion of communal violence;

    (v) attacks on Australia's defence system; or

    (vi) acts of foreign interference;

    whether directed from, or committed within, Australia or not; and

    (aa) the protection of Australia's territorial and border integrity from serious threats; and
    (b) the carrying out of Australia's responsibilities to any foreign country in relation to a matter mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned in paragraph (aa).

  23. The expression ‘security assessment or assessment’ is defined in s 35(1) of the ASIO Act as meaning a statement in writing furnished by ASIO to a Commonwealth agency expressing any recommendation, opinion or advice on, or referring to whether it would be consistent with the requirements of security for prescribed administrative action to be taken in respect of the person.

  24. The expression ‘qualified security assessment’ is defined in s 35(1) of the ASIO Act as meaning a security assessment in respect of a person that contains (a) any opinion or advice, or any qualification of any opinion or advice, or any information that is or could be prejudicial to the interests of the person, and (b) does not contain a recommendation of the kind referred to in paragraph (b) of the definition of adverse security assessment; whether or not the matters contained in the assessment would, by themselves, justify prescribed administrative action being taken or not taken in respect of the person to the prejudice to the interests of the person.

  25. “Prescribed administrative action” action under the ASIO Act, s 35, is also widely defined, sufficient to include refusing person employment or withholding the granting of a security clearance.

    COURSE OF EVIDENCE

  26. The statement of grounds which accompanied the QSA refers to the applicant having breached security policies in four respects whilst employed by ASIO. They were:

    (i)Removing electronic media (an unclassified DVD, believed to be a writable disc) from ASIO premises without proper authority, in contravention of ASIO security policy;

    (ii)Using official resources to conduct a secondary business in breach of ASIO HR and IT policies;

    (iii)Accessing an IT system for personal reasons; and

    (iv)Posting a number of derogatory comments about the workplace, the culture of the Organisation and senior management on a social media forum in breach of ASIO’s professional conduct and personal security guidelines.

  27. The statement of grounds also referred to psychological assessments of the applicant said to be relevant amongst other things to her vulnerability to external influences, [redacted for security reasons], and consequently her fitness to hold a security clearance. Much of the evidence was directed towards the statement of grounds. 

  28. The evidence on behalf of the respondent included affidavit and oral evidence from two senior ASIO officers. The first of these officers [redacted for security reasons].

  29. [redacted for security reasons]

  30. [redacted for security reasons]

  31. The second ASIO officer had responsibility for personnel security. She expressed doubts about the applicant’s ability to abide by protected security policy even after she had received counselling. She based this opinion, she said, on the whole person which included psychological assessments. She was referred to references in the statement of grounds that the applicant had enduring personality characteristics as a PV security clearance holder. In this context she referred to the applicant’s activities over a number of months. She also alluded to evidence later given in closed session.

  32. One of the incidents of misconduct in the statement of grounds, referred to above, concerned the unauthorised removal of a DVD from ASIO premises in contravention of ASIO security policy. It was put to this witness that this incident of misconduct concerned a CD and not a DVD. She answered that it was still a writable media. She was taken to the four incidents of misconduct. She agreed that the first and second incidents, including the removal of this disc, and occurring as it happens on Christmas Eve 2013, essentially arose out of the same set of facts. She regarded both incidents as very serious.

  33. She said that the third incident, which involved the applicant using official resources in the course of a conducting a [redacted for security reasons], was serious. She said the fourth incident involving the social media posting was a failure to comply with policy.

  34. These witnesses were, as we said, senior ASIO officers. Their evidence was clear, thorough and ultimately compelling. We accept the evidence of these witnesses including the opinions they expressed.

  35. The third witness who gave both written and oral evidence on behalf of the respondent was a registered psychologist and member of the Australian Psychological Society. [redacted for security reasons]

  36. [redacted for security reasons]

  37. [redacted for security reasons]

  38. [redacted for security reasons]

  39. [redacted for security reasons]. The applicant in her evidence confirmed that she could have obtained support through the Employee Assistance Program.

