Metadata breach the only time journalist source records have been accessed: AFP

The Australian Federal Police bungled the only time it handled a journalist's metadata, with the feds asserting that they have never made any journalist warrant applications.

The Australian Federal Police (AFP) has said it does not seek journalist metadata relating to sources as a routine matter, and has made no applications under Australia's data-retention laws to seek such information.

The assertion was made in response to questioning during Senate Estimates from Australian Greens Senator Scott Ludlam about a breach of metadata laws the AFP revealed last month.

"Notwithstanding this breach, we have made no applications for information pertaining to a journalist's source," Deputy Commissioner Ramzi Jabbour said. "We've made no applications for warrants, we've made no applications full stop. There have been no other breaches other than this one that we identified."

The breach was discovered as part of a routine audit by senior officers to examine investigations for learnings, AFP Commissioner Andrew Colvin said.

As a result, a new process was instituted, whereby applications for metadata now need to be approved by an AFP commander, rather than a superintendent as under prior arrangements. This reduces the number of authorising officers from approximately 200 to around 40.

"This was a particularly egregious breach of operational security that put directly at risk the lives of officers and the public, and we felt we needed to try to ascertain how that breach occurred," Colvin said.

The Commonwealth Ombudsman is conducting an audit of the AFP's processes.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government and opposition parties in March 2015, came into effect in October 2015 and sees customers' call records, location information, IP addresses, billing information, and other data stored for two years by telecommunications carriers, accessible without a warrant by law-enforcement agencies.

Authorities do need a warrant to access the metadata of a journalist for the purposes of identifying a source, however.

Earlier this week, the Ombudsman released a report [PDF] into how authorised agencies are handling telecommunications data.

The Ombudsman found the AFP to be compliant, but noted a number of exceptions.

"We identified two instances where a stored communications warrant had been applied for and subsequently issued in respect of multiple persons, which is not provided for under the Act," the report said.

In response, the AFP said its warrant templates were not clear enough.

It was also noted that on six occasions, warrants were exercised by people not authorised to; in three instances, the Ombudsman could not determine whether stored communications related to the person named on a warrant; and in one instance, it could not determine who had received stored communications from a carrier.

In April last year, the AFP also admitted that it had attempted to warrantlessly access the metadata of a journalist.