An audit has been called to probe requests the Australian Federal Police (AFP) made to telecommunications carriers.
The AFP said it commissioned PwC to perform the audit after "identifying compliance issues, some dating back to 2007".
The identified issues relate to record-keeping, authorisations, and reporting of requests under Section 180(2) of the Telecommunications (Interception and Access) Act 1979.
The AFP said it undertook an examination of historic documents and records to estimate the extent of the compliance issues, and self-reported to the Commonwealth Ombudsman on 24 January 2020.
In a statement, the AFP confirmed the requests were made by ACT Policing and related to the potential identification of a mobile device location during an investigation.
Location requests cover the general location of the device, such as several streets or a suburb, but do not provide metadata or private communication from the mobile device.
Location requests can only be made for investigations into serious offences or offences punishable by imprisonment for at least three years.
Offences that meet these definitions include murder, kidnapping, drug trafficking, terrorism, aggravated robbery, and firearms offences.
As a result of these "compliance issues", some requests were not reported to the Minister for Home Affairs, as they were not included in submissions by the AFP for annual reporting.
"This resulted in the AFP not discharging their reporting obligations in respect to these requests, nor presenting requests for Ombudsman inspection," a statement from the AFP said.
"The AFP has identified and taken corrective action to ensure legislative compliance, including appropriate recording, authorisation and future reporting."
"Once the issue was discovered, ACT Policing notified the Ombudsman's Office to seek advice on how to remedy this administrative oversight," it said at the time.
From the extra requests, 240 were forwarded to case officers, which landed ACT Policing in legal hot water.
"ACT Policing has sought legal advice regarding the management of two matters relating to a missing persons case and a criminal matter where the data in question may have been used in a prosecution," it said.
"The Ombudsman's Office has been kept informed throughout the examination and quarantining process. It is not appropriate to identify particular cases."
The Commonwealth Ombudsman is expected to commence an own-motion investigation into the compliance issues matter, and PwC's audit is due to be completed by June 2020.
There is content on the envelope. A Senate committee has been told that law enforcement agencies sometimes get full URLs from telcos, despite government reassurances.
The commissioner also reiterated the importance of limiting the retention period, introducing a warrant-based system, better defining terminology used in the legislation, and restricting who exactly has access to data.
The NSW Law Enforcement Conduct Commission was joined by the Australian Commission for Law Enforcement in asking for the minimum two-year period for retaining telco data be kept under the country's data retention regime.
Agencies are very happy with Australia's data retention scheme, with one using it in 90% of investigations.