A “cavalier” approach to the handling of telecommunications data led to the AFP potentially unlawfully accessing location information hundreds of times, a scathing Commonwealth Ombudsman report has found.
The Ombudsman found that from October 2015 to 2019 only nine of the 1713 times ACT Policing accessed location-based services – known as mobile phone “pings” – were confirmed to be “fully compliant” with the law.
ACT Policing did not properly follow the AFP’s processes for accessing this highly personal data, and did not report this access to the Home Affairs minister and Ombudsman as required, meaning this data could have been accessed unlawfully, the report found.
“My Office’s investigation identified that the internal procedures at ACT Policing and a cavalier approach to exercising telecommunications data powers resulted in a culture that did not promote compliance with the TIA Act,” Commonwealth Ombudsman Michael Manthorpe said.
“This contributed to the non-compliance identified in this report.”
Because the authorisations issued by ACT Policing to telcos to access the ping data were not properly authorised or reported to the Ombudsman, the data “could have been accessed unlawfully”, Mr Manthorpe said.
“This would have a number of potential consequences, for example, the privacy of individuals may have been breached and we have been unable to rule out the possibility that unauthorised location-based services may have been used for prosecutorial purposes,” he said.
The Ombudsman was also highly critical of the AFP, which it said missed a number of opportunities to address and rectify these issues across five years, did not properly disclose the extent of the issue to the Ombudsman, and did not acknowledge it was aware of the issue at the time, despite emails revealing it had been brought to the attention of AFP staff in 2017 and 2018.
This is significantly concerning in light of the sweeping new “identify and disrupt” laws currently before Parliament, which would hand huge powers to the AFP to take control of an individual’s online accounts, the Ombudsman said.
“Law enforcement agencies rely on a wide range of covert and intrusive tools to do their work, but to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use,” Mr Manthorpe said.
“Indeed, the Parliament currently has before it proposed legislation which will further extend the powers of law enforcement agencies, in relation to being able to detect and disrupt criminal activity.
“A critical factor in effective oversight of such powers is that law enforcement agencies need to report to the Ombudsman about how the powers are being used, so that compliance can be assessed and publicly reported. In this case full reporting did not occur to the Ombudsman for a considerable period of time.”
In January last year the AFP told the Ombudsman that it had identified 800 requests that ACT Policing made for telecommunications data from 2007 that were not in line with the proper processes.
The AFP engaged PwC to complete an internal audit of the authorisations, and the Ombudsman soon also launched an inquiry, finding that the AFP had not properly identified the scope of the issue.
“Our Office could not be satisfied that the AFP had identified the full extent of accesses to telecommunications data outside AFP-approved processes. The extent of ACT Policing’s usage could not be verified, and we consider it is possible there was non-compliance in other parts of the AFP,” the report said.
The Ombudsman also found that the PwC audit “did not address all areas we consider are fundamental to assessing an agency’s compliance when accessing telecommunications data”, meaning it missed a number of acts of legislative non-compliance.
Under federal law, ACT Policing can internally authorise a carrier to disclose telecommunications data such as the ping location, but before doing so must consider a range of issues, and make a record that the authorisation took place. This is meant to be made through the AFP’s centralised compliance team, and be reported to the Ombudsman and Home Affairs minister.
But numerous records were not provided to the Ombudsman and were not made in line with the AFP’s processes, the Ombudsman found. This means that many of the times the location ping data was accessed may have been unlawful, which could have significant consequences for people who may have been convicted because of this data.
While the AFP said the data had only been used to locate someone to arrest them, the Ombudsman said he was “unable to rule out the possibility that unlawfully obtained evidence” had been used for prosecutorial purposes.
Among the issues identified by the Ombudsman contributing to this lack of compliance were a loss of corporate knowledge, a lack of consistent processes and procedures, a lack of engagement between ACT Policing and the AFP compliance team and a “lack of appreciation of the serious nature of the intrusiveness of these powers”.
Both the AFP and ACT Policing had “several opportunities across eight years” to rectify these issues, the Ombudsman found.
The report made a number of recommendations, including for ongoing education and training, a shift in compliance culture, compliance-focused guidance and procedures, consequences for officers who demonstrate continued non-compliance with legislative requirements and better engagement with other agencies.