The public sector watchdog has been unable to confirm whether the former Customs agency obtained a warrant each time it accessed stored telecommunications data.
In its first assessment of compliance with the Telecommunications (Interception and Access) Act published today [pdf], the Commonwealth Ombudsman said it was unclear whether Customs - now part of the wider Immigration department - had met its legal obligations when accessing data stored by telcos.
The TIA Act covers both metadata accessed by 20 agencies under the data retention laws without a warrant, as well as communications stored by telcos which require a warrant to access.
The Ombudsman - which was given the power to scrutinise agency access to metadata when the data retention laws were introduced - found that between July 1 2015 to June 30 2016, agencies were on the whole compliant with their obligations under the legislation.
But it said it was unable to ascertain that Customs had only dealt with "lawfully accessed information" in five specific cases.
It blamed poor agency record-keeping practices.
"No stored communications product was made available for our inspection. Therefore, we cannot provide assurance that Customs was only dealing with lawfully accessed information," the Ombudsman said in its report.
“In our view, Customs does not have sufficient processes in place to demonstrate that it is only dealing with lawfully accessed stored communications."
The ombudsman said the former agency needed to implement processes that could prove its access to stored communications was legal. However, the office did note that its inspection took place during the agency's merger into the wider Immigration department.
While it found agencies were overall compliant with their data access obligations, it did identify several common risk areas, including training for staff exercising their metadata powers.
The Australian Federal Police last month blamed a lack of awareness for its breach of a journalist's metadata.