ACT Policing has admitted it unlawfully accessed citizens’ metadata a total of 3,365 times, not 116 as previously disclosed in an explosive commonwealth ombudsman’s report on Monday.

The new disclosures include a total of 240 cases that resulted in information valuable to criminal investigations and one that “may have been used in a prosecution”.

In a statement on Friday, ACT Policing revealed the 116 unlawful metadata requests detailed in the report tabled in parliament on Monday are the tip of the iceberg, with a further 3,249 requests made from 11 March to 13 October 2015 under an invalid authorisation.

The revelation comes as Western Australia’s top cop has said there have been no consequences for police who unlawfully accessed a journalist’s metadata, contradicting Peter Dutton’s suggestion they might be penalised.

In the statement ACT Policing revealed it is still seeking legal advice about how to deal with two cases where invalidly obtained metadata was used in “a missing persons case and a criminal matter where the data in question may have been used in a prosecution”.

“It is not appropriate to identify particular cases,” it said.

ACT Policing said that “steps were taken” to quarantine information from 240 telecommunications data requests which “generated information that was of value in progressing ongoing investigations and inquiries”.

The issue at ACT Policing affecting 116 cases over a fortnight in October 2015 was first disclosed to the ombudsman in that month, but it was not until 2018 that a further 3,249 cases were discovered stretching back to March of that year.

In its report the ombudsman criticised ACT Policing for failing to quarantine data when the issue was first identified “which resulted in additional use and communication of the data”.

Despite the quarantine process beginning in February 2018, the data had still not been fully quarantined by April 2018, it said.

ACT Policing said in March 2015 an “administrative oversight” occurred when the relevant ACT Policing position was “inadvertently omitted from the list” of people authorised to approve metadata searches.

“The ACT Policing position holder, who previously held the appropriate delegation, had continued issuing authorities in good faith unaware that the delegation had been omitted.”

The ACT police said it sought telecommunications data including the registered holder of a particular telephone number (mobile or fixed line) for the purpose of the enforcement of criminal law or to assist in finding a missing person.

“This information supported a range of community policing investigations from organised crime matters to assaults and property offences.

“None of the data in question was obtained in order to identify a journalist’s source.

“It is important to note that while the delegation was not in place, all authorisations and requests were managed in accordance with the relevant policies and procedures, including security, storage and disclosure.”

ACT Policing said it self-reported the requests without authorisation to the ombudsman in 2018, although the full extent of the problem is not revealed in the report which relates to the period July 2016 to June 2017.

“ACT Policing has implemented measures to maintain enduring authorisation to prevent this issue reoccurring and is committed to ensuring access to telecommunications data is conducted appropriately and transparently.

“Following the 2016-17 inspections the ombudsman’s report noted positive levels of transparency and accountability and a willingness to self-report any potential compliance issues as identified.”

The WA police commissioner, Chris Dawson, finally fronted journalists on Thursday, more than two days after the report showed his officers had obtained two invalid warrants targeting journalists.

Dawson confirmed that WA police were investigating a crime of journalism, explaining that a story published or broadcast by the journalist was “connected to the whole reasoning for the investigation” and police were “attempting to identify how the information was sought”.

“Journalists are not above the law, as much as the media may not like me saying that, and so if there’s a good reason to investigate an allegation of criminality, the police must do their job.”

Metadata retention laws, introduced in 2015, allow law enforcement agencies to access telecommunications data but journalists metadata can only be accessed with a warrant.

On Wednesday Peter Dutton, the federal home affairs minister, told Sky News “there are consequences” for breaches of safeguards, such as internal sanctions and civil penalties if police are sued.

Asked if there had been such consequences, Dawson replied: “No, the commonwealth ombudsman administratively oversights all warrants obtained under the [Telecommunications Interception and Access Act].”

Dawson explained that no penalty had been applied because he had “no information the police were trying to subvert the law”.

Rather, the invalid warrants were issued by a judge as the result of an “administrative oversight” because he and the WA police mistakenly believed he had been appointed as a public interest advocate authorised to approve journalist information warrants.

Dawson said the law does not allow him to identify the journalist affected, and conceded that he did not know if the journalist had been notified but he said the investigation “didn’t result in any court process”.

He claimed the investigation obtained “no value” from the journalist’s billing information, including who they called and the duration of calls.