No ACT police officers have faced disciplinary action or been sacked over possibly illegal data breaches, despite their potential to jeopardise criminal proceedings, documents obtained under freedom of information have revealed.
The Commonwealth Ombudsman found that ACT Policing had accessed location data 1713 times between 13 October 2015 and 3 January 2020, but could only be confident nine requests for prospective telecommunications data, including location-based services, were correctly made through the AFP centralised compliance team.
Ombudsman Michael Manthorpe’s investigation found that police retrospectively authorised access to metadata and conducted a “fishing expedition” on a phone they had not been approved to search for.
In one instance, the police decided to ping the phone of a suspect’s girlfriend, who was not subject to investigation, and “just hope that they love each other lots and do everything together!”
In another instance, officers were not even sure if the number they were ‘pinging’ was still related to the suspect.
Pinging is used to determine the location of a mobile device by analysing its connection to phone towers.
Draft talking points prepared in light of the Ombudsman’s report revealed that the senior officer who had pinged phones still worked for ACT Policing.
The organisation admitted, “a number of non-compliance issues identified in the report and the detail of email exchanges highlights a culture that doesn’t meet community expectations”.
Despite this, no one had “faced disciplinary action or been sacked for their poor behaviour in relation to these requests” more than a year after the original discrepancies were discovered in March 2020, the documents revealed.
The Australian Federal Police (AFP) instead opted to take an “education-based approach to enhancing compliance” and culture within ACT Policing.
ACT Policing sits under the AFP umbrella.
“The AFP remains a learning organisation and our officers will make mistakes,” the document said.
“With additional training and further oversight, this should prevent breaches like this occurring in the future.
“However, if this keeps occurring it would be considered a significant breach by an officer and would then be assessed by AFP’s Professional Standards area.”
The AFP also rejected assertions that the breaches should be examined by the ACT Integrity Commission if ACT Policing came under the Commission’s scope.
“There is no evidence of an integrity issue in this situation,” the document said. “There is nothing to indicate that this is anything more than an ongoing administrative oversight.”
It still remains unclear whether the breaches have jeopardised any criminal proceedings or resulted in the unlawful jailing of any suspects.
ACT Policing said it was receiving preliminary legal advice and was engaging in discussions with the Director of Public Prosecutions on a case-by-case basis at the time but that it was too early to discern any legal exposure.
But according to police briefing materials, the “likelihood of [legal exposure] is low, as location data is traditionally used only as indicative information to assist criminal investigations”, according to the briefing materials.
Legal advice is subject to legal privilege and cannot be released but the Ombudsman was unable to rule out that unlawfully obtained data was used during prosecution.
On preliminary investigation, the DPP had not found any judicial impacts when the report was released despite being provided with the list the year before, ACT Policing said at the time.
Region Media approached ACT Policing for updated advice about legal exposure or jeopardised investigations or cases and was told that investigations were continuing.
Chairperson of the ACT Law Society’s Criminal Law Committee and Kamy Saeedi Law partner, Michael Kukulies-Smith, said if location data was used as the first link in the chain of evidence, there is an argument it would be inadmissible, jeopardising criminal cases.
Evidence gathered is not admissible if it is obtained illegally or “in consequence of an impropriety or of a contravention of an Australian law”.
“If that tower data was illegally obtained, which is the sort of thing we are talking about in the Ombudsman’s report, then arguably everything that flows from that is in consequence from the initial contravention,” Mr Kukulies-Smith said.
This arises if the location data became the basis for narrowing down a suspect list or the warrant to search a person’s house, he said.
“Without transparency from police about what access was made, we cannot say this did not happen. All we have at this moment is their word.
“What I suspect they would say is that it was incidental and was not an active part of the investigation.
“But that is where minds differ on that argument and a person should be entitled to know [if their data was illegally accessed] so they can put that argument to the court and the court determine if the evidence was improperly obtained,” Mr Kukulies-Smith said.