  40. [redacted for security reasons]

  41. [redacted for security reasons]

  42. [redacted for security reasons]. The applicant herself accepted that she had exercised poor judgment and let her emotions rule her head.  She accepted her coping strategies didn’t work and she has an issue with letting her emotions affect her judgment. [redacted for security reasons]

  43. [redacted for security reasons]

  44. [redacted for security reasons]

  45. The applicant gave evidence and was subjected to cross-examination. We were impressed by the manner in which she gave her evidence. She was necessarily questioned on difficult personal issues. It could not have been pleasant for her. She displayed great composure. She frankly acknowledged lapses on her part. She did not deny the essence of the breaches referred to in statement of grounds. She justifiably referred to her years of service with ASIO. Generally we found her to be a credible witness intent on advancing her case within proper limits.

    QUALIFIED SECURITY ASSESSMENT

  46. The purpose of the QSA, as expressed in paragraph 3, was to advise [redacted for security reasons] and AGSVA that the applicant’s Positive Vetting security clearance was withdrawn on 6 January 2015, and to provide information about the basis upon which it was withdrawn.

  47. The head of security under s 4 of the ASIO Act, was expressed in paragraph 3 of the QSA to be the protection of, and of the people of, the Commonwealth and the several States and Territories from the acts of foreign interference.

  48. The Assessment was expressed in paragraph 5 of the QSA:

    5. Assessment

    For the reasons set out in the statement of grounds (attached), the Australian Security Intelligence Organisation (ASIO) assesses that the requirements of security make it necessary or desirable to provide [redacted for security reasons] and AGSVA with information relating to the withdrawal of [the applicant’s] PV security clearance.

  49. Paragraph 6 of the QSA was headed Recommendation, and stated:

    ASIO does not recommend the taking (or not taking) of any prescribed administrative action at this time.

    However, ASIO recommends that AGSVA request a further security assessment from ASIO should AGSVA consider [the applicant’s] suitability to hold a security clearance.

  50. The respondent submits that the assessment to which the QSA was directed, as set out in paragraph 5 of the QSA, namely that the requirements of security made it necessarily or desirable to provide [redacted for security reasons] and AGSVA with information relating to the withdrawal of the applicant’s PV security clearance was manifestly correct and on the material before the Tribunal.

  51. The respondent also submitted, correctly in our view, that it was clearly consistent with the requirements of security that [redacted for security reasons] and AGSVA have such information. The evidence to that effect, called on behalf the respondent, was compelling.

  52. Furthermore, [redacted for security reasons] and AGSVA did not have that information from the applicant. That is to say, she had not disclosed the withdrawal of her PV security clearance (or the circumstances of such withdrawal) to her prospective employer [redacted for security reasons].

  53. The applicant may well have believed, as she said, that withdrawal of her previously held PV security clearance was irrelevant to the clearance level required for the position she was seeking with [redacted for security reasons]. In those circumstances it is readily understood why she would not disclose that information which, even if irrelevant, was hardly likely to enhance her employment prospects.

  54. We do not make any adverse finding against the applicant, in these circumstances, for not informing [redacted for security reasons] of the withdrawal of her PV security clearance. We do not consider she intended to deceive anyone.

  55. Nonetheless, the evidence before us, particularly from the ASIO officers, convinces us that the information that the applicant had a PV security clearance which had been withdrawn was relevant to security, and it was information that it was necessary or desirable that [redacted for security reasons] and AGSVA have.

  56. We also accept the respondent’s submissions, supported we think by evidence from the same ASIO witnesses, that the absence of such information, given the personnel requirements of Australian government departments and agencies, would itself have given rise to a risk security.

  57. The respondent also made the point that sharing information is required for the Protective Security Policy Framework[1] and [redacted for security reasons] and AGSVA had requested information relating to the applicant’s security clearance from ASIO[2].

    [1] SM1 at paragraph 46.

    [2] SM1 at paragraph 45.

  58. It was also pointed out by the respondent that the applicant accepted that the provision of accurate information to [redacted for security reasons] for the purpose of determining whether to employ her and as to her security clearance had implications for security[3].

    [3] Transcript, pages 267:20 - 268:6.

  59. It is our view, having heard all the evidence, some of it in closed session, that it was correct that information of the nature provided in the QSA be provided to the recipients at the time and in the circumstances that the applicant was under consideration for a position with [redacted for security reasons] which likely required some level of security clearance.

  60. That incudes, specifically, the information contained in paragraph 5 of the QSA.

  61. The matters raised by applicant did not go in any significant degree to these broad issues. Rather they went to the Statement of Grounds attached to the QSA to which we will now turn. That is not to say that the QSA and the statement of grounds can be viewed in isolation from one another. 

