The Australian Federal Police (AFP) must stop keeping sensitive operational data on network drives and urgently implement an electronic data and records management system (EDRMS) to remedy “serious deficiencies” in its recordkeeping, the Auditor-General has advised in handing down an Australian National Audit Office (ANAO) review of the force’s use of statutory powers.

The formal audit assessed the accountability and reporting practices governing the AFP’s use of the powers given to it, including the management of warrants, across 86 different Commonwealth Acts.

“It is important that the AFP has appropriate administrative frameworks to ensure that powers are exercised lawfully and in accordance with authorised procedures,” the review noted, “and that officers are adequately trained to exercise powers that are conferred upon them.”

Some 4,000 warrants were issued to the AFP under that legislation during 2019-20 – and while 97.8 per cent of them were properly documented and managed according to legal requirements, the ANAO review found, there were nonetheless “serious deficiencies in the AFP’s record keeping practices and processes.”

Internal records related to the AFP’s use of warrants issued under Section 3E of the Crimes Act – which contains a bevy of rules around timing, authority, documentation and other aspects of valid warrants – “are stored in a way whereby retrieval is unable to be achieved efficiently or with an assurance of completeness,” the Auditor-General warned.

Fully 90 per cent of the AFP’s “digital operational records” were being stored as files on network drives, the analysis found, noting that such drives “are not considered by the National Archives of Australia to be appropriate for that purpose.”

Records stored on network drives “are not secure from unauthorised access, alteration or deletion,” the audit noted, adding that “the AFP does not have the capacity to identify all digital records that it holds on any individual or entity.”

“Inconsistent” administrative processes meant AFP officers weren’t documenting mandatory reviews of s3E warrants, nor were they uploading details of warrants into the AFP’s Police Realtime Online Management Information System (PROMIS) “and are not obliged to do so”, the review found.

One in four warrants was not actually entered into PROMIS, and many of those that were entered were given “incorrect or misleading” keywords that hampered the ability to find and retrieve them.

Although the AFP generally met its Parliamentary reporting obligations around the use of certain powers, the review found, the force “does not systematically record other uses of statutory powers and does not produce internal reports on their use.”

“It is of concern to the ANAO that the AFP does not accurately record the number of s3E Crimes Act warrants it has been issued, or that it has executed.”

Overall, the ANAO concluded, “gaps in the AFP’s management of IT security” were creating unacceptable risks and “poor record keeping practices and processes are a risk to the integrity of the AFP’s operations.”

“As a matter of urgency,” ANAO recommended, “the AFP should implement an EDRMS to allow it to store records so they are secure and readily accessible.”

Recordkeeping was not even included in the initial scope of the audit, but was added because “the ANAO considers that the issues identified are sufficiently important”.

The AFP, it said, “should cease its reliance on network drives.”

Policing to a better standard

Operational transparency has always been important when it comes to administering warrants, but the increasingly diverse range of warrants available to the AFP had compounded the problem over time.

Although the audit found that the AFP “appropriately exercises” warrants under the Telecommunications (Interception and Access) Act 1979 and Surveillance Devices Act 2004 – two key data-related investigative powers – its poor recordkeeping had created procedural gaps around its s3E Crimes Act warrants.

Six out of 272 randomly audited warrants did not meet the requirements of the Crimes Act, the panel found, while 54.8 per cent “were not prepared consistently with AFP best practice”.

None of the 79 TIA Act warrants reviewed by ANAO, the report noted, “had all of the relevant documentation uploaded into PROMIS”.

That could present problems for their legal enforceability and evidentiary validity down the track – which is why a judicial review of the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 last year warned that warrants were a critical part of the proper functioning of such laws.

“There is a greater need for safeguards in the virtual world than in the physical world,” Independent National Security Legislation Monitor Dr James Renwick wrote, “for both reasons of trust and the wide and unknown impact of technology.”

The AFP’s problems with the 1990s-era PROMIS system have been well-known for years, with a 2011 review already noting the platform had become unwieldy.

A planned $145m replacement project was scrapped in 2015 and revived in 2018, while in 2019 the AFP ranked itself 156 out of 166 Australian government entities in terms of the maturity of its information management.