Law enforcement agencies are deleting metadata obtained in investigations before the Commonwealth Ombudsman has the chance to inspect it because of gaps in legislation.
Laws introduced in 2015 don't include any requirements or guidelines on how long metadata information should be stored, or how it should be destroyed.
Commonwealth Ombudsman Michael Manthorpe has also told a parliamentary committee agencies have in some cases been provided with information excluded under the scheme, including URLs searched by people, but advances in technology mean it's unclear what data can legally be obtained under the legislation.
Parliament's powerful Intelligence and Security committee is reviewing controversial laws that require telecommunication companies to retain users' metadata for at least two years. The Ombudsman has outlined concerns around how the law works in practice.
Unlike in similar schemes, the laws don't lay out how long agencies should keep the information for, and how it should be destroyed. It means in some cases the Ombudsman hasn't been able to ensure the data has been used in line with the legislation, although most of the time agencies have kept the data.
"In some instances agencies have destroyed telecommunications data obtained under an authorisation by the time of our inspection," Mr Manthorpe said.
"In these instances, because the information has already been destroyed, we are unable to check whether the telecommunications data the agency received complied with the parameters set by the relevant authorisation."
The Ombudsman has powers to inspect law enforcement agencies to ensure they are using their powers in line with the law, but Mr Manthorpe said the way the legislation was written meant it could at times be difficult to make that determination, especially regarding online communication.
The legislation doesn't allow agencies to access the "content or substance" of a communication, meaning agencies can access the time and phone number of a text message, but not what the message said.
According to the Ombudsman, it isn't clear if information such as a user's IP address, the URL searched, or account numbers, are considered content or metadata. The Ombudsman said carriers needed to know what information they should hand over, and agencies needed to know what could or couldn't be used in an investigation.
In addition to his concerns about agencies deleting data before inspection, the Ombudsman said guidelines around how the data should be destroyed were needed, in line with similar requirements for other information.
"There are no provisions requiring the agency to keep records of when such information is destroyed or who authorised the destruction," Mr Manthorpe said.