The ACT's Chief Police Officer (CPO) Ray Johnson has described more than 100 illegal accesses of metadata as an "administrative oversight".
A Commonwealth Ombudsman report revealed ACT Policing accessed metadata 116 times without proper authorisation in October 2015.
It also found police in Western Australia obtained the metadata of at least one journalist without obtaining a valid warrant.
Assistant Commissioner Johnson said changes made to the Telecommunications (Interception and Access) Act in 2015 meant the AFP member who gave the authorisations had not actually been approved to do so.
"The member who was doing the authorisations continued doing so in good faith, on the basis of operational need ... until the problem was discovered and it was reported to the Ombudsman," he said.
The 2015 legislative changes forced telecommunication companies to hold internet and phone records for up to two years so the information could be accessed as part of criminal investigations.
Domestic intelligence and police agencies could then be granted access to the metadata and could also apply for a warrant to access journalist's information.
Assistant Commissioner Johnson assured no journalist's data was accessed by ACT police.
"These are normal criminal investigations, perhaps missing people, normal business of community policing," he said.
"Everything from armed robberies to stolen bikes — a range of things that would have been investigated by ACT Policing."
Assistant Commissioner Johnson said the error was reported as soon as it was discovered and an authorised officer had since been appointed.
"I'm confident that the processes are now in place to make sure that under that legislation we comply," he said.
"We all understand that these are powers given to police by the community, we're entrusted with them and we desperately don't want to make mistakes with it."
AFP slow to implement Ombudsman's recommendations
The Ombudsman suggested the Australian Federal Police (AFP) — which runs ACT Policing — quarantine all telecommunications data obtained under the illegal authorisations from further use and communication.
The AFP accepted the recommendation but the report noted it "did not act to quarantine the affected data at that time, which resulted in additional use and communication of the data".
It was not until the Ombudsman's office contacted the AFP in February 2018 to follow up on remedial action that some of the affected data was quarantined.
The data still was not fully quarantined by April last year and the "AFP advised it was seeking legal advice regarding the use of the affected telecommunications data".
"Due to the scale of this non-compliance, we will continue to monitor this issue closely with the AFP," the report said.
Assistant Commissioner Johnson said the material had now been quarantined "apart from a handful that we're working with the Ombudsman on".
Metadata retention laws are currently being reviewed by the Parliamentary Joint Committee on Intelligence and Security.
