ASIO has been found to have broken the law in a foreign-intelligence operation early last year.

A court has heard ASIO officers collected intelligence without a warrant as part of a “multi-faceted, multi-agency” operation, mistakenly believing they did not need one.

Additionally, officers were seconded to ASIO from other agencies for the operation without legal authorisation, and failed to file the required reports.

The findings come after a 16-month investigation by the Inspector-General of Intelligence and Security (IGIS), the security agencies’ watchdog, based on ASIO’s self-reporting of its mistakes.

The breaches were found to be inadvertent, but the IGIS found that ASIO’s procedures have not kept up with legislation.

The organisation provided “little, if any” compliance training to inform its officers of the laws under which they worked.

It found “systemic weaknesses” in compliance led to “significant problems” in planning and executing the operation.

“Whilst operational staff complied with ASIO’s operational planning procedures, these procedures were inconsistent with other ASIO policies and were insufficient to ensure that ASIO acted lawfully,” the IGIS said in its recently published annual report.

Margaret Stone from the IGIS says major concerns remain about how security laws are drafted, especially in regard to ASIO’s powers to make voluntary assistance requests and compulsory assistance orders.

She found that the wording of certain legislation means people are subject to compulsory orders that they do not have to be told about. The orders can apply both before an underlying warrant was executed and after it ceased.

This means people can be subject to arbitrary arrest and detention under orders that do not have to state where subjects have to attend, the nature of assistance required, or the time frame.

People face up to five years’ jail for breaching an order they may not know exists.

Ms Stone warns that ASIO is also not required to delete information obtained under an assistance order but which is no longer required, despite the ASIO Act requiring it.

Additionally, she found the Telecommunications (Interception and Access) Act allows agencies to grant tech companies and individuals immunity from civil liability for providing access to someone else’s encrypted data.

It can do this without having to demonstrate the action was reasonable or proportionate.

Ms Stone’s report also contains claims that limits and safeguards are inconsistent and sometimes missing, and that ASIO’s operating guidelines, issued by the attorney-general, have not kept up with technology, having not been updated since 2007.

More details are accessible here.