  62. Section 37(2) of the ASIO Act provides that the QSA must be accompanied by a statement of grounds. At a practical level, and to state the obvious, if the statement of grounds is wholly erroneous then the QSA will almost certainly be flawed.

    STATEMENT OF GROUNDS

  63. We have set out above the four breaches contained in the statement of grounds and the assessments of the applicant, including her vulnerabilities relevant to holding a security clearance.

  64. The respondent drew a distinction between paragraph 5 of the QSA, being the overall assessment, and the information in the Statement of Grounds which supports the QSA. It was submitted that the assessment itself was the correct and preferable decision. We have already indicated that we agree with that submission so far as it goes. 

  65. The respondent submitted that as regards information in the Statement of Grounds,


    s 43AAA of the AAT Act provides that the Tribunal must not make findings that would supersede information in the QSA unless those findings state that, in the Tribunal’s opinion, the information is incorrect, or incorrectly represented, or could not reasonably be relevant to the requirements of security.

  66. We also accept that submission. We have previously indicated we also accept the respondent’s submission that the events that led up to the applicant being informed of the outcome of the review for cause procedure and the IGIS decision in relation to that are not the subject of this application.

  67. As to the statement of reasons, it was submitted on behalf of the respondent that, save for some very specific matters adverted to in open and closed affidavits of the second ASIO officer witnesses, the Tribunal would not find that any of the information is incorrect, incorrectly represented or could not reasonably be relevant to the requirements of security.

  68. The respondent submitted that during the course of the applicant’s employment she demonstrated behaviour and activities that raised doubts about her capacity to abide by protective security policies required by a PV clearance-holder.  It was submitted that the evidence supports the correctness of that assessment and that the applicant accepted as much in her cross‑examination.  It was also submitted that she also accepted that the chain of events in question showed there were very real doubts as to her ability to respond favourably to security counselling. 

  69. As to the two breaches on 24 December 2013, the respondent submitted that the applicant was well aware, and she accepted in evidence, that she could have downloaded an [redacted for security reasons] form and followed the proper procedure for removal of the disc.  She also accepted in cross‑examination that she made a conscious decision to breach the policy, and she also accepted that she did that to de-escalate a highly emotive situation. In cross‑examination she accepted that she knew that she was putting herself and other ASIO officers at risk. 

  70. The respondent referred to the issue as to whether or not the disc was a DVD or a CD and whether it was writeable. The applicant relied upon the evidence of a Mr L to say that it was a CD. The respondent submitted that there is no basis for the Tribunal to reach any clear finding that the disc examined by Mr L was the disc that was the subject of the incident on 24 December 2013, nor as to what, if anything, may have been done to the disc in the intervening period.

  71. [redacted for security reasons]

  72. The respondent referred to each of breaches as containing an accurate representation of what occurred, and together with the other information and opinions in the statement of grounds, supporting the QSA.

  1. It was submitted on behalf of the applicant that her conduct on Christmas Eve 2013 was totally out of character with the years of service which she had given to ASIO. [redacted for security reasons]

  2. It was submitted that it is the duty of the assessing agency, and now of the Tribunal, to look at the whole person within the context of the important obligations for the security of the nation.  The applicant disputed that she had enduring personality characteristics which would compromise her level of security clearance. On her behalf it was pointed out that she had maintained full-time employment in a government department since June 2015, and there was uncontested evidence favouring this submission, including a favourable probation assessment.

  3. The applicant submitted that the same witness, someone who was in a position to observe the applicant, provided unchallenged affidavit evidence that:

    She has demonstrated, at all times [paragraph 4], the highest level of professionalism, independence, integrity, honesty, accountability and ethical behaviour in her interaction with applicants and the [Commonwealth Government Department] colleagues.

  4. The applicant raised a number of matters said to be by way of mitigation. These included the short term or temporary nature of the breaches; the inconsequentiality of the breaches; the temporary emotional duress and emotional instability the applicant was undergoing at the time of the breaches; the frank and open admission of the misconduct alleged; the failure to take into account the past history of exemplary behaviour in the workplace and the applicant’s long and unblemished service with ASIO; the obtaining of counselling; her willingness to undergo treatment and her continuing use of counselling [redacted for security reasons]; the lack of any sinister or clandestine motive behind the misconduct; and her concern for the operations of ASIO and the security of the Commonwealth which motivated her to make a complaint to a Government agency.

