Ombudsman says agencies still break data interception laws

Federal government agencies are getting better at complying with telecommunications interception laws, but there’s still work to be done, the Commonwealth Ombudsman has found.

Publishing its latest report (PDF) into agency compliance with the Telecommunications (Interception and Access Act, the ombudsman found breaches continue in the handling both of stored communications, and telecommunications data.

Agencies singled out for criticism in how they handle telecommunications data the 2019-2020 period (covered by this report) included the ACCC, the Australian Criminal Intelligence Commission, NSW Police, Queensland Police, South Australia’s ICAC, South Australia Police, and Western Australia Police.

A common problem was accessing telecommunications data without proper authority, something  identified by the ombudsman in its last report.

There remains insufficient or inconsistent processes for vetting and quarantining of stored communications, as well as how agencies use and share stored communications, the report said.

The ombudsman also found non-compliance with requirements for destruction of stored data, and agencies can still mishandle preservation notices.

As for telecommunications data, the office found journalist information warrants were misused, and there was an issue with “sufficient seniority of authorised officers” (that is, personnel requesting metadata from carriers and service providers).

The report identified the Department of Home Affairs as delegating telecommunications responsibilities to people without sufficient seniority. 

The report says: “we recommended the Department revise its s5AB(1) authorisation under the Act to remove APS Level 6”, instead limiting authorisations to management positions. “The Department did not accept this recommendation,” the report noted.

The report also said the Department of Home Affairs could not identify whether it had received any unauthorised data, and couldn’t demonstrate that it could “appropriately manage any use and disclosure that may have occurred.

“The Department did not have a specific policy or written guidance vetting of telecommunications data nor policies or procedures on use and disclosure of telecommunications data.”

The report highlighted a particular example: Home Affairs made a telecommunications authorisation covering multiple persons, but omitted the service numbers covered by the authorisation.

As a result, the ombudsman’s report found, “we could not determine what was authorised and were not satisfied these authorisations were properly made”. 

The Department was unable to explain why this happened, the report said.