The Commonwealth Ombudsman has exposed a cavalier approach towards data powers at the Australian Federal Police, fuelling a culture that promotes non-compliance with the law.
Ombudsman Michael Manthorpe has released an explosive report, finding thousands of requests for "location-based services" data were not properly authorised or reported.
Location requests can only be made for an investigation into serious offences or offences punishable by at least three years in jail such as murder, kidnapping, drug trafficking, terrorism, aggravated robbery and firearm offences.
The requests provide a general area such as several streets, or a broad vicinity such as a suburb, not metadata or private communication on a mobile device.
Between 2015 and 2019, the ACT Policing Arm of the AFP have potentially been unlawfully accessing tower ping data.
This information could have been used to prosecute people.
"This could have a number of potential consequences," Mr Manthorpe said on Wednesday.
"For example, the privacy of individuals may have been breached and we have been unable to rule out the possibility that unauthorised LBS may have been used for prosecutorial purposes."
The ombudsman reviewed 1713 occasions ACT Police accessed tower ping data between 2015 and 2019.
It found only nine occasions their access was fully compliant with the Telecommunications Interception and Access Act.
Mr Manthorpe is concerned the breaches could have occurred in parts of the AFP beyond its local ACT Policing arm.
"Law enforcement agencies rely on a wide range of covert and intrusive tools to do their work," he said.
"But to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use."
Federal parliament is considering legislation to further extend police powers to detect and disrupt criminals.
"A critical factor in effective oversight of such powers is that law enforcement agencies need to report to the ombudsman about how the powers are being used, so that compliance can be assessed and publicly reported," Mr Manthorpe said.
"In this case full reporting did not occur to the ombudsman for a considerable period of time."
The AFP has accepted all of the ombudsman's recommendations for improvements.
"As police officers we have access to special powers for investigative purposes to ensure the safety of the entire community," Chief Police Officer for the ACT Neil Gaughan said in a statement.
"We take this responsibility seriously, and accept and apologise for our past non-compliance outlined in the ombudsman's report.
"I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily."
He said all location requests on mobile devices are now centralised through the AFP Covert Analysis and Assurance business area.
As well, policies have been updated and training provided to all employees who use the laws.