The Australian Federal Police (AFP) is under scrutiny after the Commonwealth Ombudsman found ACT Policing – which is part of the AFP – accessed location data without proper authorisation on at least 135 occasions.

An Ombudsman’s report released on Wednesday shows ACT Policing was severely non-compliant with legislation when it accessed location-based services (LBS) between late 2015 and the start of 2020.

Commonwealth Ombudsman Michael Manthorpe said in a statement that ACT Policing had “a cavalier approach” to accessing metadata which contributed to its lack of legislative compliance.

“This means LBS could have been accessed unlawfully,” Manthorpe said in a statement.

“This could have a number of potential consequences, for example, the privacy of individuals may have been breached and we have been unable to rule out the possibility that unauthorised LBS may have been used for prosecutorial purposes.

“Law enforcement agencies rely on a wide range of covert and intrusive tools to do their work, but to maintain public trust these tools need to be properly deployed, in accordance with the legislation which governs their use.”

In his report, the Ombudsman found each of the 135 instances where ACT Policing accessed ongoing location data were not compliant with legislation.

The Ombudsman also found 90 instances where authorisation to access LBS happened after access had already occurred and a further 15 instances where ACT Policing accessed the location data despite an authorisation not being signed.

In total, the investigation uncovered just over 1,700 instances where ACT Policing accessed location data and was unable to determine compliance for 1,600 of them.

ACT Chief Police Officer Neil Gaughan said in a statement on Wednesday ACT Policing has already “implemented a number of measures” to stop the unauthorised use of location data from happening in the future.

“As police officers we have access to special powers for investigative purposes to ensure the safety of the entire community,” he said.

“We take this responsibility seriously, and accept and apologise for our past non-compliance outlined in the Ombudsman’s report.

“I want the community to be assured that we have changed our approach to requesting and approving access to mobile device locations, which my officers are implementing daily.”

In its report, the Ombudsman recommends for the AFP to seek legal advice about implications of its findings, especially when location data was used for “evidential or prosecutorial purposes”.

President of the Law Council of Australia, Dr Jacoba Brasch QC, said she found the report’s findings “deeply troubling”.

“The individual breaches identified by the Ombudsman, and their causes, are deeply troubling in isolation and appear to identify systemic failings in the exercise of a highly intrusive power and comes at a time with the government is moving to extend the powers of law enforcement and security agencies,” she said.

Legislation currently before the parliament would give the AFP and the Australian Criminal Intelligence Commission (ACIC) the ability to modify, copy, or delete data to disrupt online criminal offences.