Australian Law Enforcement Agencies Are Awful At Destroying Sensitive Data, A Government Watchdog Says

The Commonwealth Ombudsman’s Report to the Minister for Home Affairs on agencies’ compliance with the Surveillance Devices Act 2004 has found that Australian law enforcement agencies aren’t great at destroying data appropriately.

The report – released this week – examined four law enforcement agencies during the period between 1 July and 31 December 2020 to ensure said organisations were following the guidelines set out in the Surveillance Devices Act.

“The Act imposes requirements on agencies to securely store and destroy protected information they obtain by using surveillance devices or through computer access activities. The Act restricts the way agencies may use, communicate or publish such information and requires them to provide reports about these covert activities,” the report states.

As part of the investigation, the Australian Commission for Law Enforcement Integrity (ACLEI), the Australian Criminal Intelligence Commission (ACIC), South Australia Police (SAPOL) and the Australian Federal Police (AFP) were examined. The Victoria Police were also meant to be included, but that investigation was delayed until May 2021 as a result of the COVID situation in the state.

Australian Commission for Law Enforcement Integrity (ACLEI)

ACLEI is the only agency that passed the report with flying colours, with the ombudsman asserting it “did not make any significant findings during the reporting period.”

Australian Criminal Intelligence Commission (ACIC)

Instances in which ACIC did not destroy protected information as soon as possible were found during the investigation, with the Ombudsman stressing that there was a “significant delay” between when destruction was authorised and when it actually happened.

“We identified one instance where protection information was not destroyed within five years,” the report said.

“The ACIC disclosed seven additional instances it did not destroy protected information within five years.”

The ombudsman found one particular instance in which information wasn’t adequately destroyed within the five-year period outlined in the Act, which prompted ACIC to disclose a further seven instances in which this occurred.

Additionally, the report outlined issues with the agency’s record keeping, which is used to ensure they’re acting within the parameters of the law.

“The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed,” the report said.

“As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant.”

Basically, the lack of adequate record keeping means the ombudsman couldn’t actually verify that the computers ACIC accessed were the ones it was authorised to access, which is obviously a huge concern.

SA Police (SAPOL)

While SA Police didn’t pass the report with flying colours, the only issue flagged by the ombudsman relates to the process – or lack thereof – for destroying records.

According to the report, SA Police was unable to confirm a specific date on which it had most recently assessed whether information obtained by surveillance devices was permitted under the Act.

“During this inspection we identified that SA Police does not have destruction procedures to assess whether records are required for a purpose permitted under the Act or should be destroyed in accordance with s 46(1)(b) of the Act,” the report said.

While SA Police confirmed it doesn’t have delegated staff for the destruction of records, the ombudsman was able to confirm that it doesn’t currently have any protected information on file that is more than five years old.

Australian Federal Police (AFP)

However, the most damning information in the report relates to the Australian Federal Police.

Four instances in which the AFP didn’t destroy information within a reasonable time period were found. In one extreme case, sensitive documents weren’t destroyed for over five months after the authorisation was signed.

“Further, the AFP did not destroy protected information or certify it for retention within five years,” the report states.

“In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.

“In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period.”

Like ACIC, the AFP also had issues with record keeping.

“During this reporting period, there were several instances where we could not ascertain whether the AFP was satisfied that the use of a surveillance device under the warrant was required, or whether the warrant should have been revoked in line with the mandatory revocation requirements under s 20(2) of the Act,” the report states.

“In these instances, the period between the last action the AFP took under the warrant and the warrant expiring ranged from three weeks to six months.”

In even more concerning findings, the report pointed out that the AFP was still conducting foreign surveillance without lawful approval as recently as last year.

“During this inspection, the AFP again disclosed two periods during which it conducted surveillance activities in a foreign country prior to receiving approval from an appropriate consenting official of that country.”

As part of the investigation, the AFP admitted to two separate instances in which data was collected without a warrant.

To put it simply, three out of the four agencies that were investigated as part of the report weren’t fully complying with what is required under the Surveillance Devices Act. Yikes.