Contact Reporting Guidelines The Australian Government Contact Reporting Scheme

Transcription

1 Contact Reporting Guidelines The Australian Government Contact Reporting Scheme Version 1.0 Approved September 2010

2 Contents Introduction... 1 The role of ASIO... 1 Australian Government Contact Reporting Scheme... 2 Threat sources... 2 Reporting Criteria... 3 Reporting procedures... 3 Implementation... 4 Implementation outside Australia... 4 Required contact report information... 5 Contact Report Form... 6 i

3 Introduction This guide should be read in conjunction with the: Protective Security Policy Framework, and PSPF - Australian Government Personnel Security Protocol. Information provided in these guidelines was provided by the Australian Security Intelligence Organisation (ASIO). The Australian Government has developed a number of mechanisms designed to protect official information from potential compromise because of accidental or deliberate disclosure. A key element in protecting official information is informing Australian Government employees of the risk posed by foreign intelligence services in Australia and overseas. Human intelligence collection is low-risk and a very common form of intelligence gathering. Intelligence services can develop an aggregate picture through low-level collection from a number of sources including government employees. Throughout this document, employees are defined as: people employed by, or representing, the Australian, State or Territory Governments government contractors and their employees, and all others who hold Australian Government security clearances. Small pieces of information they may provide others could form part of an intelligence collection process. Accordingly, employees need to recognise that an innocent conversation or contact (eg. ) with a foreign official can be part of human intelligence gathering. The role of ASIO ASIO is Australia s security intelligence service. Its roles and responsibilities are mandated by the Australian Security Intelligence Organisation Act 1979 (ASIO Act). The ASIO Act specifies ASIO s role as security. This is defined as the protection of Australia, its people and its interests from: espionage sabotage politically motivated violence acts of foreign interference promotion of communal violence attacks on Australia s defence systems, and Australia s territorial and border integrity from serious threats. ASIO s responsibility for security extends geographically beyond Australia. In fulfilling its obligations to protect Australia, ASIO collects, assesses, investigates and disseminates intelligence relevant to security. 1

4 Australian Government Contact Reporting Scheme ASIO manages the Australian Government Contact Reporting Scheme. Specifically, the Scheme assists ASIO in identifying intelligence or hostile activity directed against Australia and its interests, government employees and contractors, and people who hold an Australian Government security clearance. It also helps identify trends, including: what information is of interest to foreign intelligence services who is interested in it, and the methods the foreign intelligence services are prepared to use to collect the information. ASIO uses this intelligence to assist in the formulation of threat assessment and security intelligence advice. Threat assessments help agencies to understand existing threats to their resources and formulate appropriate counter measures for risk mitigation. Threat sources Foreign intelligence services, foreign officials and politically, commercially or issuemotivated groups and individuals can devote considerable energy and resources into obtaining access to political, economic, scientific, technological, military and other information. This is not limited to classified information. The access sought often includes privileged information, ie. information that is not normally available to the general public. Any compromise may be prejudicial to Australia s national interest. Relationships or contacts often happen when an employee's job requires communication with foreign representatives. Contacts can also occur, but are not limited to, scenarios such as: invitations to attend functions written correspondence sport and recreation activities overseas travel visits to embassies, consulates or involvement with trade missions or other international events membership of international clubs, institutes, professional associations or friendship societies incidental social interaction unsolicited phone calls including unsolicited phone calls where the caller has obtained the employee s details from a department/company website training or study (eg. language classes) on-line social networking sites, and/or introductions via a third party. The initial overture might be subtle, carefully planned and occur over an extended period of time. It is designed so that the person being cultivated is not aware it is occurring. However there could be indicators that arouse suspicion including: a seemingly innocuous interest in an employee s official, social or personal activities 2