  5. The applicant referred to the “Personnel Security Protocol” (page 92 of exhibit 1) approved as of September 2010 which (at p 116) refers to mitigation:

    In the event that a personal vulnerability emerges in the course of the background assessment, an assessing officer is to assess whether any factors exist that mitigate the relevance of the vulnerability. Mitigating factors are detailed in the adjudicative guidelines.

  6. The applicant submitted that in the Statement of Grounds underlying the QSA the honesty of the applicant was not challenged. Nor was there any allegation made of malicious intent. The applicant made submissions on the variations to the statement of grounds sought by the respondent. The applicant referred to the security assessment being based on the applicant’s pattern of behaviour “over a number of years” which, it was submitted, was a false premise which went to the heart of the case for the respondent.

  7. The applicant directed the Tribunal to s 43AAA(2) of the AAT Act ,which deals not simply with the findings as in (3), but with the justification for any opinion:

    Upon the conclusion of the review, the Tribunal must make and declare its findings in relation to the security assessment and those findings may state the opinion of the Tribunal as to the correctness of or justification for any opinion, advice or information contained in the assessment.

  8. The applicant strongly submitted that the QSA should be set aside because, amongst other things, it failed to take into account the mitigating factors.

    CONSIDERATION

  9. We have to say we accept all of the submissions on behalf of the respondent in respect of the statement of reasons. The applicant mainly, but not exclusively, relied on what were described as mitigators.

  10. It is a matter of concern that one of the mitigators raised by the applicant was “the inconsequentiality of the breaches”. We accept the respondent’s submission that this indicates that the applicant has still failed to recognise the security implications of the breaches. [redacted for security reasons]

  11. We consider there is unchallenged evidence that, in making the QSA, mitigators were considered as part of the process of assessment. The second ASIO officer gave evidence which emphasised that regard was had to the long period of service of the applicant. The same witness in her second affidavit deposed that in making the QSA certain enumerated conditions which were mitigators were considered. This statement was not challenged by the applicant. In re-examination, the witness reiterated the view she expressed in her second affidavit that those factors did not significantly mitigate the security concerns identified in the QSA.

  12. In any event, in reviewing a QSA there is no express policy requirement that mitigators be considered. While the vetting policy document which was included in the affidavit of this same witness provided background information on the history of the matter, that policy document does not apply to the provision of a QSA. The policy document that governs the QSA is Determination No. 2 (Open documents, page 301), which was considered in BLBS and Director-General of Security (2013) 61 A.A.R. 423. This policy document, unlike the “Personnel Security Protocol”, does not make any reference to mitigators. In these circumstances, the fact that the QSA was made without express regard to mitigators does not in our view impugn the document.

    Removal of electronic media from ASIO premises

  13. Foremost in the statement of grounds was the action of the applicant on 24 December 2013 in removing electronic media, which is referred to in the statement of grounds as “an unclassified DVD believed to be a writeable disc”, from a top secret area in ASIO premises contrary to policy. The applicant stated that she had received the disc from [redacted for security reasons] who had made a request to the external agency under the Right to Information Act for documents concerning an unsuccessful job application that he had made. She stated that [redacted for security reasons] had received the disc and the applicant had made the decision to review the file. In her affidavit of 9 February 2015 she explained: “My decision to access the [redacted for security reasons] system was merely to ascertain and confirm that the RTI file which had been sought by [redacted for security reasons] was on the disc as [redacted for security reasons] had previously received a blank disc [redacted for security reasons]”.

  14. The applicant takes issue with the description of the electronic media as being a DVD and instead contends that the electronic media is a CD. In support of her contention that the electronic media is a CD, the applicant relies upon an affidavit from Mr L who is a computer consultant with expertise in information technology. Mr L has reported upon a CD which is labelled as containing right to information disclosing documents relating to an application for employment with the [redacted for security reasons]. Mr L stated that the CD is a CD-R and is “closed” which means that it cannot have any more files written to it.  The applicant has submitted that the evidence of Mr L is unchallenged and should be accepted. The applicant also relies upon the fact that the second ASIO officer agreed under cross-examination that the electronic media was a CD and not a DVD.

