Police agencies made a series of illegal - or otherwise problematic - telecommunications metadata searches between 2015 and mid-2017, according to the Commonwealth Ombudsman.
A report tabled in parliament revealed that 116 authorisations for ACT Policing to access metadata over a fortnight in October 2015 were made by an officer who was not authorised to do so.
ACT Policing is the portfolio of the Australian Federal Police responsible for police services in the Australian Capital Territory.
The AFP blamed an “administrative oversight” where it failed “to authorise any officers within ACT Policing” to approve metadata requests.
The Ombudsman suggested that the AFP “quarantine all telecommunications data obtained under the 116 authorisations made by the unauthorised ACT Policing officer between 13–26 October 2015 from further use and communication.”
However, the Ombudsman noted, a quarantine wasn’t enacted, “which resulted in additional use and communication of the data.”
“Partial quarantining of the affected data was [finally] initiated in February 2018”, the Ombudsman noted, when it followed up with AFP.
Months later in April 2018, the AFP had still not “fully quarantined” the data.
Rather, “it was seeking legal advice regarding the use of the affected telecommunications data,” the Ombudsman noted.
“Due to the scale of this non-compliance, we will continue to monitor this issue closely with the AFP.”
The Ombudsman similarly noted a handful of other instances at TAS Police, CCC (QLD) and ICAC (NSW) “where telecommunications data was obtained either prior to, or without a valid authorisation.”
Other errors in telecommunications metadata requests were also uncovered.
In 84 instances, telcos sent agencies information that was outside of the date range specified in the authorisation.
The Ombudsman said it would explore remedial actions taken by agencies in these instances in a future report.
Additionally, the Ombudsman found five instances in 2016-17 when NSW Police accessed telecommunications data “in urgent circumstances or out-of-hours” with verbal approval, with paperwork filed later in only some of them.
“We also identified one area of the NSW Police which was routinely exercising its telecommunications data powers without a written or electronic authorisation in place,” the Ombudsman said.
“The area’s process at the time of our inspection was for access to telecommunications data to be verbally approved and a written record of the verbal approval to be made in a log.
“We do not consider this practice is permitted by the [Telecommunications Interception and Access] Act and suggested to NSW Police that it review its policies and procedures to ensure all authorisations for telecommunications data are in written or electronic form and signed by the relevant authorised officer,” the Ombudsman said.
In a further 20 cases, several agencies made typos in authorisations that, in two instances, led to incorrect metadata being accessed.
“This highlights the risk that transposing errors may lead to inadvertent privacy intrusions,” the Ombudsman said.
“Despite measures agencies have in place during the application stage to ensure applications meet the requirements of the Act, such as comprehensive templates and guides, human error always remains a possibility.
“Currently, most agencies rely on quality assurance measures, such as vetting by compliance officers, as a means to identify these errors.”