Statement on unauthorised disclosure of Commonwealth documents

Statement on unauthorised disclosure of Commonwealth documents

PM&C
Friday, 13 July 2018

Department of the Prime Minister and Cabinet

Department of the Prime Minister and Cabinet

I am providing a statement on the findings of the AFP investigation into the unauthorised disclosure of Commonwealth documents and the review into PM&C’s security practices, procedures and culture conducted by Mr Ric Smith AO PSM.

The AFP concluded its investigation in March 2018. The AFP found that the unauthorised disclosure resulted from a culmination of human errors in the record-keeping, movement, clearance and disposal of document storage containers by PM&C in February 2016. In particular, the AFP found that the breach was not a deliberate act motivated by criminal or malicious intent. In accordance with standard practice, the AFP report will not be made public.

I am today publicly releasing the Smith Review report, which I also received in March 2018. This is to ensure the widest possible awareness of Mr Smith’s findings across the Australian Public Service.

I have wholeheartedly accepted all recommendations of the Smith Review. My Department has been working in recent months to implement these recommendations and I have established a dedicated team to strengthen PM&C’s protective security practices, procedures and culture. Among other matters:

  • The Department has put in place a system to digitally track the movement, custodianship and disposal of secure cabinets, supported by a revised protocol for handling secure cabinets and an audit program to monitor and ensure compliance.
  • We are rolling out new security training packages, both online and face-to-face, tailored to the needs of new starters, existing staff and managers.
  • We are progressively refreshing all policies, guidelines and procedures to ensure they are clear and fit-for-purpose following a review of our Security Risk Assessment.
  • We are driving a program of cultural change, supported by a dedicated communications strategy, to embed a strong protective security culture in PM&C.

PM&C’s Executive Board is monitoring implementation of the Smith Review recommendations, and metrics on our security performance, on a monthly basis.

I have given strong direction to all PM&C officers on their responsibilities to manage and report potential sources of security failures. I am pleased to say that PM&C staff have responded positively to these reforms.

I have personally dealt with and sanctioned a number of officers for their roles in this security breach. Given the personal nature of sanctions, I will not be commenting further on these. 

It is important that the Australian Public Service heeds the lesson of this incident and this has been the subject of attention at the Secretaries Board.  Each Secretary across the APS has reviewed his or her security arrangements, drawing on what we have learnt from the incident.

The Attorney-General’s Department will henceforth collate and disseminate lessons learnt from system success and failures across the Service, and work with agencies to encourage and support best practice protective security. The Australian Signals Directorate will support this by facilitating further exchanges of information on cyber security. Mr Chris Moraitis PSM, Secretary of the Attorney-General’s Department, will regularly highlight protective security issues at Secretaries Board meetings to ensure a comprehensive response across all agencies.

As I have indicated previously, I am deeply concerned that such an extraordinary lapse of security could occur. I am committed to ensuring that such an unauthorised disclosure does not happen again and that the lessons from this are disseminated and absorbed across the entire Australian Public Service.  We have spent the last few months since receiving the AFP and Smith Reports reinforcing our protective security culture in PM&C and this will remain an issue of ongoing focus for me and for our entire Department.

 

Martin Parkinson
13 July 2018