5 a fascination with some particular aspect of an employee s work, social or personal activities requests for information about other employees who work in the agency a request to meet with the employee away from the work environment introduction to another person who takes a similar interest encouragement to participate in questionable or illegal activity, or offers of hospitality or gifts. Reporting Criteria Employees should complete a contact report when a contact, either official or social, with: embassy or foreign government officials within Australia, or foreign officials or nationals outside Australia seems suspicious, persistent or unusual in any respect, or becomes ongoing. Foreign officials could include trade or business representatives. Additionally, employees should complete a contact report for instances when an individual or group, regardless of nationality, seeks to obtain official information they do not have a need to access in order to fulfil their work function. Reporting procedures If an employee believes he/she has been the subject of contact by a foreign national that meets the reporting criteria, he/she should report the incident to the Agency Security Adviser (ASA). The ASA can provide employees with a Contact Report form. To assist with the accurate recall of events, the employee should complete a written report as soon as possible after the suspected contact has occurred. The ASA is responsible for receiving completed Contact Reports. The ASA should have the appropriate experience and expertise to: analyse reports make a sound judgement about the best course of action, and provide support and advice to the person who has been contacted. See PSPF Governance - Developing a Security Culture. ASAs are encouraged to seek advice from ASIO to assist in determining the best course of action. In certain exceptional circumstances, a contact report may lead to a security or criminal investigation. If the matter is clearly fraud-related, the agency should inform the AFP. Fraud may also involve loss of equipment or technology that may have application to a foreign country, including intellectual property. See PSPF Governance - Protective Security Investigations. Additionally agencies are to report promptly any potentially major security incidents to ASIO independent of the Contact Reporting Scheme. Examples of such incidents include the loss or compromise of security classified or privileged information in any format (eg. hard copy, electronic, verbal) or the loss of equipment or technology. 3

6 Implementation Agencies security awareness training programs are to ensure employees know about the Scheme and understand their obligations and the reporting arrangements. The Scheme is not intended to restrict legitimate contact between employees and foreign officials. It provides support and encourages information sharing, which benefits the Government employee who has been contacted, and the Australian Government. Agencies are to ensure employees are aware of: the existing threat and threat sources their personal and professional responsibilities the ways that people can be deceived, coerced or pressured into actions harmful to national security or interest the fact that targeting occurs across all levels or ranks of an organisation not just at senior level the fact that most attempts to collect intelligence will be subtle and often appear innocuous the effectiveness of security awareness training in restricting information collection by foreign representatives the need for high standards of personal conduct, and the procedures for contact reporting. Agencies are to identify whether or not they have people working in high risk areas and, if so, provide appropriate briefings. High risk employees include those who: are required to liaise with foreign officials because they have a good proficiency in the native language of the foreign officials are involved in sensitive or priority negotiations or policy work, or work in units which regularly share information with foreign officials. See PSPF Governance - Security awareness training guidelines. ASIO can provide a brief on the Contact Reporting Scheme to agencies. These briefings are arranged through the individual ASA. Implementation outside Australia The Contact Reporting Scheme does not aim to constrain official and social contact with representatives of other governments outside Australia. Rather, it aims to alert employees to the possibility that foreign officials contacting them could have ulterior motives obtaining classified or privileged information to which they have access. Employees performing official duties overseas should be aware that the intelligence and security services in certain countries conduct surveillance of foreign representatives. Employees should contact their ASA prior to travel to ascertain the possible threat from foreign intelligence services and seek appropriate briefings. ASIO can, where relevant, provide a briefing on security situations that individuals may encounter when they perform official duties overseas. This includes advice on document security, physical security, reporting procedures and other security issues. 4

7 Required contact report information The style and format of contact reports may vary from agency to agency, but the following information should be included: Time, Date indicating if details are approximate Location including address where contact or incident occurred Names, Designations and Nationalities the reporting person s details along with those of all other persons present during the contact Types of Contact may include a combination of social, informal, official business and/or other aspects. All aspects should be indicated Conversation any conversation or discussion may cover a number of subjects. The general topic areas should be described, including personal details disclosed by either party, and Other details such as the circumstances that led to the contact or incident and the factors that made it noteworthy or unusual, should be recorded. A generic Contact Report Form is attached. The person making the report should contact his/her ASA in the first instance for any enquiries regarding the Contact Reporting Scheme or Contact Reporting procedures. 5

8 Contact Report Form Details of Contact (If space is insufficient, please include an attachment) Time: Date: Location: Means of Contact: In Person Telephone Correspondence Other Contact Initiated By: If Other, please specify: Unit or Firm Rep Foreign Rep Other Topics of Conversation Significant to Security (Or details of incident): If Other, please specify: Names of Persons Present (Include Designations and Nationality): Further Contact (Outline any arrangements made): Reason or Occasion: Business Social Personal Official Incidental Other Other Information (eg Documents provided, undertakings given or received, etc): If Other, please specify: Details of Person Making the Report Signature: (Hard copy only) Printed Name: Designation/Position: Phone #: Date: The completed Contact Report Form should be provided to your Agency Security Adviser. 6