The Australian Federal Police has admitted to breaching the country's data retention law by accessing the call records of a journalist without obtaining a warrant.
AFP commissioner Andrew Colvin today revealed an investigator in the force's professional standards team had breached the law while trying to uncover which officer leaked information to a journalist earlier this year.
He suggested the investigator did not realise a warrant was required to access a journalist's metadata, an exemption specified under the data retention legislation.
All other data retained in the scheme is accessible to 21 designated law enforcement agencies without a warrant.
Colvin attributed the breach to "human error" and said there was "no malice" involved.
The records - which covered a week of in- and outbound call data - have been destroyed, he said.
No action has been taken against the investigator, and the journalist in question has not been informed of the breach.
"This is the first investigation where the AFP was required to obtain a journalist information warrant under the TIA Act, and the processes we had in place were found to be lacking. Our internal procedures have been changed to prevent a repeat of this incident," Colvin said.
The AFP went public with the breach after the Commonwealth Ombudsman said it would conduct an audit of the incident. The force self-reported to the ombudsman on Wednesday of this week.
The federal government added warrant protection for journalist metadata to the data retention laws following a recommendation from a joint parliamentary committee investigating the bill, despite saying it did not believe it was necessary.
From April 13 this year all Australian carriage service providers were required to comply with the data retention legislation.
It forces them to store the following metadata for two years:
- names, addresses, birthdates, financial and billing information of internet and phone account holders;
- traffic data such as numbers called and texted, as well as times and dates of communications;
- when and where online communications services start and end;
- a user’s IP address;
- type and location of communication equipment; and
- upload and download volumes.
Just this month telcos said the scheme continued to have gaping flaws that were yet to be addressed, despite it entering operation a year and a half ago.