  15. The Tribunal has concluded that there is no cogent evidence before the Tribunal of the providence of the electronic media. There was, for example, no evidence before the Tribunal as to the chain of custody of the electronic media that was removed from ASIO premises. The applicant has stated that she had obtained the electronic media from [redacted for security reasons]. [redacted for security reasons] was not called to give evidence as to the providence of the electronic media. There was no cogent evidence before the Tribunal that the CD-R that was examined by Mr L was in fact the electronic media that was removed from ASIO premises. Even though the ASIO officer accepted that the electronic media was a CD, there was also no evidence before the Tribunal that she herself examined the electronic media that the applicant removed from ASIO premises. Having regard to these circumstances, the Tribunal is unable to make a finding that the electronic media that the applicant removed from ASIO premises was a CD and not a DVD.

  16. There is evidence before the Tribunal that the electronic media was a DVD. When the applicant was interviewed on 11 February 2014 she had herself described the electronic media as a DVD (Open documents, p. 1205). When the allegations of misconduct were brought against the applicant the relevant documents which outlined her conduct made a number of references to a DVD (Open documents, p. 1180-1183), she did not then take issue with the description of the electronic media. In view of the fact that the applicant herself had possession of the electronic media and had on an earlier occasion described the electronic media as a DVD, there is evidence that the electronic media was a DVD. In these circumstances, the Tribunal does not consider it appropriate under s 43AAA of the AAT Act to amend the statement of grounds to refer to the electronic media as a CD rather than a DVD.

  17. Moreover we consider that it is not material if the electronic media was a CD. The relevant policy that the applicant had to comply with was the ASIO Security Policy [redacted for security reasons]. If the electronic media was a CD and not a DVD it would still fall within the description of a “[redacted for security reasons]” which includes [redacted for security reasons] (Open Documents, page 782). A CD or a DVD can therefore be regarded as a [redacted for security reasons] as that term is defined in the policy document.

  18. What is also significant is that the disc was an electronic media used on what is defined under the policy as an “[redacted for security reasons]”. An [redacted for security reasons] (Open Documents, page 782). The policy applies to equipment that was located in a top secret area in ASIO premises [redacted for security reasons].

  19. The statement of grounds made reference to the electronic media that was removed which was “believed to be a writeable disc”. Initially, under cross-examination Ms Maxwell stated that she believed that the disc was a writeable disc. When she was informed that Mr L was of the opinion that the disc was not writeable, Ms Maxwell then agreed under cross-examination that the electronic media was not rewriteable. As Ms Maxwell never had custody of the electronic media she would not be in a position to know whether the electronic media that rewriteable or not.

  20. The person who would be more aware of the nature of the electronic media was the applicant who had possession of the electronic media and she conceded that she was not sure that the electronic media was not rewriteable. Under cross-examination she admitted: “I was not 100% sure no”. There is no cogent evidence before the Tribunal to enable it to make a finding to enable it to delete the reference in the statement of grounds to the electronic media as “believed to be a writeable disc”.

  21. Even if the electronic media was not rewriteable that is not the end of the matter in assessing the risk to the integrity to the ASIO IT system. The applicant also admitted under cross-examination that she did not know whether the electronic media had contained a virus. A matter of concern is that [redacted for security reasons] of the applicant had already been provided a blank disc from the external agency and the applicant did not know what was on the electronic media.

  22. In these circumstances the action of the applicant in removing electronic media from ASIO premises without obtaining prior approval constituted a breach of the “ASIO Security Policy [redacted for security reasons]. The applicant in fact has quite properly acknowledged that she should not have removed the electronic media from ASIO premises without obtaining that approval. The evidence before the Tribunal is that on 11 February 2014 the applicant advised the then [redacted for security reasons] that she was aware that she should not have removed the electronic media from ASIO premises without first seeking approval.

  23. The applicant in giving evidence stated that she was aware that she could have obtained an approval to remove the electronic media from the top secret area of ASIO but made a decision not to do so. The Tribunal is satisfied that the applicant was aware that she was in breach of the policy at the time when she removed the electronic media from a top secret area of ASIO without first obtaining approval.

    Using official resources to conduct a secondary business in breach of ASIO HR and IT policies

  24. On 25 September 2013 the applicant sought approval to undertake a secondary business. In her application the applicant stated that she would read the HR policy and agreed to comply with the terms of her engagement. The terms of her engagement required that she comply with policies of ASIO.

  25. Communications for the purpose of the secondary business were made both by email and by telephone. An IT audit of the period 7 October 2013 to 12 May 2014 identified that the applicant was using the ASIO internet access system to conduct her personal business. The use of the ASIO internet access system for the purpose of conducting her personal business was contrary to a number of official policies. The applicant was acting contrary to the ASIO [redacted for security reasons] HR Policy [redacted for security reasons]. An email issued by the applicant listed her work telephone number as her first point of contact during business hours.

