Hello Glyn Davis and APS Review Panel
The Review Panel, in its deliberations, is no doubt considering the implications of changes to the operation of the Protective Security Policy Framework (PSPF) which came into effect at the beginning of this month. Noting, however, that the Review Panel may not yet have had the benefit of hearing from industry practitioners, we want to offer some observations that may assist the APS Review Panel's perspectives.
The changes to the PSPF impose significant additional requirements with the inclusion of financial dimensions for ‘Baseline’ vetting and expanded pre-employment screening tests. The extension of financial history checking to the largest category of security clearances will generate an additional load on the resources of AGSVA and its industry partners, potentially adding further stress to the already challenging timeframes for concluding these processes by introducing additional data points to be assessed by the vetting officer. The revisions to Personnel Security element 12 (PERSEC 12): Eligibility and suitability of personnel now require employing entities to obtain assurance of a person’s suitability to access Australian Government resources (and compliance with a range of concomitant safeguards) as a pre-employment screening process. As the Principal of one of AGSVA’s most highly-rated Industry Vetting Panel members, I believe these changes – while vital to strengthening confidence in the integrity of the workforce delivering government services – will pose a range of challenges that require fresh thinking and innovative solutions.
I attach for Panel members’ consideration a copy of a newsletter – Vetting Vantage Point – that discusses a range of issues associated with implementing the recent PSPF changes and that points to some potential solutions, including the innovative application of leading-edge technologies. The approaches advocated in the newsletter directly address the PSPF implementation challenges without risking any dilution of standards: the Attorney General’s Adjudicative Guidelines are applied throughout.
I would welcome the opportunity to meet with you to expand on these trends.
Regards,
Edward Barker
Cleard Life Vetting Agency | www.cleard.life | Ph 02-6171-4171 | Fx 02-6100-9483.

VETTING VANTAGE POINT
2018 PROTECTIVE SECURITY POLICY FRAMEWORK UPDATE
“Is vetting 1 million citizens to stop 1,800 rogue users,
at a cost of $627m, necessary?”
Revisions to the Protective Security Policy Framework (PSPF) were activated this month, with important changes to
“PSPF: 12 Eligibility and suitability of personnel” placing personnel security front and centre. Cyber security concerns
continue to feature strongly in public discourse: the community is concerned about how institutions, both public and
private, manage data, and those who manage data know that each breach brings greater costs [1].
Integrity and confidence in the APS features strongly in current and future capability requirements of many Agencies.
Confidentiality and integrity are identified specifically in Corporate Plans as key strategic risk areas. As an AGSVA
Industry Vetting Panel (IVP) member processing around 8-10% of all PV clearances, we understand the need to ensure
that Commonwealth resources are kept safe. As suitability experts, who understand the Attorney General's
Adjudicative Guidelines better than most, we offer you our vantage point on how these changes may have
significant implications.
Personnel security and cyber security are intrinsically linked. IBM data [2] shows that only 40% of data breaches originate
outside an organisation. Malicious intent by insiders accounts for more than 44% of breaches and more than 15% of
breaches are caused by inadvertent action: improved suitability screening can only improve these disturbing figures.
Source: IBM.
[1] Data breach after data breach, is costing $2.4m per breach
[2] The people you trust most could be planning the next big cyber attack on your company
Let’s look at the PSPF changes
Change #1 Strengthening Baseline Clearances.
The Baseline Security Clearance is now expanded: financial history checks are now required for all clearance levels,
including Baseline: [3]
This is a significant validation and strengthening of this level’s clearance relevance, given that the 2015 independent
Review of Whole-of-Government Internal Regulation (Belcher Red Tape Review [4]) proposed scrapping the Baseline
Clearance. As one of the Adjudicative Guidelines’ “Factor Areas” is “Financial Considerations”, the inclusion of this
element at this level bolsters the number of data points to be assessed by the vetting officer. The requirement for
financial history records to be checked for Baseline clearances recognises the relationship between misdemeanour by
trusted insiders and the financial pressures of modern living. Enhanced screening of this factor in security clearances
will mitigate the risk posed by undisclosed adverse financial histories.
