In February the federal government tabled the Commonwealth Ombudsman’s report on agency access to stored communications and telecommunications data for the 2018-19 financial year. While the Ombudsman noted that most agencies were improving, all agencies were found to have breached the law in some way.
Ironically the agencies subject to inspection are the actual law enforcement bodies at federal and state levels. The agencies looked at were Australian Criminal Intelligence Commission, Australian Federal Police (AFP), Crime and Corruption Commission Queensland, Department of Home Affairs, Independent Commissioner Against Corruption for South Australia, New South Wales Police, Queensland Police, Tasmania Police, Victoria Police, and Western Australia Police.
“We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority. As such, the disclosure of the data was unauthorised,” the report [PDF] said in the section dedicated to telco data inspections.
Issues with authorisations ranged from ‘administrative error’, such as in incorrect number or time period on a notice, to authorisation being made by those without authority to do so, failing to send written notices as required by law, and relying on oral notices.
“At all agencies, we identified instances where carriers had provided data that was not authorised because it was outside the parameters of the authorisation. This included instances where the carrier provided data that exceeded the time period authorised, or provided a different type of data than was authorised,” the report said.
The Ombudsman said although ‘many agencies’ could identify and quarantine unauthorised data, at around half of the agencies, the inspections found further instances of unauthorised data.
Called out for an elevated level of criticism was Tasmania Police, which the Ombudsman said did not have a “well-developed compliance culture.”
“This was indicated by a large number of issues across several of its processes, including limited progress in addressing our previous inspection findings and significant variances in the level of awareness of requirements under the Act,” the report said.
“We considered that the required improvements could not be implemented without fundamental changes to the way Tasmania Police approaches compliance.”
In the telco data section, Tasmania Police received two recommendation and 10 suggestions, with failures in gaining consent to access data, a lack of record keeping on when communications data is destroyed, failing to destroy data when required, and data being destroyed without proper approval. More of the report’s findings on Tasmania is reproduced below.
“At both the 2017-18 and 2018-19 inspections, we identified that all stored communications a particular carrier provided to Tasmania Police were received by a staff member who was not authorised to receive them,” the report stated.
The inspections also found Tasmania Police had an “ineligible issuing authority” around stored communication warrants.
“We were not satisfied that Tasmania Police had taken appropriate remedial action to manage the unlawfully accessed stored communications or that there was sufficient awareness within Tasmania Police of the existence of these invalid warrants,” the Ombudsman said.
Further, the inspections showed Tasmania Police failed to provide its annual report for 2017-18 to the Minister for Home Affairs, as required.
Meanwhile The AFP were dealt three recommendations and 33 suggestions as the agency continued to issue successive foreign preservation notices, failed to gain consent of victims in one instance, failed to destroy data, and directed telcos to perform actions that were not required or did not have legal authority to perform.
The report said there were several instances where it could not be confirmed whether authorised officers had made “required considerations” prior to authorisation due to a lack of documentation. It also passed on multiple requests from foreign law enforcement without checking whether the request was permitted in Australia.
“We also identified that the AFP had made two foreign prospective authorisations (one of which had been extended) in the absence of the Attorney-General having made an authorisation … despite this being required before a foreign prospective authorisation can be made,” the report said.
“In our 2019-20 inspection, we found that the AFP was not able to account for the use and disclosure of the information it obtained under one of these authorisations and suggested that it do so.”
The AFP also received a number of stored communications warrants from a member of the Administrative Appeals Tribunal (AAT) that was not authorised to do so. This was a common issue amongst the agencies inspected, as were the issues of warrant templates not being in a prescribed form, and having incorrect wording in affidavits.
During the period covered by the report, NSW Police led the way with over 98,000 uses of its powers for historic records, followed by Victoria Police with 82,700, Queensland Police used the powers almost 25,300 times, the AFP used its powers for historic records 19,550 times.
For prospective records, Victoria Police used its powers almost 9,700 times, the AFP was next with 3,700 uses, followed by Queensland Police on 3,430.
Of those records, the Commonwealth Ombudsman only needed to look at 155 records from the AFP, 125 from Victoria Police, and 92 from Tasmania Police to find issues on which to base its report.
From the report:
Tasmania Police
We inspected Tasmania Police from 22 to 26 October 2018. We made two recommendations about its overall approach to compliance (as discussed in Part B of this report), and made two recommendations, 10 suggestions and one better practice suggestion specifically about its access to stored communications. We sent Tasmania Police our final report on 16 July 2020.
