DPS Secretary Jaala Hinchcliffe has conceded that the contractors lacked the security clearance required to view the emails. Photo: LinkedIn.
Federal parliamentarians are a little more jittery this week over concerns that external contractors could have viewed their sensitive emails without proper security clearances.
Department of Parliamentary Services (DPS) officials have tried to assure them that it’s not the case, while at the same time admitting to an egregious failure in allowing more than 100,000 emails to be handled by a non-vetted third party.
The last week of Senate Estimates for 2025 has unearthed a number of embarrassments for the Federal Government and the Australian Public Service, but the DPS gaffe is perhaps the most alarming.
The department admitted that it knew the truckload of sensitive communications on Parliament House’s IT system, between politicians, their staff, parliamentary staff, security officers, and others, was handled by someone who should not have been anywhere near them.
The emails in question were handed over to law firm HWL Ebsworth in 2023, the same year the company was successfully hacked by a Russian entity.
HWL Ebsworth further contracted the work to data forensics group TransPerfect Legal to search parliamentary inboxes over the probe into DPS’s former secretary, Rob Stefanic, and his alleged relationship with the former deputy secretary, Cate Saunders.
Contractors on such work need a Negative Vetting 1 clearance, which allows ongoing access to Secret classified resources as well as temporary access to Top Secret resources in some cases.
Despite DPS assuring Senators as recently as October that the external contractors had been cleared to receive the emails, the department has now admitted that was not the case.
Both HWL Ebsworth and TransPerfect Legal had mistakenly informed DPS that everyone involved in the email scrutiny had the proper level of security vetting.
The department’s lawyers discovered that a TransPerfect Legal contractor had never held that clearance, confirming also that DPS had not attempted to verify clearances at the time of engagement.
Department Secretary Jaala Hinchcliffe conceded the error in a letter to Senators on the eve of this week’s hearings, making it a dead cert it would be raised in Estimates.
Appearing before the Senate Finance and Public Administration Legislation Committee, Ms Hinchcliffe said her earlier statement was wrong and that, indeed, someone working for TransPerfect Legal did not have the required security clearance.
“We are extremely disappointed we were provided incorrect information,” Ms Hinchcliffe told the hearing.
She also confirmed that the sensitive emails were not returned to DPS until Thursday of last week (27 November).
DPS Deputy Secretary Nicola Hinder said the department’s not making further checks over security clearances was “entirely in accordance with normal practice” because HWL Ebsworth had an ongoing relationship with the government.
“In relation to the TPL employee, I assured myself upon commencement with DPS that we had received assurances that they did have [appropriate clearance],” Ms Hinder said.
“That subsequently turned out to be incorrect, and we have raised that in the strongest terms with both HWE, who have done the same with TPL.”
But Ms Hinder said she did not wish to “categorise it as being a lie” told to the department by the contractors.
Both the Secretary and Deputy Secretary were at pains to stress to the hearing that TransPerfect Legal used algorithms in its email searches, thereby limiting exposure to all documents far more than if they had been done manually.
The explanations were not good enough for Liberal Senator James McGrath, the shadow special minister of state.
He has blasted the department over the incident and its response.
“We have a situation where an individual, without the required security clearance, was given access to highly sensitive data relating to the safety and security of everyone who works at Parliament House — without a second thought,” Senator McGrath said.
“In my 11 years in the parliament, I have never seen such blatant negligence.”
“Not only have we uncovered that sensitive information and parliamentary privileged information was extracted and accessed by someone without the proper security clearance, but we have also been told by DPS that there is ‘nothing to see here’.
“We have launched an inquiry to get to the bottom of this, but the actions and blasé attitude of this department and its senior leadership have put parliamentarians and ultimately Australians at risk.”