[3] https://www.protectivesecurity.gov.au
[4] https://www.finance.gov.au/publications/reducingredtape/
The PSPF requires anyone who accesses Commonwealth systems to be screened for suitability [5]
The meaning of the term ‘suitability’ is laid out in the PSPF Adjudicative Guidelines called “Suitability Indicators” –
namely Honesty, Trustworthy, Tolerant, Maturity, Loyalty and Resilience (HTTMLR). The risk for the successful
implementation of this change is that agencies may seek to interpret the meaning of ‘suitable’ in sub-optimal ways
and, in the pursuit of efficiency, routinely outsource this additional assurance to their recruitment panels.
[5] https://www.protectivesecurity.gov.au
The recruitment business model is conflicted, however. It asks Recruiters to deliver competence and talent.
Disqualifying candidates based on a background check or character is the antithesis of the recruitment model. Because
of this, some of the nation’s largest agencies just duplicate this process: they have the recruiter recommend candidates
who are ‘possibly’ suitable and then the agency does its own security / suitability checks.
In practice, the ‘security check department’ inside the agency often analyses a ‘black mark’ database check, such as
a National Criminal History Check, which costs a little more than a few dollars. It’s official, often legislatively mandated
and therefore has some value. But its use as a standard of character, or to comply with suitability indicators (HTTMLR),
is fallacious. Even going a step further to include a Statutory Declaration which in effect says, “I declare that I am a
good person with good character” may have some deterrent value but offers little substantive assurance. Referee
checks about the candidate’s prior work performance may also have limited value since referees are commonly
nominated on an assumption of a broadly favourable commentary. The limited value offered by these approaches falls
short of the genuine, substantive assurances that the PSPF is articulating.
In scoping documents [6] used in a recent Royal Commission, researchers described the combination of a “Police Check +
Referee Check” as being 'futile' for safeguarding organisations. That is why the Sex Abuse RC Recommendations
included better and more rigorous initial and ongoing screening practices.
We live in a society that trades in trust. If what lies beneath a candidate's profile is never properly screened for
trustworthiness, then there remains a large mass of residual risk.
Let’s consider the practical implications
Should agencies or entities covered by the PSPF “use security clearances where they need additional assurance of
the suitability and integrity of personnel” as PSPF#12 now recommends?
Let’s examine a small number of agencies with requirements to engage either flexible workforces or allow systems
access by multiple external parties.
Australian Bureau of Statistics (ABS): The ABS has a temporary workforce of approximately 17,000 for its Census
collection activities; even with the growth in on-line completion of the Census, a large proportion of the ABS’
temporary workforce engages directly with citizens, including entering their properties, and conveying material
containing some of the most sensitive data gathered by the Australian Government. What would be the community’s
expectation of a minimum level of clearance for a representative of the ABS who they might allow into their homes?
A Baseline Clearance is surely the minimum.
Australian Electoral Commission (AEC): The AEC has approximately 75,000 temporary election workers charged with
servicing the most fundamental democratic entitlement, the right to vote. AEC temporary election workers have
access to records of up to 15.5 million Australian voters, and handle the ballot papers that reflect the will of the voters
in electing their government. What would be the voters’ expectations of a minimum level of clearance for someone
entrusted with those responsibilities? Even a Baseline Clearance would not offer assurance about freedom from
foreign interference but it would markedly enhance the current standards under which only 30% or so of the workforce
has any form of screening.
[6] http://www.parentingrc.org.au/images/Resources/Scoping_review_Evals-of-pre-employment-screening-practices/Scoping-review_Evaluations-of-pre-employment-screening-practices-to-prevent-csa.pdf
Australian Digital Health Agency: The former privacy commissioner Malcolm Crompton [7] said of digital health records
that they “will not be secure unless a widespread audit of every GP clinic in Australia is conducted. It may well be
military-grade [security] on the central servers of the My Health Record system [but] it’s demonstrably not military-
grade for all of those 900,000 practitioners.”
If the Australian Digital Health Agency, with its 900,000 users, requires access to Commonwealth systems to create, read,
update and delete sensitive personal information, then a Baseline Clearance should be considered a logical and
appropriate product that provides ‘additional assurances’ of the user’s suitability to access a Commonwealth system.
Consider the financial impact on the Commonwealth and Taxpayer:
If the ABS orders Baseline Clearances x $637ea = $10m
If the AEC orders Baseline Clearances x $637ea = $44m
If the ADHA orders Baseline Clearances x $637ea = $573m
Total = $627m
If you extrapolate this concept out to other Agencies and other programs of work, you can see how PERSEC is
conceivably a billion-dollar industry. However, to put that into perspective, the AGSVA’s Industry Vetting Panel, which processes
up to 95% of clearances, has a budget of around $40 million per year. This is about the same amount of money that
Queensland Train Drivers received – just for overtime – last year.