  26. The ASIO [redacted for security reasons] Agreement provides that the use of the ASIO internet for personal profit making and personal email is a breach of the agreement [redacted for security reasons]. The ASIO HR policy on [redacted for security reasons] states that ASIO’s ICT systems were not to be used in the conduct or promotion of any private business interests [redacted for security reasons].

  27. The applicant had stated that she had official permission to use the ASIO email system for her business. She had informed the Inspector-General of Intelligence and Security: “All activities were conducted with the full knowledge of my line manager and in my own time”. This assertion was challenged by the second ASIO witness in her affidavit. In giving evidence the applicant agreed that her line manager was not aware that she was using the email system for the purposes of her business. She also then accepted that the emails were not sent in her own time such as on flex days or during the lunch hour. We are satisfied that the applicant did not receive official permission to use the ASIO email system for the purposes of her business.

  28. It was put to the applicant when she was giving evidence that she was fully aware that every time she sent one of those emails she was doing it in breach of policy, she answered: “Yes, I was being sloppy”. It is difficult to accept her assertion that she did not intend to act in breach of policy.

  29. [redacted for security reasons]

  30. [redacted for security reasons]

  31. [redacted for security reasons]

  32. The reasons that the applicant has provided for not observing ASIO’s policies were not consistent with the requirements of security. [redacted for security reasons]. The use by the applicant of the ASIO email system demonstrated a lack of insight or concern into the potential consequences to security. To her credit the applicant in that interview has quite properly accepted responsibility for what she did and explained that it “was laziness and shortcuts in quite a chaotic period”.

  33. One matter that was raised by the applicant in her security interview was that while she was “not trying to make excuses”, she asserted that there was a “little more lax attitude” in the [redacted for security reasons] work. However, she did not provide any reasons for this assertion. The second ASIO witness has explained that this was certainly not correct. While she was extensively cross-examined, her explanation about there not being a lax attitude in [redacted for security reasons] work was not challenged by the applicant.

    Accessing [redacted for security reasons] IT system for personal reasons

  34. On 24 December 2013 the applicant used [redacted for security reasons] to read a DVD that was provided to her by [redacted for security reasons] who was waiting in a nearby location.

  35. The second ASIO witness raised two matters of concern as to the applicant accessing the [redacted for security reasons] system to read the DVD. First, in her affidavit of 12 August 2015 (at para. 52) she pointed out that the applicant was not authorised to access the [redacted for security reasons] system. Secondly, Ms Maxwell in her affidavit (at para 61) remarked: [redacted for security reasons]. This statement was not challenged by the applicant.

  36. The Tribunal has concluded that there is a clear basis for the conclusion that the applicant wanted to avoid ASIO’s IT security system. [redacted for security reasons]

  37. On 12 March 2014 the applicant quite properly acknowledged that she should not have used the [redacted for security reasons] system for personal reasons and accepted the findings of misconduct.

    Posting derogatory comments about the workplace, the culture of the Organisation and senior management on a social media forum in breach of ASIO’s professional conduct and personal security guidelines

  38. When the applicant was recruited in 2004, she was given a reminder about remaining discreet about her ASIO employment. In 2008 she was also advised not to identify her employment with ASIO on any documents that will be circulated widely. The advice that was provided to the applicant was certainly not heeded when she posted the social media posting. [redacted for security reasons]

  39. The statement of grounds refers to the applicant making “a number of derogatory comments about the workplace, the culture of the Organisation and senior management on a social media forum in breach of ASIO’s professional conduct and personal security guidelines”.

  40. On 25 November 2013 the applicant met senior management when she was advised that her social media posting had security implications and was in breach of ASIO’s professional conduct and personal security guidelines. The posting referred to bullies in the workplace as well as the ineptitude of senior management. In her security interview on 9 October 2014 the applicant admitted that she had “stupidly made a [social media] rant”. [redacted for security reasons]. The comments that the applicant made at the security interview were put to her during the hearing but she had not read the record of that interview before the hearing.

