Government Communications Security Bureau and Related Legislation Amendment Bill

  • not the latest version

Explanatory note

General policy statement

This Bill is an omnibus Bill that amends the Government Communications Security Bureau Act 2003, the Inspector-General of Intelligence and Security Act 1996, and the Intelligence and Security Committee Act 1996. It is proposed (at the close of the Bill's committee of the whole House stage in Parliament) to divide the Bill into 3 separate amending Bills.

The purposes of the Bill are to—

  • provide for a clearly formulated and consistent statutory framework governing the activities of the Government Communications Security Bureau (GCSB); and

  • update that framework to respond to the changing security environment (particularly in relation to cybersecurity and information security), and to changes in the public law environment since the GCSB Act was passed in 2003; and

  • enhance the external oversight mechanisms that apply to the intelligence agencies by strengthening the office of the Inspector-General of Intelligence and Security and by improving the operation of Parliament’s Intelligence and Security Committee.

Amendments to Government Communications Security Bureau Act 2003

It is crucial that an agency exercising intrusive powers, as GCSB does, is governed by a consistent statutory framework that articulates the agency’s functions and powers, as well as the applicable controls and limitations, in the clearest possible terms. This promotes robust internal management and effective external oversight of the agency’s activities.

The March 2013 Review of Compliance at the Government Communications Security Bureau by Rebecca Kitteridge highlighted difficulties in interpreting the GCSB Act when the Bureau was providing assistance to other agencies, notably the New Zealand Security Intelligence Service. In a small jurisdiction like New Zealand, it is essential that specialised capabilities developed or acquired by agencies like GCSB should be available to meet key government priorities, where appropriate and subject to necessary safeguards. The Bill amends the GCSB Act to clarify this important support role as well as other aspects of the Bureau’s functions.

At the same time, New Zealand faces a changing security environment in which threats are increasingly interconnected and national borders are less meaningful. Globalisation means New Zealand is no longer as distant from security threats as it once was. This changed environment means the legislation governing GCSB needs updating, to enable it to address the security challenges posed by the increasing importance of cyberspace.

The Bill retains the basic construct of the GCSB Act and the core principles underpinning GCSB’s operations. Amendments to the objective, functions, powers, and limitation provisions are designed to address the issues above—namely, to improve clarity about the legal parameters for GCSB’s activities; and to accommodate changes in the prevailing security environment.

Objective and functions of GCSB

The Bill replaces the objective of GCSB with a simple statement that it strives, through its functions, to contribute to New Zealand’s national security, international relations, and economic well-being.

The Act currently provides for 3 core functions of GCSB:

  • information assurance and cybersecurity:

  • foreign intelligence:

  • co-operation with and assistance to other entities.

These 3 functions will be retained in substance. How they are articulated will be changed to improve transparency and facilitate external oversight of GCSB’s activities.

The statement of the 3 functions will be split into separate provisions (new sections 8A, 8B, and 8C). The information assurance and cybersecurity function will be given greater prominence, reflecting the key role GCSB plays in the wider cybersecurity domain—including its hosting of New Zealand’s National Cyber Security Centre, and its responsibility to use its cybersecurity capabilities to assist a range of public entities as well as private sector organisations such as critical national infrastructure providers and organisations of national significance.

The foreign intelligence function will be described in a way that provides transparency about the nature and scope of this role, without expressly legislating the range of activities involved or the skills required in pursuit of this function.

The Act will be changed to provide a sounder basis for GCSB to offer expert advice and assistance to other entities. The Bureau will have clear legal authority to assist the New Zealand Defence Force, New Zealand Police, and New Zealand Security Intelligence Service (as well as any other department that may be specified by Order in Council) in performing their lawful functions. In providing such assistance, GCSB will be confined to activities that the other entity is lawfully able to undertake itself (though it may not have the capability), and will be subject to any limitations and restrictions that apply to the other entity.

Powers, controls, and limitations

The Act confers 3 powers of interception on GCSB:

  • warrantless interception in situations not involving the physical connection of an interception device to a network; and not involving the installation of an interception device in any place in order to intercept communications in that place (sections 15 and 16):

  • interception of communications by an interception device under an interception warrant granted by the responsible Minister (section 17):

  • access to a computer system under a computer access authorisation granted by the responsible Minister (section 19).

