The Commonwealth Ombudsman's Report to the Minister for Home Affairs on agencies' compliance with the Surveillance Devices Act 2004, for the period 1 July to 31 December 2020 appeared this week, with three of the four law enforcement agencies inspected having issues with destroying data.
The report [PDF] looked at the Australian Federal Police (AFP), the South Australian Police, the Australian Criminal Intelligence Commission (ACIC), and the Australian Commission for Law Enforcement Integrity (ACLEI). Only the ACLEI law enforcement watchdog passed with flying colours.
For ACIC, the Ombudsman found three instances where protected information was not destroyed as soon as practicable. It added for each time this occurred, there was a "significant delay" between the authorisation and destruction of data.
"We identified one instance where protection information was not destroyed within five years," the report said.
"The ACIC disclosed seven additional instances it did not destroy protected information within five years."
The report also found issues with records kept to detail actions taken under warrant or tracking device authorisations to show agencies are acting lawfully.
"The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed," the report said.
"As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant."
See also: ACIC believes there's no legitimate reason to use an encrypted communication platform
For the AFP, the Ombudsman found four instances where it did not destroy information after authorisation for more than a month, and one instance where it took over five months.
"Further, the AFP did not destroy protected information or certify it for retention within five years," the report states.
"In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.
"In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period."
The inspection found instances where AFP reported destroying data, but the Ombudsman found the warrant was not executed, or information was not gained from it. The AFP also had issues with its action sheets.
The report found the AFP was still conducting surveillance in foreign jurisdictions without lawful approval.
"While the AFP disclosed this instance of non-compliance, it did not quarantine the associated data until prompted to do so during our inspection," the report said.
"We suggested the AFP quarantine any unlawfully obtained data as soon as it identifies it."
"We identified that, while the surveillance device was first used extraterritorially on 17 December 2019, the AFP did not send written correspondence to the Attorney-General until 19 May 2020."
The report said only after the Ombudsman inspection, did it quarantine the data it retrieved.
The AFP also disclosed two instances where data was collected outside of a warrant. It also disclosed two instances where it failed to inform its overseeing minister of a warrant or authorisation ceasing, with the Ombudsman later finding another two instances.
With the South Australian Police, the Ombudsman found there was no process to destroy records.
"SA Police informed us it does not have staff delegated to perform the functions of the chief officer under s 46(1)(b) of the Act," the report said.
"SA Police advised it requested internal legal advice about its delegations more than 12 months prior to our inspection and had been told not to proceed with any destructions until that advice was given."
The SA force said it was gaining the relevant delegation and would start destruction as soon as the instrument was ratified.