The commonwealth ombud has slammed the mishandling of data related to location-based services (LBS), or ‘pings’, by the ACT police in a report published on Wednesday.
The internal procedures of ACT police have come under scrutiny, with the possibility that a string of authorisations to obtain LBS data over a four-year period were incomplete and therefore unlawful.
In a report published on Wednesday, commonwealth ombud Michael Manthorpe said that many LBS requests failed compliance requirements between 13 October 2015 and 2019 because they were either not properly authorised or reported.
“This means LBS could have been accessed unlawfully,” Manthorpe said.
The ombud expressed concern not only that the authorisation failures demonstrated police non-compliance with the Telecommunications (Interception and Access) Act, but also about the risk that people’s privacy may have been breached.
“Law enforcement agencies rely on a wide range of covert and intrusive tools to do their work, but to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use,” Manthorpe said.
“We have been unable to rule out the possibility that unauthorised LBS may have been used for prosecutorial purposes,” he added.
The ombud commenced his investigation into the AFP’s use of telecommunications data powers in response to an AFP disclosure to his office over the use of pings dating back to 2007. Manthorpe said he was not satisfied that the organisation had identified the scope of the breaches, leading him to query how widespread similar non-compliance conduct was in other parts of the AFP beyond the ACT police.
Manthorpe also called into question the number of chances that had been missed over the years to rectify the problem of police accessing LBS outside of approved processes.
The failure of police compliance with reporting laws was all the more concerning in light of extended powers before parliament that propose to give law enforcement agencies more ways to ‘detect and disrupt criminal activity’.
“A critical factor in effective oversight of such powers is that law enforcement agencies need to report to the ombudsman about how the powers are being used, so that compliance can be assessed and publicly reported. In this case full reporting did not occur to the ombudsman for a considerable period of time,” Manthorpe said.
The AFP has accepted all of the recommendations in the ombud’s report to prevent the same failings in future.
“My office’s investigation identified that the internal procedures at ACT Policing and a cavalier approach to exercising telecommunications data powers resulted in a culture that did not promote compliance with the TIA Act. This contributed to the non-compliance identified in this report,” Manthorpe said.