The home affairs minister Peter Dutton has claimed “there are consequences” for unlawful metadata searches but conceded he doesn’t know if any action has been taken after revelations of widespread breaches by law enforcement agencies.

On Wednesday the ACT’s chief police officer, Ray Johnson, brushed off the fact his officers accessed metadata at least 116 times without proper authorisation in 2015, labelling it an “administrative oversight”.

The revelations were contained in a commonwealth ombudsman’s report which also found Western Australian police twice obtained invalid warrants targeting journalists’ data and the department of immigration received data outside the authority’s parameters in 42 cases.

Labor’s home affairs spokeswoman Kristina Keneally said the report shows metadata powers “have been abused to allow illegal searches and to target journalists”.

Asked if the report is proof safeguards in the 2015 metadata laws are not working, Dutton said: “No, it’s not, there are many cases now where Asio and the AFP have relied on those laws particularly in relation to serious matters including counter-terrorism matters to keep Australians safe.

“There are mechanisms in place, safe checks and they should be adhered to and if not there are consequences for that,” he told Sky News.

“So, [we] take the protections very seriously but in the end, the vast majority of cases – 99% of the use of these laws – will be appropriate, and they’ll be used in a way that will result in protecting Australians, that’s the reality.”

Dutton told reporters in Canberra that the potential consequences include sanctions in state police acts and “the prospect of a civil penalty if somebody decided to take an action, if they believe there has been a breach”.

“In certain circumstances, not commenting on this particular circumstance, but there can be examples where people step outside the law where they’re supposed to be in the process of executing their duty and it might give rise to criminal offences.”

But Dutton conceded he did not know if any sanctions had been applied, referring further questions to the WA Police and ACT Policing, which works under contract with the AFP according to ACT law set by the “local council government here”.

The ombudsman report revealed the ACT Policing breach occurred because its commissioner failed to authorise any officers within to access metadata due to an “administrative oversight”.

The AFP assistant commissioner Ray Johnson told ABC Radio the error was reported as soon as it was discovered and an authorised officer has since been appointed.

“The member who was doing the authorisations continued doing so in good faith, on the basis of operational need ... until the problem was discovered and it was reported to the ombudsman,” he said.

“I’m confident that the processes are now in place to make sure that under that legislation we comply.”

Tim Singleton Norton, the chairman of Digital Rights Watch, said the report “has revealed the true extent of metadata requests across the country and the complete lack of due process being implemented by law enforcement agencies”.

“A huge number of requests for access to metadata were completely unauthorised and unwarranted – and the public have a right to be concerned about this.”

Alice Drury, lawyer at the Human Rights Law Centre, said the metadata laws “need urgent reform to ensure metadata can never be accessed by police to trace down whistleblowers and journalists acting in the public interest”.

“Metadata retention laws were sold as a way to investigate serious crimes,” she told Guardian Australia. “In reality, they have created a honeypot of data that can be accessed by government agencies to trace litterbugs or – most worrying of all – journalists who have reported stories that embarrass the government.

“The AFP accessed journalists’ data nearly 60 times last financial year, and now we hear valid warrants were not issued in all cases.”

Despite the revelations, the ombudsman concluded after its 2016-17 inspections “that agencies were generally exercising their powers to access stored communications and telecommunications data appropriately”.