The Commonwealth Ombudsman has found at least one "clear breach" and three "arguable" breaches by the Australian Federal Police (AFP) of the nation's metadata laws.
Those laws, passed by both major parties in March 2015, force telecommunications carriers to store customer call records, location information, IP addresses, billing information, and other data for two years, accessible without a warrant by law-enforcement agencies.
The one exception to the national surveillance scheme is that law-enforcement agencies must obtain a warrant for access to journalists' metadata when attempting to identify a source.
In April, the AFP confessed that it was not able to respect that one caveat in the metadata scheme when it admitted it had accessed a journalist's call records "mistakenly".
Reporting on the April incident, the Ombudsman found there was "insufficient awareness" of journalist warrant requirements within the Professional Standards Unit (PRS) of the AFP; that a number of PRS officers did not "appear to fully appreciate their responsibilities when exercising metadata powers"; that the AFP relied on manual checks and corporate knowledge rather than proper processes; and that documentation was not effective in preventing the breach.
The one recommendation from the report called on the AFP to make all staff who use metadata powers undergo training so that they have a "thorough understanding" of the laws and their responsibilities.
"In response to this recommendation, the AFP advised that it is now finalising an online mandatory training package that all AFP authorised officers will need to undertake annually to maintain their authorised officer status," the report said. "We will monitor the AFP's implementation of this recommendation, particularly in relation to how it assures itself that all authorised officers have completed the training. We will also monitor how the recommendation is applied to all staff involved in the exercise of metadata powers, not just authorised officers."
Although the AFP claimed in April that the illegally accessed data had been deleted, the Ombudsman found that not all copies of the data had been destroyed: PRS found other copies prior to a visit by the Ombudsman's office, and those copies were subsequently destroyed.
"We suggest that AFP, when destroying information, seek assistance from its technical officers to ensure that the information is destroyed from all locations on its systems," the report said.
Overall, the Ombudsman said it was satisfied with the AFP's response.
"We found no evidence to counter the AFP's assessment that the breach was a mistake with no ill will, malice, or bad intent involved," it said.
The AFP was commended for voluntarily reporting the breach to the Ombudsman.
"Put simply, this was human error," AFP Commissioner Andrew Colvin said in April. "It should not have occurred, the AFP take this very seriously, and we take full responsibility for a breach in the Act. I also want to say there was no ill will, malice, or bad intent by the officers involved who breached the Act. Quite simply, it was a mistake that should not have happened."
Earlier this week, a report from the University of Sydney showed Australians were slightly against the idea of law-enforcement agencies being able to access contract and website history information, but when asked about the same activities in regard to fighting terrorism, a majority approved of them.
"Clearly, there is salience for metadata data collection and surveillance when it is framed in security and anti-terrorism terms," the report states. "Privacy is important to Australians, but can be forsaken or traded off against security fears."
An August report from the Attorney-General's Department showed Australia's data retention system is used mostly to catch those involved in illicit drug offences. This was followed in ranking by miscellaneous, homicide, robbery, fraud, theft, and abduction categories.
Terrorism offences ranked below property damage and cybercrime.