The Commonwealth Ombudsman has found at least one "clear breach" and three "arguable" breaches by the Australian Federal Police (AFP) of the nation's metadata laws.
Those laws, passed by both major parties in March 2015, force telecommunications carriers to store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.
Reporting into the April incident, the Ombudsman found there was "insufficient awareness" of journalist warrant requirements within the Professional Standards Unit (PRS) of the AFP; that a number of PRS officers did not "appear to fully appreciate their responsibilities when exercising metadata powers"; that the AFP relied on manual checks and corporate knowledge rather than proper processes; and that documentation was not effective in preventing the breach.
The one recommendation from the report called on the AFP to make all staff that use metadata powers undergo training to have a "thorough understanding" of the laws and their responsibilities.
"In response to this recommendation, the AFP advised that it is now finalising an online mandatory training package that all AFP authorised officers will need to undertake annually to maintain their authorised officer status," the report said. "We will monitor the AFP's implementation of this recommendation, particularly in relation to how it assures itself that all authorised officers have completed the training. We will also monitor how the recommendation is applied to all staff involved in the exercise of metadata powers, not just authorised officers."
Despite the AFP claiming in April that the illegally accessed data was deleted, the Ombudsman found not all copies of the data were destroyed, with PRS finding other copies of the data prior to a visit by the Ombudsman's office, which were subsequently destroyed.
"We suggest that AFP, when destroying information, seek assistance from its technical officers to ensure that the information is destroyed from all locations on its systems," the report said.
Overall, the Ombudsman said it was satisfied with the AFP's response.
"We found no evidence to counter the AFP's assessment that the breach was a mistake with no ill will, malice, or bad intent involved," it said.
The AFP was commended for voluntarily reporting the breach to the Ombudsman.
"Put simply, this was human error," AFP Commissioner Andrew Colvin said in April. "It should not have occurred, the AFP take this very seriously, and we take full responsibility for a breach in the Act. I also want to say there was no ill will, malice, or bad intent by the officers involved who breached the Act. Quite simply, it was a mistake that should not have happened."
Earlier this week, a report from the University of Sydney showed Australians were slightly against the idea of law-enforcement agencies being able to access contract and website history information, but when asked about the same activities in regards to fighting terrorism, a majority approved of the activities.
"Clearly, there is salience for metadata data collection and surveillance when it is framed in security and anti-terrorism terms," the report states. "Privacy is important to Australians, but can be forsaken or traded off against security fears."
An August report from the Attorney-General's Department showed Australia's data retention system is used mostly to catch those involved in illicit drug offences. This was followed in ranking by miscellaneous, homicide, robbery, fraud, theft, and abduction categories.
Terrorism offences ranked below property damage and cybercrime.