The Ombudsman identified a “critical need” for staff to understand the law after auditing 10 agencies’ compliance with controversial metadata retention laws that require telcos to retain information about communications for at least two years.

“These obligations ensure Australia’s law enforcement and security agencies are lawfully able to access data, subject to strict controls,” the Department of Home Affairs claims on its website.

Twenty law enforcement agencies have access to the stored metadata (though they’re not the only ones who have accessed it).

While the agencies are “lawfully able to access the data, subject to strict controls”, those controls aren’t always adhered to and it’s not always lawful when the agencies access the data.

“We identified instances at all inspections in 2018-19 where agencies had accessed telecommunications data without proper authority. As such, the disclosure of the data was unauthorised,” the Ombudsman said in a report tabled in parliament last week.

RELATED: 30k Aussies don’t know they were hacked

RELATED: Zoom call that cost $16m

The inspections covered the period from July 1 2018 until June 30 2019, during which the Ombudsman made 13 recommendations to four agencies and suggestions to others.

Recommendations are made “if an issue is sufficiently serious and/or has been previously identified and not resolved” while suggestions are given in the first instance of less serious noncompliance.

While not a single agency inspected was fully compliant, “most agencies were receptive” to the findings and recommendations, according to the report.

In the latest period, the Ombudsman inspected the Australian Criminal Intelligence Commission (ACIC), Australian Federal Police (AFP), Australian Securities and Investments Commission (ASIC), Crime and Corruption Commission Queensland (CCC), the Department of Home Affairs, New South Wales Police Force (NSWPF), Queensland Police Service (QPS), Tasmania Police, Victoria Police and WA Police.

NSWPF has made the most requests for access to data out of the inspected agencies with almost 100,000 requests for historic or prospective records, followed by Victoria Police at almost 93,000.

NSW, Victoria and Tasmania Police, and the AFP were highlighted for specific scrutiny, with the Ombudsman delivering 13 recommendations to the four agencies.

Tasmania Police drew the Ombudsman’s ire because it “did not have a well-developed compliance culture” and it was recommended the agency bring in new training and awareness programs as one of the four recommendations it received — the most of any agency.

Some of the issues included not submitting its 2017-18 annual report to the Home Affairs Minister, not keeping proper records on the destruction of data, failure to destroy data it was supposed to, and destroying other data without proper approval.

In response the police force said it was “committed to promoting a strong compliance culture” and outlined changes it expects will increase awareness and compliance among staff.

The Ombudsman said it would monitor whether those changes are effective at its next inspection, but noted its latest inspection showed “limited progress in addressing our previous inspection findings”.

In contrast, Queensland’s CCC “demonstrated a willingness to own and resolve problems” including changing its systems for data retention and putting the emphasis on authorising officers to indicate compliance rather than individual requesting officers. The CCC was not given any recommendations or suggestions.

The AFP was issued two recommendations regarding how it handles requests from foreign countries.

The report recommended Victoria Police ensures authorised officers demonstrate the required considerations when authorising access to data, reviews its approach to awareness raising and training to make sure its staff understand the legislative framework thoroughly, and “implements processes to prevent use or disclosure of unauthorised telecommunications data”.

The Ombudsman previously suggested that NSWPF require written (rather than oral) approval to conduct searches.

Since that hadn’t been implemented by the following inspection, the Ombudsman made a recommendation (adopted by NSWPF) that it “review its policies and procedures to ensure all authorisations for telecommunications data are in written or electronic form and signed by the relevant authorised officer”.

Originally published as Data retention laws: Australian police given new metadata recommendations