  41. During the hearing it was put to the applicant that “the [social media] rant” was primarily about ASIO. She did not accept this suggestion. However, in her affidavit dated 9 February 2015 she deposed: “[redacted for security reasons]”. In the circumstance the denial of the applicant that the “[social media] rant” was not primarily about her workplace is questionable. In her affidavit the applicant explained that one reason why she made the social media post was because of the actions of [redacted for security reasons], an ASIO line manager.

  42. The applicant’s explanation in her affidavit differs sharply from what she said in her email of 23 March 2015 after she received notification from [redacted for security reasons] that she would not be engaged as an employee as a result of ASIO’s advice. In that email she said that in “my [social media] post … there was no reference whatsoever to ASIO, rather, was a reference to [redacted for security reasons]”. While there was no express reference to ASIO in the social media post, there was also no such reference to [redacted for security reasons]. The applicant while under cross-examination also indicated that when she made the social media post stated that she was frustrated with the Organisation which we consider indicates that she made the social media post because of her dissatisfaction with ASIO.

  1. The email of 23 March 2015 that the applicant had sent to [redacted for security reasons] was made as if her social media post had no security implications. This email somewhat renders hollow her earlier acceptance of responsibility after she made the social media post. On 2 December 2013 the applicant accepted responsibility for her social media posting and acknowledged the security implications. On that date she sent an email to senior officers in which she stated: “Firstly, I accept full responsibility for my post on [social media]. I acknowledge how it could be perceived and interpreted by others as well as from a security perspective. As noted in our meeting, it won’t happen again” (Open documents, p. 1168).

  2. The respondent has submitted that the statement of grounds should be amended by deleting the words “a number of”. The applicant submitted that the reference to a number of derogatory comments about the workplace in the social media posts shows a willingness to overstate the case against the applicant. However, the second ASIO officer, under cross-examination explained that the applicant had in a security interview been asked if she had made any other posts of this nature, to which she replied: “There wouldn’t have been only one”. Having regard to this answer it is understandable that the statement of grounds referred to “a number of derogatory comments about the workplace, the culture of the Organisation and senior management on a social media forum”. The amendment to the statement of grounds refers only to the social media post that could be found. We consider that it is appropriate that the amendment which is sought by the respondent should be made to the statement of grounds by the deletion of the words: “a number of” and by replacing the reference to “[social media] postings” with “[social media] post”.

    Vulnerability to improper influence or coercion

  3. ASIO has assessed that during the course of her employment with ASIO the applicant had displayed behaviours and has enduring personality traits which suggest that she is vulnerable to improper influence and coercion. [redacted for security reasons]

  4. The most recent example where the applicant was demonstrated to be vulnerable to improper influence was in following the advice of [redacted for security reasons] in evading ASIO security protocols by inserting the electronic media that [redacted for security reasons] had provided to her in the [redacted for security reasons] terminal which was located in the top secret space of ASIO and not utilising the [redacted for security reasons] system in an ASIO terminal. We consider that this is evidence that the applicant was vulnerable to improper influence. The failure of the applicant to abide by security protocols had the consequence that the electronic media was not tested to ascertain if the disc contained malware or a virus. While the applicant had assumed, in reliance on the advice of [redacted for security reasons], that the disc was produced from the external agency, that of itself was no guarantee that the disc was free from malware or a virus. The previous disc that [redacted for security reasons] had received from the external agency was blank, and the applicant could not be sure what was on the disc from the external agency.

    Enduring personality characteristics

  5. ASIO has assessed that the applicant has enduring personality characteristics which present security risks as a PV clearance holder. We have addressed this to some extent earlier in these reasons. The statement of grounds refers to [redacted for security reasons].

  6. [redacted for security reasons]

  7. [redacted for security reasons]

  8. [redacted for security reasons]

  9. As indicated previously, the Tribunal accepts the reliability of the evidence of the first ASIO witness on this and other matters. [redacted for security reasons]

  10. The Tribunal has had regard to a number of recent employment references concerning the trustworthiness of the applicant including the evidence referred to above. Nonetheless, there is evidence before the Tribunal that the applicant has been vulnerable to exploitation. She has herself stated in giving evidence that she has difficulty in that she allows her emotions to affect her judgment. 

  11. The first report of [redacted for security reasons] (Exhibit G) understates her conduct in relation in her [redacted for security reasons] usage for the purposes of the secondary business. [redacted for security reasons] specifically referred to three emails having been sent when an IT audit had revealed that the applicant had sent 47 emails on the [redacted for security reasons] system. The applicant had not denied giving that incorrect information to [redacted for security reasons] and had not asked [redacted for security reasons] to correct the report before she tendered [redacted for security reasons] report.

