The Australian Criminal Intelligence Commission (ACIC) ceased to report data on the number of security incidents from the agency’s 2018–19 annual report onwards, to avoid data misinterpretation that can occur when security incident statistics are provided without detailed context.
The number of security incidents in a financial year can fluctuate for a variety of reasons, including increased staff awareness of their security reporting obligations.
Looking at the past 3 financial years, security incident reports lowered from 81 (2018–19) to 53 (2019–20) then increased to 87 (2020–21). Prior to this, there were 85 security incidents reported in 2017–18. The figures for 2020–21 are not outside the norm for the ACIC.
The majority of security incidents reported in 2020–21 were low level and occurred within secure ACIC premises (for example, low-level classified documents being left on desks). These incidents have not significantly compromised the security of ACIC information, people or premises. The ACIC has a low tolerance for protective security risks, and as such takes a conservative approach when reporting and addressing these risks.
Like any organisation, the ACIC aspires to have no security incidents, but we would prefer to know of any incidents than to not be aware of them. This puts the agency in a position to mitigate the risk and put in place further prevention strategies. It would be worse to have few or no reports of security incidents, which could appear positive at face value, but could also mask serious security issues.
Chief Operating Officer
Australian Criminal Intelligence Commission