ACT Policing has identified “compliance issues” stretching back 13 years in its use of powers to identify the approximate location of mobile devices as part of investigations.
In a statement, the Australian Federal Police - which includes ACT Policing - said compliance issues, “some dating back to 2007 … related to [its] record-keeping, authorisations and reporting of requests” obligations under the relevant legislation.
AFP said it had self-reported the issues to the Commonwealth Ombudsman, and also commissioned PwC Australia to conduct an “independent audit into requests to telecommunications carriers”.
“The independent audit is expected to be completed by June 2020,” AFP said in a statement.
“The AFP understands the Commonwealth Ombudsman intends to commence an own-motion investigation into this matter.”
Commonwealth Ombudsman Michael Manthorpe confirmed that the impacted records “were not included in data the AFP [had previously] provided to the Ombudsman”.
While welcoming the self-reporting and the PwC audit, Manthorpe said “the issue is of serious concern, given the covert and intrusive nature of these powers and the duration and potential scale of the non-compliance that has been identified.”
“The Ombudsman has made suggestions to the AFP about the scope of the audit, in particular to ensure that it comprehensively examines the extent to which specific legislative provisions in force at the relevant times were breached, and their implications,” he said.
Manthorpe also confirmed the Ombudsman would independently examine the matter.
“The Ombudsman anticipates issuing a public report about his investigation in due course.”
AFP said the requests under investigation “were made by ACT Policing and related to the potential identification of a mobile device location during an investigation.”
It said the location request “only provides, if available, a general area, such as several streets, or broad vicinity, such as a suburb”, and could only be authorised for serious offences or those punishable with at least three years imprisonment.
“The location requests cannot provide metadata or private communication on the mobile device,” it said.
“The AFP has identified and taken corrective action to ensure legislative compliance, including appropriate recording, authorisation and future reporting.”