Private companies responsible for sensitive security clearances for government officials have "frequently" breached information security requirements, a parliamentary committee has found.
Defence's management of the mostly outsourced security vetting program was criticised, with the committee calling for extra safeguards to be introduced to ensure sensitive data isn't lost.
The contractors involved in checking the backgrounds of public servants handle information about their sexual histories, possible alcohol, drug and gambling issues, and other factors that could make them vulnerable to blackmail.
Serious concerns about the way that information is handled have been unearthed by an inquiry, with the committee concerned some information kept by the private companies could be reconstructed if they were subject to a cyber attack.
"Despite reassurances from Defence, the committee remains concerned about the safe handling of sensitive documents prior to the establishment of the new case management system," the report said.
Documents transferred between the companies and Defence travelled by courier or by email, because the companies don't have access to the government IT system used for processing clearances.
"Potentially sensitive information is communicated outside of Defence's secure ICT environment," the report said.
Issues around the quality of data as well as how it is handled were identified, with an audit report finding some officials were granted clearances even though their date of birth showed they were older than 100, or younger than 10. Some even had dates of birth that were in the future.
The Joint Committee of Public Accounts and Audit also said in its report - from government, opposition and crossbench members - that it was "concerned about the foreign ownership and control of some of the vetting entities contracted by Defence".
Around 85 per cent of security clearances, including top-level positive vetting clearances, are done by the 22 companies contracted by Defence, as part of a model designed to slash waiting times for the clearances.
Defence confirmed one of the companies had a UK-national, Australian-resident director, and also said it couldn't prevent the companies from doing work for overseas governments.
Defence is in the middle of an overhaul of the IT system used by the Australian Government Security Vetting Agency, but it isn't expected to be online until late 2020, and fully operational by 2023.
The department has also signalled changes to the way it manages its contracts with the private vetting companies, with the expectation that fewer companies would be used in future.
In an unusual move, the committee criticised the conduct of the Defence department throughout the inquiry for failing to provide "the level of confidence or assurance the Committee required".
"The significant delays in receiving answers from Defence during this inquiry were unacceptable and could be considered disrespectful to the parliamentary committee process."
The inquiry was prompted by an audit report that found the security vetting program wasn't properly protecting the Australian government from insider threats.