The latest Snowden document, revealed by Guardian Australia today, increases concern that the Defence Signals Directorate (DSD) is operating outside its legal mandate. The minutes of a policy meeting in Britain in 2008, with their US, Canadian, UK and New Zealand counterparts, reveal DSD representatives claiming that they were entitled to share the confidential data of Australians with these partners, and were even considering disclosing them to “non-intelligence agencies” without first obtaining a warrant.

This would be a breach of sections 8 and 12 of the Intelligence Services Act 2001. Snowden’s evidence that that DSD ignored this law (or was ignorant of its correct interpretation) raises the prospect that law-abiding Australians have had their personal data wrongfully collected and transmitted to bodies which may use it to damage them.

The Intelligence Services Act sets strict limits on any DSD (now ASD) activity “likely to have a direct effect on an Australian person or produce intelligence on an Australian person”. In such cases, ministerial authorisation is required (section 8) and before giving it, the minister must be satisfied that the Australian is “a person of interest” – ie involved in terrorism or espionage or serious crime. This is a vital safeguard and any unauthorised or unnecessary surveillance of an Australian is in breach of the Act (section 12).

The Snowden leak, however, suggests that in some circumstances DSD believes it can circumvent this safeguard and even offer up the fruit of its warrantless interceptions to foreign agencies.

The meeting of the five national electronic spying representatives was called in 2008 to consider whether and how to share the remarkably intimate intelligence that can be gathered from “metadata” – the log of electronic signals sent and received by individuals. “Metadata absolutely tells you everything about somebody’s life” says the NSA’s general counsel. It told, for example, that General Petraeus was having an affair with his biographer, so he could not, in puritan America, remain head of the CIA. There are doubtless quite a few Australians whom metadata tales might dob in (think Bob Hawke and Blanche d’Alpuget) without any suggestion that they have been involved in crime. It is this prospect that makes it important to ensure that DSD operates scrupulously within the law.

The minutes of the policy convention show DSD representatives insouciant about sharing metadata on Australians – so long as it had been hoovered up “unintentionally” they were happy to store and to disclose it without obtaining a warrant. This is a misinterpretation of section 8. If it has been collected unintentionally it must be destroyed. Significantly, the Canadian eavesdroppers drew the line at sharing this “bulk metadata” precisely because of Canada’s privacy laws.

There are other disquieting details in the minutes of this spooks’ convention. The parties all agreed that as a result of electronic spying breakthroughs they appear to be now collecting “medical, legal and religious, or restricted business information, which may be regarded as an intrusion of privacy (my italics)”. But there is no “may” about it – obtaining details of personal medical history counts as an invasion of privacy under every human rights treaty, whilst theft of professionally privileged legal advice is contrary to the common law. These minutes are further evidence we are slipping into an Orwellian world where the state can scoop up any electronic communication, and in which DSD thinks it can lawfully tittle-tattle on Australians to foreign agencies and is even considering disclosure to “non-intelligence agencies” – police, professional associations, employers and perhaps even to newspapers.

Snowden’s earlier revelations, in Guardian Australia and the ABC, that DSD had in 2009 targeted the mobile phones of top Indonesians, including the president’s wife, raise the question of whether it had exceeded its powers to gather information of relevance to national security, as distinct from gossip and intimate personal data. His latest revelations are more serious, raising the question of whether DSD has, since 2008, been exceeding its powers in relation to disclosing data collected on Australian citizens who are not suspected of crime. It calls for an answer to the Quis Custodiet question: who guards the guardians?

In Australia there is a parliamentary committee on intelligence and security. But it can only review matters referred by a minister or by the houses of parliament – it cannot act on its own initiative to ensure that DSD is operating within the law. There is however an inspector general of intelligence and security, a position established by special legislation in 1986 who may of her own initiative “inquire into any matter that relates to the compliance by (DSD) with the laws of the Commonwealth … or the propriety of particular activities of the agency… or a practice of that agency that is or may be inconsistent with or contrary to any human right”.

The guardian who must now guard the DSD is the current inspector general Dr Vivienne Thom, a legal academic. So far she has remained silent on the Snowden revelations and as far as the public is aware, she has not investigated the organisation for privacy invasion or excess of power in respect of those allegations. If she hasn't, she must do so urgently and immediately, or her office will not live up to its statutory duty. The answer to the Quis Custodiet question, in Australia, will be Nemo – nobody.

• Geoffrey Robertson QC is the author of Dreaming too Loud – Reflections on a Race Apart, published this month by Random House