[7] Cyber attacks rise in Australia's data breach numbers: Health sector continues to have most incidents. https://www.itnews.com.au/news/cyber-attacks-rise-in-australias-data-breach-numbers-499323
As a nation, how willing are we, how prepared are we to strengthen PERSEC in order
to have safer, more secure and prosperous workplaces?
The 2018 ANAO Audit of AGSVA also revealed that around 1:1131 Baseline cases are initially considered adverse and
awarded a WITHHOLD recommendation (a polite way to describe them is ‘complex’).
As you can see from the above graphic, the higher the clearance level, the higher the number of people assessed
to be unsuitable. That is because we have incrementally more data points to analyse. Now that the Baseline Clearance
process has been beefed up to include finances, this 1:1131 ratio could easily become 1:500, which means that 1,800
trusted insiders accessing Commonwealth resources are deemed unsuitable.
Change #2 Pre-employment suitability occurs before employment is offered
The PSPF#12.C.1.6 also states that the pre-employment suitability screen should be done after the merit list is
complete, but before an employment contract is offered.
This change was advocated in the Journal of the Australian Institute of Professional Intelligence Officers Volume 25
Issue 2 (2017), in an article called “Breaking down barriers through proactive effective vetting management.”
But, can anyone imagine delivering a pre-employment suitability clearance, within
days, for potentially hundreds if not thousands of people?
The work that my team of security vetting officers does to reach an adverse recommendation takes time,
while remaining lawfully compliant. 1 in 4 complaints to the Human Rights Commission are classified as Criminal
Record Discrimination.
Questions to consider:
Q. Does the Australian pre-employment screening industry (including AGSVA) have capacity and
capability?
Quality: How is the consistency of suitability determinations being managed or controlled at the
moment?
Capable: Is the pre-employment industry capable of delivering PSPF-compliant suitability screening?
Throughput: Does the industry have the ability to process the volumes required to meet current and
future demand?
Timeliness: Can vetting / pre-employment screening decisions be achieved inside the shortlisting
process?
Q. With NDIS Suitability Clearance currently being developed, WWCC doing their own thing at the
State Level plus an “Aged Care Suitability Clearance” coming down the track (via the latest Royal
Commission), does coordination and standardisation need to be addressed pre-emptively in order to
limit inconsistent vetting practices and bring everyone back to the AG’s PSPF standards and
suitability indicators of HTTMLR?
Q. Have Entities/Agencies considered and budgeted for these pre-engagement and subsequent
annual check activities?
Q. Is outsourcing suitability assessments to recruitment agencies the appropriate method to resolve
the issue?
Q. Will the PSPF-defined suitability standards truly be practised in reality? Do you want them to be?
Q. Is the AGSVA, with its expertise in vetting and the PSPF, able to meet the demand outlined in
this report?
Q. Is the AGSVA willing and able to create new products that cater to its customers’ non-national
security / suitability clearance demands?
Q. Does the AGSVA have its hands full with national security clearances? (processing just 10,000
Baseline per year)
Q. Is there a void that can be filled by other vetting groups in the ‘non-national security vetting’
space?
Enter AI
What if there was a PSPF-compliant suitability clearance that claims
to be able to meet this demand head on?
We have developed the world’s first AI vetting platform. Designed by Australian intelligence, security, vetting and
suitability experts, it has enabled us to streamline the suitability aspects of the pre-employment screen, without
duplicating an Agency’s work (to establish identity).
We have demo'd 'Stephanie' in front of AGSVA, ASD and ASIO at a recent Crown Vetting All Staff Vetting Conference
on the Sunshine Coast and continue those discussions with our partners. The AGSVA is the Commonwealth's natural
channel and mechanism for vetting services. With our AI platform, we can augment and assist the AGSVA and
potentially other state-based vetting groups (e.g. WWCC) to deliver capability and consistent standards at scale.
Importantly we can do this at a fraction of the cost of the official AGSVA Baseline clearance.
We are willing to discuss our vantage point further in a public hearing or in a private setting.
Author: Edward Barker
Founder, Cleard Life 02-6171-4171
Principal, Crown Vetting 02-6111-2970
PO Box 1616, Tuggeranong, ACT, 2901
PO Box 617, Maroochydore, QLD, 4575