28 April 2021

Surveillance

The Commonwealth Ombudsman's report Australian Federal Police’s (AFP) use and administration of telecommunications data powers 2010 to 2020 is the outcome of my Office’s own motion investigation into the Australian Federal Police’s (AFP) use and administration of telecommunications data powers under Chapter 4 of the Telecommunications (Interception and Access) Act 1979 (the TIA Act). In particular, our investigation focussed on access to and use of one type of telecommunications data—location-based services (LBS), colloquially known as ‘pings’.

My Office provides independent assurance that telecommunications data, including LBS, is only used in the circumstances permitted by the legislation and that agencies using these powers can demonstrate their compliance. We do this by inspecting a sample of records and reporting what we find each year. Our ability to provide this assurance is dependent on agencies providing full and accurate records of their use of the powers. As such, when the AFP identified records that showed ACT Policing (the AFP’s community policing arm) had accessed LBS and that those records had not previously been provided to my Office, I decided it was appropriate for my Office to conduct its own investigation. 

There were several important factors that informed my decision to commence an investigation, including:

  • the covert and intrusive nature of this power 

  • the duration and potential scale of non-compliance with the TIA Act as a result of ACT Policing accessing telecommunications data outside the AFP’s approved process 

  • the omission of the affected records from our Office’s regular compliance inspections 

  • previous recommendations our Office has made to the AFP about non-compliance with the TIA Act. 

The AFP identified records dating back to 2007 which showed ACT Policing accessed LBS outside the AFP’s approved process. This meant two things:

  • the access was not reported to the Minister for Home Affairs and the records were not provided to my Office, to be considered for inspection. 
  • the risk of non-compliance with legislative requirements under the TIA Act was higher as the access occurred outside established processes approved by the AFP.

My Office’s inspections of the AFP’s access to telecommunications data from 2015–16 occurred without full or accurate records to inform our assessment.

After identifying the records, the AFP did the right thing—they disclosed the issue to our Office and after discussion, commissioned PwC Australia (PwC) to conduct an internal audit of the affected records. 

My Office’s investigation focused on the scope and extent of any non-compliance, noting the potentially serious consequences, and the causes of any non-compliance, including culture, practices and procedures that contributed. 

This report makes findings based upon the following themes:

• We identified that many of the authorisations made by ACT Policing for access to telecommunications data between 13 October 2015 and 2019 were not properly authorised. Of the 1,713 individual accesses to LBS by ACT Policing for that period, we were only able to provide assurance that nine were fully compliant with the TIA Act. 

• Many LBS could have been accessed unlawfully which has a number of potential consequences. Firstly, if access was unlawful and the information relied on in prosecutions, there may be consequences for people convicted of an offence. While initial advice provided by the AFP to my Office was that the LBS obtained by ACT Policing was only used to locate someone to arrest them, we were unable to rule out the possibility that unlawfully obtained evidence, the LBS, may have been used for prosecutorial purposes. Secondly, the privacy of individuals may have been breached. 

• We could not be satisfied that the scope of the breaches has been fully identified by the AFP nor the potential consequences and consider it is possible breaches have occurred in parts of the AFP other than ACT Policing. 

• The AFP and ACT Policing missed a number of opportunities to identify and address that ACT Policing was accessing LBS outside the AFP’s approved process earlier. 

• The internal procedures at ACT Policing and a cavalier approach to exercising the powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report. 

In response to PwC’s report, the AFP made several changes to the way in which staff access prospective telecommunications data in an effort to improve compliance with the TIA Act. These have been useful first steps towards the AFP achieving future compliance. However, I consider the AFP needs to do more to confirm the extent of non-compliance with the legislation for this type of telecommunications data and remediate any consequences of non-compliance with the TIA Act identified in this report. 

This report includes eight recommendations to assist the AFP in addressing these issues and implementing processes to prevent recurrence of similar issues.