This construct continues to provide the basic tools that GCSB needs to perform its functions, and it will be retained.

At present, section 13 of the Act dictates that the Bureau’s powers are available for the purpose of obtaining foreign intelligence. While much of GCSB’s work (including in the cybersecurity domain) can ultimately be linked to a foreign intelligence objective, the Act was conceived at a time when the nature, extent, and potential impact of the cyber threat was dramatically different from the threat posed now. The Act will be amended to make it clear that the powers can be used for both the foreign intelligence function and the information assurance and cybersecurity function, subject to appropriate controls and limitations.

The basic premise underpinning GCSB’s operations is that it is not to conduct foreign intelligence activities against New Zealanders. This premise predated the GCSB Act, and was incorporated in the GCSB Act (in section 14) because of its importance. However, the way this basic premise was incorporated into the Act meant that it applied not only to the foreign intelligence function of the Bureau, but also to its other 2 functions: information assurance and assisting other entities. This has resulted in a growing number of difficulties, and is restricting GCSB’s ability to effectively carry out its other 2 functions.

The basic premise in section 14 will be retained, with an adjustment to clarify that it only applies to the foreign intelligence function. As a safeguard in respect of New Zealanders’ privacy, any activity under new section 8A or 8B that might involve intercepting the communications of New Zealanders will require an authorisation to be granted jointly by the responsible Minister and the Commissioner of Security Warrants (appointed under the New Zealand Security Intelligence Service Act 1969). When GCSB is assisting another entity under new section 8C, the authorisation processes and any restrictions or limitations that apply to that entity will apply to the Bureau’s assistance.

Other amendments

A range of amendments designed to complement other changes, or in the interests of updating the Act generally, includes the following:

  • to enable the Inspector-General of Intelligence and Security to have access to the best possible information, the Act will be amended to require GCSB to maintain a written record of all warrants and authorisations in a form readily available for inspection:

  • in line with the recommendation of the Law Commission in June 2011, principles 1, 5, 8, and 9 of the Privacy Act 1993 will apply to GCSB, modified if necessary to achieve the effective and efficient performance by the Bureau of its functions:

  • the appointment framework for the Director of GCSB will be modified to codify the State Service Commissioner’s support for that process, as currently set out in the Cabinet Manual:

  • in situations of urgency where the responsible Minister is not readily available, the Attorney-General, the Minister of Foreign Affairs or the Minister of Defence will be empowered to issue an interception warrant or an access authorisation:

  • the maximum penalty for unauthorised disclosure of information will be increased to align it with the penalty for similar types of offending, for example in the Crimes Act 1961.

Amendments to Inspector-General of Intelligence and Security Act 1996

Effective and credible oversight of the intelligence agencies is crucial to provide assurance that those agencies’ powers are being used in accordance with the law and with respect for New Zealanders’ right to privacy. The Inspector-General of Intelligence and Security (IGIS) is a source of independent external oversight, responsible for examining issues of legality and propriety, efficacy and efficiency, and human rights and privacy compliance.

The Bill amends the Inspector-General of Intelligence and Security Act 1996 to strengthen the office of the IGIS, increasing the resourcing of the office to enable a greater range of activities to be carried out, expanding the IGIS’s statutory work programme, and enhancing the corresponding reporting responsibilities.

The changes to the Act include the following:

  • the statutory work programme of the IGIS, which includes a focus on warrants and authorisations issued to the intelligence agencies, will be extended to require regular examination of system-wide issues that impact on operational activities:

  • the IGIS will be required to certify each year in his or her annual report whether the compliance systems of the intelligence agencies are sound:

  • the IGIS will be able to initiate inquiries into matters of propriety without requiring the concurrence of the responsible Minister. This will enable the IGIS to undertake independent inquiries:

  • the responsible Minister will be given explicit responsibility to respond to IGIS reports within a reasonable time frame. The Minister may choose to provide those responses also to the Intelligence and Security Committee:

  • the IGIS will be expected to make unclassified versions of his or her reports publicly available, with appropriate precautions being taken in respect of any privacy or security concerns:

  • the legislative requirement that the IGIS be a retired High Court Judge will be removed, broadening the pool of potential candidates. The 3-year term of office will remain, with the possibility of reappointment for a maximum of 1 additional term:

  • a Deputy IGIS will be appointed.

