The federal government's security vetting system has yet to implement all the audit office's recommendations amid revelations sensitive documents were opened by couriers and lost in the mail, a new audit report has revealed.
The Australian National Audit Office report has shown Defence's dedicated agency for the security vetting of personnel has yet to fully adopt two recommendations made in 2018 and 2019.
The recommendations made by the audit office, along with a parliamentary joint committee one year later, included improvements to frameworks and policies to better safeguard the sensitive security documents received from personnel applying for security level clearance.
The Australian Government Security Vetting Agency had implemented four recommendations with a further two remaining only partly implemented, December's audit report showed.
Among the two recommendations not wholly implemented was one, in a non-public version of the report, for the improvement of its eVetting system. While the agency's governance board was told the recommendation had been completed in mid-2018, its risk remained "high" by the year's end and risk mitigation activities had been neither completed nor reported on.
A further recommendation, made by a parliamentary joint committee and related to improving processes to ensure sensitive data wasn't lost, also needed work. Defence said it had put five measures in place by August 2019 but the report concluded two measures were still not fully implemented.
The risk of this happening, the report said, was only realised when two sensitive data mishandling incidents occurred during the audit's reporting period.
One incident in late 2019 resulted in a courier opening a package of sensitive security information in order to work out who it was addressed to.
Personnel vetting files can include a range of deeply private information, ranging from travel and life events to details on intimate relationships.
In a second incident, in April 2020, a paper-based security file was lost in transit and could not be recovered. It was determined to be a notifiable data breach and the Australian Information Commissioner was notified.
Over the course of the 2019-20 year, the vetting agency completed nearly 50,000 security clearances with more than 400,000 personnel maintaining active security clearances ranging from Baseline to Positive Vetting.
Defence responded that it accepted the audit report's findings and would work to improve its systems to avoid failings in oversight.
"Defence is committed to continuous improvement and is closely examining the report findings related to these measures," Defence wrote in response to the report.
"Defence takes seriously the oversight of these complex activities and is taking steps to further strengthen the governance of risk and implement the Auditor General's recommendation."