The incident that triggered this Review would have been very serious for any Public Service agency but was especially so for the Department of the Prime Minister and Cabinet (PM&C) given its position at the apex of Commonwealth agencies.
In commissioning this Review, the Secretary of the Department recognised the gravity of the incident and sought advice on measures that needed to be taken to optimise protective security management in the Department.
The incident was investigated by the Australian Federal Police (AFP), whose report identified ‘human errors in the record keeping, movement, clearance and disposal of document storage containers by PM&C in 2016 rather than a deliberate unauthorised disclosure’.
This Review concluded that the Department should strengthen the high-level governance of its protective security responsibilities, and demand a more robust security culture in the organisation. While the Department’s procedures, protocols and guidelines are generally sound, they are in need of updating and modernising in response, inter alia, to its fast-changing working environment. The shortcomings reflected in the incident which triggered this Review should be addressed through the revision of procedures, protocols and guidelines and through more targeted training programs.
In addressing its Terms of Reference, this Report describes the environment in which protective security must be managed within PM&C (Chapter 1) and then, in order, describes and makes recommendations about:
- the protective security governance arrangements in place in PM&C (Chapter 2),
- the existing documentation in PM&C, including practices, systems and procedures relating to protective security (Chapter 3),
- PM&C’s culture in regard to protective security and its relevant training programs (Chapter 4), and
- the implications of the recent incident for the broader Public Service, including lessons that might be drawn from the Review for other agencies (Chapter 5).