Amendments to Intelligence and Security Committee Act 1996

The Intelligence and Security Committee (ISC) is the parliamentary mechanism for oversight of the intelligence agencies. It examines issues of efficacy and efficiency, budgetary matters, and policy-setting.

The Bill amends the Intelligence and Security Committee Act 1996 to improve the ISC’s ability to provide effective oversight and accountability of the intelligence agencies.

The changes to the Act involve the following:

  • the Prime Minister will be required to relinquish the ISC chair if the Committee, when conducting a financial review of an intelligence agency for which the Prime Minister is the responsible Minister, is discussing the performance of that agency:

  • the Prime Minister will be permitted to nominate either the Deputy Prime Minister or the Attorney-General to act as an alternate chair in circumstances where that alternate is not already a member of the ISC:

  • subject to restrictions on the publication of sensitive information, the ISC will be required to table its reports in the House and make them publicly available on an Internet site.

Regulatory impact statement

The Department of the Prime Minister and Cabinet with the Government Communications Security Bureau produced a regulatory impact statement on 22 March 2013 to help inform the main policy decisions taken by the Government relating to the contents of this Bill.

A copy of this regulatory impact statement can be found at—

Clause by clause analysis

Clause 1 states the title of the Bill. When the Bill is divided, as noted earlier, the title of each Part will refer to the principal Act being amended.

Clause 2 is the commencement clause and provides that the Bill comes into force on the day that is 1 month after the date on which it receives the Royal assent. When the Bill is divided, as noted earlier, this commencement clause will be repeated in each separate Bill.

Part 1
Amendments to Government Communications Security Bureau Act 2003

Clause 3 provides that this Part amends the Government Communications Security Bureau Act 2003.

Clause 4 amends section 3, which specifies the purpose of the Act. The amendments substitute new paragraphs (c) to (e). They have been recast to be consistent with changes in terminology being made.

Clause 5 amends section 4, which defines terms used in the Act. The amendments repeal certain definitions, amend other definitions, and insert new definitions.

The new definition of incidentally obtained intelligence is important in relation to new section 14 inserted by clause 12 and to new section 25 inserted by clause 24.

The new definition of information infrastructure is inserted to take the place of the repealed definition of computer system. The new definition includes any medium through or in which communications are carried or stored and includes the communications themselves.

Clause 6 replaces sections 7 and 8 with new sections 7 to 8D.

New section 7 states the objective of the Government Communications Security Bureau (the Bureau).

New section 8 provides that the functions of the Bureau set out in new sections 8A to 8C are not to be taken as specifying any order of importance or priority. It also clarifies that the performance of the Bureau's functions, and the relative importance and priority of the functions, if any, are to be determined from time to time by the Director, subject to the control of the Minister.

New section 8A sets out the function of the Bureau in relation to information assurance and cybersecurity.

New section 8B sets out the function of the Bureau in relation to gathering and analysing intelligence about the capabilities, intentions, and activities of foreign persons and foreign organisations, and in relation to gathering and analysing intelligence about information infrastructures.

New section 8C sets out the function of the Bureau in relation to co-operation with certain other entities to facilitate the performance of their functions. New subsection (2) provides limits on the extent of the co-operation provided, but clarifies that the co-operation may be provided even though the advice and assistance provided might involve the exercise of powers by, or the sharing of the capabilities of, the Bureau that the Bureau is not, or could not be, authorised to exercise or share in the performance of its other functions.

New section 8D gives the Director all the powers that are necessary or desirable for the purpose of performing the functions of the Bureau, but this is subject to the Act, any other enactment, and the general law.

Clause 7 replaces section 9 with new sections 9 to 9D dealing with the appointment of the Director, the appointment process, remuneration and conditions of appointment, removal from office, and review of the Director's performance.

Clause 8 amends section 11, which makes it an offence for current or past employees of the Bureau to unlawfully disclose information gained in connection with the Bureau. The amendments increase the maximum penalties from 2 years' to 3 years' imprisonment and from a $2,000 to a $5,000 fine.

