The Commonwealth Ombudsman has been unable to confirm whether the Australian Customs and Border Protection Service (Customs – now integrated into the Australian Border Force) met its legal obligations when exercising powers given to it under telecommunications interception and access legislation.
The Ombudsman’s first public assessment of compliance with the Telecommunications (Interception and Access) Act was released today. The Ombudsman assessed both access to so-called metadata and stored communications.
The report covers the period 1 July 2015 to 30 June 2016 and included the 20 agencies authorised by the TIA to access an individual’s telecommunications data – which includes the information covered by the government’s mandatory data retention regime.
‘Telecommunications data’ also dubbed ‘metadata’ covers information about an individual’s communications but not the ‘content’ of a particular communication – the time an SMS was sent and to whom, for example, but not what it said.
Under the current TIA regime, access to that data is available to the 20 agencies without a warrant (with the one exception of an agency seeking to access a journalist’s metadata for the purpose of identifying her or his source - which requires a ‘journalist information warrant’). Accessing the contents of a communication requires a warrant process.
Although government agencies have long had warrant-free access to metadata, it was only as part of the data retention legislation that the Ombudsman was given oversight of agencies’ use of that power.
The Ombudsman concluded that overall, agencies demonstrated a strong commitment to comply with the provisions of the data retention scheme. However, a number of common areas of risk were identified across agencies.
Those included the level of involvement and support from senior leadership, the effectiveness of internal communications to raise awareness of relevant changes and share best practices, and training given to individuals involved in exercising ‘metadata’ powers.
The Australian Federal Police earlier this year blamed “human error” after one of its officer’s illegally accessed a journalist’s telecommunications data. The breach was reported to the Ombudsman in April and so fell outside the scope of the recent report.
In relation to accessing stored communications – which unlike metadata requires a warrant - the Ombudsman said that most agencies were compliant with the TIA Act; however, some noteworthy cases of non-compliance were identified.
In particular, the Ombudsman said it was unable to “provide assurance that Customs was only dealing with lawfully accessed information”. In five instances, the Ombudsman could not determine whether telecommunications carriers had accessed stored communications during the period that the relevant warrant was in force because of poor recordkeeping practices.
“In our view, Customs does not have sufficient processes in place to demonstrate that it is only dealing with lawfully accessed stored communications,” the report states.
Fourteen preservation notices (directing a telco to preserve communications while an agency applies for a warrant to access them) were found to be non-compliant. The agency also fell short on several fronts when it came to its recordkeeping and reporting obligations.
The agency was also criticised for its level of cooperation with the Ombudsman’s inspection. In its response to the report, the agency acknowledged record-keeping shortfalls and noted that the inspection came during a significant period of upheaval as moves were underfoot to integrate it with the Department of Immigration and Border Protection.