A tranche of 100,000 emails containing sensitive communications between politicians, parliament staff, security officers and others was handed to a third party that did not have a security clearance for it, the Department of Parliamentary Services (DPS) has admitted.
The communications were handed to law firm HWL Ebsworth in the same year it fell victim to a Russia-linked hack.
But despite assuring senators in October that the external contractor had been cleared to receive the emails, DPS secretary Jaala Hinchcliffe has now admitted that was not correct, conceding the mistake in a letter to senators late last week.
The department admitted a contractor with data forensics group Transperfect Legal, who HWL Ebsworth brought in to conduct searches of parliamentary inboxes, did not have the necessary clearance.
Liberal senator James McGrath said it was an extraordinary failure of leadership and judgement.
"We have a situation where an individual, without the required security clearance, was given access to highly sensitive data relating to the safety and security of everyone who works at Parliament House — without a second thought," Senator McGrath said.
"In my 11 years in the parliament I have never seen such blatant negligence."
Senator McGrath said the now-secretary, Jaala Hinchcliffe, and Senate president Sue Lines had "serious questions to answer".
In 2023 Ms Hinchcliffe ordered the surrender of all emails, Microsoft Office files and Teams chats in relation to an investigation into senior staff, including then-secretary Rob Stefanic.
HWL Ebsworth was hit in a hack that same year.
However the department asserts the communications were not held on HWL Ebworth's servers but instead on Transperfect's servers and says no privileged material was handed to investigators.
DPS did not verify clearance, emails not returned until last week
During Senate estimates questioning in October, Ms Hinchcliffe told senators the contractor had a "negative vetting 1" clearance, which permitted ongoing access to "Secret" classified resources and temporary access to "Top Secret" resources in certain circumstances.
But in a letter to the Senate committee last night, Ms Hinchliffe said she had been advised by the department's lawyers that the Transperfect contractor had never held that clearance, and that DPS had not attempted to verify that at the time.
Ms Hinchcliffe also confirmed to senators that sensitive data was not handed back to the department until Thursday of last week.
"We are extremely disappointed we were provided incorrect information," Ms Hinchcliffe told senators this morning.
While the exact contents of the communications handed to HWL Ebsworth are not known, parliamentarians have said examples of the data likely to be held by DPS includes material related to national security, confidential correspondence with ministers and parliamentarians, and sensitive security arrangements related to Parliament House.
The National Anti-Corruption Commission (NACC) is continuing a related investigation into the Department of Parliament Services, and it conducted a raid of DPS offices in parliament last year.
The NACC has not detailed the nature of that investigation, except to say that it does not relate to any current or former parliamentarians.