Clause 9 amends section 12, which provides for the Bureau's annual report. The amendments are drafting amendments.

Clause 10 replaces the Part 3 heading to update terminology and reflect that the Part deals with both intercepting communications and accessing information infrastructures.

Clause 11 replaces section 13, which sets out the purpose of Part 3. The purpose is recast to be consistent with the recasting of the Bureau's functions and with amendments made to other provisions in Part 3.

Clause 12 replaces section 14, which provides that interceptions are not to target New Zealand citizens or permanent residents of New Zealand. The new section 14 is expressly linked to the Bureau's intelligence-gathering function in new section 8B and provides that any incidentally obtained intelligence is not obtained in breach of new section 8B, but must not be retained or disclosed except in accordance with section 23 and new section 25.

Clause 13 amends section 15, which prohibits, unless authorised, the connecting or installing of interception devices. The amendments are technical to reflect the change in terminology from computer systems to information infrastructures.

Clause 14 inserts new sections 15A and 15B.

New section 15A provides for the Director, for the purpose of performing the Bureau's functions under new section 8A or 8B, to apply to the Minister for an interception warrant to intercept communications or an access authorisation to access information infrastructures. The new section sets out the matters that the Minister must be satisfied about before issuing a warrant or an authorisation.

New section 15B requires the Commissioner of Security Warrants (appointed under the New Zealand Security Intelligence Service Act 1969) to be involved if anything that may be done under a warrant or an authorisation issued under new section 15A is for the purpose of intercepting the private communications of a New Zealand citizen or permanent resident of New Zealand under new section 8A or new section 8B to the extent that intercepting the person's private communications under that section is not precluded by new section 14.

Clause 15 amends section 16, which permits certain interceptions without an interception warrant or an access authorisation.

The amendments—

  • specify that the section applies to interceptions for the purposes of the Bureau's functions in new sections 8A and 8B:

  • specify that it does not authorise the interception of private communications of New Zealand citizens or permanent residents of New Zealand.

Clause 16 repeals section 17 and the cross-heading above section 17. Section 17 has been assimilated into new section 15A inserted by clause 14.

Clause 17 amends section 18, which provides for certain matters about interception warrants. The amendments widen the application of the section to include access authorisations.

Clause 18 replaces section 19 with new sections 19 and 19A. New section 19 requires the Director to keep a register of interception warrants and access authorisations that have been issued. New section 19A provides for the urgent issue of interception warrants or access authorisations by the Attorney-General, the Minister of Defence, or the Minister of Foreign Affairs if the Minister is unavailable and it is necessary to issue them before the Minister is available.

Clause 19 makes a drafting amendment to section 20.

Clause 20 replaces section 21 with a new section that confers immunity from civil and criminal liability for certain things done under the Act if done in good faith and in a reasonable manner.

Clauses 21 to 23 make drafting amendments to sections 22, 23, and 24 respectively.

Clause 24 replaces section 25. The new section specifies when and to whom incidentally obtained intelligence about New Zealand citizens or permanent New Zealand residents may be retained and communicated. The ground in the current section 25 of preventing or detecting serious crime in New Zealand or any other country is retained and the following 2 new grounds are added:

  • preventing or responding to threats to human life in New Zealand or any other country:

  • identifying, preventing, or responding to threats or potential threats to the national security of New Zealand or any other country.

Clause 25 inserts new sections 25A and 25B dealing with the protection and disclosure of personal information. New section 25A requires the Director, in consultation with the Inspector-General of Intelligence and Security and the Privacy Commissioner, to formulate a policy on the protection and disclosure of personal information that complies with the principles set out in new section 25B. New section 25B sets out the principles about collecting, using, storing, and retaining personal information.

Clause 26 makes consequential amendments to other Acts as set out in the Schedule.

Part 2
Amendments to Inspector-General of Intelligence and Security Act 1996

Clause 27 provides that this Part amends the Inspector-General of Intelligence and Security Act 1996.

Clause 28 amends section 2(1), which contains definitions of terms, and inserts a definition of Deputy Inspector-General.

