ACT police accessed the metadata of telephone conversations without proper authorisation more than 100 times in 2015, according to a Commonwealth Ombudsman report.
The breaches came to light two years later and are detailed in the Commonwealth Ombudsman’s report Monitoring of agency access to stored communications and telecommunications data for the period 1 July 2016 to 30 June 2017.
The ACT Chief Police officer Ray Johnson has put them down to an administrative oversight in which the ACT was not included in an updated authorisation from the Australian Federal Police Commissioner when the relevant legislation was changed in 2015, leaving the particular ACT officer concerned without the power to authorise police to allow access to phone metadata.
“The member who was doing the authorisation continued doing so in good faith on the basis of operational need for a period of time until the problem was discovered and declared to the Ombudsman,” he told the ABC.
Weekly NewsletterEvery Thursday afternoon, we package up the most-read and trending RiotACT stories of the past seven days and deliver straight to your inbox..
This affected 116 authorisations made between 13 and 26 October 2015 and a large number of authorisations dating back to March 2015, which preceded the start of the Ombudsman’s oversight.
New laws in 2015 forced telecommunication companies to hold internet and phone records for up to two years so the information can be accessed as part of criminal investigations. Domestic intelligence and police agencies could then be granted access to the metadata and could also apply for a warrant to access journalists’ information.
Information does not include the contents of conversations.
The Ombudsman suggested the AFP quarantine all telecommunications data obtained under the 116 ACT authorisations from further use, which the AFP accepted but did not act on until February 2018 when the Ombudsman followed up.
By April 2018, the data had still not been fully quarantined and the AFP said it was seeking legal advice regarding the use of the affected data.
“Due to the scale of this non-compliance, we will continue to monitor this issue closely with the AFP,” the Ombudsman wrote.
Assistant Commissioner Johnson said ACT Policing had been working with the Ombudsman to ensure it had met the requirements for dealing with that information but a ‘handful’ of data to do with an ongoing missing person case was still to be finalised.
He said the data was used in normal criminal and missing persons investigations ranging from armed robberies to stolen bikes, and no journalists’ information was involved.
The authorisation had been updated and the right people were now making the decisions.
“I’m confident that there is right oversight and review and that if at any point there is a need to update the instruments that will happen and will fully take into account ACT Policing,” Assistant Commissioner Johnson said.
He said part of the assurance process was the work of the Ombudsman, who has oversight of the legislation.
“We understand that these are powers given to us by the community and we’re entrusted with them,” Assistant Commissioner Johnson said. “We desperately don’t want to make mistakes with it.”
Metadata retention laws are currently being reviewed by the Parliamentary Joint Committee on Intelligence and Security.