How to Stop Filing Cabinets Going Feral

Staff have been disciplined and new security procedures introduced at the Department of Prime Minister & Cabinet (PM&C) following a report into Cabinet papers security breach of 2017.

A Review of the Department of the PM&C’s security procedures has a suggested a series of initiatives to ensure that surplus filing cabinets brim full of sensitive documents do not end up in Canberra second hand furniture dealers in the future

These measures will continue to be necessary as the report emphasises that “Despite the digital transformation underway, PM&C cannot rely on digitalisation of every task it performs to reduce the reliance on paper documentation. Individual preferences, habits and in some cases, Occupational Health and Safety factors, will continue to require classified information to be created, printed and stored in traditional ways.”

PM&C is transforming the way Cabinet documents are distributed via use of its new digital CabNet+ viewer for Protected level Cabinet documents (including Exposure Drafts, Drafts, Finals and Minutes).

However, the report notes, “While these measures considerably mitigate against the risk of staff storing large volumes of physical Cabinet documents in secure containers unnecessarily, they will not prevent them from creating and storing the associated working documents (e.g. drafting suggestions, briefing notes, etc.) outside the CabNet+ viewer and beyond their effective working life.

In future, the report has suggested that “Consideration should be given to whether secure containers should simply be destroyed, that is transferred to a scrap metal dealer, with drawers removed, rather than passed to agents for public sale at the end of their useful life.”

Other proposals include:

  • Filing cabinets should stay put in one location and not follow staff as they move around PM&C’s three offices in Canberra and a network of Regional Manager Offices and subregional offices within the states and territories (The Department now has some 2,200 staff located in more than 100 locations, and a visiting presence in some 200 other locations across Australia)
  • Before staff transfer they destroy all physical documents under their control or formally pass responsibility for remaining documents to someone else.
  • When filing cabinets are moved or disposed, someone should check they are unlocked and take a look in each drawer
  • There should be a central register of filing cabinets
  • The ‘clear desk’ policy required in the Department’s Protective Security Plan should be enforced, and security staff clearly mandated to record and report breaches.

“During the Review, Security staff confirmed that there is in fact no financial return to the Department from the present disposal practice – while the containers are removed at no cost to the Department, they are not actually bought by the company removing them. Some agencies consign their unwanted secure containers to scrap metal dealers rather than public sales, though it still requires drawers to be open of removed at the point of disposal.”

The Australian Federal Police (AFP) report into the incident found that the unauthorised disclosure resulted from a culmination of human errors in the record-keeping, movement, clearance and disposal of document storage containers by PM&C in February 2016. In particular, the AFP found that the breach was not a deliberate act motivated by criminal or malicious intent. The AFP report will not be made public.

PM&C has confirmed the material obtained by the ABC contained around 300 documents, which were largely collated between mid 2013 and mid-2014 as part of the official business of Cabinet Division (with the majority being working documents relating to FOI and other access requests). While half of the documents were classified Protected or below, there was a small amount of National Security classified material. These documents were not collated for the core purpose of the conduct of Cabinet business nor were they official Cabinet records. They were documents which related to a niche area of Cabinet Division’s responsibilities.

The AFP investigation established that the documents are likely to have left the control of PM&C between January and March 2016, following a Cabinet Division accommodation reshuffle in January 2016 when eight secure containers were identified as surplus and returned to Corporate Division.

PM&C has concluded that the secure containers were not checked to ensure they no longer held any documents. PM&C email records indicate that two secure containers in Cabinet Division – formerly used by the officer, or officers, who collated the documents – were missing keys at the time they were being prepared for disposal. There is no record that the containers were opened and checked prior to disposal.

The (AFP) investigation concluded that ‘the catalyst for the documents being made public is attributable to a culmination of human errors in the record keeping, movement, and clearance and disposal of document storage containers by PM&C rather than a deliberate unauthorised disclosure’.

PM&C says it has completed a full filing cabinet audit and each has now been given a new sequential reference number, and a unique asset identifier barcode and transferred to a digitalised asset register that will record the names of officers with access to the container.

“A new online application (Service Now) process has been implemented to manage requests for new secure containers, their relocation and disposal. This will significantly improve reliability, auditability and tracking of information over the entire life cycle of secure containers.”

It has promised to undertake a further review after 12 months to confirm that the agreed recommendations in this Report have been implemented and, to the extent possible, to measure their effectiveness.

The full Smith Review report is available HERE­