Ombudsman finds AFP location privacy breaches may have been 'unlawful'

The ACT Chief Police Officer has admitted a culture of non-compliance existed within the AFP and ACT Policing relating to illegal requests for location information used to arrest suspected criminals.

Commonwealth Ombudsman Michael Manthorpe’s investigation into the AFP’s use and administration of telecommunications data powers was launched after the AFP disclosed it had identified compliance issues affecting ACT Policing’s handling of requests for location-based services (LBS), colloquially known as ‘pings’, dating back to 2007.

“This means LBS could have been accessed unlawfully,” Mr Manthorpe said.

“This could have a number of potential consequences, for example, the privacy of individuals may have been breached and we have been unable to rule out the possibility that unauthorised LBS may have been used for prosecutorial purposes.”

ACT Chief Police Officer and AFP Deputy Commissioner Neil Gaughan said the use of police powers were well short of community expectations, and he would be overhauling access to mobile phone information and location records after the discovery of rampant non-compliance.

ACT Policing can make these requests to identify a potential location of a mobile device in the past or in real-time.

However, location requests can only be made for an investigation into serious offences such as murder, kidnapping, drug trafficking, terrorism, aggravated robbery and firearm offences. These requests only provide a general location such as several streets, or a broad vicinity such as a suburb, if available.

Location requests cannot provide metadata or private communication on a mobile device.

The investigation also found the AFP and ACT Policing missed several opportunities to identify and address ACT Policing accessing LBS outside the AFP’s approved process earlier.

The most serious breach included 91 instances of location-based services not being authorised and a further 1201 instances of the ombudsman being unable to determine if authorisation was issued.

Based on the records provided by the AFP, the report found that between 13 October 2015 and 3 January 2020, ACT Policing accessed location information 1713 times, of which only nine instances were fully compliant.

Chief Police Officer Gaughan said the AFP had accepted all eight recommendations, and he would be looking at whether the breaches may have impacted any prosecutions. He would also be taking steps to ensure officers have longer periods in their positions to ensure consistency in the organisation, as many officers involved had since retired.

“As police officers, we have access to special powers for investigative purposes to ensure the safety of the entire community. We take this responsibility seriously and accept and apologise for our past non-compliance outlined in the Ombudsman’s report,” the Chief Police Officer said.

“I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily.”

He said a “substantial change” to their processes included that all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area, with consideration to urgent requests required by ACT Policing to support its operations.

“The AFP has updated internal policies and alerted all employees who use these laws for an investigation to be aware of their obligations and requirements,” Chief Police Officer Gaughan said.

The ombudsman’s investigation began in March last year after the AFP self-reported that 800 requests had been made by ACT Policing for metadata outside approved processes.

The Commonwealth Ombudsman didn’t rule out that some officers accessed LBS unlawfully.

However, the Chief Police Officer said he didn’t want to create a situation where every officer doing the wrong thing was being “slapped on the wrist” for what he called “honest mistakes”.

“I stand here apologetic for the situation we now find ourselves in,” he said. “We’ve drawn a line in the sand, and if people in the future don’t follow the guidelines, professional standards action will be taken.”

Other non-compliance included a failure to keep records of information put to the authorising officer and failure to consider whether the request related to a journalist.

The AFP has accepted all eight recommendations to address and prevent future recurrences.