The Australian federal police did not destroy all copies of phone records it obtained unlawfully, without a warrant, for the purpose of identifying a journalist’s source, according to a new audit by the commonwealth ombudsman.



In April 2017, the AFP commissioner, Andrew Colvin, confirmed such a breach had occurred within the professional standards unit and apologised, saying the accessed metadata had been destroyed.

But the ombudsman contradicted that account, saying its inspection of the AFP’s records “identified that not all copies of records containing the unlawfully accessed data had been destroyed by the AFP”.

“In relation to the destruction of all copies of records containing the unlawfully accessed data, the AFP advised our office that it had destroyed all of the material that was provided to it as a result of the breach,” the new report said.

“However, to confirm that this had been done, we arranged to revisit the AFP with technical assistance, appreciating the complexities of the AFP’s systems. This visit prompted PRS [professional standards] to conduct further checks of its systems with technical assistance, which identified additional records.

“We confirmed that these records were subsequently destroyed”.

The ombudsman has recommended the AFP immediately review its approach to metadata awareness and training to ensure all staff involved in exercising metadata powers had a thorough understanding of the legislative framework and their responsibilities.

The audit concluded that at the time of the breach, “there was insufficient awareness surrounding journalist information warrant requirements” within the professional standards unit.

It said within that unit, “a number of officers did not appear to fully appreciate their responsibilities when exercising metadata powers”.

“In any large, decentralised agency, there will inevitably be a risk that awareness-raising does not reach every officer who is required to be in the know,” the audit said. “In recognising this risk, all law enforcement agencies that can access metadata have implemented complementary measures to mitigate legislative non-compliance.”

“Unfortunately, the complementary measures adopted by the AFP were not strong enough to prevent this breach from occurring.”

But the ombudsman said it was of the view that “the AFP as a whole” respected that journalists had a higher threshold for accessing metadata courtesy of journalist information warrant provisions, which ensured that access to metadata to identify a journalist’s source was permitted only if the public interest in doing so outweighed the public interest in maintaining the confidentiality of a journalist’s source.

The audit said the AFP took “seriously” its legislative obligations, particularly in relation to its use of covert and intrusive powers.