  12. We have already said that we do not consider the statement of grounds concerning the applicant’s “enduring personality characteristics” could be regarded as erroneous. There is no need to restate our findings.

    Consequences to security

  13. The statement of reasons refers to the applicant’s “pattern of behaviour over a number of years, whilst employed by ASIO, demonstrated a disregard for security policies”. The relevant period of time which is in contention is between 7 October 2013 and 12 May 2014. While that period straddled two years, 2013 and 2014, it certainly is not accurate to describe the period as a “number of years”. The second ASIO officer accepted that this is an overstatement. We consider that the reference to “over a number of years” should be omitted from the statement of reasons.

  14. We consider that the period of time from 7 October 2013 and 12 May 2014 is a sufficient period of time to establish a pattern of behaviour. We agree that a seven-month period of transgression of security policies could be regarded as an extended period of security-breaching behaviour. [redacted for security reasons]. Despite having recently attended the workshop the applicant had nevertheless breached a number of security policies.

  15. One matter that the applicant contended was that adverse action was taken against the applicant for her lodgement of her complaint to a Government agency in November 2012. The Tribunal, having reviewed the considerable material before it, does not consider that there is any basis for this contention. Certainly after the social media incident no action was taken to review the security classification of the applicant even though the applicant acknowledges the security implications of the posting.

    CONCLUSION

  16. The Tribunal recognises the long service of the applicant and the acknowledgement of her officers of the high standard of her work. However, the Tribunal concludes that during her employment with ASIO she demonstrated behaviour and activities that raised doubts about her capacity to abide by protective security policies required by a PV holder. This occurred after she had attended a security awareness workshop on 27 August 2013.

  17. One reason why the Tribunal agrees that the applicant has demonstrated behaviour and activities that raised doubts about her capacity to abide by protective security policies required by a PV holder is that she has ignored a clear warning about security matters that was given to her on 25 November 2013 after she made the social media post in November 2013. Soon after in the next month she then used a [redacted for security reasons] terminal in a top secret area for personal reasons in clear disregard of security policy even though she had no authority to access the terminal. The removal of the electronic media from the top secret area without authorisation was also made in disregard of security policy.

    DECISION

  18. The reference in the statement of grounds to the date of access of the [redacted for security reasons] IT system as being “24 December 2014” should be deleted and replaced by a reference to “24 December 2013”.

  19. The reference in the statement of grounds to “over a number of years” should be deleted. The reference in the statement of grounds to “a number of derogatory comments in the workplace” should be amended by deleting the words “a number of”. The reference to “[social media] postings” should be replaced with “[social media] post”.

  20. [redacted for security reasons]

  21. Apart from these amendments to the statement of grounds of the Qualified Security Assessment, the Tribunal otherwise affirms the decision under review.

  22. The question of costs was alluded to in submissions. The Tribunal considers that the parties should have an opportunity to address this issue if they wish. Our tentative view, having regard to s 69B of the AAT Act is there should be no order as to costs. The parties each have 21 days from the date of publication of this decision to notify the Tribunal should either of them wish to submit that some other order in respect of costs be made. Otherwise that tentative ruling on costs will take effect.

I certify that the preceding 136 (one hundred and thirty-six) paragraphs are a true copy of the reasons for the decision herein of Deputy President Dr P McDermott RFD, Deputy President I Molloy, and Senior Member D Morris

........................................................................

Associate

Dated: 5 April 2018

Date(s) of hearing: 9 - 13 May 2016 and 19 December 2017
Date final submissions received: 13 May 2016
Applicant: In person
Counsel for the Applicant: [redacted for security reasons]
Solicitors for the Applicant: [redacted for security reasons]
Counsel for the Respondent:

Dr Kristina Stern SC

Peter Melican (Junior Counsel)
Solicitors for the Respondent: Australian Government Solicitor

Key Legal Topics

Areas of Law

  • Administrative Law

  • Statutory Interpretation

Legal Concepts

  • Judicial Review

  • Procedural Fairness

  • Standing

  • Breach

  • Remedies

  • Costs

Actions
Download as PDF Download as Word Document
Cases Citing This Decision

0

Cases Cited

1

Statutory Material Cited

0

Re Griffiths and Telstra Corporation Limited [2013] AATA 695