In the same year the government forced telecommunications companies to store Australians’ data for two years, a record number of agencies accessed the data already available.

The Attorney-General’s Department’s annual report, which lists the number of authorisations granted to allow agencies to access data — such as call records, assigned IP addresses, location information and billing information — was released today. Curiously, it is much earlier than the previous year’s report, which was only tabled in June this year. The department claimed that report wasn’t delayed, but it just happened to coincide with the controversial debate over mandatory data retention legislation, which passed earlier this year.

According to the 2014-15 report, there were 371,831 warrantless authorisations granted to state, federal, and local government agencies for access to stored data between July 1, 2014, and June 30, 2015. The data was handed over for the investigation of crimes or for the protection of public revenue. The figure was up from 345,056 in the previous financial year.

A total of 83 agencies accessed data in the last financial year, compared to 77 agencies the year before. Aside from the usual law enforcement agencies including the AFP, the New South Wales Police, Victoria Police, and others, Bankstown City Council accessed data 13 times, Knox City Council accessed data 15 times, Racing New South Wales accessed data 33 times, and the Taxi Services Commission accessed data five times.

In theory, councils and similar agencies will no longer be able to access Australians’ data after the implementation of the mandatory data retention legislation in October. It limited the number of agencies that could access stored data to 22, but it is clear that a number of agencies have already written to Attorney-General George Brandis asking to be added back to the list. A freedom of information request to the department has identified that up to 45 agencies across the Commonwealth, and all states and territories bar the Northern Territory, have asked to be added back to the list.

It comes this week as the Joint Parliamentary Committee on Human Rights has suggested the so-called “journalist information warrant” scheme created to protect journalists’ sources could be a breach of Australia’s human rights obligations.

Before the legislation passed, agencies were able to — and did — access journalists’ metadata for the purpose of investigating leaks. The Department of Immigration and Border Protection was one of the main users of this power to hunt down sources reporting details from immigration detention.

Under the last-minute changes put through by Labor, agencies must obtain a warrant if they are accessing a journalist’s metadata for the purpose of identifying a leak. The warrant process is expected to be conducted entirely in secret, with a “public interest advocate” (PIA) appointed by the prime minister arguing on behalf of the journalist without the journalist or his or her sources ever knowing that their metadata was being sought (Malcolm Turnbull has yet to appoint a public interest advocate). It was also revealed the telcos that are ordered to hand over a journalist’s data to law enforcement agencies for the purpose of investigating a leak have no way of knowing whether a warrant has been obtained in advance by that agency.

In the committee’s report tabled in Parliament this week, it stated the legislation could limit the right to effective remedy, right to a fair hearing, right to privacy and right to freedom of expression for journalists and their sources. The report said:

“The PIA scheme is established in such a way that the PIA cannot seek instruction from any person who may be affected by a warrant in any circumstance, including where it would have no impact on an ongoing investigation.”

The committee also stated that the PIA might not be able to mount an effective opposition to the warrant because all the PIA had to be given was a “summary” of the information provided to the minister or the agency seeking the warrant in relation to the warrant request.

Angela Daly, a postdoctoral research fellow at Swinburne University who has examined privacy, data protection and intellectual property laws here, in the United States, and in the European Union, told Crikey the entire scheme was a breach of the human right to privacy as guaranteed by the International Covenant on Civil and Political Rights.

“As s bulk, warrantless indiscriminate data-gathering scheme affecting the entire population, it is hugely disproportionate to the aims of ensuring national security and fighting serious crime. Furthermore, evidence from overseas actually shows these schemes are ineffective in practice in achieving these objectives,” she said.

Additionally, she said journalists’ sources were not protected by the warrant scheme, because through a reverse search it is easily possible to figure out who has been talking to a journalist without ever getting a warrant.

For example, if the Department of Immigration and Border Protection were looking to find who had leaked to a journalist about immigration detention, the department could get the metadata for staff working in that area and look for who had called or emailed the journalist, if that journalist hadn’t taken steps to hide their communications from the mandatory data retention scheme.

The committee previously looked at the data retention legislation as a whole, and determined people whose metadata has been accessed should have the right to review. The committee also called on the government to introduce mandatory data-breach notification legislation in 2015 to ensure that if metadata held by a telecommunications company was breached or illegally accessed, the company would be obliged to report that breach. The exposure draft for that legislation was only released late yesterday afternoon, the last sitting day for 2015.

It would require companies to report to the public when there had been a breach of personal information, unless there was a public interest reason as to why the breach needed to be kept secret — for example national security reasons. It’s designed to punish companies that decide against risking the bad publicity of admitting to a data breach. Infamously, online retailer Catch of the Day waited three years after identifying a breach of customer credit card information to informing customers about it, and to this day has not explained why it waited so long to tell customers.

Brandis had first promised the legislation would be passed in 2015, and then he promised it would be introduced in 2015, now the government will consult on the legislation over summer, and the scheme would not come into effect until a year after legislation passes.