Clause 29 replaces section 5 with new section 5, which provides for the appointment of an Inspector-General of Intelligence and Security and a Deputy Inspector-General of Intelligence and Security. The Deputy Inspector-General has all the powers and functions of the Inspector-General, subject to the control and direction of the Inspector-General. The Deputy Inspector-General has all the powers and functions of the Inspector-General if there is a vacancy in the office of the Inspector-General or if the Inspector-General is absent from duty for any reason.

Clause 30 amends section 6, which provides for the Inspector-General's term of office. The amendments—

  • add a reference to the Deputy Inspector-General:

  • provide a maximum term of appointment of 3 years for each:

  • provide that each can be reappointed, but in the case of the Inspector-General only once.

Clause 31 amends section 11, which specifies the functions of the Inspector-General. The amendments replace subsection (1)(c), (d), and (da) with new paragraphs. Paragraph (c) is replaced with 2 new paragraphs. The effect of this is to permit the Inspector-General to inquire into the propriety of particular activities of an intelligence and security agency without needing the agreement of the Minister.

Paragraphs (d) and (da) are replaced with 2 new paragraphs. New paragraph (d) requires the Inspector-General to review, at intervals of not more than 12 months,—

  • the effectiveness and appropriateness of procedures adopted by each intelligence and security agency to ensure compliance with its governing legislation in relation to the issue and execution of warrants and authorisations:

  • the effectiveness and appropriateness of compliance systems concerning operational activity, including supporting policies and practices of each intelligence and security agency relating to certain matters, including risk management and legal compliance generally.

New paragraph (da) requires the Inspector-General to conduct unscheduled audits of the procedures and compliance systems described in new paragraph (d).

This clause also repeals section 11(2). That subsection placed limitations on the ability of the Inspector-General to do anything of his or her own motion in relation to a complaint about any activity of an intelligence and security agency.

Clause 32 amends section 12, which authorises the Inspector-General to consult certain public office holders and disclose information necessary for that purpose.

The effect of the amendments is to add a reference to the Independent Police Conduct Authority as one of the public offices that may be consulted.

Clause 33 amends section 15 consequential on the amendments to section 12.

Clause 34 amends section 25, which specifies what the Inspector-General must do on completing an inquiry. The amendments—

  • require the Minister to provide his or her response to the report to the Inspector-General and the chief executive of the intelligence and security agency concerned:

  • permit the Minister to provide his or her response to the Intelligence and Security Committee.

These amendments do not apply to the extent that a report relates to employment matters or security clearance issues.

Clause 35 inserts new section 25A, which requires the Director-General, as soon as practicable after forwarding a report as required under section 25(1), to make a copy of the report publicly available on an Internet site maintained by the Inspector-General. The new section specifies matters that must not be disclosed in the report made available under this section.

Clause 36 amends section 27, which provides for the Inspector-General's annual report. The amendments—

  • require the Inspector-General to certify whether each intelligence and security agency's compliance systems are sound:

  • require the Inspector-General, as soon as practicable after his or her annual report is presented to Parliament, to make a copy of his or her report (as presented to Parliament) publicly available on an Internet site maintained by the Inspector-General.

Part 3
Amendments to Intelligence and Security Committee Act 1996

Clause 37 provides that this Part amends the Intelligence and Security Committee Act 1996.

Clause 38 amends section 6, which specifies the functions of the Committee. Section 6(1)(e) specifies one of the Committee's functions to be to report to the House of Representatives on the activities of the Committee. The amendment substitutes a new paragraph (e), which requires the Committee to present an annual report to the House of Representatives and to make an annual report publicly available on the Internet site of the New Zealand Parliament.

Clause 39 inserts new section 7A, which contains further provisions about the chairperson of the Committee. The new section provides—

  • that the Prime Minister is not to chair a meeting of the Committee while it is discussing, in the course of a financial review of an intelligence and security agency, any matter relating to the performance of the intelligence and security agency if the Prime Minister is the responsible Minister of the agency. In that case, one of the members of the Committee appointed under section 7(1)(c) must act as chairperson:

  • that the chairperson of the Committee may appoint either the Deputy Prime Minister or the Attorney-General (if not already a member of the Committee) to act as chairperson in the absence of the chairperson.

Clause 40 makes amendments to section 18 that are consequential on the amendment made by clause 38.