‘Serious’ issues with police access to telco data on the rise

“Serious compliance issues” with law enforcement access to metadata and content under Australia’s telecommunications interception laws have climbed for the third straight year, the Commonwealth Ombudsman has found.

The 2020-21 report, covering use of the powers between July 2019 to June 2020, made 29 recommendations across six agencies, up from 21 recommendations in 2018-19, 13 recommendations in 2017-18 and one recommendation in 2016-17.

Tech workers

Recommendations, unlike suggestions or “better practices suggestions”, are deemed a “serious compliance issue or an issue on which an agency has not made sufficient progress in implementation”.

“Generally, we saw an increase in the number of compliance-related findings compared to previous inspections,” the Ombudsman said, adding that this was partly down to its “increased emphasis on inspecting agencies’ policies, procedures, and controls”

“However, there were also instances where we were not satisfied with the remedial action agencies took in response to previous compliance findings, including implementing previous recommendations and suggestions made by our Office.”

The Ombudsman noted that it observed “several practices indicating a maturing compliance culture”, including self-reporting of non-compliance by agencies and “timely remedial” action when issues have been identified.

Most of the serious compliance issues identified in 2019-20 relate to telecommunication data access, with 23 recommendations made across six agencies, compared with just six recommendations for stored communications.

Under the Telecommunications (Interception and Access) Act, “telecommunications data” can include subscriber information and the date, time and duration of calls (metadata), whereas “stored communications” is SMS messages, emails, voicemails and other content.

Only an external issuing authority like a judge or member of the Administrative Appeals Tribunal is permitted to issue a warrant to access stored communications, while agencies themselves can authorise telecommunications data access.

Of the telecommunication data recommendations made, NSW Police received nine. It was followed by Tasmania Police with six; South Australia Police with five; the Australian Federal Police with four; the Department of Home Affairs, Victoria Police and Northern Territory Police with three; and Queensland Police Service with two.

One of the key issues identified – which forms the basis of nine recommendations – was whether authorised officers had “sufficient information” necessary to consider making an authorisation, with clear records not always available.

The Ombudsman called out the AFP and Victoria Police in this instance, noting that the “examples are illustrative of findings or risks that are relevant to all agencies that exercise powers” under the Act.

It has recommended “increasing the awareness among requesting and authorised officers of the privacy and record keeping requirements of the Act” and that agencies implement measure to ensure officers “consistently document any information” relevant to the authorisation.

Another 13 recommendations related to ensuring officers involve in telecommunication data requests were provided with adequate training, including ongoing training, and other guidance materials.

For stored communications access, the report shows three of the six recommendations relate to Victoria Police, with the remaining three recommendations pertaining to the AFP and Tasmania Police.

Issues identified related to agencies securing warrants from an ineligible authority, failing to demonstrated that preservation notices were properly given and other data vetting and quarantining concerns.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories