Intelligence agency has never exercised powers it has to destroy data relating to people not suspected in investigations, parliamentary inquiry told

The Australian Security and Intelligence Organisation (Asio) can keep all web and phone telecommunications data it holds on Australians indefinitely, and has never exercised powers it does have to destroy some types of records of people not suspected in investigations.

The revelations have emerged in a submission by the inspector general of intelligence and security, Vivienne Thom, to a joint parliamentary inquiry into the federal government’s proposal to store Australians’ phone and web data for two years.

The plan to retain that data – which can include details of whom a person has called, emailed or communicated with over social media, where they were located and the time and date of their communications – has drawn a strong response from the public and government agencies, with almost 200 separate submissions to the inquiry.

The inspector general’s submission said that across all the sources of Asio’s powers there is not a single provision that required the organisation to erase or destroy telecommunications data it holds.

While the director general of Asio does have the power to destroy some types of telecommunications data that require warrants when it is found no longer to be required “for the performance of its functions”, this power has never been exercised.

Thom said in her submission: “I have recently been advised by Asio that the power had not been delegated and that the director-general does not currently make any decisions under these provisions. Therefore currently no records are destroyed under these provisions.”

She also noted that the attorney general’s guidelines to Asio state that: “Where an inquiry or investigation concludes that a subject’s activities are not, or are no longer, relevant to security, the records of that inquiry or investigation shall be destroyed under schedules agreed to between Asio and the National Archives of Australia.”

The inspector general asked the committee to consider whether changes should be made to guidelines that govern provisions around the destruction of data that is not relevant to inquiries.

Thom added that errors had occurred with the handling of Australians’ phone and web data, but they usually arose from telecommunications companies providing the wrong information to Asio. But she also said that Asio had demonstrated a “consistently high level of compliance” with how it dealt with authorisations for access to metadata.

The revelations in the inspector-general’s submission come after the privacy commissioner, Timothy Pilgrim, warned separately that the government’s data retention scheme risked seeing major privacy breaches of Australians’ personal information if the proposal was passed in its current form, and called for a mandatory data breach notification scheme.

“The proposed data retention scheme increases the risk and possible consequences of a data breach. This is because the challenge of effectively securing that information from misuse, interference and loss, and from unauthorised access, modification or disclosure will become more difficult as technology evolves,” Pilgrim said in his submission.

He also questioned whether a two-year retention period was a necessary and proportionate intrusion into Australians’ personal privacy, and urged the committee to request further evidence that would support the government’s claim for that minimum retention period.

So far, Australia’s police agencies have struggled to provide detailed information about the usefulness of a data retention scheme, with most unable to say how many times phone and web data has been used to prevent serious crimes or terrorist attacks, or how many convictions resulted from requests.

Pilgrim reiterated concerns from other organisations about two key questions about the scheme that will be addressed in regulations created by the attorney general rather than the bill itself. At this stage the actual set of data to be retained by telecommunications companies - and the range of agencies that will have access to metadata - will be determined in regulations after the bill has passed.

He recommended that both issues be addressed in the Act itself or in subsequent amendments, rather than left up to regulations, which are generally subject to less scrutiny and can only be invalidated by a vote from a majority of the Senate.

News outlets from across Australia have also expressed serious concerns about the potential chilling effect the bill will have and the risks posed to journalists’ sources.

Guardian Australia, Private Media and the Media Entertainment and Arts Alliance all lodged separate submissions calling for substantial amendments to the bill.

In a joint submission AAP, the ABC, News Corp Australia, SBS and Fairfax Media all called for enhanced oversight of access to telecommunications data by government agencies.

Two days of parliamentary hearings are scheduled on Thursday and Friday into the mandatory data retention bill.