Progress since previous inspection
During our 2018–19 inspection, we identified that Tasmania Police had not taken sufficient remedial action to address findings from our 2017–18 inspection. This led us to identify broader issues relating to Tasmania Police’s awareness of the requirements under Chapter 3 of the Act, and the mechanisms and processes it has in place to support compliance.
Significant findings
Insufficient remedial action taken for previous inspection findings
We identified instances where Tasmania Police had not taken sufficient remedial action in response to suggestions we made following our 2017–18 inspection. For example, at our 2017–18 inspection we identified instances of stored communications warrants Tasmania Police had issued in relation to victims of serious contraventions in circumstances where the victim did not consent or was not provided with the opportunity to consent. Although the relevant investigations appeared not to have been progressed, we were not satisfied that Tasmania Police had fully acted on our previous suggestions and we made further suggestions to Tasmania Police regarding this issue. Tasmania Police advised us about action it has taken in response to our suggestions, including updating its standard operating procedures.
We identified two instances at our 2017–18 inspection where a carrier provided Tasmania Police with stored communications that did not comply with the warrant conditions. During our 2018–19 inspection, we found that Tasmania Police had not taken any action to manage the information it received from the carrier under these two warrants. Due to the risks posed by these issues, in our 2018–19 inspection report we recommended to Tasmania Police that it establish clear and effective procedures for accessing and disseminating stored communications accessed under warrants subject to conditions or restrictions, including assessing whether the stored communications information provided by a carrier is consistent with the authority of the warrant. Tasmania Police advised us it made changes in line with our recommendation, but we remain of the view that further procedural guidance is required.
Destruction of stored communications information
We identified issues affecting Tasmania Police’s destruction processes, including:
a lack of contemporaneous records to indicate when stored communications were destroyed, to demonstrate that destruction took place forthwith in accordance with s 150(1) of the Act
instances where, at the time of the inspection, stored communications information certified for destruction was not destroyed
stored communications information which was not certified for destruction by the chief officer until approximately one year after it was identified as no longer being required
instances where stored communications were destroyed without chief officer approval. (We identified this issue previously in our 2017–18 inspection and identified it again during this inspection period. However, these instances were all dated prior to our 2017–18 inspection and were present in this sample due to the retrospective nature of our inspections.)
We suggested that, in order to remediate the inconsistencies in its destruction practices, Tasmania Police should establish clear guidelines for its staff on destruction processes. This should assist Tasmania Police in ensuring that destructions are conducted in a timely and consistent manner in accordance with s 150 of the Act.
Tasmania Police told us it amended its destruction processes and updated its standard operating procedures.
Non-compliant processes for receiving stored communications
At both the 2017–18 and 2018–19 inspections, we identified that all stored communications a particular carrier provided to Tasmania Police were received by a staff member who was not authorised to receive them under s 135(2) of the Act. This meant that a key part of the stored communications process was performed by a staff member who had no training or guidance on the requirements of Chapter 3 of the Act. This, in turn, presented risks to Tasmania Police’s management of stored communications and its ability to account for using and communicating this information.
We recommended that Tasmania Police establish a mechanism to ensure that it appropriately and accountably receives stored communications in accordance with s 135(1) and (2) of the Act. In response to our recommendation, Tasmania Police told us it has since ceased this practice and now all stored communications are sent directly to an area where all staff are covered by the s 135(2) authorisation.
Management of unlawfully accessed stored communications
We identified instances where an ineligible issuing authority invalidly issued stored communications warrants. We were not satisfied that Tasmania Police had taken appropriate remedial action to manage the unlawfully accessed stored communications or that there was sufficient awareness within Tasmania Police of the existence of these invalid warrants.
To ensure that Tasmania Police can identify when unlawfully accessed stored communications are received and manage such information appropriately, we suggested it establish clear protocols to confirm that stored communications returned by the carrier comply with the warrant. Tasmania Police has advised they would update its standard operating procedures.
Annual reporting to the Minister
We identified that, at the time of our inspection, Tasmania Police had not provided its annual report to the Minister for the 2017–18 period, contrary to s 159 of the Act. We suggested Tasmania Police provide its 2017–18 annual report to the Minister and update its standard operating procedures to ensure staff are aware of the reporting obligations under the Act. Tasmania Police advised our Office that it would include reporting obligations in its procedures.
